Implementing SSL (https) in Tomcat using CA generated certificates
Updated on Thu, 2013-03-28 13:02. Originally created by lbhajdu on 2013-03-28 13:02.
The reason for using a certificate from a CA rather than a self-signed certificate is that, with a self-signed certificate, the browser shows a warning screen and asks you to accept the certificate. Because the browser already ships with a list of trusted CAs, this step is not needed with a CA-issued certificate.
The following list of certificates and a key are needed:
/etc/pki/tls/certs/wildcard.star.bnl.gov.Nov.2012.cert – host cert.
/etc/pki/tls/private/wildcard.star.bnl.gov.Nov.2012.key – host key (don’t give this one out).
/etc/pki/tls/certs/GlobalSignIntermediate.crt – intermediate cert.
/etc/pki/tls/certs/GlobalSignRootCA_ExtendedSSL.crt – root cert.
/etc/pki/tls/certs/ca-bundle.crt – a big list of many certs.
Concatenate the following certs into one file; in this example I call it Global_plus_Intermediate.crt:
cat /etc/pki/tls/certs/GlobalSignIntermediate.crt > Global_plus_Intermediate.crt
cat /etc/pki/tls/certs/GlobalSignRootCA_ExtendedSSL.crt >> Global_plus_Intermediate.crt
cat /etc/pki/tls/certs/ca-bundle.crt >> Global_plus_Intermediate.crt
Run this command. Note that “-name tomcat” and “-caname root” must not be changed to any other value: the command will still succeed, but the resulting keystore will not work under Tomcat. If it works you will be asked for a password; that password should be set to "changeit".
openssl pkcs12 -export -in wildcard.star.bnl.gov.Nov.2012.cert -inkey wildcard.star.bnl.gov.Nov.2012.key -out mycert.p12 -name tomcat -CAfile Global_plus_Intermediate.crt -caname root -chain
Test the new p12 output file with this command:
keytool -list -v -storetype pkcs12 -keystore mycert.p12
Note it should say: "Certificate chain length: 3"
In Tomcat’s server.xml file, add a connector that looks like this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/home/lbhajdu/certs/mycert.p12" keystorePass="changeit" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS"/>
Note that keystoreFile must be set to the actual path of the p12 file, and the p12 file should be readable only by the Tomcat account, because it holds the host key.
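As an added example (not part of the original page), the procedure above as one POSIX shell script: it builds the chain file, exports the PKCS12 keystore, and then checks the two things worth verifying before Tomcat loads it, that the chain length is 3 and that the file grants no access to group or others. File names are the page's; TOMCAT_USER and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added helper script (not from the original page). File names are the page's;
# TOMCAT_USER and the P12_PASS environment variable are assumptions.
set -eu

CERT_DIR=/etc/pki/tls/certs
HOST_CERT="$CERT_DIR/wildcard.star.bnl.gov.Nov.2012.cert"
HOST_KEY=/etc/pki/tls/private/wildcard.star.bnl.gov.Nov.2012.key
CHAIN_FILE=Global_plus_Intermediate.crt
P12_OUT=mycert.p12
TOMCAT_USER=${TOMCAT_USER:-tomcat}   # account Tomcat runs as (assumption)

# Same concatenation as the page's three cat commands, done in one step.
build_chain() {
  cat "$CERT_DIR/GlobalSignIntermediate.crt" \
      "$CERT_DIR/GlobalSignRootCA_ExtendedSSL.crt" \
      "$CERT_DIR/ca-bundle.crt" > "$CHAIN_FILE"
}

# -name tomcat and -caname root must stay exactly as shown (see text).
# The keystore password comes from $P12_PASS rather than the command line,
# so it does not show up in the process list or shell history.
export_p12() {
  openssl pkcs12 -export -in "$HOST_CERT" -inkey "$HOST_KEY" -out "$P12_OUT" \
      -name tomcat -CAfile "$CHAIN_FILE" -caname root -chain -passout env:P12_PASS
  chown "$TOMCAT_USER" "$P12_OUT"   # the file holds the host key:
  chmod 0400 "$P12_OUT"             # readable by the Tomcat account only
}

# Extracts the number from the "Certificate chain length:" line of a
# `keytool -list -v` listing read on stdin (empty output if absent).
chain_length_from_listing() {
  sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds only if the file grants no permissions at all to group or others.
owner_only_perms() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The two checks the page asks for: chain length 3 and a private keystore.
verify_p12() {
  len=$(keytool -list -v -storetype pkcs12 -keystore "$P12_OUT" \
          -storepass "$P12_PASS" | chain_length_from_listing)
  [ "$len" = "3" ] || { echo "chain length is '$len', expected 3" >&2; return 1; }
  owner_only_perms "$P12_OUT" || { echo "$P12_OUT readable by others" >&2; return 1; }
}
```

Run it with the password exported, for example `P12_PASS=... sh -c '. ./make_tomcat_p12.sh && build_chain && export_p12 && verify_p12'` (the script name is an assumption).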