Requirements

1. Certificate file issued by the certificate authority (CA), in PEM format. Example:

-----BEGIN CERTIFICATE-----
<base64 encoded domain cert>
-----END CERTIFICATE-----

2. The matching private key, in PEM format, generated by us when the CSR was created. Example:

-----BEGIN PRIVATE KEY-----
<base64 encoded domain cert's key>
-----END PRIVATE KEY-----

A key written by older OpenSSL versions starts with -----BEGIN RSA PRIVATE KEY----- instead; openssl accepts both forms. If the key was encrypted when it was generated, openssl will ask for its passphrase in Step 2.

3. CA certificate bundle of the certificate issuer, in PEM format. It can be downloaded from the issuer's website. Make sure it is the bundle for the certificate product that was issued: different products are signed by different intermediate CAs, and a mismatched bundle leaves clients unable to build the chain even though Tomcat starts without complaint.

-----BEGIN CERTIFICATE-----
<base64 encoded CA cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<some CAs ship multiple chained certificates>
-----END CERTIFICATE-----

Step 1: Appending the CA certificates to the domain certificate

We need to append the CA certificates to the domain certificate file. Order matters: the domain certificate comes first, followed by the intermediate certificate(s) and, if the bundle includes it, the root, in the order the issuer's bundle lists them. Do not add the private key to this file. The final certificate in PEM format will look like the following:

-----BEGIN CERTIFICATE-----
<base64 encoded domain cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded CA cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<some CAs ship multiple chained CA certificates>
-----END CERTIFICATE-----

Step 2: Converting PEM to PKCS12 format

Using the openssl command-line tool, we will convert PEM format to PKCS12 (p12) format.

# openssl pkcs12 -export -in domain.com_combined.crt -inkey domain.com.key -name "domain.com" -out domain.com.p12

Where:

-in domain.com_combined.crt is the input combined domain + CA certificate file in PEM format

-inkey domain.com.key is the input private key in PEM format

-name "domain.com" is a friendly name for the entry inside the PKCS12 file; keytool will use it as the alias in Step 3

-out domain.com.p12 is the output filename in PKCS12 format

No -CAfile option is needed here: the CA certificates are already part of the combined input file. (openssl pkcs12 can add them itself with -chain -CAfile domain.com.ca, but then the chain is taken from that file rather than from the combined certificate.)

 

When prompted, enter a new export password. This password protects the private key inside the PKCS12 file and will be needed again when the file is imported in Step 3.

Enter Export Password: ********
Verifying - Enter Export Password: ********

The PKCS12 file domain.com.p12 is now in the current directory. It contains the private key, so keep its permissions as tight as the key file's (for example mode 600) and remove it once the keystore has been built.

 

Step 3: Importing PKCS12 into a JAVA Keystore file

A Java keystore is simply a file that stores one or more certificates and private keys in a format Java understands (Tomcat runs on Java, so it reads its server certificate from such a file).

# keytool -importkeystore -destkeystore domain.com.jks -srckeystore domain.com.p12 -srcstoretype PKCS12 -deststoretype PKCS12

Where:

-destkeystore domain.com.jks is the output Java keystore filename

-srckeystore domain.com.p12 is the input PKCS12 file we created in Step 2

-srcstoretype PKCS12 tells keytool the input is a PKCS12 file

-deststoretype PKCS12 writes the destination in PKCS12 format as well (the default and recommended keystore type since Java 9), even though the file is named .jks. Recent JDKs load such a file through the JKS type transparently; with an older JDK either use -deststoretype JKS here or set the keystore type to PKCS12 on the Tomcat connector (keystoreType on Tomcat 6 to 8.0, certificateKeystoreType on Tomcat 8.5 and 9).

 

This step prompts for a new password for the destination keystore and then for the password we set on the PKCS12 file in Step 2. Using the same password for both is simplest: Tomcat's keystorePass must match the destination keystore password, and keytool keeps a single password for a PKCS12 store and its key entry.

Enter destination keystore password: ********
Re-enter new password: ********
Enter source keystore password: ********
Entry for alias domain.com successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
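Steps 1 to 3 as one checked shell script. This is an added example, not a command sequence from the original article. It assumes the file names the article uses (domain.com.crt for the issued certificate, domain.com.ca for the issuer bundle, domain.com.key for the private key) and that the two passwords are supplied in the environment variables P12_PASS and JKS_PASS; both are assumptions of this script. Before converting anything it verifies that the key belongs to the certificate and that the certificate chains to the bundle, the two mismatches that most often produce a keystore Tomcat loads but browsers reject, and it refuses to build a combined file that contains a private key.

```shell
#!/bin/sh
# Added example, not part of the original article: Steps 1-3 as one script
# that checks its inputs before converting them. Assumed file names follow
# the article: domain.com.crt (issued certificate), domain.com.ca (issuer
# bundle), domain.com.key (private key). Passwords are read from the
# environment variables P12_PASS and JKS_PASS (an assumption of this script).
set -eu

# Number of certificate blocks in a PEM file (0 if there are none).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# A certificate bundle is handed around freely; it must never carry a key.
pem_has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Step 1: domain certificate first, then the issuer bundle in the order the
# CA ships it. Whitespace-only lines (common in copy-pasted PEM) and CR
# characters are dropped, and each file is terminated properly even if it
# lacks a final newline.
build_combined() {
    leaf=$1
    ca=$2
    out=$3
    if pem_has_private_key "$leaf" || pem_has_private_key "$ca"; then
        echo "refusing to bundle: a PRIVATE KEY block is present in the certificate input" >&2
        return 1
    fi
    awk '{ sub(/\r$/, "") } NF' "$leaf" "$ca" > "$out"
}

# The key must belong to the certificate: compare the public key inside the
# certificate with the public key derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The certificate must chain to the issuer bundle; a bundle for another CA
# product fails here. The bundle has to include the root for this check.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# Step 2: PEM -> PKCS12. The password is taken from the environment so it
# never appears in `ps` output or shell history; umask 077 keeps the file,
# which now contains the private key, readable by the owner only.
to_pkcs12() {
    # $1 combined PEM, $2 private key, $3 friendly name, $4 output .p12
    ( umask 077; openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" \
        -out "$4" -passout env:P12_PASS )
}

# Step 3: PKCS12 -> JKS. -deststoretype JKS really produces a JKS file;
# -deststoretype PKCS12 (as in the article) writes a PKCS12 file under a
# .jks name, which recent JDKs read transparently but older ones do not.
to_jks() {
    # $1 input .p12, $2 output .jks
    ( umask 077; keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env JKS_PASS )
}

main() {
    build_combined domain.com.crt domain.com.ca domain.com_combined.crt
    key_matches_cert domain.com.crt domain.com.key ||
        { echo "private key does not match domain.com.crt" >&2; exit 1; }
    chain_verifies domain.com.crt domain.com.ca ||
        { echo "domain.com.crt does not chain to domain.com.ca" >&2; exit 1; }
    echo "combined file holds $(pem_cert_count domain.com_combined.crt) certificate(s)"
    to_pkcs12 domain.com_combined.crt domain.com.key domain.com domain.com.p12
    to_jks domain.com.p12 domain.com.jks
    keytool -list -keystore domain.com.jks -storepass:env JKS_PASS
}

# Run only when invoked as `sh build-keystore.sh run`, so the functions can
# also be sourced and used one at a time.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it from the directory holding the three input files as `P12_PASS=... JKS_PASS=... sh build-keystore.sh run`. The final keytool -list should show exactly one PrivateKeyEntry with the alias domain.com; more than one entry, or a trustedCertEntry instead, means the wrong file was fed to -in or -inkey.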

 

Step 4: Configure Tomcat to use the Keystore

Enter the following command to check the Tomcat version:

# java -cp /path/to/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/7.0.30
(...)

Edit conf/server.xml under the Tomcat base directory and add the block below that matches the version reported above, inside the <Service> element, alongside the existing HTTP <Connector>.

Tomcat 6:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/domain.com.jks" keystorePass="my_keystore_password"
           clientAuth="false" sslProtocol="TLS" >
</Connector>

Tomcat 7 / Tomcat 8.0.x:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/domain.com.jks" keystorePass="my_keystore_password"
           clientAuth="false" sslProtocol="TLS" >
</Connector>

Tomcat 8.5.x / Tomcat 9:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" >
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/path/to/domain.com.jks"
            certificateKeystorePassword="my_keystore_password"
            type="RSA" />
        </SSLHostConfig>
</Connector>

Where:

/path/to/domain.com.jks is the absolute path to the keystore file we created in Step 3.

my_keystore_password is the password set for the keystore file in Step 3. It is stored in clear text, so server.xml must be readable only by the account Tomcat runs as, and the keystore file should be protected the same way.

On Tomcat 8.5 and 9 the SSLHostConfig element also takes a protocols attribute; setting it to TLSv1.2+TLSv1.3 (or TLSv1.2 alone on a JVM without TLS 1.3) disables TLS 1.0 and 1.1, which the default value all may otherwise still offer depending on the JVM. If the keystore holds more than one entry, name the one to serve with certificateKeyAlias (Tomcat 8.5/9) or keyAlias (Tomcat 6 to 8.0).

 

Step 5: Restart tomcat service

We need to restart the Tomcat daemon with service or systemctl (where available) or with the shutdown.sh and startup.sh scripts. After the restart, confirm from a client that the new certificate is served together with the CA certificates appended in Step 1; a browser shows this in its certificate chain view.
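Checks around Steps 4 and 5, as an added example that is not part of the original article. server.xml stores the keystore password in clear text and the keystore stores the private key, so the script confirms that neither is readable by group or other; after the restart, served_chain prints the chain Tomcat actually presents, which is what shows whether Step 1 was done correctly. The server.xml path and the host and port are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Checks around Steps 4 and 5: file permissions on server.xml and the keystore
# it references, and the certificate chain the restarted Tomcat actually serves.
set -eu

# Print every keystore path referenced in a server.xml. Matches both the
# Tomcat 6-8.0 attribute (keystoreFile) and the 8.5+/9 one
# (certificateKeystoreFile). Expects the absolute paths the article recommends;
# relative paths would have to be resolved against CATALINA_BASE first.
keystore_files_in() {
    sed -n 's/.*[kK]eystoreFile="\([^"]*\)".*/\1/p' "$1"
}

# True when group or other hold any permission bit on the file
# (columns 5-10 of `ls -l`, e.g. -rw-r--r-- gives r--r--).
group_or_world_accessible() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# server.xml holds keystorePass in clear text and the keystore holds the
# private key, so both must be readable by the Tomcat account only.
# Returns 0 when every file is private, 1 otherwise (offenders are printed).
check_tls_files_private() {
    conf=$1
    rc=0
    for f in "$conf" $(keystore_files_in "$conf"); do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            rc=1
        elif group_or_world_accessible "$f"; then
            echo "too permissive: $(ls -ld "$f" | cut -c1-10) $f" >&2
            rc=1
        fi
    done
    return $rc
}

# After the restart: print the chain Tomcat presents and the verify result.
# A correct Step 1 shows the leaf at depth 0 followed by the CA certificates;
# a forgotten bundle shows a single certificate and a non-zero verify code.
served_chain() {
    # $1 host name (also sent as SNI), $2 port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        sed -n '/^Certificate chain/,/^---/p; /Verify return code/p'
}

if [ "${1:-}" = run ]; then
    check_tls_files_private /path/to/tomcat/conf/server.xml   # assumed path
    served_chain domain.com 8443                              # assumed host/port
fi
```

Files flagged as too permissive are fixed with chmod 600 and chown to the Tomcat account. The Verify return code printed by served_chain depends on the trust store of the machine running the check; the important part is that the chain listing contains every certificate appended in Step 1.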
