Requirements
1. Certificate file issued by an authority in the PEM format. Example given below:
-----BEGIN CERTIFICATE-----
<base64 encoded domain cert>
-----END CERTIFICATE-----
2. Matching private key in the PEM format, generated by us when the CSR was created. Example given below:
-----BEGIN PRIVATE KEY-----
<base64 encoded domain cert's key>
-----END PRIVATE KEY-----
3. CA certificate bundle of the certificate issuer. It can be downloaded from the issuer's website. Make sure it matches the type of certificate that was issued (some CAs publish a different bundle per product).
-----BEGIN CERTIFICATE-----
<base64 encoded CA cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<some CAs have multiple chained certificates>
-----END CERTIFICATE-----
Step 1: Appending CA-Cert into Domain Certificate
We need to append the CA certificates to the domain's certificate file. The order matters: the domain certificate comes first, followed by the CA certificates. The final certificate in PEM format will look like the following:
-----BEGIN CERTIFICATE-----
<base64 encoded domain cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<base64 encoded CA cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<some CAs have multiple chained CA certificates>
-----END CERTIFICATE-----
Step 2: Converting PEM to PKCS12 format
Using the openssl command-line tool, we will convert PEM format to PKCS12 (p12) format.
# openssl pkcs12 -export -in domain.com_combined.crt -inkey domain.com.key -name "domain.com" -out domain.com.p12
Where:
-in domain.com_combined.crt is the input combined domain + CA certificate in PEM format
-inkey domain.com.key is the input private key filename in PEM format
-CAfile domain.com.ca is the input CA certificate file. It is not used in the command above because the CA chain was already appended to the combined certificate in Step 1; add it only if you keep the CA bundle in a separate file.
-name "domain.com" is a friendly name (alias) for the certificate inside the PKCS12 file.
-out domain.com.p12 is the output filename for the PKCS12 format
When prompted, enter a new export password. This password will be required to read the certificate inside the PKCS12 file.
Enter Export Password: ********
Verifying - Enter Export Password: ********
Now the PKCS12 formatted certificate will be created with filename domain.com.p12 in the current directory.
Step 3: Importing PKCS12 into a JAVA Keystore file
A Java keystore is simply a file that stores one or more certificates (and their private keys) in a format Java understands. Tomcat runs on Java, so it reads its server certificate from such a keystore.
# keytool -importkeystore -destkeystore domain.com.jks -srckeystore domain.com.p12 -srcstoretype PKCS12 -deststoretype PKCS12
Where:
-destkeystore domain.com.jks is the output Java keystore filename
-srckeystore domain.com.p12 is the input PKCS12 file which we created in Step 2.
This step will prompt for a new password for the keystore file and for the export password we used for the PKCS12 file in Step 2. You can use the same password for both.
Enter destination keystore password: ********
Re-enter new password: ********
Enter source keystore password: ********
Entry for alias domain.com successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
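The script below is an added example, not part of the original guide: it automates Steps 1 to 3 and adds the checks worth running before the export (no fused PEM markers, key matches the certificate, certificate chains to the bundle). File names such as domain.com.crt, domain.com.ca and domain.com.key are assumed.

```shell
#!/bin/sh
# Added example, not part of the original guide: automates Steps 1 to 3 and
# adds the checks worth running before the export. File names such as
# domain.com.crt, domain.com.ca and domain.com.key are assumed.

# Step 1: append leaf certificate and CA bundle. A file without a trailing
# newline would otherwise fuse "-----END CERTIFICATE-----" onto the next
# "-----BEGIN CERTIFICATE-----", which openssl then fails to parse.
combine_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        if [ -n "$(tail -c 1 "$f")" ]; then printf '\n' >> "$out"; fi
    done
}

# Number of certificate blocks in a PEM file (leaf + every chained CA cert).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds only if no END marker shares a line with the next BEGIN marker.
check_markers() {
    ! grep -q -- '-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----' "$1"
}

# The private key must belong to the leaf certificate: compare public keys.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey) && b=$(openssl pkey -in "$2" -pubout) \
        && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Steps 1 to 3 for one domain, aborting on any failed check.
build_keystore() {
    d="$1"
    combine_chain "${d}_combined.crt" "${d}.crt" "${d}.ca"
    check_markers "${d}_combined.crt" || { echo "fused PEM markers" >&2; return 1; }
    key_matches_cert "${d}.crt" "${d}.key" || { echo "key does not match cert" >&2; return 1; }
    # the issued cert must chain to the bundle (assumes the bundle includes the root;
    # use -untrusted instead of -CAfile for an intermediates-only bundle)
    openssl verify -CAfile "${d}.ca" "${d}.crt" || return 1
    echo "combined file holds $(count_certs "${d}_combined.crt") certificates"
    openssl pkcs12 -export -in "${d}_combined.crt" -inkey "${d}.key" \
        -name "$d" -out "${d}.p12"
    keytool -importkeystore -destkeystore "${d}.jks" -srckeystore "${d}.p12" \
        -srcstoretype PKCS12 -deststoretype PKCS12
    keytool -list -keystore "${d}.jks"   # confirm the alias landed in the keystore
}

if [ "$#" -eq 1 ]; then build_keystore "$1"; fi
```

Run it as `sh build_keystore.sh domain.com` from the directory holding the three input files; it still prompts for the PKCS12 and keystore passwords exactly as Steps 2 and 3 do.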
Step 4: Configure Tomcat to use the Keystore
Enter the following command to check the Tomcat version:
# java -cp /path/to/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/7.0.30
(...)
Edit conf/server.xml under the Tomcat base directory and add the block matching your version inside the <Service> element.
Tomcat 6:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/domain.com.jks" keystorePass="my_keystore_password"
           clientAuth="false" sslProtocol="TLS">
</Connector>
Tomcat 7 / Tomcat 8.0.x:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/domain.com.jks" keystorePass="my_keystore_password"
           clientAuth="false" sslProtocol="TLS">
</Connector>
Tomcat 8.5.x / Tomcat 9:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/path/to/domain.com.jks"
                     certificateKeystorePassword="my_keystore_password"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Where:
/path/to/domain.com.jks is the absolute path to the keystore file we created in Step 3.
my_keystore_password is the destination keystore password set in Step 3.
Step 5: Restart the Tomcat service
Restart the Tomcat daemon with service / systemctl (if available) or with the shutdown.sh and startup.sh scripts so the new connector configuration is loaded.