Prepare the Certificate Keystore

Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. (Tomcat Documentation, Apache Tomcat 9 (9.0.68) - SSL How To)

For a JKS keystore you need to create a CSR (create the .jks file, then import the .crt/.p7b/.pem files into the keystore). For a PKCS12 keystore you need only the .pfx file and its password (there is no need to create a .jks file or to import .pem/.crt/.p7b files).

Installing a Certificate from a Certificate Authority and Configuring Tomcat

Create a local Certificate Signing Request (CSR)

In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so-called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as "secure". To create a CSR follow these steps:

- Create a local self-signed Certificate (as described in the previous section):

keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>

Note: In some cases you will have to enter the domain of your website (e.g. www.myside.org) in the "first and last name" field in order to create a working Certificate.

Example:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore erp_ametro_com.jks -dname "CN=erp.ametro.com, OU=IT, O=Metro Limited, L=Dhaka, ST=Dhaka, C=BD"

- The CSR is then created with:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>

Example:

keytool -certreq -alias server -file erp-svr_metro_net_bd.csr -keystore erp-svr_metro_net_bd.jks

Now you have a file called erp_metro.csr that you can submit to the Certificate Authority (look
at the documentation of the Certificate Authority website on how to do this). In return you get a
Certificate.

Importing the Certificate

Now that you have your Certificate you can import it into your local keystore. First of all you have to import a so-called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.

- Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.

- Import the Chain Certificate into your keystore:

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

- And finally import your new Certificate:

keytool -import -alias server -keystore <your_keystore_filename> -file <your_certificate_filename>

Each Certificate Authority tends to differ slightly from the others. They may require slightly
different information and/or provide the certificate and associated certificate chain in different
formats. Additionally, the rules that the Certificate Authorities use for issuing certificates
change over time. As a result you may find that the commands given above may need to be
modified.

Example:

If the file type is .pem (root and intermediate needed):

keytool -import -alias root -keystore "E:\SSL_New\erp.jks" -trustcacerts -file "E:\SSL_New\TrustedRoot.pem"

keytool -import -trustcacerts -alias Intermediate -keystore "E:\SSL_New\erp-svr_bd.jks" -file "E:\SSL_New\DigiCert TLS RSA SHA256 2020 CA1_intermediate.pem"

keytool -import -alias server -file "E:\SSL_New\star_metro_net_bd.pem" -keystore "E:\SSL_New\erp-bd.jks"

Delete an alias:

keytool -delete -noprompt -alias "Intermediate" -keystore "E:\SSL_New\erp-svr.jks"

If the file type is .p7b or .crt:

keytool -import -trustcacerts -alias server -file your_file_name.p7b -keystore your_domain_name.jks

keytool -import -trustcacerts -alias server -file "F:\ssl_old\__metro_net_bd.crt" -keystore "C:\Program Files\Amazon Corretto\jdk11.0.11_9\bin\notification_.jks"

** When importing the server certificate, make sure the alias matches the alias used when the keystore (key pair) was created; otherwise keytool stores the certificate as a separate trusted entry instead of attaching it to your private key.

Configure Tomcat

Configure server.xml file:

Now open the server.xml file (C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf) and paste/replace the following:

For .jks keystore and .pem/.p7b file:

<Connector SSLEnabled="true"
           acceptCount="100"
           clientAuth="false"
           disableUploadTimeout="true"
           enableLookups="false"
           maxThreads="150"
           port="8443"
           keyAlias="server"
           keystoreFile="E:\ssltest\erp.jks"
           keystorePass="B@ndsadead"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslProtocol="TLS" />

For .pfx file:

- You need the .pfx file from your SSL provider.
- You need the password that was given while generating the .pfx file.
- Copy the .pfx file to the folder where you store your SSL certificate and link the file in server.xml.
- Nothing to import, and no .jks file to create, in this case.
- Paste/replace the following in server.xml:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           keystoreFile="E:\ssl-2022-23\SSL23.pfx"
           keystorePass="dad121"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS" />

Configure web.xml file:

Open web.xml (C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf) and paste/replace the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>webapps</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Reference:

https://tomcat.apache.org/tomcat-9.0-doc/index.html

https://www.digicert.com/easy-csr/keytool.htm

https://www.digicert.com/kb/csr-ssl-installation/tomcat-keytool.htm

https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-a-tomcat-server/

https://www.youtube.com/watch?v=RaEG_DOpNPc

https://www.youtube.com/watch?v=MFYgCHC8t0o

https://www.youtube.com/watch?v=d-f-2pMOgOA

https://www.youtube.com/watch?v=OOFMpUZjito

https://www.youtube.com/watch?v=vYhY11p47rI
