SSL Certificate Installation in Apache Tomcat
Prerequisites
OS : CentOS
JAVA : JDK 8
Web Server : Apache Tomcat
SSL Authority : Symantec SSL or Comodo
Domain Name : From GoDaddy or any other registrar
1. For OS installation, please refer to our previous article:
http://www.admincool.com/2017/12/how-to-install-linux-on-windows-using.html
2. For JDK and Apache Tomcat installation, please refer to our previous articles:
http://www.admincool.com/2016/09/how-to-install-apache-tomcat-on-linux.html
http://www.admincool.com/2016/09/how-to-apache-tomcat-server-on-startup_19.html
3. InstantSSL offers a free 90-day trial certificate:
https://www.instantssl.com/free-ssl-certificate.html
4. Purchase your own domain name.
Configuration Steps:
1. Create a Keystore and Private Key
2. Generate a CSR
3. Install issued certificate on your server
To generate a CSR, you first need to create a key pair for your server. The private key and the certificate that will be issued for it belong together and cannot be separated: if you lose the keystore file or its password and generate a new key pair, the certificate you already hold will no longer match the key and you will need to have it reissued.
Step 1: Create a Keystore and Private Key
Syntax:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -genkey -alias "your alias" -keyalg RSA -keystore "path to keystore file to create" -keysize 2048
Example: Create a certificate keystore and private key by executing the following command:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -genkey -alias bayasys -keyalg RSA -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -keysize 2048
Note: Use a recent version of the JDK. The commands in this article were captured on Windows with JDK 7; on the CentOS host from the prerequisites the same keytool commands work unchanged apart from the paths (see the combined Linux listing under "Install SSL Certificate - Steps Together" below). Newer JDKs call this sub-command -genkeypair (-genkey still works as an alias) and warn that the JKS format is proprietary, so use -storetype PKCS12 when creating a new keystore.
Enter and re-enter a keystore password when prompted. keytool then asks for a separate key password; Tomcat assumes the key password is the same as the keystore password unless you set keyPass on the connector, so the simplest choice is to press Enter and keep them identical.
This command will prompt for the following X.509 subject attributes of the certificate:
- First and last name (Common Name, CN): enter the fully qualified domain name of your website, for example www.admincool.com. Browsers no longer accept a host name given only in the CN; the issued certificate must also list it in a Subject Alternative Name (SAN) extension, so either make sure the CA adds the SAN or put it in the key pair and CSR yourself with keytool's -ext SAN=dns:www.admincool.com option.
- Organizational Unit (OU): optional; the name of your department or division.
- Organization (O): the name of your organization.
- Locality or City (L): the city or town name, for example Kochi.
- State or Province (ST): your state, for example Kerala.
- Country Name (C): the two-letter ISO country code without punctuation, for example IN.
Step 2: Generate a CSR
Syntax:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -certreq -alias "your alias" -file "path to CSR to create" -keystore "path of your keystore file"
Example:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -certreq -alias bayasys -file C:\Bayasys\SSL-Key\bayasy.csr -keystore C:\Bayasys\SSL-Key\bayasyskey.jks
Use this CSR file to apply for the SSL certificate. When you paste it into the CA's order form, include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer lines.
The text file should look like this:
-----BEGIN CERTIFICATE REQUEST-----
[encoded data]
-----END CERTIFICATE REQUEST-----
Step 3: Once the certificate has been issued, install it on your server as follows.
This section provides instructions for installing SSL certificates on Tomcat using the X.509 format of the certificate.
You have to perform four steps to install the SSL certificate:
1. Download and install the root CA certificate.
2. Download and install the intermediate CA certificate(s); there may be more than one.
3. Download the issued SSL certificate from your mail and install it.
4. Configure Apache Tomcat.
1. Download and install the root CA certificate
Download and save the root certificate as "rootCA.cer"
(For Symantec Free SSL
Install this root certificate into your keystore file:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -import -alias RootCA -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -trustcacerts -file C:\Bayasys\SSL-Key\rootCA.cer
If the root is not already in the JDK's cacerts file, keytool prints its fingerprint and asks whether to trust it. Compare that fingerprint with the value the CA publishes before answering yes; a wrong or tampered root imported here is trusted by everything that uses this keystore.
2. Download and install the intermediate CA certificate
Download and save the intermediate certificate as "intermediate.cer".
(For Symantec Free SSL
Install this intermediate certificate into your keystore file:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -import -trustcacerts -alias Intermediate -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -file C:\Bayasys\SSL-Key\intermediate.cer
3. Download the issued SSL certificate from your mail and install it
Download and save the issued SSL certificate as "ssl_cert.cer".
Install this SSL certificate into your keystore file, using the same alias you created the private key under in Step 1 (bayasys here). That alias is what tells keytool to attach the issued certificate to the private key and replace the self-signed placeholder; under any other alias it is stored as a separate trusted certificate and Tomcat will keep serving the self-signed one.
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -import -alias bayasys -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -trustcacerts -file C:\Bayasys\SSL-Key\ssl_cert.cer
If keytool reports "Failed to establish chain from reply", the intermediate certificate is missing or wrong: import the correct intermediate first and repeat this command.
Troubleshoot
- You can delete any alias entry from your keystore file with the following command:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -delete -noprompt -alias intermediate -keystore C:\Bayasys\SSL-Key\bayasyskey.jks
- You can verify your keystore file by exporting its contents to a text file with the following command:
C:\Program Files\Java\jdk1.7.0_79\bin>keytool -list -v -keystore C:\Bayasys\SSL-Key\bayasyskey.jks >Keystore_content.txt
In that output the server alias should show "Entry type: PrivateKeyEntry" and a "Certificate chain length" that counts the issued certificate plus the intermediates (3 for the Comodo chain below). A chain length of 1 means the issued certificate did not replace the self-signed one; it was most likely imported under a different alias and will show up there as a trustedCertEntry.
Install SSL Certificate - Steps Together
The same procedure on the CentOS host, using the chain Comodo sends for a domain-validated certificate: one root, two intermediates and then the domain certificate. Import them in this order.
To import Root:
> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file /root/SSLCertificate/bayaplanter/AddTrustExternalCARoot.crt -keystore /root/SSLCertificate/bayasyskey.jks
To import Intermediate1:
> keytool -import -trustcacerts -alias COMODORSAAddTrustCA -file /root/SSLCertificate/bayaplanter/COMODORSAAddTrustCA.crt -keystore /root/SSLCertificate/bayasyskey.jks
To import Intermediate2:
> keytool -import -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file /root/SSLCertificate/bayaplanter/COMODORSADomainValidationSecureServerCA.crt -keystore /root/SSLCertificate/bayasyskey.jks
To import Domain Certificate:
> keytool -import -trustcacerts -alias bayasys -file /root/SSLCertificate/bayaplanter/bayaplanter_in.crt -keystore /root/SSLCertificate/bayasyskey.jks
Here bayasyskey.jks is the name of your keystore and bayasys is the alias you created the private key under in Step 1.
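Steps 1 to 3 above, together with the keystore check from the Troubleshoot section, as one Linux script. This is an added example, not the article's own commands, and it differs from them in two ways a practitioner would want today: it creates a PKCS12 keystore rather than JKS, and it puts a Subject Alternative Name on the key pair and the CSR. The keystore path, alias, distinguished name and host names are placeholders (assumptions), and the JDK is assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the three-step keytool procedure
# as one Linux script, plus the keystore check from "Troubleshoot".
# Differences from the article's commands: a PKCS12 keystore instead of JKS, and
# a SubjectAlternativeName (SAN) extension on the key pair and the CSR, because
# browsers ignore the CN and require the host name in the SAN.
# Paths, host names, DN and alias below are placeholders (assumptions).
set -eu

KEYSTORE="${KEYSTORE:-/root/SSLCertificate/bayasyskey.p12}"
ALIAS="${ALIAS:-bayasys}"
DNAME="${DNAME:-CN=www.admincool.com, OU=IT, O=Bayasys, L=Kochi, ST=Kerala, C=IN}"

# Build keytool's SAN extension argument from a list of host names:
#   san_ext www.example.com example.com  ->  SAN=dns:www.example.com,dns:example.com
san_ext() {
    local out="" h
    for h in "$@"; do
        out="${out:+$out,}dns:$h"
    done
    printf 'SAN=%s\n' "$out"
}

# Steps 1 and 2: key pair with SAN, then a CSR carrying the same SAN.
# keytool prompts for the keystore password; do not pass it with -storepass,
# which would leave it in the shell history and visible in `ps`.
generate_key_and_csr() {
    local csr="$1"; shift
    local san
    san="$(san_ext "$@")"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -storetype PKCS12 -keystore "$KEYSTORE" -dname "$DNAME" -ext "$san"
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -file "$csr" -ext "$san"
}

# Step 3: import the CA chain root first, then the issued certificate under the
# private-key alias. Order matters: keytool rejects the issued certificate with
# "Failed to establish chain from reply" if its issuer is not yet in the keystore.
# For a root that is not already in the JDK's cacerts, keytool prints the
# fingerprint and asks whether to trust it: compare it with the CA's published
# fingerprint before answering yes.
import_chain() {
    local leaf="$1"; shift
    local i=0 ca
    for ca in "$@"; do
        keytool -importcert -trustcacerts -alias "ca$i" -keystore "$KEYSTORE" -file "$ca"
        i=$((i + 1))
    done
    keytool -importcert -trustcacerts -alias "$ALIAS" -keystore "$KEYSTORE" -file "$leaf"
}

# Check on `keytool -list -v` output read from stdin: the server alias must be a
# PrivateKeyEntry whose chain holds the issued certificate and the intermediates
# (length >= 2). Prints the chain length, or prints 0 and fails when the entry is
# missing, is a trustedCertEntry, or still holds only the self-signed certificate.
chain_length_for_alias() {
    awk -v a="$1" '
        $0 == ("Alias name: " a)                 { inentry = 1; next }
        /^Alias name: /                          { inentry = 0 }
        inentry && /^Entry type: /               { type = $3 }
        inentry && /^Certificate chain length: / { len = $4 + 0 }
        END {
            if (type != "PrivateKeyEntry" || len < 2) { print 0; exit 1 }
            print len
        }'
}

# Usage, in order, on the CentOS host (send the CSR to the CA between the two
# calls, then download the chain and the issued certificate):
#   generate_key_and_csr /root/SSLCertificate/bayasys.csr www.admincool.com admincool.com
#   import_chain /root/SSLCertificate/bayaplanter_in.crt \
#       /root/SSLCertificate/AddTrustExternalCARoot.crt \
#       /root/SSLCertificate/COMODORSAAddTrustCA.crt \
#       /root/SSLCertificate/COMODORSADomainValidationSecureServerCA.crt
#   keytool -list -v -keystore "$KEYSTORE" | chain_length_for_alias "$ALIAS"
```

The check at the end is the one worth scripting: the most common failure with this procedure is a keystore that looks complete but whose private-key entry still carries only the self-signed certificate, and chain_length_for_alias fails loudly in that case instead of letting Tomcat start and serve the wrong certificate.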
4. Configure Apache Tomcat.
Tomcat keeps its configuration in the server.xml file. This is where you tell Tomcat which keystore file and keystore password to read, and where server administrators set the port for secure connections.
Open server.xml (in tomcat/conf), search for "Define a SSL HTTP/1.1 Connector on port 8443" and edit the connector as follows.
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="Path to your keystore file"
           keystorePass="Your keystore password"/>
For Apache Tomcat 8 and later
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443"
           maxThreads="200"
           scheme="https"
           secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore"
           keystorePass="changeit"
           clientAuth="false"
           sslProtocol="TLS"/>
Replace keystoreFile and keystorePass with your own keystore path and password; ${user.home}/.keystore and changeit are the Tomcat defaults, not values to keep. The blocking Http11Protocol connector shown for older versions was removed in Tomcat 8.5, so use the NIO form there. sslProtocol="TLS" leaves the choice of TLS versions to the JVM, which on older JDK 8 builds still includes TLS 1.0 and 1.1; Tomcat 8.5 and later let you pin the versions in an SSLHostConfig element. Because keystorePass is stored in clear text, restrict read access to server.xml to the account Tomcat runs as.
Restart Apache Tomcat.
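The Tomcat 8.5/9 form of the HTTPS connector, paired with the plain HTTP connector that redirects to it, as an added example that is not from the original post. It assumes the PKCS12 keystore /root/SSLCertificate/bayasyskey.p12 with the alias bayasys, a keystore.password property defined in conf/catalina.properties, and Java 11 or later for TLS 1.3 (all assumptions):

```xml
<!-- Plain HTTP on 80: its only job is to send clients to the TLS port named in
     redirectPort, which is also where the CONFIDENTIAL constraint redirects to. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS on 443, Tomcat 8.5/9 style: the keystore details move from Connector
     attributes into SSLHostConfig/Certificate, and the protocol list is pinned to
     TLS 1.2 and 1.3 instead of the JVM default behind sslProtocol="TLS". -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
    <!-- keystore.password is read from a system property (assumption: set in
         conf/catalina.properties, readable only by the tomcat user) so the
         secret is not written into server.xml itself. -->
    <Certificate certificateKeystoreFile="/root/SSLCertificate/bayasyskey.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${keystore.password}"
                 certificateKeyAlias="bayasys"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Tomcat loads conf/catalina.properties into system properties at startup, so a keystore.password=... line there satisfies the ${keystore.password} reference. Two things to verify before the first restart: the account Tomcat runs as must be able to read the keystore (a file under /root normally is not, so move it or adjust permissions), and TLS 1.3 needs Java 11 or later (or JDK 8u261 onward); on an older JDK 8, drop TLSv1.3 from the protocols list. Once the redirect below works, also consider enabling the HttpHeaderSecurityFilter that ships commented out in conf/web.xml, which adds the Strict-Transport-Security header.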
Redirect HTTP Requests to HTTPS
Change the Tomcat HTTP port from 8080 to 80 and the HTTPS port from 8443 to 443 in server.xml, and set redirectPort="443" on the HTTP connector so that the redirects issued by the constraint below land on the right port. On Linux, ports below 1024 can only be bound by root, so either let Tomcat bind them through the jsvc daemon (or grant the java binary cap_net_bind_service with setcap), redirect 80 and 443 to 8080 and 8443 with iptables, or keep the default ports behind a reverse proxy; do not run Tomcat itself as root.
Open the web.xml file in tomcat/conf and add the following as the last element before the closing </web-app> tag:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Restart Apache Tomcat.
Open your browser and go to https://localhost or https://www.admincool.com. A plain http:// request to the same host should now be redirected to https://, and the browser's certificate details should show the certificate issued for your domain rather than the self-signed one.