SSL Certificate Installation in Apache Tomcat







Prerequisites

OS : CentOS
JAVA : JDK 8
Web Server : Apache Tomcat
SSL Authority : Symantec SSL or Comodo
Domain Name : From Godaddy or from any others



1. For OS installation, please refer to our previous article:

http://www.admincool.com/2017/12/how-to-install-linux-on-windows-using.html



2. For JDK and Apache Tomcat installation, please refer to our previous articles:

http://www.admincool.com/2016/09/how-to-install-apache-tomcat-on-linux.html

http://www.admincool.com/2016/09/how-to-apache-tomcat-server-on-startup_19.html


3. InstantSSL offers a 90-day trial certificate:

https://www.instantssl.com/free-ssl-certificate.html


4. Purchase your own domain name.


Configuration Steps:

1. Create a Keystore and Private Key

2. Generate a CSR

3. Install issued certificate on your server



To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match and you will need to replace the certificate.

Step 1: Create a Keystore and Private Key


Syntax:

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -genkey -alias "your alias" -keyalg RSA -keystore "path to keystore file to create" -keysize 2048

Example: Create a certificate keystore and private key by executing the following command:

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -genkey -alias bayasys -keyalg RSA -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -keysize 2048




 Note: Use a recent version of the JDK.


Enter and re-enter a keystore password.
The command then prompts for the following X.509 distinguished-name attributes of the certificate:



Note:
  • First and last name (Common Name (CN)): Enter the domain of your website, e.g. www.admincool.com
  • Organizational Unit (OU): This field is optional. You can give the name of your department or organization.
  • Organization (O): Name of your organization.
  • Locality or City (L): The city or town name, for example: Kochi
  • State or Province (S): Your state, for example: Kerala
  • Country Name (C): The two-letter country code without punctuation, for example: IN

Step 2: Generate a CSR

Syntax:

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -certreq -alias "your alias" -file "Path to CSR to create" -keystore "Path of your keystore file"

Example:

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -certreq -alias bayasys -file C:\Bayasys\SSL-Key\bayasy.csr -keystore C:\Bayasys\SSL-Key\bayasyskey.jks



Use this CSR file to register for SSL Certificate.

Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer.

The text file should look like this:

-----BEGIN CERTIFICATE REQUEST-----

[encoded data]

-----END CERTIFICATE REQUEST----- 

Note: Submit the CSR file to the SSL Certificate Authority when you request the certificate. After validating your CSR, they will send the issued certificates to your registered mail address.

Step 3: Once the certificate has been issued, follow the steps below to install the certificate on your server:


This document provides instructions for installing SSL Certificates on Tomcat using the X.509 format of the certificate.

You have to perform four steps to install the SSL certificate:

1. Download and install the root CA certificate.
2. Download and install the intermediate CA certificate(s) (there may be more than one).
3. Download the issued SSL certificate from your mail and install it.
4. Configure Apache Tomcat.


1. Download and install root CA certificate

Download and save the Root Certificate as "rootCA.cer".

(For Symantec Free SSL


Install this root certificate into your keystore file:

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -import -alias RootCA -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -trustcacerts -file C:\Bayasys\SSL-Key\rootCA.cer




2. Download and install intermediate CA certificate.


Download and save the intermediate certificate as "intermediate.cer".

(For Symantec Free SSL

Install this intermediate certificate into your keystore file:

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -import -trustcacerts -alias Intermediate -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -file C:\Bayasys\SSL-Key\intermediate.cer


3. Download issued SSL certificate from your mail and install it.

Download and save the issued SSL certificate as "ssl_cert.cer".
Install this SSL certificate into your keystore file, using the same alias as the private key (bayasys):

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -import -alias bayasys -keystore C:\Bayasys\SSL-Key\bayasyskey.jks -trustcacerts -file C:\Bayasys\SSL-Key\ssl_cert.cer




Troubleshoot

  • You can delete any alias entry from your keystore file with the following command.

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -delete -noprompt -alias Intermediate -keystore C:\Bayasys\SSL-Key\bayasyskey.jks

  • You can verify your keystore file by exporting its contents to a text file with the following command.

C:\Program Files\Java\jdk1.7.0_79\bin>keytool -list -v -keystore C:\Bayasys\SSL-Key\bayasyskey.jks >Keystore_content.txt
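As an added example (not part of the original post), the following Python script reads the Keystore_content.txt that the keytool -list -v command above produces and checks the things that most often go wrong when the chain is imported by hand: that the server alias (bayasys above) is a PrivateKeyEntry rather than a trustedCertEntry, that its leaf certificate carries the expected Common Name, that each certificate in the chain was issued by the one after it, and, when the issued certificate was imported under a different alias than the private key, which alias it landed under. The two listings embedded in the script are constructed samples in keytool's output format; the hostnames, organisation names and serial numbers are made up.

```python
"""Check a Tomcat JKS keystore listing for the usual certificate-chain mistakes.

Added example, not from the original post. It parses the text written by
`keytool -list -v -keystore bayasyskey.jks > Keystore_content.txt` and
reports entries Tomcat would not serve correctly. Both listings below are
constructed samples in keytool's output format with made-up names.
"""
import re
from typing import Dict, List, Tuple

# Correct result of steps 1-3: key pair, issued certificate and CA
# certificates all under the same alias as the private key.
GOOD_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: bayasys
Creation date: Jan 5, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, OU=IT, O=Example Ltd, L=Kochi, ST=Kerala, C=IN
Issuer: CN=Example Issuing CA, O=Example CA Ltd, C=IN
Serial number: 1a2b3c
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA Ltd, C=IN
Issuer: CN=Example Root CA, O=Example CA Ltd, C=IN
Serial number: 4d5e6f
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA Ltd, C=IN
Issuer: CN=Example Root CA, O=Example CA Ltd, C=IN
Serial number: 0a0b0c


*******************************************
*******************************************


Alias name: rootca
Creation date: Jan 5, 2018
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example CA Ltd, C=IN
Issuer: CN=Example Root CA, O=Example CA Ltd, C=IN
Serial number: 0a0b0c
"""

# Typical mistake: the issued certificate was imported under a new alias, so
# the private key still carries only its self-signed certificate.
BAD_LISTING = """\
Keystore type: JKS

Alias name: bayasys
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=www.example.com, OU=IT, O=Example Ltd, L=Kochi, ST=Kerala, C=IN
Issuer: CN=www.example.com, OU=IT, O=Example Ltd, L=Kochi, ST=Kerala, C=IN
Serial number: 77aa11


*******************************************
*******************************************


Alias name: ssl_cert
Entry type: trustedCertEntry

Owner: CN=www.example.com, OU=IT, O=Example Ltd, L=Kochi, ST=Kerala, C=IN
Issuer: CN=Example Issuing CA, O=Example CA Ltd, C=IN
Serial number: 1a2b3c
"""


def parse_listing(text: str) -> Dict[str, dict]:
    """Map alias -> {'type': entry type, 'chain': [(owner DN, issuer DN), ...]}."""
    entries: Dict[str, dict] = {}
    for block in re.split(r"^\*{5,}$", text, flags=re.M):  # entries are separated by star lines
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue  # keystore header, or the gap between two separator lines
        etype = re.search(r"^Entry type: (.+)$", block, re.M)
        owners = re.findall(r"^Owner: (.+)$", block, re.M)
        issuers = re.findall(r"^Issuer: (.+)$", block, re.M)
        entries[alias.group(1).strip()] = {
            "type": etype.group(1).strip() if etype else "unknown",
            "chain": list(zip(owners, issuers)),  # Certificate[1] first, as keytool prints it
        }
    return entries


def common_name(dn: str) -> str:
    """Extract the CN attribute from a keytool-formatted distinguished name."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""


def check_server_entry(entries: Dict[str, dict], alias: str, hostname: str) -> List[str]:
    """Problems that would stop Tomcat serving `hostname` from `alias`; [] if none."""
    entry = entries.get(alias)
    if entry is None:
        return [f"no entry named '{alias}' in the keystore"]
    problems: List[str] = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"'{alias}' is a {entry['type']}; Tomcat needs a PrivateKeyEntry")
    chain: List[Tuple[str, str]] = entry["chain"]
    if not chain:
        return problems + [f"'{alias}' holds no certificate"]
    leaf_owner, leaf_issuer = chain[0]
    if common_name(leaf_owner) != hostname:
        problems.append(f"leaf CN is '{common_name(leaf_owner)}', expected '{hostname}'")
    if len(chain) == 1 and leaf_owner == leaf_issuer:
        problems.append("only the self-signed key-pair certificate is present; "
                        f"the issued certificate was not imported under '{alias}'")
        for other, e in entries.items():  # find where the issued certificate went
            if other != alias and any(common_name(o) == hostname for o, _ in e["chain"]):
                problems.append(f"a certificate for {hostname} sits under alias '{other}' "
                                f"as {e['type']}; re-import it with -alias {alias}")
    for i in range(len(chain) - 1):  # Certificate[i] must be issued by Certificate[i+1]
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"Certificate[{i + 1}] issuer does not match Certificate[{i + 2}] "
                            "owner; an intermediate is missing or out of order")
    return problems


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, check_server_entry(parse_listing(listing), "bayasys", "www.example.com") or ["OK"])
```

To run it against a real keystore, read Keystore_content.txt into a string and pass it to parse_listing together with your alias and hostname. A chain that stops at the intermediate (no self-signed root) is not reported, because serving the root is optional; a gap between the leaf and the intermediate, or a leaf that ended up under another alias, is what breaks browsers.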


Install SSL Certificate - Steps Together

To import Root : 

> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file /root/SSLCertificate/bayaplanter/AddTrustExternalCARoot.crt -keystore /root/SSLCertificate/bayasyskey.jks

To import Intermediate1 :

> keytool -import -trustcacerts -alias COMODORSAAddTrustCA -file /root/SSLCertificate/bayaplanter/COMODORSAAddTrustCA.crt -keystore /root/SSLCertificate/bayasyskey.jks

To import Intermediate2 :

> keytool -import -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file /root/SSLCertificate/bayaplanter/COMODORSADomainValidationSecureServerCA.crt -keystore /root/SSLCertificate/bayasyskey.jks

To import Domain Certificate:

> keytool -import -trustcacerts -alias bayasys -file /root/SSLCertificate/bayaplanter/bayaplanter_in.crt -keystore /root/SSLCertificate/bayasyskey.jks

Here bayasyskey.jks is the name of your keystore file; substitute the path of your own keystore.

4. Configure Apache Tomcat.

Tomcat keeps its configuration in the server.xml file, which tells Tomcat which keystore file to read and the keystore password. This file also allows server administrators to set the port for secure connections.

Open the server.xml file, search for "Define a SSL HTTP/1.1 Connector on port 8443" and edit the connector as follows:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="Path to your keystore file"
           keystorePass="Your keystore password"/>

For Apache Tomcat 8 and later:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>


Restart your apache tomcat.

Redirect HTTP Requests to HTTPS

Change the Tomcat HTTP connector port from 8080 to 80 and the HTTPS connector port from 8443 to 443.

Open the web.xml file in tomcat/conf and add the following just before the closing </web-app> tag.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
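The connector snippets and the web.xml constraint above are the two edits that make Tomcat serve HTTPS and redirect plain HTTP to it. The script below is an added example (not from the original post or the Tomcat project) that checks both files with Python's standard library: it flags an HTTPS connector still using the Java default keystore password changeit or the default ${user.home}/.keystore path, an HTTP connector whose redirectPort no longer matches the HTTPS port after the 8080/8443 to 80/443 change (the CONFIDENTIAL constraint redirects to that port, so a stale value sends clients to a closed port), and a web.xml without a CONFIDENTIAL constraint for /*. The XML samples are constructed: the weak server.xml mirrors the Tomcat 8 snippet with its port changed but redirectPort forgotten, and the hardened one uses Tomcat's ${...} system-property substitution so the password is not stored in the file; the property name keystore.password is an assumed one.

```python
"""Audit Tomcat's HTTPS connector and the web.xml HTTPS redirect rule.

Added example, not from the original post or the Tomcat project.
All XML below is constructed sample input.
"""
import xml.etree.ElementTree as ET
from typing import List

DEFAULT_KEYSTORE = "${user.home}/.keystore"   # Tomcat's documented default keystoreFile
DEFAULT_PASSWORD = "changeit"                 # Java's default keystore password

# HTTPS port changed to 443 as the post says, but redirectPort left at 8443
# and the keystore attributes still at their defaults.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

# Same layout with the keystore from the post, the password supplied as a JVM
# system property (assumed name keystore.password) and a matching redirectPort.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/root/SSLCertificate/bayasyskey.jks"
           keystorePass="${keystore.password}" keyAlias="bayasys"
           clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

# The constraint from the post, inside a namespaced web-app root as shipped with Tomcat.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml tags can be compared by name."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(xml_text: str) -> List[str]:
    """Return findings for the HTTPS connector(s) in server.xml; [] when clean."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in connectors if c not in https]
    if not https:
        return ['no Connector has SSLEnabled="true"']
    findings: List[str] = []
    for c in https:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'port {port}: scheme="https" and secure="true" must both be set')
        if c.get("keystorePass", "") in ("", DEFAULT_PASSWORD):
            findings.append(f"port {port}: keystorePass is empty or the Java default '{DEFAULT_PASSWORD}'")
        if c.get("keystoreFile", DEFAULT_KEYSTORE) == DEFAULT_KEYSTORE:
            findings.append(f"port {port}: keystoreFile still points at the default {DEFAULT_KEYSTORE}")
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f"port {port}: sslProtocol selects SSL rather than TLS")
        for p in plain:  # the CONFIDENTIAL redirect goes to this connector's redirectPort
            if p.get("redirectPort") != port:
                findings.append(f"port {p.get('port')}: redirectPort={p.get('redirectPort')} does not "
                                f"match the HTTPS port {port}; the CONFIDENTIAL redirect will fail")
    return findings


def audit_web_xml(xml_text: str) -> List[str]:
    """Check that some security-constraint forces CONFIDENTIAL transport for /*."""
    root = ET.fromstring(xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text]
        guarantees = [e.text.strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee" and e.text]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return []
    return ["no security-constraint with url-pattern /* and transport-guarantee CONFIDENTIAL"]


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_server_xml(xml) or ["OK"])
    print("web.xml", audit_web_xml(WEB_XML) or ["OK"])
```

Point audit_server_xml and audit_web_xml at the contents of tomcat/conf/server.xml and tomcat/conf/web.xml after editing them and before the restart; the hardened sample also shows keyAlias, which pins the connector to the bayasys entry when the keystore holds more than one key.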


Restart your apache tomcat.

Open your browser and visit https://localhost or https://www.admincool.com.



