Tomcat SSL Administration on Windows

Introduction

 

When ordering an SSL certificate you need a Certificate Signing Request (CSR), which is created from a private key.

 

If you want to create the private key yourself, you also need to generate the CSR. In that case follow Generating a CSR followed by Installation of an SSL certificate.

 

Alternatively you can choose the CSR service when ordering. We will then generate the private key and CSR file, and you will receive the certificate and private key securely in a .PFX file.

When you have the file, follow Installation via PFX file.

 

Apart from installing the certificate, you need to ensure that the HTTPS connector in the configuration is active and set to use the required port, e.g. 443.

 

All paths in the guide assume a standard installation. If your server has been installed differently, you need to correct the paths accordingly.

 

  1. To find the versions of the OS, Tomcat and JVM, and their respective paths, execute the following command:

 

c:\tomcat\bin\version.bat

 

 

  2. Create a certificates folder for your certificates and keystore files:

 

mkdir c:\tomcat\certificates

 

 

Generating a CSR

 

In this example we have used a single DNS name that works with both standard and SAN certificates; for a wildcard certificate the Common Name has to be changed to *.fairssl.dk.

 

To generate the CSR you need to gather the following information:

 

  • Common Name (CN): The primary full internet domain name. e.g.: www.fairssl.dk
  • Organization Name (O): The full organisation name, exactly as registered in CVR. e.g.: FairSSL A/S
  • Organizational Unit (OU): The department that is to use the certificate. It must not be something that could be confused with another organisation. We recommend leaving it blank or using the organisation name. e.g.: FairSSL A/S
  • Locality (L): City name. e.g.: Oerum Djurs
  • State (S): State or municipality; in Denmark the municipality is used. e.g.: Norddjurs
  • Country (C): ISO-standard two-letter country code, must be capital letters. e.g.: DK

 

Be aware that Æ, Ø and Å are not handled correctly by Keytool, so change them to AE, OE and AA.

 

Creating a keystore

 

  1. Create a keystore file by running the following command:

If you already have a keystore, you can use the path to it, along with the password that belongs to it.

 

    • alias: A name that is easy to remember in relation to the website it is to be used with, e.g. the DNS name
    • password: Here you type in a password for the keystore file; if you leave it blank, it will use the default password: changeit

 

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -genkey -alias www.fairssl.dk -keyalg RSA -keysize 2048 -keystore c:\tomcat\certificates\keystore

 

Now you need the information you collected in Generating a CSR.

First and last name: Here you need to type in the Common Name

At the prompt Enter key password for <www.fairssl.dk>, it is important that you do not type in anything (just press Enter), because Tomcat needs the password to be the same for the keystore and the key.

 

 

Creating a CSR

 

  1. To create a CSR you need the alias you created in your keystore.

Run the following command using the password for the keystore file:

 

    • alias: The alias you want to create the CSR from
    • keystore: Path and name of the keystore file
    • file: Path and name for the CSR file you want to create

 

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -certreq -keyalg RSA -keysize 2048 -alias www.fairssl.dk -keystore c:\tomcat\certificates\keystore -file c:\tomcat\certificates\www.fairssl.dk.csr

 

 

  2. Open the CSR file with a text editor (e.g. notepad www.fairssl.dk.csr) and copy the entire text, incl. all the dashes at the beginning and end.

During the certificate ordering process you paste the text into the CSR field.

The following is an example of a complete CSR text:

 

 

A CSR does not contain any confidential information (only the public key and the subject details, signed with the private key), so there is no security risk in sending it through unencrypted e-mail or similar.

 

Installation of an SSL certificate

 

  1. Import the intermediate certificate into the keystore file:

 

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -import -alias root -keystore c:\tomcat\certificates\keystore -trustcacerts -file c:\tomcat\certificates\intermediate.crt

 

 

  2. Import the server certificate into the keystore file:

 

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -import -alias www.fairssl.dk -keystore c:\tomcat\certificates\keystore -file c:\tomcat\certificates\www.fairssl.dk.crt

 

 

  3. Restart the Tomcat service

 

We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/

 

Installation via PFX file

 

Tomcat 5+ supports PKCS#12 files directly in the configuration.

If this does not work, follow Converting from PFX to keystore (requires JVM 1.6+).

 

  1. Put your .PFX file in c:\tomcat\certificates

 

  2. Open server.xml with a text editor, e.g.:

 

notepad c:\tomcat\conf\server.xml

 

  3. Type in the following, and correct it so it fits your server:

 

    • hostName: The DNS name for your website
    • certificateKeystoreFile: The path for your .PFX file
    • keystorePass: The password for the .PFX file. If you used the CSR service, the password was sent to you by SMS

 

 

  4. Restart the Tomcat service

 

We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/

 

Converting from PFX to keystore

 

  1. If you have an existing keystore, make a backup with the following command:

 

move c:\tomcat\certificates\keystore c:\tomcat\certificates\keystore.bak

 

 

  2. If you have used the CSR service, the alias will be something along the lines of fairssl-2018. You are of course welcome to keep that alias, but you can also change it to something that makes it easier to remember what it is for.

Run the following command to see which alias is in the .PFX file (the -storetype PKCS12 option tells keytool the file format, which older keytool versions do not detect automatically):

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -list -storetype PKCS12 -keystore c:\tomcat\certificates\www.fairssl.dk.PFX

 

 

  3. Import the .PFX file into the keystore using the following command:

 

    • srckeystore: the path to the .PFX file
    • srcalias: The alias you found in step 2
    • srcstorepass: The password for the .PFX file; if you used the CSR service, the password was sent to you by SMS
    • destkeystore: The path to the keystore file
    • destalias: The alias you want in the keystore
    • deststorepass: The password you want on your keystore
    • destkeypass: The same password you entered in deststorepass

 

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -importkeystore -srckeystore c:\tomcat\certificates\www.fairssl.dk.PFX -srcalias fairssl-2018 -srcstoretype PKCS12 -srcstorepass myPassword -destkeystore c:\tomcat\certificates\keystore -deststoretype JKS -destalias www.fairssl.dk -deststorepass keystorePassword -destkeypass keystorePassword

 

 

  4. Restart the Tomcat service

 

We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/

 

Configuration of server.xml

 

  1. Open server.xml with a text editor, e.g.:

 

notepad c:\tomcat\conf\server.xml

 

  2. Type in the following, and correct it so it fits your server:

 

    • hostName: The DNS name for your website
    • certificateKeystoreFile: The path to the keystore file
    • keystorePass: The password you gave the keystore when you made it
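The connector the two "Type in the following" steps refer to (step 3 of Installation via PFX file and step 2 of Configuration of server.xml) is shown here as an added example in Tomcat 8.5+ syntax; it is not the guide's own snippet. It assumes the keystore, alias and password from this guide, and defaultSSLHostConfigName is set to the same value as hostName so that the named SSLHostConfig is also used for clients that send no SNI.

```xml
<!-- Added example of the HTTPS connector for Tomcat 8.5 and later (not the guide's own).
     Adjust port, hostName, paths, alias and passwords to your server.
     Forward slashes are accepted in paths on Windows. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150"
           defaultSSLHostConfigName="www.fairssl.dk">
    <SSLHostConfig hostName="www.fairssl.dk"
                   protocols="TLSv1.2">
        <!-- Keystore created with keytool in "Creating a keystore".
             The guide keeps the key password equal to the keystore password;
             if they differ, add certificateKeyPassword="..." as well. -->
        <Certificate certificateKeystoreFile="c:/tomcat/certificates/keystore"
                     certificateKeystorePassword="keystorePassword"
                     certificateKeystoreType="JKS"
                     certificateKeyAlias="www.fairssl.dk" />
        <!-- For the PFX route, use this Certificate element instead:
             <Certificate certificateKeystoreFile="c:/tomcat/certificates/www.fairssl.dk.PFX"
                          certificateKeystorePassword="myPassword"
                          certificateKeystoreType="PKCS12" /> -->
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, the catalina log reports whether the connector on port 443 started; a keystore or password mismatch shows up there as an SSL initialisation error.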

 

 

  3. Restart the Tomcat service

 

We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/

 

Intermediate Certificates

 

Here you can find the intermediate certificates from different Certificate Authorities.

We recommend that you use the intermediate certificate you got with your server certificate, and only download from here in case you lose it, as the one you get in the mail will always be the correct one for your server certificate.
