Ordering and renewing an SSL Certificate on Apache Tomcat Servers consists of the following parts:
Generating a keystore
Generating a CSR
Ordering a Certificate
Importing the resulting certificate and any intermediate certificates required
Configuring the server to use the keystore
This tutorial assumes you are renewing from a Linux Tomcat installation, although the methods are largely the same for any other operating system running Tomcat.
Step 1 – Generating a Keystore
SSL certificates are placed into “keystores” on the Tomcat Server. Depending on your situation, you may or may not have an existing keystore. You may also have to recreate a keystore if it had been created incorrectly in the past with the wrong bit-length or cipher (2048-bit RSA is recommended as of this writing), if you do not know the keystore password, or for a variety of other reasons.
To find the current keystore(s) (typically, this will be keystore.jks), connect to your server via SSH and run this command:
find / -name keystore.jks
If that fails to yield any results, you can try looking for all the *.jks files on the system (quote the pattern so the shell does not expand it before find sees it):
find / -name '*.jks'
If still no results are found, odds are that you do not have a keystore yet on your system. You will need to generate a keystore and private key with the following:
keytool -genkey -alias server -keystore /path/to/your/keystore/keystore.jks -keyalg RSA -sigalg SHA256withRSA -keysize 2048
Note that when keytool is asking for your first and last name, it is actually asking for the FQDN of the server you wish to install an SSL certificate on (depending on the flavor of keytool you have, it may or may not be “first and last name”, it may actually ask for “FQDN” or “server name”). It will also prompt you for a keystore password – make this anything you want, but be sure to remember it.
root@jarvis-web:/# keytool -genkey -alias server -keystore /tmp/keystore.jks -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 365
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  jgomez.net
What is the name of your organizational unit?
  [Unknown]:  Geeks
What is the name of your organization?
  [Unknown]:  Joes Consulting
What is the name of your City or Locality?
  [Unknown]:  Monterey
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US correct?
  [no]:  yes
Enter key password for <server>
  (RETURN if same as keystore password):
root@jarvis-web:/#
Congratulations, you now have a keystore in which to place keys and generate CSRs from.
Step 2 – Generating a CSR (Certificate Signing Request)
Typically, generating a CSR is a pretty straightforward task. This will generate a CSR for jgomez.net (or whatever you entered for “First and Last Name” above) named mycertrequest.csr and place it in /tmp/.
keytool -certreq -alias server -keystore /tmp/keystore.jks -file /tmp/mycertrequest.csr
root@jarvis-web:/# keytool -certreq -alias server -keystore /tmp/keystore.jks -file mycertequest.csr
Enter keystore password:
root@jarvis-web:/#
Do note that the alias has to be the same alias you created with the first command, otherwise you will get an error:
root@jarvis-web:/tmp# keytool -certreq -alias fjasdlkfjadkslf -keystore /tmp/keystore.jks -file /tmp/mycerrequest.csr
Enter keystore password:
keytool error: java.lang.Exception: Alias <fjasdlkfjadkslf> does not exist
Step 3 – Ordering a Certificate
Go to your favorite certificate reseller (e.g. Trustico, NameCheap, whatever) and proceed to order your certificate.
You will be prompted to enter the text of the CSR you generated.
Copy the full content of the mycertrequest.csr you made and paste it where requested.
Fill out other order information as appropriate, and double-check the domain you are getting the certificate for (e.g. jgomez.net or sub.jgomez.net).
Step 4 – Importing the Certificate
First, you will want to concatenate all certificates together into a single file, or download the .p7b bundle of certificates from your vendor, which will include the certificate you ordered and any required intermediate certificates. If you do not do one of these steps, odds are you will run into an error.
SSH to the server
Copy the certificates to the server
Import the certificate into the keystore:
keytool -import -trustcacerts -alias server -keystore /tmp/keystore.jks -file /path/to/certs/you/uploaded.p7b
Verify that the key exists and is of type “PrivateKeyEntry” – if it is not, your certificates were imported incorrectly and Tomcat will not be happy.
keytool -list -v -keystore /path/to/keystore.jks | more
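The check above is easy to eyeball once, but for a renewal it is worth scripting. This is an added helper, not part of the original post: it parses the text of keytool -list -v for a given alias and confirms the entry is a PrivateKeyEntry whose chain also contains at least one intermediate (a chain length of 1 means the reply never landed on the key). The sample listings are constructed for the test, and the check_keystore wrapper assumes keytool is on PATH and the password is in KEYSTORE_PASS.

```shell
# check_keystore_listing LISTING ALIAS
# LISTING is the output of `keytool -list -v -keystore <file>`. Returns 0 when ALIAS is a
# PrivateKeyEntry with a certificate chain of at least 2 (leaf + intermediate), else 1.
check_keystore_listing() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        /^Alias name: /                           { inblock = ($0 == ("Alias name: " alias)) }
        inblock && /^Entry type: /                { type = $3 }
        inblock && /^Certificate chain length: /  { len = $4 }
        END { exit !(type == "PrivateKeyEntry" && len + 0 >= 2) }
    '
}

# Wrapper for a real keystore: check_keystore /path/to/keystore.jks server
# Assumes keytool on PATH and the keystore password exported as KEYSTORE_PASS.
check_keystore() {
    check_keystore_listing "$(keytool -list -v -keystore "$1" -storepass "$KEYSTORE_PASS")" "$2"
}

# Constructed sample: the .p7b reply was imported under the key's alias, so the
# private key now carries the issued certificate plus its intermediate.
GOOD_LISTING='Your keystore contains 1 entry

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA'

# Constructed sample: the reply was imported under a different alias, so the key
# still has only its self-signed certificate and the issued cert became a trustedCertEntry.
BAD_LISTING='Your keystore contains 2 entries

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US
Issuer: CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US

Alias name: mycert
Entry type: trustedCertEntry
Owner: CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US
Issuer: CN=Example Intermediate CA'
```

Run it as check_keystore /tmp/keystore.jks server after the import; a non-zero exit is your cue to re-import the bundle with the key's alias before touching server.xml.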
Step 5 – Configuring the Server
Find the location of server.xml (the config file for Tomcat)
find / -name server.xml
Specify the correct keystore filename and password in your connector configuration.
When you are done, your connector should look something like this, although your port numbers may vary depending on your setup:
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           keyAlias="server"
           keystoreFile="/home/user_name/your_site_name.jks"
           keystorePass="your_keystore_password" />
- Restart Tomcat
- Test your website
I hope this helps.