<img alt="" src="https://secure.leadforensics.com/150446.png " style="display:none;">
Go to top icon

SSL installation in Tomcat

Priya Benade Dec 23, 2015


How to generate a CSR in Tomcat

We can use the keytool command to generate and manage the keystore file. Change to the directory where you want to keep the keystore and certificates.

The command below generates the private key and keystore (the CSR is created from it in the next step):

$JAVA_HOME/bin/keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks

It will prompt for a keystore password. Choose a strong one and keep a record of it: every later keytool command needs it and it is written into server.xml. The password changeit is the well-known default of the JDK's own cacerts truststore, not a default for a keystore you create, so do not reuse it here.

Then it will ask for the following information:

Note: For a wildcard certificate the name must begin with the * character as the whole leftmost label (example: *.domainname.com). A wildcard covers one level of subdomain only; *.domainname.com does not cover domainname.com itself.

  • First and Last Name: the fully-qualified domain name you are securing, which keytool stores as the Common Name (CN). For a wildcard certificate put the asterisk in place of the leftmost label, for example *.domainname.com. Browsers now match the hostname against the Subject Alternative Name (SAN) extension rather than the CN, so make sure every hostname the certificate must cover is listed when you order it from the CA.
  • Organizational Unit: leave this empty. Public CAs stopped accepting an OU in certificates in 2022 (CA/Browser Forum Baseline Requirements), so a DBA name entered here is dropped or causes the order to be rejected. (A company is "doing business as", DBA, when the name under which it operates differs from its legal, registered name.)
  • Organization: the full legal name of your organization. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, enter the certificate requestor's name here.
  • City or Locality: the city in which your organization is registered or located; do not abbreviate.
  • State or Province: the state or province where your organization is located; do not abbreviate.
  • Country Code: the two-letter ISO 3166 country code of the country where your organization is legally registered.

After you have completed the required information, confirm that it is correct by entering y or yes when prompted. keytool then asks for a key password for the alias; press Enter to reuse the keystore password. Tomcat assumes the key password equals the keystore password unless keyPass is set on the connector, so keeping the two identical avoids a confusing failure at startup.

Note: Make sure to remember the password you choose.

A keystore file named your_site_name.jks is now created in your current working directory.

Generate a CSR from Your New Keystore

  1. Use keytool to create the Certificate Signing Request (CSR) from the keystore.

Enter the command below:

keytool -certreq -alias server -file csr.txt -keystore your_site_name.jks

  2. Type the keystore password you chose earlier and press Enter.
  3. The CSR is written to csr.txt in the current directory.
  4. Open csr.txt in a text editor and paste its full contents, including the BEGIN NEW CERTIFICATE REQUEST and END lines, into your CA's order form. Keep the keystore file (.jks) safe and back it up: the private key matching the CSR exists only there, and the issued certificate is useless without it.
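The keystore and CSR steps above as one non-interactive script. This is an added example, not code from the original post; the alias "server", the hostnames, the O/L/ST/C values and the KEYSTORE_PASS variable are placeholders. It goes beyond the interactive walkthrough in two ways: the distinguished name is passed with -dname instead of prompts, and the hostnames are put into a Subject Alternative Name extension, which is what browsers actually check.

```shell
#!/bin/sh
# Added example, not code from the original post: the keystore and CSR steps
# above as one non-interactive script. Placeholders: the alias "server", the
# hostnames, the O/L/ST/C values, and the KEYSTORE_PASS variable.
set -eu

# san_ext HOST... -> "SAN=dns:h1,dns:h2", the value keytool's -ext flag takes.
# Browsers match the hostname against this list, not against the CN, so every
# name the certificate must cover belongs here.
san_ext() {
  out=""
  for h in "$@"; do
    out="${out:+$out,}dns:$h"
  done
  printf 'SAN=%s\n' "$out"
}

# valid_cn NAME -> 0 for a plain hostname or a wildcard whose "*" is the whole
# leftmost label (*.example.com); 1 for anything else (www.*.example.com, *).
valid_cn() {
  case "$1" in
    '')   return 1 ;;
    \*.*) rest="${1#\*.}"
          case "$rest" in ''|*\**) return 1 ;; *) return 0 ;; esac ;;
    *\**) return 1 ;;
    *)    return 0 ;;
  esac
}

# make_csr DIR CN [ALT_NAME...]: create DIR/site.jks with a 2048-bit RSA key
# under alias "server" and write the CSR to DIR/csr.txt. The CN is listed in
# the SAN too, together with any extra names.
make_csr() {
  dir="$1"; cn="$2"; shift 2
  valid_cn "$cn" || { echo "bad common name: $cn" >&2; return 1; }
  ext=$(san_ext "$cn" "$@")
  ks="$dir/site.jks"
  # -dname replaces the interactive prompts. OU is left out on purpose: public
  # CAs no longer accept it. The password is read from the environment so it
  # does not end up in shell history or in "ps" output. JDK 9+ writes this
  # file in PKCS12 format despite the .jks name; Tomcat's JKS loader accepts it.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
    -keystore "$ks" -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
    -dname "CN=$cn, O=Example Corp, L=Example City, ST=Example State, C=US" \
    -ext "$ext"
  # -ext is given again here so the request itself carries the SAN.
  keytool -certreq -alias server -keystore "$ks" -storepass:env KEYSTORE_PASS \
    -ext "$ext" -file "$dir/csr.txt"
  # Check before sending it to the CA: the names must show up under
  # "Extension Request" as SubjectAlternativeName entries.
  keytool -printcertreq -file "$dir/csr.txt"
}

# Demo, run only when keytool is available: a CSR for www.example.com that
# also covers the bare domain.
if command -v keytool >/dev/null 2>&1; then
  KEYSTORE_PASS="${KEYSTORE_PASS:-change-this-passphrase}"; export KEYSTORE_PASS
  work=$(mktemp -d)
  make_csr "$work" www.example.com example.com
  echo "CSR written to $work/csr.txt"
fi
```

Paste csr.txt into the CA's order form as before. Before importing the issued certificate, run keytool -printcert -file on the .p7b the CA returns and confirm that every hostname you need appears in its SubjectAlternativeName; a CA interface that takes names from the order rather than the CSR can silently drop one.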

Tomcat Web Server SSL Certificate Installation

  1. Download your SSL certificate file (your_site_name.p7b) to the directory where you saved your keystore during the CSR creation process. A .p7b (PKCS#7) bundle normally contains the server certificate and the CA's intermediate certificates together. If your CA gave you separate PEM (.crt/.cer) files instead, import the root and intermediate certificates first, each under its own alias (for example root and intermediate), and the server certificate last under the alias server.
  2. If you used the keytool command above to generate your CSR, the keystore is called your_site_name.jks.
  3. Note: you must install the certificate into the same keystore and under the same alias (server) that you used to generate the CSR, because keytool matches the certificate reply to the private key stored under that alias. Installing it into a different keystore or alias makes the command in the next step fail or, worse, creates a trusted-certificate entry with no private key, which Tomcat cannot serve.
  4. To install the certificate into your keystore, use the following command:

keytool -import -trustcacerts -alias server -file your_site_name.p7b -keystore your_site_name.jks

  5. You should see the confirmation "Certificate reply was installed in keystore." If keytool instead reports "Failed to establish chain from reply", the CA's root or intermediate certificate is neither in the reply nor in the JDK's cacerts truststore; import those certificates first under their own aliases and repeat the command.
  6. If you are asked whether to trust the certificate, answer y or yes.
  7. Check the result before touching Tomcat: list the keystore with keytool -list -v for the alias server. The entry must be a PrivateKeyEntry (not a trustedCertEntry) and the certificate chain length should equal the number of certificates in your chain (typically 2 or 3). Your keystore is then ready; the remaining steps configure Tomcat to use it.
  8. Before Tomcat can accept secure connections, you need to configure an SSL connector.
  9. Open server.xml in a text editor (it is in the conf folder under your Tomcat home directory).
  10. Locate the connector you want the new keystore to secure: the one with SSLEnabled="true" and port 443 or 8443. Binding to 443 requires root on Linux, which is why a stock Tomcat uses 8443; keep 8443 and put a reverse proxy or port forward in front if clients must use 443.
  11. Specify the keystore filename and password in the connector configuration. keystorePass sits in clear text in server.xml, so restrict that file and the keystore to the Tomcat service account (mode 600 or the Windows equivalent).
  12. Note that redirectPort on the plain HTTP connector only applies to requests that hit a security-constraint with a CONFIDENTIAL transport guarantee in web.xml; it does not make port 80 redirect everything to HTTPS.
  13. The connector settings look like the following. Two things to watch: the attributes are sslProtocol and sslEnabledProtocols (a misspelling such as sslProtocols only produces a "did not find a matching property" warning in the log and leaves the TLS versions at their defaults), and compression must stay off on a TLS connector because compressed HTTPS responses leak secrets through BREACH-style attacks:

                 <Connector port="80" protocol="HTTP/1.1"

 connectionTimeout="20000   

  URIEncoding="UTF-8"

 redirectPort="443" />

                 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"

                  maxThreads="150" scheme="https" secure="true"

                 clientAuth="false"

                 sslProtocols="TLS"

                 keystoreFile="/home/user_name/your_site_name.jks"

                  keystorePass=" your_keystore_password"

                   compression="force" />

  1. Save the changes to server.xml.
  2. Restart Tomcat, then check from a client (a browser's certificate viewer, or openssl s_client with the server name) that the new certificate and the full chain are served and that only the TLS versions you configured are negotiated.
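As an added check that is not part of the original post, here is a small lint that runs over a server.xml and flags the mistakes that commonly creep into an attribute-style TLS connector: compression on a TLS port, the misspelt sslProtocols attribute, a missing sslEnabledProtocols, whitespace pasted into keystorePass, and a bare protocol="HTTP/1.1". The two fragments it examines are constructed for the demo; the paths and password in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: a lint for the attribute-style
# TLS <Connector> in server.xml (Tomcat 7/8.0 form, also accepted by 8.5+).
# Needs only POSIX sh, awk and grep. Both sample fragments are constructed here
# for the demo; paths and passwords in them are placeholders.
set -eu

# ssl_connectors FILE -> every <Connector ... SSLEnabled="true" ... /> element
# collapsed onto one line, so the checks below do not care about line breaks.
ssl_connectors() {
  awk '
    /<Connector/ { buf = ""; on = 1 }
    on { buf = buf " " $0 }
    on && /\/>/ { on = 0; if (buf ~ /SSLEnabled="true"/) print buf }
  ' "$1"
}

# lint_connector FILE -> one finding per line; no output means nothing flagged.
lint_connector() {
  ssl_connectors "$1" | while IFS= read -r c; do
    # HTTP compression over TLS lets an attacker who controls part of a page
    # recover secrets from response sizes (BREACH); "force" compresses everything.
    case "$c" in
      *'compression="on"'*|*'compression="force"'*)
        echo 'compression enabled on a TLS connector (BREACH)' ;;
    esac
    # "sslProtocols" is not a Tomcat attribute; Tomcat logs a warning and
    # keeps its defaults. The real names are sslProtocol and sslEnabledProtocols.
    case "$c" in
      *'sslProtocols='*) echo 'unknown attribute sslProtocols (use sslEnabledProtocols)' ;;
    esac
    # Without sslEnabledProtocols (or protocols= on an SSLHostConfig) older
    # Tomcat/JDK combinations still offer TLS 1.0 and 1.1.
    case "$c" in
      *'sslEnabledProtocols='*|*' protocols='*) ;;
      *) echo 'no sslEnabledProtocols: TLS versions left to defaults' ;;
    esac
    # A password starting with whitespace is almost always a paste error and
    # produces a keystore-password failure at startup that is hard to spot.
    case "$c" in
      *'keystorePass=" '*) echo 'keystorePass begins with whitespace' ;;
    esac
    # protocol="HTTP/1.1" picks the APR/native connector when Tomcat Native is
    # installed; on Tomcat 7/8.0 that connector ignores keystoreFile entirely.
    case "$c" in
      *'protocol="HTTP/1.1"'*) echo 'protocol="HTTP/1.1" may select APR; pin Http11NioProtocol' ;;
    esac
  done
}

# lint_count FILE -> number of findings, as a plain integer.
lint_count() {
  lint_connector "$1" | awk 'END { print NR }'
}

# make_samples DIR: write the connector from the post (weak.xml) and a
# corrected one (hardened.xml). Constructed test data, not real configs.
make_samples() {
  cat > "$1/weak.xml" <<'EOF'
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLS"
           keystoreFile="/home/user_name/your_site_name.jks"
           keystorePass=" your_keystore_password"
           compression="force" />
EOF
  cat > "$1/hardened.xml" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           keystoreFile="/home/user_name/your_site_name.jks"
           keystorePass="your_keystore_password" keyAlias="server" />
EOF
}

# Demo: lint both samples.
work=$(mktemp -d)
make_samples "$work"
for f in weak hardened; do
  echo "== $f.xml: $(lint_count "$work/$f.xml") finding(s)"
  lint_connector "$work/$f.xml"
done
rm -rf "$work"
```

Point lint_connector at $CATALINA_HOME/conf/server.xml before the restart. After the restart, confirm from the outside with openssl s_client -connect host:8443 -servername host that the chain has the expected depth and that the negotiated protocol is TLS 1.2 or 1.3; keytool -list -v -keystore your_site_name.jks -alias server shows the same chain from the server side, so the two outputs should agree.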
