Server certificate installation and Configuration Guide (Tomcat6)

1. Generate a certificate request

1. Install JDK
JDK support is required to install Tomcat. If you have not installed JDK, you can refer
Download Java SE Development Kit (JDK. :
Http://www.oracle.com/technetwork/java/javase/downloads/index.html

2. Generate a keystore File
To generate the keystore file keystore. jks, you must use the JDK keytool. Run the command line to enter the bin directory under JDK or JRE and run the keytool command (the bold part in the example is user-defined. Please adjust it according to the actual configuration ).
Keytool-genkey-aliasServer-Keyalg RSA-keysize 2048-keystore. jks-storepassPassword-KeypassPassword


In the preceding command, the server is the private key alias (-alias), and the generated keystore. jks file is stored in the current path of the command line by default.

3. Generate the certificate request file (CSR)
Keytool-certreq-alias server-sigalg SHA1withRSA-file certreq. csr-keystore C: \ keystore. jks-keypassPassword-StorepassPassword


Back up the keystore file keystore. jks and submit the certificate request file certreq. csr later. Wait for the certificate to be issued. The loss of keystore. jks in the keystore file will cause the certificate to become unavailable.

Ii. Import server certificates

1. Obtain the intermediate CA certificate of the server certificate
To ensure the compatibility of server certificates on the client, two intermediate CA certificates must be installed on the server certificate (different brands of certificates may have only one intermediate certificate ).
Obtain the intermediate CA certificate from the email:
The contents of two intermediate CA certificates from BEGIN to END (including "----- begin certificate -----" and "----- end certificate -----") paste the file into a text editor such as Notepad, modify the file extension, and save it as the intermediate1.cer and intermediate2.cer files.

2. Obtain the server certificate
Paste the content of the server CERTIFICATE (including ----- begin certificate ----- and ----- end certificate -----) in the email from the CERTIFICATE bookmarks to a text editor such as Notepad, modify the file extension and save it as server. cer File

3. view the content of the Keystore File
Go to the bin directory under the JDK installation directory and run the keytool command.
Keytool-list-keystore. jks-storepassPassword


The private key alias (alias) of the PrivateKeyEntry attribute is server. Remember this alias and use it later when importing the server certificate. (The bold part in the example is a custom part. Please adjust it according to the actual configuration ).
Note: When importing a certificate, you must use the keystore. jks file generated when the certificate request file is generated. If the keystore. jks file is lost or a new keystore. jks file is generated, your server certificate cannot be correctly imported.

4. Import the certificate (if there is only one intermediate certificate, you only need to import one intermediate Certificate)
Import the First Intermediate CA certificate
Keytool-import-alias intermediate1-keystore. jks-trustcacerts-storepassPassword-File intermediate1.cer
Import the second intermediate CA certificate
Keytool-import-alias intermediate2-keystore. jks-trustcacerts-storepassPassword-File intermediate2.cer


Import server certificate
Keytool-import-alias server-keystore C: \ keystore. jks-trustcacerts-storepassPassword-File server. cer


When importing a server certificate, the server certificate alias must be the same as the Private Key alias. Please note the prompts when importing intermediate CA certificates and server certificates. If the alias you use when importing the server certificate is different from the private key alias, the system prompts "authentication has been added to the keystore" instead of "authentication reply has been installed in the keystore ".
After the certificate is imported, run the keystool command to view the content of the keystore file again.
Keytool-list-keystore. jks-storepassPassword

Iii. Install the server certificate

1. One-way authentication Configuration
Copy the correctly imported keystore. jks file to the conf directory under the Tomcat installation directory. Open the server. xml file in the conf directory, find and modify the following content:
<! --
<Connector port = "8443" protocol = "HTTP/1.1" SSLEnabled = "true"
MaxThreads = "150" scheme = "https" secure = "true"
ClientAuth = "false" sslProtocol = "TLS"/>
SSL Access Port
-->
Change
<Connector port = "443" protocol = "org. apache. coyote. http11.Http11Protocol" SSLEnabled = "true"
MaxThreads = "150" scheme = "https" secure = "true"
KeystoreFile = "conf \ keystore. jks" keystorePass = "password"
ClientAuth = "false" sslProtocol = "TLS"/>
The default SSL access port number is 443. If you use another port number, you must use https: // yourdomain: port to access your site.

2. Two-way authentication Configuration
When configuring two-way authentication, you also need to specify the trusted library file for client authentication. The client-side truststoreFile can be the same as the server certificate keystore file or configured independently.
The same keystore file is used in the example. You must first import the client-authenticated root certificate and intermediate CA certificate to the client-authenticated trust database.
<Connector port = "443" protocol = "org. apache. coyote. http11.Http11Protocol" SSLEnabled = "true"
MaxThreads = "150" scheme = "https" secure = "true"
KeystoreFile = "conf \ keystore. jks" keystorePass = "password"
TruststoreFile = "conf \ keystore. jks" truststorePass = "password"
ClientAuth = "true" sslProtocol = "TLS"/>

3. Access Test

Restart Tomcat, access https: // youdomain: port, and test the certificate installation.

The procedure is the same for Linux.