Secure Connection Configuration (HTTPS)

This section describes how to install a certificate from a Certificate Authority into Tomcat. A self-signed certificate is already installed in $NFO_HOME/tomcat/conf/.tomcat_keystore; the keystore password is "password" and the private key password is the same.

If you want to replace the self-signed certificate with a new one from a Certificate Authority, use the following steps, taken from http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

HTTPS parameters are configured in the Connector section of the tomcat/conf/server.xml configuration file. All Connector attributes are described at https://tomcat.apache.org/tomcat-7.0-doc/config/http.html. If the keystore path or password is changed, the corresponding Connector attributes must be updated to match.
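As an added example (not taken from the NFO documentation), the following is what such a Connector element looks like in tomcat/conf/server.xml for the keystore used in this section. The port, the literal /opt/nfo installation path and the cipher list are assumptions; the alias and the keystore password are the ones this section states.

```xml
<!-- Added example, not from the NFO documentation: a Tomcat 7 JSSE HTTPS Connector
     whose keystore attributes match the keystore used in this section.
     Port 8443, the /opt/nfo path and the cipher list are assumptions. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150"
           keystoreFile="/opt/nfo/tomcat/conf/.tomcat_keystore"
           keystorePass="password"
           keyAlias="tomcat"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
```

Three things to check against the keytool steps below: server.xml does not expand the shell variable $NFO_HOME, so keystoreFile must be a literal path (a relative path is resolved against $CATALINA_BASE, and Tomcat does expand ${catalina.base}); keyAlias must be the alias the certificate was imported under (tomcat); and keyPass defaults to the keystorePass value, which is why the private key password has to stay equal to the keystore password unless keyPass is set explicitly. keystorePass="password" is the shipped default; if you change it with keytool -storepasswd, change it here as well.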

Create a local Certificate Signing Request (CSR)

In order to obtain a certificate from the Certificate Authority of your choice, you have to create a so-called Certificate Signing Request (CSR). The Certificate Authority uses the CSR to create a certificate that will identify your website as "secure". To create a CSR, follow these steps:

  • Delete the preinstalled self-signed certificate:

$NFO_HOME/java/jre8/jre/bin/keytool -delete -alias tomcat \
-keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

  • Create a local Certificate:

$NFO_HOME/java/jre8/jre/bin/keytool -keysize 2048 -genkey -alias tomcat \
-keyalg RSA -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

Note: In some cases you will have to enter the domain of your website (e.g. www.domain.org) in the "first and last name" field in order to create a working certificate.

  • The CSR is then created with:

$NFO_HOME/java/jre8/jre/bin/keytool -certreq -keyalg RSA -alias tomcat \
-file certreq.csr -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

Now you have a file called certreq.csr that you can submit to the Certificate Authority (see the Certificate Authority's website documentation on how to do this). In return you get a certificate.

Import the Certificate

Now that you have your certificate you can import it into your local keystore. First of all you have to import a so-called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your certificate.

  • Download a Chain Certificate from the Certificate Authority you obtained the certificate from:
    For Verisign.com commercial certificates go to: http://www.verisign.com/support/install/intermediate.html
    For Verisign.com trial certificates go to: http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
    For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
    For Thawte.com go to: http://www.thawte.com/certs/trustmap.html

  • Import the Chain Certificate into your keystore

$NFO_HOME/java/jre8/jre/bin/keytool -import -alias root \
-keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
-trustcacerts -file <filename_of_the_chain_certificate>

  • And finally import your new Certificate

$NFO_HOME/java/jre8/jre/bin/keytool -import -alias tomcat \
-keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
-file <your_certificate_filename>
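The CSR steps and the import steps above combined into one script, as an added example that is not the NFO documentation's own code: it checks that NFO_HOME, the keystore, keytool and a keystore password are available before touching anything, deletes the tomcat alias only if it is present, passes the hostname as the CN with -dname instead of answering the interactive prompts, and lists the imported entry at the end so the chain can be inspected. The STOREPASS, KEYTOOL, CHAIN_FILE and CERT_FILE variables and the hostname www.domain.org are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not part of the NFO documentation: the CSR and import steps of this
# section as one script, with the checks a practitioner would want before touching
# the keystore. Assumptions (not from the page): the keystore password is supplied in
# STOREPASS instead of being typed at a prompt; KEYTOOL may override the bundled keytool
# path; CHAIN_FILE and CERT_FILE name the files the CA returned.
set -e

ALIAS=tomcat          # alias used by the page and by the Connector's keyAlias
CHAIN_ALIAS=root      # alias the page uses for the CA chain/root certificate
CSR_FILE=certreq.csr

keystore_path() { printf '%s/tomcat/conf/.tomcat_keystore\n' "${NFO_HOME:-}"; }
keytool_bin()   { printf '%s\n' "${KEYTOOL:-${NFO_HOME:-}/java/jre8/jre/bin/keytool}"; }

# Returns 1 (instead of exiting) when a prerequisite is missing, so callers can decide.
require_env() {
    [ -n "${NFO_HOME:-}" ]    || { echo 'NFO_HOME is not set' >&2; return 1; }
    [ -f "$(keystore_path)" ] || { echo "keystore not found: $(keystore_path)" >&2; return 1; }
    [ -x "$(keytool_bin)" ]   || { echo "keytool not found: $(keytool_bin)" >&2; return 1; }
    [ -n "${STOREPASS:-}" ]   || { echo 'STOREPASS is not set' >&2; return 1; }
}

# keytool -list with -alias exits non-zero when the alias is absent.
alias_exists() {
    "$(keytool_bin)" -list -keystore "$(keystore_path)" -storepass "$STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# The three CSR steps: replace the self-signed entry, generate a 2048-bit RSA key pair,
# then write the request. The hostname goes into the CN via -dname, which is what the
# "first and last name" prompt mentioned on the page asks for. The key password is kept
# equal to the keystore password, as the page and Tomcat's keyPass default expect.
create_csr() {
    host=$1
    if alias_exists "$ALIAS"; then
        "$(keytool_bin)" -delete -alias "$ALIAS" \
            -keystore "$(keystore_path)" -storepass "$STOREPASS"
    fi
    "$(keytool_bin)" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=$host" -keypass "$STOREPASS" \
        -keystore "$(keystore_path)" -storepass "$STOREPASS"
    "$(keytool_bin)" -certreq -alias "$ALIAS" -file "$CSR_FILE" \
        -keystore "$(keystore_path)" -storepass "$STOREPASS"
    echo "CSR written to $CSR_FILE; submit it to your Certificate Authority"
}

# The two import steps: chain/root first (with -trustcacerts), then the server
# certificate under the same alias as the key pair it was issued for.
import_certificate() {
    [ -f "${CHAIN_FILE:-}" ] || { echo 'CHAIN_FILE is not set or missing' >&2; return 1; }
    [ -f "${CERT_FILE:-}" ]  || { echo 'CERT_FILE is not set or missing' >&2; return 1; }
    "$(keytool_bin)" -importcert -alias "$CHAIN_ALIAS" -trustcacerts -noprompt \
        -file "$CHAIN_FILE" -keystore "$(keystore_path)" -storepass "$STOREPASS"
    "$(keytool_bin)" -importcert -alias "$ALIAS" \
        -file "$CERT_FILE" -keystore "$(keystore_path)" -storepass "$STOREPASS"
    # Show the resulting entry so the chain length and subject can be checked.
    "$(keytool_bin)" -list -v -alias "$ALIAS" \
        -keystore "$(keystore_path)" -storepass "$STOREPASS"
}

# Usage: STOREPASS=... sh tomcat_cert.sh csr www.domain.org
#        STOREPASS=... CHAIN_FILE=chain.pem CERT_FILE=server.pem sh tomcat_cert.sh import
case "${1:-}" in
    csr)    require_env && create_csr "${2:?hostname required}" ;;
    import) require_env && import_certificate ;;
esac
```

-genkeypair and -importcert are the current spellings of the -genkey and -import commands used on the page; the Java 8 keytool accepts both. If you later change the keystore password with keytool -storepasswd, the keystorePass attribute of the Connector in server.xml has to be changed to the same value, as the introduction of this section notes.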

For additional information, see the "Import the Certificate into NFO External Data Feeder truststore" section of the External Data Feeder for NFO Getting Started Guide.