Secure Connection Configuration (HTTPS)

This section describes how to install a certificate from a Certificate Authority into Tomcat. A self-signed certificate is already installed in $NFO_HOME/tomcat/conf/.tomcat_keystore; the keystore password is password and the private key password is the same.

If you want to replace the self-signed certificate with a new one from a Certificate Authority, use the following steps, which are based on https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

HTTPS parameters are configured in the tomcat/conf/server.xml configuration file (Connector section). All Connector attributes are described at https://tomcat.apache.org/tomcat-9.0-doc/config/http.html. If the keystore path or password is changed, the corresponding Connector attributes must be updated to match.

Using your Existing Key and Signed Certificate

If you have the key and signed certificates, perform the following:

  1. Merge all certificates into a single file (chain):

    cat tomcat.pem [intermediate.pem [intermediate-2.pem ... ]] root.pem > chain
  2. Convert the chain to a PKCS12 keystore using OpenSSL (when prompted for the export password, use the keystore password that server.xml expects):

    openssl pkcs12 -export -in chain -inkey tomcat_key.pem -out .tomcat_keystore -name tomcat
  3. Validate .tomcat_keystore using keytool:

    $NFO_HOME/java/jre/bin/keytool -list -v -keystore .tomcat_keystore

    The output should look like the following:

    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: tomcat
    Creation date: Jan 1, 2023
    Entry type: PrivateKeyEntry
    Certificate chain length: 3
    Certificate[1]:
    ******* TOMCAT CERTIFICATE INFO IS HERE *******
    Certificate[2]:
    ******* INTERMEDIATE CERTIFICATE INFO IS HERE *******
    Certificate[3]:
    ******* ROOT CERTIFICATE INFO IS HERE *******
  4. Back up the current $NFO_HOME/tomcat/conf/.tomcat_keystore, then replace it with the new .tomcat_keystore using the following command:

    cp .tomcat_keystore $NFO_HOME/tomcat/conf/.tomcat_keystore
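As an added example (not part of the NFO or Tomcat documentation), the following script checks the chain file and key from step 1 before running step 2, so that a wrong certificate order, a missing root, or a key that does not belong to the server certificate is caught before it ends up in .tomcat_keystore. It assumes only that openssl is on the PATH; make_test_chain generates throwaway demo certificates (constructed data, not the NFO self-signed certificate).

```shell
#!/bin/sh
# Added example (not from the NFO docs): sanity-check the "chain" file and key from step 1
# before running "openssl pkcs12 -export". Needs only openssl.

# check_chain SERVER_CERT SERVER_KEY CHAIN_FILE -> 0 if the key belongs to the server
# certificate, the chain starts with that certificate, each certificate is issued by the
# one after it, and the path verifies with the last certificate (the root) as trust anchor.
check_chain() {
    leaf=$1 key=$2 chain=$3 dir=$(mktemp -d) rc=1
    # Split the concatenated PEM file into 1.pem, 2.pem, ...; awk prints the count.
    n=$(awk -v d="$dir" '/BEGIN CERT/{n++} n{print > (d "/" n ".pem")} END{print n+0}' "$chain")
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != "$(openssl x509 -in "$leaf" -noout -pubkey)" ]; then
        echo "private key does not match $leaf"
    elif [ "$(openssl x509 -in "$dir/1.pem" -noout -fingerprint -sha256 2>/dev/null)" != \
           "$(openssl x509 -in "$leaf" -noout -fingerprint -sha256)" ]; then
        echo "chain does not start with the server certificate $leaf"
    else
        rc=0 i=1
        while [ "$i" -lt "$n" ]; do
            # issuer of certificate i must equal the subject of certificate i+1
            if [ "$(openssl x509 -in "$dir/$i.pem" -noout -issuer | sed 's/^issuer=//')" != \
                 "$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')" ]; then
                echo "certificate $i is not issued by certificate $((i + 1))"; rc=1; break
            fi
            i=$((i + 1))
        done
        # Last certificate acts as trust anchor: a chain without a self-signed root fails here.
        if [ "$rc" -eq 0 ] && ! openssl verify -CAfile "$dir/$n.pem" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
            echo "path from $leaf to certificate $n does not verify"; rc=1
        fi
    fi
    rm -rf "$dir"
    return "$rc"
}

# make_test_chain DIR: constructed demo data, a throwaway root -> intermediate -> server chain.
make_test_chain() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-Root -keyout root.key -out root.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out intermediate.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=nfo.example.test -keyout tomcat_key.pem -out tomcat.csr 2>/dev/null
    openssl x509 -req -in tomcat.csr -CA intermediate.pem -CAkey int.key -CAcreateserial -days 1 -out tomcat.pem 2>/dev/null
    cat tomcat.pem intermediate.pem root.pem > chain           # order required in step 1
    cat root.pem intermediate.pem tomcat.pem > chain.reversed  # a common mistake
)

if [ "$#" -eq 3 ]; then check_chain "$@"; fi   # usage: sh check_chain.sh tomcat.pem tomcat_key.pem chain
```

Run it as shown in the last line against your real tomcat.pem, tomcat_key.pem and chain; a zero exit status means the chain is safe to hand to openssl pkcs12 -export.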

Create a Local Certificate Signing Request (CSR)

If you don't have a key and signed certificate, follow these steps:

In order to obtain a Certificate from the Certificate Authority of your choice, you have to create a so-called Certificate Signing Request (CSR). The Certificate Authority uses that CSR to create a Certificate that identifies your website as "secure". To create a CSR, follow these steps:

  1. Delete the preinstalled self-signed certificate:

  2. Create a local key pair with a self-signed Certificate:

    $NFO_HOME/java/jre/bin/keytool -keysize 2048 -genkey -alias tomcat \
    -ext "SAN=dns:${domain_name},ip:${host_ip}" \
    -keyalg RSA -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

    where ${domain_name} is your server's domain name and ${host_ip} is its IP address. The SubjectAlternativeName (SAN) extension and all of its parts are optional. If the host has several IP addresses or domain names, add several comma-separated dns:${domain_name} and ip:${host_ip} parts.

    note

    In some cases you will have to enter the domain of your website (e.g. www.domain.org) in the "first and last name" field in order to create a working Certificate.

  3. The CSR is then created with:

    $NFO_HOME/java/jre/bin/keytool -certreq -keyalg RSA -alias tomcat \
    -file certreq.csr -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

You now have a file called certreq.csr that you can submit to the Certificate Authority (see the Certificate Authority's website documentation for how to do this). In return you get a Certificate.

Import the Certificate

Now that you have your Certificate, you can import it into your local keystore. First you have to import the so-called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.

  1. Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.

    For Verisign.com commercial certificates go to:

    http://www.verisign.com/support/install/intermediate.html

    For Verisign.com trial certificates go to:

    http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html

    For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server

    For Thawte.com go to:

    http://www.thawte.com/certs/trustmap.html

  2. Import the Chain Certificate into your keystore:

    $NFO_HOME/java/jre/bin/keytool -import -alias root \
    -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
    -trustcacerts -file <filename_of_the_chain_certificate>
  3. Finally, import your new Certificate:

    $NFO_HOME/java/jre/bin/keytool -import -alias tomcat \
    -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
    -file <your_certificate_filename>
note

If the signed certificate is imported successfully, you will see the message "Certificate reply was installed in keystore".

Import the Certificate into External Data Feeder for NFO (EDFN)

warning

You must also import the certificate into the EDFN truststore. See "Import the Certificate into External Data Feeder for NFO truststore" in the EDFN Administration Guide.