Skip to main content
Version: 2.10.0

Secure Connection Configuration (HTTPS)

This section describes how to install a certificate from a Certificate Authority into Tomcat. Self-signed certificate is already installed in $NFO_HOME/tomcat/conf/.tomcat_keystore, the keystore password is password and private key password is the same.

If you want to replace self-signed certificate to a new one from a Certificate Authority, use following steps from https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

HTTPS parameters are configured in the tomcat/conf/server.xml configuration file (Connector section). All Connector attributes are described here: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html. If keystore path or password are changed, corresponding Connector attributes should be modified.

Using your Existing Key and Signed Certificate

If you have the key and signed certificates, perform the following:

  1. Merge all certificates into a single file (chain):

    cat tomcat.pem [intermediate.pem [intermediate-2.pem ... ]] root.pem > chain
  2. Convert the chain to a PKCS12 using OpenSSL:

    openssl pkcs12 -export -in chain -inkey tomcat_key.pem -out .tomcat_keystore -name tomcat
  3. Validate .tomcat_keystore using keytool:

    $NFO_HOME/java/jre/bin/keytool -list -v -keystore .tomcat_keystore

    The output is expected like following:

    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: tomcat
    Creation date: Jan 1, 2023
    Entry type: PrivateKeyEntry
    Certificate chain length: 3
    Certificate[1]:
    ******* TOMCAT CERTIFICATE INFO IS HERE *******
    Certificate[2]:
    ******* INTERMEDIATE CERTIFICATE INFO IS HERE *******
    Certificate[3]:
    ******* ROOT CERTIFICATE INFO IS HERE *******
  4. Backup and replace $NFO_HOME/tomcat/conf/.tomcat_keystore with the new .tomcat_keystore using the following command:

    cp .tomcat_keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

Create a Local Certificate Signing Request (CSR)

If you don't have the key and signed certificate, follow these steps:

In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as "secure". To create a CSR follow these steps:

  1. Delete preinstalled self-signed certificate:

  2. Create a local Certificate:

    $NFO_HOME/java/jre/bin/keytool -keysize 2048 -genkey -alias tomcat \
    -ext "SAN=dns:${domain_name},ip:${host_ip}" \
    -keyalg RSA -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

    Where ${domain_name} is your server domain name and ${host_ip} is a host IP address. SubjectAlternativeName (SAN) and all its parts are optional. If host has different IP addresses or domain names, several comma separated dns:${domain_name} and ip:${host_ip} parts have to be added.

    note

    In some cases you will have to enter the domain of your website (i.e. www.domain.org) in the field "first- and lastname" in order to create a working Certificate.

  3. The CSR is then created with:

    $NFO_HOME/java/jre/bin/keytool -certreq -keyalg RSA -alias tomcat \
    -file certreq.csr -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate.

Import the Certificate

Now that you have your Certificate you can import it into your local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.

  1. Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.

    For Verisign.com commercial certificates go to:

    http://www.verisign.com/support/install/intermediate.html

    For Verisign.com trial certificates go to:

    http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html

    For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server

    For Thawte.com go to:

    http://www.thawte.com/certs/trustmap.html

  2. Import the Chain Certificate into your keystore

    $NFO_HOME/java/jre/bin/keytool -import -alias root \
    -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
    -trustcacerts -file <filename_of_the_chain_certificate>
  3. And finally import your new Certificate

    $NFO_HOME/java/jre/bin/keytool -import -alias tomcat \
    -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
    -file <your_certificate_filename>
note

If signed certificate is imported successfully, you will see this message: "Certificate reply was installed in keystore".

Import the Certificate into External Data Feeder for NFO (EDFN)

warning

You must import the certificate into EDFN truststore. Please see Import the Certificate into External Data Feeder for NFO truststore in EDFN Administration Guide.