Introduction

This article explains the process to enable SSL/TLS authentication on Tomcat.

Prerequisites

  1. If the user has access to a trusted Certificate Authority (CA), they should go through the CA process to obtain the CA certificate, the server certificate and the server private key. If no trusted CA is available, they can create dummy CA certificates to test the setup in a LAB/TEST environment. In an ideal scenario, the user should have a trusted CA.
  2. The user must have OpenSSL (in case a trusted CA is not available).
  3. The user must have Perl (needed to run CA.pl).

Creating Self-Signed Certificates Using OpenSSL

If you already have the cacert.pem, servercert.pem and serverkey.pem files, then you can directly proceed to Section 2 below.

    1. Locate the OpenSSL CA.pl script, as it is required to create the dummy CA certificate. It is inside the bin directory of the OpenSSL installation (see the paths used in step 3).
    2. Create a temporary directory to store the certificates and navigate to it in the command line.
    3. Create the CA certificate. You might need to edit the path accordingly.

       Linux users: execute the following command:
       /usr/lib/ssl/misc/CA.pl -newca

       Windows users: execute the following command:
       C:\OpenSSL-Win32\bin\CA.pl -newca

       This creates demoCA/cacert.pem (CA certificate) and demoCA/private/cakey.pem (CA private key).

    4. Make a server key and certificate signing request (CSR) using the following command:
       openssl req -newkey rsa:2048 -nodes -keyout newreq.pem -out newreq.pem

       Because both -keyout and -out name newreq.pem, the file ends up holding the private key followed by the CSR; that is why it is renamed to serverkey.pem in step 6.

       Note: Make sure the Common Name (CN) you enter is the server's hostname exactly as clients will use it. Otherwise the browser will complain that the name in the certificate does not match the hostname of the server. Likewise, always access the server with the same hostname as entered here.

    5. Sign the request with the CA. You might need to edit the path accordingly.

       Linux users: execute the following command:
       /usr/lib/ssl/misc/CA.pl -sign

       Windows users: execute the following command:
       C:\OpenSSL-Win32\bin\CA.pl -sign

       After the above steps have been followed, you will have the following three files: cacert.pem (in demoCA), newreq.pem and newcert.pem.

    6. Rename newreq.pem to serverkey.pem and newcert.pem to servercert.pem.

    Section 2

    7. Convert the servercert.pem file to PKCS12 format (*.p12) using the following command:
       openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out servercert.p12 -name servercertificate

       Note: The converted file (servercert.p12) holds the server certificate with its private key and is used to generate the keystore. When prompted for an Export Password, enter a password and keep it safe.

    8. Create a Java keystore file by converting servercert.p12 to Java keytool format with the following command:
       keytool -importkeystore -destkeystore servercert.jks -srckeystore servercert.p12 -srcstoretype PKCS12 -alias servercertificate

       Note: When prompted for the destination keystore password, enter a password and keep it safe; it will be used as the keystore password in server.xml. When prompted for the source keystore password, enter the export password of servercert.p12 from the previous step (step 7).

    9. Navigate to the demoCA directory (cd demoCA) and create a Java truststore file by importing cacert.pem in Java keytool format with the following command:
       keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem

       Note: When prompted for a keystore password, enter a password and keep it safe; it will be used as the truststore password in server.xml.
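The steps of both sections above, as an added example that is not part of the original article: a POSIX shell script that does the same work without CA.pl's prompts, sets the CN (and a SAN) to the hostname as the Note in step 4 requires, checks with openssl verify that the server certificate chains to the CA, builds servercert.p12, servercert.jks and cacerts.jks, and prints the server.xml Connector that the Notes refer to. It assumes openssl and keytool are on PATH; the directory /tmp/tomcat-lab, the hostname tomcat.lab.example, the password changeit and the path /opt/tomcat/conf are constructed placeholders, and the Connector uses the Tomcat 7/8-style JSSE attributes (keystoreFile, truststoreFile, clientAuth).

```shell
#!/bin/sh
# Added example (not from the original article): the CA.pl / keytool steps
# above run non-interactively. Assumes openssl and keytool are on PATH;
# directory, hostname and password values are constructed placeholders.
set -eu

# Lab CA plus a server certificate whose CN and SAN are the hostname clients
# will use, which is the match the article's Note asks for.
make_lab_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # CA (stands in for CA.pl -newca): self-signed, valid one year.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Lab Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
    # Server key and CSR (CA.pl's newreq.pem, but key and request in separate files).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" >/dev/null 2>&1
    # Sign it (stands in for CA.pl -sign) and add a SAN: browsers match the
    # hostname against the SAN, not only the CN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/san.ext" -out "$dir/servercert.pem" >/dev/null 2>&1
}

# Exit status 0 when servercert.pem chains to cacert.pem.
chain_ok() {
    openssl verify -CAfile "$1/cacert.pem" "$1/servercert.pem" >/dev/null 2>&1
}

# Prints the CN of servercert.pem so it can be compared with the hostname.
cert_cn() {
    openssl x509 -in "$1/servercert.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Section 2 equivalent: PEM -> PKCS12 -> JKS keystore, and CA cert -> JKS truststore.
build_stores() {
    dir=$1; pass=$2
    openssl pkcs12 -export -in "$dir/servercert.pem" -inkey "$dir/serverkey.pem" \
        -name servercertificate -passout "pass:$pass" -out "$dir/servercert.p12"
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/servercert.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -alias servercertificate \
        -destkeystore "$dir/servercert.jks" -deststoretype JKS -deststorepass "$pass" \
        >/dev/null 2>&1
    keytool -importcert -noprompt -keystore "$dir/cacerts.jks" -storepass "$pass" \
        -alias cacert -file "$dir/cacert.pem" >/dev/null 2>&1
}

# The server.xml Connector the article's Notes refer to (Tomcat 7/8-style JSSE
# attributes). clientAuth="true" makes Tomcat require a client certificate
# issued by a CA present in the truststore; use "false" for server-only TLS.
connector_xml() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="$1/servercert.jks" keystorePass="$2"
           truststoreFile="$1/cacerts.jks" truststorePass="$2"
           clientAuth="true" />
EOF
}

if [ "${1-}" = run ]; then
    make_lab_pki /tmp/tomcat-lab tomcat.lab.example
    chain_ok /tmp/tomcat-lab || { echo "servercert.pem does not chain to cacert.pem"; exit 1; }
    echo "chain OK, CN=$(cert_cn /tmp/tomcat-lab)"
    build_stores /tmp/tomcat-lab changeit
    connector_xml /opt/tomcat/conf changeit
fi
```

Run it as `sh tomcat-lab-tls.sh run`, then paste the printed Connector into server.xml and restart Tomcat. Passwords are passed on the command line so the script runs unattended; the interactive prompts in the article keep them out of shell history, which is the better choice outside a lab.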

Generating a CSR if you have a Certificate Authority

    1. Create a new key pair (the basis for the CSR):
       keytool -genkey -alias servercertificate -keyalg RSA -keysize 2048 -keystore servercert.jks
    2. Enter your DN information and confirm it with "yes" when prompted.
    3. Create a new Certificate Signing Request (CSR):
       keytool -certreq -alias servercertificate -keyalg RSA -file yourdomain.csr -keystore servercert.jks
    4. Enter your keystore password.
    5. Send the CSR to your Certificate Authority (CA).
    6. Make a copy of servercert.jks and name the copy cacerts.jks.
    7. Once you have received cacert.pem and servercert.pem from your CA, import the certificates as follows.
    8. Import cacert.pem into cacerts.jks and servercert.pem into servercert.jks:
       keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem
       keytool -import -keystore servercert.jks -alias servercertificate -file servercert.pem
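The keytool path above, as an added example that is not part of the original article: the same key pair, CSR and import steps run without prompts, with a SAN in the request and the CA reply imported in the order keytool requires (CA certificate first, because keytool rejects the server certificate with "Failed to establish chain from reply" when it cannot chain it to a certificate already in the keystore). A throwaway OpenSSL CA stands in for your real CA so the flow can be exercised offline. It assumes keytool and openssl are on PATH; the paths, the hostname tomcat.lab.example, the organisation "Example Org" and the password changeit are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): the keytool CSR path above
# run without prompts, with the CA reply imported in the order keytool needs.
# Assumes keytool and openssl on PATH; names and passwords are placeholders.
set -eu

# Key pair plus CSR in one keystore. -ext SAN puts the hostname in the request
# so the issued certificate carries it (browsers match the SAN, not only the CN).
make_csr() {
    dir=$1; host=$2; pass=$3
    keytool -genkeypair -noprompt -alias servercertificate -keyalg RSA -keysize 2048 \
        -dname "CN=$host, O=Example Org" -ext "SAN=dns:$host" -validity 365 \
        -keystore "$dir/servercert.jks" -storetype JKS -storepass "$pass" -keypass "$pass" \
        >/dev/null 2>&1
    keytool -certreq -alias servercertificate -ext "SAN=dns:$host" \
        -keystore "$dir/servercert.jks" -storepass "$pass" -file "$dir/yourdomain.csr" \
        >/dev/null 2>&1
}

# Throwaway CA standing in for the real CA (which would also copy the SAN from
# the request); in real use yourdomain.csr is sent to the CA instead.
lab_ca_sign() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
    openssl x509 -req -in "$dir/yourdomain.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -out "$dir/servercert.pem" >/dev/null 2>&1
}

# Import the CA reply. keytool refuses the server certificate with
# "Failed to establish chain from reply" unless it can chain it to a CA
# certificate already in the keystore, so cacert.pem goes in first.
import_ca_reply() {
    dir=$1; pass=$2
    keytool -importcert -noprompt -keystore "$dir/cacerts.jks" -storepass "$pass" \
        -alias cacert -file "$dir/cacert.pem" >/dev/null 2>&1
    keytool -importcert -noprompt -keystore "$dir/servercert.jks" -storepass "$pass" \
        -alias cacert -file "$dir/cacert.pem" >/dev/null 2>&1
    keytool -importcert -noprompt -keystore "$dir/servercert.jks" -storepass "$pass" \
        -alias servercertificate -file "$dir/servercert.pem" >/dev/null 2>&1
}

# Whole flow; prints "ok" when the alias ends up as a PrivateKeyEntry holding
# the signed chain, or "skipped" when keytool is not installed.
keytool_csr_flow() {
    dir=$1; host=$2; pass=$3
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    mkdir -p "$dir"
    make_csr "$dir" "$host" "$pass"
    lab_ca_sign "$dir"
    import_ca_reply "$dir" "$pass"
    keytool -list -keystore "$dir/servercert.jks" -storepass "$pass" \
        -alias servercertificate 2>/dev/null | grep -q PrivateKeyEntry && echo ok
}

if [ "${1-}" = run ]; then
    keytool_csr_flow /tmp/tomcat-keytool tomcat.lab.example changeit
fi
```

Run it as `sh tomcat-keytool-csr.sh run`. With a real CA, skip lab_ca_sign, send yourdomain.csr to the CA, and place the returned cacert.pem and servercert.pem in the same directory before calling import_ca_reply; the import order is the part that matters.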