I've just purchased a wildcard SSL cert (AlphaSSL) which I'd like to install on a box running Tomcat, to replace the existing SSL certificate.
I have the cert, the private key, the CA Root, the intermediate CA and so on.
I'm not too familiar with Tomcat so can anyone say with certainty what sequence I need to follow?
Here's the guide for creating a CSR from scratch that is specific to the appliance I'm using:
Thanks.
- Back up your keystore
cp /opt/msw/data/keystore /root/keystoreBackup
- Re-initialise the keystore
rm /opt/msw/data/keystore
- Check the hostname
hostname appliance.inside6.com
- Create a certificate for this machine
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/msw/data/keystore -storepass changeit
What is your first and last name? [Unknown]: appliance.inside6.com
What is the name of your organizational unit? [Unknown]: Development
What is the name of your organization? [Unknown]: Clearswift
What is the name of your City or Locality? [Unknown]: Reading
What is the name of your State or Province? [Unknown]: Berkshire
What is the two-letter country code for this unit? [Unknown]: GB
Is CN=appliance.inside6.com, OU=Development, O=Clearswift, L=Reading, ST=Berkshire, C=GB correct? [no]: yes
Enter key password for (RETURN if same as keystore password): {leaving the password blank here}
- Generate the request
keytool -certreq -alias tomcat -keyalg RSA -keystore /opt/msw/data/keystore -storepass changeit -file /root/certreq.csr
cat /root/certreq.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvjCCAScCAQAwfjELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGlyZTEQMA4GA1UEBxMH
UmVhZGluZzETMBEGA1UEChMKQ2xlYXJzd2lmdDEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxHjAcBgNV
BAMTFWFwcGxpYW5jZS5pbnNpZGU2LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAncyI
Ui4emCBqY1of4xUk0eJ8CcZtHaYyXrych5sFXTDFq9icRd2e4Xe94IvHlKZwtxAXsoZONXXo4gP2
jU5PKD/DMNlu2TtdISvxD4DstkYv9dpC+8bt5uftYQ405nHeRwPpBQornJz98f5tNiCIYRsB0gec
2Gj7J4TDf2+igYkCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAGVvifaZLvnwOYAdlblBMsSDAI1h
VahtdzcLQrFzH3DezNfx5knqzzaM4oOC2N2RohMSKsP9DazqCFkj4i6lBS6M+X/inu0Hyp6b9fEz
06BJby+RM4nmv4RFXqdR5usIHalfodRxjWVHjMhN3FwiD1SPxXqLppp3zjEqhycVox/5
-----END NEW CERTIFICATE REQUEST-----
- Obtain a certificate from a commercial Certificate Authority such as Verisign. During this phase you will have to paste/email the contents of /root/certreq.csr into an appropriate location.
- On the appliance, add the certificate the CA will have mailed you
keytool -import -alias tomcat -trustcacerts -keystore /opt/msw/data/keystore -storepass changeit -file /root/server.cert
Certificate reply was installed in keystore
- Restart tomcat
uiservicecontrol restart tomcat
All you need to do is this for a Tomcat server:
Start with the original keystore that you used to create your CSR. This keystore has one private key in it, with the alias "tomcat".
From your certificate reply you will have a reply cert, an intermediate (probably), and also a root cert, as 3 separate files.
Use keytool -import to import the root cert with alias "root".
Use keytool -import to import the intermediate cert with alias "intermediate".
Finally, use keytool -import to import cert-reply.crt into the keystore with alias "tomcat". This action imports the cert reply into position on top of the cert you generated when you created the keystore, and will generate a certificate chain of length 2 or 3.
Use keytool -list to see the contents and the chain.
NOTE: for an Apache server, the steps are a bit different.
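The import sequence from the answer above (root, intermediate, then the reply under alias "tomcat"), as an added example script that is not part of the question, the answer, or the appliance's own tooling. It adds the check a practitioner wants before running the imports: the CA's reply must have been issued for the public key that is already in the keystore under "tomcat", otherwise keytool refuses it as a reply (this is what happens if the certificate was obtained with a private key generated somewhere else, as the question's separate key file suggests). Keystore path and password default to the values in the question; the certificate file names, the DRY_RUN switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): install a CA-issued
# certificate reply and its chain into the Tomcat keystore in the order the
# answer gives, after checking that the reply belongs to the key in the keystore.
# Paths default to the ones in the question; file names and DRY_RUN are assumptions.

KEYSTORE="${KEYSTORE:-/opt/msw/data/keystore}"
STOREPASS="${STOREPASS:-changeit}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Public key (PEM) of the entry under alias "tomcat": keytool -genkey stored a
# self-signed certificate beside the private key, and -rfc prints it in PEM
keystore_pubkey() {
    keytool -list -rfc -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | openssl x509 -pubkey -noout
}

# Public key (PEM) embedded in a certificate file
cert_pubkey() {
    openssl x509 -in "$1" -pubkey -noout
}

# Succeeds only if the CA's reply was issued for the key already in the keystore;
# a reply for any other key cannot be installed under alias "tomcat"
reply_matches_key() {
    [ "$(keystore_pubkey)" = "$(cert_pubkey "$1")" ]
}

# import_chain root.crt intermediate.crt reply.crt
import_chain() {
    root="$1"; inter="$2"; reply="$3"
    if [ "$DRY_RUN" != "1" ] && ! reply_matches_key "$reply"; then
        echo "reply certificate does not match the private key under alias tomcat" >&2
        return 1
    fi
    # CA certificates go in as trusted entries first so keytool can build the
    # chain when the reply is imported. -noprompt skips the interactive
    # "Trust this certificate?" question, so compare the root's fingerprint
    # with the CA's published value before running this.
    run keytool -import -noprompt -alias root -trustcacerts \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$root" || return 1
    run keytool -import -noprompt -alias intermediate -trustcacerts \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$inter" || return 1
    # Importing under the existing alias "tomcat" replaces the self-signed
    # certificate with the CA reply plus the chain built from the entries above
    run keytool -import -alias tomcat -trustcacerts \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$reply" || return 1
    # Show the result; the "tomcat" entry should now report a chain length of 2 or 3
    run keytool -list -v -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# import_order: the aliases import_chain writes, in order, one per line
# (dry run, so the sequence can be checked without touching a keystore)
import_order() {
    ( DRY_RUN=1; import_chain root.crt intermediate.crt reply.crt ) \
        | awk '$2 == "-import" { for (i = 1; i < NF; i++) if ($i == "-alias") print $(i + 1) }'
}

# Usage on the appliance (file names assumed):
#   import_chain /root/root.crt /root/intermediate.crt /root/server.cert
```

The public-key comparison is the useful part: `keytool -import` of a reply only succeeds when the reply's public key equals the one under the target alias, so if a wildcard certificate was issued against a key that never lived in this keystore, the fix is to build a new keystore from that key and certificate (for example via a PKCS#12 file) rather than to keep re-running the import. After the script finishes, restart Tomcat as the question's guide does and confirm the served chain with a TLS client.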