Difference between revisions of "Managing SSL Certificates"

Latest revision as of 22:43, 24 January 2014

Managing SSL Certificates

Obtaining an SSL Certificate

The platform provides a default self-signed certificate which is used by the Application Server.

To obtain and install your own SSL Certificate, make a request to a Certificate Authority (CA). An SSL certificate authenticates a website to a web browser, part of a security protocol to manage secure data exchange.

The CA will accept your Certificate Signing Request and generate a certificate which identifies your website as a secured website.

To create a Certificate Signing Request (CSR)

1. Create a keystore and a private key:

cd {install_dir}/tomcat/conf/RN
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore {keystore_filename}

2. Create a CSR from the keystore

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr 
        -keystore {keystore_filename}

3. Submit the resulting file, certreq.csr, to the CA to obtain a certificate.
(When the certificate arrives, you are ready for the next step of steps.)

To Install the Certificate Obtained from the CA

Once you have obtained a certificate, you need to import it into the keystore.

But first, in addition to your certificate, the CA might provide a Chain/Root Certificate, which must also be imported. If you have received a chain certificate from the CA, then:

1. Copy the contents of the chain certificate into a file called chain

2. Import the chain certificate into your keystore:

keytool -import -alias root -keystore {keystore_filename} 
        -trustcacerts -file chain

When the chain certificate (if any) has been imported, you are ready for the final step:

3. Import the certificate received from the CA:

keytool -import -alias tomcat -keystore {keystore_filename} 
        -trustcacerts -file {certificate_filename}

Replacing the Default SSL Certificate

To replace the certificate:

Add the new certificate to this directory:
{install_dir}/tomcat/conf/RN
Edit {install_dir}/tomcat/conf/server.xml file
Replace the following line:
keystoreFile="conf/RN/thirdParty" keystorePass="algrsa"
with:

keystoreFile="conf/RN/your_certficate_file_name"

keystorePass="your_password_for_certificate_store"
Save the file
Restart the application server

The Application Server will now use your certificate file for communication over https.

Learn More

Certificate Signing Request (CSR) Generation Instructions-Tomcat, at
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227

@@ Line 9: / Line 9: @@
 '''To create a Certificate Signing Request (CSR)'''
-#Create a keystore and a private key:
+:1. Create a keystore and a private key:
-#:<tt>cd {install_dir}/tomcat/conf/RN</tt>
+::{|
-#:<pre>keytool -genkey -alias tomcat -keyalg RSA -keystore {keystore_filename}</pre>
+<pre>cd {install_dir}/tomcat/conf/RN
-#Create a CSR from the keystore
+keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore {keystore_filename}</pre>
-#:<pre>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore {keystore_filename}</pre>
+|}
-#The result is a file: <tt>certreq.csr</tt>, which can be submitted to the CA
-Once you have obtained a certificate from the CA, in addition to your certificate, the CA might provide an Chain/Root Certificate, which must be installed/imported into the keystore created in the previous section.
+:2. Create a CSR from the keystore
+::{|
+<pre>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
+        -keystore {keystore_filename}
+</pre>
+|}
-'''To Install the Certificate'''
+:3. Submit the resulting file, <tt>certreq.csr</tt>, to the CA to obtain a certificate.<br>(When the certificate arrives, you are ready for the next step of steps.)
-*If you have received the chain certificate from the (CA), complete #1 - #3:
+'''To Install the Certificate Obtained from the CA'''
-*If you have NOT received the chain certificate from the (CA), complete #3 only:
-#Install/import the chain certificate: Copy the contents of the chain certificate into a file called <tt>chain</tt>
+Once you have obtained a certificate, you need to import it into the keystore.
-#Import the chain certificate into your keystore:
-#:<pre>keytool -import -alias root -keystore {keystore_filename} -trustcacerts -file chain</pre>
+But first, in addition to your certificate, the CA might provide a Chain/Root Certificate, which must also be imported. If you have received a chain certificate from the CA, then:
-#Import the certificate received from the CA:
+:1. Copy the contents of the chain certificate into a file called <tt>chain</tt>
-#:<pre>keytool -import -alias tomcat -keystore {keystore_filename} -trustcacerts -file <certificate filename ></pre>
+:2. Import the chain certificate into your keystore:
+::{|
+<pre>keytool -import -alias root -keystore {keystore_filename}
+        -trustcacerts -file chain
+</pre>
+|}
+When the chain certificate (if any) has been imported, you are ready for the final step:
+:3. Import the certificate received from the CA:
+::{|
+<pre>keytool -import -alias tomcat -keystore {keystore_filename}
+        -trustcacerts -file {certificate_filename}
+</pre>
+|}
 ====Replacing the Default SSL Certificate====
@@ Line 47: / Line 65: @@
 ====Learn More====
-* Certificate Signing Request (CSR) Generation Instructions-Tomcat, at
+* Certificate Signing Request (CSR) Generation Instructions-Tomcat, at<br>https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227
-https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227
-{{#if: {{ShowIsvInfo}} |
 <noinclude>
 [[Category:Installation]]
 </noinclude>
-}}

Search

where to start

learn more

Tools

Personal tools