How to add ssl certificate (.crt) on tomcat server
what is ssl ?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys – a Private Key and a Public Key.
The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) – a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer’s web browser.
And i wanted to add Godaddy SSL to my tomcat server, here is my tomcat version
Server version: Apache Tomcat/6.0.14
Server built: Jul 20 2007 04:17:30
Server number: 22.214.171.124
OS Name: Linux
OS Version: 2.6.24-16-server
JVM Version: 1.6.0_06-b02
JVM Vendor: Sun Microsystems Inc.
1. First you need to generate your new CSR and key pair
Generating key pair :
a. Enter the following command:
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
b. You will be prompted for a password.
c. Enter Distinguished Name (DN) information :
i. First and last name – This is the Common Name: Common Name: The common name is the fully-qualified domain name -
or URL – to which you plan to apply your certificate. Do not enter your personal name in this field.
If you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., “*.
domainnamegoes.com” or “www*.domainnamegoeshere.com”). This will secure all subdomains of the Common Name.
Note: An SSL certificate only secures the exact fully-qualified domain entered as the Common Name in your certificate
signing request. Thus, if your certificate secures “www.domainnamegoeshere.com,” it will not secure the domain
“domainnamegoeshere.com.” If you need to secure both domains you must request an SSL certificate for each of them.
ii. “Organizational unit” – Use this field to differentiate between divisions within an organization. For example, “Engineering”
or “Human Resources.” If applicable, you may enter the DBA (doing business as) name in this field.
iii. Organization – The name under which your business is legally registered. The listed organization must be the legal
registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate
requestor’s name in the “Organization” field, and the DBA (doing business as) name in the “Organizational Unit” field.
iv. City/Locality – Name of the city in which your organization is registered/located. Please spell out the name of the city. Do
v. State/Province – Name of state or province where your organization is located. Please enter the full name. Do not
vi. Country code – The two-letter International Organization for Standardization- (ISO-) format country code for the country in
which your organization is legally registered.
d. Confirm that the Distinguished Name information is correct.
i. Enter the following command:
keytool -certreq -keyalg RSA -alias tomcat -file <your file name>.csr -keystore tomcat.keystore
ii. Upon prompt, enter keystore password:
iii. If the password is correct then the CSR is created.
iv. If the password is incorrect then a password error is displayed.
v. Cut/copy and paste the generated CSR into godady online enrollment form. ( Then sent the csr you just generate <your file name>.csr and tomcat.keystore to the godaddy and purchase the ssl from them )
vi. Select “Tomcat” as your server software.
2. After you received godaddy new certification usually you will get 4 files:
- gd_bundle.crt – gd_intermediate.crt
- gd_cross_intermediate.crt - <your file name cst>.crt
now we need to install SSL certificate and Intermediate Certificate separately
I. Installing Root and Intermediate Certificates
Once you have downloaded the certificates to your local machine, please use the following keytool commands to import them:
“keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt.”
but before you run the comand you need to download valicert_class2_root.crt from godady repostiroy https://certs.godaddy.com/Repository.go
# wget https://certs.godaddy.com/repository/valicert_class2_root.crt –no-check-certificate
then create First intermediate (gd_cross_intermediate.crt):
“keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt”
Second intermediate (gd_intermediate.crt):
“keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt”
Installing SSL Certificate
- Use the following command to import the issued certificate into your keystore.
- keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate, example: test.csr>
it should generate tomcat.keystore files
II. Updating the server.xml Configuration File
When you have completed installing your certificate, you must configure your Tomcat server.xml configuration file to point to the correct keystore file:
- Open the server.xml file. it is usually located on /usr/local/tomcat/conf/server.xml
- Put this files
port=”8443″ minSpareThreads=”5″ maxSpareThreads=”75″
scheme=”https” secure=”true” SSLEnabled=”true”
3. i use port 8433 as my ssl connection that is why i add port=”8443 not the default ssh port 443
4. Restart Tomcat.
# cd /usr/local/tomcat/bin
# export JAVA_HOME=/usr/lib/jvm/java-6-sun
Now go to your ssl web and checked the ssl information