{"id":210,"date":"2009-03-17T13:17:56","date_gmt":"2009-03-17T06:17:56","guid":{"rendered":"http:\/\/adityo.blog.binusian.org\/?p=210"},"modified":"2009-04-02T10:55:07","modified_gmt":"2009-04-02T03:55:07","slug":"how-to-add-new-ssl-certificate-on-tomcat-server","status":"publish","type":"post","link":"https:\/\/adityo.blog.binusian.org\/?p=210","title":{"rendered":"How to add new ssl certificate on tomcat server"},"content":{"rendered":"<p style=\"text-align: justify;\"><span style=\"font-size: large;\"><strong>How to add ssl certificate (.crt) on tomcat server<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: large;\"><strong>what is ssl ?<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span id=\"_ctl0_ArticleRepeater__ctl1_ArticleText\">SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.<\/span><\/p>\n<p style=\"text-align: justify;\">To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys &#8211; a Private Key and a Public Key.<\/p>\n<p style=\"text-align: justify;\">The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) &#8211; a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer&#8217;s web browser.<\/p>\n<p style=\"text-align: justify;\">And i wanted to add Godaddy SSL to my tomcat server, here is my tomcat version<\/p>\n<p style=\"text-align: justify;\">#.\/version.sh<\/p>\n<p style=\"text-align: justify;\">Server version: Apache Tomcat\/6.0.14<br \/>\nServer built:\u00a0\u00a0 Jul 20 2007 04:17:30<br \/>\nServer number:\u00a0 6.0.14.0<br \/>\nOS Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Linux<br \/>\nOS Version:\u00a0\u00a0\u00a0\u00a0 2.6.24-16-server<br \/>\nArchitecture:\u00a0\u00a0 i386<br \/>\nJVM Version:\u00a0\u00a0\u00a0 1.6.0_06-b02<br \/>\nJVM Vendor:\u00a0\u00a0\u00a0\u00a0 Sun Microsystems Inc.<\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: large;\"><strong>Intallation Steps<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: large;\">1<\/span>.\u00a0 First you need to generate your new CSR and key pair<\/p>\n<p style=\"text-align: justify;\">Generating key pair :<\/p>\n<p style=\"text-align: justify;\">a. Enter the following command:<br \/>\nkeytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore<br \/>\nb.\u00a0 You will be prompted for a password.<br \/>\nc. Enter Distinguished Name (DN) information :<br \/>\ni.\u00a0 First and last name &#8211; This is the Common Name: Common Name: The common name is the\u00a0 fully-qualified domain name &#8211;<br \/>\nor URL &#8211; to which you plan to apply your certificate. Do not enter your personal name in this field.<br \/>\nIf you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., &#8220;*.<br \/>\ndomainnamegoes.com&#8221; or &#8220;www*.domainnamegoeshere.com&#8221;). This will secure all subdomains of the Common Name.<br \/>\nNote: An SSL certificate only secures the exact fully-qualified domain entered as the Common Name in your certificate<br \/>\nsigning request. Thus, if your certificate secures &#8220;www.domainnamegoeshere.com,&#8221; it will not secure the domain<br \/>\n&#8220;domainnamegoeshere.com.&#8221; If you need to secure both domains you must request an SSL certificate for each of them.<br \/>\nii.\u00a0 &#8220;Organizational unit&#8221; &#8211; Use this field to differentiate between divisions within an organization. For example, &#8220;Engineering&#8221;<br \/>\nor &#8220;Human Resources.&#8221; If applicable, you may enter the DBA (doing business as) name in this field.<br \/>\niii.\u00a0 Organization &#8211; The name under which your business is legally registered. The listed organization must be the legal<br \/>\nregistrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate<br \/>\nrequestor&#8217;s name in the &#8220;Organization&#8221; field, and the DBA (doing business as) name in the &#8220;Organizational Unit&#8221; field.<br \/>\niv.\u00a0 City\/Locality &#8211; Name of the city in which your organization is registered\/located. Please spell out the name of the city. Do<br \/>\nnot abbreviate.<br \/>\nv.\u00a0 State\/Province &#8211; Name of state or province where your organization is located. Please enter the full name. Do not<br \/>\nabbreviate.<br \/>\nvi.\u00a0 Country code &#8211; The two-letter International Organization for Standardization- (ISO-) format country code for the country in<br \/>\nwhich your organization is legally registered.<br \/>\nd. Confirm that the Distinguished Name information is correct.<\/p>\n<p style=\"text-align: justify;\">Generating CSR<\/p>\n<p style=\"text-align: justify;\">i.\u00a0\u00a0\u00a0\u00a0 Enter the following command:<\/p>\n<p style=\"text-align: justify;\">keytool -certreq -keyalg RSA -alias tomcat -file &lt;your file name&gt;.csr -keystore tomcat.keystore<br \/>\nii.\u00a0\u00a0\u00a0\u00a0 Upon prompt, enter keystore password:<br \/>\niii.\u00a0\u00a0 If the password is correct then the CSR is created.<br \/>\niv. \u00a0 If the password is incorrect then a password error is displayed.<br \/>\nv.\u00a0\u00a0\u00a0 Cut\/copy and paste the generated CSR into godady online enrollment form. ( Then sent the csr you just generate &lt;your file name&gt;.csr and tomcat.keystore to the godaddy and purchase the ssl from them )<br \/>\nvi.\u00a0\u00a0 Select &#8220;Tomcat&#8221; as your server software.<\/p>\n<p style=\"text-align: justify;\">\n<p style=\"text-align: justify;\"><span style=\"font-size: large;\">2<\/span>.\u00a0 After you received godaddy new certification usually you will get 4 files:<\/p>\n<p style=\"text-align: justify;\">&#8211; gd_bundle.crt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &#8211; gd_intermediate.crt<\/p>\n<p style=\"text-align: justify;\">&#8211; gd_cross_intermediate.crt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 &#8211;\u00a0 &lt;your file name cst&gt;.crt<\/p>\n<p style=\"text-align: justify;\">now we need to install SSL certificate and Intermediate Certificate separately<\/p>\n<p style=\"text-align: justify;\"><strong style=\"font-weight: 400;\">I.\u00a0 Installing Root and Intermediate Certificates<\/strong><\/p>\n<p style=\"text-align: justify;\">Once you have downloaded the certificates to            your local machine, please use the following keytool commands to import them:<\/p>\n<p style=\"text-align: justify;\">Root:<br \/>\n&#8220;keytool -import -alias root -keystore tomcat.keystore -trustcacerts            -file valicert_class2_root.crt.&#8221;<\/p>\n<p style=\"text-align: justify;\">but before you run the comand you need to download valicert_class2_root.crt from godady repostiroy https:\/\/certs.godaddy.com\/Repository.go<\/p>\n<p style=\"text-align: justify;\"># wget https:\/\/certs.godaddy.com\/repository\/valicert_class2_root.crt &#8211;no-check-certificate<br \/>\nthen create First intermediate (gd_cross_intermediate.crt):<br \/>\n&#8220;keytool -import -alias cross -keystore tomcat.keystore            -trustcacerts -file gd_cross_intermediate.crt&#8221;<\/p>\n<p style=\"text-align: justify;\">Second intermediate (gd_intermediate.crt):<br \/>\n&#8220;keytool -import -alias intermed -keystore tomcat.keystore            -trustcacerts -file gd_intermediate.crt&#8221;<\/p>\n<p style=\"text-align: justify;\"><strong style=\"font-weight: 400;\">Installing SSL Certificate<\/strong><\/p>\n<ol style=\"text-align: justify;\" type=\"i\">\n<li>Use the following command to import the issued certificate into              your keystore.<\/li>\n<li>keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts              -file &lt;name of your certificate, example: test.csr&gt;<\/li>\n<\/ol>\n<p style=\"text-align: justify;\">it should generate tomcat.keystore files<\/p>\n<p style=\"text-align: justify;\"><strong style=\"font-weight: 400;\">II. Updating the server.xml Configuration File<\/strong><br \/>\nWhen you have completed installing your certificate, you must configure            your Tomcat server.xml configuration file to point to the correct keystore            file:<\/p>\n<ol style=\"text-align: justify;\">\n<li>Open the server.xml file. it is usually located on \/usr\/local\/tomcat\/conf\/server.xml<\/li>\n<li>Put this files<\/li>\n<\/ol>\n<p style=\"text-align: justify;\">&lt;Connector<br \/>\nport=&#8221;8443&#8243; minSpareThreads=&#8221;5&#8243; maxSpareThreads=&#8221;75&#8243;<br \/>\nenableLookups=&#8221;true&#8221; disableUploadTimeout=&#8221;true&#8221;<br \/>\nacceptCount=&#8221;100&#8243;\u00a0 maxThreads=&#8221;200&#8243;<br \/>\nscheme=&#8221;https&#8221; secure=&#8221;true&#8221; SSLEnabled=&#8221;true&#8221;<br \/>\nkeystoreFile=&#8221;\/tomcat.keystore&#8221; keystorePass=&#8221;test&#8221;<br \/>\nclientAuth=&#8221;false&#8221; sslProtocol=&#8221;TLS&#8221;\/&gt;<\/p>\n<p style=\"text-align: justify;\">3. i use port 8433 as my ssl connection that is why i add port=&#8221;8443 not the default ssh port 443<\/p>\n<p style=\"text-align: justify;\">4. Restart Tomcat.<\/p>\n<p style=\"text-align: justify;\"># cd \/usr\/local\/tomcat\/bin<\/p>\n<p style=\"text-align: justify;\"># .\/shutdown.sh<\/p>\n<p style=\"text-align: justify;\"># export JAVA_HOME=\/usr\/lib\/jvm\/java-6-sun<\/p>\n<p style=\"text-align: justify;\"># .\/startup.sh<\/p>\n<p style=\"text-align: justify;\">Now go to your ssl web and checked the ssl information<\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-211\" title=\"ssl\" src=\"http:\/\/adityo.blog.binusian.org\/files\/2009\/03\/ssl.png\" alt=\"ssl\" width=\"620\" height=\"409\" srcset=\"https:\/\/adityo.blog.binusian.org\/files\/2009\/03\/ssl.png 620w, https:\/\/adityo.blog.binusian.org\/files\/2009\/03\/ssl-300x197.png 300w\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to add ssl certificate (.crt) on tomcat server what is ssl ? SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[622],"tags":[897,896],"class_list":["post-210","post","type-post","status-publish","format-standard","hentry","category-ssl","tag-register-ssl","tag-ssl-on-tomcat-server"],"_links":{"self":[{"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=\/wp\/v2\/posts\/210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=210"}],"version-history":[{"count":7,"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=\/wp\/v2\/posts\/210\/revisions"}],"predecessor-version":[{"id":214,"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=\/wp\/v2\/posts\/210\/revisions\/214"}],"wp:attachment":[{"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adityo.blog.binusian.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}