How to install a certificate on a Java-based web server (Tomcat) using keytool

Installing SSL Certificate Chain (Root, Intermediate(s) and the End Entity)

1. Import Root Certificate
-> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore

2. Import Intermediate(s)
-> keytool -import -trustcacerts -alias intermediate_filename -file intermediate_filename.crt -keystore domain.keystore

Note: Depending on the type of certificate that was purchased, there may be more than one Intermediate certificate in the chain of trust. Please install all intermediates in numerical order until you get to the domain/end entity certificate.

3. Import Entity/Domain certificate
-> keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore

If the import is successful, you should receive the message: Certificate reply was installed in keystore. It should NOT match the output of Step 1 or 2 above.

Note: If an alias was specified upon creation of the CSR then please use that alias instead of mykey.

4. Restart the Web Server Service.

Note: Tomcat will first need an SSL Connector configured before it can accept secure connections. Please ensure this is set BEFORE the server is restarted.
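
Before restarting in step 4, the result of step 3 can be checked from keytool's verbose listing. The following shell function is an added example, not part of the original article: it confirms that the alias holds a private key entry with the full chain attached, not a bare trusted certificate as in steps 1 and 2. The function names and the trimmed sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: validates `keytool -list -v -alias <alias>` output read on stdin, e.g.
#   keytool -list -v -alias mykey -keystore domain.keystore | check_chain
check_chain() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { len = $4 + 0 }
        /^Owner:/                    { owner[++n] = substr($0, 8) }
        /^Issuer:/                   { issuer[n] = substr($0, 9) }
        END {
            # Assumption: "keyEntry" is what older JDKs print for a private key entry.
            if (type != "PrivateKeyEntry" && type != "keyEntry") {
                print "FAIL: entry type is [" type "], not a private key entry"; exit 1 }
            if (len < 2 || n != len) {
                print "FAIL: chain length " len ", expected end entity plus issuers"; exit 1 }
            # Each certificate must be issued by the next one in the chain.
            for (i = 1; i < n; i++)
                if (issuer[i] != owner[i + 1]) {
                    print "FAIL: Certificate[" i "] was not issued by Certificate[" (i + 1) "]"; exit 1 }
            print "OK: private key entry with " n " chained certificates"
        }'
}
# Constructed sample: trimmed listing of what step 3 should produce.
sample_good() {
    cat <<'EOF'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=Constructed Intermediate CA
Certificate[2]:
Owner: CN=Constructed Intermediate CA
Issuer: CN=Constructed Root CA
Certificate[3]:
Owner: CN=Constructed Root CA
Issuer: CN=Constructed Root CA
EOF
}
# Constructed sample: domain certificate stored as a plain trusted certificate.
sample_trusted_only() {
    cat <<'EOF'
Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=www.example.com
Issuer: CN=Constructed Intermediate CA
EOF
}
sample_good | check_chain; sample_trusted_only | check_chain || true
```

A FAIL on the entry type usually means the domain certificate was imported under an alias other than the one used when the CSR was created.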

Tomcat SSL Connector

Please read this before proceeding: Java Based (Tomcat) Web Servers (using keytool)

Tomcat will first need an SSL Connector configured before it can accept secure connections.

Note: By default, Tomcat will look for your keystore with the file name .keystore in the CATALINA_HOME directory, with the default password 'changeit'.

Commonly found CATALINA_HOME Directories

Unix, Linux or *nix -- /etc/tomcat5.5
Windows -- C:\Program Files\Apache Software Foundation\Tomcat 5.5\

It is possible to change the file name, password, and even location that Tomcat looks for the keystore. If you need to do this, pay special attention to #8 of Option 2 or #5 of Option 1 below.

Option 1 -- Configure the SSL Connector in server.xml:

1. Copy your keystore file (your_domain.key or your_domain.pfx) to the home directory (see the Note above)
2. Open the file Home_Directory/conf/server.xml in a text editor
3. Un-comment the 'SSL Connector' Configuration
4. Make sure that the 'Connector Port' is 443
5. If your keystore filename is something other than the default file name (.keystore) and/or your keystore password is something other than default ('changeit') then you will need to specify the correct keystore filename and/or password in your connector configuration -- ex. keystorePass="newpassword". When you are done your connector should look something like this:

To use a JKS (Java Key Store) file:

To use a PFX/P12 (PKCS#12) file:

6. Save the changes to server.xml
Note: You may need to comment out the following line:

like so:

Note 2: You may also need to set SSLEnabled="true" on the Connector in order for the SSL connection to work; otherwise an HTTP-only connection may be made. However, this is often not required.
7. Restart Tomcat

Please remember all Connector arguments are case sensitive!

Option 2 -- Add an SSL Connector using admintool:

1. Start Tomcat
2. Enter 'http://localhost:8080/admin' in a local browser to start admintool
3. Type a username and password with administrator rights
4. On the left select 'Service' (Java Web Services Developer Pack)
5. Select 'Create New Connector' from the drop-down list on the right
6. Choose 'HTTPS' in the 'Type' field
7. In the 'Port' field, enter '443'. This defines the TCP/IP port number on which Tomcat will listen for secure connections
8. Enter the Keystore Name and Keystore Password if (a.) your keystore is named something other than .keystore, (b.) if .keystore is located in a directory other than the home directory of the machine on which Tomcat is running, or if (c.) the password is something other than the default value of 'changeit'. If you have used the default values, you can leave these fields blank.
9. Select 'Save' to save the new Connector
10. Select 'Commit Changes' to save the new Connector information to the server.xml file so that it is available the next time Tomcat is started
