Like the majority of server systems, you will install your SSL certificate on the same server or keystore where your Certificate Signing Request (CSR) was created. Your private key always remains inside the server system and keystore where the CSR was originally generated, and your SSL certificate will not work without that original keystore file. We will assume that this is the original system. Tomcat is a highly customizable environment; the instructions below are generalized, and you will have to adapt them to your own environment.
If you lose your keystore file or the password to access it, your SSL certificate will no longer match and you will need to replace the certificate.
To install your PKCS#7 SSL certificate into the keystore on your Tomcat system, perform the following steps.
Step 1: Picking up your SSL Certificate
- If you had the option of server type during enrollment and selected IIS/Tomcat, you will receive a pkcs7/.p7b version of your certificate in the email. Alternatively, you can access your Certificate User Portal via the link supplied in the email to pick up the pkcs#7 version of your certificate.
- Copy the SSL certificate, making sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer. Ensure there are no white spaces, extra line breaks or additional characters.
- Use a plain text editor such as Notepad: paste the content of the certificate and save it with the extension .p7b. (When performing this on a Windows system, the icon of the file should change into a certificate icon.)
Step 2: Installing your SSL certificate:
It is recommended that you have your keystore, SSL certificate and keytool.exe in the same folder; otherwise you will need to specify the full file path when running the following commands. You may want to make a copy of your keystore in case there are issues with the installation.
- Import the SSL certificate into the keystore used for CSR creation.
Note: Use the same private key alias name that you used when you created the keystore for CSR creation.
keytool -import -alias your_Privatekey_alias -trustcacerts -file your_SSL_Certificate.p7b -keystore your_keystorename.jks
- You will be prompted to enter the password to access the keystore.
If the installation is successful you will see “Certificate reply was installed in keystore”.
Note: During the import you might encounter one of the following errors: “java.lang.Exception: Input not an X.509 certificate.” or “Failed to establish chain from reply.” If you receive either, it means that your version of Tomcat's keytool will not accept a pkcs7/.p7b certificate and you will have to proceed with the X509/.cer instructions instead. Below are the instructions for the X509 Tomcat installation.
SSL Installation instructions for Tomcat using X509
Step 3: Confirm contents of the keystore (optional):
- At the command prompt, enter:
keytool -list -v -keystore your_keystore_filename.jks
- Viewing the contents of the keystore.
The end entity SSL certificate is imported into the alias with the “Entry Type” of PrivateKeyEntry or KeyEntry. If not, import the certificate into the Private Key alias.
Note: The “Certificate chain length:” value tells you that the keystore was successful in establishing the certificate chain, and your keystore is ready for use.
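To make the Step 3 check repeatable, the following added example (not part of the original instructions) parses the text that keytool -list -v prints and decides whether the CSR alias is a private-key entry whose chain was actually installed. The listing it works on is a constructed sample; the alias name your_privatekey_alias and the CN values are placeholders.

```python
import re

# Constructed sample of "keytool -list -v" output after a successful import (not real).
SAMPLE_LISTING = """Keystore type: PKCS12

Your keystore contains 2 entries

Alias name: your_privatekey_alias
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Inc, C=US
Issuer: CN=Example Issuing CA, O=Example Inc, C=US

*******************************************

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Inc, C=US
"""

def parse_listing(text):
    """Map each alias to its entry type and certificate chain length."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            current = m.group(1).strip()
            # trustedCertEntry prints no chain-length line: treat it as one cert
            entries[current] = {"entry_type": None, "chain_length": 1}
        elif current and (m := re.match(r"Entry type:\s*(\S+)", line)):
            entries[current]["entry_type"] = m.group(1)
        elif current and (m := re.match(r"Certificate chain length:\s*(\d+)", line)):
            entries[current]["chain_length"] = int(m.group(1))
    return entries

def keystore_ready(entries, alias):
    """Return (ok, reason) for the alias the CSR was generated under."""
    e = entries.get(alias)
    if e is None:
        return False, f"alias '{alias}' not found"
    if e["entry_type"] not in ("PrivateKeyEntry", "KeyEntry"):
        return False, f"'{alias}' is {e['entry_type']}; import into the private key alias"
    if e["chain_length"] < 2:
        # keytool -genkey leaves a single self-signed cert under the alias
        return False, "chain length 1: certificate reply not installed"
    return True, f"chain length {e['chain_length']}: keystore ready"
```

Feed it the real listing with `parse_listing(open("listing.txt").read())` and pass the alias you used in Step 2.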
Step 4: Configuring the Tomcat Server:
Tomcat keeps its configuration information in a server.xml file, which ensures Tomcat is reading the correct keystore file and keystore password. This file also allows server administrators to set the port for secure connections.
If the server.xml file is not configured, or if it is pointing to the wrong keystore, then the server may present the incorrect certificate to the client browser.
Note: Tomcat can be a custom environment, and the name of your server.xml file could be different. You should see some sort of Connector within a .xml file under Tomcat, as in the example below; this is what needs to be configured. If you are unable to find this SSL Connector, you may have to contact Tomcat for support.
- On the Tomcat server, search for and open the Tomcat server.xml file.
- Open the server.xml config file using a text editor (e.g. JAKARTA_HOME/conf/server.xml).
- Search for the secure element in your config file (try searching for SSL Connector).
- Your keystore file name and path is listed under keystoreFile, and its password is under keystorePass.
- By default it should look like one of the following, A or B:
A: Standard Tomcat systems: server.xml using .jks keystores.
- If your server.xml file looks like the above, then perform the following conversion using keytool on the Tomcat system.
Note: the names below are generalized; your names will differ.
- keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS
- After this conversion you will have a new .jks keystore whose file path and directory you can specify in server.xml.
- Make sure the “keystoreFile” directive points to the new keystore and the “keystorePass” directive references the correct keystore password.
Note: These directives are case-sensitive! Make sure the letters “F” and “P” in “keystoreFile” and “keystorePass” are in uppercase.
Note: If your keystore contains more than one private key alias, add the “keyAlias” directive to reference the correct private key alias name. This is usually only seen in some standard Tomcat systems that use .jks keystores.
For Example:
keystoreFile="insert path to the keystore here"
keystorePass="insert keystore password here"
keyAlias="insert private key alias here"/>
B: Tomcat systems: server.xml able to use .pfx keystores.
- If your server.xml file looks like the example below, then no conversion is needed: your version of Tomcat has the capability of using .pfx files.
- After you have determined what type of keystore your server.xml file requires, you are ready to make the server.xml file point to your .pfx keystore.
- Make sure the “keystoreFile” directive points to the new keystore and the “keystorePass” directive references the correct keystore password.
Note: These directives are case-sensitive! Make sure the letters “F” and “P” in “keystoreFile” and “keystorePass” are in uppercase.
For Example:
keystoreFile="insert path to the keystore here"
keystorePass="insert keystore password here"
- After you have updated your server.xml file…
- Save the changes.
- Stop and start Tomcat.
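Because the directive names in Step 4 are case-sensitive and a keystore with several private keys needs keyAlias, this added example (not part of the original instructions) reads a server.xml and reports those two mistakes for every SSL Connector before you restart Tomcat. The server.xml fragment is constructed; its KeystoreFile attribute is deliberately mis-cased, and the path and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from any real deployment): the SSL
# Connector below mis-cases the keystoreFile attribute, as the text warns.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               KeystoreFile="conf/your_keystorename.jks"
               keystorePass="insert keystore password here"/>
  </Service>
</Server>
"""

REQUIRED = ("keystoreFile", "keystorePass")  # exact spelling Tomcat expects

def check_ssl_connectors(server_xml, private_key_aliases=1):
    """Return a list of findings for the SSL Connector(s) in server.xml.

    private_key_aliases is how many PrivateKeyEntry aliases 'keytool -list -v'
    reported; with more than one, Tomcat needs keyAlias to pick the right key.
    """
    findings = []
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"
                  or c.get("scheme", "").lower() == "https"]
    if not connectors:
        return ["no SSL Connector (SSLEnabled=\"true\" or scheme=\"https\") found"]
    for c in connectors:
        port = c.get("port", "?")
        by_lower = {name.lower(): name for name in c.attrib}  # detect case slips
        for attr in REQUIRED:
            if attr in c.attrib:
                continue
            if attr.lower() in by_lower:
                findings.append(f"port {port}: '{by_lower[attr.lower()]}' is mis-cased; "
                                f"Tomcat only recognises '{attr}'")
            else:
                findings.append(f"port {port}: missing '{attr}'")
        if private_key_aliases > 1 and "keyAlias" not in c.attrib:
            findings.append(f"port {port}: {private_key_aliases} private key aliases "
                            "in the keystore but no 'keyAlias' directive")
    return findings
```

Run it on your own file with `check_ssl_connectors(open("conf/server.xml").read(), n)` where n is the number of PrivateKeyEntry aliases keytool listed; an empty list means both directives are spelled correctly.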
Your SSL/TLS certificate is now installed and configured for its website.
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.
Tomcat Support:
For more information, please refer to Tomcat Support