11/30/2021

Tomcat Ssl Keystore

This means that the keystore/truststore password cannot be passed as an attribute in the connector element of Tomcat's server.xml. A working understanding of the JaasSecurityDomain that supports keystores, truststores, and password-based encryption is advised. When any of the keystore-related properties are set on the Tomcat connection, Tomcat initializes a new certificate object with a default keystore password value. Prior to the change in #24052, Spring Boot would override the Tomcat default keystore password with null when server.ssl.key-store-password was not set. Edit the JAVA_HOME/jre/lib/security/java.security file and change the default keystore type:

    # Default keystore type.
    keystore.type=pkcs12

Configure the SSL connector by editing the Tomcat server.xml file with an entry similar to the following example. Note that the keystoreType and truststoreType attributes are set to 'PKCS12' because you are not using the default JKS format.

An SSL certificate was required for one of our customers. The SSL certificate was to be used with a Tomcat server, but I decided to give the customer the flexibility to re-use this certificate on a different webserver if needed. This meant I used openssl to generate the certificate and then created a pkcs12 keystore.

Create the private key and certificate request


Create the certificate key

Remove the passphrase from the key

Create the Certificate request

Create the Keystore file for use with tomcat and keytool

I had some trouble getting this to work. This is a very simple procedure when working with certs signed by GoDaddy, but certs from Verisign needed some extra hand-holding. Some information on how to do this is found at http://conshell.net/wiki/index.php/OpenSSL_to_Keytool_Conversion_tips.


I did not follow the instructions on that site. I ended up creating a keystore in the PKCS12 format instead of the default JKS format. The site above does have instructions for converting a PKCS12 keystore to JKS format, if you need that.

The signed certificate was downloaded to clients.adaptivetcr.com.cer. The Secure Site with EV Root bundle was downloaded to intermediate.crt. When I first attempted to create the keystore file, I received the error below.


The interesting thing about this error is that if you attempt an openssl verify using both the cert file and intermediate.crt, it does not complain and gives the "OK" message. After a bit of testing, I found that you need to make a new CAfile to be used when creating the keystore, one that combines the cacerts file from the OpenSSL distribution with the intermediate.crt file.


This successfully created the keystore file. You can look at the contents of the keystore by running
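As an added example (not code from the original post), the following script carries out the keystore step described above: it builds a combined CAfile from a root bundle and the intermediate, exports key, certificate and chain into a PKCS12 keystore with openssl, and counts the certificates the keystore holds. The file names cacerts.pem, intermediate.crt, server.key, server.crt, keystore.p12 and the KEYSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a PKCS12 keystore for Tomcat
# from an OpenSSL-generated key, the CA-signed certificate and the CA's intermediate.
# The point from the text: "openssl pkcs12 -export -chain" must be able to walk from
# the leaf up to a trusted root, so the CAfile has to hold the root bundle AND the
# intermediate. File names and KEYSTORE_PASS below are assumptions.
set -eu

# Combine the root bundle (cacerts from the OpenSSL distribution, or the CA's root)
# with the intermediate certificate into one CAfile.
build_cafile() {    # $1=root bundle  $2=intermediate.crt  $3=output CAfile
  cat "$1" "$2" > "$3"
}

# Export key + leaf certificate + chain into a PKCS12 keystore under alias "tomcat".
# Exits non-zero when the chain cannot be completed from $3 (e.g. root missing).
make_pkcs12() {     # $1=private key  $2=leaf cert  $3=CAfile  $4=out.p12  $5=password
  openssl pkcs12 -export -chain -CAfile "$3" -inkey "$1" -in "$2" \
    -name tomcat -out "$4" -passout "pass:$5"
}

# Count the certificates stored in the keystore: the leaf plus the chain that was found.
count_certs() {     # $1=keystore.p12  $2=password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Guarded driver: "sh make-keystore.sh run" with the assumed input files present.
if [ "${1:-}" = "run" ]; then
  build_cafile cacerts.pem intermediate.crt combined-ca.pem
  make_pkcs12 server.key server.crt combined-ca.pem keystore.p12 \
    "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
  echo "keystore.p12 holds $(count_certs keystore.p12 "$KEYSTORE_PASS") certificate(s)"
fi
```

If the CAfile holds only the intermediate, the export step exits non-zero with an error about getting the chain, which is the failure the combined CAfile avoids.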

Tomcat Ssl Keystore File

  1. Download your certificate files from your certificate authority and save them to the same directory as the keystore that you created during the CSR creation process. The certificate will only work with the same keystore that you initially created the CSR with. The certificates must be installed to your keystore in the correct order.
  2. Install the Root Certificate file: Every time you install a certificate to the keystore you must enter the keystore password that you chose when you generated it. Enter the following command to install the Root certificate file:

    keytool -import -trustcacerts -alias root -file RootCertFileName.crt -keystore keystore.key

  3. If you receive a message that says 'Certificate already exists in system-wide CA keystore under alias <...> Do you still want to add it to your own keystore? [no]:', select Yes. If successful, you will see 'Certificate was added to keystore'.

  4. Install the Intermediate Certificate file: If your certificate authority provided an intermediate certificate file, you will need to install it here by typing the following command:

    keytool -import -trustcacerts -alias intermediate -file IntermediateCertFileName.crt -keystore keystore.key

    If successful, you will see 'Certificate was added to keystore'.

  5. Install the Primary Certificate file: Type the following command to install the Primary certificate file (for your domain name):

    keytool -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore keystore.key

    If successful, you will see 'Certificate reply was installed in keystore'. You now have all the certificates installed to the keystore file. You just need to configure your server to use the keystore file.