Wednesday, January 27, 2016

Configuring tomcat7 with SSL

Recording the steps that worked for me. The certificate was created using letsencrypt.


The files generated in the key directory are:


cert.pem  chain.pem  fullchain.pem  privkey.pem  

Now, using OpenSSL, convert the certificate and key to PKCS#12 (p12) format:

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root

(It will prompt you for an export password; provide one. I found that importing into the Java keystore did not work when the p12 file had no password.)

Import to Java keystore

Let us import it into a keystore file (KeyStore.jks). When prompted for the source keystore password, enter the same password chosen for the p12 file in the previous step; the destination keystore and key passwords are passed on the command line (CHANGEIT below), so replace them with your own.

keytool -importkeystore -deststorepass CHANGEIT -destkeypass CHANGEIT -destkeystore KeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat
Enter source keystore password:

I'm not sure whether it is mandatory, but I also needed to run the following to add the chain as a trusted entry:

keytool -import -trustcacerts -alias root -file chain.pem -keystore KeyStore.jks


Tomcat configuration

Let us configure the Tomcat server (in /etc/tomcat7/server.xml): add this after the HTTP connector (port 80).


<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/usr/share/tomcat7/certs/KeyStore.jks" keystorePass="CHANGEIT"
           keyAlias="tomcat" keyPass="CHANGEIT"/>


Please make sure you provide the path and passwords specific to your application server. The keystore (.jks file) must be in a location readable by the Tomcat process, and since it holds the private key it should not be readable by anyone else.
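The whole sequence above (OpenSSL export, the two keytool imports, and the connector that points at the result) as one script, added here as an example and not part of the original post. It generates a throwaway self-signed certificate as a stand-in for the letsencrypt output so it runs offline, then does the check Tomcat itself only performs at startup: that the connector's keystoreFile, keystorePass and keyAlias actually resolve to a private-key entry. WORK, STOREPASS, the hostname example.test and the server.xml fragment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces the PEM -> PKCS#12 -> JKS
# steps on a throwaway self-signed certificate (stand-in for the letsencrypt output,
# so it runs offline), then checks the result the way Tomcat will use it.
# WORK, STOREPASS, the hostname example.test and the server.xml fragment are
# constructed placeholders; use your real paths and a real secret in production.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-CHANGEIT}"   # placeholder, like the post's; replace it
ALIAS="tomcat"

# Stand-in for the directory letsencrypt writes: a self-signed leaf acting as its
# own chain. Real output has a distinct chain.pem issued by Let's Encrypt.
make_stub_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" 2>/dev/null
  cp "$WORK/cert.pem" "$WORK/chain.pem"
  cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"
}

# Step 1: key + leaf into PKCS#12 under the alias Tomcat will reference.
# The export password must be non-empty, as the post observed, or the keytool
# import fails.
pem_to_p12() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" \
    -CAfile "$WORK/chain.pem" -caname root -name "$ALIAS" \
    -passout "pass:$STOREPASS" -out "$WORK/cert_and_key.p12"
}

# Step 2: move that entry into a JKS (the post's keytool -importkeystore call,
# with -noprompt so it can be scripted).
# Step 3: add chain.pem as a trusted entry, then lock the file down: the keystore
# holds the private key, so only the Tomcat user should be able to read it.
p12_to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/cert_and_key.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$WORK/KeyStore.jks" -deststoretype JKS \
    -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
  keytool -import -noprompt -trustcacerts -alias root -file "$WORK/chain.pem" \
    -keystore "$WORK/KeyStore.jks" -storepass "$STOREPASS" >/dev/null 2>&1 || true
  chmod 600 "$WORK/KeyStore.jks"
}

# Constructed server.xml fragment: the post's connector pointing at that keystore.
write_connector() {
  cat > "$WORK/server.xml" <<EOF
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="$WORK/KeyStore.jks" keystorePass="$STOREPASS"
           keyAlias="$ALIAS" keyPass="$STOREPASS"/>
EOF
}

# Pull one attribute value out of the connector; $1 = attribute name, $2 = file.
attr() {
  sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Tomcat only discovers a wrong keystoreFile, keystorePass or keyAlias at startup;
# check the same three values up front and require a private-key entry, not just
# a trusted certificate, under the alias.
check_connector() {
  ks=$(attr keystoreFile "$1"); kp=$(attr keystorePass "$1"); ka=$(attr keyAlias "$1")
  [ -r "$ks" ] || { echo "keystoreFile not readable: $ks" >&2; return 1; }
  keytool -list -keystore "$ks" -storepass "$kp" -alias "$ka" 2>/dev/null \
    | grep -q "PrivateKeyEntry"
}

# A group- or world-readable keystore exposes the private key to other local users.
keystore_is_private() {
  [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

run_all() {
  make_stub_certs && pem_to_p12 && p12_to_jks && write_connector \
    && check_connector "$WORK/server.xml" && keystore_is_private "$WORK/KeyStore.jks"
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  run_all && echo "keystore and connector check out in $WORK"
else
  echo "needs openssl and keytool (a JDK) on PATH" >&2
fi
```

To use it against a real deployment, point WORK at your certificate directory, skip make_stub_certs, and run check_connector on /etc/tomcat7/server.xml before restarting Tomcat; a failure there means the connector would have failed to start.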
