Knowledgebase:
Tomcat CSR and SSL Certificate Installation and Renewal
Posted by Aly Essa, Last modified by Aly Essa on 27 October 2020 10:15 AM

Overview

This article will give a quick walkthrough of the installation procedure or the upgrade of an SSL Certificate with the Generation of a Certificate Signing Request (CSR).

For an additional fee, our FileCatalyst Support team can assist you with this process. The setup and debug of SSL certificates are not covered under our Support SLA.

Please contact your account representative for more details. This fee is waived if the SSL Certificate is purchased from FileCatalyst. 

These instructions assume you acquired your certificate containing a full chain.

Note: To renew or upgrade an existing certificate please follow the same steps as for a new certificate, however, use a different name for the keystore file, for example, -keystore .keystoreNew

Quick Links to Sections in this article:

Environment

FileCatalyst Workflow
Tomcat 9.0
 

Resolution

Prerequisites

An installation of Java JDK is required to proceed. The keytool and java commands must be recognized system-wide. 

Amazon Corretto Windows Installer: https://corretto.aws/downloads/latest/amazon-corretto-8-x64-windows-jdk.msi

Windows  Documentation: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/windows-7-install.html  

Amazon Corretto Linux Installer: https://corretto.aws/downloads/latest/amazon-corretto-8-x64-linux-jdk.tar.gz

Linux Documentation: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/generic-linux-install.html  

Generate CSR and Keystore Container

By default Tomcat will expect the password to be "changeit". If you choose a different password you will have to make an additional change in the server.xml file.

  1. Open a Command Prompt.

  2. Create a new folder on your system to store the Tomcat SSL. We used the following command:

    mkdir C:\Tomcat-SSL\

  3. Navigate to the Tomcat-SSL directory, by using the command:

    cd C:\Tomcat-SSL\

  4. Steps to Java Keystore File:

    Use the keytool command to create the CSR. Use the following command to execute the process:

    keytool -keysize 2048 -genkey -keyalg RSA -alias tomcat -keystore companyssl.jks

    Fill out the prompts:

    Note: When prompted for the first and last name, DO NOT type your first and last name. Instead, type the Fully Qualified Domain Name (FQDN) for the site you are securing with this certificate (e.g., www.yourdomain.com, mail.yourdomain.com). Are you are ordering a Wildcard Certificate? Then your FQDN must begin with an asterisk (*). (e.g.,*.yourdomain.com).



  5. In the last step, specify the same password (changeit) for the companyssl.jks and the keyEntry. If there was an error in the process you will receive the following error message when you restart the Tomcat Engine: 

    java.security.UnrecoverableKeyException: Cannot recover key

  6. --IMPORTANT--
    At this point, make a copy of the companyssl.jks keystore container before you proceed. The container has your private key in it and can not be regenerated.
    --IMPORTANT--

  7. To acquire a signed SSL certificate from a vendor you will need to extract the CSR from the companyssl.jks keystore. Run the following in the command prompt:

    keytool -certreq -alias tomcat -keyalg RSA -file companyname.csr -keystore companyssl.jks

    The output of this command will yield a CSR file named companyname.csr.

    At this point, if you may wish to use a self-signed certificate which is in the keystore (companyssl.jks). You can proceed to the Install SSL Connector on Tomcat section.


Append and Import SSL Certificate to Keystore Container

Download a full chain certificate from your Certificate Authority for use with a Tomcat WebServer. These files usually are already chained with the domain certificate and the intermediate certificate with a .p7b extension.

  1. Download your domain certificate to the Tomcat-SSL directory.

  2. Import the domain certificate (p7b) into the keystore (companyssl.jks) using the following command:

    keytool -import -alias tomcat -file your_site_name.p7b -keystore companyssl.jks

  3. You should get a confirmation that the Certificate reply was installed in keystore.

  4. If you are prompted to trust the certificate, type y or yes.

  5. The installation of this file loads all necessary certificates to your keystore.

    Your keystore file (your_site_name.jks) is now ready to be used on your Tomcat Server. Now, you can proceed to the Install SSL Connector on Tomcat section



Install SSL Connector on Tomcat

In Tomcat there are many different ways to configure your connector. The example below uses a hardened and secure connector which supports the following clients and connections:

  • Android 4.4.2 and later
  • Firefox 32 and later
  • IE 11 and later
  • IE Mobile 11 and later
  • Java 8 b132
  • Safari 7 and later
  • TLSv1.2

If you would like to use a less secure connector you can use the example shown here:

https://wiki.owasp.org/index.php/Securing_tomcat#Sample_Configuration_-_Good_Security 

For a more secure connection use the following steps to implement the connector:

  1. Shut down the Tomcat WebServer.

  2. Create a copy of the server.xml file located in <path-to-tomcat>/conf/.

  3. Open server.xml in a text editor and add the following connector:

    <Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    keystoreFile="c:\Tomcat-SSL\companyssl.jks"
    keystorePass="changeit"
    clientAuth="false"
    sslProtocol="TLSv1.2"
    sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
    />

  4. Save the file and start the Tomcat WebServer. 

    Specify the path to your keystore file in keystoreFile="c:\tomcat-ssl\companyssl.jks". If your keystore password is not "changeit" then make the change to keystorePass="changeit" in the factory element. If a specific port does not need to be specified in the URL, such as https://mycompany.com:<port>, then port 443 should be specified in the connector. This change will provide seamless integration.

    Once your Tomcat Server is back online you can test the SSL on  your webpage (https://mycompany.com:<port>) here: https://www.sslshopper.com/ssl-checker.html


Useful Tomcat Security Articles