Tomcat CSR Generation and SSL Installation (GUI Method)
Posted by Aly Essa, Last modified by Aly Essa on 27 October 2020 10:15 AM
Overview 

This article will walk you through the different steps in creating and installing an SSL certificate on a Tomcat Webserver in a Windows Environment. The steps below will help you create a Java Keystore (JKS) which contains a Self-Signed SSL Certificate or one that has been purchased from a Certificate Authority. Our document was written and tested with Certificates purchased from Thawte or Digicert.



Environment

Tomcat 9.0
Workflow v5.0 and newer

Prerequisites


Resolution

Generate CSR and Keystore Container


  1. Run the keystore application, select Create A New Keystore and select the JKS radio button.



  2. Right-click in the white space and select Generate Key Pair (Ctrl+G).


  3. Use the RSA algorithm with a 2048-bit key size.




  4. At the bottom of the window, edit the Name section.



  5. Fill out your company information. This information is needed to generate the CSR. Note that the CN (Common Name) field must be the domain name you are securing.



  6. Once you have completed your entry, click OK. You will be prompted to enter an Alias name: use tomcat, then create a password. We suggest a complex password with 8 characters. This password is required in later steps, so keep it handy; for this article we will use the password changeit. You should receive a message confirming Key Pair Generation Successful.

  7. Save the Keystore; for this article we will use companyssl.jks. We suggest using a folder on the root of C:\ called TomcatSSL. You will be prompted to Set a Keystore Password. Use the same one created in Step 6.

  8. To export the CSR, right-click on the tomcat entry and select Generate CSR. The new window shows the path where the CSR will be stored; edit the path if necessary. You will receive a message confirming CSR Generation Successful.




  9. At this point, you will have a Keystore file that contains:

    • Private Key (which is in the Keystore container)
    • Self-Signed Certificate (which is in the Keystore container)
    • CSR (separate file)

  10. The CSR can be uploaded to your Certificate Authority or vendor for signing. Once you have received your certificate from the Certificate Authority or vendor, use the steps in the next section to add it to your Keystore.

    Alternatively, you can choose to Deploy the Self-Signed Certificate.


Append Signed SSL Certificate to Keystore

In this step, we will replace the Self-Signed Certificate in your current Keystore (companyssl.jks) with the one you have purchased from the Certificate Authority. Download the certificate as a full chain with a CRT extension. If you did not receive a full-chain certificate, create one by following the Creating an Entire SSL Certificate Trust Chain section below.

  1. Open the Keystore container (companyssl.jks) created when Generating the CSR.

  2. Right-click on tomcat and select Import CA Reply and use the From File option.



  3. From the file explorer, locate and select the SSL Certificate you have downloaded from the Certificate Authority.

  4. Once the import is complete, right-click on tomcat, navigate to View Details and select Certificate Chain Details. You should see a waterfall of certificates with the bottom one being your domain SSL certificate.




  5. Save the Keystore file and proceed to the Deploy SSL Certificate on Tomcat section.

    Note: If you receive an error adding the full certificate chain to the keystore container, your Self-Signed Certificate may still be part of the keystore and you will need to remove it. Right-click on tomcat, select Edit Certificate Chain and choose Remove Certificate.



Creating an Entire SSL Certificate Trust Chain

There are many methods of creating a full chained certificate. This is an example of one method.

A full trust chain looks like:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: CA.crt)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

We use Notepad++ for this section because it lets you open multiple text files and flip between them.

  1. Open an empty text file and call it chained.crt.

  2. Open your Domain Certificate (PEM) in a text editor. This is the SSL certificate that your Domain is tied to. Copy the contents and paste them into the chained.crt file. 

  3. Open the Intermediate Certificate (PEM) and copy the contents. Paste it below your Domain Certificate. 

  4. Repeat the process for the Root Certificate (PEM).
    Note: in some cases your Intermediate and Root Certificates can be downloaded as a bundle. You can use the bundle to create the full chain as long as the end result is formatted as in the illustration above.

  5. Save the chained.crt file and proceed to the Append Signed SSL Certificate to Keystore section to add it to the Java Keystore.
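Assembling and sanity-checking chained.crt can also be scripted instead of done by hand in an editor. The following Python script is an added example and is not part of the original article: it takes the certificate files in the order the illustration above shows (domain certificate first, then intermediate, then root, or a single bundle holding the last two), checks that every block is a CERTIFICATE block whose body decodes to DER, and writes the blocks into one file separated by blank lines. The file names your_domain_name.crt, CA.crt and TrustedRoot.crt come from the illustration and are only defaults; chained.crt is the output.

```python
"""Build chained.crt (domain cert, intermediate, root) from separate PEM
files and check each block on the way.
Added example, not part of the original article; the default file names
are taken from the article's illustration."""
import base64
import binascii
import re
import sys
import textwrap

# One PEM certificate block; DOTALL so the body may span many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes as a normalised PEM block (64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def extract_pem_certificates(text: str) -> list:
    """Return every CERTIFICATE block in `text`, normalised via pem_from_der.

    A block whose body is not valid base64, or whose decoded bytes do not
    start with a DER SEQUENCE tag (0x30), raises ValueError rather than
    being copied into the chain unnoticed."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())   # drop line breaks and spaces
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("decoded certificate does not start with a DER SEQUENCE")
        certs.append(pem_from_der(der))
    return certs


def build_chain(domain_pem: str, *ca_pems: str) -> str:
    """Concatenate the domain certificate, then each CA file's blocks in order.

    The first argument must hold exactly one certificate (your domain
    cert); the rest are the intermediate and root, either as separate
    files or as one bundle that already contains both."""
    domain = extract_pem_certificates(domain_pem)
    if len(domain) != 1:
        raise ValueError(f"domain file must contain exactly one certificate, found {len(domain)}")
    parts = list(domain)
    for index, text in enumerate(ca_pems, start=1):
        certs = extract_pem_certificates(text)
        if not certs:
            raise ValueError(f"CA file #{index} contains no CERTIFICATE block")
        parts.extend(certs)
    if len(parts) < 2:
        raise ValueError("a full chain needs the domain certificate and at least one CA certificate")
    # Each block already ends with a newline, so joining on "\n" leaves a
    # blank line between blocks, matching the layout shown above.
    return "\n".join(parts)


def write_chain(out_path: str, domain_path: str, *ca_paths: str) -> int:
    """Read the input files, write out_path and return the number of certs written."""
    texts = [open(p, encoding="ascii").read() for p in (domain_path, *ca_paths)]
    chain = build_chain(*texts)
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write(chain)
    return chain.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Usage: python build_chain.py chained.crt your_domain_name.crt CA.crt TrustedRoot.crt
    args = sys.argv[1:] or ["chained.crt", "your_domain_name.crt", "CA.crt", "TrustedRoot.crt"]
    count = write_chain(args[0], args[1], *args[2:])
    print(f"wrote {args[0]} with {count} certificate(s)")
```

The script deliberately refuses a domain file with more than one block and a CA file with none, which are the two ways a hand-built chain most often ends up in the wrong order. It does not verify signatures between the certificates; the Certificate Chain Details view in the keystore application (step 4 of the previous section) is where you confirm the chain actually links.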



Deploy SSL Certificate on Tomcat


In Tomcat there are many different ways to configure your connector. The example below uses a hardened and secure connector which supports the following clients:

  • Android 4.4.2 and later
  • Firefox 32 and later
  • IE 11 and later
  • IE Mobile 11 and later
  • Java 8 b132
  • Safari 7 and later
  • TLSv1.2

If you would like to use a less secure connector you can use the example shown here:

https://wiki.owasp.org/index.php/Securing_tomcat#Sample_Configuration_-_Good_Security 

For a more secure connection, use the following steps:

  1. Shut down the Tomcat WebServer.

  2. Create a copy of the server.xml file located in <path-to-tomcat>/conf/.

  3. Open server.xml in a text editor and add the following connector:

    <Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    keystoreFile="c:\Tomcat-SSL\companyssl.jks"
    keystorePass="changeit"
    clientAuth="false"
    sslProtocol="TLSv1.2"
    sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
    />

  4. Save the file and start the Tomcat WebServer. 

Set keystoreFile to the path of your keystore file (keystoreFile="c:\Tomcat-SSL\companyssl.jks" in the example). If your keystore password is not "changeit", change keystorePass="changeit" in the Connector element to match it. If users should be able to reach the site without a port in the URL (https://mycompany.com rather than https://mycompany.com:<port>), keep port="443" in the connector, since 443 is the default HTTPS port and the browser adds it for you.

Once your Tomcat server is back online, you can test the SSL configuration of your site (https://mycompany.com:<port>) with the SSL checker at https://www.sslshopper.com/ssl-checker.html
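Before restarting Tomcat it is worth reviewing the edited server.xml rather than finding problems in the browser. The following Python script is an added example, not part of the original article or of Tomcat: it parses a server.xml, picks out every connector with SSLEnabled="true", and reports the settings a reviewer looks at first: scheme and secure, a keystorePass left at the well-known default changeit, legacy protocols in sslEnabledProtocols, a missing cipher list, and cipher suites that use a static (non-ephemeral) key exchange or CBC mode. SAMPLE_SERVER_XML is constructed for the example and the finding codes are the script's own. Run against the connector above, it reports the example keystore password and the TLS_ECDH_* and *_CBC_* suites as entries to consider pruning, since those suites lack forward secrecy or AEAD protection; the TLS_ECDHE_*_GCM_* suites pass clean.

```python
"""Audit the TLS connectors in a Tomcat server.xml.
Added example, not part of the original article or of Tomcat; the sample
XML below is constructed and the finding codes are this script's own."""
import sys
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_KEYSTORE_PASSWORD = "changeit"
# Suites whose key exchange is ephemeral (forward secret). TLS 1.3 suite
# names (TLS_AES_*, TLS_CHACHA20_*) are always forward secret.
FORWARD_SECRECY_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")

# Constructed fixture: the article's connector (cipher list shortened) plus
# a second, weaker connector on 8443 and a plain HTTP connector on 8080.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="443"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
      keystoreFile="c:\\Tomcat-SSL\\companyssl.jks" keystorePass="changeit"
      clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" />
    <Connector port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="c:\\Tomcat-SSL\\companyssl.jks" keystorePass="example-not-default"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>
"""


def _split_list(value: str) -> list:
    """Split a comma-separated attribute, tolerating the line wrapping the
    article uses inside the ciphers attribute (XML turns newlines into spaces)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connector(attrs: dict) -> list:
    """Return a list of 'CODE: detail' findings for one SSL connector's attributes."""
    findings = []
    if attrs.get("scheme") != "https" or attrs.get("secure", "").lower() != "true":
        findings.append("NOT_HTTPS: scheme/secure must be https/true so Tomcat treats requests as secure")
    if attrs.get("keystorePass") == DEFAULT_KEYSTORE_PASSWORD:
        findings.append("DEFAULT_KEYSTORE_PASSWORD: keystorePass is the well-known default 'changeit'")
    protocols = _split_list(attrs.get("sslEnabledProtocols", ""))
    if not protocols:
        findings.append("NO_PROTOCOL_LIST: sslEnabledProtocols not set, JVM defaults apply")
    for proto in protocols:
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"LEGACY_PROTOCOL: {proto} is enabled")
    ciphers = _split_list(attrs.get("ciphers", ""))
    if not ciphers:
        findings.append("NO_CIPHER_LIST: ciphers not set, JVM default suites apply")
    for suite in ciphers:
        if not suite.startswith(FORWARD_SECRECY_PREFIXES):
            findings.append(f"NO_FORWARD_SECRECY: {suite} uses a static key exchange")
        if "_CBC_" in suite:
            findings.append(f"CBC_CIPHER: {suite} (prefer an AEAD/GCM suite)")
    return findings


def audit_server_xml(xml_text: str) -> dict:
    """Map each SSL-enabled connector's port to its findings; plain HTTP connectors are skipped."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        report[conn.get("port", "?")] = audit_connector(conn.attrib)
    return report


if __name__ == "__main__":
    # Usage: python audit_tomcat_tls.py <path-to-tomcat>/conf/server.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, findings in audit_server_xml(text).items():
        print(f"Connector port={port}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

The script reads the attribute-on-Connector form used in this article; Tomcat 9 also accepts a nested SSLHostConfig/Certificate form, which this example does not inspect. Treat NO_FORWARD_SECRECY and CBC_CIPHER as advisory: removing those suites narrows the client list above, so check it against the clients you must support before pruning.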




Useful Tomcat Security Articles: