Aryeh,

On 7/18/22 09:08, Aryeh Friedman wrote:
> Here are the steps to installing a SSL cert (it varies slightly based
> on who your certificate authority [CA] is):
>
> Generate a CSR

Stop. The OP already has a key, cert, and chain. None of this is necessary.

> [..] with keytool (it must be keytool despite what the
> tomcat docs say since for whatever reason it refuses to import from
> any other SSL tool):
>
> keytool -keystore clientkeystore -genkey -alias mykey
>
> Submit the above to your CA (they will give you directions on how to
> submit it) and have them issue a signed cert for it
>
> The signed cert usually comes with some intermediate files (this is
> the part that varies by CA) which you have to apply in order to the
> keystore (the following is the set of files I use):


This may or may not be necessary, depending upon what CPanel is willing to give to you.

> keytool -noprompt -importcert -alias AAACertificateServices -file
> AAACertificateServices.crt -keystore sslStore
>
> keytool -importcert -trustcacerts -keystore sslStore -file
> USERTrustRSAAAACA.crt -alias USERTrustRSAAAACA
>
> keytool -importcert -trustcacerts -keystore sslStore -file
> /SectigoRSAOrganizationValidationSecureServerCA.crt -alias
> SectigoRSAOrganizationValidationSecureServerCA
>
> keytool -importcert -trustcacerts -alias mykey (this *MUST* match the
> alias of the CSR you submitted to the CA)
>                  -file 1008013344repl_2.crt -keystore sslStore
>
> Modify the tomcat server.xml to uncomment the right https line in
> the config and tell it where to find the sslStore (some OS's force you
> to put it in $TOMCAT_HOME)... for example I do the following:
>
> <Connector
>             protocol="org.apache.coyote.http11.Http11NioProtocol"
>             port="443" maxThreads="200"
>             scheme="https" secure="true" SSLEnabled="true"
>             keystoreFile="/usr/local/apache-tomcat-9.0/keystore"
>             keystorePass="mySuperSecretPassword"
>             clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>

A modern configuration would use <SSLHostConfig>s and <Certificate>s, which I'd highly recommend doing.

> Restart tomcat and you should have SSL. If you go to https and you
> are on port 8080 you will likely want to put in 8443 not 443

I disagree: using 443 is what the whole world expects for a publicly-accessible web site using https.

-chris
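The quoted Connector rewritten in the <SSLHostConfig>/<Certificate> form that Chris recommends, as an added example that is not from the thread; the file paths, alias and password are placeholders and the PEM file names are assumed.

```xml
<!-- Added example (not from the thread): the Connector above in the
     Tomcat 9 <SSLHostConfig>/<Certificate> form. Paths, alias and
     password are placeholders to replace with your own values. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true">
    <!-- protocols= replaces sslEnabledProtocols=; certificateVerification=
         replaces clientAuth= and takes "none", "optional" or "required". -->
    <SSLHostConfig hostName="_default_"
                   protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="none">
        <!-- Option A: use the key, cert and chain exactly as the CA or
             cPanel handed them over (PEM files). No keytool import at all. -->
        <Certificate certificateKeyFile="${catalina.base}/conf/example.key"
                     certificateFile="${catalina.base}/conf/example.crt"
                     certificateChainFile="${catalina.base}/conf/example-chain.crt"
                     type="RSA" />
        <!-- Option B (instead of A): the keystore built with the keytool
             steps above; the alias must be the one given to -genkey.
        <Certificate certificateKeystoreFile="${catalina.base}/conf/sslStore"
                     certificateKeystorePassword="mySuperSecretPassword"
                     certificateKeyAlias="mykey"
                     type="RSA" />
        -->
    </SSLHostConfig>
</Connector>
```

On Unix-like systems binding port 443 directly needs root or an equivalent privilege (a capability, authbind or a jsvc-style launcher), which is the usual reason people fall back to 8443.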
