Hello again,

I still didn't manage to configure SSL for my Tomcat. I tried a whole bunch
of tutorials and solutions but nothing worked for me.
Once again I will provide you with what I have, so if anybody can help me I
would really appreciate it. If anyone has free time I will provide you
with remote access to configure it together with me.
So, I have a subdomain testjc.fgu.ba created in a cpanel, and it
automatically generated the SSL certificate for the testjc.fgu.ba and
www.testjc.fgu.ba. I have a certificate.crt, private.key and ca_bundle.crt
files in my cpanel.
The subdomain has an A record pointing to my PC IP address where I
installed a Tomcat instance and it is currently running.
You can access it via http, but I want to do the encryption and be able to
have https access to my Tomcat.
What should I do next?

Sincerely,
JC


On Thu, 21 Jul 2022 at 14:15, Christopher Schultz <ch...@christopherschultz.net>
wrote:

> Aryeh,
>
> On 7/18/22 09:08, Aryeh Friedman wrote:
> > Here are the steps to installing a SSL cert (it varies slightly based
> > on who your certificate authority [CA] is):
> >
> > Generate a CSR
>
> Stop. The OP already has a key, cert, and chain. None of this is necessary.
>
> > [..] with keytool (it must be key tool despite what the
> > tomcat docs say since for whatever reason it refuses to import from
> > any other SSL tool):
> >
> > keytool -keystore clientkeystore -genkey -alias mykey
> >
> > Submit the above to your CA (they will give you directions on how to
> > submit it) and have them issue a signed cert for it
> >
> > The signed cert usually comes with some intermediate files (this is
> > the part that varies by CA) which you have to apply in order to the
> > keystore (the following is the set of files I use):
> >
>
> This may or may not be necessary, depending upon what CPanel is willing
> to give to you.
>
> > keytool -noprompt -importcert -alias AAACertificateServices -file
> > AAACertificateServices.crt -keystore sslStore
> >
> > keytool -importcert -trustcacerts -keystore sslStore -file
> > USERTrustRSAAAACA.crt -alias USERTrustRSAAAACA
> >
> > keytool -importcert -trustcacerts -keystore sslStore -file
> > /SectigoRSAOrganizationValidationSecureServerCA.crt -alias
> > SectigoRSAOrganizationValidationSecureServerCA
> >
> > keytool -importcert -trustcacerts -alias mykey (this *MUST* match the
> > alias of the CSR you submitted to the CA)
> >                  -file 1008013344repl_2.crt -keystore sslStore
> >
> > Modify the tomcat server.xml to uncomment out the right https line in
> > the config and tell it where to find the sslStore (some OS's force you
> > to put it in $TOMCAT_HOME)... for example I do the following:
> >
> > <Connector
> >             protocol="org.apache.coyote.http11.Http11NioProtocol"
> >             port="443" maxThreads="200"
> >             scheme="https" secure="true" SSLEnabled="true"
> >             keystoreFile="/usr/local/apache-tomcat-9.0/keystore"
> >             keystorePass="mySuperSecretPassword"
> >             clientAuth="false" sslProtocol="TLS"
> >             sslEnabledProtocols="TLSv1.2"/>
>
> A modern configuration would use <SSLHostConfig>s and <Certificate>s,
> which I'd highly recommend doing.
>
> > Restart tomcat and you should have SSL now if you go to https; if you are
> > on port 8080 you will likely want to put in 8443, not 443
>
> I disagree: using 443 is what the whole world expects for a
> publicly-accessible web site using https.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
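
The <SSLHostConfig>/<Certificate> form recommended in the quoted reply, written against the three files named in the question. This is an added example, not configuration posted by anyone in the thread; it assumes Tomcat 8.5 or later (which can read PEM files directly, so no keytool import is needed) and that the files were copied into $CATALINA_BASE/conf, which is an assumed location.

```xml
<!-- Added example, not from the thread. File locations are assumed:
     relative paths are resolved against $CATALINA_BASE. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">
  <!-- protocols replaces the older sslEnabledProtocols attribute -->
  <SSLHostConfig protocols="TLSv1.2">
    <!-- certificateFile:      server certificate issued for testjc.fgu.ba
         certificateKeyFile:   the matching private key, PEM encoded
         certificateChainFile: the CA bundle (intermediate certificates) -->
    <Certificate certificateFile="conf/certificate.crt"
                 certificateKeyFile="conf/private.key"
                 certificateChainFile="conf/ca_bundle.crt"/>
  </SSLHostConfig>
</Connector>
```

Keep private.key readable only by the account that runs Tomcat; if the key is passphrase-protected, add certificateKeyPassword to the <Certificate> element.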
