Difference between revisions of "Managing SSL Certificates"
imported>Aeric |
imported>Aeric |
||
Line 18: | Line 18: | ||
::{| | ::{| | ||
<pre>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr | <pre>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr | ||
-keystore {keystore_filename} | |||
</pre> | </pre> | ||
|} | |} | ||
:3. Submit the resulting file, <tt>certreq.csr</tt>, to the CA to obtain a certificate.<br>(When the certificate arrives, you are ready for the next step of steps.) | |||
'''To Install the Certificate''' | '''To Install the Certificate Obtained from the CA''' | ||
Once you have obtained a certificate, you need to import it into the keystore. (In addition to your certificate, the CA might provide an Chain/Root Certificate, which must also be imported.) | |||
If you have received a chain certificate from the CA, then: | |||
:1. Copy the contents of the chain certificate into a file called <tt>chain</tt> | :1. Copy the contents of the chain certificate into a file called <tt>chain</tt> | ||
Line 35: | Line 34: | ||
::{| | ::{| | ||
<pre>keytool -import -alias root -keystore {keystore_filename} | <pre>keytool -import -alias root -keystore {keystore_filename} | ||
-trustcacerts -file chain | |||
</pre> | </pre> | ||
|} | |} | ||
When the chain certificate (if any) has been imported, you are ready for the final step: | |||
:3. Import the certificate received from the CA: | :3. Import the certificate received from the CA: | ||
::{| | ::{| | ||
<pre>keytool -import -alias tomcat -keystore {keystore_filename} | <pre>keytool -import -alias tomcat -keystore {keystore_filename} | ||
-trustcacerts -file {certificate_filename} | |||
</pre> | </pre> | ||
|} | |} |
Revision as of 22:57, 23 June 2011
Managing SSL Certificates
Obtaining an SSL Certificate
The platform provides a default self-signed certificate which is used by the Application Server.
To obtain and install your own SSL Certificate, make a request to a Certificate Authority (CA). An SSL certificate authenticates a website to a web browser, part of a security protocol to manage secure data exchange.
The CA will accept your Certificate Signing Request and generate a certificate which identifies your website as a secured website.
To create a Certificate Signing Request (CSR)
- 1. Create a keystore and a private key:
cd {install_dir}/tomcat/conf/RN keytool -genkey -alias tomcat -keyalg RSA -keystore {keystore_filename}
- 2. Create a CSR from the keystore
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore {keystore_filename}
- 3. Submit the resulting file, certreq.csr, to the CA to obtain a certificate.
(When the certificate arrives, you are ready for the next step of steps.)
To Install the Certificate Obtained from the CA
Once you have obtained a certificate, you need to import it into the keystore. (In addition to your certificate, the CA might provide an Chain/Root Certificate, which must also be imported.)
If you have received a chain certificate from the CA, then:
- 1. Copy the contents of the chain certificate into a file called chain
- 2. Import the chain certificate into your keystore:
keytool -import -alias root -keystore {keystore_filename} -trustcacerts -file chain
When the chain certificate (if any) has been imported, you are ready for the final step:
- 3. Import the certificate received from the CA:
keytool -import -alias tomcat -keystore {keystore_filename} -trustcacerts -file {certificate_filename}
Replacing the Default SSL Certificate
To replace the certificate:
- Add the new certificate to this directory:
- {install_dir}/tomcat/conf/RN
- Edit {install_dir}/tomcat/conf/server.xml file
- Replace the following line:
- keystoreFile="conf/RN/thirdParty" keystorePass="algrsa"
- with:
- keystoreFile="conf/RN/your_certficate_file_name"
- keystorePass="your_password_for_certificate_store"
- keystoreFile="conf/RN/thirdParty" keystorePass="algrsa"
- Save the file
- Restart the application server
The Application Server will now use your certificate file for communication over https.
Learn More
- Certificate Signing Request (CSR) Generation Instructions-Tomcat, at
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227