SSL Tomcat Keystore Wildcard Certificate
If you plan to install an existing SSL certificate into Tomcat, it is not as simple as one would hope. The instructions below summarize what finally worked after many hours of trial and error. They are specific to Kablink Teaming, but the same approach applies to importing any existing PEM certificate and key into a Java keystore.
Prepare the Existing PEM Certificates
In order to properly import the certificates we will need to edit and then concatenate the certificate chain files. For the purposes of this example we will use Wildcard.crt, Wildcard-bundle.crt, and Wildcard.key as the file names.
```sh
cd /path/to/crt/files/
vi Wildcard.crt           # Remove any extra lines outside of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
vi Wildcard-bundle.crt    # Remove any extra lines outside of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
cp Wildcard.crt Wildcard.master.crt.pem
cat Wildcard-bundle.crt >> Wildcard.master.crt.pem
cd /path/to/key/file/
cp Wildcard.key Wildcard.master.key.pem
```
Now that the files are prepared, you will use Wildcard.master.crt.pem and Wildcard.master.key.pem for the remaining steps.
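As an added example (not code from the original post), the following Python script does the same clean-up and concatenation as the vi and cat steps above: it keeps only what sits between the BEGIN/END CERTIFICATE markers, checks that each block decodes to DER, and writes the server certificate ahead of the bundle. The sample inputs are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# One PEM certificate block; anything outside the markers is ignored.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def extract_certificates(pem_text):
    """Return the DER bytes of each CERTIFICATE block in pem_text.
    Text outside the BEGIN/END markers ("Bag Attributes", openssl -text
    dumps, stray lines) is dropped, the same clean-up the vi step does by
    hand. Each block must be valid base64 and decode to a DER SEQUENCE
    (first byte 0x30), the outer tag of every X.509 certificate."""
    certs = []
    for body in PEM_CERT.findall(pem_text):
        b64 = "".join(body.split())  # join wrapped lines, drop whitespace
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate block is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to a DER SEQUENCE")
        certs.append(der)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs

def to_pem(der):
    """Re-encode DER as a clean PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def build_master_chain(leaf_pem, bundle_pem):
    """Build Wildcard.master.crt.pem: the server certificate first, then the
    bundle, the order a keystore chain import expects."""
    leaf = extract_certificates(leaf_pem)
    if len(leaf) != 1:
        raise ValueError("Wildcard.crt must contain exactly one certificate")
    return "".join(to_pem(c) for c in leaf + extract_certificates(bundle_pem))

# Constructed sample input: the byte strings are placeholder DER SEQUENCEs,
# not real certificates, so only the clean-up and ordering is exercised.
SAMPLE_LEAF = ("Bag Attributes\n    friendlyName: *.example.com\n"
               + to_pem(b"\x30\x03\x02\x01\x01") + "\n")
SAMPLE_BUNDLE = (to_pem(b"\x30\x03\x02\x01\x02")
                 + "--- intermediate above, root below ---\n"
                 + to_pem(b"\x30\x03\x02\x01\x03"))
```

Run `build_master_chain` on the contents of your real Wildcard.crt and Wildcard-bundle.crt and write the result to Wildcard.master.crt.pem; a ValueError means one of the blocks is damaged and should be fixed before the keystore import.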
Acquire the KeyTool IUI
The following link offers both a standalone application and a Java Web Start application for creating a new keystore. Visit the link and choose your preferred method of running the application.
Creating the Keystore using KeyTool IUI
For the next part of the discussion I am going to assume that you have placed both .pem files from above, as well as the extracted KeyTool IUI, into a folder.
```sh
# cd /path/to/folder/ktl241sta
# run_ktl.sh
```
Once the application has started follow the remaining steps.
- Click on View->Select Task->Create->Keystore
- Make sure that JKS is selected and then click on the Save icon next to Keystore file
- Navigate to the folder you want to save the keystore to and give it a name.
- Click on the Keystore password button and enter in "changeit" without the quotes (This password applies to Teaming).
- Click on OK
- Click on View->Select Task->Import->Keystore's Entry->Private Key->PEM File format
- For Private key file use the Wildcard.master.key.pem file you created.
- For Certificate chain file use the Wildcard.master.crt.pem file you created.
- Select the Keystore file you created above
- Enter in the Keystore password of "changeit" without the quotes (Again, we set this as the password for use with Teaming).
- Click on OK
- Enter in the new private key entry's alias and make it "tomcat" without the quotes (Teaming recommendation).
- Enter in the password of "changeit" (Teaming requirement).
- Click on OK
- To view the entry, right-click on the tomcat alias and choose View Certificate to see the details.
- Close the application and proceed to the next step.
If you want to check the keystore file, run the following command and use the password "changeit" without the quotes:
```sh
keytool -list -v -keystore keystore.jks
```
Installing the Keystore in Kablink Teaming
The final stage of instructions only applies to Kablink Teaming. If you have a different application, review its documentation for details on where to install the keystore.
```sh
# cd /opt/novell/teaming/apache-tomcat-6.0.18/conf/
# cp -a .keystore .keystore.bak
# cp -a /path/to/keystore/created ./.keystore
# chmod 750 .keystore
# rcteaming restart; tail -f /opt/novell/teaming/apache-tomcat-6.0.18/logs/catalina.out
```
Hopefully you do not see any errors while the server starts up. Once the server has booted, check that the SSL service is reachable.
Tips and Links on keystore
Here are some helpful links and tips on keytool.
List existing certificates in the keystore:
```sh
keytool -list -v -keystore .keystore
```
Change the keystore password:
```sh
keytool -storepasswd -new changeit -keystore .keystore
```
Other links I reviewed that may be of help to others:
- SUSE Studio and Kiwi mke2fs Error
- LUKS Encrypting USB Drive in openSUSE 11.2