Perform the tasks in the following sections to set up the Tomcat server by using an external CA.

OpenSSL: Create an external CA

Perform the following steps to use OpenSSL to create an External CA:
1
Generate CA Private Key:
Shell
openssl genrsa -out ext-CA-privatekey.pem 2048
2
Generate a self-signed certificate for CA (by using the previously generated private key):
Shell
openssl req -new -x509 -key ext-CA-privatekey.pem -out ext-CA-cert.pem -days 3650
This generates the following files:
  • The CA private key: ext-CA-privatekey.pem
  • The CA self-signed cert: ext-CA-cert.pem
3
Copy the ext-CA-cert.pem file into the directory from which you execute keytool commands.

Java KeyTool: Generate the server key pair

Perform the following steps to use Java KeyTool to generate the server key pair in the PKCS11 keystore; the CSR for the external CA is generated from this key pair in the next section:
1
Generate a server key pair and self-signed certificate:
Shell
keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcatdemo3 -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
When prompted, enter the following information for the server certificate you want to generate, then enter the KeyStore password (for a PKCS11 keystore this is the token's PIN rather than a new password you choose), which all subsequent keytool and jarsigner commands use:
Shell
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes

Java KeyTool: Generate and export a CSR

Perform the following steps to use Java KeyTool to generate and export a CSR:
1
Generate and export the CSR:
Shell
keytool -certreq -alias tomcatdemo3 -file tomcatserver.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the KeyStore password.
3
Send the CSR to the CA for signing. In this guide that is the external CA created previously with OpenSSL, but the same steps apply to a third-party or internal CA.
The CA returns the signed server certificate and its root CA certificate.
4
Copy the tomcatserver.csr file into the directory from which you execute openssl commands.

OpenSSL: Sign the Tomcat server CSR

Perform the following steps to use OpenSSL to sign the Tomcat server CSR:
1
Sign the CSR and generate the signed Tomcat server certificate:
Shell
openssl x509 -req -days 3650 -in tomcatserver.csr -CA ext-CA-cert.pem -CAkey ext-CA-privatekey.pem -CAcreateserial -out ssl-Tomcatserver-cert.pem
This generates the signed Tomcat server cert: ssl-Tomcatserver-cert.pem. Note that openssl x509 -req copies no extensions into the certificate unless you pass -extfile, so the certificate issued by this command has no subjectAltName. Browsers match the host name against the SAN rather than the CN, so for anything beyond this test add an extensions file that carries a subjectAltName for the server's host name.
2
Copy the ssl-Tomcatserver-cert.pem file into the directory from which you execute keytool commands.
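The OpenSSL side of the procedure (creating the external CA and signing the Tomcat CSR), carried through non-interactively as an added example that is not part of the original page or the Futurex documentation. It assumes OpenSSL 1.1.1 or later on PATH, and it generates the server CSR with openssl so that it runs offline; the page generates that CSR with keytool against the SunPKCS11-Futurex provider, and in real use you substitute that tomcatserver.csr. The config file name ext.cnf, the CA name "Example External CA", the WORKDIR variable and the function names are this example's own; the other file names and DN values are the page's. It also adds what the page's plain openssl x509 -req omits (a subjectAltName, key usage and extendedKeyUsage) and finishes with the checks worth running on the result: the server certificate chains to the CA, carries the SAN, and has a subject that differs from its issuer.

```shell
#!/bin/sh
# Added example, not from the original page: the OpenSSL steps of the
# procedure run without prompts, plus checks on the resulting certificate.
# Assumptions: OpenSSL 1.1.1+ on PATH. The server CSR is generated here with
# openssl so the script runs offline; the page generates it with keytool
# against the SunPKCS11-Futurex provider (substitute that CSR for real use).
set -eu

if [ -z "${WORKDIR:-}" ]; then
  WORKDIR=$(mktemp -d)
  trap 'rm -rf "$WORKDIR"' EXIT
fi

# Own config so the run does not depend on the system openssl.cnf.
# v3_ca marks the CA certificate as a CA; server_ext adds what a plain
# "openssl x509 -req" omits: a SAN (browsers ignore the CN) and key usage /
# EKU limiting the certificate to TLS server authentication.
write_config() {
  cat > "$WORKDIR/ext.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca

[ ca_dn ]
CN = Example External CA
O = Futurex
C = US

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# "OpenSSL: Create an external CA", steps 1 and 2, using the config above.
make_ca() {
  openssl genrsa -out "$WORKDIR/ext-CA-privatekey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$WORKDIR/ext.cnf" \
    -key "$WORKDIR/ext-CA-privatekey.pem" -out "$WORKDIR/ext-CA-cert.pem" \
    -days 3650
}

# Stand-in for the keytool -genkeypair / -certreq steps (assumption: in the
# real procedure the key stays in the HSM and keytool emits this CSR).
make_server_csr() {
  openssl req -new -config "$WORKDIR/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server-privatekey.pem" -out "$WORKDIR/tomcatserver.csr" \
    -subj "/CN=www.example.com/OU=Engineering/O=Futurex/L=Bulverde/ST=TX/C=US" \
    2>/dev/null
}

# "OpenSSL: Sign the Tomcat server CSR", with the server_ext extensions added.
sign_server_csr() {
  openssl x509 -req -days 3650 -in "$WORKDIR/tomcatserver.csr" \
    -CA "$WORKDIR/ext-CA-cert.pem" -CAkey "$WORKDIR/ext-CA-privatekey.pem" \
    -CAcreateserial -extfile "$WORKDIR/ext.cnf" -extensions server_ext \
    -out "$WORKDIR/ssl-Tomcatserver-cert.pem" 2>/dev/null
}

# Check 1: the server certificate validates against the CA certificate.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ext-CA-cert.pem" \
    "$WORKDIR/ssl-Tomcatserver-cert.pem" >/dev/null 2>&1
}

# Check 2: the SAN for the given host name is present.
has_san() {
  openssl x509 -in "$WORKDIR/ssl-Tomcatserver-cert.pem" -noout -text \
    | grep -q "DNS:$1"
}

# Prints the subject or issuer DN ($1 = subject|issuer) without the
# "subject=" / "issuer=" prefix that openssl prepends.
cert_name() {
  openssl x509 -in "$WORKDIR/ssl-Tomcatserver-cert.pem" -noout "-$1" \
    -nameopt RFC2253 | cut -d= -f2-
}

# Check 3: not self-signed, so subject and issuer differ.
subject_differs_from_issuer() {
  [ "$(cert_name subject)" != "$(cert_name issuer)" ]
}

run_all() {
  write_config && make_ca && make_server_csr && sign_server_csr \
    && verify_chain && has_san www.example.com && subject_differs_from_issuer
}

if run_all; then
  echo "chain OK: subject=$(cert_name subject), issuer=$(cert_name issuer)"
else
  echo "chain check FAILED" >&2
  exit 1
fi
```

Run it with sh; set WORKDIR to an existing directory to keep the generated files for inspection, otherwise they are removed on exit. Once Tomcat is serving the imported certificate, the same verify_chain check can be repeated against the live server with openssl s_client and the -CAfile option pointing at ext-CA-cert.pem.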

Java KeyTool: Import the CA root certificate

Perform the following steps to use Java KeyTool to import the CA root certificate:
1
Run the following command to import the CA root certificate:
Shell
keytool -import -trustcacerts -alias tomcatdemo_ext_ca1 -keystore NONE -file ext-CA-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the KeyStore password.
3
When prompted to trust the certificate, enter yes, as shown in the following example:
Shell
Trust this certificate?
[no]: yes
If the command succeeds, you see output similar to the following:
Shell
Certificate was added to keystore.

Java KeyTool: Import the signed server certificate

Perform the following steps to use Java KeyTool to import the signed server certificate:
1
To import the signed server certificate, run the following command:
Shell
keytool -importcert -alias tomcatdemo3 -keystore NONE -file ssl-Tomcatserver-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the KeyStore password.
If the command succeeds, you should see an output similar to the following:
Shell
Certificate reply was installed in keystore

Test Apache Tomcat

Perform the following steps to test Apache Tomcat:
1
Edit the apache\conf\server.xml file and set the keyAlias attribute of the HTTPS connector (certificateKeyAlias inside an SSLHostConfig element in Tomcat 8.5 and later) to the alias used in the preceding steps, tomcatdemo3 in this example, so that Tomcat serves the certificate you just imported rather than another entry in the keystore.
2
Start Tomcat by running the startup script in its bin directory (apache\bin\startup).
3
Open a web browser and go to https://localhost:8443.
The connection should show the certificate information. The subject and issuer are different because this is not a self-signed certificate. Expect the browser to warn unless it trusts ext-CA-cert.pem, and, because the certificate was issued for www.example.com rather than localhost, to report a host name mismatch; neither warning means the external CA setup failed.