Appendix: Set up Tomcat server by using a third-party (external) CA
Perform the tasks in the following sections to set up the Tomcat server by using an external CA. The server key pair is generated inside the HSM through the SunPKCS11 provider, so the private key never leaves the device; only a CSR and certificates move between the HSM-backed keystore and the CA.

## OpenSSL: Create an external CA

Generate the CA private key:

```
openssl genrsa -out ext-ca-privatekey.pem 2048
```

Generate a self-signed certificate for the CA (by using the previously generated private key):

```
openssl req -new -x509 -key ext-ca-privatekey.pem -out ext-ca-cert.pem -days 3650
```

This generates the following files:

- the CA private key: `ext-ca-privatekey.pem`
- the CA self-signed certificate: `ext-ca-cert.pem`

Note that `genrsa` writes the CA key unencrypted; in anything other than a demo, protect it (for example with a passphrase, or by keeping the CA key on its own HSM), because whoever holds this file can issue certificates that the Tomcat keystore trusts.

Copy the `ext-ca-cert.pem` file into the directory from which you execute `keytool` commands.

## Java keytool: Generate a CSR for an external CA

Generate a server key pair and self-signed certificate in the HSM-backed PKCS#11 keystore:

```
keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcatdemo3 -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

The provider name `SunPKCS11-futurex` is the name the SunPKCS11 provider takes when its configuration file sets `name = futurex`; the same `-providerClass`, `-providerName` and `-keystore NONE -storetype PKCS11` arguments are repeated on every `keytool` command below.

When prompted, enter the following information for the server certificate you want to generate, and enter the keystore password. For a PKCS#11 keystore this password is the HSM token PIN, and all subsequent `keytool` and `jarsigner` commands use it:

```
What is your first and last name?
  [Unknown]:  www.example.com
What is the name of your organizational unit?
  [Unknown]:  Engineering
What is the name of your organization?
  [Unknown]:  Futurex
What is the name of your City or Locality?
  [Unknown]:  Bulverde
What is the name of your State or Province?
  [Unknown]:  TX
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
  [no]:  yes
```

## Java keytool: Generate and export a CSR

Generate and export the CSR:

```
keytool -certreq -alias tomcatdemo3 -file tomcatserver.csr -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

Enter the keystore password when prompted.

Send the CSR to the CA to get it signed. This can be the external CA previously created in OpenSSL, a third-party CA, or an internal CA; in every case the CA returns a signed server certificate and a root CA certificate.

Copy the `tomcatserver.csr` file into the directory from which you execute `openssl` commands.

## OpenSSL: Sign the Tomcat server CSR

Sign the CSR and generate the signed Tomcat server certificate:

```
openssl x509 -req -days 3650 -in tomcatserver.csr -CA ext-ca-cert.pem -CAkey ext-ca-privatekey.pem -CAcreateserial -out ssl-tomcatserver-cert.pem
```

This generates the signed Tomcat server certificate: `ssl-tomcatserver-cert.pem`.

Two points to check before you use this certificate outside a test setup. First, `openssl x509 -req` issues a certificate with no extensions unless you pass an extension file, so the result has no subjectAltName; current browsers ignore the CN and reject such a certificate as not matching the host name, so add a `-extfile` with a `subjectAltName` for the server's DNS names. Second, a ten-year validity on a server certificate is a demo setting, not one to carry into production.

Copy the `ssl-tomcatserver-cert.pem` file into the directory from which you execute `keytool` commands.

## Java keytool: Import the CA root certificate

Run the following command to import the CA root certificate:

```
keytool -import -trustcacerts -alias tomcatdemo-ext-ca1 -keystore NONE -file ext-ca-cert.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

Enter the keystore password. When prompted to trust the certificate, enter `yes`, as shown in the following example:

```
Trust this certificate? [no]:  yes
```

If the command succeeds, you see output similar to the following:

```
Certificate was added to keystore
```

The root certificate has to be in the keystore before the next step: when `keytool` installs a certificate reply it builds the chain from the reply up to a trusted root, and fails if the issuer is unknown.

## Java keytool: Import the signed server certificate

To import the signed server certificate, run the following command. The alias must be the one used for `-genkeypair`, so that `keytool` attaches the reply to the key pair already in the HSM:

```
keytool -importcert -alias tomcatdemo3 -keystore NONE -file ssl-tomcatserver-cert.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

Enter the keystore password. If the command succeeds, you should see output similar to the following:

```
Certificate reply was installed in keystore
```

## Test Apache Tomcat

1. Open the `apache\conf\server.xml` file and change `keyAlias` to the alias used in the preceding step (`tomcatdemo3`).
2. Start the Tomcat server with the startup script in its `bin` directory.
3. Open a web browser and go to `https://localhost:8443`.

The connection should show the certificate information. The subject and issuer are different because this is not a self-signed certificate: the subject is the DN entered at `-genkeypair`, and the issuer is the external CA.
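The OpenSSL side of the procedure above, as an added example that is not part of the original page or of the vendor's tooling: it creates the external CA, signs a CSR for the same subject the appendix uses, and then runs the checks worth doing before the certificate goes into the PKCS#11 keystore (chain verifies against the CA, subject differs from issuer, the issued public key matches the CSR, a subjectAltName is present). Because it has to run offline, the server key is an OpenSSL file key standing in for the key that `keytool -genkeypair` creates in the HSM; the CSR it produces plays the role of the `keytool -certreq` output. The config sections, the 825-day leaf validity and the `DNS:localhost` SAN entry are assumptions made for the example, not settings from the page.

```shell
#!/bin/sh
# Added example (not from the page): external CA + signed Tomcat server cert with OpenSSL,
# plus the checks a practitioner runs before importing the result into the keystore.
set -eu

# Explicit config files keep the run independent of the system openssl.cnf and
# make the extensions visible. The page's bare "openssl x509 -req" adds no
# extensions at all, so the issued cert would have no subjectAltName.
write_configs() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example External CA
O = Example
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = www.example.com
OU = Engineering
O = Futurex
L = Bulverde
ST = TX
C = US
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com, DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_chain DIR: create the external CA, the server CSR and the signed server cert.
# File names follow the appendix; the server key is a file here instead of an HSM object.
build_chain() {
    dir="$1"
    write_configs "$dir"
    # 1. External CA (same two steps as the page's "Create an external CA").
    openssl genrsa -out "$dir/ext-ca-privatekey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/ext-ca-privatekey.pem" -out "$dir/ext-ca-cert.pem" -days 3650
    # 2. Server key + CSR. On the page the key lives in the HSM and the CSR comes
    #    from "keytool -certreq"; a file key is used so this runs offline.
    openssl genrsa -out "$dir/tomcatserver-key.pem" 2048 2>/dev/null
    openssl req -new -config "$dir/server.cnf" \
        -key "$dir/tomcatserver-key.pem" -out "$dir/tomcatserver.csr"
    # 3. Sign the CSR, attaching the server extensions (SAN, EKU). 825 days is an
    #    assumed shorter lifetime than the page's 3650.
    openssl x509 -req -days 825 -sha256 -in "$dir/tomcatserver.csr" \
        -CA "$dir/ext-ca-cert.pem" -CAkey "$dir/ext-ca-privatekey.pem" -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions v3_server \
        -out "$dir/ssl-tomcatserver-cert.pem" 2>/dev/null
}

# verify_chain DIR: returns 0 only if the server cert chains to the CA, is not
# self-signed, and carries the public key from the CSR (i.e. the key in the keystore).
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ext-ca-cert.pem" \
        "$dir/ssl-tomcatserver-cert.pem" >/dev/null || return 1
    subject=$(openssl x509 -in "$dir/ssl-tomcatserver-cert.pem" -noout -subject)
    issuer=$(openssl x509 -in "$dir/ssl-tomcatserver-cert.pem" -noout -issuer)
    [ "$subject" != "$issuer" ] || return 1
    csr_key=$(openssl req -in "$dir/tomcatserver.csr" -noout -pubkey)
    cert_key=$(openssl x509 -in "$dir/ssl-tomcatserver-cert.pem" -noout -pubkey)
    [ "$csr_key" = "$cert_key" ] || return 1
}

# has_san CERT NAME: succeeds if NAME appears as a DNS subjectAltName entry.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

In the real flow the CSR file comes out of `keytool -certreq` rather than `openssl req`, and `verify_chain` is the check to run on whatever the CA returns: if the public key in the reply does not match the CSR, `keytool -importcert` against alias `tomcatdemo3` will fail, and if the chain does not verify against the root you imported, it will fail for that reason instead.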