Appendix: Tomcat Server setup using a third-party (External) CA
Perform the tasks in the following sections to set up Tomcat Server using an external CA.
Generate CA Private Key:
Generate Self-Signed Certificate for CA (Using the previously generated private key):
Two files will be generated, the CA private key: ext-CA-privatekey.pem, and the CA self-signed cert: ext-CA-cert.pem. Copy the ext-CA-cert.pem file into the directory from where KeyTool commands are being executed.
Generate a Server Key Pair and Self-signed Certificate:
When this command runs, keytool prompts for the information to be placed in the server certificate.
Enter the keystore password. (Save this password; it may be required later in the Tomcat Configuration section.)
Generate and export the CSR:
Enter the keystore password.
The CSR must be signed by the external CA previously created in OpenSSL, whether that CA is a third party or internal. Once signed, the server certificate returned by the CA is imported together with the CA certificate.
Copy tomcatserver.csr into the directory from where the openssl commands are executed.
Sign the CSR and Generate the Signed Tomcat Server Certificate:
This will generate the signed Tomcat server cert: ssl-tomcatserver-cert.pem
Copy the ssl-tomcatserver-cert.pem file into the directory from where KeyTool commands are being executed.
Run the following command to import the CA Root certificate:
Enter the keystore password.
When prompted to trust the certificate, enter yes.
If the command is successful you will see an output similar to the following:
To import the signed server certificate, run the following command:
Enter the keystore password.
If the command is successful, you should see an output similar to the following:
Open the apache\conf\server.xml file and set keyAlias to the alias used in the last step.
Startup Apache Server. Go to apache\conf\bin\startup.
Open a web browser and navigate to https://localhost:8443
The connection should show the certificate information. The subject and issuer will be different, because this is NOT a Self-Signed cert.
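The whole procedure above as one runnable script, added here as an example and not part of the original appendix. File names (ext-CA-privatekey.pem, ext-CA-cert.pem, tomcatserver.csr, ssl-tomcatserver-cert.pem) are the page's; the alias "tomcat", the keystore name tomcatserver.p12, the subjects and the password are constructed for the demo. It adds the two checks worth running before touching server.xml: that the signed certificate verifies against the CA, and that the keystore alias holds a two-certificate chain rather than a stray trusted-certificate entry.

```shell
# Added example (not from the original page). Page file names are kept; alias,
# keystore name, subjects and password are constructed for this demo.
WORK="${WORK:-$(mktemp -d)}"
ALIAS=tomcat
STOREPASS='demo-changeit'   # constructed; keep the real one out of scripts
# All keytool calls share one keystore, type and password; stderr is silenced
kt() { keytool "$@" -keystore "$WORK/tomcatserver.p12" -storetype PKCS12 \
         -storepass "$STOREPASS" 2>/dev/null; }

make_ca() {
  # External CA: private key (mode 600, it is the root of trust) and self-signed cert
  openssl genrsa -out "$WORK/ext-CA-privatekey.pem" 2048 2>/dev/null
  chmod 600 "$WORK/ext-CA-privatekey.pem"
  openssl req -x509 -new -key "$WORK/ext-CA-privatekey.pem" -days 3650 \
    -subj "/CN=Example External CA" -out "$WORK/ext-CA-cert.pem" 2>/dev/null
}

make_server_keypair_and_csr() {
  # Server key pair lives in the keystore; the CSR is exported from the same alias
  kt -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
     -dname "CN=localhost" -keypass "$STOREPASS"
  kt -certreq -alias "$ALIAS" -file "$WORK/tomcatserver.csr"
}

sign_csr() {
  # The CA signs the CSR and returns the one-year server cert ssl-tomcatserver-cert.pem
  openssl x509 -req -in "$WORK/tomcatserver.csr" -CA "$WORK/ext-CA-cert.pem" \
    -CAkey "$WORK/ext-CA-privatekey.pem" -CAcreateserial -days 365 \
    -out "$WORK/ssl-tomcatserver-cert.pem" >/dev/null 2>&1
}

import_chain() {
  # Root first (-noprompt stands in for answering "yes"), then the signed cert under
  # the SAME alias as the key pair. A different alias creates a trustedCertEntry that
  # keyAlias can never serve; without the root, keytool rejects the reply (no chain).
  kt -importcert -alias ext-ca -file "$WORK/ext-CA-cert.pem" -noprompt
  kt -importcert -alias "$ALIAS" -file "$WORK/ssl-tomcatserver-cert.pem"
}

verify_chain() {
  # Pre-flight before editing server.xml: the server cert chains to the external CA
  openssl verify -CAfile "$WORK/ext-CA-cert.pem" \
    "$WORK/ssl-tomcatserver-cert.pem" >/dev/null 2>&1
}

chain_length() {
  # Prints "2" (server cert + CA) once the import under the key alias succeeded
  kt -list -v -alias "$ALIAS" | sed -n 's/^Certificate chain length: //p'
}
```

Run `make_ca; make_server_keypair_and_csr; sign_csr; import_chain; verify_chain && chain_length` and point keyAlias in server.xml at "$ALIAS" only if the verify step passes and the chain length is 2.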