Create a Java KeyStore (Apache Tomcat TLS offloading)
Tomcat secure connections rely on you storing a server private key and certificate in the Java KeyStore saved on the HSM. The system presents this server certificate to clients when they connect to the Tomcat server. Typically, you create the keystore by using the keytool application bundled with Java (located in $JAVA_HOME/jre/bin/).

The following sections outline these tasks:

- Generate a server key pair (which includes a self-signed certificate to be stored in the HSM).
- Generate and export a CSR to be signed by an external CA (if needed).
- Import the external CA root certificate.
- Import the server certificate signed by the external CA.

To test that you created the self-signed certificate in the HSM and that the Tomcat server is presenting it to client connections, execute the "Generate a server key pair and self-signed certificate" section and then move on to server configuration. If you need a connection using an external CA, go to "Generate and export a CSR", sign the CSR by using an external CA (which you can create with OpenSSL), and finally proceed with the "Import the CA root certificate" and "Import the server certificate signed by CA" sections.

1 | Generate a server key pair and self-signed certificate

Execute the following command. -alias sets a name to identify the key pair and certificate to be generated. It can be any name (such as tomcatdemo1), but you must use the same name in the next section, "Configure Tomcat and test the server".

```
keytool -genkeypair -keyalg EC -alias tomcatdemo1 -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

When prompted, enter the following information for the server certificate you want to generate, and enter a new keystore password. Be sure to save this password, which all subsequent keytool and jarsigner commands use.

```
What is your first and last name?
  [Unknown]:  www.example.com
What is the name of your organizational unit?
  [Unknown]:  Engineering
What is the name of your organization?
  [Unknown]:  Futurex
What is the name of your City or Locality?
  [Unknown]:  Bulverde
What is the name of your State or Province?
  [Unknown]:  TX
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
  [no]:  yes
```

The previous command generates a self-signed certificate. If you need a CA-signed certificate, continue with the remaining steps. Otherwise, proceed to server configuration.

2 | Generate and export a CSR

To generate and export a CSR, run the following command:

```
keytool -certreq -alias tomcatdemo1 -file example.csr -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

Enter the keystore password. Send the CSR to a CA, either third-party or internal, to be signed. You should get a signed server certificate and a root CA certificate back.

3 | Import the CA root certificate

To import the CA root certificate, run the following command:

```
keytool -import -trustcacerts -alias tomcatdemo-ca -keystore NONE -file ca.crt -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

Enter the keystore password. When prompted to trust the certificate, enter yes, as shown in the following example:

```
Trust this certificate? [no]:  yes
Certificate was added to keystore
```

4 | Import the server certificate signed by CA

To import the signed server certificate, run the following command:

```
keytool -importcert -alias tomcatdemo1 -keystore NONE -file server.crt -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-futurex
```

Enter the keystore password. If the command succeeds, you should see output similar to the following:

```
Certificate reply was installed in keystore
```
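The page says the external CA used to sign example.csr can be created with OpenSSL but does not show that step. The script below is an added example (not Futurex's or Tomcat's own code) that builds a throwaway test CA, signs the CSR with a serverAuth extension and a subjectAltName matching the CN entered above, and then checks the result before you hand ca.crt and server.crt to steps 3 and 4: the signed certificate must verify against the CA and its public key must be the one in the CSR, otherwise `keytool -importcert` under the same alias has no key pair to attach it to. Because an HSM is not available offline, `make_standin_csr` generates a CSR with an OpenSSL-held key as a stand-in for the one keytool exports; in real use, skip that function and pass the HSM's example.csr to `sign_csr`. The working directory, file names and the CA subject are assumptions.

```shell
#!/bin/sh
# Added example: a test CA built with openssl to sign the CSR exported from
# the HSM, plus sanity checks on the signed certificate. Not part of the
# original page; WORK, ca.key, server.ext and the CA subject are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="www.example.com"   # matches the CN entered at the keytool prompt

# Create a self-signed test CA (private key + root certificate = ca.crt).
make_test_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 \
        -subj "/CN=Test Root CA/O=Futurex/C=US" 2>/dev/null
}

# Stand-in for example.csr from "keytool -certreq": same DN as the page, but
# the key lives in a file here instead of in the HSM (constructed for the demo).
make_standin_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/example.csr" \
        -subj "/CN=$SERVER_NAME/OU=Engineering/O=Futurex/L=Bulverde/ST=TX/C=US" 2>/dev/null
}

# Sign a CSR with the test CA. The extension file pins the certificate to
# TLS server use and carries the SAN that modern clients require.
sign_csr() {
    csr="$1"; out="$2"
    printf '%s\n' "basicConstraints=CA:FALSE" \
                  "keyUsage=digitalSignature" \
                  "extendedKeyUsage=serverAuth" \
                  "subjectAltName=DNS:$SERVER_NAME" > "$WORK/server.ext"
    openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$out" 2>/dev/null
}

# Returns 0 when the certificate chains to ca.crt (what step 3 installs).
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Returns 0 when the public key in the cert equals the one in the CSR, i.e.
# the cert really belongs to the key pair stored under the keytool alias.
pubkeys_match() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Returns 0 when the certificate carries a DNS SAN for the given host name.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# End-to-end run: CA, CSR, signing, then the three checks (set -e aborts on any failure).
run_demo() {
    make_test_ca
    make_standin_csr
    sign_csr "$WORK/example.csr" "$WORK/server.crt"
    verify_chain "$WORK/server.crt"
    pubkeys_match "$WORK/example.csr" "$WORK/server.crt"
    has_san "$WORK/server.crt" "$SERVER_NAME"
    echo "ca.crt and server.crt are ready in $WORK"
}

# Run the whole flow when executed directly; skipped if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    run_demo
fi
```

After a successful run, $WORK/ca.crt is the file for the `-trustcacerts` import in step 3 and $WORK/server.crt is the certificate reply for step 4. The `pubkeys_match` check is the one worth keeping in a real pipeline: a CA that re-keys or mixes up CSRs produces a certificate that verifies fine but that keytool will refuse to install against the alias, and this catches it before the HSM session.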