Monday, September 12, 2011

tomcat keystore and cacerts

Objective: create SSL certificate for tomcat
Enrironment: Linux server, tomcat, keytool, keystore, cacerts

.keystore file which resides /usr/local/tomcat is the default keystore file for tomcat. It's SSL certificate container for server itself, the CA certs file is under /usr/local/jdk/jre/lib/security/.

The self signed SSL certificate generated by keytool or openssl has to be imported to ca certs file in order to avoid SSL warning when the https URL is being accessed from one server to another, without using browser.


1. list the existing keys, the default file is .keystore under /usr/local/tomcat folder
# cd /usr/local/tomcat
# keytool -list -v -storepass changeit

2. delete the existing keys( key alias :tomcat)
# cd /usr/local/tomcat
# keytool -delete -alias tomcat -storepass changeit

3. generate self-signed key
# keytool -h for usage
# keytool -genkey -alias tomcat -keysize 1024 -validity 3650 -keypass changeit -storepass changeit
What is your first and last name?
[Unknown]: jephe
What is the name of your organizational unit?
[Unknown]: IS
What is the name of your organization?
[Unknown]: Jephe
What is the name of your City or Locality?
[Unknown]: Singapore
What is the name of your State or Province?
[Unknown]: Singapore
What is the two-letter country code for this unit?
[Unknown]: SG
Is CN=jephe, OU=IS, O=somename, L=Singapore, ST=Singapore, C=SG correct?
[no]: yes

for above self-generated key to work without SSL warning, you need to import to ca certs file

4. list the existing CA certificates from /usr/local/jdk/jre/lib/security/cacerts
# cd /usr/local/jdk/jre/lib/security
# keytool -list -v -keystore cacerts

5. in order to add self-signed key to cacerts, export it first from .keystore file
# keytool -export -alias jephe -keypass changeit -storepass changeit -file /tmp/jephe.der

6. then import to cacerts file under /usr/local/jdk/jre/lib/security/cacerts
# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.der -storepass changeit

note: add this key to trusted cacerts and give alias as jephe
you can add one more, but have to give the different alias name

7. you can delete the existing cacert key:
# cd /usr/local/jdk/jre/lib/security
#keytool -delete -keystore cacerts -alias jephe

8. import a openssl generated self signed pem format certificate from openldap server into ca certs file on tomcat server (for ldaps connection from tomcat server to openldap server)

# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.pem -storepass changei

1. convert pem to der format 

openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER