Setting Up a Server Certificate
Certificates are used with the HTTPS protocol to authenticate the server to Web clients. The HTTPS service of the Tomcat server will not run unless a server certificate has been installed. Use the following procedure to set up a Tomcat server certificate.
- Generate a key pair and a self-signed certificate.

  The keytool utility enables you to create the certificate. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptography Extension (JCE) provider that has implementations of the RSA algorithms. This provider enables you to import RSA-signed certificates.

  To generate the certificate, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file:

  ```
  keytool -genkey -keyalg RSA -alias tomcat -keystore <keystore_filename>
  ```

  The keytool utility prompts you for the following information:

  - Keystore password: Enter a password. (You may want to use changeit to be consistent with the default password of the J2SE SDK keystore.)
  - First and last name: Enter the fully qualified name of your server, that is, the host name plus the domain name. This is the name the certificate is issued for, so it must match the host name clients use to reach the server.
  - Organizational unit: Enter the appropriate value.
  - Organization: Enter the appropriate value.
  - City or locality: Enter the appropriate value.
  - State or province: Enter the unabbreviated name.
  - Two-letter country code: For the USA, the two-letter country code is US.
  - Key password for tomcat: Do not enter a password. Press Return. (The key password then defaults to the keystore password, which is what Tomcat expects.)
- If you want to have your certificate digitally signed by a CA, do the following:

  - Generate a Certificate Signing Request (CSR):

    ```
    keytool -certreq -alias tomcat -keyalg RSA -file <csr_filename> -keystore <keystore_filename>
    ```

  - Send the contents of <csr_filename> to the CA for signing. If you are using the Verisign CA, go to http://digitalid.verisign.com/. Verisign will send the signed certificate in email. Store this certificate in a file.
  - Import the signed certificate that you received in email into the server keystore. Use the same alias as the key pair (tomcat) so that the signed certificate replaces the self-signed one; keytool can only validate the reply if the CA's certificate is already trusted, either in the J2SE cacerts file (-trustcacerts) or in your keystore, so import the CA certificate (next step) before the reply if your CA is not already recognized:

    ```
    keytool -import -alias tomcat -trustcacerts -file <signed_cert_file> -keystore <keystore_filename>
    ```
- Import the CA certificate.

  If your certificate will be signed by a Certification Authority (CA), you must import the CA certificate. You may skip this step if you are using only the self-signed certificate. If you are using a self-signed certificate or a certificate signed by a CA that your browser does not recognize, a dialog will be triggered the first time a user tries to access the server. The user can then choose to trust the certificate for this session only or permanently.

  To import the certificate, perform these tasks:

  - Request the CA certificate from your CA. Store the certificate in a file.
  - Install the CA certificate as a trusted entry by running the keytool utility as follows. Give it an alias that is not already used by your key pair (root here, not tomcat). To install it in the Java 2 Platform, Standard Edition truststore instead of your own keystore, point -keystore at $JAVA_HOME/jre/lib/security/cacerts; you must have the required permissions to modify that file.

    ```
    keytool -import -trustcacerts -alias root -file <ca-cert-filename> -keystore <keystore-filename>
    ```

After importing the certificate, there is still more work to be done in order to set up an HTTPS connector. For more information, please read the Tomcat document SSL Configuration HOW-TO, located at <JWSDP_HOME>/docs/tomcat/ssl-howto.html.
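The following script, added here as an example and not part of the tutorial, runs the whole procedure above end to end without interactive prompts. Because no commercial CA is reachable offline, a throwaway keystore stands in for the CA and signs the CSR with keytool -gencert (available from Java 7 on); with a real CA you would send server.csr to them and store their reply as server-signed.pem. -genkeypair and -importcert are the current names of -genkey and -import. All file names, passwords and distinguished names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the tutorial): the certificate procedure run end to
# end without prompts. A throwaway keystore acts as the CA so the signing
# round trip can be exercised offline.
# File names, passwords and distinguished names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_KS="$WORK/server.keystore"
CA_KS="$WORK/ca.keystore"
STOREPASS="changeit"   # same as the J2SE default cacerts password, as the text suggests
SERVER_DN="CN=www.example.com, OU=Web, O=Example Corp, L=Springfield, ST=Illinois, C=US"

# Step 1: key pair plus self-signed certificate under alias "tomcat".
# -dname, -storepass and -keypass answer the interactive prompts; using the
# keystore password as the key password is what pressing Return gives you.
make_server_keypair() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcat \
    -keystore "$SERVER_KS" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "$SERVER_DN" -validity 365
}

# Step 2a: certificate signing request for the tomcat key.
make_csr() {
  keytool -certreq -alias tomcat -file "$WORK/server.csr" \
    -keystore "$SERVER_KS" -storepass "$STOREPASS"
}

# Stand-in for the commercial CA: a self-signed CA key pair (bc=ca:true marks
# it as a CA) and its certificate exported in PEM form for distribution.
make_ca() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias demo-ca \
    -keystore "$CA_KS" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=Demo Root CA, O=Example Corp, C=US" -validity 365 \
    -ext bc=ca:true -ext ku:c=keyCertSign,cRLSign
  keytool -exportcert -rfc -alias demo-ca -file "$WORK/ca.pem" \
    -keystore "$CA_KS" -storepass "$STOREPASS"
}

# Step 2b: the CA signs the CSR (the certificate Verisign would email back).
sign_csr() {
  keytool -gencert -rfc -alias demo-ca -keystore "$CA_KS" -storepass "$STOREPASS" \
    -infile "$WORK/server.csr" -outfile "$WORK/server-signed.pem" -validity 365
}

# Step 3, then step 2c: the CA certificate goes in first, under its own alias,
# as a trusted entry; only then can the signed reply be validated and installed
# under alias "tomcat", where it replaces the self-signed certificate.
install_certs() {
  keytool -importcert -noprompt -trustcacerts -alias root -file "$WORK/ca.pem" \
    -keystore "$SERVER_KS" -storepass "$STOREPASS"
  keytool -importcert -noprompt -trustcacerts -alias tomcat -file "$WORK/server-signed.pem" \
    -keystore "$SERVER_KS" -storepass "$STOREPASS"
}

# Check: the tomcat entry should now hold a two-certificate chain
# (server certificate followed by the CA certificate). Prints the length.
chain_length() {
  keytool -list -v -alias tomcat -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: //p'
}

run_demo() {
  make_server_keypair >/dev/null
  make_csr >/dev/null
  make_ca >/dev/null
  sign_csr >/dev/null
  install_certs >/dev/null
  echo "tomcat chain length: $(chain_length)"   # expected: 2
}

if [ "${1:-}" = "run" ]; then
  run_demo
fi
```

Run it as `sh setup-cert.sh run`; the final line reports a chain length of 2 only if the reply was installed under the key's alias, which is the check worth making before pointing the Tomcat HTTPS connector at the keystore. If the signed certificate were imported under a different alias, the tomcat entry would still show a chain length of 1 and the server would keep presenting the self-signed certificate.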