Søren Lund (slu) wrote,

Installing an SSL certificate on Apache Tomcat 5

I received an SSL certificate in the form of a PFX file and a password. I needed to install it on an Apache Tomcat. This gave me a few issues, which I describe below along with how I fixed them.

The certificate was issued by TDC SSL Server CA.

Tomcat is configured by editing the server.xml file: the comments around the SSL Connector (port 8443 in the stock Tomcat 5 file) are removed and the three keystore parameters are added:

    <Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\jakarta-tomcat-5.0.14\conf\certificat.pfx"
           keystorePass="password"
           keystoreType="PKCS12"
           />


Unfortunately, not all browsers can build the chain from the server certificate up to the root certificate on their own, which means users are presented with a nasty certificate warning when they visit the site.

The solution that worked for me was the following.

Download danid-sslchain-20100325.pem from https://www.certifikat.dk/da/download/rodcertifikat.html

Execute the following in a terminal:

openssl pkcs12 -in certificat.pfx -out server.crt -nodes -nokeys
(enter password)

openssl pkcs12 -in certificat.pfx -out server.key -nodes -nocerts
(enter password)

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -CAfile danid-sslchain-20100325.pem -caname root -chain
(enter (possibly new) password twice)

The first two commands extract the certificate and the private key from the PFX file (-nodes writes the key unencrypted, so keep server.key private and delete it once server.p12 is in place). The third command builds a new PKCS#12 file, server.p12, from the extracted certificate and key together with the downloaded CA chain, so the intermediate and root certificates are sent to the browser along with the server certificate.
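As an added example, not part of the original post, the same three steps as a non-interactive script, followed by the two checks I would run before pointing Tomcat at the new keystore: that server.p12 now holds more than one certificate, and that the private key belongs to the certificate. It assumes openssl is in PATH; a constructed throw-away CA stands in for the TDC SSL Server CA and chain.pem for danid-sslchain-20100325.pem.

```shell
# Added example, not from the original post: the post's three openssl steps run
# non-interactively, then two checks to make before restarting Tomcat.
# Assumptions: openssl in PATH; a constructed throw-away CA stands in for the
# TDC SSL Server CA and chain.pem for danid-sslchain-20100325.pem.
set -e
WORK=${WORK:-$(mktemp -d)}
PFX_PASS=password      # password delivered with the PFX file
P12_PASS=newpassword   # password for server.p12, goes into keystorePass

# Constructed test material: a root CA, a server certificate signed by it, and a
# PFX holding only that certificate and key (the shape the author received).
make_test_pfx() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out chain.pem \
    -subj "/CN=Constructed Test CA" -days 365 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=tomcat.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA chain.pem -CAkey ca.key -CAcreateserial \
    -out leaf.crt -days 365 2>/dev/null
  openssl pkcs12 -export -in leaf.crt -inkey leaf.key -out certificat.pfx \
    -passout "pass:$PFX_PASS"
}

# The post's three steps; -passin/-passout replace the interactive prompts.
rebuild_p12() {
  cd "$WORK"
  openssl pkcs12 -in certificat.pfx -out server.crt -nodes -nokeys -passin "pass:$PFX_PASS"
  openssl pkcs12 -in certificat.pfx -out server.key -nodes -nocerts -passin "pass:$PFX_PASS"
  openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 \
    -name tomcat -CAfile chain.pem -caname root -chain -passout "pass:$P12_PASS"
}

# Certificates stored in server.p12: more than 1 means the chain went in
# (a PFX holding just the server certificate yields 1).
cert_count_in_p12() {
  openssl pkcs12 -in "$WORK/server.p12" -nokeys -passin "pass:$P12_PASS" |
    grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if server.key is the private key belonging to server.crt.
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

make_test_pfx && rebuild_p12
echo "certificates in server.p12: $(cert_count_in_p12)"   # 2 with the test CA
key_matches_cert && echo "server.key matches server.crt"
```

With the real files, replace chain.pem with danid-sslchain-20100325.pem and skip make_test_pfx; the checks stay the same.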

Update the configuration to point at the new file:

    <Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\jakarta-tomcat-5.0.14\conf\server.p12"
           keystorePass="password chosen in the last step above"
           keystoreType="PKCS12"
           />


Now it should work for all browsers.

It's also possible to use the three files (server.key, server.crt and danid-sslchain-20100325.pem) on an Apache HTTP Server.

Edit conf/extra/httpd-ssl.conf and change the following three directives:

SSLCertificateFile "C:/Program Files (x86)/Apache.../conf/server.crt"
SSLCertificateKeyFile "C:/Program Files (x86)/Apache.../conf/server.key"
SSLCertificateChainFile "C:/Program Files (x86)/Apache.../conf/danid-sslchain-20100325.pem"


And in conf/httpd.conf, uncomment the two lines concerning SSL:

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

Tags: apache, certificate, java, keystore, openssl, pem, pfx, ssl, tomcat