December 11th, 2014

Installing an SSL certificate on Apache Tomcat 5

I received an SSL certificate in the form of a PFX file and a password. I needed to install it on an Apache Tomcat server. This caused me a few issues, which I describe below along with how I fixed them.

The certificate was issued by TDC SSL Server CA.

Tomcat is configured by editing the server.xml file: remove the comments around the SSL Connector and add the three keystore parameters:

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\jakarta-tomcat-5.0.14\conf\certificat.pfx"
           keystorePass="password"
           keystoreType="PKCS12"
           />


Unfortunately, not all browsers can find the root certificate from the server certificate alone, which means users are presented with a nasty certificate warning when they visit the site.

The solution that worked for me was the following.

Download danid-sslchain-20100325.pem from https://www.certifikat.dk/da/download/rodcertifikat.html

Execute the following in a terminal:

openssl pkcs12 -in certificat.pfx -out server.crt -nodes -nokeys

(enter password)
openssl pkcs12 -in certificat.pfx -out server.key -nodes -nocerts

(enter password)
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -CAfile danid-sslchain-20100325.pem -caname root -chain

(enter (possibly new) password twice)

The first two commands save the certificate and the private key from the PFX file. The third command creates a new PKCS#12 file from the saved certificate and key together with the downloaded CA chain, so the chain is shipped with the server certificate.

Update the configuration to point at the new file:

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\jakarta-tomcat-5.0.14\conf\server.p12"
           keystorePass="password for last step above"
           keystoreType="PKCS12"
           />


Now it should work for all browsers.
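To confirm that the rebuilt keystore really carries the chain before restarting Tomcat, the whole procedure can be run end to end against a constructed test PKI. The script below is an added example, not part of the original post: it builds a throwaway root CA, intermediate CA and server certificate, packs the key and leaf certificate into a PFX (the shape a CA portal typically delivers), runs the three openssl commands from above with a constructed chain file standing in for danid-sslchain-20100325.pem, and then counts the certificates in the result and checks that the leaf verifies against the chain. Passwords are passed with -passin/-passout only so it runs unattended; the file and CA names are all made up.

```shell
#!/bin/sh
# Added example (not from the original post). All names, passwords and
# certificates below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Build a demo PKI and a PFX that holds only the server key and leaf cert.
make_test_pfx() {
  pfx_pass="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
  # The intermediate must be a CA, or chain verification will reject it.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -days 30 -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=localhost" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 30 -in leaf.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -out leaf.crt 2>/dev/null
  # The chain file a CA publishes (stand-in for danid-sslchain-20100325.pem).
  cat inter.crt root.crt > sslchain.pem
  # The PFX as received: leaf certificate + key, no chain.
  openssl pkcs12 -export -in leaf.crt -inkey leaf.key \
    -out certificat.pfx -passout "pass:$pfx_pass"
}

# The three commands from the post, parameterised on file names and passwords.
rebundle_with_chain() {
  pfx="$1"; pfx_pass="$2"; chain="$3"; out="$4"; out_pass="$5"
  openssl pkcs12 -in "$pfx" -out server.crt -nodes -nokeys -passin "pass:$pfx_pass"
  openssl pkcs12 -in "$pfx" -out server.key -nodes -nocerts -passin "pass:$pfx_pass"
  openssl pkcs12 -export -in server.crt -inkey server.key -out "$out" -name tomcat \
    -CAfile "$chain" -caname root -chain -passout "pass:$out_pass"
}

# Number of certificates stored in a PKCS#12 file (leaf plus any chain).
count_certs_in_p12() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# "yes" if the extracted leaf certificate verifies up to the root in the chain file.
leaf_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
}

make_test_pfx secret
rebundle_with_chain certificat.pfx secret sslchain.pem server.p12 newsecret
echo "certificates in original PFX: $(count_certs_in_p12 certificat.pfx secret)"
echo "certificates in server.p12:   $(count_certs_in_p12 server.p12 newsecret)"
echo "leaf verifies against chain:  $(leaf_verifies server.crt sslchain.pem)"
```

The original PFX contains a single certificate, while server.p12 contains three (leaf, intermediate, root), which is what Tomcat needs in order to send the chain. If the third command fails with a verification error, the chain file does not lead from your certificate to a self-signed root, and the resulting keystore would not have fixed the browser warning anyway. Once Tomcat is restarted, `openssl s_client -connect host:8443 -showcerts` shows which certificates the server actually presents.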

It's also possible to use the three files (server.key, server.crt and danid-sslchain-20100325.pem) on an Apache HTTP Server.

Edit conf/extra/httpd-ssl.conf and set the following three directives:

SSLCertificateFile "C:/Program Files (x86)/Apache.../conf/server.crt"
SSLCertificateKeyFile "C:/Program Files (x86)/Apache.../conf/server.key"
SSLCertificateChainFile "C:/Program Files (x86)/Apache.../conf/danid-sslchain-20100325.pem"


And in conf/httpd.conf, uncomment the two SSL-related lines:

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf