Hello every one..I started to write this blog after struggling couple of days for Enabling SSL and importing certificate into Apache tomcat server on Windows..
I have read a lot of posts regarding Enable SSO and importing certificate into Apache server.But every one is explaining from the beginning,ie how to create key store and how to create CSR.How to buy certificate with this CSR and importing and etc..But what I wanted is how to import an existing certificate.
So am going to explain only how to import existing certificate...
If you really want to know from the scratch then Read this or this or this
But in my scenario we have already bought the certificate from Godaddy couple of months back and we only have the private & public key.
With this we started to create wild card certificate.
Prerequisites:
**OpenSSL needs to be installed in your machine(If you are using windows you can download openSSL from this site http://slproweb.com/products/Win32OpenSSL.html ).
**Change the host entry of your machine/server.Do not use the localhost while going for enabling SSL.Change the host entry with the same domain name to which we bought the certificates for.
Okay.........lets start,
We need three files now,
I have read a lot of posts regarding Enable SSO and importing certificate into Apache server.But every one is explaining from the beginning,ie how to create key store and how to create CSR.How to buy certificate with this CSR and importing and etc..But what I wanted is how to import an existing certificate.
So am going to explain only how to import existing certificate...
If you really want to know from the scratch then Read this or this or this
But in my scenario we have already bought the certificate from Godaddy couple of months back and we only have the private & public key.
With this we started to create wild card certificate.
Prerequisites:
**OpenSSL needs to be installed in your machine(If you are using windows you can download openSSL from this site http://slproweb.com/products/Win32OpenSSL.html ).
**Change the host entry of your machine/server.Do not use the localhost while going for enabling SSL.Change the host entry with the same domain name to which we bought the certificates for.
Okay.........lets start,
We need three files now,
- private key
- public key(your_domain_name.crt)
- gd_bundle.crt
Copy all the necessary file into your OpenSSL bin folder.In my case the folder path is C:\OpenSSL-Win32\bin\.
Open command prompt and change the path to open ssl bin folder and issue the following commands,
C:\OpenSSL-Win32\bin>Openssl pkcs12 -export -out <new_p12_filename>.p12 -inkey <existing_filename>.key -in <certificate_filename>.crt
here,
<new_p12_filename> - output file name(I gave my company name )
<existing_filename>.key - this is your private key file name
<certificate_filename>.crt - this is your domain_name.crt
Once you issued this command it will ask for the password, type your own password.I just entered the default password 'changeit'
C:\OpenSSL-Win32\bin>Openssl pkcs12 -export -out myCompany.p12 -inkey privateKey.key -in domain_name.crt
now we have created myCompany.p12 with our domain public and private keys.
2. Then we need to create a '.pem' file.
Issue the following command,
C:\OpenSSL-Win32\bin>openssl pkcs12 -in myCompany.p12 -nocerts -out privateKey.pem
Now we have created prviateKey.pem file.
3. We reached the final step,all new files will be available in the openSSL bin directory,
so now issue the following command to proceed further,
so now issue the following command to proceed further,
openssl pkcs12 -export -chain -CAfile <gd_bundle.crt> -in <mydomain.com.crt> -inkey <pemfile.pem> -out <keystore.tomcat> -name tomcat -passout pass:changeit
This command will create keystore.tomcat file.
Now we need to tell about this file to our Apache Tomcat server.
Stop the server and open the server.xml from Apache Tomcat conf folder.
Open the file and search for the below commented section,
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
Now you can uncomment the lines and modify as shown below or just copy and paste the following code after these commented lines,
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="250" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS" keystoreFile="C:/apache-tomcat-6.0.35/conf/keystore.tomcat" keystorePass="changeit" keystoreType="PKCS12" />
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
Now you can uncomment the lines and modify as shown below or just copy and paste the following code after these commented lines,
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="250" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS" keystoreFile="C:/apache-tomcat-6.0.35/conf/keystore.tomcat" keystorePass="changeit" keystoreType="PKCS12" />
Restart your server.That's all.Try to access the server url with https://test.domain.com:8443 and you should see the lock icon(in firefox and chrome) stating that the page is secured and while clicking on that lock icon it should show your CA name.
If you do not want to display the port number 8443 then just change the Connector port="443" while changing server.xml for enabling SSL.
If you do not want to display the port number 8443 then just change the Connector port="443" while changing server.xml for enabling SSL.
Enjoy...