The following instructions will guide you through the SSL installation process on a Self Hosted API Server. If you have not generated your SSL certificate yet, refer to our CSR Generation instructions first.
Prerequisites:
1) SSL certificate files (certificate, intermediate certificate(s), private key)
2) Keystore file.
Note: You must have the password that you created with the Keystore.
Installation Instructions
The installation process differs slightly depending on the format of the certificate you received from a Certificate Authority.
Important! The Keystore and alias must be the same ones you created when generating the CSR. Otherwise, an "Input not an X.509 certificate" error may occur.
1. PEM
If the certificate has been received in PEM format, it usually has a (*.crt) extension. You will need to add the CA root, the CA intermediate(s), and the certificate issued for your domain name to your Keystore manually.
You can convert (.crt to .pkcs12) with the OpenSSL command below and then import the result into the Keystore. The -name value becomes the alias of the entry in the Keystore; use the same alias everywhere (tomcat in these instructions).
openssl pkcs12 -export -name tomcat -out your_domain_name.pkcs12 -inkey private.key -in certificate.crt -certfile ca_bundle.crt
keytool -v -importkeystore -srckeystore your_domain_name.pkcs12 -srcstoretype PKCS12 -destkeystore your_domain_name.jks -deststoretype JKS
or
Commands to import the Root, Intermediate and domain certificates into the Keystore:
keytool -import -trustcacerts -alias root -file Root.crt -keystore your_domain_name.jks
keytool -import -trustcacerts -alias intermediate -file Intermediate.crt -keystore your_domain_name.jks
Important! If you have several intermediate certificates, please import them one by one using different aliases.
Finally, import the certificate to the Keystore.
keytool -import -trustcacerts -alias tomcat -file Certificate.crt -keystore your_domain_name.jks
2. PKCS#7
If the certificate was received in PKCS#7 format, it usually has a (*.cer or *.p7b) extension, and you need to import it into the Keystore.
If you received separate .cer files, you can combine them (.cer to .p7b) with the OpenSSL command below.
Note: replace your_domain_name with your real domain name.
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out your_domain_name.p7b -certfile ca_bundle.cer
Install the certificate in Keystore by running the following command:
keytool -import -trustcacerts -alias tomcat -file your_domain_name.p7b -keystore your_domain_name.jks
If you see the "Certificate reply was installed in keystore" message, the certificate was imported successfully.
To list the certificates that have been added to the keystore, run the command below:
keytool -list -keystore your_domain_name.jks -v
Check confirmation message
You should receive this confirmation message: “Certificate reply was installed in Keystore.”
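The following script is an added example and is not part of the original article or the product's own tooling. It wraps the PEM path above (PEM to PKCS12 to JKS) with the two checks that keytool itself does not perform: that the private key really belongs to the certificate, and that the certificate chains to the CA bundle. It assumes openssl and keytool are on PATH; file names, the alias and the keystore password are passed as arguments, and the final listing confirms that the alias holds a PrivateKeyEntry rather than a bare TrustedCertEntry.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-import checks for the PEM
# path, followed by the PEM -> PKCS12 -> JKS conversion with one alias throughout
# (the alias must be the one the CSR was generated under, "tomcat" in the article).
# Assumes openssl and keytool are on PATH; file names, alias and password are arguments.
set -eu

# Return 0 if the private key and the leaf certificate carry the same public key.
# keytool cannot detect a mismatch; it surfaces later as a Tomcat startup failure.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the leaf certificate ($1) chains up to the CA bundle ($2, root plus intermediates).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# import_pem_to_jks KEY CERT CA_BUNDLE ALIAS KEYSTORE.jks PASSWORD
# Runs both checks, builds the PKCS12 with an explicit friendly name so the JKS
# entry gets the same alias, then converts it with keytool.
import_pem_to_jks() {
    key="$1"; cert="$2"; bundle="$3"; alias="$4"; jks="$5"; pass="$6"
    p12="${jks%.jks}.p12"
    key_matches_cert "$key" "$cert" || { echo "private key does not match $cert" >&2; return 1; }
    chain_verifies "$cert" "$bundle" || { echo "$cert does not chain to $bundle" >&2; return 1; }
    openssl pkcs12 -export -name "$alias" -inkey "$key" -in "$cert" -certfile "$bundle" \
        -out "$p12" -passout "pass:$pass"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" -srcalias "$alias" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass" -destalias "$alias"
    rm -f "$p12"   # the PKCS12 holds the private key; do not leave a second copy around
}

# Return 0 if keystore $1 (password $2) holds a PrivateKeyEntry under alias $3.
# A TrustedCertEntry there means the certificate was imported without its key.
jks_has_key_entry() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null | grep -q PrivateKeyEntry
}

# Usage: sh install_keystore.sh private.key certificate.crt ca_bundle.crt tomcat your_domain_name.jks 'keystore-password'
if [ "$#" -eq 6 ]; then
    import_pem_to_jks "$@"
    jks_has_key_entry "$5" "$6" "$4" && echo "keystore $5 ready (alias $4)"
fi
```

Run it with the six arguments shown in the usage line; if either check fails the script stops before anything is written to the keystore, so a wrong private key or an incomplete CA bundle is caught here rather than at Tomcat startup.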
Configure an SSL connector
Open conf/server.xml and add the following lines.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="20000"
           minSpareThreads="50"
           maxSpareThreads="100"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain"
           scheme="https" secure="true" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" certificateVerification="none" disableSessionTickets="true">
        <Certificate certificateKeystoreFile="/etc/ssl/certs/Certificatename" certificateKeystorePassword="password" type="RSA" />
    </SSLHostConfig>
</Connector>
Note: Replace the keystore path (Certificatename) and the password with your real values. The keystore password is stored in clear text in server.xml, so restrict read access to server.xml and to the keystore file to the user account Tomcat runs as.
Now restart the Tomcat service:
systemctl restart tomcat
Now test your SSL/TLS certificate installation by opening:
https://your_domain_name:8443
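Opening the URL in a browser shows whether the connector answers, but it does not tell you which certificate Tomcat is serving, whether the chain is complete, or how long it is valid. The script below is an added example, not part of the original article, that performs those checks from the command line. It assumes openssl is on PATH; the host name, port and expiry warning window are arguments (defaults 8443 and 30 days), and the -checkhost and -checkend options are standard openssl x509 options.

```shell
#!/bin/sh
# Added example, not part of the original article: checks the certificate that
# Tomcat actually serves on the HTTPS connector. Assumes openssl is on PATH; host,
# port and the expiry warning window are arguments (defaults: 8443 and 30 days).
set -eu

# Return 0 if the certificate in PEM file $1 will still be valid $2 seconds from now
# (openssl x509 -checkend exits 1 once the certificate would have expired by then).
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Return 0 if host name $2 is covered by the SAN entries (or CN) of the certificate in $1.
hostname_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q " does match "
}

# check_endpoint HOST [PORT] [DAYS]
# Fetches the served certificate with s_client (SNI set to HOST), prints subject,
# issuer and validity dates, shows openssl's chain verification result, and
# returns 0 only if the name matches and the certificate is not expiring within DAYS.
check_endpoint() {
    host="$1"; port="${2:-8443}"; days="${3:-30}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || return 1
    leaf=$(mktemp)
    printf '%s\n' "$out" | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$leaf"
    openssl x509 -in "$leaf" -noout -subject -issuer -dates
    # "Verify return code: 0 (ok)" means the served chain is complete; code 21 usually
    # means an intermediate is missing from the keystore.
    printf '%s\n' "$out" | grep '^Verify return code' || true
    if hostname_matches "$leaf" "$host" && not_expiring_within "$leaf" $((days * 86400)); then
        rc=0
    else
        rc=1
    fi
    rm -f "$leaf"
    return $rc
}

# Usage: sh check_tls.sh your_domain_name 8443 30
if [ "$#" -ge 1 ]; then
    check_endpoint "$@"
fi
```

Because the script exits non-zero when the name does not match or the certificate is about to expire, it can be run from cron or a monitoring job after every renewal and restart.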