You are viewing the 10.0 help doc. More details are available in the latest help doc.

HTTPS access by configuring an SSL certificate

I. Overview

Certificates are a key element of an SSO authentication system: the security of the interaction between client and server depends on them. This tutorial demonstrates the use of a certificate generated with the JDK keytool. If the setup is later used in a production environment, the certificate must be purchased from a certificate provider, which is generally certified by internationally recognized CA organizations such as VeriSign and GlobalSign.

This article introduces a method to generate an SSL certificate on a Windows system and configure it in the Tomcat server.

II. Steps

1. Create the certificate

1) Install the JRE, then open cmd or Windows PowerShell as administrator (right-click, choose to run as administrator, and click OK) to start the command prompt window. Enter the bin directory of the JRE first and run the following command to create the certificate:

Note: This is the JRE that Tomcat is configured to use.

keytool -genkey -alias tomcat-servers -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore

1.png

2) To migrate to PKCS12, run the following command:

keytool -importkeystore -srckeystore server.keystore -destkeystore server.keystore -deststoretype pkcs12

Enter the keystore password: changeit, as shown below:

2.png

Note: When prompted for your first and last name, enter your domain name instead of your IP address.

In this example, maria is entered. This domain name does not actually exist; it is a virtual name used for demonstration purposes. The virtual domain name therefore needs to be mapped in the hosts file, as shown in the following figure:

3.png

So when you access maria, you're actually accessing 127.0.0.1, which is the local machine.


2. Export the certificate

Run the following command:

keytool -export -alias tomcat-servers -storepass changeit -file server.cer -keystore server.keystore

Export the certificate as shown below:

4.png


3. Import the certificate into the JDK certificate truststore

Run the following command:

keytool -import -trustcacerts -alias servers -file server.cer -keystore cacerts -storepass changeit

keytool asks whether to trust this certificate. Answer y, as shown in the figure below:

5.png


4. Move the certificate to the Tomcat installation directory

1) Go to the %JRE_HOME%\bin directory and copy the newly generated server.keystore, server.cer, and cacerts files to the Tomcat installation directory %TOMCAT_HOME%, as shown in the following figure:

6.png

2) Copy the cacerts file from %JRE_HOME%\bin to %JRE_HOME%\lib\security, overwriting the existing file, as shown below:

7.png


5. Apply the certificate to the Web server

1) Open %TOMCAT_HOME%\conf\server.xml. In the SSL Connector configuration, set the keystore path keystoreFile and the password keystorePass to add the certificate, as shown below:

Note: The path can be an absolute path or a path relative to the Tomcat directory.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"  
           maxThreads="150" SSLEnabled="true" keystoreFile="C:\apache-tomcat-8.5.50\server.keystore" keystorePass="changeit"/>

8.png

2) Restart the Tomcat service and visit https://maria:8443/, as shown below:

9.png

If the preceding information is displayed, the SSL configuration of Tomcat is successful.
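
A check that can be run against server.xml after step 5, added here as an example and not part of the original documentation: it flags TLS connectors that still use the password changeit from this tutorial (which Tomcat also assumes when keystorePass is omitted) or that keep the keystore under webapps. It also covers the nested SSLHostConfig/Certificate form that Tomcat 8.5 accepts, which goes beyond the single Connector shown on this page; the function names and the second sample connector are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Tomcat falls back to this password when none is configured.
DEFAULT_PASS = "changeit"

# Constructed sample: the Connector from this page plus a hypothetical
# second connector using the nested SSLHostConfig/Certificate style.
SAMPLE_SERVER_XML = r"""
<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true"
             keystoreFile="C:\apache-tomcat-8.5.50\server.keystore"
             keystorePass="changeit"/>
  <Connector port="9443" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="webapps/ROOT/server.keystore"
                   certificateKeystorePassword="Xk7-constructed-example"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>
"""

def keystore_settings(connector):
    """Yield (file, password) pairs from both configuration styles."""
    certs = connector.findall("./SSLHostConfig/Certificate")
    if "keystoreFile" in connector.attrib or not certs:
        yield connector.get("keystoreFile"), connector.get("keystorePass")
    for cert in certs:
        yield (cert.get("certificateKeystoreFile"),
               cert.get("certificateKeystorePassword"))

def audit_server_xml(xml_text):
    """Return sorted (port, finding) tuples for TLS-enabled connectors."""
    findings = set()
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        for path, password in keystore_settings(conn):
            if password is None or password == DEFAULT_PASS:
                findings.add((port, "default keystore password"))
            if path and "webapps" in path.replace("\\", "/").lower().split("/"):
                findings.add((port, "keystore inside webapps"))
    return sorted(findings)

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"connector {port}: {finding}")
```

To audit a real installation, pass the contents of %TOMCAT_HOME%\conf\server.xml to audit_server_xml instead of the sample string.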

III. Precautions

1. Other instructions

1) If the Tomcat service cannot be started after the configuration, the configuration in Section II.5 is incorrect. Check that the configuration was performed as described in the preceding steps.

2) If the browser displays "Your connection is not private" when you open the link, it is because a certificate generated using Java triggers a certificate risk warning when accessed over HTTPS. You can apply for a free certificate from Aliyun Cloud Shield.


2. HTTPS settings

After the SSL certificate is configured in Tomcat to implement HTTPS access, HTTPS Setting needs to be configured to ensure a normal WebSocket connection, as shown in the following figure:

Note: For details about HTTPS Setting, see Section II.10 of General Setting.

10.png
