Using a wildcard certificate issued for Windows 2012 R2 IIS server to configure Tomcat in a Linux server
At first glance it might seem an improbable situation; in practice it happens more often than not.
In our case, for example, we host most of the Microsoft business application servers, such as Dynamics 365, SharePoint 2016 and Exchange 2016, in our cloud infrastructure on both multi-tenant and single-tenant environments.
With this area of activity being a large part of our business, our qualtechcloud.com certificate was first issued from a certificate request generated on one of our Windows 2012 R2 IIS servers. Because of the multiple environments we set up, the certificate had to be a wildcard certificate.
We have been expanding our services into the Linux/open-source market, so we needed to use the same certificate to set up SSL on both types of environment. This guide made it quick to do so with minimal complexity and without re-issuing the certificate for Apache and Tomcat, which would have meant a new certificate request and two certificates to manage, one issued for Apache and another for IIS.
I hope the guide makes life easier for those managing these types of network environment.
Create a keystore
keytool -genkey -alias tomcat -keyalg RSA -keystore <path to keystore file>
I created a folder called ssl under tomcat’s folder /usr/share/tomcat for the keystore.
Key store structure:
First and Last name: <sub domain>.<domain> (dev.qualtechcloud.com)
Organizational unit: <domain> (qualtechcloud.com)
Organization name: <your company name> (QualTech-Software Solutions LLC)
CN=blink.qualtechcloud.com, OU=qualtechcloud.com, O=QualTech-Software Solutions LLC, L=Phoenix, ST=AZ, C=US
keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/tomcat/ssl/qualtechstore.jks
Extracting Certificate and Private Key Files from a .pfx File
Customers sometimes have a need to export a certificate and private key from a Windows computer to separate certificate and key files for use elsewhere. Windows doesn’t provide the means to complete this process.
Exporting Certificates from the Windows Certificate Store describes how to export a certificate and private key into a single .pfx file. Follow the procedure below to extract separate certificate and private key files from the .pfx file.
- Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
- Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes. If you exported the .pfx file with a password you will be asked for it as the command above executes.
openssl pkcs12 -in /root/Downloads/Export_QualTechCloud.pfx -nocerts -out qualtechcloudkey.pem -nodes
- Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
openssl pkcs12 -in /root/Downloads/Export_QualTechCloud.pfx -nokeys -out qualtechcloudcert.pem
- Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key
openssl rsa -in qualtechcloudkey.pem -out qualtechcloudserverkey.pem
Combine the private key and the certificate into a PKCS12 keystore
Create PKCS12 keystore from private key and public certificate:
openssl pkcs12 -export -name <alias> -in <certificate .pem> -inkey <private key .pem> -out <output .p12>
openssl pkcs12 -export -name tomcat -in qualtechcloudcert.pem -inkey qualtechcloudkey.pem -out qualtechcloud.p12
With this command you are creating a new keystore, so it will ask you for a password for it.
Merge the PKCS12 keystore into the JKS store:
keytool -importkeystore -deststorepass <keystore pwd> -destkeypass <keystore pwd> -destkeystore <destination .jks> -srckeystore <source .p12> -srcstoretype PKCS12 -srcstorepass <p12 pwd> -alias tomcat
keytool -importkeystore -deststorepass "keystore pwd" -destkeypass "keystore pwd" -destkeystore qualtechstore.jks -srckeystore qualtechcloud.p12 -srcstoretype PKCS12 -srcstorepass "keystore pwd" -alias tomcat
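The steps from the .pfx export up to the PKCS12 keystore, wrapped in shell functions as an added example (not part of the original guide). It adds one check the guide does not show, that the extracted private key actually belongs to the certificate, and it exercises itself on a constructed self-signed wildcard certificate that stands in for the IIS export. It assumes openssl is on the PATH and that the .pfx and .p12 passwords are supplied through the environment variables PFX_PASS and P12_PASS, names chosen here and not used by the guide.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own script: pfx -> key.pem + cert.pem -> PKCS#12
# under the alias "tomcat", plus a key/certificate consistency check.
# Assumptions: openssl on PATH; passwords in PFX_PASS and P12_PASS (names chosen here).
set -eu

# pfx_to_pem <export.pfx> <outdir>
# Writes <outdir>/key.pem (unencrypted, because of -nodes) and <outdir>/cert.pem.
pfx_to_pem() {
  pfx="$1"; outdir="$2"
  umask 077   # -nodes leaves the key in the clear: create the files owner-only
  mkdir -p "$outdir"
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:${PFX_PASS}" -out "$outdir/key.pem"
  openssl pkcs12 -in "$pfx" -nokeys -passin "pass:${PFX_PASS}" -out "$outdir/cert.pem"
}

# key_matches_cert <key.pem> <cert.pem>
# Returns 0 when the public key derived from the private key is the one in the
# certificate. A mismatch here produces a Tomcat that starts but fails every
# TLS handshake, so it is worth catching before touching server.xml.
key_matches_cert() {
  from_key=$(openssl pkey -in "$1" -pubout | openssl sha256)
  from_cert=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$from_key" = "$from_cert" ]
}

# pem_to_p12 <key.pem> <cert.pem> <out.p12> <alias>
# Rebuilds the PKCS#12 keystore; the alias becomes the friendlyName that the
# guide's "keytool -importkeystore ... -alias tomcat" looks up afterwards.
pem_to_p12() {
  umask 077
  openssl pkcs12 -export -name "$4" -in "$2" -inkey "$1" \
      -passout "pass:${P12_PASS}" -out "$3"
}

# p12_has_alias <store.p12> <alias>
# Returns 0 when the keystore carries an entry with that friendlyName.
p12_has_alias() {
  dump=$(openssl pkcs12 -in "$1" -nokeys -passin "pass:${P12_PASS}")
  case "$dump" in
    *"friendlyName: $2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# make_test_pfx <out.pfx>
# Constructed test material only: a throw-away self-signed wildcard certificate
# packed into a password-protected .pfx, standing in for the IIS export.
make_test_pfx() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=*.example.test/O=Example Org/C=US" \
      -keyout "$tmp/k.pem" -out "$tmp/c.pem" 2>/dev/null
  openssl pkcs12 -export -in "$tmp/c.pem" -inkey "$tmp/k.pem" \
      -passout "pass:${PFX_PASS}" -out "$1"
  rm -rf "$tmp"
}

# End-to-end run on the constructed export:
#   PFX_PASS=x P12_PASS=y sh convert.sh demo
demo() {
  work=$(mktemp -d)
  make_test_pfx "$work/export.pfx"
  pfx_to_pem "$work/export.pfx" "$work/pem"
  key_matches_cert "$work/pem/key.pem" "$work/pem/cert.pem" \
      || { echo "private key does not match certificate" >&2; return 1; }
  pem_to_p12 "$work/pem/key.pem" "$work/pem/cert.pem" "$work/tomcat.p12" tomcat
  p12_has_alias "$work/tomcat.p12" tomcat \
      && echo "tomcat.p12 ready for keytool -importkeystore"
  rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Two things to keep in mind when running this against a real export: .pfx files produced by older Windows versions use RC2-40-CBC, which OpenSSL 3 only reads when `-legacy` is added to the `openssl pkcs12` calls, and the key.pem written by `-nodes` is unencrypted, so delete it once the .p12 has been imported into the JKS store.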
Configure SSL in Tomcat
Configure the keystore
Using a text editor open the server configuration file server.xml.
If it's commented out, uncomment the SSL connector section and add the following settings:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"