Configure SSL in a Linux Tomcat With an IIS Exported Certificate

By | August 24, 2017

Using a wildcard certificate issued for a Windows 2012 R2 IIS server to configure Tomcat on a Linux server

At first glance this might seem like an improbable situation. In practice it happens more often than not.

In our case, for example, we host most of the Microsoft business application servers, such as Dynamics 365, SharePoint 2016 and Exchange 2016, in our cloud infrastructure on both multi-tenant and single-tenant environments.

With this area of activity being a large part of our business, our qualtechcloud.com certificate was first issued against a certificate request generated on one of our Windows 2012 R2 IIS servers. Because we set up multiple environments, the certificate had to be a wildcard certificate.

We have been expanding our services into the Linux/open-source market, so we needed to use the same certificate to set up SSL on both types of environment. Having this guide made it quick and easy for us to set them up with minimal complexity, and without having to re-issue the certificate for Apache and Tomcat, which would have forced us to generate a new certificate request and deal with two certificates, one issued for Apache and another for IIS.

We hope this guide makes life easier for those managing these types of network environments.

Create a keystore

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

keytool -genkey -alias tomcat -keyalg RSA -keystore

I created a folder called ssl under Tomcat's folder /usr/share/tomcat for the keystore.

Screenshot: creation of the keystore.

Key store structure:

First and Last name: <sub domain>.<domain> (dev.qualtechcloud.com)

Organizational unit: <domain> (qualtechcloud.com)

Organization name: <your company name> (QualTech-Software Solutions LLC)

City: Phoenix

State: AZ

Country: US

CN=blink.qualtechcloud.com, OU=qualtechcloud.com, O=QualTech-Software Solutions LLC, L=Phoenix, ST=AZ, C=US

keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/tomcat/ssl/qualtechstore.jks


Extracting Certificate and Private Key Files from a .pfx File

Purpose

Customers sometimes need to export a certificate and its private key from a Windows computer into separate certificate and key files for use elsewhere. Windows does not provide a built-in means of doing this.

Exporting Certificates from the Windows Certificate Store describes how to export a certificate and private key into a single .pfx file. Follow the procedure below to extract separate certificate and private key files from the .pfx file.

Procedure

  1. Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  2. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes. If you exported the .pfx file with a password you will be asked for it as the command above executes.

openssl pkcs12 -in /root/Downloads/Export_QualTechCloud.pfx -nocerts -out qualtechcloudkey.pem -nodes

  3. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

openssl pkcs12 -in /root/Downloads/Export_QualTechCloud.pfx -nokeys -out qualtechcloudcert.pem

  4. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key

openssl rsa -in qualtechcloudkey.pem -out qualtechcloudserverkey.pem

Screenshot: exported files.


Combine the private key and the certificate into a PKCS12 keystore

Create PKCS12 keystore from private key and public certificate:

openssl pkcs12 -export -name -in -inkey -out

openssl pkcs12 -export -name tomcat -in qualtechcloudcert.pem -inkey qualtechcloudkey.pem -out qualtechcloud.p12

This command creates a new keystore, so it will prompt you for a password for the keystore.

Merge the PKCS12 keystore into the JKS store:

keytool -importkeystore -deststorepass -destkeypass -destkeystore -srckeystore -srcstoretype PKCS12 -srcstorepass -alias tomcat

keytool -importkeystore -deststorepass "keystore pwd" -destkeypass "keystore pwd" -destkeystore qualtechstore.jks -srckeystore qualtechcloud.p12 -srcstoretype PKCS12 -srcstorepass "keystore pwd" -alias tomcat
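As an added example (not from the original post), the following POSIX shell script runs the extraction, bundling and import steps above end to end and adds two checks a practitioner would want before restarting Tomcat: it confirms the exported private key actually belongs to the leaf certificate, and it keeps the unencrypted key file readable by its owner only. All file names, the make_test_pfx helper and its self-signed certificate are assumptions constructed for the example; openssl is required and keytool is used only when it is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Converts an IIS-exported .pfx into the
# PKCS12 (and, when a JDK is present, JKS) keystore Tomcat expects, verifying on the way.
set -eu

# pfx_to_tomcat PFX PFXPASS OUTDIR STOREPASS
# Writes key.pem, cert.pem and tomcat.p12 (plus tomcat.jks if keytool exists) into OUTDIR.
pfx_to_tomcat() {
    pfx=$1; pfxpass=$2; out=$3; storepass=$4
    mkdir -p "$out"
    umask 077   # -nodes writes the private key unencrypted: make new files owner-only
    # Steps 2 and 3 of the post: private key (no passphrase) and certificate chain
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pfxpass" -out "$out/key.pem"
    openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pfxpass" -out "$out/cert.pem"
    # Check that the key belongs to the leaf certificate by comparing public-key digests;
    # a mismatch means the wrong .pfx (or a re-keyed certificate) was exported from IIS
    keydgst=$(openssl pkey -in "$out/key.pem" -pubout -outform DER | openssl sha256)
    certdgst=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pfxpass" |
        openssl x509 -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$keydgst" = "$certdgst" ] || { echo "private key does not match certificate" >&2; return 1; }
    # Bundle under the alias the Tomcat connector will look up
    openssl pkcs12 -export -name tomcat -in "$out/cert.pem" -inkey "$out/key.pem" \
        -passout "pass:$storepass" -out "$out/tomcat.p12"
    # Merge into a JKS only where keytool is installed; -noprompt replaces an existing
    # "tomcat" entry (such as the self-signed one created by the keytool -genkey step)
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt -srckeystore "$out/tomcat.p12" -srcstoretype PKCS12 \
            -srcstorepass "$storepass" -destkeystore "$out/tomcat.jks" \
            -deststorepass "$storepass" -destkeypass "$storepass" -alias tomcat
    fi
}

# make_test_pfx OUTFILE PASS: constructed self-signed .pfx standing in for the IIS export
make_test_pfx() {
    base=${1%.pfx}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$base.key" -out "$base.crt" 2>/dev/null
    openssl pkcs12 -export -name iis-export -inkey "$base.key" -in "$base.crt" \
        -passout "pass:$2" -out "$1"
}

# Usage: ./pfx2tomcat.sh Export.pfx <pfx password> [outdir] [keystore password]
if [ "${1-}" ]; then
    pfx_to_tomcat "$1" "${2-}" "${3-./tomcat-ssl}" "${4-changeit}"
fi
```

Passwords are passed as pass: arguments only to keep the script non-interactive; on a shared host prefer file: or env: sources so they do not appear in the process list.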

Configure SSL in Tomcat

Configure the keystore

Using a text editor, open the server configuration file server.xml.

nano /usr/share/tomcat/conf/server.xml

If it is commented out, uncomment the SSL connector section and add the following settings:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150"
               connectionTimeout="20000"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="/usr/share/tomcat/ssl/qualtechstore.jks"
               keystorePass="<password>" />
