At a customer site I had the challenge of signing a certificate for a Tomcat server using their central ADCS system. Searching the web I found bits and pieces here and there but nothing that covered the whole process, so I decided that once I got this working I had to blog about it.
The process isn’t really difficult, but still there was nothing conclusive written about it.
In my case I had a Windows Enterprise CA and an Apache Tomcat server running on a Windows server. It doesn’t matter if yours is running on a *NIX computer, since the certificate work is done with Java’s keytool(.exe).
Creating the keystore in Tomcat
Tomcat uses a keystore to store the certificates while running, so first we need to create the keystore. To do so, run the following command from your Java folder under Tomcat;
Enter Keystore password:
Re-enter new password:
What is your first and last name?
What is the name of your organizational unit?
[Unknown]: IT Department
What if the name of your organization?
[Unknown]: Contoso Limited
What is the name of your City or Locality?
What is the name of your State or Province?
[Unknown]: Southern Finland
What is the two-letter country code for this unit?
Is CN=fqdn_of_the_server.domain.com, OU=IT Department, O=Contoso Limited, L=Helsinki, ST=Southern Finland, C=FI correct?
Enter key password for
(RETURN if same as keystore password):
So now we have a keystore to store our keys in.
Generating the Certificate request
Next we need to generate a certificate signing request (CSR) for our Enterprise CA so it can sign our certificate. Run the following command to generate the CSR;
Before you run the command make sure you have C:\Temp folder created. The command will store the CSR in certreq.csr there.
Creating the certificate
Move over to the Windows Enterprise CA. Go to the CA web services at https://yourCAserver/certsrv and select Request a new Certificate;
Then select Advanced certificate request,
next select Submit a certificate request by using…..
Copy and paste the content of your certreq.csr file into the textbox and select Subordinate Certification Authority as the template. You could use another template that works as well, but this was the only one I got working and we didn’t have time to create new templates, even though you probably should.
Click submit and download the DER encoded file. Copy the file to your Tomcat server and let’s continue.
Adding the certificate to the keystore
Now we have a key and a certificate, so we need to add them to the keystore. The private key is already in the keystore, so let’s import the new certificate;
You now have the key and the certificate in your store. Only one more thing to do: since Tomcat isn’t part of Active Directory, it won’t trust our CA, so let’s import the CA certificate as well. Go to any computer in the organization and start mmc.exe, then select Add/Remove Snap-in. Select Certificates and choose Computer account, Local computer. Go to Trusted Root Certification Authorities, find your CA and select Export. Move the CER file to your Tomcat server.
Then let’s import this one into our keystore, run the following command;
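The keytool commands themselves are not reproduced above, so here is the whole round trip (keystore, CSR, submission to the Enterprise CA, root export and the two imports) as one PowerShell script. This is an added example, not the post's own commands: the keytool and keystore paths, the alias tomcat, the CA config string, the template name and the C:\Temp file names are assumptions for this example. It differs from the post in two places that matter in practice: it submits the request with certreq.exe against the built-in Web Server template instead of the Subordinate Certification Authority template, and it checks the issued certificate before importing it, because a certificate from the Subordinate CA template carries BasicConstraints CA=true and turns the Tomcat private key into a CA key that can issue certificates the whole domain trusts.

```powershell
# Added example, not the post's own commands: the whole keytool / ADCS round trip
# as one PowerShell script. Paths, the alias "tomcat", the CA config string and the
# template name are assumptions for this example; adjust them to your environment.
$ErrorActionPreference = 'Stop'

$Keytool  = 'C:\Program Files\Java\jre\bin\keytool.exe'   # assumed JRE location
$Keystore = 'C:\Tomcat\conf\tomcat.jks'                   # assumed keystore path
$Alias    = 'tomcat'                                      # must be identical in every keytool call
$Fqdn     = 'fqdn_of_the_server.domain.com'
$Dname    = "CN=$Fqdn, OU=IT Department, O=Contoso Limited, L=Helsinki, ST=Southern Finland, C=FI"

# keytool reads the password from an environment variable (:env modifier) so it
# does not appear on the command line or in the process list.
$env:KEYSTORE_PASS = Read-Host -Prompt 'Keystore password'
$Pass = @('-storepass:env', 'KEYSTORE_PASS')

# 1. Keystore and RSA key pair: the non-interactive form of the prompts in the post.
& $Keytool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname $Dname -keystore $Keystore $Pass '-keypass:env' 'KEYSTORE_PASS'

# 2. CSR for the Enterprise CA (the post stores it in C:\Temp\certreq.csr).
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
& $Keytool -certreq -alias $Alias -file C:\Temp\certreq.csr -keystore $Keystore $Pass

# 3. Submit the CSR with certreq.exe instead of the certsrv web page. The CA config
#    string is an assumption; "WebServer" is the built-in Web Server template, which
#    issues an end-entity certificate with the Server Authentication EKU.
certreq.exe -submit -config 'caserver.domain.com\Contoso Issuing CA' `
    -attrib 'CertificateTemplate:WebServer' C:\Temp\certreq.csr C:\Temp\tomcat.cer

# 4. Export the root CA certificate from the local machine's Trusted Root store,
#    the scripted version of the mmc.exe export in the post.
$Root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Contoso*' } | Select-Object -First 1
Export-Certificate -Cert $Root -FilePath C:\Temp\root-ca.cer -Type CERT | Out-Null

# 5. Inspect what the CA actually issued before it goes anywhere near the keystore.
function Test-ServerCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $bc  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ok = $true
    if ($bc -and $bc.CertificateAuthority) {
        # This is what the Subordinate Certification Authority template produces:
        # the Tomcat key could then issue certificates trusted by the whole forest.
        Write-Warning "$Path is a CA certificate (BasicConstraints CA=true); use an end-entity template."
        $ok = $false
    }
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })) {
        Write-Warning "$Path lacks the Server Authentication EKU; TLS clients will reject it."
        $ok = $false
    }
    return $ok
}
if (-not (Test-ServerCertificate -Path C:\Temp\tomcat.cer)) {
    throw 'Issued certificate is not suitable for a TLS server.'
}

# 6. Import the root first, then the signed certificate under the key pair's alias.
& $Keytool -importcert -alias contoso-root -file C:\Temp\root-ca.cer -keystore $Keystore $Pass -noprompt
& $Keytool -importcert -alias $Alias -file C:\Temp\tomcat.cer -keystore $Keystore $Pass
& $Keytool -list -v -keystore $Keystore $Pass
Remove-Item Env:\KEYSTORE_PASS
```

Two keytool details decide whether this works. The signed certificate must be imported under the same alias the key pair was generated with; under any other alias keytool stores it as a trusted certificate and the private key stays paired with the self-signed placeholder. The CA certificate must be in the keystore before the reply is imported, otherwise keytool cannot build the chain and fails with "Failed to establish chain from reply"; if your CA is a two-tier PKI, import the issuing CA's certificate as well, or download the PKCS#7 chain from certsrv instead of the single DER file. The final -list -v should show the tomcat entry as a PrivateKeyEntry with a chain length of two or more.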
Next let’s use our new certificates in Tomcat.
Find your server.xml file to configure the settings.
Make the changes to point to your new keystore. Restart the server and you are done.
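The server.xml change itself is not shown above, so here is an HTTPS Connector for Tomcat 8.5 or later that points at the keystore. This is an added example and not the post's configuration; the keystore path, alias and password are assumptions. Tomcat 7 and 8.0 use the flat attributes keystoreFile, keystorePass and keyAlias directly on the Connector element instead of the nested SSLHostConfig/Certificate elements.

```xml
<!-- Added example, not the post's server.xml: HTTPS connector for Tomcat 8.5+.
     The keystore path is resolved relative to CATALINA_BASE. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/tomcat.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Because the keystore password sits in clear text in server.xml, restrict read access on both server.xml and the keystore file to the account Tomcat runs as, and use the alias that the signed certificate was imported under (the keystore may hold more than one entry once the CA certificate is in it).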