At a customer site I had a challenge to sign a certificate for a Tomcat server using their central ADCS system. Searching the web I found bits and pieces here and there but nothing that covered the whole process, so I decided that once I got this working I had to blog about it.

The process isn't really difficult, but there was still nothing conclusive written about it.

The setup

In my case I had a Windows Enterprise CA and an Apache Tomcat server running on a Windows server. It doesn't matter if yours is running on a *NIX computer, since the certificate work is done with Java's keytool(.exe).

Creating the keystore in Tomcat

Tomcat uses a keystore to store the certificates while running, so first we need to create the keystore. To do so, run the following command from your Java folder under Tomcat;

keytool -genkeypair -alias tomcat -keystore C:\path\to\keystore\keystore1.jks
Enter Keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: fqdn_of_the_server.domain.com
What is the name of your organizational unit?
[Unknown]: IT Department
What is the name of your organization?
[Unknown]: Contoso Limited
What is the name of your City or Locality?
[Unknown]: Helsinki
What is the name of your State or Province?
[Unknown]: Southern Finland
What is the two-letter country code for this unit?
[Unknown]: FI
Is CN=fqdn_of_the_server.domain.com, OU=IT Department, O=Contoso Limited, L=Helsinki, ST=Southern Finland, C=FI correct?
[no]: yes

Enter key password for <tomcat>
(RETURN if same as keystore password):

So now we have a keystore to store our keys in.

Generating the Certificate request

Next we need to generate a request for our Enterprise CA so we can sign the certificate. So we run the following command to generate the CSR;

keytool -certreq -keyalg RSA -alias tomcat -file C:\Temp\certreq.csr -keystore C:\path\to\keystore\keystore1.jks

Before you run the command, make sure the C:\Temp folder exists. The command will store the CSR there as certreq.csr.

Creating the certificate

Move over to the Windows Enterprise CA. Go to the CA web services at https://yourCAserver/certsrv and select Request a new Certificate;


Then select Advanced certificate request, and next select Submit a certificate request by using…..

Copy and paste the content of your certreq.csr file into the textbox and select Subordinate Certification Authority as the template. Another template that works would do as well, but this was the only one I got working and we didn't have time to create new templates, which you probably should do.


Click Submit and download the DER-encoded file. Copy the file to your Tomcat server and let's continue.
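Before importing the downloaded file it is worth checking what the template actually issued. The script below is an added example, not part of the original post: using only the Python standard library it walks the DER structure of the downloaded certificate and reports the basicConstraints cA flag. The Subordinate Certification Authority template issues a certificate with cA=TRUE, which a web server key should never carry; a server certificate has cA=FALSE or no basicConstraints at all. The script name and the fake_cert test data are constructed for the example.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER content of OID 2.5.29.19

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def basic_constraints_ca(der):
    """Depth-first search for basicConstraints; True/False is the cA flag, None means absent."""
    for tag, val in children(der):
        if not tag & 0x20:  # primitive value: never descend into key or signature bytes
            continue
        kids = list(children(val))
        if tag == 0x30 and kids and kids[0] == (0x06, BASIC_CONSTRAINTS_OID):
            inner = list(children(kids[-1][1]))  # extnValue OCTET STRING wraps a SEQUENCE
            fields = list(children(inner[0][1])) if inner else []
            return any(t == 0x01 and v == b"\xff" for t, v in fields)
        found = basic_constraints_ca(val)
        if found is not None:
            return found
    return None

def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed test certificates below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(ca):
    """Constructed certificate skeleton: tbs with [0] version and [3] extensions, then a signature."""
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, bc))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs + tlv(0x03, b"\x00" + bytes(200)))  # long-form lengths exercised

if __name__ == "__main__":  # usage: python check_ca_flag.py C:\Temp\certnew.cer
    import sys
    flag = basic_constraints_ca(open(sys.argv[1], "rb").read())
    print("CA certificate, wrong template for a web server" if flag else "end-entity certificate")
```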

Adding the certificate to the keystore

Now we have a key and a certificate, so we need to add them to the keystore. The private key is already in the keystore, so let's import the new certificate;

keytool -import -alias tomcat -keystore C:\path\to\keystore\keystore1.jks -file C:\Temp\certnew.cer

You now have the key and the certificate in your store. Only one more thing to do: since Tomcat isn't a part of Active Directory it won't trust our CA, so let's import the CA certificate as well. Go to any computer in the organization and start mmc.exe, then select Add/Remove Snap-in. Select Certificates and choose Computer account, Local computer. Go to Trusted Root Certification Authorities, find your CA and select Export. Move the CER file to your Tomcat server.

Then let’s import this one into our keystore, run the following command;

keytool -import -alias caroot -keystore C:\path\to\keystore\keystore1.jks -trustcacerts -file C:\Temp\CARoot.cer

Next let’s use our new certificates in Tomcat.

Configuring Tomcat

Find your server.xml file to configure the settings.


Make the changes to point to your new keystore. Restart the server and you are done.


  1. Khue says:

    I am not sure how you got the client certificate to import into the keystore prior to having the root certificate in the keystore. If you do it in the order of operations you highlighted you should get a key chain error. My keytool yelled at me until I imported the root cert first, then I was allowed to import the client certificate for tomcat… Just FYI.

  2. Mats Hellman says:

    Thanks for the info Khue. I might have forgotten to add the step here. Sorry about that. Happy you got it working anyway.

  3. Chris says:

    Hello.
    How can I import the root certificate before the client certificate?