Tomcat–not my favorite.
General Steps
- Create a Key and Certificate Request
- Issue the Certificate from your favorite Registrar
- Merge the Certificate into a Tomcat File
Create a Key and Certificate Request
On your favorite Linux or Windows box, make sure you have OpenSSL.
I am making a directory called /home/keystore. Seems fitting.
So:
mkdir /home/keystoreFirst we need a Private Key. This is yours and yours alone.
So, the private key is critical. It’s your unique identifier for this SSL cert.
Next, we need to generate the request to send to GoDaddy, InstantSSL, etc
Now, the command:
You are going to be prompted for all of the details as follows. For Wildcard, use *.mydomain.com. For other hosts, just use the hostname. ie mydomain.com (you will get www automatically)
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Tim
Organization Name (eg, company) [Default Company Ltd]:My Domain Inc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:*.mydomain.com
Email Address []:support@mydomain.com
Press Enter on the Extra fields, no password needed.
Ok, once finished, take your CSR and submit to your provider. Once you submit, you wait and then you will get your certificate. You may have to check email to approve it.
Now the Easy Part!
Merge the Certificate into a Tomcat File
If you are a GoDaddy Customer, you will get two files. Other providers might send you on a wild goose chase for the Bundle file.
6e00664a60ac4578.crt - This is the Actual Certificate
gd_bundle-g2-g1.crt - This is your Bundle file with all the certificate chain data from GoDaddyFor simplicity and understanding, let’s rename the file:
mv 6e00664a60ac4578.crt mydomain.crtNow, let’s make the Tomcat keystore container
openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in mydomain.crt -inkey private.key -out keystore.tomcat -name tomcat -passout pass:changeitOk, you have everything you need. Now, setup Tomcat.
Installing the Certificate in Tomcat
Let’s copy the file to our tomcat installation configuration directory. My tomcat was in /usr/local/tomcat5
cp keystore.tomcat /usr/local/tomcat5/confNow, we need to enable SSL. So, we need to edit the server-wide server.xml file. Find the section like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
Replace it. Mine looks like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="443"
maxHttpHeaderSize="8192" maxThreads="250" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
keystoreFile="/usr/local/tomcat5/conf/keystore.tomcat"
keystorePass="changeit"
keystoreType="PKCS12" />
Lastly, find any other references to port 8443 in the server.xml file and replace them with just 443.
Now, restart Tomcat and enjoy your newly functioning wildcard certificate.
I hope this bridges the gaps on some of the other articles out there.
Database Blog 