Pre-requisites
- SSL certificate is generated (refer to [APPM] Generate a Certificate Signing Request (CSR))
1. Upload key_client.key and the certificate file provided by the customer to APPM (e.g. /home/appm/tmp)
2. Login to APPM. Go to /home/appm/tmp.
3. Convert key and crt/cer to pkcs12 and import to keystore (if cert is generated with .key and .cer/.crt/.pem)
$ openssl pkcs12 -export -out tomcat.p12 -inkey key_client.key -in pam.crt
4. If prompted for password, enter 'tomcat'
5. Import Certification Chain (Optional)
$ keytool -import -trustcacerts -alias SSL_CA -file SSL_CA.crt -keystore tomcat.p12
$ keytool -import -trustcacerts -alias INTERNAL_CA -file INTERNAL_CA.crt -keystore tomcat.p12
6. Check keystore (MUST have 1 PrivateKeyEntry)
$ keytool -list -keystore tomcat.p12
7. Copy the keystore to Tomcat folder
$ cp /home/appm/tmp/tomcat.p12 /home/appm/apache-tomcat/tomcat.p12
8. Edit server.xml (Change to PKCS12)
$ cp /home/appm/apache-tomcat/conf/server.xml /home/appm/apache-tomcat/conf/server.xml.backup
$ vi /home/appm/apache-tomcat/conf/server.xml
From
keystoreFile="tomcat.ks"
to
keystoreFile="tomcat.p12" keystoreType="PKCS12"
9. Verify keystorePass in server.xml (Ensure keystorePass is the same password entered in step 4)
$ vi /home/appm/apache-tomcat/conf/server.xml
keystoreFile="tomcat.p12" keystoreType="PKCS12" keystorePass="tomcat"
[OPTIONAL] To mask/encode the keystorePass, refer to https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=none
then copy and paste the output value into keystorePass. XML encoding only obscures the value in server.xml; it is not encryption.
10. Restart Web Services
To verify that a certificate matches the private key (RSA keys; all commands below must print the same digest)
$ openssl req -noout -modulus -in server.csr | openssl md5
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in key_client.key | openssl md5
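Added example (not part of the original article): a shell pre-flight check for step 6 and the verification commands above. It goes beyond the MD5-of-modulus comparison by comparing full public keys, so it also covers EC keys. It reads the keystore password from an assumed environment variable P12_PASS instead of the command line. The function names and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run before tomcat.p12 is copied into the Tomcat folder.
# File names follow the article; P12_PASS and preflight.sh are assumptions.

# Succeeds only if the certificate was issued for this private key.
# Compares the full public key (PEM), so it works for RSA and EC keys.
# Empty or unreadable input is treated as a failure, never as a match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the PKCS#12 file contains a private key that matches its own
# leaf certificate (the openssl counterpart of the PrivateKeyEntry check in step 6).
# The password comes from the environment so it does not show up in `ps` output.
p12_is_consistent() {
    p12_cert=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null) || return 2
    p12_key=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 2
    [ -n "$p12_cert" ] && [ "$p12_cert" = "$p12_key" ]
}

# Script mode: sh preflight.sh pam.crt key_client.key tomcat.p12
if [ "$#" -eq 3 ]; then
    cert_matches_key "$1" "$2" \
        || { echo "certificate and private key do not match" >&2; exit 1; }
    p12_is_consistent "$3" \
        || { echo "keystore has no private key matching its certificate" >&2; exit 1; }
    echo "OK: $1, $2 and $3 agree"
fi
```

Export P12_PASS in the shell session before calling the script, and unset it afterwards.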