Monday, February 11, 2008

PositiveSSL and Apache Tomcat 6

I had to renew an SSL certificate for our production web server today. This proved to be more painful than I thought it'd be, mainly due to out of date instructions provided by the certificate vendor. FWIW, we use Comodo PositiveSSL, and it's cheap so I'd recommend it.
Anyway, here's how to get it to work with tomcat:
$ keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

The first question it will ask is "What is your first and last name?". Don't type your name. This should be the name of the server (eg. ""). The rest of the questions you can answer as usual.

$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks

Now, you fill out the PositiveSSL webform, putting your credit card and other details in. It's ask you to paste in the Certificate Signing Request as well - just copy and paste the contents of the certreq.csr file into that field. After a few minutes, you'll receive a couple of emails, the last of which will have a zip file attached, which has four crt files in it. Now you need to import these in a particular order.

$ keytool -import -alias root -keystore keystore.jks -trustcacerts -file AddTrustExternalCARoot.crt

This step may warn you saying "
Certificate already exists in system-wide CA keystore under alias". Tell it that you do want to add the certificate despite whatever it's warning you about.

Then add the rest of the certificates that were in the zip file in order:
$ keytool -import -trustcacerts -alias addtrust -keystore keystore.jks -file UTNAddTrustServerCA.crt
$ keytool -import -trustcacerts -alias positive -keystore keystore.jks -file PositiveSSLCA.crt
$ keytool -import -alias tomcat -keystore keystore.jks -file www_yourcompany_com.crt


Hari said...

I am having the same issues . I followed the same steps but my Tomcat is not starting up.

I am using the keystore format as JKS in server.xml . Can you let me know if you are using the same

Hari said...

Thanks for the post . I was able to resolve the issue. The issue was that I had generated the CSR request to a different keystore and was importing the certificates to a different keystore

Mike Diehn said...

Your post saved what's left of my hair. Thanks loads, man.