Attix5 Pro FAQ

Using signed SSL certificates for WebAccess

Article ID: 66
Last updated: 13 Aug, 2014

To use SSL certificates signed by a Certificate Authority (CA) for Attix5 WebAccess, follow these steps:

Create a new self-signed key

Using the Command Prompt, navigate to the Java\jdk\bin directory (e.g. C:\Program Files\Java\jdk1.5.0_01\bin).

Run the command "keytool -genkey -alias tomcat -keyalg RSA".
This will prompt you for details.

Note: keytool will ask you for your first and last name. This field becomes the certificate's Common Name (CN), which must match the host name users type into their browser, so you will usually need to enter the full domain name of the server running WebAccess (e.g. webaccess.attix5server.com) rather than your own name for the signed certificate import to succeed. If in doubt, enter the full domain name of your WebAccess server at this point.

You will also be prompted for a password twice; enter the same password both times.

Note: You will also need to specify this password in the server.xml file.

The .keystore file will be written to the root path of the Windows user you are logged in as (e.g. C:\Documents and Settings\Administrator\).

Generate a Certificate Signing Request (CSR)

In the Java\jdk\bin directory, run (replacing the placeholder with the path to the .keystore file created above):
"keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <path to .keystore>"

Note: If you do not specify the path for the CSR, this will be written to the jdk\bin directory.

You now have a file called certreq.csr that you can submit to the Certificate Authority (see the CA's website documentation for how to do this). In return you receive a signed certificate.

Importing the Certificate(s)

Note: It is recommended that you make a copy of your keystore files before attempting any certificate imports. If you make a mistake, you can easily restart the process.

When you receive your certificate back from the CA it needs to be imported to your keystore along with any root and intermediate certificates. (If updating certificates, see Further Commands below).

To import the root certificate, run the following command (replacing the placeholders with the path to your .keystore file and the certificate file supplied by the CA):
"keytool -import -alias root -keystore <path to .keystore> -trustcacerts -file <root certificate file>"

If an intermediate certificate is provided, run the following command (note the different alias):
"keytool -import -alias inter -keystore <path to .keystore> -trustcacerts -file <intermediate certificate file>"

Finally, run the following command to import your own certificate (again, note the different alias, which must match the alias used when the key was generated):
"keytool -import -alias tomcat -keystore <path to .keystore> -trustcacerts -file <your signed certificate file>"

Note: It is very important to import any intermediate certificates if instructed to do so by your CA. If you do not, your own certificate will not be considered trusted and will display as such in web browsers.

Configure Tomcat server.xml

You now need to specify the path to the keystore and keystore password in the Tomcat server.xml file.

For example (the opening tag is shown here with port 443, the standard HTTPS port, as an assumed value; use the port your WebAccess connector actually listens on):

<Connector port="443"
address="192.168.10.88"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:\Users\Administrator\.keystore"
keystorePass="yourpassword"/>

Restart Tomcat for any changes to take effect.
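As an added check before the restart (this is example code written for this article, not part of Attix5 WebAccess or Tomcat), the script below parses a server.xml fragment using the same Connector attributes as above and reports what would stop the HTTPS listener from coming up as intended: secure="true" missing, a keystoreFile that does not exist on this machine, or a keystorePass left at a placeholder such as "yourpassword". The two fragments, the password placeholder list and the stand-in keystore file are constructed for the example; the attribute names are the standard Tomcat ones shown on this page.

```python
"""Sanity-check the HTTPS <Connector> in a Tomcat server.xml before restarting.

Added example, not Attix5 or Tomcat code. Only the standard Connector
attributes used on this page are inspected.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed list of values that are obviously placeholders and must not
# survive into a production server.xml.
PLACEHOLDER_PASSWORDS = {"", "yourpassword", "changeit", "password"}

# Constructed "before" fragment: secure="true" is missing, the keystore path
# points at a Windows location that does not exist on the machine running this
# script, and the password is still the placeholder from the article.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" scheme="https" clientAuth="false" sslProtocol="TLS"
             keystoreFile="C:\\Users\\Administrator\\.keystore"
             keystorePass="yourpassword"/>
</Service></Server>"""


def good_server_xml(keystore_path):
    """Constructed "after" fragment: secure="true" present, real keystore path,
    placeholder password replaced (the value here is itself only an example)."""
    return """<Server><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystoreFile="%s" keystorePass="s3cr3t-example"/>
</Service></Server>""" % keystore_path


def check_https_connector(conn):
    """Return a list of findings for one <Connector> element (empty = looks sane)."""
    findings = []
    if conn.get("secure", "false").lower() != "true":
        findings.append('secure="true" is missing, so the application would not '
                        "treat requests on this listener as HTTPS")
    if not conn.get("sslProtocol"):
        findings.append("sslProtocol is not set")
    if conn.get("clientAuth", "false").lower() not in {"true", "false", "want"}:
        findings.append("clientAuth must be true, false or want")
    keystore = conn.get("keystoreFile")
    if not keystore:
        findings.append("keystoreFile is not set")
    elif not os.path.isfile(keystore):
        findings.append("keystoreFile does not exist: %s" % keystore)
    if conn.get("keystorePass", "").lower() in PLACEHOLDER_PASSWORDS:
        findings.append("keystorePass is missing or still a placeholder value")
    return findings


def check_server_xml(server_xml_text):
    """Map each HTTPS connector's port to its findings. A configuration with no
    scheme="https" connector at all is reported under the key 'none'."""
    root = ET.fromstring(server_xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("scheme") == "https":
            report[conn.get("port", "?")] = check_https_connector(conn)
    if not report:
        report["none"] = ['no Connector with scheme="https" found']
    return report


def demo():
    """Run both constructed fragments through the checker; returns (weak, good).

    The temporary file only stands in for the keystore so that the path check
    passes; its contents are irrelevant to this example.
    """
    fd, path = tempfile.mkstemp(suffix=".keystore")
    os.close(fd)
    try:
        return check_server_xml(WEAK_SERVER_XML), check_server_xml(good_server_xml(path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    weak, good = demo()
    for label, report in (("weak", weak), ("good", good)):
        for port, findings in report.items():
            print("%s config, connector on port %s: %s"
                  % (label, port, "; ".join(findings) or "OK"))
```

Run the script as-is to see the three findings for the constructed weak fragment and "OK" for the corrected one; to check a real server.xml, pass its contents to check_server_xml() and fix every finding before restarting Tomcat.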

Further Commands

The contents of the keystore can be listed with the following command (replacing the placeholder with the path to your .keystore file): "keytool -list -v -keystore <path to .keystore>".

This will enable you to find which aliases were used to import certificates previously.
If updating certificates, make sure the new certificate is imported using the same alias that the old certificate was imported with.

Many more common keytool commands can be found here:
http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Revision: 4
Posted: 16 Jun, 2011 by Flood A.
Updated: 13 Aug, 2014 by Van Rensburg J.