Installing an SSL certificate on Apache Tomcat

Part one: Download and save your certificates

  1. Open the email we sent you containing the certificate for your domain name.

  2. Copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  3. Paste the certificate into a blank document in a text editor. Use an editor that will not add characters, such as TextPad.

  4. Save the document. We recommend that you name it YourDomainName.crt and save it in your Web server's default directory for SSL certificates.

    We recommend that you also back up your certificate on another computer or storage device. The certificate itself is public; the file that must be protected is the keystore holding the private key that matches it, so back that up too, and keep both the keystore and its backup readable only by the administrator account.

  5. Confirm which certificate you purchased, and determine which set of Intermediate and Root certificates to download.

    To confirm which certificate you purchased, review your order confirmation.

    • If you purchased SBS Instant, download set A below.

    • If you purchased SBS Secure or Secure Plus, download set B below.

    A -- SBS Instant

    B -- SBS Secure and Secure Plus

  6. Download the Root-Intermediate set for your domain name certificate. To download, right-click each certificate file name and select Save Target As.

    Save the Root and Intermediate certificates to the same directory where you saved the certificate for your domain name.

Part two: Build a Certificate Chain

  1. Open your certificates in a text editor.

  2. Open another instance of the text editor. Use an editor that will not add characters, such as TextPad.

  3. Copy the text from each certificate and paste it into the blank document to form one file (the certificate chain). Paste the certificates so that the Root certificate is at the top and the certificate for your domain name is at the bottom. For example, if you purchased SBS Instant, the order should be:

    *UTN*GlobalRoot.crt
    *Intermediate1CA.crt
    *Intermediate2CA.crt
    YourDomainName.crt

    In the resulting file each -----END CERTIFICATE----- line is followed directly by the next -----BEGIN CERTIFICATE----- line (one line break, CRLF or LF, between certificates), with no blank lines, added characters or trailing whitespace:

    -----BEGIN CERTIFICATE-----
    *UTN*GlobalRoot text
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    *Intermediate1CA text
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    *Intermediate2CA text
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Your Site Certificate text
    -----END CERTIFICATE-----

  4. Save the chain with extension .cer.
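To build the chain file without the hand-editing in steps 1 to 4, here is an added example script; it is not from Secure Business Services, and the file names and the sample certificate bodies in it are constructed for illustration (they are minimal DER structures, not real certificates). It takes the certificate files in the order given above, normalises CRLF line endings, rejects any character outside the base64 alphabet (the sort of thing a word processor inserts), checks that each block decodes to a DER SEQUENCE, and writes the chain with exactly one line break between END and the next BEGIN. It does not check that each certificate was issued by the one above it; keytool does that against your key pair when the chain is imported.

```python
import base64
import re
import sys
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_pem_blocks(text: str) -> List[str]:
    """Return each certificate in `text` as a clean PEM block (LF line endings,
    64-column base64). Raises ValueError on anything an editor or a stray
    copy/paste may have introduced: characters outside the base64 alphabet,
    a missing END marker, or base64 that does not decode to a DER SEQUENCE."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    blocks: List[str] = []
    pos = 0
    while True:
        start = text.find(BEGIN, pos)
        if start == -1:
            break
        end = text.find(END, start)
        if end == -1:
            raise ValueError("BEGIN CERTIFICATE without matching END marker")
        b64 = "".join(text[start + len(BEGIN):end].split())  # drop all whitespace
        if not _B64.fullmatch(b64):
            raise ValueError("non-base64 character inside a certificate block")
        der = base64.b64decode(b64, validate=True)
        # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to a DER SEQUENCE")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join([BEGIN] + lines + [END]))
        pos = end + len(END)
    if not blocks:
        raise ValueError("no certificate block found")
    return blocks


def join_blocks(blocks: List[str]) -> str:
    """One line break between END and the next BEGIN, one trailing newline."""
    return "\n".join(blocks) + "\n"


def build_chain(pem_texts: List[str]) -> str:
    """Concatenate the certificates in the order given (Root first, domain
    certificate last, as in Part two)."""
    blocks: List[str] = []
    for text in pem_texts:
        blocks.extend(extract_pem_blocks(text))
    return join_blocks(blocks)


def write_chain(in_paths: List[str], out_path: str) -> None:
    """Read the certificate files and write the chain with LF line endings only."""
    blocks: List[str] = []
    for path in in_paths:
        # Strict ASCII: a byte-order mark or a typographic quote fails right here.
        with open(path, "r", encoding="ascii") as f:
            try:
                blocks.extend(extract_pem_blocks(f.read()))
            except ValueError as exc:
                raise ValueError("%s: %s" % (path, exc))
    with open(out_path, "w", newline="\n") as out:
        out.write(join_blocks(blocks))


# Constructed sample input, not real certificates: each body is the base64 of a
# minimal DER SEQUENCE so the structural checks pass. The first one uses CRLF
# line endings, as a file saved on Windows would.
SAMPLE_ROOT = BEGIN + "\r\nMAMCAQE=\r\n" + END + "\r\n"
SAMPLE_SITE = BEGIN + "\nMAMCAQI=\n" + END + "\n"
# A block with a typographic quote in it, as a word processor might insert.
SAMPLE_BAD = BEGIN + "\nMAMC\u201cAQE=\n" + END + "\n"


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: build_chain.py ROOT.crt [INTERMEDIATE.crt ...] SITE.crt OUT.cer")
    write_chain(sys.argv[1:-1], sys.argv[-1])
```

Run it as python build_chain.py UTNGlobalRoot.crt Intermediate1CA.crt Intermediate2CA.crt YourDomainName.crt YourDomainName.cer. A file that was damaged by the editor is reported by name instead of silently producing a chain that keytool will refuse.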

Part three: Import the Certificate Chain

Importing the certificate chain into the keystore that already holds your private key lets Tomcat send the Intermediate certificates together with the certificate for your domain name, so browsers can build a trusted path up to the Root. The import must go into the same keystore, and under the same alias, that you used when you generated the key pair and the certificate request; a keystore without that key pair can only store the chain as a trusted certificate, not as a server certificate.

  1. From the command line, run the following (the alias tomcat is a placeholder for the alias you used; the keystore path and type are the ones used in the next section):

    keytool -import -trustcacerts -alias tomcat -file YourDomainName.cer -keystore /certificatesPath/hostKeystore.pkcs12 -storetype PKCS12

  2. Enter the keystore password at the prompt. keytool should report that the certificate reply was installed in the keystore. If it instead asks "Trust this certificate?", there is no key entry under that alias and you are importing into the wrong keystore or with the wrong alias: answer no and check the aliases with keytool -list. Make a note of the keystore path, type and password, to use in the next section.

Part four: Enable security in Tomcat

  1. In a text editor, open the Tomcat configuration file:

    DirectoryWhereTomcatIsInstalled/conf/server.xml

  2. Find the Connector element for the secure port. In the stock server.xml it is the one with scheme="https" on port 8443 and it is commented out; uncomment it.

  3. Edit the Connector to be consistent with the following, replacing the paths and passwords with your own:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="want"
               keystoreFile="/certificatesPath/hostKeystore.pkcs12"
               keystorePass="newPassword"
               keystoreType="PKCS12"
               truststoreFile="/certificatesPath/caKeystore.jks"
               truststorePass="newPassword"
               truststoreType="JKS"/>

    Where:

    port: port on which Tomcat listens for secured connections
    SSLEnabled: must be "true" on Tomcat 6; without it the connector serves plain HTTP on that port
    sslProtocol: protocol handler to use; "TLS" is the default and the value to use
    clientAuth: specifies whether client certificate authentication is required. Permitted values are:

    • true: always require a valid client certificate
    • false: no client certificate is requested
    • want: ask for a certificate and use it if the client presents a valid one, but do not require one
    keystoreFile: path to the keystore containing the server's private key and the certificate chain imported in Part three
    keystorePass: password of the keystore file. The default is "changeit"; set a real password on the keystore and put it here
    keystoreType: keystore type (JKS or PKCS12)
    truststoreFile: path to the truststore containing the CA certificates that are allowed to issue client certificates. It is consulted only when clientAuth is true or want. If it is omitted, Tomcat falls back to the JVM's default trust store (javax.net.ssl.trustStore, otherwise the JRE's cacerts), which holds the public CAs, so a certificate issued by any of them would be accepted as a client certificate; the truststore should hold only the CAs you actually trust for client authentication. If you do not use client certificates, set clientAuth="false" and omit the three truststore attributes.
    truststorePass: password of the truststore file (defaults to the value of keystorePass)
    truststoreType: truststore type (JKS or PKCS12)

    The debug, minSpareThreads and maxSpareThreads attributes of Tomcat 5.5 connectors are not used by Tomcat 6, which sizes its pool with maxThreads, and have been left out. Because the passwords are stored in clear text, make server.xml readable only by the account that runs Tomcat.
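As an added check (this script is not part of the original page or of Tomcat), the following Python reads server.xml and reports, for every Connector meant to serve HTTPS, the settings discussed above that are missing or weak: SSLEnabled, secure, the keystore attributes, the clientAuth value, a truststore missing when clientAuth is want or true, the default password, and the leftover debug attribute. The two embedded configurations are constructed samples, a 5.5-style fragment beside the corrected one; the paths and passwords are the placeholders used on this page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

VALID_CLIENT_AUTH = ("true", "false", "want")


def check_connector(attrs: Dict[str, str]) -> List[str]:
    """Return findings for one HTTPS Connector's attributes; an empty list means
    the attributes are consistent with the settings described in Part four."""
    findings: List[str] = []
    tag = 'Connector port="%s": ' % attrs.get("port", "?")
    if attrs.get("SSLEnabled", "").lower() != "true":
        findings.append(tag + 'SSLEnabled="true" is missing; a Tomcat 6 HTTP/1.1 '
                        "connector without it answers plain HTTP on this port")
    if attrs.get("secure", "").lower() != "true":
        findings.append(tag + 'secure="true" is missing; request.isSecure() will be false')
    if "keystoreFile" not in attrs:
        findings.append(tag + "keystoreFile is not set; Tomcat would look for ~/.keystore")
    if attrs.get("keystorePass", "changeit") == "changeit":
        findings.append(tag + 'keystorePass is the keytool/Tomcat default "changeit"')
    client_auth = attrs.get("clientAuth", "false").lower()
    if client_auth not in VALID_CLIENT_AUTH:
        findings.append(tag + 'clientAuth="%s" is not one of true, false, want' % client_auth)
    elif client_auth != "false":
        # With want/true the truststore decides which CAs may issue client certificates.
        if "truststoreFile" not in attrs:
            findings.append(tag + 'clientAuth="%s" without truststoreFile: the JVM default '
                            "trust store (cacerts) is used, so a client certificate from "
                            "any public CA would be accepted" % client_auth)
        elif attrs.get("truststorePass", attrs.get("keystorePass", "changeit")) == "changeit":
            findings.append(tag + 'truststorePass is the default "changeit"')
    if "debug" in attrs:
        findings.append(tag + "debug is not a Tomcat 6 Connector attribute; remove it")
    return findings


def check_server_xml(server_xml: str) -> List[str]:
    """Check every Connector that is meant to serve HTTPS (scheme="https" or
    SSLEnabled="true"); plain HTTP connectors are skipped."""
    root = ET.fromstring(server_xml)
    findings: List[str] = []
    for conn in root.iter("Connector"):
        a = conn.attrib
        if a.get("scheme") == "https" or a.get("SSLEnabled", "").lower() == "true":
            findings.extend(check_connector(a))
    return findings


# Constructed sample configurations, not a real server.xml. The weak one is the
# kind of Tomcat 5.5-era fragment that still parses but leaves the port on plain HTTP.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="want"
               keystoreFile="/certificatesPath/hostKeystore.pkcs12"
               keystorePass="changeit"
               keystoreType="PKCS12"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="want"
               keystoreFile="/certificatesPath/hostKeystore.pkcs12"
               keystorePass="newPassword"
               keystoreType="PKCS12"
               truststoreFile="/certificatesPath/caKeystore.jks"
               truststorePass="newPassword"
               truststoreType="JKS"/>
  </Service>
</Server>"""


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "conf/server.xml"
    with open(path) as f:
        problems = check_server_xml(f.read())
    print("\n".join(problems) if problems else "no findings")
    sys.exit(1 if problems else 0)
```

Run as python check_connector.py /DirectoryWhereTomcatIsInstalled/conf/server.xml before restarting Tomcat; it exits non-zero when there are findings. It reads only the XML, so the file permissions on server.xml and on the keystore still have to be checked by hand.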

Part five: Finish

  1. Restart Tomcat.

  2. Confirm that the chain is served. Browse to https://YourDomainName:8443/ and check that the browser shows no certificate warning, or run openssl s_client -connect YourDomainName:8443 -showcerts and check that the Intermediate certificates are listed after your domain certificate and that it reports "Verify return code: 0 (ok)". A browser warning about an unknown issuer usually means the chain was not imported under the key pair's alias in Part three.

For further reference

For more information, please see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html




Copyright © 2008 Secure Business Services, All rights reserved.