Tomcat Cert Generation

First we generate a key pair and a self-signed certificate for the Tomcat instance, stored in a keystore under the tomcat user's home directory:

tomcat@achtung:~$ keytool -genkey -alias tomcat -keyalg RSA -validity 3650 -keystore $HOME/.keystore
Enter keystore password:
What is your first and last name?
  [Unknown]:  achtung
What is the name of your organizational unit?
  [Unknown]:  telco
What is the name of your organization?
  [Unknown]:  telco
What is the name of your City or Locality?
  [Unknown]:  cambridge
What is the name of your State or Province?
  [Unknown]:  worcestershire
What is the two-letter country code for this unit?
  [Unknown]:  en
Is CN=achtung, OU=telco, O=telco, L=cambridge, ST=worcestershire, C=en correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):
ocm@achtung:~$

The last prompt asks for a separate key password. Pressing RETURN reuses the keystore password for the private key, which is the less secure choice (one secret unlocks both the store and the key) but is what Tomcat's connector expects by default; if you pick a different key password you must also set keyPass on the Connector element in server.xml, otherwise Tomcat cannot read the key. You decide. Also note that the country field expects an ISO 3166 code (GB for the UK), not a language code such as "en"; keytool does not validate it, so a wrong value ends up in the certificate.

Check that the keystore now holds the key pair (with no -keystore argument, keytool -list reads $HOME/.keystore, the same file we just created):

tomcat@achtung:~$ keytool -list
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jan 18, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): KK:D9:7A:KK:30:57:DC:E9:KK:89:59:B8:89:6C:BD:KK

Now point the HTTPS connector in CATALINA_HOME/conf/server.xml at the keystore (here the tomcat user's home directory is /usr/tomcat, so $HOME/.keystore is /usr/tomcat/.keystore; adjust the path if your home is elsewhere):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/tomcat/.keystore" keystorePass="changeme"/>

This connector is commented out in the default server.xml; remove the surrounding <!-- and --> to enable it. Note that keystorePass is stored in clear text here, so server.xml and the keystore itself should be readable only by the tomcat user.

Now restart Tomcat (shutdown.sh && startup.sh from CATALINA_HOME/bin), then check the log and the listening ports:

Jan 18, 2012 5:44:03 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
tomcat@achtung:~$ netstat -tnlp | grep 8443
tcp6       0      0 :::8443                 :::*                    LISTEN      6023/java
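The whole procedure above, replayed as a non-interactive script so it can be rerun and checked instead of typed by hand. This is an added example, not code from the original page: it assumes the hypothetical host name "achtung", the keystore path $HOME/.keystore, and that the passwords come from the environment variables KEYSTORE_PASS and KEY_PASS rather than the literal "changeme" in the page's server.xml. It needs keytool (from a JDK) and openssl. Beyond the page it fixes the country code, adds a SAN for the host name, locks down the keystore permissions, emits keyPass only when the key password differs from the store password, and verifies the TLS handshake rather than just the open port.

```shell
#!/bin/sh
# Added example (not from the original page): the page's keytool session and
# server.xml snippet as a script, plus the checks worth running before
# trusting the result. Hypothetical values: host "achtung", keystore
# $HOME/.keystore, passwords from KEYSTORE_PASS / KEY_PASS.
set -eu

# Generate an RSA key pair and self-signed cert. -dname replaces the
# interactive questions (C= is an ISO 3166 code, so GB rather than "en").
# -storetype JKS matches the page. A key password that differs from the
# store password is the "more secure" option, but then server.xml needs keyPass=.
gen_keystore() {  # gen_keystore <keystore> <alias> <host> <storepass> <keypass>
    ks=$1; name=$2; host=$3; storepass=$4; keypass=$5
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=$host, OU=telco, O=telco, L=cambridge, ST=worcestershire, C=GB" \
        -ext "SAN=dns:$host" -storetype JKS \
        -keystore "$ks" -storepass "$storepass" -keypass "$keypass"
    chmod 600 "$ks"   # the keystore holds the private key: owner-only
}

# Equivalent of the page's "keytool -list": succeed only if the alias is a
# PrivateKeyEntry, i.e. certificate AND private key are in the store
# (a TrustedCertEntry would not let Tomcat terminate TLS).
has_private_key() {  # has_private_key <keystore> <alias> <storepass>
    keytool -list -keystore "$1" -storepass "$3" 2>/dev/null \
        | grep -q "^$2, .*PrivateKeyEntry"
}

# Emit the <Connector> element for CATALINA_HOME/conf/server.xml. keyPass is
# written only when it differs from keystorePass, since Tomcat uses the
# keystore password for the key by default.
render_connector() {  # render_connector <keystore> <storepass> <keypass>
    extra=""
    [ "$2" = "$3" ] || extra=" keyPass=\"$3\""
    printf '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"\n'
    printf '           maxThreads="150" scheme="https" secure="true"\n'
    printf '           clientAuth="false" sslProtocol="TLS"\n'
    printf '           keystoreFile="%s" keystorePass="%s"%s/>\n' "$1" "$2" "$extra"
}

# netstat only proves something listens on 8443. After shutdown.sh &&
# startup.sh, confirm the port completes a TLS handshake and serves a
# certificate whose subject carries the expected CN.
check_tls() {  # check_tls <host> <port> <expected CN>
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -fingerprint -sha256 \
        | grep -q "CN *= *$3"
}

main() {
    ks=${KEYSTORE:-$HOME/.keystore}
    storepass=${KEYSTORE_PASS:?set KEYSTORE_PASS}
    keypass=${KEY_PASS:-$storepass}
    gen_keystore "$ks" tomcat achtung "$storepass" "$keypass"
    has_private_key "$ks" tomcat "$storepass" || { echo "alias tomcat missing in $ks" >&2; exit 1; }
    echo "--- paste into server.xml in place of the commented-out connector ---" >&2
    render_connector "$ks" "$storepass" "$keypass"
    # then: shutdown.sh && startup.sh, and   check_tls achtung 8443 achtung
}

case ${1:-} in run) main ;; esac
```

Run it as `KEYSTORE_PASS=... ./tomcat-tls.sh run` as the tomcat user; after restarting Tomcat, `check_tls achtung 8443 achtung` returns 0 only when the listener actually negotiates TLS and presents the certificate just generated, which is the check netstat cannot give you. Browsers will still warn because the certificate is self-signed; for anything beyond a test box, replace it with one issued by a CA you control or trust.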