000030881 - How to generate an SSL certificate for tomcat.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030881
Applies To: AAOP 7.1, Netscaler Adapter 2.2
Issue: The CSG_AAOP-Cert certificate expired; as a result, users are unable to authenticate on the Tomcat server.
 
Resolution
Steps to build a certificate for Tomcat
 
You need to use "keytool", which is found in the Java/bin or Java/jre/bin directory of the Java installation.
 
1. Generate the keys (the file name can be certificate.jks):
     keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore <your_keystore_filename>
 
When keytool asks "What is your first and last name?", enter the full domain name, i.e. external-site.mycompany.com; this value becomes the certificate's common name (CN). The state name cannot be abbreviated.
 
2. Create the CSR (certificate signing request) file:
      keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr   -keystore <your_keystore_filename>
 
3. Use the CSR file to request the certificate. Open the .csr file, copy the entire text into Notepad and submit it to the issuer (for example godaddy.com); the issuer will e-mail the certificates to your admin. The text to copy starts with -----BEGIN NEW CERTIFICATE REQUEST----- and ends with -----END NEW CERTIFICATE REQUEST-----; include both marker lines.
Once you receive the certificates, continue with step 4 and import the root and intermediate certificates before the server certificate.

4. Import the chain certificates (root and intermediate), if any. Use a separate alias for each certificate in the chain, e.g. root and intermediate:
     keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
 
5. Finally, import your new certificate under the same alias used in step 1 (tomcat), so that it is attached to the private key generated there:
     keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>
 
Distinguished name (DN) fields used in the certificate:
     CN=commonName
     OU=organizationUnit
     O=organizationName
     L=localityName
     S=stateName
     C=country
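The steps above as one repeatable script, added here as an example (it is not the article's own procedure). It drives keytool non-interactively with -dname and -storepass instead of answering the prompts, and assumes a POSIX shell, keytool on the PATH, keystore certificate.jks, alias tomcat, chain aliases root and intermediate, and a password supplied in STOREPASS (the default is a placeholder).

```shell
#!/bin/sh
# Added example, not from the RSA article: steps 1, 2, 4 and 5 as a script.
# keytool runs non-interactively (-dname, -storepass), so the CN is set to the
# full host name rather than typed at "What is your first and last name?".
# Constructed assumptions: keystore certificate.jks, alias tomcat, chain aliases
# root/intermediate, password from STOREPASS (default is a placeholder).
set -eu
KEYTOOL="${KEYTOOL:-keytool}"          # keytool from Java/bin or Java/jre/bin
KEYSTORE="${KEYSTORE:-certificate.jks}"
ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-changeit}"     # placeholder; supply a real password

# Build the -dname string from the fields the article lists (CN OU O L S C).
# keytool spells the state field ST; the article's "S" is that field.
build_dname() {
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 1: generate the 2048-bit RSA key pair; $1 is the distinguished name.
gen_keypair() {
  "$KEYTOOL" -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -dname "$1" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: write the CSR ($1) that is sent to the issuer (step 3, done by hand).
make_csr() {
  "$KEYTOOL" -certreq -alias "$ALIAS" -file "$1" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 4: import one chain certificate ($1 alias, $2 file). Root and
# intermediate each need their own alias; keytool refuses a reused alias.
import_chain_cert() {
  "$KEYTOOL" -import -trustcacerts -noprompt -alias "$1" -file "$2" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 5: import the issued certificate under the key pair's alias, then list
# the entry. "Certificate chain length" greater than 1 shows the chain linked.
import_server_cert() {
  "$KEYTOOL" -import -alias "$ALIAS" -file "$1" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -E 'Alias name|Owner|Certificate chain length'
}

if [ "${1:-}" = "run" ]; then   # sample DN values below are constructed
  gen_keypair "$(build_dname external-site.mycompany.com IT MyCompany Bedford Massachusetts US)"
  make_csr certreq.csr
  echo "Send certreq.csr to the issuer; then run import_chain_cert and import_server_cert."
fi
```

Run it as `sh build-keystore.sh run` to perform steps 1 and 2; after the issuer returns the files, call import_chain_cert for each chain certificate and then import_server_cert for the server certificate.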
Notes
For troubleshooting SSL if you are not making progress with the new certificate:
Adapters deployed on Tomcat usually have their certificates configured in the conf/server.xml file.
The path to the certificate keystore is configurable in server.xml.

 
For SSL debugging, add one of the following options to the JVM arguments (see the JSSE debugging documentation):

 
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html
 
-Djavax.net.debug=all
Or
-Djavax.net.debug=ssl
 
The whole SSL handshake will then be written to logs/catalina.out or logs/localhost on Tomcat.
For WebSphere it will be in SystemOut.log.
 
