
I wanted to create a self-signed certificate in Tomcat. I have followed these steps.

Step-1 :- keytool -genkey -alias test -keyalg RSA -keystore mykeystore

Step-2 :- CSR Generation

keytool -certreq -keyalg RSA -alias test -file testing.csr -keystore mykeystore

Next I have to generate a self-signed certificate. How do I generate my self-signed certificate, which needs to be imported into the keystore?

user3442562

2 Answers


When using Java's keytool, you already end up with a self-signed certificate if you just use the -genkey command.

Try this, and you'll see there is already a certificate in the keystore:

$ keytool -list -v -keystore mykeystore

If you want to get that certificate signed by a CA, you can use the CSR you generated for that purpose, and then execute these commands.

You'll need to import the root and intermediate certificates from the CA first:

$ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.jks
$ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.jks
$ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks

These days, there's really no reason not to get a freely-signed certificate from Let's Encrypt.

Christopher Schultz
  • Do I need to use keytool to generate the CSR, or may I use OpenSSL for sending it to the CA? – user3442562 Nov 08 '16 at 07:57
    OpenSSL can't read a Java Keystore, but it can read PKCS12 files, as can `keytool`. If you are going to be working with Java Keystore files, I would stick with `keytool`. Tomcat now supports using OpenSSL-style PEM files for certificates and keys, and I prefer that format to the Java Keystore for a couple of reasons. If you prefer OpenSSL, you can use that instead of `keytool` and Java Keystores. But I would be consistent once you have picked a tool/format to use. – Christopher Schultz Nov 08 '16 at 15:27
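
The point made in this answer, that `-genkey` alone already yields a self-signed certificate, as an added shell example that is not part of the question or either answer: it generates the key pair, exports the certificate in PEM form, and verifies that the certificate's Owner and Issuer are identical. The alias `test` comes from the question; the hostname, password, SAN extension and PKCS12 store type are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not code from the question or the answers. Demonstrates that
# `keytool -genkeypair` already produces a self-signed certificate and checks it.
set -eu

KS_FILE="${KS_FILE:-mykeystore.p12}"        # assumption: PKCS12 store (JDK default since Java 9)
KS_ALIAS="${KS_ALIAS:-test}"                # alias used in the question
CERT_HOST="${CERT_HOST:-tomcat.example.test}"  # constructed sample hostname for CN and SAN
KS_PASS="${KS_PASS:-changeit}"              # sample password only; use a real secret in deployment

# One command creates both the private key and its self-signed certificate.
# The SAN must match the hostname clients connect to, or browsers reject the cert.
gen_selfsigned() {
    rm -f "$KS_FILE"
    keytool -genkeypair -alias "$KS_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$CERT_HOST, O=Example, C=US" -ext "SAN=dns:$CERT_HOST" \
        -storetype PKCS12 -keystore "$KS_FILE" \
        -storepass "$KS_PASS" -keypass "$KS_PASS" >/dev/null 2>&1
}

# Returns 0 if the certificate under $KS_ALIAS is self-signed (Owner == Issuer),
# 1 if it is not, and 2 if keytool is not installed on this machine.
check_selfsigned() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping" >&2; return 2; }
    gen_selfsigned
    # Export the certificate as PEM: this is what you would hand to clients or a truststore.
    keytool -exportcert -rfc -alias "$KS_ALIAS" -keystore "$KS_FILE" \
        -storepass "$KS_PASS" > "$CERT_HOST.crt"
    owner=$(keytool -printcert -file "$CERT_HOST.crt" | sed -n 's/^Owner: //p')
    issuer=$(keytool -printcert -file "$CERT_HOST.crt" | sed -n 's/^Issuer: //p')
    if [ -n "$owner" ] && [ "$owner" = "$issuer" ]; then
        echo "self-signed certificate present: $owner"
        return 0
    fi
    echo "certificate is NOT self-signed (issuer: $issuer)" >&2
    return 1
}

# Usage: run the check and record its result without aborting under `set -e`.
rc=0
check_selfsigned || rc=$?
```

If you later have the CSR signed by a CA and import the reply under the same alias, the Issuer line will change to the CA's name, which is exactly how you tell the two states apart.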

I posted a script that can be run on Windows that creates self-signed certificates. Check out the accepted answer to this post to create the certificates.

Edit your tomcat server.xml port 443 connector and add:

    <Connector port="443"
               maxThreads="150"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               sslProtocol="TLS"
               keystoreFile="conf/tomcat.server.net.p12"
               keystorePass="changeit"
               keyAlias="sokar.fw5540.net"
               truststoreFile="conf/truststore.p12"
               truststorePass="changeit"
               clientAuth="true"/>

Hope this helps.

Best, Ace

AceFunk