Keystore and cacerts
Steps:
1. list the existing keys. With no -keystore option, keytool uses the .keystore file in the current user's home directory; on this setup that is /usr/local/tomcat (add -keystore <path> to be explicit)
# cd /usr/local/tomcat
# keytool -list -v -storepass changeit
2. delete the existing key (key alias: tomcat)
# cd /usr/local/tomcat
# keytool -delete -alias tomcat -storepass changeit
3. generate a self-signed key pair (run keytool -h for the full usage)
# keytool -genkey -alias tomcat -keysize 1024 -validity 3650 -keypass changeit -storepass changeit
note: a 1024-bit key is weak by today's standards, and without -keyalg older JDKs default to DSA; for anything beyond a lab box use -keyalg RSA -keysize 2048 (or larger)
What is your first and last name?
[Unknown]: rmohan
What is the name of your organizational unit?
[Unknown]: IS
What is the name of your organization?
[Unknown]: rmohan
What is the name of your City or Locality?
[Unknown]: Singapore
What is the name of your State or Province?
[Unknown]: Singapore
What is the two-letter country code for this unit?
[Unknown]: SG
Is CN=rmohan, OU=IS, O=rmohan, L=Singapore, ST=Singapore, C=SG correct?
[no]: yes
The key above is self-signed, so nothing trusts it yet. Importing its certificate into the JDK's cacerts file makes Java clients running on that JDK (another Tomcat, a Java LDAP client, and so on) accept it without a certificate error. Browsers and other non-Java clients keep their own trust stores and will still warn until the certificate is added there too, or until a CA-issued certificate is used.
4. list the existing CA certificates in /usr/local/jdk/jre/lib/security/cacerts (this is the JDK 8 layout; from JDK 9 on the file lives in $JAVA_HOME/lib/security/cacerts). The default cacerts password is changeit
# cd /usr/local/jdk/jre/lib/security
# keytool -list -v -keystore cacerts
5. to add the self-signed certificate to cacerts, export it from the .keystore file first. The alias is tomcat, as generated in step 3; -keypass is not needed, because only the certificate leaves the keystore, never the private key
# keytool -export -alias tomcat -storepass changeit -file /tmp/rmohan.der
6. then import to cacerts file under /usr/local/jdk/jre/lib/security/cacerts
# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias rmohan -trustcacerts -keystore cacerts -file /tmp/rmohan.der -storepass changeit
note: keytool prints the certificate and asks "Trust this certificate?"; compare the fingerprint with the one shown by keytool -list -v on the Tomcat side before answering yes. The certificate is stored as a trusted entry under the alias rmohan
you can add more certificates the same way, but each one needs a different alias name
note: a JDK upgrade replaces cacerts, so keep the exported certificates (or a separate truststore passed to the JVM with -Djavax.net.ssl.trustStore) and re-import after upgrading
7. you can delete an existing cacerts entry:
# cd /usr/local/jdk/jre/lib/security
# keytool -delete -keystore cacerts -alias rmohan
8. import an OpenSSL-generated, self-signed PEM-format certificate from the OpenLDAP server into the cacerts file on the Tomcat server (for the LDAPS connection from the Tomcat server to the OpenLDAP server). keytool reads PEM directly, so no DER conversion is needed; use a different alias if the entry from step 6 is still present
# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias rmohan -trustcacerts -keystore cacerts -file /tmp/rmohan.pem -storepass changeit
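The steps above as one script, added here as an example; it is not part of the original page. It assumes keytool is on PATH, the password changeit and the DN from step 3, and an assumed host name rmohan.example that goes into a SubjectAltName (Java clients match the host name against the SAN, not the CN). It generates a 2048-bit RSA key instead of the 1024-bit default, exports only the certificate, checks that no private key left the keystore, and imports it into a private truststore rather than the JDK's own cacerts; the same -importcert line with -keystore .../cacerts edits the real file.

```shell
#!/bin/sh
# Added example (not from the original page): steps 3, 5, 6, 7 and 8 as a script,
# run against a private trust store instead of the JDK's own cacerts.
# Assumptions: keytool on PATH, password "changeit", DN from step 3,
# host name "rmohan.example".
set -eu

WORK=$(mktemp -d)
KEYSTORE="$WORK/tomcat.keystore"   # server key store, the page's .keystore
TRUSTSTORE="$WORK/truststore"      # client trust store, stands in for cacerts
CERT="$WORK/rmohan.pem"            # exported certificate (public part only)
STOREPASS=changeit                 # assumption: same password as the page
KEY_ALIAS=tomcat                   # the page's key alias
TRUST_ALIAS=rmohan                 # the page's cacerts alias
DNAME="CN=rmohan, OU=IS, O=rmohan, L=Singapore, ST=Singapore, C=SG"

# Step 3: generate the server key pair. RSA 2048 replaces the page's 1024-bit
# key, and a SubjectAltName is added because Java's HTTPS hostname
# verification matches the SAN, not the CN.
gen_server_key() {
  keytool -genkeypair -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -keypass "$STOREPASS" -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
    -validity 3650 -dname "$DNAME" -ext "SAN=dns:rmohan.example"
}

# Step 5: export the certificate in PEM form (-rfc). Only the public
# certificate leaves the key store; the private key stays behind.
export_cert() {
  keytool -exportcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$KEY_ALIAS" -rfc -file "$CERT"
}

# Sanity check before handing the file to clients: a certificate, and no key.
cert_is_public_only() {
  grep -q 'BEGIN CERTIFICATE' "$1" && ! grep -q 'PRIVATE KEY' "$1"
}

# Steps 6 and 8: import a PEM certificate as a trusted entry. -noprompt is for
# scripting only; interactively, compare the printed fingerprint before
# answering yes. With -keystore .../cacerts this edits the JDK's own store.
import_trusted() {
  keytool -importcert -noprompt -trustcacerts -keystore "$TRUSTSTORE" \
    -storepass "$STOREPASS" -alias "$TRUST_ALIAS" -file "$1"
}

# Is the alias present in the trust store? keytool exits non-zero if not.
cert_trusted() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$TRUST_ALIAS" >/dev/null 2>&1
}

# Step 7: remove the trusted entry again.
delete_trusted() {
  keytool -delete -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$TRUST_ALIAS"
}

# SHA-256 fingerprint of the exported certificate, for out-of-band comparison
# with what keytool -list -v shows on the client side.
cert_fingerprint() {
  keytool -printcert -file "$1" | sed -n 's/.*SHA256: //p'
}

run_demo() {
  gen_server_key
  export_cert
  cert_is_public_only "$CERT" || { echo "export leaked a private key" >&2; return 1; }
  import_trusted "$CERT"
  cert_trusted || { echo "import did not take" >&2; return 1; }
  echo "trusted $TRUST_ALIAS, SHA-256 $(cert_fingerprint "$CERT")"
  echo "point a Java client at it with: -Djavax.net.ssl.trustStore=$TRUSTSTORE"
}

if command -v keytool >/dev/null 2>&1; then
  run_demo
else
  echo "keytool not on PATH: install a JDK first" >&2
fi
```

A private truststore passed with -Djavax.net.ssl.trustStore (and -Djavax.net.ssl.trustStorePassword) survives JDK upgrades, which overwrite cacerts; the cost is that the JVM then trusts only what is in that file, so copy the JDK's cacerts to the new path first if public CAs must stay trusted.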
References:
1. convert PEM to DER format (keytool accepts PEM directly, as in step 8, so this is only needed for tools that require DER)
openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER