I finally managed to move our SSL certificates from Apache to Tomcat.
First I just tried to import the existing OpenSSL cert using keytool. I failed miserably, gave up and went down the reissue road. Which turned out to be really simple, even though it took Thawte two days and a live chat before I received the new cert. And then the live OpenSSL certificate stopped working! So all of a sudden I had to switch to the pure Tomcat solution a bit ahead of schedule... Luckily I've had that working for a while now, with functional and load tests already made.
- Create your Java keystore with a "tomcat" key entry.
  keytool -genkey -keyalg RSA -alias tomcat -keystore [keystorename]
- Generate a CSR and submit it to Thawte, using the reissue form.
  keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore [keystorename]
- Wait a couple of days, receive the new cert and save it into a file on your server.
- Import the cert into your Tomcat keystore (same alias, so it replaces the self-signed cert on the key entry).
  keytool -import -alias tomcat -trustcacerts -file mythawtecert.txt -keystore [keystorename]
- Configure server.xml (attribute names are case-sensitive; keystoreFile is relative to $CATALINA_BASE):
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/tomcat.keystore" keystorePass="xxxx" />
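The keytool steps above wrapped in shell functions, plus a check that the keystore ends up the way Tomcat needs it. This is an added example, not from the original post; it assumes a JDK keytool on PATH, the alias "tomcat", and adds an explicit 2048-bit key size that the post's command leaves at keytool's default.

```shell
#!/bin/sh
# Added example (not the original post's commands): the reissue procedure as
# functions, plus two checks on the resulting keystore. Assumes keytool on PATH.
set -eu

# Step 1: keystore holding the private key Tomcat will use (alias "tomcat").
make_keystore() {  # make_keystore <keystore> <storepass> <dname>
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcat \
    -keystore "$1" -storepass "$2" -keypass "$2" -dname "$3"
}

# Step 2: CSR to paste into the CA's reissue form.
make_csr() {  # make_csr <keystore> <storepass> <csrfile>
  keytool -certreq -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# Step 4: import the CA reply under the SAME alias, so it replaces the
# self-signed cert on the key entry instead of becoming a separate trusted cert.
# -trustcacerts lets keytool build the chain from the JDK's cacerts file.
import_reply() {  # import_reply <keystore> <storepass> <certfile>
  keytool -importcert -alias tomcat -trustcacerts -keystore "$1" \
    -storepass "$2" -file "$3" -noprompt
}

# Check 1: Tomcat needs a PrivateKeyEntry under the alias, not a trustedCertEntry.
entry_type() {  # entry_type <keystore> <storepass>
  keytool -list -v -keystore "$1" -storepass "$2" -alias tomcat \
    | sed -n 's/^Entry type: //p'
}

# Check 2: chain length 1 after import means the CA reply was never applied
# (typically because it was imported under a different alias).
chain_length() {  # chain_length <keystore> <storepass>
  keytool -list -v -keystore "$1" -storepass "$2" -alias tomcat \
    | sed -n 's/^Certificate chain length: //p'
}
```

After import_reply, chain_length should report 2 or more; if it still says 1, the key entry was not updated and Tomcat will keep serving the self-signed certificate.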
Basically, a reissue is almost the same as creating a new certificate, except for having to pay for it. For more details, check out Thawte's support page.