Importing a SSL Certificate from a Certificate Authority to Tomcat

To import a SSL certificate from a certificate authority to Tomcat for the PPM secure web logon feature, do the following:

  1. Create a local Certificate Signing Request (CSR).

    1. On the PPM Server machine, generate a private key with an alias name and a specified keystore file name locally.

      The private key is used to decrypt contents that are encrypted by public key sent by CA authority.

      The alias and specify keystore file name will be used for importing certificate later.

      keytool -genkey -alias <your_alias> -keyalg RSA -keystore <the path and your_keystore_filename, such as c:\myKeystore>

      Note: When prompted for first and last name, enter the domain of the PPM Server host machine which is used by the BASE_URL parameter in the server.conf file in order to create a working certificate.

    2. On the PPM Server machine, create a certificate signing request.

      keytool -certreq -keyalg RSA -alias <your_alias that is the same one used in step a> -file <the path and your CSR file name such as c:\certreq.csr> -keystore <full path and your_keystore_filename used in step a>

      The CSR file is used to send to CA authority to request certificate.

    3. Open your CSR file, copy and paste the contents (usually it starts with begin line and ends with end line), and then submit to CA.

      When CA receives the CSR file containing your public key, they will sign it with their private key and return the public key and certificate to you in a certificate file.

  2. Import the Certificate.

    1. Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.

      Note: Usually the chain certificate has root and intermediate levels. You always import root level first, then intermediate level. If the chain certificate file is not in DER format, then you must convert to DER format before you can import.

    2. Convert the root CA to DER format.

      1. Double click your chain certificate file stored on the PPM Server machine.

        The Certificate dialog opens.

      2. Click on the Certification Path tab.

      3. Highlight the root certificate (the certificate issued by the signing authority. Example: Entrust, Verisign.)

      4. Click View Certificate.

        A new Certificate dialog for the root certificate opens.

      5. Click the Details tab.

      6. Click Copy to File.

        The Export Certificate Wizard opens.

      7. Click Next.

      8. Select DER encoded binary for X.509 (.CER), and click Next.

      9. Create a new filename to store the newly formatted root certificate and store it on the PPM Server machine.

      10. Click Finish.

    3. Convert the intermediate CA to DER format.

      1. Double click your chain certificate file stored on the PPM Server machine.

        The Certificate dialog opens.

      2. Click on the Certification Path tab.

      3. Highlight the Intermediate certificate.

      4. Click View Certificate.

        A new Certificate dialog for the root certificate opens.

      5. Click the Details tab.

      6. Click Copy to File.

        The Export Certificate Wizard opens.

      7. Click Next.

      8. Select DER encoded binary for X.509 (.CER), and click Next.

      9. Create a new filename to store the newly formatted root certificate and store it on the PPM Server machine.

      10. Click Finish.

    4. Import root CA by running the following command:

      keytool -import -alias root -keystore <the path of your_keystore_filename that used in step a) -trustcacerts -file <path and filename_of_the_root_certificate file>

      Note: We recommend you use alias (such as root) here.

    5. Import the Intermediate CA.

      keytool -import -alias intermediate -keystore <the path of your_keystore_filename that used in step a) -trustcacerts -file <path and filename_of_the_intermediate_certificate file>
    6. Import the signed certificate.

      Note: If the signed certificate file is not in DER format, follow the steps in Importing a SSL Certificate from a Certificate Authority to Tomcat to convert the certificate file to DER format before import.

      keytool -import -alias <your_alias that is the same one used in step a> -keystore <full path and your_keystore_filename used in step a> -trustcacerts -file <path and your_certificate_filename>

      Now the pair of the private key and public key is ready for use in your keystore file permanently.

    7. To verify the signed certificate is imported correctly, run the following command:

      keytool -list -v -keystore <full path of your_keystore_filename>

      You should see three entries, root certificate, intermediate certificate as well as the private key, public key and signed certificate listed in the output.

  3. Configure PPM.

    1. In the server.conf file, add the following parameters:

      #turn on SSL login 
      com.kintana.core.server.ENABLE_SSL_LOGIN=true
      #if you use http_port 8080 then https_port will be set to 8443. Please verify if your IIS is using port 443, otherwise you have to choose either stop IIS or use a different http_port and https_port here
      com.kintana.core.server.HTTPS_PORT=8443
      #
      com.kintana.core.server.HTTPS_WEB_THREAD_MIN=5
      
      #
      com.kintana.core.server.HTTPS_WEB_THREAD_MAX=75
      #keystore file physical location on PPM machine created from step a
      com.kintana.core.server.HTTPS_KEYSTORE_LOCATION=C:/Java/keystore_ppm_dev
      #Encrypted keypassword. By default it is changeit, and you need to run kEncrypt.sh to encrypt this password. Each PPM instance has its own encryption content. 
      com.kintana.core.server.HTTPS_KEYPASSWORD=#!#7w:x?vv=MdXJ}2&bJbrykTMY3FI>R1{<+Kw^fjN=hjw8hz2HrTd_X8w+~|Tx19ZiO_oS }rpTHSX(B@)LM{A~c~M<N9GVw,2jLOf(e=WZNbLo)xarUny.mKp|p{ +1LySpZS flrG{v3&:?k8|<y.y0 b`Kp|G/`s^q.GR|4?s}&jD$rtamfkqZr?$UT-#!#
    2. Modify the following parameters:

      #if your IIS on the same PPM machine has to use port 443, then you must change PPM http_port to something else other than 8080 and also update https_port parameter
      com.kintana.core.server.HTTP_PORT=8080
      #the domain name must match the name from step a when you generate a private key
      com.kintana.core.server.BASE_URL=
      http://itprojectsystem_dev.xyz.com:8080/
    3. Save the file.

    4. Stop PPM Server and run kUpdateHtml.

    5. Start PPM Server and test the login using BASE_URL such as http://itprojectsystem_dev.xyz.com:8080/.