Importing an Existing SSL Certificate and Private Key to Tomcat

To import an existing SSL certificate and private key to Tomcat, do the following:

  1. Convert the certificate and private key to a PKCS12 file

    keytool cannot import a bare private key into a keystore; importing only the certificate would create a trustedCertEntry with no key, which Tomcat cannot serve. You must first bundle the certificate and private key into a PKCS12 (.p12) file and then import that file into your keystore. The value you give to -name becomes the alias of the key entry in the keystore. If the certificate was issued with intermediates, keep the CA bundle for step 2.

    Run the following command:

    openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]
  2. Import the certificate to your keystore

    1. Import the PKCS12 certificate by executing the following command:

      keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12 -srcstorepass [pkcs12-password]

      where [password] is the password of the new keystore and [pkcs12-password] is the export password you entered when creating the PKCS12 file (keytool prompts for it if -srcstorepass is omitted). Use the same value for both: keytool carries the PKCS12 password over as the private-key password, and Tomcat expects the keystore password and the key password to match. This is also the password you encrypt into HTTPS_KEYPASSWORD in step 3.

    2. Run one of the following commands:

      • If you have a CA bundle file, import it by running the following command:

        keytool -import -alias bundle -trustcacerts -file [ca_bundle] -keystore [filename-new-keystore.jks]
      • If you do not have a CA bundle file, import certificates by running the following command:

        keytool -import -alias [certificate-type] -trustcacerts -file [certificate-file] -keystore [filename-new-keystore.jks]

        where [certificate-type] is a label for the certificate, for example root or intermediate. Every alias in the keystore must be unique, so run the command once per certificate with a different alias each time.

  3. Configure PPM.

    1. In the server.conf file, add the following parameters:

      #turn on SSL login 
      com.kintana.core.server.ENABLE_SSL_LOGIN=true
      #if HTTP_PORT is 8080, HTTPS_PORT is normally 8443. If IIS on the same machine already listens on port 443, either stop IIS or choose free values for HTTP_PORT and HTTPS_PORT here
      com.kintana.core.server.HTTPS_PORT=8443
      #
      com.kintana.core.server.HTTPS_WEB_THREAD_MIN=5
      
      #
      com.kintana.core.server.HTTPS_WEB_THREAD_MAX=75
      #physical location on the PPM machine of the keystore file created in step 2
      com.kintana.core.server.HTTPS_KEYSTORE_LOCATION=C:/Java/keystore_ppm_dev
      #Encrypted key password. By default it is changeit; run kEncrypt.sh to encrypt it. The encrypted string is specific to each PPM instance, so generate your own rather than copying the value below.
      com.kintana.core.server.HTTPS_KEYPASSWORD=#!#7w:x?vv=MdXJ}2&bJbrykTMY3FI>R1{<+Kw^fjN=hjw8hz2HrTd_X8w+~|Tx19ZiO_oS }rpTHSX(B@)LM{A~c~M<N9GVw,2jLOf(e=WZNbLo)xarUny.mKp|p{ +1LySpZS flrG{v3&:?k8|<y.y0 b`Kp|G/`s^q.GR|4?s}&jD$rtamfkqZr?$UT-#!#
    2. Modify the following parameters:

      #if IIS on the same PPM machine must keep port 443, change HTTP_PORT to a value other than 8080 and update HTTPS_PORT to match
      com.kintana.core.server.HTTP_PORT=8080
      #the host name must match the name in the certificate (the CN or subject alternative name you specified in the certificate request); otherwise browsers reject the connection
      com.kintana.core.server.BASE_URL=http://itprojectsystem_dev.xyz.com:8080/
    3. Save the file.

    4. Stop PPM Server and run kUpdateHtml.

    5. Start PPM Server and test the login using the BASE_URL, for example http://itprojectsystem_dev.xyz.com:8080/.
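The keystore-building part of this procedure (steps 1 and 2), as an added shell example that is not part of the PPM documentation. It generates a throwaway self-signed certificate to stand in for your CA-issued pair (constructed test material), checks that the key and certificate actually belong together before converting, builds the PKCS12, and, where keytool is installed, imports it and confirms the alias holds a PrivateKeyEntry rather than a trustedCertEntry. The host name, file names, working directory and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not PPM's own code: cert + key -> PKCS12 -> JKS, with checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumption: scratch directory for the files
HOST="itprojectsystem_dev.xyz.com"    # assumption: becomes the -name alias in the keystore
STOREPASS="changeit"                  # assumption: keystore and key password (encrypt into HTTPS_KEYPASSWORD)

# Constructed test material: a self-signed cert standing in for your CA-issued pair.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# A mismatched key and certificate export into a PKCS12 without complaint, but
# Tomcat then fails every handshake. Compare the public keys before converting.
key_matches_cert() {  # $1 = certificate (PEM), $2 = private key (PEM)
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Step 1: bundle cert + key; -name sets the alias PPM/Tomcat will look up.
to_pkcs12() {  # $1 = cert, $2 = key, $3 = alias, $4 = output .p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" \
    -passout "pass:$STOREPASS" -out "$4"
}

# Confirm the PKCS12 opens with the password it will be imported with.
pkcs12_ok() {  # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$STOREPASS" -nodes -noout -info >/dev/null 2>&1
}

# Step 2: import into a JKS. Same password on both sides so the key password
# carried over from the PKCS12 equals the keystore password.
import_to_jks() {  # $1 = .p12 file, $2 = keystore path
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$STOREPASS" >/dev/null 2>&1
}

# The alias must be a PrivateKeyEntry; a trustedCertEntry means the key did not come across.
jks_has_private_key() {  # $1 = keystore path, $2 = alias
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null | grep -q PrivateKeyEntry
}

run_all() {
  make_test_material
  key_matches_cert "$WORK/server.crt" "$WORK/server.key" || { echo "key/cert mismatch" >&2; return 1; }
  to_pkcs12 "$WORK/server.crt" "$WORK/server.key" "$HOST" "$WORK/server.p12"
  pkcs12_ok "$WORK/server.p12" || { echo "PKCS12 unreadable with STOREPASS" >&2; return 1; }
  if command -v keytool >/dev/null 2>&1; then
    import_to_jks "$WORK/server.p12" "$WORK/keystore_ppm_dev"
    jks_has_private_key "$WORK/keystore_ppm_dev" "$HOST" || { echo "no PrivateKeyEntry for $HOST" >&2; return 1; }
    echo "keystore ready: $WORK/keystore_ppm_dev (alias $HOST)"
  else
    echo "keytool not found here; import $WORK/server.p12 on the PPM host"
  fi
}

run_all
```

If keytool rejects a PKCS12 produced by OpenSSL 3 (typically reported as an incorrect keystore password), the file uses the newer PBES2/AES encryption that older Java builds cannot read; re-run the export with openssl's -legacy option. After PPM is up, verify what is actually served, not just what is in the keystore: openssl s_client -connect itprojectsystem_dev.xyz.com:8443 -servername itprojectsystem_dev.xyz.com should show your certificate's subject and the intermediate(s) from the CA bundle.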