
I have a Java web project and I have used a few certificates to contact a URL. Now I have deployed the project as a WAR file on a Unix server and my project has a certificate issue.

I have the certificates in my local store and I need to put them on the Unix server and add them to the keytool in Tomcat. How do I do that?

Can I get an example of how to do that with keytool?

user3622196
    This question appears to be off-topic because it is not about programming. See [What topics can I ask about here](https://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Server Fault](http://serverfault.com/) or [Webmaster Stack Exchange](http://webmasters.stackexchange.com/) would be a better place to ask. – jww Jul 01 '14 at 04:24
  • Many of them have asked questions about SSL certificates here. I don't think that is a problem. These are questions related to programming, as I have mentioned deploying a WAR file on a server. If you know the answer you can help me. – user3622196 Jul 01 '14 at 16:25
  • See the following on Meta: [Which types of “programming related” questions are appropriate?](http://meta.stackexchange.com/questions/12373/which-types-of-programming-related-questions-are-appropriate) and [What does “not-programming-related” unequivocally mean?](http://meta.stackexchange.com/questions/40020/what-does-not-programming-related-unequivocally-mean). – jww Jul 05 '14 at 05:37
  • @jww, I know many SSL-related questions are not necessarily on-topic, but I tend to be quite tolerant on that aspect. Many people who ask such questions simply have no idea whether the problem is a configuration issue or a programming issue. I'm quite happy to leave these questions open, since often both can apply. The scope of SF is very different, and most of these questions will definitely be off-topic there. Most SSL problems don't seem to fit clearly into sysadmin or programming. Knowing how to do the admin aspect is often very relevant to the programming aspects of an application using SSL. – Bruno Jul 05 '14 at 14:34

2 Answers

There are at least 3 ways of handling this problem:

  • You can import the certificate into the JRE's default truststore (often in $JAVA_HOME/lib/security/cacerts). This will affect all the applications using that JRE (unless they override the default settings). You'll need to have write permissions on that cacerts file to do this too.

  • You can import the certificate into a local keystore that you will configure to be Tomcat's default truststore. Typically, you could make a copy of the default cacerts file and import your certificate into this copy, or you can create a new keystore and import only the certificates you know you need (keytool -import -keystore ... will create the keystore file if it doesn't exist). This can be done in Tomcat by setting an additional system property in catalina.sh (or .bat): in JAVA_OPTS, you can add -Djavax.net.ssl.trustStore=/path/to/local/truststore.jks for example (and other related properties).

  • You can make that certificate be used only by certain connections in your application (or set the default SSLContext programmatically). For this, you'll need to alter your application so that it loads the keystore and uses it to initialise a TrustManagerFactory, which is then passed into an SSLContext. Then, how that SSLContext can be used depends on the client library you're using. There is an example in this answer.

Either way, you can import your cert (be it a CA cert or a specific server cert) into the truststore of your choice using:

keytool -import -file cert.pem -alias "some name" -keystore truststore.jks

(If using the programming route, you can also create your keystore in memory and load the certificate file dynamically, as shown in this answer. Using keystores might be easier, it's up to you to assess the pros and cons of the deployment you want to use.)

Bruno

I got the answer for this. We need to find which Java Tomcat is using and we need to add the certificate with keytool to that particular one.

This is where Tomcat has its cacerts, i.e. the Java which is used by Tomcat:

/etc/pki/java/cacerts

Keytool command:

keytool -import -alias ttg-lys-cm1 -file /var/lib/certificates/ttg-lys-cm1.cer -keystore "/etc/pki/java/cacerts"

Once you do this, restart Tomcat and it works fine.

Thanks pradeepa

user3622196
    It's OK to accept your own answer. See [How does accepting an answer work?](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) on Meta. – jww Jul 05 '14 at 05:39
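The keytool workflow that both answers above describe (Bruno's first two options and the cacerts import in the accepted answer), scripted as an added example; this is not code from either poster. It assumes keytool is on PATH, that the truststore password is the Java default "changeit", and it uses a constructed self-signed certificate and hypothetical paths such as /opt/tomcat/conf/truststore.jks rather than anything from the original question:

```shell
#!/bin/sh
# Added example, not code from either answer: locate the cacerts of the JRE Tomcat
# runs, show a certificate's fingerprint so it can be checked before it is trusted,
# import it into a truststore, and emit the JAVA_OPTS fragment Tomcat needs.
# All paths, aliases and the "changeit" password are assumptions for illustration.

# Locate the cacerts file of the JRE Tomcat uses: JRE_HOME, then JAVA_HOME, then the
# `java` on PATH (symlinks resolved, so /usr/bin/java -> /etc/alternatives/java works).
find_cacerts() {
  for home in "${JRE_HOME:-}" "${JAVA_HOME:-}"; do
    [ -n "$home" ] && [ -f "$home/lib/security/cacerts" ] &&
      { printf '%s\n' "$home/lib/security/cacerts"; return 0; }
  done
  javabin=$(command -v java 2>/dev/null) || return 1
  javabin=$(readlink -f "$javabin" 2>/dev/null || printf '%s' "$javabin")
  home=$(dirname "$(dirname "$javabin")")
  for c in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
    [ -f "$c" ] && { printf '%s\n' "$c"; return 0; }
  done
  return 1
}

# Print the certificate's subject and fingerprints. Compare the SHA-256 value with
# what the server's owner gave you before importing: -noprompt below skips keytool's
# interactive "Trust this certificate?" check.
show_fingerprint() {
  keytool -printcert -file "$1"
}

# Import one certificate under an alias. keytool creates the keystore if it does not
# exist, so this works for a copy of cacerts and for a brand-new minimal truststore.
import_cert() {
  keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# True when the alias is in the store (keytool -list exits non-zero if it is absent).
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# The system properties to put in JAVA_OPTS (e.g. in $CATALINA_HOME/bin/setenv.sh,
# which catalina.sh sources) so Tomcat uses this truststore instead of the JRE's.
java_opts_for() {
  printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# End-to-end run on a constructed self-signed certificate standing in for the remote
# server; builds a fresh truststore in a temp dir and returns non-zero on any failure.
demo() {
  workdir=$(mktemp -d) || return 1
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1 -dname "CN=example.internal" \
    -alias demo -keystore "$workdir/server.jks" -storepass changeit -keypass changeit \
    >/dev/null 2>&1 || return 1
  keytool -exportcert -rfc -alias demo -keystore "$workdir/server.jks" -storepass changeit \
    -file "$workdir/server.pem" >/dev/null 2>&1 || return 1
  show_fingerprint "$workdir/server.pem"
  import_cert "$workdir/truststore.jks" changeit example-internal "$workdir/server.pem" \
    >/dev/null 2>&1 || return 1
  has_alias "$workdir/truststore.jks" changeit example-internal || return 1
  printf 'JAVA_OPTS="$JAVA_OPTS %s"\n' "$(java_opts_for "$workdir/truststore.jks" changeit)"
  rm -rf "$workdir"
}
```

To follow Bruno's second option on a real server, copy the JRE's store first (`cp "$(find_cacerts)" /opt/tomcat/conf/truststore.jks`) and call `import_cert` on the copy, so public CAs keep working; calling `import_cert` on the path `find_cacerts` returns is the accepted answer's approach, which changes trust for every application on that JRE and is lost on the next JRE update. `-importcert` is the current spelling of the `-import` used in both answers; older keytool versions accept either.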