Completely new to installing a certificate

Hello,

I’ve just registered here and I’m completely new to configuring a server to use an SSL certificate. Previously I used shared hosting for which a free SSL certificate was provided. Recently I switched to VPS hosting as I wish to use one or more servers of my choice so as to be able to run applications that may not be supported with shared hosting.

I’m using a Linux CentOS 7 x64 system and installed the EE version of Tomcat. I configured the server without a certificate to use the “https” protocol, and additionally configured it so that if “http” is entered the protocol switches to “https”, and the URL is https://cs-cubed.com. However, browsers warn and block the website for security reasons without having to force access to it. Obviously this has to be fixed.

In following some instructions online I created the folder ssl in Tomcat’s home directory and created the file cs-cubed.jks, then I edited the server.xml file in the conf directory with the code:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
   maxThreads="150" SSLEnabled="true" keystoreFile="/home/tomee/ssl/cs-cubed.jks" keystorePass=[password]>
<!--<SSLHostConfig>
  <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
    type="RSA" xpoweredBy="false" server="Apache TomEE" />
  </SSLHostConfig>-->
</Connector>

and keeping the old code by commenting it out.

There appear to be various options of installing a certificate, but some of these may change the configuration that is already set up, which I do not want.

My question is, how do I set up a (free) certificate on the server with making as few changes as possible?

A reply would be most appreciated - many thanks in advance.


Hi @csharp,

Did you intentionally post your question in the Portuguese-language help category, or was that an accident? It seems like you write English at a native level.

The JKS format is pretty specific to Tomcat and related tooling and can be an inconvenient point between a lot of Let's Encrypt tools and Tomcat. Do you know if your web server would support PEM format instead? I remember researching this and finding that it depends on the version of Tomcat and how it was compiled (which cryptographic library it uses, or something along those lines).

You can create JKS files with a script using an openssl command line, which is normally going to be necessary if you need to plug them into a Tomcat configuration that references a JKS file. If you're using Certbot to manage your Let's Encrypt certificates, this would be a --deploy-hook option, which is run automatically whenever Certbot issues a new certificate, including a replacement ("renewal") version of an expiring certificate.

Another option that's been useful to some Tomcat users is to put a reverse proxy in front of Tomcat, typically nginx or recently often Caddy. The reverse proxy is configured with the certificate and listens on port 443, then forwards all connections to HTTP on localhost port 80. This can be easy because then you can use the existing Let's Encrypt integrations for the proxy tool, and handle all of the HTTPS stuff there, without making any other changes to Tomcat. (With Caddy, it would automatically get the certificates for you inside of Caddy itself, and the reverse proxy rule declaration can be just a tiny few-line configuration.)

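The PEM-to-JKS conversion mentioned in the reply above, written as a Certbot deploy hook. This is an added example, not part of the original posts and not Certbot's own code. The function name pem_to_jks, the key alias tomcat and the KEYSTORE_PASS environment variable are assumptions; the keystore path is the one from the Connector in the first post.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds the JKS keystore Tomcat reads.
# Assumptions (not from the thread): key alias "tomcat" and a KEYSTORE_PASS
# environment variable holding the keystore password (6+ characters).

JKS_PATH="${JKS_PATH:-/home/tomee/ssl/cs-cubed.jks}"  # keystoreFile from the first post
KEY_ALIAS="${KEY_ALIAS:-tomcat}"

# pem_to_jks LINEAGE_DIR JKS_FILE
# Returns 0 on success, 2 if PEM input is missing, 3 if no password is set,
# 4 if a conversion step failed (the existing keystore is then left untouched).
pem_to_jks() {
    lineage=$1
    dest=$2
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 2
    [ -n "${KEYSTORE_PASS:-}" ] || return 3
    export KEYSTORE_PASS             # handed over via the environment, not argv
    old_umask=$(umask)
    umask 077                        # key material readable by its owner only
    p12="$dest.p12.tmp"
    new="$dest.new"
    rm -f "$p12" "$new"
    rc=0
    # Step 1: bundle the certificate chain and private key into PKCS#12.
    openssl pkcs12 -export -in "$lineage/fullchain.pem" \
        -inkey "$lineage/privkey.pem" -name "$KEY_ALIAS" \
        -out "$p12" -passout env:KEYSTORE_PASS || rc=4
    # Step 2: import that bundle into a fresh JKS file.
    if [ "$rc" -eq 0 ]; then
        keytool -importkeystore -noprompt \
            -srckeystore "$p12" -srcstoretype PKCS12 \
            -srcstorepass:env KEYSTORE_PASS \
            -destkeystore "$new" -deststoretype JKS \
            -deststorepass:env KEYSTORE_PASS || rc=4
    fi
    # Step 3: replace the live keystore only when both steps succeeded.
    if [ "$rc" -eq 0 ]; then mv -f "$new" "$dest" || rc=4; fi
    rm -f "$p12" "$new"
    umask "$old_umask"
    return "$rc"
}

# Certbot sets RENEWED_LINEAGE (for example /etc/letsencrypt/live/cs-cubed.com)
# when it runs a deploy hook; without it this script only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem_to_jks "$RENEWED_LINEAGE" "$JKS_PATH" || exit $?
fi
```

Certbot normally runs hooks as root, so the replaced keystore ends up owned by root with owner-only permissions; adjust its ownership if Tomcat runs under another account. Tomcat has to be restarted before it serves the new certificate.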

Many thanks for your reply, and yes it was a mistake to post in the Portuguese language section. A related help topic was displayed in that section, but I didn’t know it was specifically the Portuguese section or in fact there was any section for any language, so I just posted there not knowing this. Yes, I am a native English speaker living in the USA.

Anyway, I uploaded an Apache Tomcat Plume 8.0.1 zip file to the VPS, then unzipped it and got it working straight away out of the box, but don’t know if it supports PEM. Then I configured it in the way stated in my first message, and used the command:

keytool -genkey -alias loclahost -keyalg RSA -keystore filename.jks

in the Linux shell to generate the jks file, and entered replies to the prompts I was given, such as my name. Is this different to the script with the openssl command? I’ve also never heard of a reverse proxy before.

My options seem either to start again from scratch, perhaps using openssl, or somehow complete the configuration with a certificate that I have done so far without a certificate.

Some ideas would be most appreciated. In the meantime I can do some background reading on some of the points you mentioned.


Did you already get a Let's Encrypt certificate using some Let's Encrypt client application?
