Securing Web Servers with SSL/TLS
Scenario: Setting up SSL/TLS on a Tomcat server.
Generate a Keystore:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore -dname "CN=www.example.com, OU=IT, O=Example Corp, L=City, ST=State, C=Country" -storepass changeit -keypass changeit
Generate a CSR:
keytool -certreq -alias tomcat -file tomcat.csr -keystore tomcat.keystore -storepass changeit
Submit CSR to CA: Submit tomcat.csr to a Certificate Authority (CA) to get a signed certificate.
Import the CA Certificate:
keytool -importcert -alias root -file rootCA.crt -keystore tomcat.keystore -storepass changeit
Import the Signed Certificate:
keytool -importcert -alias tomcat -file tomcat.crt -keystore tomcat.keystore -storepass changeit
Configure Tomcat: Update server.xml in Tomcat's conf directory:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/tomcat.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Authenticating Clients in a Secure Environment
Scenario: Using client certificates for authentication.
Generate Client Keystore:
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore client.keystore -dname "CN=Client Name, OU=IT, O=Example Corp, L=City, ST=State, C=Country" -storepass changeit -keypass changeit
Generate a CSR for Client:
keytool -certreq -alias client -file client.csr -keystore client.keystore -storepass changeit
Sign the CSR with Root CA: Use the CA's private key to sign the CSR and generate the client certificate.
Import CA Certificate into Client Keystore:
keytool -importcert -alias root -file rootCA.crt -keystore client.keystore -storepass changeit
Import Client Certificate into Client Keystore:
keytool -importcert -alias client -file client.crt -keystore client.keystore -storepass changeit
Client Uses Keystore for SSL/TLS Authentication: The client application can now use the client.keystore to authenticate to servers.
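The following Java program is an added example, not code from the page above, showing what "the client application can now use the client.keystore" looks like in practice. It assumes Java 11 or later, the client.keystore and rootCA.crt files produced by the steps above (password changeit as on this page), and a hypothetical server at https://www.example.com:8443/ matching the Tomcat connector. Before opening the connection it checks that the keystore entry carries a private key and a complete, verifiable chain ending at the CA in rootCA.crt; the same check applies to tomcat.keystore with alias tomcat from the server section, and it fails in exactly the situation where the CA certificate was not imported before the signed certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical mutual-TLS client built on the client.keystore and rootCA.crt from this page. */
public class MutualTlsClient {

    /** Loads a keystore written by keytool (PKCS12 or JKS; the default type on current JDKs reads both). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Parses a PEM or DER X.509 certificate such as rootCA.crt. */
    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Pre-flight check on a keystore entry before it is used for TLS: the alias must
     * hold a private key, its chain must end at the expected root, and every link must
     * verify. keytool only attaches the chain if the CA certificate was imported before
     * the signed certificate, so a missing chain usually means the import order was wrong.
     */
    static void verifyChain(KeyStore ks, String alias, char[] keyPassword, X509Certificate expectedRoot)
            throws Exception {
        if (!(ks.getKey(alias, keyPassword) instanceof PrivateKey)) {
            throw new IllegalStateException("alias '" + alias + "' holds no private key");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("alias '" + alias + "' has no CA chain; import the CA cert first");
        }
        for (int i = 0; i < chain.length - 1; i++) {
            ((X509Certificate) chain[i]).checkValidity();   // not expired, not yet valid
            chain[i].verify(chain[i + 1].getPublicKey());   // signed by the next certificate up
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        top.checkValidity();
        if (!top.equals(expectedRoot)) {
            throw new IllegalStateException("chain for '" + alias + "' does not end at the expected root CA");
        }
        top.verify(top.getPublicKey());  // the root is self-signed
    }

    /** Key managers present the client certificate; trust managers accept only the private CA. */
    static SSLContext buildContext(KeyStore identity, char[] keyPassword, X509Certificate root) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);

        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                  // empty in-memory trust store
        trust.setCertificateEntry("root", root); // only the CA from rootCA.crt is trusted
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // the page's sample password; read it from a secret store in practice
        KeyStore identity = loadKeyStore("client.keystore", pw);
        X509Certificate root = loadCertificate("rootCA.crt");

        verifyChain(identity, "client", pw, root); // the same check works for tomcat.keystore with alias "tomcat"

        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        params.setEndpointIdentificationAlgorithm("HTTPS"); // the server name must match its certificate

        HttpClient client = HttpClient.newBuilder()
                .sslContext(buildContext(identity, pw, root))
                .sslParameters(params)
                .build();
        // Hypothetical endpoint: the Tomcat connector on this page listens on 8443.
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://www.example.com:8443/")).GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode());
    }
}
```

Two points a practitioner should check against the page's own configuration: the Tomcat connector shown above has clientAuth="false", so the server will accept this connection without ever asking for the client certificate; requiring it takes clientAuth="true" together with a truststoreFile that holds rootCA.crt, and the certificate's CN then only ties the connection to a key, with the application still responsible for mapping that identity to authorization. The signing step the page leaves abstract ("use the CA's private key to sign the CSR") can be done with keytool's -gencert command when the CA key lives in a keystore, or with the CA's own tooling.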