This is to go through the process of making a website SSL compliant on Tomcat, which is just very VERY particular. On the server that needs the certificate, I suggest creating a directory on the root of the C drive as a temporary working area, something like c:\newkeys. In this example, I will be using the server cm-testserver.
You need to add the Java keytool to your environment path first. Go to Properties of My Computer, click the Advanced tab, then click Environment Variables. In the System Variables group, select Path and click Edit. Type the path to the JRE bin directory into the Variable Value text box; on cm-testserver this is
D:\Program Files\VMware\VMware View\Server\jre\bin
Note: use a semicolon to separate the path entries.
On the server in question (cm-testserver), open a cmd prompt and navigate to c:\newkeys. Type in
keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360 -keysize 2048
This tells keytool to generate a new key pair (-genkey) and put it in a keystore. A keystore is analogous to a safe: this safe is used to hold your certificates, and the key inside it uses the RSA algorithm (-keyalg "RSA"). The safe is to be called keys.p12 (-keystore) and is created in the PKCS12 format (-storetype pkcs12); the certificate it generates is valid for 360 days (-validity 360), and the key is 2048 bits long (-keysize 2048).
When keytool prompts you for the first and last name, type the FQDN (Fully Qualified Domain Name) of the server, so in this example it would be cm-testserver.<yourdomain>.co.uk. Enter all the rest of the information, remembering that the country code is GB for ISO compliance.
Now you need to type in the following to generate a certificate request. You then send the request out to your certificate authority, they send back a certificate, and you store it inside the keystore.
keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12 -storepass ATopSecretPassword
ATopSecretPassword stands for the keystore password you chose at the genkey prompt. If you leave -storepass off, keytool prompts for the password instead of leaving it in your command history.
At the time of writing, we are using Janet, which in turn uses Comodo to authorise certificates. Janet / Comodo only send back *.cer certificates, and not PKCS7 standard certificates. The ZIP file that contains all of the certificates needs to be extracted to a new empty temporary directory. Highlight one of the extracted certificates, right mouse click, and select Open on the menu.
A new window pops open. Click the Details tab at the top, and then click the Copy To File button on the lower right. Click Next on the wizard. We are now exporting your new certificate out into PKCS#7 format. Select the third option down, "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)", and ENSURE that the tick box "Include all certificates in the certification path if possible" IS ticked. Unlike in other configurations where you might install the root certificates one by one, here you bundle them all together.
Export it out to a file name of your choice, but I called mine testserver.p7b; remember where you save it.
Now go back to the server where you were creating the keystore and copy the file that you've created with the merged certificates into your c:\newkeys.
Go back to your DOS prompt, making sure that you are at the path c:\newkeys, and type in the following command
keytool -import -keystore keys.p12 -storetype pkcs12 -storepass ATopSecretPassword -keyalg "RSA" -trustcacerts -file testserver.p7b
With the above command, you are telling keytool to import into your keys.p12 file (the keystore) the merged certificates that are held in your testserver.p7b file.
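Before going anywhere near Tomcat, it is worth checking that the import actually put the whole chain into keys.p12: run keytool -list -v -keystore keys.p12 -storetype pkcs12 and read the entry (the alias mykey is what keytool uses when no -alias is given). The script below is an added example, not part of the original write-up: it parses a constructed sample of that keytool output and flags the two things that usually go wrong, the leaf CN not matching the server FQDN, and a self-signed or one-certificate chain, which means the CA reply or its intermediates never went in. The FQDN cm-testserver.example.co.uk and the CA names in the sample are made up.

```python
import re

# Constructed sample of "keytool -list -v -keystore keys.p12 -storetype pkcs12" output
# taken after the P7B import (real output also lists serial numbers and fingerprints).
SAMPLE_KEYTOOL_OUTPUT = """\
Your keystore contains 1 entry

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=cm-testserver.example.co.uk, OU=IT Services, O=Example University, C=GB
Issuer: CN=Example Intermediate CA, O=Example CA Ltd, C=GB
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA Ltd, C=GB
Issuer: CN=Example Root CA, O=Example CA Ltd, C=GB
"""

FIELDS = {"alias": r"^Alias name: (.+)$", "type": r"^Entry type: (\S+)",
          "chain_length": r"^Certificate chain length: (\d+)",
          "owner": r"^Owner: (.+)$", "issuer": r"^Issuer: (.+)$"}

def parse_keytool_list(text):
    """One dict per keystore entry; Owner and Issuer are read from the first
    Certificate[] block, which keytool prints for the leaf certificate."""
    entries = []
    for block in re.split(r"\n(?=Alias name: )", text):
        if block.startswith("Alias name: "):
            e = {k: (m.group(1).strip() if (m := re.search(p, block, re.M)) else "")
                 for k, p in FIELDS.items()}
            e["chain_length"] = int(e["chain_length"] or 0)
            entries.append(e)
    return entries

def check_server_keystore(text, fqdn):
    """Return (ok, problems) for the PrivateKeyEntry that is meant to serve `fqdn`."""
    keyed = [e for e in parse_keytool_list(text) if e["type"] == "PrivateKeyEntry"]
    if not keyed:
        return False, ["no PrivateKeyEntry: -genkey was never run against this keystore"]
    e, problems = keyed[0], []
    cn = re.search(r"CN=([^,]+)", e["owner"])
    if not cn or cn.group(1).strip().lower() != fqdn.lower():
        problems.append("leaf CN does not match the server FQDN " + fqdn)
    if e["owner"] == e["issuer"]:
        problems.append("leaf is still self-signed: the CA reply was never imported")
    elif e["chain_length"] < 2:
        problems.append("chain length 1: intermediates were left out of the P7B export")
    return not problems, problems
```

On a real server, pipe the keytool output into a file and pass its contents to check_server_keystore with your own FQDN.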
Yay! You now have a certificated keystore file! Now we have to make your Tomcat environment work with it.
You need to copy that keys.p12 file to d:\program files\vmware\vmware view\server\sslgateway\conf\
Within that same directory, you need to edit a file called locked.properties. If the file does not exist, you need to create it. In that file, you need two lines:
keyfile=keys.p12
keypass=ATopSecretPassword
The password is the same one that you typed in earlier (remember?!!). Note that this file holds the keystore password in clear text, so keep its permissions restricted to administrators and the account the service runs under.
Then restart the View Connection Server service. Job done!