Creation of Keystore and CSR file
Follow the steps below to create the keystore:
Create a new folder on the D drive.
Example: D:/SSLCertificate
Go to the command prompt.
Go to the D drive by entering d: and pressing ENTER.
Go to Program Files -> Java -> JDK version -> bin
Example: D:\Program Files\Java\jdk1.7.0_67\bin
Enter the command below at the command prompt to generate the keystore.
Command for creation of Keystore:
Example for creation of keystore:
After entering the above command, it will ask for a password.
Enter the password as “changeit” [all lowercase characters], or get the password from the keystore password attribute (keystorePass) in “D:\TrackWiseWeb\apache-tomcat\conf\server.xml”.
The mandatory information below needs to be filled in after entering the password:
Common Name = <<Certificate URL>>
Organizational Unit = <<Organization unit>>
Organization = <<Organization name>>
Locality = <<Location where the server is located>>
State = <<State of the location>>
Country = <<2 digit country code>>
Important Note: Common name, location, State & country will change as per certificate location. Organizational unit and Organization information will not change.
Once the above information is provided, it will show information like
Enter YES to confirm the information. This will create the keystore.
Below are the steps for creation of the CSR:
In the same command window, enter the command below to create the CSR file.
Command for creation of CSR:
keytool -certreq -keyalg RSA -alias tomcat -file "<<Full Path for CSR file generation>>" -keystore "<<Full Path of Keystore file>>"
Example for creation of CSR:
Once the CSR command is entered at the command prompt, it will ask for the password. Enter the password as “changeit” [all lowercase characters].
IMP Note: The keystore file is needed for the deployment activity; please keep the file in a safe location.
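The password used in the steps above is the JDK and Tomcat default, and server.xml holds it in clear text. The following added example (not part of the original page) parses a server.xml and reports which TLS connectors still rely on "changeit"; the sample XML, its second keystore path and password, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_PASS = "changeit"  # JDK/Tomcat default and the value used on this page

# Constructed sample server.xml; paths and the second password are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="D:/SSLCertificate/tomcat.keystore"
               keystorePass="changeit" keyAlias="tomcat"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/other.keystore"
                     certificateKeystorePassword="constructed-long-passphrase"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

def audit_keystore_passwords(server_xml_text):
    """Return one finding per keystore referenced by a TLS connector."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        certs = list(conn.iter("Certificate"))
        if certs:
            # Newer layout: <SSLHostConfig><Certificate .../></SSLHostConfig>
            stores = [(c.get("certificateKeystoreFile"), c.get("certificateKeystorePassword"))
                      for c in certs if c.get("certificateKeystoreFile")]
        elif conn.get("SSLEnabled", "").lower() == "true":
            # Older layout: keystore attributes directly on the Connector
            stores = [(conn.get("keystoreFile"), conn.get("keystorePass"))]
        else:
            continue  # plain HTTP/AJP connector, nothing to check
        for path, password in stores:
            # Tomcat falls back to "changeit" when no password is configured
            effective = DEFAULT_PASS if password is None else password
            findings.append({"port": conn.get("port"), "keystore": path,
                             "default_password": effective == DEFAULT_PASS})
    return findings

if __name__ == "__main__":
    for f in audit_keystore_passwords(SAMPLE_SERVER_XML):
        flag = "DEFAULT PASSWORD" if f["default_password"] else "ok"
        print(f"port {f['port']}: {f['keystore']} -> {flag}")
```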
Go to the command prompt.
Go to the D drive by entering d: and pressing ENTER.
Go to Program Files -> Java -> JDK version -> bin
Download the latest Primary.cer and Secondary.cer files from the http://www.verisign.com/support/roots.html site. Keep the primary and secondary files in the same folder where the keystore was generated.
Import the primary, secondary and new certificates into the keystore.
Command to import files as:
keytool -import -alias root -keystore "D:/SSLCertificateRenew/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenew/primary.cer"
keytool -import -alias root -keystore "D:/SSLCertificateRenewal/Latest/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenewal/Latest/primary.cer"
keytool -import -alias intermediate -keystore "D:/SSLCertificateRenew/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenew/secondary.cer"
keytool -import -alias intermediate -keystore "D:/SSLCertificateRenewal/Latest/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenewal/Latest/secondary.cer"
keytool -import -alias tomcat -keystore "D:/SSLCertificateRenew/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenew/cert.p7b"
keytool -import -alias tomcat -keystore "D:/SSLCertificateRenewal/Latest/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenewal/Latest/cert.p7b"
How to move an SSL certificate from Tomcat to Apache
Resolution
Note: Keytool and OpenSSL are third party tools which are not supported by Symantec
1.1: Use keytool to convert the keystore to a p12 file
1. Run the following keytool command to create a p12 file:
keytool -importkeystore -srckeystore [originalkeystore] -destkeystore [new_keystore_mystore.p12] -deststoretype PKCS12 -srcstorepass [keystore_password] -deststorepass [new_password] -srcalias [original_alias] -destalias [new_alias] -srckeypass [original_alias_password] -destkeypass [new_password] -noprompt
1.2. The output file is [new_keystore_mystore.p12]
1.3. Use Openssl to extract the private key:
openssl.exe pkcs12 -in new_keystore_mystore.p12 -nocerts -out privatekey.pem
1.4. Use Openssl to extract the certificate:
openssl.exe pkcs12 -in new_keystore_mystore.p12 -clcerts -nokeys -out publicCert.pem
Save the two files (privatekey.pem and publicCert.pem) to the Apache server
Step 2): Import files into the Apache server:
2.2. Using a plain text editor, save the Intermediate CA certificate as intermediate.crt, to the appropriate folder.
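A check for the two files exported in steps 1.3 and 1.4, as an added example that is not part of the original page: it confirms that publicCert.pem holds only certificates and that privatekey.pem holds a key, which catches an export run with the wrong -nocerts / -nokeys option. The sample texts are constructed to look like openssl pkcs12 output, and the function names are hypothetical.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed samples shaped like "openssl pkcs12" output; bodies are dummy data.
SAMPLE_CERT = """Bag Attributes
    friendlyName: tomcat
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """Bag Attributes
    friendlyName: tomcat
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

def classify_pem(text):
    """Return the kind of every PEM block in text, ignoring bag attribute lines."""
    kinds = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            kinds.append("certificate")
        elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            kinds.append("encrypted-key")
        elif label.endswith("PRIVATE KEY"):
            kinds.append("plaintext-key")
    return kinds

def check_export(cert_text, key_text):
    """List problems with a publicCert.pem / privatekey.pem pair."""
    cert_kinds, key_kinds = classify_pem(cert_text), classify_pem(key_text)
    problems = []
    if any(k.endswith("-key") for k in cert_kinds):
        problems.append("certificate file contains a private key")
    if "certificate" not in cert_kinds:
        problems.append("certificate file contains no certificate")
    if not any(k.endswith("-key") for k in key_kinds):
        problems.append("key file contains no private key")
    if "plaintext-key" in key_kinds:
        problems.append("private key is unencrypted; restrict file permissions")
    return problems

if __name__ == "__main__":
    print(check_export(SAMPLE_CERT, SAMPLE_KEY))  # correct pair
    print(check_export(SAMPLE_KEY, SAMPLE_KEY))   # key exported into the cert file
```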
keytool -import -alias root -keystore "D:/UpgradeRepos/_STAGING/Production_SSL/tomcat.keystore" -trustcacerts -file "D:/UpgradeRepos/_STAGING/Production_SSL/secondary.cer"
keytool -import -alias intermediate -keystore "D:/UpgradeRepos/_STAGING/Production_SSL/tomcat.keystore" -trustcacerts -file "D:/UpgradeRepos/_STAGING/Production_SSL/secondary.cer"
keytool -import -alias tomcat -keystore "D:/UpgradeRepos/_STAGING/Production_SSL/tomcat.keystore" -trustcacerts -file "D:/UpgradeRepos/_STAGING/Production_SSL/pww.trackwise-intf.amec.dharmaraj.com.cer"
keytool -import -alias tomcat -keystore "D:\UpgradeRepos\_STAGING\Production_SSL\tomcat.keystore" -trustcacerts -file "D:\UpgradeRepos\_STAGING\Production_SSL\cert.p7b"
keytool -list -v -keystore "D:/SSL_PK7/SSLCertificate/tomcat.keystore"
keytool -importkeystore -srckeystore "D:/SSL_PK7/SSLCertificate/tomcat.keystore" -destkeystore "D:/SSL_PK7/SSLCertificate/tomcat.keystoreNew.p12" -deststoretype PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -srcalias "tomcat" -destalias "tomcat" -srckeypass "changeit" -destkeypass "changeit" -noprompt
3. Use Openssl to extract the private key:
openssl.exe pkcs12 -in new_keystore_mystore.p12 -nocerts -out privatekey.pem
openssl.exe pkcs12 -in "D:/SSL_PK7/SSLCertificate/tomcat.keystoreNew.p12" -nocerts -out "D:/SSL_PK7/SSLCertificate/privatekey.pem"
openssl.exe pkcs12 -in "D:/SSL_PK7/SSLCertificate/tomcat.keystoreNew.p12" -clcerts -nokeys -out "D:/SSL_PK7/SSLCertificate/publicCert.pem"