Due to all of the positive feedback on the original article, I decided to do a brief update to nail down and simplify the process.
- Create a Key and Certificate Request
- Have the Certificate issued by your favorite Certificate Authority (CA)
- Merge the Certificate into a Tomcat File
Create a Key and Certificate Request
On your favorite Linux or Windows box, make sure you have OpenSSL.
I am making a directory called /home/keystore. Seems fitting.
First we need a private key. This is yours and yours alone: it never leaves this box, and the CA never sees it. Run the following:
openssl genrsa -out /home/keystore/private.key 2048
So the private key is critical. Whoever holds it can impersonate your site for as long as the certificate is valid, and if you lose it the certificate is useless, because the CA cannot regenerate the key for you. Make the file readable only by the account that will run Tomcat, keep a backup somewhere safe, and never paste it into a support ticket.
Next, we need to generate the Certificate Signing Request (CSR) to send to GoDaddy, InstantSSL, etc.
(If you like this article, you can get an SSL through our GoDaddy Account – I think we make $1)
Now, the command:
openssl req -new -sha256 -key /home/keystore/private.key -out /home/keystore/mydomain.csr
You will be prompted for the details below. For a wildcard certificate, use *.mydomain.com as the Common Name; for a single host, use its hostname, e.g. www.mydomain.com. Note that a wildcard matches exactly one label: *.mydomain.com covers shop.mydomain.com but not mydomain.com itself or a.b.mydomain.com. Most CAs add the bare domain as a Subject Alternative Name on a wildcard order (and www on a bare-domain order), but confirm that with your provider rather than assume it; browsers only look at the Subject Alternative Names, not the Common Name.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Tyler
Organization Name (eg, company) [Default Company Ltd]:My Domain Inc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:*.mydomain.com
Email Address []:firstname.lastname@example.org
Press Enter on the extra fields (the challenge password and optional company name); no password is needed.
Once finished, submit the CSR to your provider. The CSR contains only your public key and the identity details above, so it is safe to send. You then wait while the CA validates the order, usually by email to an address at the domain or a DNS or HTTP check, and you will get your certificate. You may have to check email to approve it.
Now the Easy Part!
Merge the Certificate into a Tomcat File
If you are a GoDaddy customer, you will get two files. Other providers might send you on a wild goose chase for the bundle file; it is variously called the intermediate, chain or CA bundle certificate.
6e00664a60ac4578.crt - This is the actual certificate (yours will have a different file name)
gd_bundle-g2-g1.crt - This is your bundle file with all the certificate chain data from GoDaddy
For simplicity and understanding, let’s rename the file:
mv 6e00664a60ac4578.crt mydomain.crt
Now, let's make the Tomcat keystore container. A PKCS12 file holds the private key, the certificate and the chain together, so Tomcat can read it directly with no keytool import step:
openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in mydomain.crt -inkey private.key -out keystore.tomcat -name tomcat -passout pass:changeit
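To show the whole procedure end to end, here is an added example, not part of the original article, that runs the three steps above offline. Because there is no real CA to send the CSR to, it builds a throwaway root and intermediate (constructed, standing in for GoDaddy and gd_bundle-g2-g1.crt), signs the CSR with them, builds the PKCS12 keystore with the same pkcs12 command as above, and then runs the checks you want before touching server.xml: the chain verifies, the private key matches the certificate, the SAN lists the names you asked for, and the keystore actually contains the chain. The scratch directory, the mydomain.com names and the STOREPASS variable are assumptions for the example; it needs OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): key -> CSR -> certificate -> PKCS12 -> checks,
# run offline against a constructed two-tier test CA that stands in for GoDaddy.
# Assumptions: OpenSSL 1.1.1+ on PATH, scratch dir in $WORK, example domain mydomain.com.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-mydomain.com}"
STOREPASS="${STOREPASS:-$(openssl rand -hex 16)}"   # never ship the default 'changeit'

# Step 1: private key and CSR. The SAN names both the wildcard and the bare domain
# explicitly instead of relying on the CA to add one of them for free.
make_key_and_csr() {
  openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
  chmod 600 "$WORK/private.key"
  openssl req -new -sha256 -key "$WORK/private.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/C=US/ST=Texas/L=Tyler/O=My Domain Inc/OU=IT/CN=*.$DOMAIN" \
    -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN"
}

# Step 2 (stand-in for the CA): a root and an intermediate, so the "bundle" really carries
# chain data like gd_bundle-g2-g1.crt does. A real CA returns these; you never make them.
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Test Root (constructed)" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Test Intermediate (constructed)" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/bundle.crt"
}

# Sign the CSR the way the CA would. 'x509 -req' does not copy the CSR's SAN, so it is
# restated here; a real CA takes the names from your order.
issue_cert() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.%s,DNS:%s\n' \
    "$DOMAIN" "$DOMAIN" > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/$DOMAIN.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Step 3: the PKCS12 Tomcat keystore, same command as the article, with a real password.
make_keystore() {
  openssl pkcs12 -export -chain -CAfile "$WORK/bundle.crt" -in "$WORK/$DOMAIN.crt" \
    -inkey "$WORK/private.key" -out "$WORK/keystore.tomcat" -name tomcat -passout "pass:$STOREPASS"
  chmod 600 "$WORK/keystore.tomcat"
}

# Checks to run before editing server.xml.
key_matches_cert() {   # $1 key, $2 cert; exit 0 when both carry the same public key
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
keystore_cert_count() {   # $1 p12, $2 password; prints how many certificates the store holds
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
cert_has_san() {   # $1 cert, $2 DNS name; exit 0 when the SAN lists that exact name
  openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

run_demo() {
  make_key_and_csr && make_test_ca && issue_cert && make_keystore
  openssl verify -CAfile "$WORK/bundle.crt" "$WORK/$DOMAIN.crt" >/dev/null
  key_matches_cert "$WORK/private.key" "$WORK/$DOMAIN.crt"
  cert_has_san "$WORK/$DOMAIN.crt" "*.$DOMAIN"
  [ "$(keystore_cert_count "$WORK/keystore.tomcat" "$STOREPASS")" -ge 2 ]
  echo "keystore: $WORK/keystore.tomcat (alias tomcat, password in STOREPASS)"
}
run_demo
```

With a real CA you skip make_test_ca and issue_cert, drop the CA's own bundle file in place of bundle.crt, and keep the rest. If a copy of the keystore count comes back as 1, the chain was not included and browsers will show an incomplete-chain warning. Two practical notes: the keystore password ends up in clear text in server.xml, so generate a real one and lock down that file; and with OpenSSL 3.x the pkcs12 export defaults to AES-256 with PBKDF2, which some older Java runtimes cannot open, so if Tomcat reports a wrong keystore password re-run the export with the -legacy flag.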
Ok, you have everything you need. Before you go on, replace changeit with a real password: it is what protects the private key inside the file, and the same value has to go into server.xml in clear text, so treat both files as secrets. Now, set up Tomcat.
Installing the Certificate in Tomcat
Let's copy the file to our Tomcat installation's configuration directory and make it readable only by the user Tomcat runs as. My Tomcat was in /usr/local/tomcat5
cp keystore.tomcat /usr/local/tomcat5/conf
Now we need to enable SSL, so edit the server-wide server.xml file and find the commented-out section that looks like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->
Replace it. Mine looks like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="250" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           keyAlias="tomcat"
           keystoreFile="/usr/local/tomcat5/conf/keystore.tomcat"
           keystorePass="changeit" keystoreType="PKCS12" />
Lastly, find any other references to port 8443 in the server.xml file (the redirectPort on the plain HTTP connector, for example) and replace them with just 443. Be aware that binding to 443 on Linux requires root; rather than run Tomcat as root, many people keep the connector on 8443 and redirect 443 to it with a firewall rule or authbind, or put a reverse proxy in front.
Now restart Tomcat, then point a browser or OpenSSL's s_client (with the servername set to one of your hostnames) at port 443 and confirm that the certificate and the full chain are served. Enjoy your newly functioning wildcard certificate.
I hope this bridges the gaps on some of the other articles out there.
Please comment if it helps you.