Enable TLS using a Certificate Authority and Keystore Explorer

To configure an EASA Server with TLS using a Certificate Authority:

  1. Generate a KeyStore in JKS format containing a key-pair
  2. Request a certificate from a Certificate Authority
  3. Add the certificate to the EASA Server's (Tomcat's) TrustStore

The following example creates a KeyStore and then requests a certificate from the Go Daddy Secure Certificate Authority.

At the outset, decide on a 'Common Name' for the application server before requesting a certificate; the Common Name determines the structure of the URL.

  • By default an EASA Server hostname is accessible via plain HTTP:
    (replace with your own domain)
  • Once TLS and HTTPS are configured the 'Common Name' takes the place of the hostname
    (or some other custom port number)

1. To begin we must have the original key pair. This usually involves three files; in our example they are:

  • 2097af0e09e3421.crt
  • gd_bundle-g2-g1.crt
  • gdig2.crt.pem

2. Open Keystore Explorer, create a 'New Keystore' with type 'JKS'.

3. Select: Tools > Generate Key Pair

Then click OK.

4. Select the address book icon to the right of the Name: field.

5. Complete using your organization's details.

6. Select OK and name the key pair: tomcat

7. Enter a password of '123123' and select OK.

8. Right-click on the tomcat line and select: Generate CSR

9. Browse to your work folder and select OK.

10. Choose 'File > Save As' and save the KeyStore with the name 'easastore.jks'.

For a multiple machine installation you may use:

  • easastore.easa.jks
  • easastore.jsf1.jks
  • easastore.jsf2.jks

…or some naming convention to keep each KeyStore separate.

The KeyStore filename and password will need to match the 'Connector' attributes 'keystoreFile' and 'keystorePass', respectively, in: <EASAROOT>\tomcat\conf\server.xml

  • By default:
    keystoreFile is: ./conf/easastore.jks
    keystorePass is: 123123
<Connector port="443" maxThreads="150"
  minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
  disableUploadTimeout="true" scheme="https" secure="true"
  SSLEnabled="true" keystoreFile="./conf/easastore.jks"
  keystorePass="123123" acceptCount="100" debug="0"
  clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="...
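The same KeyStore and CSR can be produced without the GUI using keytool, which ships with the EASA JRE. The script below is an added example and is not part of the EASA documentation or of Keystore Explorer; the install path, work folder, organization details and Common Name are assumed placeholders, and it keeps the page's default password '123123' only so that it matches keystorePass in server.xml.

```powershell
# Added example, not part of the EASA documentation: the keytool equivalent of
# steps 2-10 above for a server without a desktop session. keytool.exe ships
# with the EASA JRE under <EASAROOT>\jre\bin. Every value in param() is a
# constructed placeholder; replace it with your own.
param(
    [string]$EasaRoot   = 'C:\EASA',             # assumed install location (<EASAROOT>)
    [string]$WorkDir    = 'C:\work\tls',         # work folder with write permission
    [string]$KeyStore   = 'easastore.jks',       # or easastore.easa.jks / easastore.jsf1.jks ... for multi-machine installs
    [string]$StorePass  = '123123',              # must equal keystorePass in server.xml; change both from the default
    [string]$CommonName = 'easa.example.com',    # the 'Common Name' decided at the outset; becomes the HTTPS hostname
    [string]$OrgUnit    = 'IT',
    [string]$Org        = 'Example Corp',
    [string]$City       = 'Springfield',
    [string]$State      = 'IL',
    [string]$Country    = 'US'
)
$keytool = Join-Path $EasaRoot 'jre\bin\keytool.exe'
$ksPath  = Join-Path $WorkDir $KeyStore
$csrPath = Join-Path $WorkDir 'tomcat.csr'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Invoke-Keytool([string[]]$KtArgs) {
    & $keytool @KtArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KtArgs[0]) failed with exit code $LASTEXITCODE" }
}

# Steps 4-5: the subject fields Keystore Explorer collects in its address-book dialog.
$dname = "CN=$CommonName, OU=$OrgUnit, O=$Org, L=$City, ST=$State, C=$Country"

# Steps 2-7: a new JKS KeyStore holding one RSA key pair under the alias 'tomcat'.
# -keypass is set equal to -storepass because Tomcat unlocks the key with
# keystorePass unless a separate keyPass attribute is configured on the Connector.
# -validity only governs the temporary self-signed certificate; the CA reply
# imported later replaces it.
Invoke-Keytool @(
    '-genkeypair', '-alias', 'tomcat', '-keyalg', 'RSA', '-keysize', '2048',
    '-sigalg', 'SHA256withRSA', '-validity', '365', '-dname', $dname,
    '-ext', "san=dns:$CommonName",
    '-keystore', $ksPath, '-storetype', 'JKS', '-storepass', $StorePass, '-keypass', $StorePass
)

# Steps 8-9: the CSR to send to the CA. The SAN is requested again here; many
# CAs take the names from their order form instead, so check the issued certificate.
Invoke-Keytool @(
    '-certreq', '-alias', 'tomcat', '-sigalg', 'SHA256withRSA', '-ext', "san=dns:$CommonName",
    '-file', $csrPath, '-keystore', $ksPath, '-storepass', $StorePass, '-keypass', $StorePass
)

# Show what is about to be submitted (subject, key size, requested extensions).
Invoke-Keytool @('-printcertreq', '-file', $csrPath)

# Step 10 is implicit: keytool wrote the KeyStore to $ksPath. Confirm the entry
# is a private-key entry before the CSR leaves the machine.
$listing = (& $keytool -list -v -alias tomcat -keystore $ksPath -storepass $StorePass) -join "`n"
if ($listing -notmatch 'Entry type:\s*PrivateKeyEntry') {
    throw "the 'tomcat' entry in $ksPath is not a private-key entry"
}
Write-Host "KeyStore: $ksPath"
Write-Host "CSR:      $csrPath"
```

The resulting tomcat.csr is what you upload to the CA; the KeyStore stays on the server and is what the CA reply is later imported into, so do not regenerate it in between. Because keystorePass is stored in cleartext in server.xml, pick a value other than the default in both places and restrict read access to <EASAROOT>\tomcat\conf to the account Tomcat runs as.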

Once you receive the certificates back from the supplier, proceed with the following steps to add them to the TrustStore.

11. <EASAROOT>\jre\lib\security\cacerts may already contain the CA's intermediate certificates if the CA is a larger company such as GoDaddy or DigiCert; otherwise you must update it. To do so, first copy the cacerts file to a work folder with write permission.

12. Using Keystore Explorer, open the cacerts KeyStore; the password is: changeit

13. Select: Tools > Import Trusted Certificate

Select the .pem file: gdig2.crt.pem

14. Save the cacerts file.

15. In Keystore Explorer, select: Tools > Preferences

On the 'Authority Certificates' tab, browse to the cacerts file we just saved.

Ensure 'Use CA Certificates Keystore' is checked.

16. Open the KeyStore that goes with these files: easastore, easastore.easa, easastore.jsf, etc.

17. Right-click on the 'tomcat' entry and select: Import CA Reply

18. Select the .crt file; in our example it is 2097af0e09e3421.crt (do not select Bundle.crt)

19. Once this is complete, save the KeyStore:

  • Rename it to easastore; Keystore Explorer will save the file as: easastore.jks
  • Copy it to the appropriate server in: <EASAROOT>\tomcat\conf
  • Copy the TrustStore (the cacerts file from step 14) back to: <EASAROOT>\jre\lib\security\
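Steps 11 to 19 have a keytool equivalent as well, which also lets you verify the outcome instead of trusting the GUI. The script below is an added example, not EASA's or Keystore Explorer's own procedure; it uses the GoDaddy file names from this page, while the install path, work folder, alias 'gdig2' and Common Name are constructed placeholders.

```powershell
# Added example, not part of the EASA documentation: the keytool equivalent of
# steps 11-19 above, run once the CA has returned the files. File names are the
# GoDaddy ones used on this page; paths and the alias 'gdig2' are constructed
# placeholders. Run it as a user that can write to <EASAROOT>\jre and
# <EASAROOT>\tomcat\conf.
param(
    [string]$EasaRoot     = 'C:\EASA',
    [string]$WorkDir      = 'C:\work\tls',
    [string]$KeyStore     = 'easastore.jks',       # the KeyStore the CSR was generated from
    [string]$StorePass    = '123123',              # must equal keystorePass in server.xml
    [string]$CaReply      = '2097af0e09e3421.crt', # the CA reply for the 'tomcat' entry (not gd_bundle-g2-g1.crt)
    [string]$Intermediate = 'gdig2.crt.pem',       # the intermediate certificate for cacerts
    [string]$IntAlias     = 'gdig2',
    [string]$CommonName   = 'easa.example.com'
)
$keytool     = Join-Path $EasaRoot 'jre\bin\keytool.exe'
$liveCacerts = Join-Path $EasaRoot 'jre\lib\security\cacerts'
$workCacerts = Join-Path $WorkDir 'cacerts'
$ksPath      = Join-Path $WorkDir $KeyStore

function Invoke-Keytool([string[]]$KtArgs) {
    & $keytool @KtArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KtArgs[0]) failed with exit code $LASTEXITCODE" }
}

# Step 11: work on a copy of cacerts, because the live file is usually not writable.
Copy-Item -Path $liveCacerts -Destination $workCacerts -Force -ErrorAction Stop

# Steps 12-14: add the intermediate unless it is already there (keytool refuses
# to import an alias that already exists). The default cacerts password is 'changeit'.
& $keytool -list -keystore $workCacerts -storepass changeit -alias $IntAlias 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    Invoke-Keytool @('-importcert', '-noprompt', '-alias', $IntAlias, '-file', (Join-Path $WorkDir $Intermediate),
                     '-keystore', $workCacerts, '-storepass', 'changeit')
}

# Step 19 (TrustStore part), done before the CA reply import: -trustcacerts below
# makes keytool consult the JRE's own cacerts, so the updated copy has to be in
# place for the chain (reply -> intermediate -> root) to be built.
Copy-Item -Path $workCacerts -Destination $liveCacerts -Force -ErrorAction Stop

# Steps 16-18: import the CA reply onto the existing 'tomcat' key pair.
# keytool's "Public keys in reply and keystore don't match" is the same failure
# Keystore Explorer reports as 'Certificate Reply does not match the Public Key':
# the reply belongs to a CSR generated from a different KeyStore.
# "Failed to establish chain from reply" means the intermediate or root is not trusted.
Invoke-Keytool @('-importcert', '-trustcacerts', '-noprompt', '-alias', 'tomcat', '-file', (Join-Path $WorkDir $CaReply),
                 '-keystore', $ksPath, '-storepass', $StorePass, '-keypass', $StorePass)

# Verify the result: a private-key entry whose chain now has more than one
# certificate, and whose leaf subject carries the Common Name chosen at the outset.
function Get-TomcatEntry {
    $text = (& $keytool -list -v -alias tomcat -keystore $ksPath -storepass $StorePass) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "cannot read the 'tomcat' entry from $ksPath" }
    [pscustomobject]@{
        EntryType   = [regex]::Match($text, 'Entry type:\s*(\S+)').Groups[1].Value
        ChainLength = [int][regex]::Match($text, 'Certificate chain length:\s*(\d+)').Groups[1].Value
        Owner       = [regex]::Match($text, 'Owner:\s*(.+)').Groups[1].Value.Trim()
    }
}
$entry = Get-TomcatEntry
if ($entry.EntryType -ne 'PrivateKeyEntry') { throw "'tomcat' is a $($entry.EntryType), not a PrivateKeyEntry" }
if ($entry.ChainLength -lt 2) { throw 'the CA reply was not applied: the chain still holds only the self-signed certificate' }
if ($entry.Owner -notlike "*CN=$CommonName*") { throw "certificate subject '$($entry.Owner)' does not carry CN=$CommonName" }
Write-Host "chain length $($entry.ChainLength), subject: $($entry.Owner)"

# Step 19 (KeyStore part): the Connector always reads easastore.jks, whatever
# per-machine name was used in the work folder.
Copy-Item -Path $ksPath -Destination (Join-Path $EasaRoot 'tomcat\conf\easastore.jks') -Force -ErrorAction Stop
```

The chain-length check is the useful part: before the import the 'tomcat' entry holds a single self-signed certificate, and a successful import replaces it with the CA-issued leaf plus its issuers, so a length that is still 1 means the reply was rejected. Tomcat reads both files at startup, so restart the EASA Server after copying them into place.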

Go Daddy certificate files

  • 2097af0e09e3421.crt - the CA reply for easastore
  • gd_bundle-g2-g1.crt - not used
  • gdig2.crt.pem - the Intermediate Cert for cacerts

Thawte details

Download the certificates for 'Other\X509'; the names are typically the same.

  • ssl_certificate.crt is the 'CA Reply' for easastore
  • IntermediateCA.crt is the 'Intermediate Cert' for cacerts
  • If you receive a message like:
    Certificate Reply does not contain a Public Key for <tomcat>
    Certificate Reply does not match the Public Key
    then easastore does not hold the key pair that matches the CSR that was created.

If you open a .p7b file on a Windows PC, it will open in the Certificate Manager.

  • Right-click on each one and select: Task > Export (a 'Certificate Export Wizard' opens)
  • Choose: Base-64 encoded X.509 (.CER)
  • This will produce two certificate files that are identical to the ones we downloaded in X509 format.