To configure an EASA Server with TLS using a Certificate Authority:
The following example creates a KeyStore and then requests a certificate from the Go Daddy Secure Certificate Authority.
Before requesting a certificate, decide on the 'Common Name' for the application server: it determines the hostname in the server's URL.
1. To begin we must have the original key pair. This usually involves three files; in our example they are:
2. Open Keystore Explorer, create a 'New Keystore' with type 'JKS'.
3. Select: Tools > Generate Key Pair
Then click OK.
4. Select the address book icon to the right of the Name: field.
5. Complete using your organization's details.
6. Select OK and name the key pair: tomcat
7. Enter a password of '123123' and select OK.
8. Right-click on the tomcat line and select: Generate CSR
9. Browse to your work folder and select OK.
10. Choose 'File > Save As' and save the KeyStore with the name 'easastore.jks'.
For a multi-machine installation you may use:
…or some naming convention to keep each KeyStore separate.
The KeyStore filename and password will need to match the 'Connector' attributes 'keystoreFile' and 'keystorePass', respectively, in: <EASAROOT>\tomcat\conf\server.xml
<Connector port="443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="./conf/easastore.jks" keystorePass="123123"
           acceptCount="100" debug="0" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="...
Once you receive the certificates back from the supplier, proceed with the following steps to add them to the TrustStore.
11. <EASAROOT>\jre\lib\security\cacerts may already contain the CA's intermediate certificates if the CA is a large one such as GoDaddy or DigiCert; otherwise you must update it: copy the cacerts file to a work folder with write permission and continue with the steps below.
12. Using Keystore Explorer, open the cacerts keystore, password is: changeit
13. Select: Tools > Import Trusted Certificate
Select the .pem file: gdig2.crt.pem
14. Save the cacerts file.
15. In Keystore Explorer, select: Tools > Preferences
On the 'Authority Certificates' tab, browse to the cacerts file we just saved.
Ensure 'Use CA Certificates Keystore' is checked.
16. Open the KeyStore that goes with these files: easastore or easastore.easa or easastore.jsf, etc…
17. Right-click on the 'tomcat' entry and select: Import CA Reply
18. Select the .crt file; in our example it is 2097af0e09e3421.crt (do not select Bundle.crt).
19. Once this is complete, save the KeyStore.
Download the certificates for 'Other\X509'; the names are typically the same.
If you open a .p7b file on a Windows PC, it will open in the Certificate Manager.