Enable TLS using a Certificate Authority and Keystore Explorer

To configure an EASA Server with TLS using a Certificate Authority:

  1. Generate a KeyStore in JKS format containing a key-pair
  2. Generate a CSR from that key-pair and request a certificate from a Certificate Authority
  3. Import the CA reply into the KeyStore and the CA's intermediate certificate into the EASA Server's (Tomcat JRE's) TrustStore

The following example creates a KeyStore and then requests a certificate from Go Daddy Secure Certificate Authority.


Before requesting a certificate, decide on the 'Common Name' for the application server, i.e. the DNS hostname clients will use. It determines the structure of the URL, and the certificate will only be valid for that name.

  • By default an EASA Server hostname is accessible via plain HTTP:
    http://easaserver1.myeasa.com/easa
    (replace myeasa.com with your own domain)
  • Once TLS and HTTPS are configured, the hostname in the URL must be the certificate's 'Common Name':
    https://commonname1.myeasa.com/easa
       or
    https://commonname1.myeasa.com:8443/easa
    (or some other custom port number)
  • Modern browsers match the hostname against the certificate's Subject Alternative Name rather than the Common Name alone, so make sure the name you choose is also present as a DNS SAN in the CSR and in the issued certificate.

1. The CA reply can only be imported into the KeyStore that holds the original key pair used to create the CSR, so keep that KeyStore (and its password) safe until the certificate arrives. The reply itself usually consists of three files; in our example they are:

  • 2097af0e09e3421.crt
  • gd_bundle-g2-g1.crt
  • gdig2.crt.pem

2. Open Keystore Explorer, create a 'New Keystore' with type 'JKS'.

3. Select: Tools > Generate Key Pair. Choose RSA with a key size of at least 2048 bits, then click OK.

4. Select the address book icon to the right of the Name: field.

5. Complete using your organization's details.

6. Select OK and name the key pair: tomcat

7. Enter a password and select OK. This page uses '123123' because that is the default 'keystorePass' in server.xml; on a real server choose a strong password and update server.xml to match. Tomcat reads the private key with the KeyStore password unless 'keyPass' is set separately, so use the same password for the key pair here and for the KeyStore when Keystore Explorer asks for one on saving in step 10.

8. Right-click on the tomcat line and select: Generate CSR

9. Browse to your work folder and select OK.

10. Choose 'File > Save As' and save the KeyStore with the name 'easastore.jks'.

For a multiple machine installation you may use:

  • easastore.easa.jks
  • easastore.jsf1.jks
  • easastore.jsf2.jks

…or some naming convention to keep each KeyStore separate.

The KeyStore filename and password will need to match the 'Connector' attributes 'keystoreFile' and 'keystorePass', respectively, in: <EASAROOT>\tomcat\conf\server.xml (Tomcat also uses 'keystorePass' as the key password unless 'keyPass' is set explicitly). The 'sslEnabledProtocols' attribute, truncated in the excerpt below, is where legacy protocol versions (SSLv3, TLSv1, TLSv1.1) are excluded; restrict it to TLSv1.2 and later.

  • By default:
    keystoreFile is: ./conf/easastore.jks
    keystorePass is: 123123 (change this on a real server; the value is visible to anyone who can read server.xml)
<Connector port="443" maxThreads="150"
  minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
  disableUploadTimeout="true" scheme="https" secure="true"
  SSLEnabled="true" keystoreFile="./conf/easastore.jks"
  keystorePass="123123" acceptCount="100" debug="0"
  clientauth="false" sslProtocol="TLS" sslEnabledProtocols="...

Once you receive the certificates back from the supplier, proceed with the following steps to add them to the TrustStore.

11. <EASAROOT>\jre\lib\security\cacerts may already contain the CA's intermediate certificate if the CA is a large one such as GoDaddy or DigiCert; check before adding it. Otherwise you must add it. In either case, copy the cacerts file to a work folder with write permission before editing it.

12. Using Keystore Explorer, open the cacerts keystore, password is: changeit

13. Select: Tools > Import Trusted Certificate

Select the .pem file: gdig2.crt.pem

14. Save the cacerts file.

15. In Keystore Explorer, select: Tools > Preferences

On the 'Authority Certificates' tab, browse to the cacerts file we just saved.

Ensure 'Use CA Certificates Keystore' is checked.

16. Open the KeyStore that goes with these files; easastore or easastore.easa or easastore.jsf, etc…

17. Right-click on the 'tomcat' entry and select: Import CA Reply

18. Select the .crt file; in our example it is 2097af0e09e3421.crt (do not select gd_bundle-g2-g1.crt)

19. Once this is complete, save the KeyStore

  • Rename it to easastore; Keystore Explorer will save the file as easastore.jks
  • Copy it to the appropriate server in: <EASAROOT>\tomcat\conf
  • Copy the TrustStore, cacerts file from step 14 back to: <EASAROOT>\jre\lib\security\
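As an added example (not from the EASA documentation or from Keystore Explorer), here is the same flow as steps 1 to 19 typed into a POSIX shell using the JRE's keytool, with a throwaway local CA so it runs offline. Everything under $WORK, the alias 'localca' and the file names tomcat.csr, tomcat.crt and ca.pem are assumptions of the example; '123123' is used only because it is the page's default keystorePass. The last function reproduces the 'Certificate reply does not contain public key' mismatch described under 'Thawte details' below by importing the reply into a KeyStore whose 'tomcat' key pair did not produce the CSR.

```shell
#!/bin/sh
# Added example: keytool equivalent of the Keystore Explorer procedure.
# Assumptions (not from the original page): scratch directory $WORK, a local
# CA built with keytool standing in for GoDaddy/Thawte, alias "localca", and
# the file names tomcat.csr / tomcat.crt / ca.pem.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-commonname1.myeasa.com}"      # the 'Common Name' / hostname clients will use
STOREPASS="${STOREPASS:-123123}"        # page default only; change it and server.xml together
KS="$WORK/easastore.jks"                # destined for <EASAROOT>\tomcat\conf\easastore.jks
TRUST="$WORK/cacerts"                   # stand-in for <EASAROOT>\jre\lib\security\cacerts
KT="keytool -storetype JKS"

# Steps 2-7: new JKS KeyStore with an RSA key pair under alias "tomcat".
# Tomcat's keyPass defaults to keystorePass, so keep the two passwords equal.
make_keystore() {
    $KT -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$CN,O=Example Org,C=US" \
        -keystore "$KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Steps 8-9: the CSR to send to the CA. Browsers match the hostname against
# the SAN, so ask for it explicitly rather than relying on the CN alone.
make_csr() {
    $KT -certreq -alias tomcat -ext "san=dns:$CN" \
        -keystore "$KS" -storepass "$STOREPASS" -file "$WORK/tomcat.csr"
}

# Local stand-in for the commercial CA: a CA key pair (basic constraints CA)
# whose exported certificate plays the part of gdig2.crt.pem.
make_local_ca() {
    $KT -genkeypair -alias localca -keyalg RSA -keysize 2048 -validity 3650 \
        -ext bc:c -dname "CN=Example Local CA,O=Example Org,C=US" \
        -keystore "$WORK/ca.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
    $KT -exportcert -rfc -alias localca \
        -keystore "$WORK/ca.jks" -storepass "$STOREPASS" -file "$WORK/ca.pem"
}

# The CA signs the CSR; tomcat.crt is the "CA reply" (2097af0e09e3421.crt).
sign_csr() {
    $KT -gencert -alias localca -validity 365 -rfc -ext "san=dns:$CN" \
        -keystore "$WORK/ca.jks" -storepass "$STOREPASS" \
        -infile "$WORK/tomcat.csr" -outfile "$WORK/tomcat.crt"
}

# Steps 11-15: the issuing CA certificate goes into the TrustStore (a real
# cacerts has the password "changeit"). It is also added to easastore.jks as
# a trusted entry so keytool can build the chain when the reply is imported,
# which is what 'Use CA Certificates Keystore' does in Keystore Explorer.
trust_ca_cert() {
    $KT -importcert -noprompt -alias localca -file "$WORK/ca.pem" \
        -keystore "$TRUST" -storepass changeit
    $KT -importcert -noprompt -alias localca -file "$WORK/ca.pem" \
        -keystore "$KS" -storepass "$STOREPASS"
}

# Steps 16-19: import the CA reply against the SAME alias that made the CSR.
import_ca_reply() {
    $KT -importcert -noprompt -alias tomcat -file "$WORK/tomcat.crt" \
        -keystore "$KS" -storepass "$STOREPASS"
}

# Check: after a successful reply import the tomcat entry carries a chain
# (server certificate + CA certificate), not the original self-signed cert.
chain_length() {
    $KT -list -v -alias tomcat -keystore "$KS" -storepass "$STOREPASS" \
        | sed -n 's/^Certificate chain length: //p'
}

# Failure mode: the reply offered to a KeyStore whose "tomcat" key pair is not
# the one that produced the CSR. Returns 0 when keytool refuses the reply.
reply_rejected_for_wrong_key() {
    $KT -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -dname "CN=$CN,O=Example Org,C=US" \
        -keystore "$WORK/wrong.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
    if $KT -importcert -noprompt -alias tomcat -file "$WORK/tomcat.crt" \
           -keystore "$WORK/wrong.jks" -storepass "$STOREPASS" 2>"$WORK/err.txt"; then
        return 1
    fi
    grep -q "does not contain public key" "$WORK/err.txt"
}

if command -v keytool >/dev/null 2>&1; then
    make_keystore && make_csr && make_local_ca && sign_csr
    trust_ca_cert && import_ca_reply
    echo "chain length for alias tomcat: $(chain_length)"
else
    echo "keytool not on PATH (it ships with the JRE under <EASAROOT>\\jre\\bin)" >&2
fi
```

The same keytool commands work from cmd or PowerShell on Windows with the paths adjusted. On a real server, replace make_local_ca and sign_csr with the files the CA sends back, and expect the reply import to fail exactly as reply_rejected_for_wrong_key shows if easastore.jks was regenerated after the CSR was submitted.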

Go Daddy certificate files

  • 2097af0e09e3421.crt - the CA reply for easastore
  • gd_bundle-g2-g1.crt - not used
  • gdig2.crt.pem - the Intermediate Cert for cacerts

Thawte details

Download the certificates in 'Other\X509' format; the file names are typically the same from one order to the next.

  • ssl_certificate.crt is the 'CA Reply' for easastore
  • IntermediateCA.crt is the 'Intermediate Cert' for cacerts
  • If you receive a message like:
    Certificate Reply does not contain a Public Key for <tomcat>
       or
    Certificate Reply does not match the Public Key
  • Then the key pair in easastore is not the one that generated the CSR; the reply can only be imported into the KeyStore holding the original key pair, so a KeyStore regenerated after the CSR was submitted will never accept it

If you open a .p7b file on a Windows PC, it will open in the Certificate Manager.

  • Right-click on each one and select: All Tasks > Export (a 'Certificate Export Wizard' opens)
  • Choose: Base-64 encoded X.509 (.CER)
  • This will produce two certificate files that are identical to the ones we downloaded in X509 format.