In this topic:
2.18.2 Retrieve the Server's X.509 Public Certificate
2.18.3 Add the Server's Certificate to Java's Keystore
Some of these instructions refer to JAVA_HOME, which must point to the same directory that Tomcat uses. To set JAVA_HOME, do this:
[root]# source /etc/tomcat/tomcat.conf
Your system administrator might have defined Tomcat's JAVA_HOME in a different file.
2.18.2 Retrieve the Server's X.509 Public Certificate
To retrieve the server's certificate, use the following command:
[root]# $JAVA_HOME/bin/keytool -printcert -rfc -sslserver <servername>:<port> > /tmp/public.cert.pem
Replace <servername> with the server's host name and <port> with the secure port number. The default port for https is 443. The default port for ldaps is 636. If successful, /tmp/public.cert.pem contains the server's public certificate. Otherwise, /tmp/public.cert.pem contains an error message. This message is typical:
keytool error: java.lang.Exception: No certificate from the SSL server
This message suggests that the server name or port is incorrect. Consult your IT department to determine the correct server name and port.
2.18.3 Add the Server's Certificate to Java's Keystore
Java stores trusted certificates in a database known as the keystore. Because each new version of Java has its own keystore, you need to add the server certificate to the Java keystore (using the steps below) every time you install a new version of Java.
Java's keystore is located at $JAVA_HOME/lib/security/cacerts. If Tomcat's JAVA_HOME points to a JDK, then the keystore is located at $JAVA_HOME/jre/lib/security/cacerts. To add the server certificate to the keystore, run the following command:
[root]# $JAVA_HOME/bin/keytool -import -trustcacerts -file /tmp/public.cert.pem -alias <servername> -keystore $JAVA_HOME/lib/security/cacerts
You will be prompted for the keystore password, which is "changeit" by default.
Your system administrator might have changed this password.
After you've entered the keystore password, you'll see the description of the server's certificate. At the end of the description, you are prompted to trust the certificate:
Trust this certificate? [no]:
Type yes and press Enter to add the certificate to the keystore.
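The two steps above (2.18.2 and 2.18.3) as one POSIX shell script. This is an added example, not part of the original documentation: it assumes JAVA_HOME is set as described, treats the expected SHA-256 fingerprint as a placeholder you obtain from the server's administrator out of band, and adds the check the procedure itself lacks, since keytool's -sslserver fetch performs no validation and would happily save a substituted certificate.

```shell
#!/bin/sh
# Added example (not from the original documentation). Assumes JAVA_HOME is set
# and that the expected SHA-256 fingerprint was confirmed out of band.

# 0 if the file holds a PEM certificate, 1 if it is empty or holds keytool's
# error text (for example "No certificate from the SSL server").
cert_file_is_valid() {
    [ -s "$1" ] || return 1
    grep -q 'keytool error' "$1" && return 1
    grep -q 'BEGIN CERTIFICATE' "$1"
}

# Keystore path for a JAVA_HOME: a JDK keeps cacerts under jre/lib/security,
# a JRE under lib/security (section 2.18.3).
resolve_cacerts() {
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    else
        printf '%s\n' "$1/lib/security/cacerts"
    fi
}

# Step 2.18.2: fetch the certificate and confirm we got one, not an error.
retrieve_server_cert() {    # host port outfile
    "$JAVA_HOME/bin/keytool" -printcert -rfc -sslserver "$1:$2" > "$3" 2>&1
    cert_file_is_valid "$3"
}

# Step 2.18.3, only after the leaf fingerprint matches the expected value.
# The keystore password is still prompted for ("changeit" by default).
import_server_cert() {      # pemfile alias expected_sha256
    actual=$("$JAVA_HOME/bin/keytool" -printcert -file "$1" |
             sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1)
    if [ -z "$actual" ] || [ "$actual" != "$3" ]; then
        echo "fingerprint mismatch: got '$actual', expected '$3'" >&2
        return 1
    fi
    "$JAVA_HOME/bin/keytool" -import -trustcacerts -noprompt -file "$1" \
        -alias "$2" -keystore "$(resolve_cacerts "$JAVA_HOME")"
}

main() {                    # usage: script.sh <servername> <port> <sha256>
    : "${JAVA_HOME:?JAVA_HOME must be set (source /etc/tomcat/tomcat.conf)}"
    pem=$(mktemp /tmp/public.cert.XXXXXX)
    retrieve_server_cert "$1" "$2" "$pem" ||
        { echo "no certificate from $1:$2 (check name and port):" >&2
          cat "$pem" >&2; return 1; }
    import_server_cert "$pem" "$1" "$3"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it as root with the server name, port and the fingerprint you were given; it stops before touching cacerts if keytool returned an error message or the fingerprint differs.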