Generating and storing a self-signed certificate
Self-signed certificates are useful where you require encryption but do not need to verify the identity of the website. When a site uses a self-signed certificate instead of one signed by a Certificate Authority (CA), users who access the site for the first time may be warned that the site is untrusted and may have to perform several steps to "accept" the certificate before they can reach it. This usually happens only on the first visit.
You may prefer to obtain and install a certificate from a Certificate Authority; if so, refer to the Tomcat documentation for installing a certificate from a CA.
To generate and store a self-signed certificate
- Create a .keystore file that contains the self-signed certificate. If it does not already exist, create it by running the keytool command; the new .keystore file is written to the home directory of the user who runs keytool. To use a different location or filename, add the -keystore parameter, followed by the complete pathname of the keystore file, to the keytool command, and specify that same location in the server.xml configuration file. From a command line, run:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
- After running the keytool command, you are prompted for two passwords: (1) the keystore password and (2) the key password for Tomcat. Use the same value for both passwords, and the value must be one of the following:
  - "changeit" (the default Tomcat value)
  - A unique value of your choosing, which you must also specify in $CATALINA_HOME/conf/server.xml by adding the following attribute to the SSL HTTP/1.1 Connector entry described earlier:
keystorePass="<password value>"
- You are then prompted for general information about the certificate. For the prompt "What is your first and last name?" you must enter the fully qualified hostname of the server running Viewpoint. When a client web browser examines the certificate, it checks this field against the hostname it connected to; if the two do not match, the browser may block access to the site.
- Provide the remaining general information (company, contact name, and so on) when prompted. This information is visible to users who access a secure page in the application, so make sure it matches what users expect.
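The procedure above, as an added example that is not part of the Viewpoint or Tomcat documentation: a POSIX shell script that runs keytool non-interactively (the -dname, -storepass and -keypass switches replace the prompts), warns when the default keystore password is used, reads the CN back out of the keystore to confirm it is the hostname that was requested, and prints the matching Connector entry for server.xml. The hostname, keystore path, password and organization fields are constructed placeholders; keystoreFile is Tomcat's standard attribute for a keystore outside the default location.

```shell
#!/bin/sh
# Added example, not part of the Viewpoint or Tomcat documentation: a
# non-interactive version of the keytool procedure, plus the matching
# server.xml Connector attributes. Assumptions: keytool is found under
# $JAVA_HOME/bin (or on PATH when JAVA_HOME is unset); the hostname, keystore
# path and password given on the command line are constructed placeholders.

KEYTOOL="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"

# Returns 0 when the password is Tomcat's well-known default "changeit", so
# that the default is noticed before the keystore reaches a production server.
is_default_password() {
  [ "$1" = "changeit" ]
}

# Generates the keystore with the fields keytool would otherwise prompt for.
# CN must be the fully qualified hostname of the Viewpoint server; the other
# -dname fields are placeholders. Keystore and key passwords are kept equal,
# as the procedure requires.
gen_keystore() {
  fqdn=$1; keystore=$2; password=$3
  "$KEYTOOL" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -validity 365 \
    -keystore "$keystore" -storepass "$password" -keypass "$password" \
    -dname "CN=$fqdn, OU=IT, O=Example Corp, L=Springfield, ST=IL, C=US"
}

# Reads the CN back out of the stored certificate so it can be compared with
# the server's hostname before the keystore is handed to Tomcat.
keystore_cn() {
  "$KEYTOOL" -list -v -alias tomcat -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# Prints the SSL HTTP/1.1 Connector entry for server.xml with keystoreFile and
# keystorePass filled in. Port and protocol are the usual Tomcat values; the
# password must not contain XML special characters (" & <) unless escaped.
connector_snippet() {
  keystore=$1; password=$2
  cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="$keystore" keystorePass="$password"
           clientAuth="false" sslProtocol="TLS" />
EOF
}

main() {
  fqdn=$1; keystore=$2; password=$3
  if is_default_password "$password"; then
    echo "warning: keystore uses the default password 'changeit'" >&2
  fi
  gen_keystore "$fqdn" "$keystore" "$password"
  cn=$(keystore_cn "$keystore" "$password")
  if [ "$cn" != "$fqdn" ]; then
    echo "error: certificate CN '$cn' does not match hostname '$fqdn'" >&2
    return 1
  fi
  echo "Add this Connector to \$CATALINA_HOME/conf/server.xml:"
  connector_snippet "$keystore" "$password"
}

# Usage: sh make_keystore.sh viewpoint.example.com /opt/viewpoint/.keystore 'S3cret-Pass'
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Run it as the user Tomcat runs as, with the keystore path you will reference in server.xml, so the file's ownership and the keystoreFile attribute agree; the CN comparison at the end catches the most common cause of the browser warning described above (a short hostname or a typo in the "first and last name" field) before the keystore is deployed.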
Related topics