Creating a CA-Signed Certificate for the Tomcat Server

To use HTTPS to access the Web Console or Compliance Search, you must use a CA-signed certificate. To obtain a certificate signed by a CA (certificate authority), generate a key pair in a keystore, create a Certificate Signing Request (CSR) for it, and have the CA sign that request.

You must use a CA-signed certificate in the following situations:

  • You are configuring SSL on the Tomcat Server for the Web Console on a CommServe computer where a Private Metrics Reporting Server is installed. If you use a self-signed certificate, data will not upload to the Private Metrics Reporting Server.
  • You are configuring an ObjectStore for Salesforce. Use a CA-signed certificate for the Web Console.
  • You are configuring HTTP Public Key Pinning (HPKP).

Note:

  • Self-signed certificates are automatically created and installed by the Commvault software. If you use a self-signed certificate, users see a warning in the browser indicating that it is not safe to proceed. Do not use self-signed certificates in a production environment.
  • To replace an expired CA-signed certificate, delete the existing keystore file (after backing up the existing keystore and server.xml files), follow the procedure in this topic to create a new CA-signed certificate, and then configure SSL on the Tomcat server.

Before You Begin

  • Install the Java Key and Certificate Management tool (keytool). For more information, see keytool - Key and Certificate Management Tool.
  • For the Web Console, perform this task on the Web Console computer.
  • For Compliance Search, perform this task on the Compliance Search computer.

Procedure

  1. From the command prompt, go to the folder that contains the keytool.exe file:
    • For Windows systems, go to C:\Program Files\Commvault\ContentStore\jre\bin.
    • For Linux systems, go to /usr/lib/jvm/jdkx/bin.
  2. To create the keystore file containing the key-pair/certificate to be signed, run the following command:

    For Windows:

    keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks" -ext SAN=dns:<domainname>,ip:<Tomcat server IP address>

    For Linux:

    keytool -genkey -alias tomcat -keyalg RSA -keystore "/mykeystore.jks" -ext SAN=dns:<domainname>,ip:<Tomcat server IP address>

    Important: This keystore file must be used throughout this procedure.

    Note: Depending on your browser, you might need to perform additional configuration to complete the creation of a CA-signed certificate. For example, for Google Chrome version 58 and later, you must specify the Subject Alternative Name (SAN) when running the keytool command.

    During the command execution, you are prompted to provide information about your organization:

    Parameter descriptions:

    • Alias: The alias that Tomcat uses to refer to the key entry when you import or install the certificate. It can be any simple name, as long as the same name is used consistently.
      After the certificate authority has signed the certificate and returned it, you must use the same alias to import the signed certificate.
    • Password: The keystore password. Use a strong password.
      Note: Do not use special characters.
    • First and Last name: The fully qualified domain name of the site that is to be served over HTTPS, such as someName.somecompany.com. If you are requesting a wildcard certificate, enter the site name as *.someportal.com.
      If the value you enter does not match the host name in the website URL for which you are requesting the certificate, the browser might treat the website as untrusted and show an error message such as the following:
      The security certificate presented by this website was issued for a different website's address.
    • Organizational Unit: Optional. If applicable, specify the DBA (Doing Business As) name.
    • Organization Name: The full legal name of your organization. The organization name must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, enter the certificate requester's name.
    • City / Locality: The city (without abbreviation) where your organization is located.
    • State / Province: The state or province (without abbreviation) where your organization is located.
    • Country Code: The two-letter country code (ISO, International Organization for Standardization, format) of the country where your organization is legally registered.

  3. To generate a CSR, run the following command:

    keytool -certreq -keyalg RSA -alias tomcat -file C:\somename.csr -keystore C:\mykeystore.jks -validity <daysValid> -ext SAN=dns:<domainname>

    Parameter descriptions:

    • certreq: Do not remove or change this parameter.
    • keyalg: Do not remove or change this parameter. The valid value is RSA.
    • Alias: The same alias name that was used when generating the keystore.
    • File: The path to the file in which the CSR is written.
    • Keystore: The path to the keystore that you created in step 2. You must use the same keystore file throughout this procedure.
    • validity: The number of days the keystore file is valid, counted from the day the keystore file is created.

  4. Upload the CSR to the CA website, indicate the type of Tomcat server, and submit for signing.
  5. Download the root, intermediate, and issued server/domain certificates.

    Important: This step might be different based on the CA. Follow the guidelines provided by your CA.

  6. Import each certificate issued by the CA into the keystore, in the following order, using these commands:
    • Root certificate:

      keytool -import -alias root -keystore C:\mykeystore.jks -trustcacerts -file C:\valicert_class2_root.crt

    • Intermediate certificate:

      keytool -import -alias intermed -keystore C:\mykeystore.jks -trustcacerts -file C:\gd_intermediate.crt

    • Issued server/domain certificate:

      keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt

      Important: The keystore parameter must be the path to the keystore file that was used to generate the CSR. You must use the same keystore file throughout this procedure.

  7. Close the command line.
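The Linux form of steps 2, 3 and 6 as a script, added here as an example (it is not Commvault's own tooling), with the two checks a practitioner wants around this procedure: that the CSR really carries the SAN before it is uploaded to the CA, and that after import the tomcat alias is still the private-key entry from step 2 and holds the complete chain. It assumes keytool is on PATH, that the keystore password is supplied in a KEYSTORE_PASS environment variable instead of at the interactive prompt, and that the host name, IP address and organization values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Commvault's own tooling: runs the Linux keytool steps of
# this procedure (steps 2, 3 and 6) with the checks a practitioner wants before
# uploading the CSR and after importing the signed chain.
# Assumptions (not from the page): keytool is on PATH, the keystore password is
# supplied in the KEYSTORE_PASS environment variable instead of at a prompt,
# and the hostname/IP/organization values below are constructed placeholders.
set -eu

# Build the SAN extension argument from a DNS name and an optional IP address
# (Chrome 58 and later require the SAN to match the host name, as noted above).
san_ext() {   # fqdn [ip]
    if [ -n "${2:-}" ]; then
        printf 'SAN=dns:%s,ip:%s' "$1" "$2"
    else
        printf 'SAN=dns:%s' "$1"
    fi
}

# Step 2: create the keystore holding the RSA key pair. The CN is the FQDN the
# browsers will connect to (the "First and Last name" prompt); -dname replaces
# the interactive questions. -genkeypair is the current spelling of -genkey.
gen_keystore() {   # keystore fqdn [ip]
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$1" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
        -dname "CN=$2, OU=IT, O=Example Corp, L=Example City, ST=Example State, C=US" \
        -ext "$(san_ext "$2" "${3:-}")"
}

# Step 3: write the CSR from the same keystore and alias. The CA, not the CSR,
# decides the validity period of the certificate it issues.
gen_csr() {   # keystore csrfile fqdn [ip]
    keytool -certreq -alias tomcat -keystore "$1" -storepass "$KEYSTORE_PASS" \
        -file "$2" -ext "$(san_ext "$3" "${4:-}")"
}

# Pre-upload check: succeed only if the CSR carries the DNS name in its SAN
# extension request (a CSR without it yields a certificate the browser rejects).
csr_has_san() {   # csrfile fqdn
    keytool -printcertreq -file "$1" -v | grep -q "DNSName: $2"
}

# Step 6: import the CA chain and then the issued certificate into the SAME
# keystore. Root first, then intermediate, so keytool can link the reply to a
# trusted entry when it replaces the tomcat entry's placeholder certificate.
# Pass an empty intermediate path when the CA chain has none.
import_chain() {   # keystore rootcert intermediatecert servercert
    keytool -importcert -noprompt -alias root -trustcacerts \
        -keystore "$1" -storepass "$KEYSTORE_PASS" -file "$2"
    if [ -n "$3" ]; then
        keytool -importcert -noprompt -alias intermed -trustcacerts \
            -keystore "$1" -storepass "$KEYSTORE_PASS" -file "$3"
    fi
    keytool -importcert -noprompt -alias tomcat -trustcacerts \
        -keystore "$1" -storepass "$KEYSTORE_PASS" -file "$4"
}

# Post-import check: the tomcat entry must still be the PrivateKeyEntry created
# in step 2 (importing the reply under another alias would only add a useless
# trusted-certificate entry) and must carry the full chain. Prints the chain
# length; returns non-zero if the entry is not a private-key entry.
tomcat_chain_length() {   # keystore
    out=$(keytool -list -v -alias tomcat -keystore "$1" -storepass "$KEYSTORE_PASS")
    printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry' || return 1
    printf '%s\n' "$out" | sed -n 's/^Certificate chain length: //p'
}
```

Call gen_keystore, gen_csr and csr_has_san before uploading the CSR; after downloading the CA's files call import_chain and compare tomcat_chain_length with the number of certificates the CA returned (3 for root, intermediate and server). Every call uses the same keystore path, which is the point the procedure stresses in steps 2, 3 and 6.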

What to Do Next

Configure the SSL Connector for Tomcat.

Last modified: 4/9/2020 3:06:29 AM