For the steps below, you must be logged in to the server as an admin or have admin credentials for the server readily available. The client will also need to have the information for step 6 readily available, as well as someone who can generate the certificate from the .csr file generated in step 8.
1. Open an Elevated Command Prompt
- Right-click on Command Prompt and select Run as administrator.
2. Verify Java Path
- Type path and press Enter.
- If the output includes the Java bin directory (e.g., C:\Program Files\Java\…), proceed to Step 4.
- If not, follow the steps below to add it:
Add Java to System Path
- Search for Environment Variables in the Windows search bar.
- Click Edit the system environment variables.
- In the System Properties window, click Environment Variables.
- Under System variables, select Path and click Edit.
- Click New and add the Java bin path (e.g., C:\Program Files\Java\jrex.x.x_xxx\bin or C:\Program Files\Eclipse Adoptium\jdk-xx.xx.xxx.x-hotspot\bin).
3. Create Working Directory
- Create a folder on the C: drive (e.g., C:\SSL).
- In the command prompt, navigate to this folder using the command below:
cd C:\SSL
4. Generate Keystore
Run the following command, replacing placeholders with your values:
keytool -genkeypair -keyalg RSA -keystore {CERTNAME}.jks -alias {ALIAS} -storepass {PASSWORD}
You will be prompted to enter the following information (provided by the client):
| Prompt | Required Information |
| --- | --- |
| First and last name | Fully Qualified Domain Name (FQDN), e.g., www.example.com |
| Organizational unit | Department or group name |
| Organization name | Legal company name |
| City or locality | City of company headquarters |
| State or province | Full state name |
| Country code | Two-letter country code (e.g., US) |
| Confirm details | Type yes to confirm |
When prompted for a password again, press Enter (already set in the command).
5. Generate Certificate Signing Request (CSR)
Run the following command; the alias must match the one used in step 4 (the CSR is written with -file rather than shell redirection so the -ext option is not left dangling after the redirect):
keytool -certreq -keystore {CERTNAME}.jks -alias {ALIAS} -storepass {PASSWORD} -ext SAN=dns:{FQDN} -file {REQUESTNAME}.csr
6. Submit CSR to Certificate Authority
- Provide the .csr file to the client for submission.
- Wait for the validated SSL certificate to be returned.
7. Prepare Certificate Files
- Save all received certificate files (including the server, intermediate, and root certificates) in the same folder as your keystore (e.g., C:\SSL).
- Ensure all certificates are in Base-64 encoded format with .cer or .crt extensions.
Extract Root and Intermediate Certificates (if needed)
If your certificate authority provided a single bundled certificate file, follow these steps to extract the Root and Intermediate/Chain certificates:
A. Open the Server Certificate
- Double-click the server certificate file (e.g., server.crt) to open it.
- Navigate to the Certification Path tab.
- Select the certificate you want to export (e.g., Intermediate or Root).
- Click View Certificate.
B. Export the Selected Certificate
- In the new window, go to the Details tab.
- Click Copy to File.
- In the Certificate Export Wizard:
- Choose Base-64 encoded X.509 (.CER) format.
- Save the file with a clear name (e.g., intermediate.cer, root.cer).
8. Import Certificates into Keystore
- Confirm the certificate files prepared in step 7 (server, intermediate and root, each as a Base-64 encoded .cer or .crt file) are in the same folder as the keystore.
- If the certificate authority supplied only a bundled server certificate, extract the Root and Intermediate/Chain certificates into their own files as described in step 7 before continuing.
Import Intermediate/Root Certificates
Repeat the following command for the Root and Intermediate/Chain certificates, creating a new unique alias for each (the default is to use Root/Intermediate/Chain as the alias names):
keytool -import -trustcacerts -file {CERTIFICATE FILENAME}.cer -alias {CREATE NEW ALIAS} -keystore {CERTNAME}.jks -storepass {PASSWORD}
Import Server Certificate
Run the following command for the Server certificate where the alias must match the alias used in step 4:
keytool -import -trustcacerts -file {SERVER_CERTIFICATE}.cer -alias {ALIAS} -keystore {CERTNAME}.jks -storepass {PASSWORD}
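A post-import check for step 8, added here and not part of the original procedure: it parses the output of `keytool -list -v -keystore {CERTNAME}.jks -storepass {PASSWORD}` (saved to a text file on the server) and reports the mistakes that most often break step 9, such as importing the signed server certificate under a new alias, which leaves the key-holding entry self-signed. The listing in the block is a constructed, abridged sample; the alias `tomcat` and the name `www.example.com` are placeholders.

```python
import re
# Constructed, abridged `keytool -list -v` output (not from a real server); only the Alias name, Entry type, chain length and DNSName lines matter here.
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, OU=IT, O=Example Inc, L=Springfield, ST=Illinois, C=US
SubjectAlternativeName [
  DNSName: www.example.com
]
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA, C=US
*******************************************
Alias name: intermediate
Entry type: trustedCertEntry
"""

def parse_listing(text):
    """Map each alias to its entry type, chain length and the end-entity cert's DNS SANs."""
    entries = {}
    for block in re.split(r"^\*{10,}$", text, flags=re.M):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue
        etype = re.search(r"^Entry type: (\w+)", block, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", block, re.M)
        leaf = block.split("Certificate[2]:")[0]  # only the server cert's SANs, not the CA certs'
        entries[alias.group(1).strip()] = {
            "type": etype.group(1) if etype else "",
            "chain": int(chain.group(1)) if chain else 1,
            "sans": re.findall(r"DNSName: (\S+)", leaf),
        }
    return entries

def check_keystore(text, alias, fqdn):
    """Findings to fix before pointing Tomcat's Connector at this keystore."""
    entries, findings = parse_listing(text), []
    server = entries.get(alias)
    if server is None:
        findings.append(f"alias {alias!r} not found: server cert was imported under a different alias than step 4")
    elif server["type"] != "PrivateKeyEntry":
        findings.append(f"alias {alias!r} is {server['type']}, not PrivateKeyEntry: it holds no private key")
    elif server["chain"] < 2:
        findings.append(f"alias {alias!r} chain length {server['chain']}: CA reply not applied, cert still self-signed")
    elif fqdn not in server["sans"]:
        findings.append(f"{fqdn} missing from SubjectAlternativeName of {alias!r}")
    if not any(e["type"] == "trustedCertEntry" for e in entries.values()):
        findings.append("no trustedCertEntry: intermediate/root certs were not imported")
    return findings
```

An empty list from check_keystore means the server alias holds the private key, carries the CA-signed chain with the expected FQDN, and the CA certificates were imported as trusted entries.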
9. Configure Apache Tomcat
- Stop the Tomcat service.
- Open server.xml in the conf directory of your Tomcat installation.
- Uncomment and modify the following connector configuration:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="{KEYSTOREPATH}.jks"
                     certificateKeystorePassword="{PASSWORD}"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Use port 443 if HTTP is on port 80, or 8443 if HTTP is on port 8080.
- Start Tomcat and test both HTTP and HTTPS access to the site.
10. Configure HTTP to HTTPS Redirection
- Open web.xml in the conf directory.
- Add the following block at the end of the document just before </web-app>:
<security-constraint>
    <display-name>RPC Request Encryption</display-name>
    <web-resource-collection>
        <web-resource-name>RPCRequests</web-resource-name>
        <description>RPC Requests</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <description>Encrypt all RPC request data destined for server</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
- Restart Tomcat and verify automatic redirection from HTTP to HTTPS.
PFX Importing into a keystore (Optional)
- Export the wildcard certificate whole, with its private key intact, as a .pfx file.
- Using cmd with Java on the path, run the command below to generate a new .jks from the wildcard cert:
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
- Run the command below and note the alias listed next to the server cert:
keytool -v -list -keystore /path/to/keystore
- Export a second copy of the certificate as a .cer, whole but without the private key.
- Extract the chain and root certificates from the .cer server certificate.
- Import (trust) the chain and root files into the newly made .jks file; do not import the server certificate as a trusted certificate.
- Update the server.xml in the Tomcat directory to point to the new .jks file.
- If it isn't already present, add a new line below the .jks password line that reads as below, with the alias noted from the keystore listing above placed between the quotes: certificateKeyAlias=""
- Restart Tomcat