Obtaining a Certificate for Tomcat

 
Send an e-mail to the SensorNetCA (romeja@ornl.gov) requesting a Tomcat certificate. The e-mail should contain:
  • The IP name of your server
  • Your name and e-mail address
  • Your phone number
  • Your Organization
  • Your Organizational Unit
  • Your City
  • Your State
  • Your Country

When your request is approved, I will send you an e-mail with a URL for you to pick up your certificate. Tomcat requires a jks certificate store format, so be sure to select jks when you get the certificate. You will have to save the jks keystore using your Web browser. Call the file tomcat.jks. The jks keystore is encrypted using the password in your e-mail. But there is more work to do before you can use the jks file in Tomcat.

You should be able to use the keystore as given. However, the password for the store and the private key (which are set to the password in your e-mail) need to be changed to something stronger. Use keytool to do this:

First, list the keystore to get the alias for your certificate (see below for sample output). My alias was ca.sensornet.gov. (Do not type the angle brackets in the commands below!)

$ keytool -list -keystore tomcat.jks
Enter keystore password: e-mail_password

$ keytool -keypasswd -alias <alias for your server> -keypass <e-mail password> -new <new password> \
    -keystore tomcat.jks
Enter keystore password: e-mail_password

$ keytool -storepasswd -keystore tomcat.jks -new <new password>
Enter keystore password: e-mail_password

You should repeat the list command to be sure that your new password works. This should be all you need to do to get the jks file to work. But if not, you can try the following procedure:

The jks file generated by the SensorNet CA has two parts in it. One part is the SensorNetCA certificate, which allows your server certificate to be verified. The other part is your server certificate. It is also encrypted using the password in your e-mail message. You can view the contents of your jks file using keytool (in your Java jdk/bin directory).

$ keytool -list -keystore tomcat.jks
Enter keystore password: your_password

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

ca.sensornet.gov, Nov 13, 2006, keyEntry,
Certificate fingerprint (MD5): FC:97:3F:B6:27:66:39:4E:CD:87:2E:7E:03:31:F1:B6
cacert, Nov 13, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 61:C4:07:4B:4A:BA:78:67:7D:60:F9:9B:E9:FE:3B:C5

The first step is to extract your server certificate (for me, ca.sensornet.gov) from this file so we can remove the password, and then put it back into the jks keystore. The easiest way to do these steps is to use pkeytool. The zip file contains an executable jar that will work on any platform.

In the steps below, 'pkeytool' is something like

$ java -jar /usr/local/pkeytool/pkeytool.jar

1) Extract your server certificate and your server key (use your alias from the step above):

$ 'pkeytool' -exportkey -alias ca.sensornet.gov -file server.key -keystore tomcat.jks
(enter keystore password from the e-mail)
(enter key password from the e-mail)
$ keytool -export -alias ca.sensornet.gov -file server.cert -keystore tomcat.jks
   (enter keystore password from the e-mail)

2) Import the certificate and key back into the jks file with no password:

$ 'pkeytool' -importkey -keyfile server.key -certfile server.cert -alias ca.sensornet.gov \
    -keystore tomcat.jks
(enter keystore password from the e-mail)

3) Protect your keystore with a better password:

$ keytool -storepasswd -new <new_storepass> -keystore tomcat.jks
  (enter keystore password from the e-mail)

Install the resulting tomcat.jks file at the location pointed to in your Tomcat SSL configuration file.
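If you prefer to script the password change rather than run the keytool commands above by hand, the following program does the same job with the Java KeyStore API and additionally checks that the keyEntry really chains to the trustedCertEntry before anything is rewritten. This is an added example, not part of the SensorNet instructions or the pkeytool distribution; the class name RekeyTomcatJks is made up, and it assumes (as stated above) that the store password and the key password are both the password from the e-mail.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Hypothetical helper: verify a SensorNet-issued tomcat.jks and re-protect it.
 *  Usage: java RekeyTomcatJks tomcat.jks tomcat-new.jks <serverAlias> <mailedPw> <newPw>
 *  The rekeyed store is written to a new file so the original survives any failure. */
public class RekeyTomcatJks {
    public static void main(String[] args) throws Exception {
        String inPath = args[0], outPath = args[1], alias = args[2];
        char[] oldPw = args[3].toCharArray();   // password from the CA's e-mail
        char[] newPw = args[4].toCharArray();   // your stronger replacement

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(inPath)) {
            ks.load(in, oldPw);                 // store password == mailed password
        }

        // Expect exactly the two entries keytool -list showed: a keyEntry and a trustedCertEntry.
        if (!ks.isKeyEntry(alias))
            throw new IllegalStateException(alias + " is not a keyEntry in " + inPath);
        String caAlias = null;
        for (String a : Collections.list(ks.aliases()))
            if (ks.isCertificateEntry(a)) caAlias = a;
        if (caAlias == null)
            throw new IllegalStateException("no trustedCertEntry (CA certificate) found");

        // Confirm the server certificate was signed by the bundled CA certificate and is in date.
        X509Certificate server = (X509Certificate) ks.getCertificate(alias);
        X509Certificate ca = (X509Certificate) ks.getCertificate(caAlias);
        server.verify(ca.getPublicKey());       // throws SignatureException on mismatch
        server.checkValidity();                 // throws if expired or not yet valid

        // Re-protect the private key (key password == mailed password) with the new password.
        PrivateKey key = (PrivateKey) ks.getKey(alias, oldPw);
        Certificate[] chain = ks.getCertificateChain(alias);
        ks.setKeyEntry(alias, key, newPw, chain);

        // Save under the new store password; point Tomcat at outPath afterwards.
        try (FileOutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, newPw);
        }
        System.out.println(alias + " verified against " + caAlias + "; wrote " + outPath);
    }
}
```

Run `keytool -list -keystore tomcat-new.jks` with the new password afterwards to confirm both entries are still present.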