Tuesday, July 20, 2021

CommVault - Creating a CA-Signed Certificate for the Tomcat Server


Procedure

1. From the command prompt, go to the folder that contains the keytool.exe file:
 - For Windows systems, go to C:\Program Files\Commvault\ContentStore\jre\bin.
 - For Linux systems, go to /usr/lib/jvm/jdkx/bin.


2. To create the keystore file containing the key-pair/certificate to be signed, run the following command:

For Windows (general form, followed by an example with multiple SAN entries):
> keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks" -ext SAN=dns:<domainname>
> keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks" -ext "SAN=dns:myserv.eg.com,dns:cnameserv.eg.com,EMAIL:admin@eg.com"

For Linux:
# keytool -genkey -alias tomcat -keyalg RSA -keystore "/mykeystore.jks" -ext SAN=dns:<domainname>


3. To generate a CSR, run the following command (general form, followed by an example with multiple SAN entries):

keytool -certreq -keyalg RSA -alias tomcat -file C:\tomcat.csr -keystore C:\mykeystore.jks -validity <daysValid> -ext SAN=dns:<domainname>

keytool -certreq -keyalg RSA -alias tomcat -file C:\tomcat.csr -keystore C:\mykeystore.jks -validity 365 -ext SAN=dns:myserv.eg.com,dns:cnameserv.eg.com

4. Upload the CSR to the CA website, indicate the type of Tomcat server, and submit for signing.
5. Download the root, intermediate, and issued server/domain certificates.

6. Import each signed certificate that is issued by the CA using the following commands:

    a. Root certificate:
    keytool -import -alias root -keystore C:\mykeystore.jks -trustcacerts -file C:\valicert_class2_root.crt

    b. Intermediate certificate:
    keytool -import -alias intermed -keystore C:\mykeystore.jks -trustcacerts -file C:\gd_intermediate.crt

    c. Issued server/domain certificate:
    keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt


Note: The keystore parameter must be the path to the keystore file that was used to generate the CSR. You must use the same keystore file throughout this procedure.


7. Configure the certificate:
a. Stop the Tomcat Server.
b. Go to software_installation_path/Apache/Conf, and then back up the server.xml file that is part of the Apache configuration.
c. Copy the generated keystore file to software_installation_path/Apache.
d. For new installations of Version 11 SP9 or higher, in the server.xml file, modify the path to the generated keystore file and the keystore password values:

<Certificate certificateKeystoreFile="software_installation_path/Apache/your_file" certificateKeystorePassword="password" certificateKeystoreType="JKS"/>

8. Restart the service
a. Click Start and point to All Programs.
b. Click Commvault > Process Manager.
c. Under the Services tab, right-click a running service and then click Restart.
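
A check worth running after step 6 and before copying the keystore in step 7, as an added example that is not part of the Commvault procedure: it reads `keytool -list -v` output and confirms that the `tomcat` alias is still a private-key entry and now carries the CA-issued chain, which is what the note about using the same keystore file protects. The function name `check_listing` and the three abridged listings are constructed for illustration.

```shell
# Added example (not Commvault code). Returns 0 only when the alias is a key entry
# with a CA-issued chain: keytool -list -v -keystore /mykeystore.jks | check_listing tomcat
check_listing() {
  awk -v want="${1:-tomcat}" '
    { sub(/\r$/, "") }                                  # tolerate CRLF output
    /^Alias name: /               { alias = substr($0, 13); cert = 0 }
    alias != want                 { next }              # skip other entries
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { chain = $4 }
    /^Certificate\[/              { cert++ }            # leaf is Certificate[1]
    cert == 1 && /^Owner: /       { owner = substr($0, 8) }
    cert == 1 && /^Issuer: /      { issuer = substr($0, 9) }
    END {
      if (type == "") { print "FAIL: alias " want " not found"; exit 1 }
      if (type != "PrivateKeyEntry") { print "FAIL: " want " is " type ", no private key in this keystore"; exit 1 }
      if (chain < 2 || owner == issuer) { print "FAIL: " want " is still self-signed"; exit 1 }
      print "OK: " want " has a chain of " chain " issued by " issuer
    }'
}
# Constructed listing: after step 2 only, nothing imported yet.
sample_selfsigned() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myserv.eg.com
Issuer: CN=myserv.eg.com
EOF
}
# Constructed listing: after step 6 on the keystore that produced the CSR.
sample_signed() { cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Constructed Root CA
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=myserv.eg.com
Issuer: CN=Constructed Intermediate CA
EOF
}
# Constructed listing: step 6c run against a different keystore file.
sample_wrong_store() { cat <<'EOF'
Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=myserv.eg.com
EOF
}
```

A `trustedCertEntry` under the `tomcat` alias means the issued certificate was imported into a keystore that does not hold the matching private key, so Tomcat would have nothing to serve it with.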



https://documentation.commvault.com/commvault/v11/article?p=50497.htm
