Tuesday, July 27, 2021

Creating a CA-Signed Certificate for the Tomcat Server


Procedure

1. From the command prompt, go to the folder that contains the keytool.exe file:
 - For Windows systems, go to C:\Program Files\Commvault\ContentStore\jre\bin.
 - For Linux systems, go to /usr/lib/jvm/jdkx/bin.


2. To create the keystore file containing the key-pair/certificate to be signed, run the following command:

For Windows:
> keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks" -ext SAN=dns:<domainname>
> keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks" -ext "SAN=dns:myserv.eg.com,dns:cnameserv.eg.com,EMAIL:admin@eg.com"

For Linux:
# keytool -genkey -alias tomcat -keyalg RSA -keystore "/mykeystore.jks" -ext SAN=dns:<domainname>


3. To generate a CSR, run the following command:

keytool -certreq -keyalg RSA -alias tomcat -file C:\tomcat.csr -keystore C:\mykeystore.jks -validity <daysValid> -ext SAN=dns:<domainname>

keytool -certreq -keyalg RSA -alias tomcat -file C:\tomcat.csr -keystore C:\mykeystore.jks -validity 365 -ext SAN=dns:myserv.eg.com,dns:cnameserv.eg.com

4. Upload the CSR to the CA website, indicate the type of Tomcat server, and submit for signing.
5. Download the root, intermediate, and issued server/domain certificates.

6. Import each signed certificate that is issued by the CA using the following commands:

    a. Root certificate:
    keytool -import -alias root -keystore C:\mykeystore.jks -trustcacerts -file C:\valicert_class2_root.crt

    b. Intermediate certificate:
    keytool -import -alias intermed -keystore C:\mykeystore.jks -trustcacerts -file C:\gd_intermediate.crt

    c. Issued server/domain certificate:
    keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt


Note: The keystore parameter must be the path to the keystore file that was used to generate the CSR. You must use the same keystore file throughout this procedure.


https://documentation.commvault.com/commvault/v11/article?p=50497.htm
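
A check worth running on the keystore after step 6, added here as an example (it is not part of the Commvault procedure): the signed certificate attaches to the private key only when it is imported under the alias and into the keystore that produced the CSR, and the output of `keytool -list -v` shows whether that happened. The helper name `check_keystore_listing`, the constructed sample listings, and English-language keytool output are assumptions.

```shell
#!/bin/sh
# Added example, not Commvault code. check_keystore_listing is a hypothetical helper.
# Real use: keytool -list -v -keystore /mykeystore.jks | check_keystore_listing tomcat
# Returns 0 = key entry with CA chain, 1 = alias missing,
#         2 = alias holds no private key, 3 = still only the self-signed certificate.
check_keystore_listing() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF from a Windows console
        /^Alias name: /  { cur = substr($0, 13) }
        cur == want && /^Entry type: /  { etype = substr($0, 13) }
        cur == want && /^Certificate chain length: /  { clen = substr($0, 27) + 0 }
        END {
            if (etype == "") { print want ": alias not found"; exit 1 }
            if (etype != "PrivateKeyEntry") {
                print want ": " etype ", the private key is not in this keystore"; exit 2 }
            if (clen < 2) { print want ": chain length " clen ", CA reply not imported"; exit 3 }
            print want ": PrivateKeyEntry, chain length " clen
        }'
}

# Constructed, abridged `keytool -list -v` listings (not from a real keystore).
listing() {  # $1 = entry type of alias tomcat, $2 = its chain length ("" to omit)
    printf 'Alias name: root\nEntry type: trustedCertEntry\n\n'
    printf 'Alias name: tomcat\nEntry type: %s\n' "$1"
    [ -z "$2" ] || printf 'Certificate chain length: %s\n' "$2"
}

listing PrivateKeyEntry 3 | check_keystore_listing tomcat    # step 6 done on the same keystore
listing PrivateKeyEntry 1 | check_keystore_listing tomcat || echo "  -> rc=$?"
listing trustedCertEntry "" | check_keystore_listing tomcat || echo "  -> rc=$?"
```

A result of 2 means the server certificate was imported into a keystore other than the one used for the CSR, which is the situation the note above warns about.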

7. Configure the certificate:

    a. Stop the Tomcat Server.
    b. Go to software_installation_path/Apache/Conf, and then back up the server.xml file that is part of the Apache configuration.
    c. Copy the generated keystore file to software_installation_path/Apache.

    d. For new installations of Version 11 SP9 or higher, in the server.xml file, modify the path to the generated keystore file and the keystore password values:

<Certificate certificateKeystoreFile="software_installation_path/Apache/your_file" certificateKeystorePassword="password" certificateKeystoreType="JKS"/>

8. Restart the service
a. Click Start and point to All Programs.
b. Click Commvault > Process Manager.
c. Under the Services tab, right-click a running service and then click Restart.


