Purpose: These instructions provide a detailed step-by-step guide to reusing an existing CA-signed SSL certificate for your Tomcat keystore, so that the JSS server presents the same certificate.
Requirements: Mac OS X Server (10.6.8), Casper Suite 8.21, access to download a copy of SSL provider cert bundle, web server certificate, and admin access to Mac OS X server computer being used for installation.
Obtain Server Private Key
Launch Keychain Utility on your server with root privileges:
1) In terminal, type:
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
Type your administrator password when prompted.
2) Once Keychain utility launches, select “Keys” in the Category pane.
3) Select your existing web server private key and certificate pair, and click File > Export Items.
When choosing a location to save, remember you’re authenticated as root, and the hidden root home folder may be displayed as a default location. Choose a location on the desktop of your currently-logged in user (e.g. Desktop).
The file format should be .p12. I will name my exported file “mykeypair.p12”.
You will be asked to create a password for the exported .p12 file; choose something secure but easy to remember.
Extract the private key from exported .p12
Please note, the private key is very sensitive, and a file should *not* be left sitting around with the server’s private key. Protect it very carefully.
sudo openssl pkcs12 -in mykeypair.p12 -nocerts -nodes -out privatekey.key
Where privatekey.key is the arbitrary name of the exported file. The
Authenticate when prompted (administrator password). Then type the export password previously configured.
The new private key file will be created, but it will have additional information that’s not needed.
Open the new file in a text editor:
sudo nano /path_to_key_file/privatekey.key
Trim the file contents so you only have:
-----BEGIN RSA PRIVATE KEY-----
UNWNW2304983…..(REST OF CONTENTS TRUNCATED)
-----END RSA PRIVATE KEY-----
Save and close the privatekey.key file.
Obtain CA-signed Webserver and CA Bundle Certificates
Download a copy of your web server SSL certificate and CA bundle certificate from your SSL provider. In the case of GoDaddy, for instance, these look like this (when downloaded for Tomcat):
The ones we want, in particular, are gd_bundle.crt and hostname.tld.com.crt (hostname.tld.com will actually be the FQDN of your web server). Move these to your working folder, alongside the privatekey.key file previously created.
You should now have a folder with your exported .p12 file from Keychain Access, web server certificate, and CA bundle file.
Create a PKCS12 keystore for use with Tomcat
Now, we will create the PKCS12 file that Tomcat will use:
openssl pkcs12 -export -in hostname.tld.com.crt -inkey privatekey.key -out jsscert.p12 -name tomcat -CAfile gd_bundle.crt -caname root -chain
In the above command, the files are those from the earlier steps: hostname.tld.com.crt is the web server certificate, privatekey.key is the private key extracted above, gd_bundle.crt is the CA bundle, and jsscert.p12 is the keystore being created (with the key entry aliased as “tomcat”).
After executing the command, you will be prompted for an export password to be used with the resulting PKCS12 file; enter the password “changeit”.
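The two openssl steps above (extracting and trimming the private key from the Keychain .p12, then assembling jsscert.p12 from certificate, key and CA bundle) are worth checking before the file is moved into the Tomcat directory. The script below is an added example, not part of the original post: it runs the article's commands non-interactively against a throwaway CA and certificate it generates itself (the names gd_bundle.crt, hostname.tld.com.crt, mykeypair.p12 and the password exportpw are constructed stand-ins for your provider's files), trims the key with sed instead of by hand in nano, restricts the key file to its owner, and then confirms that the keystore holds the leaf plus its chain, that the leaf is aliased “tomcat”, and that the stored key really belongs to the certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces the key
# extraction (Keychain .p12 -> trimmed PEM key) and the keystore build
# (cert + key + CA bundle -> jsscert.p12) non-interactively, then checks
# the keystore before it goes anywhere near Tomcat. The CA, certificate and
# file names below are constructed stand-ins for the article's GoDaddy files.
set -eu

# make_test_material DIR: throwaway CA ("gd_bundle.crt"), a leaf cert signed by
# it ("hostname.tld.com.crt"), and a .p12 export standing in for Keychain Access.
make_test_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/gd_bundle.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=hostname.tld.com" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/gd_bundle.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/hostname.tld.com.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/hostname.tld.com.crt" -inkey "$dir/leaf.key" \
    -out "$dir/mykeypair.p12" -passout pass:exportpw
}

# extract_private_key P12 PASSWORD OUT: the article's "-nocerts -nodes" step,
# with the surrounding Bag Attributes trimmed by sed instead of by hand in nano.
extract_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$3"
  chmod 600 "$3"                       # owner-only: this is the server's private key
  openssl pkey -in "$3" -noout         # fails if the trimmed file is not a valid key
}

# build_keystore DIR PASSWORD: the article's export command, made non-interactive
build_keystore() {
  openssl pkcs12 -export -in "$1/hostname.tld.com.crt" -inkey "$1/privatekey.key" \
    -out "$1/jsscert.p12" -name tomcat -CAfile "$1/gd_bundle.crt" -caname root -chain \
    -passout "pass:$2"
}

# count_keystore_certs P12 PASSWORD: number of certificates stored (leaf plus chain)
count_keystore_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# keystore_alias P12 PASSWORD: friendlyName of the leaf, which Tomcat's key alias must match
keystore_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# key_matches_cert P12 PASSWORD: the stored key's public half equals the leaf cert's
key_matches_cert() {
  k="$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)"
  c="$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -pubkey -noout 2>/dev/null)"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_test_material "$WORK"
extract_private_key "$WORK/mykeypair.p12" exportpw "$WORK/privatekey.key"
build_keystore "$WORK" changeit
printf 'certificates in keystore: %s\n' "$(count_keystore_certs "$WORK/jsscert.p12" changeit)"
printf 'leaf alias: %s\n' "$(keystore_alias "$WORK/jsscert.p12" changeit)"
key_matches_cert "$WORK/jsscert.p12" changeit && echo 'private key matches certificate'
```

On a real server, skip make_test_material and point extract_private_key and build_keystore at the exported Keychain .p12 and the downloaded provider files; a certificate count of 1 means the -chain option could not find the intermediates in the bundle, and a failed key_matches_cert means the wrong key was exported from Keychain Access.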
Once the file is created, move it to the JSS Tomcat directory, like so:
sudo mv /path_to_new_p12/jsscert.p12 /Library/JSS/Tomcat/jsscert.p12
Edit /Library/JSS/Tomcat/conf/server.xml. In the area for the 8443 connector port, you will need to add/edit the following:
The fully configured connector port should look similar to this (the two lines I added/edited are highlighted in blue):
Save the file and close it.
Restart the Tomcat service:
sudo launchctl unload /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist
sudo launchctl load /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist
Upon visiting your JSS admin page again, it should now be using your SSL cert!