SSL – How to configure Apache/Tomcat to trust internal Certificate Authorities for server-to-server https requests


I need to perform web service calls from within my own web server running on Apache/Tomcat. Apache/Tomcat running on Linux needs to make calls out to a Microsoft server running IIS over HTTPS that uses an internal Certificate Authority (CA) for SSL.

How do I get Apache/Tomcat to trust the proper root certificate from this CA?

Also, how do I test that this trust is working? I assume a browser request from the server hosting Apache/Tomcat is insufficient.

Best Answer

I assume that you have already exported the CA certificate to a file, such as "internal-ca.pem". Also, I assume that it is Tomcat that initiates the SSL connection to the IIS server.

You must use the Java keytool to import the certificate into the Java keystore that is being used by your Tomcat engine. The keystore for CA certs is $JAVA_HOME/jre/lib/security/cacerts. So to import your new internal-ca.pem certificate into this keystore, you would use:

$JAVA_HOME/bin/keytool -importcert \
  -keystore $JAVA_HOME/jre/lib/security/cacerts \
  -file /path/to/internal-ca.pem  \
  -trustcacerts -alias internal-ca-1

The default password for the keystore is: changeit

Verify that your cert is in the keystore:

$JAVA_HOME/bin/keytool -list \
  -keystore $JAVA_HOME/jre/lib/security/cacerts -v | less

Test the connection to the server:

openssl s_client -CAfile /path/to/internal-ca.pem -connect server:port

This should give you, near the end of its output:

Verify return code: 0 (ok)

If you want to test the trust from within Tomcat, you will have to write some test code to do it. Sorry, I don't know any Java. :-)
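As an added example that is not part of the question or the answer above: the following shell script walks the whole procedure offline, using a throwaway stand-in for the internal CA and for the IIS box so you can see what "trust is working" looks like before touching a real server. Everything in it is an assumption made for the demo: the CA name, the server name iis.internal.example, the ports 44330/44331, the alias internal-ca and the truststore file name. It needs openssl (1.1.0 or newer) and, for the keytool step, a JDK on the PATH. It also departs from the answer in one respect: instead of editing the JDK's own cacerts file (which the next JDK upgrade silently replaces), it builds a dedicated PKCS12 truststore that Tomcat is pointed at through JVM system properties.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds a fake internal CA,
# a server cert it signed, a dedicated truststore for the CA, and then checks
# the trust from the client side the way the answer suggests (openssl s_client).
set -u

# 1. Stand-in for the internal CA plus a server cert it issued (assumed names).
make_test_pki() {
  pki_dir=$1
  # Minimal req config: empty DN section (we pass -subj) and CA extensions.
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' \
    > "$pki_dir/req.cnf"
  printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\n' >> "$pki_dir/req.cnf"
  printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' \
    >> "$pki_dir/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$pki_dir/req.cnf" \
    -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.pem" \
    -subj "/CN=Internal Test CA" >/dev/null 2>&1 || return 1
  # Server key + CSR, signed by the CA. The SAN is what clients (Java included)
  # match the hostname against; a CN alone is not enough any more.
  openssl req -newkey rsa:2048 -nodes -config "$pki_dir/req.cnf" \
    -keyout "$pki_dir/server.key" -out "$pki_dir/server.csr" \
    -subj "/CN=iis.internal.example" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:iis.internal.example\nextendedKeyUsage=serverAuth\n' \
    > "$pki_dir/server.ext"
  openssl x509 -req -days 1 -in "$pki_dir/server.csr" \
    -CA "$pki_dir/ca.pem" -CAkey "$pki_dir/ca.key" -CAcreateserial \
    -extfile "$pki_dir/server.ext" -out "$pki_dir/server.pem" >/dev/null 2>&1
}

# 2. Import the CA into its own PKCS12 truststore (not the JDK cacerts) and
#    prove the alias is there. Tomcat then gets, e.g. in CATALINA_OPTS:
#      -Djavax.net.ssl.trustStore=/path/internal-truststore.p12
#      -Djavax.net.ssl.trustStorePassword=changeit
#      -Djavax.net.ssl.trustStoreType=PKCS12
#    "changeit" is only used here to mirror the answer; pick your own.
build_truststore() {
  ts_dir=$1
  ts_file="$ts_dir/internal-truststore.p12"
  keytool -importcert -noprompt -storetype PKCS12 \
    -keystore "$ts_file" -storepass changeit \
    -alias internal-ca -file "$ts_dir/ca.pem" >/dev/null 2>&1 || return 1
  # keytool -list exits non-zero if the alias is missing, so this is the check.
  keytool -list -keystore "$ts_file" -storepass changeit \
    -alias internal-ca >/dev/null 2>&1
}

# 3. Stand-in for the IIS box: a local TLS server presenting the CA-signed cert.
#    Prints the server PID once the port accepts connections.
start_test_server() {
  srv_dir=$1; srv_port=$2
  openssl s_server -accept "$srv_port" -www \
    -cert "$srv_dir/server.pem" -key "$srv_dir/server.key" >/dev/null 2>&1 &
  srv_pid=$!
  tries=0
  while ! openssl s_client -connect "127.0.0.1:$srv_port" </dev/null >/dev/null 2>&1; do
    tries=$((tries + 1))
    if [ "$tries" -ge 50 ]; then kill "$srv_pid" 2>/dev/null; return 1; fi
    sleep 0.2
  done
  echo "$srv_pid"
}

# 4. The answer's s_client check, made decisive: trust is proven only if the
#    chain verifies AND the expected name matches. Pass "" as cafile to see
#    what a client that does not know the internal CA gets.
check_trust() {
  ck_port=$1; ck_cafile=$2; ck_name=$3
  if [ -n "$ck_cafile" ]; then
    out=$(openssl s_client -connect "127.0.0.1:$ck_port" -CAfile "$ck_cafile" \
      -verify_hostname "$ck_name" </dev/null 2>/dev/null)
  else
    out=$(openssl s_client -connect "127.0.0.1:$ck_port" \
      -verify_hostname "$ck_name" </dev/null 2>/dev/null)
  fi
  printf '%s\n' "$out" | grep -q "Verify return code: 0 (ok)"
}

# Demo run: "trusted: yes" only with the CA file and the right hostname.
work=$(mktemp -d)
if make_test_pki "$work" && pid=$(start_test_server "$work" 44330); then
  check_trust 44330 "$work/ca.pem" iis.internal.example \
    && echo "with CA file, right name:  trusted: yes" \
    || echo "with CA file, right name:  trusted: NO (setup problem)"
  check_trust 44330 "$work/ca.pem" wrong.name.example \
    && echo "with CA file, wrong name:  trusted: yes (unexpected)" \
    || echo "with CA file, wrong name:  trusted: no (expected)"
  check_trust 44330 "" iis.internal.example \
    && echo "without CA file:           trusted: yes (unexpected)" \
    || echo "without CA file:           trusted: no (expected)"
  kill "$pid" 2>/dev/null
  if command -v keytool >/dev/null 2>&1; then
    build_truststore "$work" && echo "keytool: alias internal-ca present in truststore"
  fi
fi
rm -rf "$work"
```

Two caveats worth carrying over to the real setup: on JDK 9 and later the bundled cacerts file lives at $JAVA_HOME/lib/security/cacerts rather than under jre/, which is one more reason to keep a separate truststore and point the JVM at it; and Java's HttpsURLConnection checks the hostname against the certificate's subjectAltName as well as the chain, so an s_client run that reports "Verify return code: 0 (ok)" without a hostname check can still correspond to a failing call from Tomcat if the IIS certificate was issued for a different name than the one in your URL.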