SSL – How to secure an internal website for internal users, using SSL and Server 2008 as a CA

Tags: certificate-authority, ssl, tomcat

I need an experienced person to guide me on this little project 🙂

We have one Domain Controller [Win2k8 R2] with the Active Directory Certificate Services role. Let's call it ServerOne.OurDomain.com.

I've got a second Windows 2008 R2 server, ServerTwo.OurDomain.com, that runs an Apache Tomcat web server. We are setting up an Outlook plug-in for all users that requires an SSL connection to an OAuth server. I fumbled through the instructions to add the OAuth module to Tomcat and enable a connector using SSL on port 8443 [default SSL port for Tomcat].

But now I don't know how to "put 2 and 2 together" — How can I generate a certificate from our internal CA so there are no SSL certificate errors when connecting to ServerTwo.OurDomain.com? So far I made the "keystore" file on ServerTwo using the JRE "keytool.exe" program, and of course the certificate shows it [like, when you click the lock icon in a browser] as a self-signed cert with no CA chain.

Any help in this area is greatly appreciated.

Best Answer

I ended up figuring this out on my own. I documented my steps; hopefully this helps anybody with the same issue in the future:

  1. Generate CSR on Tomcat

    • Create the keystore and private key: keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
    • "Keytool" is in your Java's JDK or JRE home directory's "bin" folder
    • "keystore" includes the path to your keystore file, such as "C:\store\keystore"
    • Fill out the information it asks, noting that "first and last name" is really asking for the FQDN
    • Create the CSR file: keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore
    • [I then copied to a common share:] copy certreq.csr Z:\
  2. Sign the certificate

    • On the server with Active Directory Certificate Services role, in an elevated command prompt: certreq -submit -attrib "CertificateTemplate: WebServer" Z:\certreq.csr certificate.cer
    • Choose the CA you're working on in the popup
    • [Then I copied back to the share:] copy certificate.cer Z:\
  3. Import the Root CA certificate

    • On the server with Active Directory Certificate Services role:
    • Server Manager --> Roles --> Active Directory Certificate Services --> [Your CA] --> Issued Certificates
    • Open any from the list signed by your CA, go to the Certification Path tab
    • "View Certificate" for the root CA, if it is your server's CA
    • Details tab --> Copy to File... [then I saved to Z:\RootCA.cer]
    • On the Tomcat server:
    • keytool -import -trustcacerts -alias rootca -file Z:\RootCA.cer -keystore keystore
    • Type "yes" to trust the certificate
  4. Import the certificate for Tomcat

    • keytool -import -trustcacerts -alias tomcat -file Z:\certificate.cer -keystore keystore


Note: if at this point your browser still doesn't trust that it was signed by a trusted Root CA, you may have to push out the Root CA server through Group Policy... It was a quick Google for me. I had already set that up before these steps, so I'm not sure if it matters or not.
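The four steps of the answer above, collected into one script as an added example (this is not the answerer's own script). It is meant to be run from an elevated PowerShell prompt on ServerTwo with the JDK's bin folder on PATH and the Z:\ share mounted. The CA config string, the share path, the keystore path and the organisation name in the DN are placeholders assumed for this example; it also assumes a single-tier (root-only) CA, that the account running it has Enroll permission on the WebServer template, and that the template copies the Subject Alternative Name extension from the request. Only the CSR and the issued certificates cross the share; the private key stays in the keystore on ServerTwo.

```powershell
# Added example, not part of the original answer. Placeholders: $caConfig,
# $keystore, $share and the O= value in the DN.
$fqdn      = "ServerTwo.OurDomain.com"
$caConfig  = "ServerOne.OurDomain.com\OurDomain-CA"  # assumed "host\CA name"; list yours with: certutil -dump
$keystore  = "C:\store\keystore"
$share     = "Z:\"
$storePass = Read-Host "Keystore password"           # keytool only accepts it on the command line

# Run a native command and stop the script on a non-zero exit code, so a
# rejected request or a wrong keystore password does not pass silently.
function Invoke-Native {
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Key pair and CSR. CN carries the FQDN (what "first and last name" asks
#    for), and the CSR also requests a SAN entry for it, because current
#    browsers ignore CN and match the host name against SAN only.
#    "-ext" on -certreq needs a Java 8 or later keytool; omit it on older JDKs.
Invoke-Native keytool @("-genkeypair", "-alias", "tomcat", "-keyalg", "RSA", "-keysize", "2048",
    "-keystore", $keystore, "-storepass", $storePass, "-keypass", $storePass,
    "-dname", "CN=$fqdn, O=OurDomain")
Invoke-Native keytool @("-certreq", "-alias", "tomcat", "-keystore", $keystore,
    "-storepass", $storePass, "-file", (Join-Path $share "certreq.csr"), "-ext", "SAN=dns:$fqdn")

# 2. Submit the CSR to the CA. Naming the CA with -config avoids the picker
#    popup and lets this run from ServerTwo instead of on the CA itself.
#    If the template requires manager approval the request stays pending and
#    no .cer is written, which the check below catches.
Invoke-Native certreq @("-submit", "-config", $caConfig, "-attrib", "CertificateTemplate:WebServer",
    (Join-Path $share "certreq.csr"), (Join-Path $share "certificate.cer"))
if (-not (Test-Path (Join-Path $share "certificate.cer"))) { throw "CA did not issue a certificate (pending or denied?)" }

# 3. Fetch the CA's own certificate straight from the CA, then trust it in the
#    keystore. On a two-tier PKI, repeat the import for each CA up the chain.
Invoke-Native certutil @("-config", $caConfig, "-ca.cert", (Join-Path $share "RootCA.cer"))
Invoke-Native keytool @("-importcert", "-trustcacerts", "-noprompt", "-alias", "rootca",
    "-file", (Join-Path $share "RootCA.cer"), "-keystore", $keystore, "-storepass", $storePass)

# 4. Import the issued certificate under the SAME alias as the key pair, so
#    keytool attaches it to the private key instead of adding a new trusted entry.
Invoke-Native keytool @("-importcert", "-trustcacerts", "-alias", "tomcat",
    "-file", (Join-Path $share "certificate.cer"), "-keystore", $keystore, "-storepass", $storePass)

# Checks: the entry must hold a private key and a two-certificate chain
# (server cert + root), and Windows must be able to build and verify the same chain.
$listing = (& keytool -list -v -alias tomcat -keystore $keystore -storepass $storePass) | Out-String
if ($listing -notmatch "PrivateKeyEntry")            { throw "tomcat entry has no private key" }
if ($listing -notmatch "Certificate chain length: 2") { throw "tomcat entry is not chained to the CA" }
Invoke-Native certutil @("-verify", (Join-Path $share "certificate.cer"))
Write-Host "Keystore $keystore is ready for Tomcat (alias tomcat)."
```

After this, point the 8443 connector in Tomcat's server.xml at the keystore (keystoreFile, keystorePass and keyAlias="tomcat") and restart Tomcat. Two things decide whether the lock icon is clean from a client: the client must reach the server by the exact name in the certificate (https://ServerTwo.OurDomain.com:8443, not the short name or an IP address), and the client must trust the issuing CA. Domain-joined machines trust an enterprise AD CS CA automatically because its certificate is published in Active Directory; it is a standalone CA, or non-domain clients, that need the root pushed out by Group Policy or installed by hand, which is the situation the note above describes.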
