
Install SSL on Tomcat with certificate .cer

My question is whether it is possible to add SSL to a Windows Server with Tomcat 7 installed using only a .cer file.

I have a client that uses SSL in their applications with IIS, and whenever they need to install SSL on their IIS server they only install this .cer file. But as I made an application with Tomcat for them and I need to protect that application with HTTPS, I asked for a certificate and they sent me this .cer file.

I have already tried to generate the .JKS file and add it to Tomcat in several ways, and with none of them was I successful. Ex:

    keytool -import -alias root -keystore example.jks -trustcacerts -file certificate.cer

With this I generate the jks file and map it to Tomcat, but it does not work. I know the Tomcat settings are fine because I did a test generating the file using genkey, which returns a .keystore file, and with that it works.

Edit:

Connector in server.xml:

    <Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="443" 
       maxThreads="200"
       scheme="https" 
       secure="true" 
       SSLEnabled="true"
       keystoreFile="C:/path/example.jks" 
       keystorePass="password"
       clientAuth="false"
       sslProtocol="TLS"
       keyAlias="root" />

Should I request this certificate in another format?

Has anyone gone through this and can you give me some hint at least?

Thank you.

To answer your question: a single CER file will usually not be enough to properly configure an HTTPS connector in Tomcat or any other web/application server.

Not sure how this is configured in IIS, but you will always need a private/secret key to use SSL.

Basically the standard flow when using a signed certificate (not self-signed) is like this:

  1. Generate a private/secret key

     $ keytool -genkey -keystore tomcat.jks -alias tomcat -keyalg RSA -dname "CN=<hostname>"
  2. Generate a certificate signing request for this key

     $ keytool -certreq -keystore tomcat.jks -alias tomcat -file tomcat.csr 
  3. This signing request (the CSR file) is submitted to a signing authority and you get a signed certificate (the CER file) in return

     $ keytool -gencert -keystore root-ca.jks -alias root -infile tomcat.csr -outfile tomcat.cer -rfc 
  4. This certificate together with the certificate of the signing authority are imported into your keystore

     $ keytool -import -keystore tomcat.jks -file my-root-ca.cer -trustcacerts -alias my-root-ca
     $ keytool -importcert -keystore tomcat.jks -alias tomcat -file tomcat.cer

Now the tomcat.jks file can be used in Tomcat as keystore for an HTTPS connector.

There is no information in the question on what your certificate.cer file contains. To check the contents using keytool you can use this command:

    $ keytool -printcert -file certificate.cer

In my example above the output looks like this:

    Owner: CN=<hostname>
    Issuer: CN=My-Root-CA, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 222f266a
    Valid from: Sat Aug 25 12:41:01 CEST 2018 until: Fri Nov 23 11:41:01 CET 2018
    ...

Maybe you could add the output to your question to get more help, if needed.
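The answer's central point is that a .cer file holds only the certificate (the public half) and that a keystore for an HTTPS connector also needs the matching private key. As an added example, not part of the question or the answer above, the following Python script (standard library only) reads a .cer/.pem/.p12 file and reports what kind of object it contains and whether a private key is present, by looking at the outer ASN.1/DER shape of each object. The sample inputs (`SAMPLE_*`) are constructed inline with dummy values so the script runs offline; they are not real certificates or keys, and the script name `check_cer.py` is an assumption.

```python
"""Tell whether a .cer/.pem/.p12 file carries only a certificate (the public
half a CA hands back) or also a private key (which an HTTPS keystore needs).
Standard library only; only the outer ASN.1/DER shape is inspected."""
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SEQ, SET, INT, BIT, OCT, OID, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x04, 0x06, 0xA0


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value starting at pos -> (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def classify_der(der):
    """Name the object by the shape of its outer SEQUENCE (no full parse)."""
    try:
        tag, body, _ = der_tlv(der)
        kids = der_children(body) if tag == SEQ else []
    except IndexError:
        kids = []
    if not kids:
        return "unknown"
    t0, v0 = kids[0]
    if t0 == SEQ:
        # Certificate, CSR and CRL all start with a to-be-signed SEQUENCE; its
        # first element tells them apart.
        inner = der_children(v0)
        if inner and inner[0][0] == CTX0:                 # [0] EXPLICIT version: X.509 v2/v3
            return "certificate"
        if len(inner) >= 2 and inner[0][0] == INT and inner[1][0] == SEQ:
            nxt = der_children(inner[1][1])
            if nxt and nxt[0][0] == SET:                  # version, then a Name: CSR
                return "csr"
            if nxt and nxt[0][0] == OID:                  # serial/version, then AlgorithmIdentifier
                return "certificate-v1-or-crl"
        return "signed-object"
    if t0 == INT and len(kids) >= 2:
        version, t1 = (int.from_bytes(v0, "big") if v0 else 0), kids[1][0]
        if version == 3 and t1 == SEQ:
            return "pkcs12"                               # PFX: version 3, then authSafe
        if version == 0 and t1 == SEQ:
            return "pkcs8-private-key"                    # PrivateKeyInfo: version 0, then algorithm
        if t1 == INT:
            return "pkcs1-rsa-private-key"                # RSAPrivateKey: version, n, e, d, ...
    return "unknown"


def inspect(data):
    """Classify every object in a PEM or DER file and say whether a private key is present."""
    blocks = PEM_RE.findall(data)
    if blocks:
        fmt, kinds = "pem", []
        for label, body in blocks:
            kind = classify_der(base64.b64decode(re.sub(rb"\s+", b"", body)))
            if label.endswith(b"PRIVATE KEY"):            # PEM label is authoritative for keys
                kind = "private-key"
            kinds.append(kind)
    else:
        fmt, kinds = "der", [classify_der(data)]
    has_key = any(k in ("private-key", "pkcs12") or k.endswith("private-key") for k in kinds)
    return {"format": fmt, "contents": kinds, "has_private_key": has_key}


def _tlv(tag, content):
    """Tiny DER encoder used only to build the constructed samples below."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content


# Constructed samples: structurally valid, but every value is a dummy, not real key material.
_ALG = _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSA
SAMPLE_CERT_DER = _tlv(SEQ, _tlv(SEQ, _tlv(CTX0, _tlv(INT, b"\x02")) + _tlv(INT, b"\x01") + _ALG)
                       + _ALG + _tlv(BIT, b"\x00" * 9))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")
SAMPLE_PKCS8_DER = _tlv(SEQ, _tlv(INT, b"\x00") + _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d010101"))
                        + b"\x05\x00") + _tlv(OCT, b"\x00" * 8))
SAMPLE_PKCS12_DER = _tlv(SEQ, _tlv(INT, b"\x03") + _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d010701"))))
SAMPLE_CSR_DER = _tlv(SEQ, _tlv(SEQ, _tlv(INT, b"\x00") + _tlv(SEQ, _tlv(SET, b""))) + _ALG + _tlv(BIT, b"\x00"))
SAMPLE_BUNDLE_PEM = SAMPLE_CERT_PEM + (b"-----BEGIN PRIVATE KEY-----\n"
                                       + base64.encodebytes(SAMPLE_PKCS8_DER) + b"-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Usage: python check_cer.py certificate.cer
    with open(sys.argv[1], "rb") as fh:
        result = inspect(fh.read())
    print(result)
    if not result["has_private_key"]:
        print("No private key here: import it into the keystore that already holds the matching "
              "key under the same alias; on its own it cannot serve HTTPS.")
```

Run against a real certificate.cer, a `has_private_key` of `False` is the expected (and normal) answer for a CA-issued file: the fix is then the flow in the answer above, importing the CER into the keystore that already contains the PrivateKeyEntry whose CSR it was issued for, rather than into an empty keystore under alias `root`. A result of `pkcs12` means the file is a PFX bundle, which Tomcat can use directly with `keystoreType="PKCS12"`.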
