Setting up HTTPS for Tomcat with an authority-signed certificate


How can I create a .keystore which would eventually be used in Tomcat? Or what are my options?

As opposed to the self-signed certificates I am used to, I have a directory with an Authority Signed Certificate (ASC), but I do not know how to create the .keystore which would eventually be used in the Tomcat server.xml configuration.

In my directory, I have {req.cnf, req.pem, priv.key, cert_me.pem and dhparamxxx.pem}. I am not sure which of these to use to create the .keystore for Tomcat 8.

Grim On

Let's assume the Authority is a RootCA. The RootCA must know the details (name, IP address, date ...) about the certificate and the server that is going to be used as your Tomcat server. Furthermore, your certificate must point to the correct RootCA.

The idea behind is that:

  1. The browser goes to your Tomcat.
  2. The Tomcat reports its public certificate with the RootCA public key in its certificate chain.
  3. The browser contacts the RootCA and asks if it is a valid certificate.
  4. After the confirmation from the RootCA, the browser contacts the OCSP of the RootCA.
  5. If both (RootCA certificate validation and RootCA OCSP validation) confirm the validity of the certificate, the browser opens a trusted TLS session to the Tomcat server.

The process of signing your server's certificate in the keytool-created keystore is the CSR (Certificate Signing Request). The CSR is generated on the Tomcat side and transported to the RootCA. The RootCA accepts the upload of the CSR and lets you create the RootCA for your certificate chain.
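Since the question already has a CA-signed certificate (cert_me.pem) and the matching private key (priv.key), the CSR step the answer describes is done; what remains is bundling key and certificate into a keystore Tomcat can load. The script below is an added example (not code from the question or the answer) that does this with openssl as a PKCS12 file, which Tomcat 8 reads directly; the file names follow the question, the alias "tomcat", the password "changeit" and the server.xml paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: build a PKCS12
# keystore for Tomcat 8 from a CA-signed certificate and its private key.
# File names follow the question (priv.key, cert_me.pem). req.cnf/req.pem are
# the CSR config and CSR, dhparamxxx.pem is DH parameters: none of them goes
# into the keystore.
set -eu

# make_tomcat_keystore KEY CERT OUT PASSWORD [CHAIN]
# Bundle the private key and signed certificate (plus the issuer chain if you
# have it, so clients receive the intermediates) under the alias "tomcat".
make_tomcat_keystore() {
    key=$1; cert=$2; out=$3; pw=$4; chain=${5:-}
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -out "$out" -passout "pass:$pw"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -out "$out" -passout "pass:$pw"
    fi
    chmod 600 "$out"   # contains the private key: readable by the Tomcat user only
}

# keystore_subject OUT PASSWORD: print the subject of the server certificate in
# the keystore, to confirm the right certificate (not the CSR) went in.
keystore_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demo on a constructed throw-away key and certificate (self-signed here only
# because no CA is available offline; use your real priv.key and cert_me.pem).
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=tomcat.example.test" \
        -keyout "$dir/priv.key" -out "$dir/cert_me.pem" >/dev/null 2>&1
    make_tomcat_keystore "$dir/priv.key" "$dir/cert_me.pem" "$dir/tomcat.p12" changeit
    keystore_subject "$dir/tomcat.p12" changeit
    rm -rf "$dir"
}
demo

# Matching HTTPS connector for Tomcat 8 server.xml (assumed paths/password):
# <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
#            SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
#            keystoreFile="${catalina.base}/conf/tomcat.p12" keystoreType="PKCS12"
#            keystorePass="changeit" keyAlias="tomcat" />
```

`keytool -list -storetype PKCS12 -keystore tomcat.p12` shows the same entry from the Java side; if an older JDK refuses the file produced by OpenSSL 3, re-export it with OpenSSL's `-legacy` option.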