LinuxQuestions.org
Old 04-16-2021, 03:18 AM   #1
shamijohn123
LQ Newbie
 
Registered: Apr 2021
Posts: 1

How to install SSL certificates on Tomcat in AWS Linux Infrastructure


Could use a little help. I am taking an internship for AWS Certified DevOps Engineer - Professional at a company. I was pushed into a DevOps / sys-admin role in a 150-person business when our DevOps guy quit with a week's notice. Our internal company.org sites are down because our GoDaddy SSL certs expired. I am trying to restore everything and having a bit of trouble understanding the process everything is requiring here. We have an AWS infrastructure, a couple of DNS servers, Tomcat, Apache servers, etc. What I do know is that these renewed cert files from GoDaddy need to be imported into Tomcat, then Tomcat needs to be restarted. The servers are AWS Linux. I think how this all goes down is I take the 3 .crt files from GoDaddy, cat them into a .pem file, then using openssl export that and our private key to a p12 (I'm sure it's p12), then using keytool import that into Tomcat. Then restart Tomcat. This is where I'm at.

Code:
openssl pkcs12 -export -in company.pem -inkey /usr/local/bin/backups/privatekey.pem -out company.p12

No certificate matches private key
where company.pem is all the GoDaddy certs merged using cat. I found the private key using find.

Researching is giving me some conflicting information, so I am not understanding anything. I think maybe I have to somehow export the private key into the .pem file by first decrypting it? I'm not even sure that's the road I should take. Maybe I'm way off. Any sort of insight would be greatly appreciated. Thank you all.
 
Old 04-16-2021, 07:02 AM   #2
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,588

Quote:
Originally Posted by shamijohn123
Could use a little help. I am taking an internship for AWS Certified DevOps Engineer - Professional at a company. I was pushed into a DevOps / sys-admin role in a 150-person business when our DevOps guy quit with a week's notice. Our internal company.org sites are down because our GoDaddy SSL certs expired. I am trying to restore everything and having a bit of trouble understanding the process everything is requiring here.
Sounds like your company should consider hiring a consultant to help you and someone else understand the setup.

(A business that size with any piece of knowledge inside a single head is asking for trouble.)



Quote:
What I do know is that these renewed cert files from GoDaddy need to be imported into Tomcat, then Tomcat needs to be restarted. The servers are AWS Linux. I think how this all goes down is I take the 3 .crt files from GoDaddy, cat them into a .pem file, then using openssl export that and our private key to a p12 (I'm sure it's p12), then using keytool import that into Tomcat. Then restart Tomcat. This is where I'm at.

Code:
openssl pkcs12 -export -in company.pem -inkey /usr/local/bin/backups/privatekey.pem -out company.p12

No certificate matches private key
where company.pem is all the GoDaddy certs merged using cat.
I haven't done certs with Tomcat, and don't use GoDaddy for anything, but what I use for Jetty + Let's Encrypt is the following:
Code:
pkpass=p            # password on the intermediate PKCS12 file
storepass=storep    # password on the resulting Java keystore

# Bundle the private key and the full certificate chain into one PKCS12 file
openssl pkcs12 -export \
 -inkey privkey.pem -in fullchain.pem \
 -out jetty.pkcs12 -passout "pass:$pkpass"

# Copy the PKCS12 entry into the keystore the Java server reads
keytool -importkeystore -noprompt \
 -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -srcstorepass "$pkpass" \
 -destkeystore keystore -deststorepass "$storepass"

The openssl command is equivalent to yours except for the passout param - which is needed because keytool can't handle files without passwords - but from memory the openssl command itself worked without it, so if that's where your error is, that suggests maybe your company.pem is not equivalent to the fullchain.pem which Let's Encrypt produces.

If GoDaddy doesn't provide an already-merged fullchain for you, there's probably a suitable guide somewhere, but if not then checking how Certbot combines them might help.
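An added example (not from the thread and not boughtonp's script) showing how to find out, before running the export, which of the issued .crt files actually belongs to the private key, and how to merge them leaf-first; the file names, the company.example subject and the changeit export password are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. openssl prints "No certificate matches
# private key" when none of the certificates in the -in file carries the public
# key belonging to the -inkey key, so first find which of the issued .crt files
# (assumed PEM-encoded) was signed for your key, then merge with the leaf first.
set -e
# SHA-256 fingerprint of the public key (SubjectPublicKeyInfo) in a private key file.
key_pub_fp() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key in an X.509 certificate file.
cert_pub_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Print the .crt file issued for the key $1; exit 1 if none of them matches.
find_leaf() {
  key=$1; shift
  want=$(key_pub_fp "$key")
  for crt in "$@"; do
    if [ "$(cert_pub_fp "$crt")" = "$want" ]; then echo "$crt"; return 0; fi
  done
  echo "no certificate matches $key" >&2; return 1
}

# Merge into one PEM: leaf first, then the other files (the fullchain.pem order).
build_chain() {
  out=$1; leaf=$2; shift 2
  openssl x509 -in "$leaf" > "$out"
  for crt in "$@"; do [ "$crt" = "$leaf" ] || openssl x509 -in "$crt" >> "$out"; done
}
# Demo on constructed data: two throwaway self-signed certs stand in for the
# GoDaddy files; only leaf.crt was generated with server.key. Prints the leaf's
# file name once the PKCS12 export succeeds (password placeholder: changeit).
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=company.example" \
    -keyout "$d/server.key" -out "$d/leaf.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Stand-in Intermediate" \
    -keyout "$d/other.key" -out "$d/intermediate.crt" >/dev/null 2>&1
  leaf=$(find_leaf "$d/server.key" "$d/intermediate.crt" "$d/leaf.crt")
  build_chain "$d/chain.pem" "$leaf" "$d/intermediate.crt" "$d/leaf.crt"
  openssl pkcs12 -export -in "$d/chain.pem" -inkey "$d/server.key" \
    -out "$d/company.p12" -passout pass:changeit >/dev/null 2>&1 && basename "$leaf"
  rm -rf "$d"
}
```

Run find_leaf against the real key and the three GoDaddy files; if it reports no match, the key you found with find is not the one the CSR was generated from, and no amount of re-merging will help.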
