This writeup walks through the steps to configure Tomcat to request CAC certificates from the client. It is focused on setting up a development environment, so some features that should be considered for production are not here. (For example it shows using a self-signed certificate for https and it doesn’t consider checking for revoked certificates.)

Create Keystore for enabling HTTPS connections

The first step is to set up SSL on tomcat. This is documented on the tomcat website here: for completeness the steps to set it up with a self-signed certificate are listed below:

We need to create a keystore file that holds the SSL certificate for the server. The certificate is what is required to create an https connection and doesn’t have anything to do with making the server request CAC certificates from the client, but https connections are required for client certificate authentication. For a development environment creating a self-signed certificate is ok but it’s discouraged for production.

Java comes packaged with a utility called keytool ( ) that is used to manage certificates and keystores. It can be used to create a self-signed certificate and add it to a keystore. To do that you can issue the following command from a command prompt:

keytool -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore -storepass changeit

You will be prompted for various bits of information and then a keystore file named “\path\to\my\keystore” with a password of ‘changeit’ will be created and it will contain the generated self-signed certificate.

Create truststore containing DoD root certificates

The next thing that is needed is to create a truststore that will contain the DoD root certificates. The certificates in this truststore will be considered as trusted by tomcat and it will only accept client certificates that have one of the trusted certs in their certificate chain.

To create the truststore we need to get a copy of the DoD root certificates. To do this download “InstallRoot 5.0” from. Expand the Install DoD Certificates pane and click on the Certificate tab:

Next select the three DoD Root CA certs from the list of certificates and click “PEM” under the Export tool group:

After clicking the “PEM” export button choose a location to export the certificates to and click OK. Open up a command prompt and navigate to that directory. Here we will use the keytool command to import the certificates into a truststore. Run the following commands to import the three certificates:

keytool -importcert -file DoD_Root_CA_2_0x05_DoD_Root_CA_2.cer -alias DODRoot2 -keystore truststore.jks -storepass changeit

keytool -importcert -file DoD_Root_CA_3_0x01_DoD_Root_CA_3.cer -alias DODRoot3 -keystore truststore.jks -storepass changeit

keytool -importcert -file DoD_Root_CA_4_0x01_DoD_Root_CA_4.cer -alias DODRoot4 -keystore truststore.jks -storepass changeit
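To see what "only accept client certificates that have one of the trusted certs in their certificate chain" means in practice, here is an added example (not from the original post or from Tomcat itself) that runs the same PKIX validation against truststore.jks that Tomcat's trust manager performs on a CAC chain. It assumes the truststore and password from above and a constructed file name client-chain.pem holding the client certificate followed by its intermediates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Validates a client certificate chain against the DoD root truststore built with keytool. */
public class CacChainCheck {
    public static void main(String[] args) throws Exception {
        // Assumed paths: the truststore from the write-up and a hypothetical exported client chain (leaf first).
        String truststorePath = args.length > 0 ? args[0] : "truststore.jks";
        String chainPath = args.length > 1 ? args[1] : "client-chain.pem";

        // Every TrustedCertificateEntry in the JKS (DODRoot2/3/4) becomes a PKIX trust anchor.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, "changeit".toCharArray());
        }

        // Parse the PEM chain: client cert first, then its issuing intermediates; the root need not be included.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> certs;
        try (InputStream in = new FileInputStream(chainPath)) {
            certs = new ArrayList<>(cf.generateCertificates(in));
        }
        CertPath path = cf.generateCertPath(certs);

        PKIXParameters params = new PKIXParameters(trust);
        // Mirrors the development setup described above: no revocation checking. For production set this to
        // true and enable OCSP (Security.setProperty("ocsp.enable", "true")) or CRL distribution points
        // (-Dcom.sun.security.enableCRLDP=true) so a revoked CAC is rejected even though it chains to a DoD root.
        params.setRevocationEnabled(false);

        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            X509Certificate leaf = (X509Certificate) certs.get(0);
            System.out.println("ACCEPT " + leaf.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Any chain that does not terminate at one of the imported DoD roots lands here.
            System.out.println("REJECT: " + e.getMessage() + " (reason " + e.getReason() + ")");
        }
    }
}
```

A chain signed by a CA that was not imported, or one that is expired, fails with a CertPathValidatorException, which is the same outcome the Tomcat connector produces when it refuses the client certificate during the TLS handshake.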