Suppose you have already received your wildcard certificate and the corresponding private key from StartSSL.com. Revisit the StartSSL website to prepare a .p12 (PKCS12) file (e.g. <wildcard.mydomain.com.p12>), because we need it for the later import step in which you create a new Vibe keystore.
Additionally download the certificate authority file ca.crt and the intermediate certificate file sub.classX.server.ca.crt from StartCom. Which intermediate you need depends on your certificate class, e.g. sub.class2.server.ca.crt for a Class 2 certificate.
Check as root that keytool (from the JDK) is on your PATH; otherwise fix it, e.g.:
# echo 'PATH=/usr/java/jdk1.6.0_29/bin:$PATH' >> ~/.profile
# source ~/.profile
Preparing the new keystore
As root, enter the directory where the Tomcat keystore is located, e.g. /opt/novell/teaming/apache-tomcat/conf.
Back up the original keystore, which is named .keystore, as .keystore.orig and remove the old one (keytool adds entries to an existing destination keystore instead of creating a fresh one).
Place your wildcard.mydomain.com.p12 file in this directory.
Building the new keystore
- Now we create the new keystore from the prepared StartSSL .p12. keytool prompts for the destination keystore password and for the password of the .p12; the destination password must match keystorePass of the HTTPS Connector in server.xml (Tomcat's default is changeit):
# keytool -v -importkeystore -srckeystore <wildcard.mydomain.com.p12> -srcstoretype PKCS12 -destkeystore .keystore -deststoretype JKS
- Check what is actually contained in the keystore now:
# keytool -list -keystore .keystore
- Notice: as you can see, the imported private key entry got the automatically assigned alias "startcom pfx certificate".
We have to rename it to the alias "tomcat". This was the important thing for my configuration: the alias must match the keyAlias attribute of the HTTPS Connector in your server.xml (Tomcat's documentation uses tomcat), so check your alias naming there.
Here is the changealias command:
# keytool -changealias -v -alias "startcom pfx certificate" -destalias tomcat -keystore .keystore
- Next, import the StartCom root certificate ca.crt as a trusted entry:
# keytool -import -alias startcom.ca -file ca.crt -trustcacerts -keystore .keystore
- Also import the necessary intermediate certificate (the file matching your certificate class):
# keytool -import -alias startcom.ca.sub -file sub.class2.server.ca.crt -trustcacerts -keystore .keystore
- Set the owner to the user Teaming runs as, e.g.:
# chown vibeadmin:vibeadmins .keystore
- Adjust the rights. The keystore contains your private key, so it must not be readable by others; a file needs no execute bit, so 640 is sufficient:
# chmod 640 .keystore
- Restart Teaming:
# /etc/init.d/teaming restart
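The whole procedure above as one script, added here as an example and not part of the original post. It wraps the keytool steps in a function that verifies the result (a key entry under the expected alias, no world-readable keystore) before restarting Teaming, and it can be exercised offline because the checks work on a constructed keytool -list listing. The directory, file names, the StartSSL alias and the owner are taken from the post; "rebuild_keystore.sh run" as the way to invoke it, and the variable names, are my assumptions.

```shell
#!/bin/sh
# Added example: rebuild the Tomcat keystore from a StartSSL .p12 and verify it.
# Assumptions (override via environment): paths/names as used in the post above.
set -eu

CONF_DIR="${CONF_DIR:-/opt/novell/teaming/apache-tomcat/conf}"
P12="${P12:-wildcard.mydomain.com.p12}"
KEYSTORE="${KEYSTORE:-.keystore}"
SRC_ALIAS="${SRC_ALIAS:-startcom pfx certificate}"   # alias StartSSL writes into the .p12
DEST_ALIAS="${DEST_ALIAS:-tomcat}"                   # must equal keyAlias in server.xml
INTERMEDIATE="${INTERMEDIATE:-sub.class2.server.ca.crt}"
OWNER="${OWNER:-vibeadmin:vibeadmins}"

# Constructed sample of non-verbose `keytool -list` output (not real fingerprints),
# used by selftest so the checks can be run without a JDK.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

tomcat, Jan 19, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
startcom.ca, Jan 19, 2012, trustedCertEntry, 
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
startcom.ca.sub, Jan 19, 2012, trustedCertEntry, 
Certificate fingerprint (MD5): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11'

# Print the aliases found in a keytool -list listing read from stdin.
# Entry lines look like "alias, <date>, <entry type>, "; the alias is the first field.
list_aliases() {
  awk -F', ' '/(PrivateKeyEntry|trustedCertEntry|keyEntry)/ { print $1 }'
}

# Exit 0 if the listing on stdin has a private key entry under alias $1.
# (Java 6 prints PrivateKeyEntry, older releases printed keyEntry.)
has_key_entry() {
  want="$1"
  awk -F', ' -v a="$want" \
    '$1 == a && /(PrivateKeyEntry|keyEntry)/ { found = 1 } END { exit !found }'
}

# Exit 0 if file $1 grants no permissions to "other" (columns 8-10 of ls -l).
perms_ok() {
  others=$(ls -ld "$1" | cut -c8-10)
  [ "$others" = "---" ]
}

# Offline check of the helpers against the constructed listing; exit 0 on success.
selftest() {
  printf '%s\n' "$SAMPLE_LISTING" | has_key_entry "$DEST_ALIAS" || return 1
  if printf '%s\n' "$SAMPLE_LISTING" | has_key_entry startcom.ca; then return 1; fi
  n=$(printf '%s\n' "$SAMPLE_LISTING" | list_aliases | wc -l | tr -d ' ')
  [ "$n" -eq 3 ]
}

# The procedure from the post, with a verification step before the restart.
rebuild_keystore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 1; }
  cd "$CONF_DIR"
  [ -f "$P12" ] || { echo "missing $P12 in $CONF_DIR" >&2; return 1; }
  # Keep the original keystore and start from an empty one.
  [ -f "$KEYSTORE" ] && mv "$KEYSTORE" "$KEYSTORE.orig"
  # Convert the PKCS12 into a JKS keystore (keytool prompts for both passwords).
  keytool -v -importkeystore -srckeystore "$P12" -srcstoretype PKCS12 \
    -destkeystore "$KEYSTORE" -deststoretype JKS
  # Rename the StartSSL alias to the one server.xml expects.
  keytool -changealias -v -alias "$SRC_ALIAS" -destalias "$DEST_ALIAS" -keystore "$KEYSTORE"
  # Add root and intermediate as trusted entries.
  keytool -import -alias startcom.ca -file ca.crt -trustcacerts -keystore "$KEYSTORE"
  keytool -import -alias startcom.ca.sub -file "$INTERMEDIATE" -trustcacerts -keystore "$KEYSTORE"
  # Verify the key entry exists under the expected alias before going further.
  keytool -list -keystore "$KEYSTORE" | has_key_entry "$DEST_ALIAS" \
    || { echo "no private key entry '$DEST_ALIAS' in $KEYSTORE" >&2; return 1; }
  chown "$OWNER" "$KEYSTORE"
  chmod 640 "$KEYSTORE"
  perms_ok "$KEYSTORE" || { echo "$KEYSTORE is world-readable" >&2; return 1; }
  /etc/init.d/teaming restart
}

# Only touch the system when invoked as "rebuild_keystore.sh run".
if [ "${1:-}" = "run" ]; then
  rebuild_keystore
fi
```

Run selftest first on a box without the JDK to see the checks behave; the real rebuild is started with the run argument as root and still asks interactively for the keystore and .p12 passwords, so no password ends up on the command line or in shell history.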
Now you should be done.
Because the investigation and tests took quite a long time, I wanted to share the result.