on 12-22-2016 6:33 AM
Hi Experts,
What is the best practice to install a self-signed SSL certificate (*.crt) in the hybris tomcat server?
We have a self-signed certificate generated, but it is not clear how it can be installed on the hybris tomcat server. We have instructions to install it on an Apache Tomcat server, but not on the hybris tomcat server.
Thanks, Yaten
First we need to convert the .crt file into .p12 using openssl and then convert this *.p12 into a keystore file using keytool. It worked fine.
Thanks, Yaten
Hi Team,
I also tried to give the certificate as .p12 in hybris\bin\platform\lib and gave the passphrase for the certificate, but it is not working and gives 400 bad request. I tried to give the keystore and password in server.xml as well, but still facing the same issue. Please can you help me with that?
Hi Yaten, did you manage to solve this issue? I also tried to import a new certificate to the keystore, but no luck.
Regards, Larisa
Yes, it was installed successfully. As mentioned in the accepted answer above, first you need to convert your .crt file into .p12 and then convert this *.p12 file into a keystore file. Once the keystore file is generated successfully, you can deploy it in your hybris tomcat server.
Below are the commands to achieve the same. It worked fine for me.
openssl pkcs12 -export -in xx.crt -inkey xx.key -out xx.p12 -name tomcatv1 -CAfile CACert.crt -caname root
keytool -v -importkeystore -srckeystore xx.p12 -srcstoretype PKCS12 -destkeystore keystore
Hope this would help.
Thanks, Yaten
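The two commands above as a complete, checkable script. This is an added example, not code from the thread: it bundles a certificate and its key into a PKCS12 file, imports that into a JKS keystore, and then confirms the keystore actually holds a private key (a keystore built from the .crt alone contains only a trusted certificate, which Tomcat cannot serve TLS with). It assumes openssl and a JDK keytool on PATH; the file names, the demo subcommand and the throwaway self-signed certificate are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl and keytool are on PATH;
# file names and the "demo" subcommand are made up for illustration.
set -eu

# build_keystore CRT KEY P12 KEYSTORE ALIAS PASSWORD [CA_CHAIN]
build_keystore() {
  crt=$1; key=$2; p12=$3; ks=$4; alias=$5; pass=$6; ca=${7:-}
  # Step 1: certificate + private key (+ optional CA chain) into one PKCS12 file.
  if [ -n "$ca" ]; then
    openssl pkcs12 -export -in "$crt" -inkey "$key" -out "$p12" \
      -name "$alias" -CAfile "$ca" -caname root -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$crt" -inkey "$key" -out "$p12" \
      -name "$alias" -passout "pass:$pass"
  fi
  # Step 2: PKCS12 -> JKS keystore, the format the Tomcat connector reads.
  rm -f "$ks"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$ks" -deststoretype JKS -deststorepass "$pass" \
    -srcalias "$alias" -destalias "$alias"
}

# keystore_has_private_key KEYSTORE ALIAS PASSWORD
# Succeeds only if ALIAS is a PrivateKeyEntry. "keytool -import -file x.crt"
# creates a trustedCertEntry (certificate only), which Tomcat cannot use to
# terminate TLS because the private key is missing.
keystore_has_private_key() {
  keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null |
    grep -q 'Entry type: PrivateKeyEntry'
}

# demo: build and verify a keystore from a throwaway self-signed certificate.
demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
  # Same alias and password as the default hybris server.xml quoted in the thread.
  build_keystore "$dir/demo.crt" "$dir/demo.key" "$dir/demo.p12" \
    "$dir/keystore" tomcat 123456
  keystore_has_private_key "$dir/keystore" tomcat 123456 &&
    echo "keystore OK: copy $dir/keystore over platform/tomcat/lib/keystore"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh build_keystore.sh demo` to see the check pass; point the functions at your real .crt, .key and CA chain to produce the keystore to drop into hybris.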
Hello Larisa,
After the certificate is generated, which location do we place the certificate in? hybris\bin\platform\tomcat\lib, as mentioned by Yatendra?
Here are the locations in my hybris:
hybris\bin\platform\apache-tomcat-8.5.30\bin
OR
\hybris\bin\platform\apache-tomcat-8.5.30\lib
Thanks in advance, David
Thanks Andrew. We followed the steps suggested by you. Below is the overall scenario we have performed, but no luck. Could you please suggest if we are missing anything here:
We have received certificate files from our server team, which are 3 files (CACert.crt, #_com.crt, #_com.key). Here the key password is "password".
Now we created a keystore file via keytool using the following command: keytool -import -alias tomcat -keystore localcert -file *_com.crt (we also tried with the other .crt file, i.e. CACert.crt)
The keystore file gets generated without any issue/error, and during this we provided the default password, i.e. 123456. Now we replaced the default keystore file with this keystore file (location - hybris\bin\platform\tomcat\lib). As we provided the default password during keystore file generation, we haven't modified the server.xml file. After this we did ANT ALL/ANT CLEAN ALL and started the Hybris server. There are no errors in the logs.
But when we tried to access the hybris storefront or any hybris store (hmc/cmscockpit/backoffice) we are getting the same certificate issue below (site not trusted).
Your connection is not private
Attackers might be trying to steal your information from *.kpit.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID Automatically report details of possible security incidents to Google. Privacy policy
You need to convert your crt (and corresponding key) to a keystore.
This StackOverflow link may help, or just Google for "convert crt to keystore".
The path to the keystore and the password are controlled from config/tomcat/server.xml on the SSL connector. It looks like:
<Connector port="${tomcat.ssl.port}"
           <!-- ... other attributes ... -->
           keystoreFile="${catalina.home}/lib/keystore"
           keystorePass="123456" />
If you save your keystore over the existing one in platform/tomcat/lib with a password of 123456, then you won't need to edit this file. If you do edit the file to use a different path and pass, then don't forget to run ant to get it copied across to the runtime location.