Page History
...
Next, upon receiving the signed certificate from the third-party CA, the remote site should then bundle the private key with the chained certificates into a PKCS12 file (.pfx
or .p12
suffix) so that SHRINE can verify the chain of trust from the endpoint certificate all the way back to the root CA. Without this trust verification, SHRINE will be unable to use the certificates as intended. For our purpose, the PKCS#12 file format is ideal because it can combine a private key with all corresponding chained certificates into a single entry in the file, and because the format is accessible by both openssl
and keytool
. In the following command (again, assuming that the private key file is called private_key.pem
), the certificates_file
contains the new endpoint certificate plus all intermediate certificates plus the root certificate, and the ca_file
contains only the intermediate certificates plus the root certificate. Run this command to bundle the private key, the endpoint certificate, and all intermediate and root certificates into one single entry within the PKCS12 store:
...
Code Block | ||||
---|---|---|---|---|
| ||||
<Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/opt/shrine/shrine.keystore" keystorePass="xxxxxxxxxxxxxxxx" keyAlias="shrine.example.edu-https"/> |
Once that change is madeall configuration files have been updated, restart Tomcat. When finished, confirm that the newly installed certificate is being used by using pointing your web browser to navigate to log into your SHRINE host. If everything has been configured properly, you should no longer see any warning messages regarding untrusted certificates.