Ok, so the title mentions some specific services and technologies, namely GoDaddy, Tomcat and Ubuntu 14.04. That’s what I used, so that’s how I’ll describe it here. If you’re using something slightly different, maybe you can still glean some useful information from this.
First, purchase the SSL certificate from GoDaddy.
Next, log in to the server you want to run Tomcat on and create a key pair (a private key plus a self-signed certificate carrying the public key) using keytool. This key pair will be used to generate a certificate signing request (CSR) that we’ll give to GoDaddy to make our certificate. keytool is a tool for creating keys (duh), but it also acts like a keyring, storing several keys in one “keystore” file. In this instance, make sure you create your keystore file in PKCS12 format so we can export the private key with openssl later. You might be able to export the private key from other formats, but I didn’t explore that, so just follow these instructions. The following command will ask for a password, so remember it. Also, as of this writing, for some strange reason, you need to enter the desired hostname “subdomain.example.com” when prompted for First Name and Last Name: that answer becomes the certificate’s Common Name (CN), which is the field GoDaddy and browsers match against your hostname. No, the prompt wording does not make any fucking sense. Don’t ask me to explain.
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore -storetype PKCS12
The above command says, “Create a key pair of size 2048 bits with the alias ‘tomcat’ using the algorithm RSA and put it in the keystore file ‘tomcat.keystore’ (in this directory) in PKCS12 format.”
To export the private key in unencrypted format:
openssl pkcs12 -in tomcat.keystore -nodes -nocerts -out private-key_withpass.pem
Note that this file has a built-in password (the same one you used for the keystore file), and some systems (e.g. Amazon AWS) need you to remove the password before upload. To get the same private key without a password attached, do this:
openssl rsa -in private-key_withpass.pem -out private-key_nopass.pem
Now we’re ready to create the CSR for GoDaddy:
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore -storetype PKCS12
Paste the CSR data (from csr.csr) into the GoDaddy certificate creation text input. (Other services should provide something similar.) Once the certificate is ready, download the zip file and unpack it on your instance. It contains your certificate (<serialnumber>.crt) and some GoDaddy root certs (gd_bundle-g2-g1.crt and gdig2.crt).
AWS side note (why not?): To use your certificate with AWS (assuming you’re doing this on an AWS instance), you have to use their “iam-servercertupload” command (which comes with any Amazon Linux instance). Here’s how you’d upload the certificate you created:
iam-servercertupload -b serialnumbered.crt -c gd_bundle-g2-g1.crt -k private-key_nopass.pem -s whateveryouwanttonameit --aws-credential-file <path-to-your-aws-credential-file>
See elsewhere for the format of the AWS credential file.
Back to Tomcat: It appears that Tomcat has issues with the PKCS12-formatted keystore and, instead, wants the JKS type. To convert the keystore you’ve created, do this:
keytool -importkeystore -srcstoretype PKCS12 -srckeystore tomcat.keystore -destkeystore tomcat.keystore.jks -deststoretype JKS
Once that’s complete, add both the GoDaddy chain cert and the serialnumbered.crt to the new keystore like so. Note that the second import uses the same alias as your key pair (tomcat): that tells keytool the file is the CA’s reply for that key, so it attaches the signed certificate to your private key instead of storing it as a separate trusted cert.
keytool -import -alias rootbundle -keystore tomcat.keystore.jks -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore.jks -trustcacerts -file serialnumbered.crt
Now it’s time to edit your Tomcat server.xml. If you are running Tomcat standalone (without apache2/httpd in front) and want it to listen on ports 80 (non-secure) and 443 (secure), where apache2/httpd usually runs, rather than the default 8080/8443, change your connector values to use 80 and 443. (On Ubuntu, binding to ports below 1024 needs root privileges or authbind, so make sure the user Tomcat runs as is allowed to.)
<Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
<Connector port="443" protocol="HTTP/1.1"
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="<path-to>/tomcat.keystore.jks" keystorePass="<your-keystore-password>" keyAlias="tomcat" />
And that should be it. Here’s a trick you can use to test your SSL cert on Tomcat if the hostname is currently served elsewhere. Let’s say you’ve already got a subdomain.example.com certificate deployed on another server and you’ve just created this new cert for deployment to this Tomcat server. If you visit the new server at https://999.999.999.999, you’re going to get a certificate error, because the IP address is not the name on the certificate.
To trick your local computer into thinking 999.999.999.999 is actually subdomain.example.com, edit your /etc/hosts file and add a line that says: “999.999.999.999 subdomain.example.com”.
Now when you visit https://subdomain.example.com, you’ll be hitting the new server at 999.999.999.999 and should not get any certificate errors if everything is correct.
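An alternative to editing /etc/hosts, added here as an example rather than taken from the post, is to let openssl talk to the new server by IP while sending and checking the real hostname, which is exactly what the browser does once the hosts entry is in place. It assumes OpenSSL 1.1.1 or newer on PATH; the IP, the hostname and the path to the GoDaddy bundle are arguments, and the port defaults to 443 (the post’s 999.999.999.999 is a placeholder, not a usable address).

```shell
#!/bin/sh
# Added example, not from the original post: the /etc/hosts trick done with
# openssl instead. Assumes OpenSSL 1.1.1+ on PATH.
# Usage: sh tls-check.sh <new-server-ip> subdomain.example.com gd_bundle-g2-g1.crt [port]

# Return 0 only if the server at $1 presents a certificate that chains to the
# bundle in $3 and is valid for hostname $2.
#   -servername           sends SNI, so the server picks the cert for that name
#   -verify_hostname      makes openssl do the SAN/CN check a browser would do
#   -verify_return_error  turns a verification failure into a failed handshake
tls_check() {
    ip=$1; host=$2; bundle=$3; port=${4:-443}
    out=$(openssl s_client -connect "$ip:$port" -servername "$host" \
            -verify_hostname "$host" -CAfile "$bundle" \
            -verify_return_error </dev/null 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Show the chain the server actually sent (subject/issuer of each cert),
# which is what you want to look at when tls_check fails.
tls_chain_summary() {
    openssl s_client -connect "$1:${3:-443}" -servername "$2" </dev/null 2>/dev/null \
        | sed -n '/^Certificate chain/,/^---/p'
}

if [ "$#" -ge 3 ]; then
    if tls_check "$1" "$2" "$3" "$4"; then
        echo "OK: $2 is served correctly at $1"
    else
        echo "FAILED: what $1 serves does not verify for $2"
        tls_chain_summary "$1" "$2" "$4"
        exit 1
    fi
fi
```

One caveat: gd_bundle-g2-g1.crt contains the intermediate as well as the root, so with it as -CAfile a Tomcat that forgot to send the intermediate (the rootbundle import above is what makes it send it) still passes this check, while browsers that have never seen the GoDaddy intermediate would complain. Run tls_chain_summary and confirm the chain the server sends has two entries, not just your leaf.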
Enjoy! I hope this helps!