Enabling SSL on Tomcat with a Public Certificate

This article explains how to enable SSL on Tomcat with a public certificate. This prevents the "Safari/Firefox can't verify the identity of the website <jamf.mycompany.com>" dialog box from appearing each time you connect to the secure port of your Jamf Pro instance.
Note:

If you are attempting to bundle a certificate in a keystore for Tomcat, see the Using OpenSSL to Create a Certificate Keystore for Tomcat article.

The general procedure involves the following steps:
  • Enable and initialize an empty keystore.

  • Generate a certificate signing request (CSR).

  • Import the generated certificate(s) for use in Tomcat.

  • Modify the server.xml file to use the newly created certificates.

Note:

If you use a third-party certificate authority (CA), it is recommended that you contact your CA for information specific to your certificate before following these instructions.

General Requirements

The following components are required to enable SSL on Tomcat with a public certificate:
  • Access to the host server of Jamf Pro

  • The location of the Tomcat directory
    Note:

    The location of the Tomcat directory varies depending on the settings of your Jamf Pro installation. Common locations for the Tomcat directory are listed below.

If you used the Jamf Pro Installer to install Jamf Pro, the directory is located in:
  • Linux: /var/local/JSS/Tomcat/

  • Windows: C:\Program Files\JSS\Tomcat\

  • Mac: /Library/JSS/Tomcat/

If you did not use the Jamf Pro Installer to install Jamf Pro, the directory is located in:
  • Linux: /var/lib/tomcat8/

  • Windows: C:\Program Files\Apache Tomcat8\

  • Mac: /Library/Tomcat/

Step 1: Creating a Public Certificate for Your Jamf Pro Server

To create and configure a public certificate for your Jamf Pro server using either OpenSSL or the Java Keytool, follow the appropriate set of instructions below.
Note:

All commands in this procedure must be executed as root. On Mac and Linux, type sudo before each command. On Windows, you must execute the commands as administrator.

Creating the Certificate Using OpenSSL

  1. Open the command prompt or Terminal.
  2. Create a folder on your desktop named Certs and navigate to the directory using the following commands:
    mkdir /path/to/Desktop/Certs
    cd /path/to/Desktop/Certs
  3. Generate a Private Key and CSR by executing a command similar to the following:
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
    Note:

    The -nodes option writes privateKey.key unencrypted. Keep the Certs folder readable only by the account running these commands; anyone who can read the key can impersonate your Jamf Pro server.

  4. When prompted, enter the appropriate information. The certificate authority (CA) administrator should be able to provide the desired values for these fields. Ensure that you use a fully qualified domain name (FQDN), such as jamf.mycompany.com, as the Common Name, and ask the CA to include the same FQDN as a subjectAltName: current browsers validate the hostname against subjectAltName, not the Common Name.
    Note:

    The command above produces only a CSR; it does not create a certificate. If you intend to use a self-signed certificate instead of a CA-issued one, generate it from the same private key with openssl req and the -x509 option, then proceed to step 6 using that certificate. A self-signed certificate will produce the "Safari/Firefox can't verify the identity of the website <jamf.mycompany.com>" message unless the client machines have been configured to trust it.

  5. Send the CSR you just created to a valid CA (public or internal). You should receive a .crt, .cer, or .pem file in return. See your CA vendor's documentation for more information.
    Note:

    If you are requesting separate certificates, request them as Base-64 encoded X.509 (PEM) files. Some CAs instead return a single .p7b (PKCS#7) bundle; step 7 covers both forms.

  6. Place the certificates you receive into the Certs folder on your desktop.
  7. Import the signed certificates into your keystore. Refer to one of the following subsections depending on the type of files received from the certificate authority:

    If you receive a .p7b file from the certificate authority:

    1. Convert the .p7b file to a .cer file with the following command:
      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
      Note:

      This expects a PEM (Base-64) .p7b; if the file is binary (DER), add -inform DER to the command. The resulting certificate.cer contains every certificate from the bundle (server certificate, intermediates, and usually the root), which is why the next command needs no -certfile parameter.
    2. Combine the new .cer file with the private key via this command:
      openssl pkcs12 -export -out SSLCertificate.p12 -inkey privateKey.key -in certificate.cer
    3. Enter an export password. This password becomes your keystore password; record it, because Tomcat needs it to open SSLCertificate.p12.

    If you receive individual certificates from the certificate authority:

    1. Substitute your server certificate and the intermediate certificate(s) into the following command:
      openssl pkcs12 -export -out SSLCertificate.p12 -inkey privateKey.key -in serverCertificate.crt -certfile Intermediate.crt
      Note:

      The -in file is the certificate issued for your FQDN; -certfile supplies the chain. If the vendor provided more than one intermediate certificate, concatenate them (in PEM form; order does not matter) into a single file and pass that file with -certfile. If the vendor provided no intermediate certificates, omit -certfile.

    2. Enter an export password. This password becomes your keystore password; record it for future use.

    If you get a bundle certificate from the certificate authority:

    A bundle file (for example, ca-bundle.crt) already contains the intermediate certificates, and usually the root. Pass it with -certfile in place of the individual intermediate certificates; you do not need to add them separately.

  8. Whichever path you followed, the export password you entered is the password Tomcat will use to open SSLCertificate.p12, so it must be recorded. The .p12 file contains the private key; keep it readable only by the account that will run Tomcat.
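The OpenSSL procedure above, scripted end to end, as an added example; this is not Jamf's or Apache's own tooling. It generates the key and CSR (with a subjectAltName, which browsers require), bundles the issued certificate and chain into SSLCertificate.p12, and then runs the checks a practitioner wants before the keystore goes anywhere near server.xml: chain validation, hostname check, key/certificate match, and that the .p12 opens with the recorded password. It assumes openssl 1.1.1 or newer is in PATH; the FQDN, directory and password are placeholders; and the demo_ca_issue function is a throwaway local CA that stands in for the public CA you would really send CSR.csr to (it exists only so the script runs offline).

```shell
#!/bin/sh
# Added example (not Jamf's or Apache's code): scripted OpenSSL keystore build
# for a Jamf Pro host plus pre-deployment checks. demo_ca_issue is a local
# stand-in for the public CA; FQDN, paths and passwords are placeholders.
set -eu

# Step 3 equivalent: private key and CSR. The CSR carries a subjectAltName,
# because browsers match the hostname against SAN, not the Common Name.
make_csr() {
    fqdn=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir"      # -nodes leaves the key unencrypted
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $fqdn
O = Example Org
[v3_req]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/csr.cnf" \
        -keyout "$dir/privateKey.key" -out "$dir/CSR.csr"
    chmod 600 "$dir/privateKey.key"
}

# Stand-in for the public CA (demo only): a self-signed root that signs the
# CSR and puts the SAN into the issued certificate, as a real CA would.
demo_ca_issue() {
    fqdn=$1; dir=$2
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\nCN = Demo Root CA\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$dir/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt"
    printf '[v3_srv]\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$fqdn" > "$dir/srv_ext.cnf"
    openssl x509 -req -in "$dir/CSR.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/srv_ext.cnf" -extensions v3_srv \
        -out "$dir/serverCertificate.crt"
}

# Step 7 equivalent: key + server certificate + chain -> SSLCertificate.p12.
# With a real CA, $chain is the intermediate (or bundle) file they sent you.
build_p12() {
    dir=$1; password=$2; chain=${3:-$dir/ca.crt}
    openssl pkcs12 -export -name tomcat -inkey "$dir/privateKey.key" \
        -in "$dir/serverCertificate.crt" -certfile "$chain" \
        -passout "pass:$password" -out "$dir/SSLCertificate.p12"
    chmod 600 "$dir/SSLCertificate.p12"
}

# Pre-deployment checks. Returns 0 only if the chain validates against the CA
# bundle, the SAN names the expected host, the private key matches the
# certificate, and the .p12 opens with the recorded password. Tomcat will fail
# to start, or browsers will reject the site, if any of these is wrong.
verify_keystore() {
    dir=$1; password=$2; fqdn=$3; cafile=${4:-$dir/ca.crt}
    openssl verify -CAfile "$cafile" "$dir/serverCertificate.crt" >/dev/null || return 1
    openssl x509 -in "$dir/serverCertificate.crt" -noout -ext subjectAltName \
        | grep -q "DNS:$fqdn" || return 2
    cert_pub=$(openssl x509 -in "$dir/serverCertificate.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/privateKey.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 3
    openssl pkcs12 -in "$dir/SSLCertificate.p12" -passin "pass:$password" -noout || return 4
}

# Usage with a real CA (paths are placeholders):
#   make_csr jamf.mycompany.com ./Certs          # then send Certs/CSR.csr to the CA
#   # save the reply as Certs/serverCertificate.crt and the chain as Certs/chain.crt
#   build_p12 ./Certs 'export-password' ./Certs/chain.crt
#   verify_keystore ./Certs 'export-password' jamf.mycompany.com ./Certs/chain.crt
```

verify_keystore is deliberately strict about the password: the same string you pass it is the one that goes into certificateKeystorePassword in server.xml, so a failure here is far cheaper than a Tomcat that refuses to start after a restart.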

Creating the Certificate Using Java Keytool

Requirements

This workflow requires Java to be installed on the workstation on which you build the keystore.

  1. Open a command prompt or Terminal window.
  2. Create a folder on your desktop named Certs and navigate to the directory using the following commands:
    mkdir /path/to/Desktop/Certs
    cd /path/to/Desktop/Certs
  3. Generate a keystore by executing a command similar to the following:
    /path/to/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keypass "password" -storepass "password" -keystore keystore.jks
    Note:

    Make sure to use the same password for both the keypass and the storepass. The password cannot contain special characters. You must remember this password for future imports.

  4. Create a backup copy of the keystore and store it in a safe location.
  5. The command in step 3 prompts for the certificate's distinguished-name fields; enter the appropriate information. The certificate authority (CA) administrator should be able to provide the desired values for these fields. Be sure to use a fully qualified domain name (FQDN), such as jamf.mycompany.com, for the "first and last name" (CN) prompt.
    Note:

    These values are also used to generate a self-signed certificate in the new keystore, so the keystore is usable immediately. Using a self-signed certificate may result in the "Safari/Firefox can't verify the identity of the website <jamf.mycompany.com>" dialog box unless the client machines have been configured to trust this self-signed certificate. If you are using the self-signed certificate, skip the remaining steps and proceed to Step 2.

  6. Generate a certificate signing request (CSR) from the keystore you just created by executing the following command:
    /path/to/keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks
  7. Send the CSR you just created to a valid CA (public or internal). You should receive a .crt, .cer, or .pem file in return.
    Note:

    If you are requesting separate certificates, request a Base 64 encoded binary (X.509).

  8. Place the certificates you received into the Certs folder on your desktop.
  9. Import the signed certificate(s) into your keystore. If your CA returned a single combined file (your server certificate followed by the intermediate and root certificates), import it against the tomcat alias so that keytool attaches the whole chain to the private key created in step 3:
    /path/to/keytool -import -alias tomcat -keystore keystore.jks -trustcacerts -file root.cer

    If you are using multiple certificates (such as an intermediate and/or root certificate and a signed web certificate), execute commands like the following to install each certificate, root first and server certificate last:

    /path/to/keytool -import -alias root -keystore keystore.jks -trustcacerts -file root.cer
    /path/to/keytool -import -alias intermediate1 -keystore keystore.jks -trustcacerts -file intermediate1.cer
    /path/to/keytool -import -alias tomcat -keystore keystore.jks -trustcacerts -file cert.cer
    Note:

    The server certificate must be imported under the same alias used in step 3 (tomcat); importing it under any other alias stores it as a trusted certificate only, without the private key, and Tomcat will not serve it. Afterwards, keytool -list -v -keystore keystore.jks should show the tomcat entry as a PrivateKeyEntry with a certificate chain length equal to the number of certificates you imported for it.

Step 2: Importing the Certificate Into Jamf Pro

To import the certificate into Jamf Pro server using the Tomcat Assistant or by manually editing the server.xml file, follow the appropriate set of instructions below.

Importing the Certificate Using the Tomcat Assistant

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. Click System Settings.
  3. Click Apache Tomcat Settings.
  4. Click Edit.
  5. Select the Change the SSL certificate used for HTTPS option and click Next.
  6. Select Upload an existing SSL certificate and click Next.
  7. Click the Upload button and select either your keystore.jks file or the SSLCertificate.p12 file and click Next.
  8. Enter your keystore password and click Next.
  9. Click Finish and restart Tomcat.

Importing the Certificate by Manually Editing the server.xml File

  1. Move your keystore.jks file or SSLCertificate.p12 file into your Jamf Pro Tomcat folder (see General Requirements for the location). Make the file owned by the account that runs Tomcat and readable by no one else; it contains the private key.
  2. Edit the server.xml file located in the /Tomcat/conf/ directory. In the Connector for port 8443, add or modify the certificateKeystoreFile and certificateKeystorePassword attributes of the Certificate element so that the Connector looks similar to the following (this is the Tomcat 8.5 and later SSLHostConfig form; certificateVerification="none" on SSLHostConfig takes the place of the older clientAuth="false" Connector attribute):
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
        <SSLHostConfig sslProtocol="TLS" certificateVerification="none">
            <Certificate type="RSA"
                         certificateKeystoreFile="${catalina.home}/keystore.jks"
                         certificateKeystorePassword="changeit" />
        </SSLHostConfig>
    </Connector>
    Note:

    Replace changeit with the keystore password (keytool) or export password (OpenSSL) you recorded in Step 1. If you are using SSLCertificate.p12 rather than keystore.jks, point certificateKeystoreFile at the .p12 file and add certificateKeystoreType="PKCS12" to the Certificate element. Because the password is stored in clear text, keep server.xml readable only by the account that runs Tomcat.
  3. Restart Tomcat from the command line. For more information, see the Starting and Stopping Tomcat article.