This document describes how to enable and initialize an empty keystore, generate a Certificate Signing Request (CSR), add a root Certificate Authority (CA) to your keystore, and import the generated certificate for use in Tomcat.
This will prevent the "Safari/Firefox can't verify the identity of the website your.jss.url" dialog box from appearing each time you connect to the secure port of your JSS (port 8443).
Please note this is provided for informational purposes only, and is not supported by JAMF Software.
To create and configure a public certificate for your JSS:
1) Launch Terminal.app and connect to your JSS.
2) In terminal, navigate to the Tomcat directory with the following command:
cd /Library/Tomcat/
3) In terminal, type the following command to generate the keystore and fill in the pertinent information when prompted.
sudo keytool -genkey -alias Tomcat -keyalg RSA -keystore /Library/Tomcat/.3pkeystore
Type a new keystore password. When the prompt asks for a first and last name, it is requesting the Fully Qualified Domain Name of the JSS server (i.e. your.jss.url). Answer the remaining questions for the Organizational Unit, Organization, City or Locality, State or Province, and the Country Code. The Certificate Authority administrator should be able to provide the desired values for these questions. The answers here will also be used to generate a self-signed certificate in the new keystore. Using a self-signed certificate will still produce the "Safari/Firefox can't verify the identity of the website your.jss.url" dialog unless the client machines have been configured to trust this self-signed certificate. If you are using a self-signed certificate, skip to step 8.
4) Generate a Certificate Signing Request:
sudo keytool -certreq -alias tomcat -keystore /Library/Tomcat/.3pkeystore -file tomcatCert.req
5) Send the "tomcatCert.req" file to your Certificate Authority (public or internal). Request a Base-64 encoded X.509 certificate; you will receive a .crt or .cer file in return.
6) If the generated certificate has been signed by an internal root Certificate Authority, import the CA's certificate using the command:
sudo keytool -import -trustcacerts -alias rootCA -file /Users/admin/Desktop/RootCA.cer -keystore /Library/Tomcat/.3pkeystore
7) Then import the certificate signed by the Certificate Authority with the command:
sudo keytool -import -alias tomcat -keystore /Library/Tomcat/.3pkeystore -trustcacerts -file /Users/admin/Desktop/tomcatCert.cer
8) The final step is to edit /Library/Tomcat/conf/server.xml, point the "keystoreFile" attribute to the location of the keystore, and include the "keystorePass" attribute containing the password to your keystore:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/Library/Tomcat/.3pkeystore"
keystorePass="your keystore password" />
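Before editing server.xml it is worth confirming that the keystore really contains what steps 3 through 7 were meant to put there: a private key under the Tomcat alias, a chain of at least two certificates (server certificate plus the CA), and a subject CN equal to the JSS FQDN. The following script is an added example, not part of the original article; the keystore path, alias and FQDN it uses are assumptions, and the sample listings are constructed, not real keytool output.

```shell
# Added example, not from the original article. Verifies a keystore listing
# produced by `keytool -list -v`. Paths, alias and FQDN below are assumptions.
# check_listing LISTING ALIAS FQDN
# Returns 0 only when the alias exists, is a PrivateKeyEntry, carries at least
# two certificates (server + CA) and has a subject CN equal to the FQDN.
check_listing() {
    listing=$1; alias=$2; fqdn=$3
    # Keep only the lines belonging to this alias (JKS aliases are case-insensitive).
    block=$(printf '%s\n' "$listing" | awk -v a="$alias" '
        tolower($0) == ("alias name: " tolower(a)) { inblock=1; print; next }
        /^Alias name: / { inblock=0 }
        inblock { print }')
    [ -n "$block" ] || { echo "alias '$alias' not found" >&2; return 1; }
    printf '%s\n' "$block" | grep -q '^Entry type: PrivateKeyEntry' \
        || { echo "'$alias' holds no private key (trustedCertEntry?)" >&2; return 2; }
    len=$(printf '%s\n' "$block" | sed -n 's/^Certificate chain length: //p')
    [ "${len:-0}" -ge 2 ] \
        || { echo "chain length ${len:-0}: CA certificate not chained" >&2; return 3; }
    cn=$(printf '%s\n' "$block" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1)
    [ "$cn" = "$fqdn" ] || { echo "subject CN '$cn' is not '$fqdn'" >&2; return 4; }
}
# check_keystore KEYSTORE ALIAS FQDN: run keytool on the real keystore (it asks
# for the password), e.g. check_keystore /Library/Tomcat/.3pkeystore tomcat your.jss.url
check_keystore() {
    check_listing "$(sudo keytool -list -v -keystore "$1")" "$2" "$3"
}
# Constructed sample listings (not real output from any JSS): a correct import
# after steps 6-7, and a keystore holding only the self-signed certificate
# from step 3 (chain length 1).
SAMPLE_GOOD='Alias name: rootCA
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=your.jss.url, OU=IT, O=Example, L=City, ST=State, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US'
SAMPLE_SELF_SIGNED='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=your.jss.url, OU=IT, O=Example, C=US
Issuer: CN=your.jss.url, OU=IT, O=Example, C=US'
```

A non-zero exit code tells you which step to revisit: 1 means the alias is missing, 2 that only a trusted certificate (no key pair) sits under it, 3 that the CA from step 6 is not in the chain, and 4 that the name entered in step 3 does not match the JSS FQDN.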
NOTE: You may need to repeat this change to the server.xml file if there has been a software update which affects Tomcat.
NOTE: If a certificate file requires an update due to expiration, there are additional steps to perform prior to adding a new file.
To add the new certificates we will need to clear out the alias created in the steps above. First, create a backup of the previous alias with the following command:
sudo keytool -export -alias Tomcat -keystore /Library/Tomcat/.3pkeystore -file TomcatBackup.cer
After a successful backup, run the following command to clear out the Tomcat alias:
sudo keytool -delete -alias Tomcat -keystore /Library/Tomcat/.3pkeystore
You should now be able to run the commands to create and import the certificate.