Generating an SSL/TLS Self-Signed Certificate
If you decide to generate your own self-signed certificate, adhere to the following prerequisites:
- Use a non-root user configured with sudo privileges
- Verify that the server has an installed Apache Tomcat web server
- Stop the Apache Tomcat service before beginning this process
NOTE: A self-signed certificate lets TLS encrypt the traffic between your server and web-based clients. However, because it is not signed by one of the trusted certificate authorities shipped with web browsers, browsers cannot validate the identity of your server automatically: users see a certificate warning until the certificate is explicitly trusted, and until then they have no way to tell your certificate from one an attacker generated the same way. Distribute the certificate (or its fingerprint) to users out of band, and use a CA-signed certificate for any server reachable from the internet.
SSL/TLS works with a key pair: a private key and a public certificate that contains the matching public key. The private key is kept secret on the server; during the TLS handshake it proves the server's identity by signing handshake data, after which both sides derive the symmetric session keys that actually encrypt the content. The certificate is sent to every client that connects, and the client uses the public key in it to verify the signatures made with the server's private key. A client trusts the certificate only if it is signed by a certificate authority the client trusts or has been explicitly added to the client's trust store, which is why a self-signed certificate produces browser warnings.
To generate a self-signed certificate:
- Change to the JDK bin directory by entering a command similar to the following:
cd /di/platform/downloads/jdk-<version number>/bin
- Generate a key pair and self-signed certificate for Tomcat with the keytool utility by entering a command similar to the following:
sudo ./keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 1460 -keystore /etc/tomcat<version number>/keystore -keypass tomcat -storepass tomcat
Use ./keytool rather than keytool: sudo does not search the current directory, so the bare name is only found if the JDK bin directory is on root's PATH. -genkeypair is the current name of the older -genkey option; both work. Replace the passwords tomcat (Tomcat's documented default) with a strong password of your own, and keep -keypass and -storepass identical, because PKCS12 keystores (the default since JDK 9) do not support separate key passwords. Passwords typed on the command line are recorded in the shell history, and the store password must match the keystore password you later configure in server.xml. Because the command runs under sudo, the keystore is created owned by root; since it contains the private key, change its owner to the account Tomcat runs as and restrict its mode to 600 before starting Tomcat.
After pressing Enter, the command prompts you to enter information about your server that will be incorporated into the self-signed certificate and visible to anyone viewing the certificate. Accept any defaults or enter information specific to your server. The prompts appear as questions in the following order:
- What is your first and last name? – Despite the wording, do not enter a person's name. Enter the Fully Qualified Domain Name (FQDN) that users will type into their browsers, for example portal.mycompany.com, where portal is the host name and mycompany.com is the domain name; the browser compares this name against the address bar. For this lab example, enter the host name of the server, ubuntu. Note that current browsers match names against the certificate's Subject Alternative Name (SAN) extension rather than this CN field, so for a certificate browsers accept, add -ext SAN=dns:portal.mycompany.com (with your own FQDN) to the keytool command.
NOTE: Responses to the remaining command prompts are optional but recommended.
- What is the name of your organizational unit? – For example, BI Software.
- What is the name of your organization? – For example, Dimensional Insight.
- What is the name of your City or Locality? – For example, Burlington.
- What is the name of your State or Province? – For example, MA.
- What is the two-letter country code for this unit? – For example, US.
- At the confirmation prompt, for example:
Is CN=ubuntu, OU=BI Software, O=Dimensional Insight, L=Burlington, ST=MA, C=US correct? [no]
type yes (or y) and press Enter. no is the default, so pressing Enter alone rejects the values and keytool asks the questions again. To skip the prompts entirely, the same values can be passed on the command line with -dname "CN=ubuntu, OU=BI Software, O=Dimensional Insight, L=Burlington, ST=MA, C=US".
- Change to the Tomcat configuration directory by entering a command similar to the following:
cd /etc/tomcat<version number>
- Verify that the keystore file was created, and that it is not world-readable, by entering the following command:
ls -l keystore
The certificate in the keystore is valid for 1460 days (four years) from the day it was generated. To renew it, repeat the steps in this topic before it expires; keytool refuses to create an alias that already exists in a keystore, so either write the new keystore to a different file or remove the old tomcat entry with keytool's -delete option first.
NOTE: You can restart the Tomcat service now, or leave it stopped and move to Enabling the Default HTTPS Connector for instructions on editing the server.xml file. Tomcat does not serve HTTPS until that connector is configured to use this keystore.
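The procedure above collected into one non-interactive script, as an added example that is not part of the original page and not Dimensional Insight's own tooling. It assumes keytool from a JDK 8 or later is on PATH and that you supply the keystore path, FQDN and password; the tomcat alias, RSA key and 1460-day validity match the page, the OU/O/L/ST/C values are the illustrative ones from the prompts, and the FQDN check, the SAN extension, the PKCS12 store type and the verification functions are this example's additions.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive keytool
# generation of a self-signed certificate for Tomcat, plus the checks an
# operator should run on the result. Assumes keytool (JDK 8+) is on PATH;
# the OU/O/L/ST/C values are the illustrative ones from the prompts above.
set -eu

# Browsers compare the certificate against the name in the address bar, so
# refuse bare host names such as "ubuntu" and names with illegal characters.
fqdn_ok() {
    re='^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
    printf '%s\n' "$1" | grep -Eq "$re"
}

# Generate the key pair and self-signed certificate in one step.
#   $1 keystore path   $2 server FQDN   $3 keystore password
# -genkeypair is the current name of -genkey; -dname replaces the interactive
# prompts; the SAN extension carries the name browsers actually verify.
# PKCS12 (the JDK 9+ default) requires -keypass and -storepass to be equal.
gen_keystore() {
    ks="$1"; fqdn="$2"; pass="$3"
    fqdn_ok "$fqdn" || { echo "refusing bare or invalid host name: $fqdn" >&2; return 1; }
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 1460 -storetype PKCS12 \
        -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -dname "CN=$fqdn, OU=BI Software, O=Dimensional Insight, L=Burlington, ST=MA, C=US" \
        -ext "SAN=dns:$fqdn" >/dev/null 2>&1
    chmod 600 "$ks"          # the file holds the private key: owner-only
}

# Number of keystore entries stored under the alias (1 after a successful run).
alias_count() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c "^$3," || true
}

# DNS names in the certificate's SubjectAlternativeName extension.
cert_san_dns() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -o 'DNSName: *[^ ]*' | sed 's/DNSName: *//'
}

# Demonstration when run directly with "demo": build a keystore in a
# temporary directory and print what Tomcat will present.
if [ "${1:-}" = demo ] && command -v keytool >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    gen_keystore "$tmp/keystore" portal.mycompany.com 'change-me-123'
    echo "entries under alias tomcat: $(alias_count "$tmp/keystore" change-me-123 tomcat)"
    echo "SAN DNS names: $(cert_san_dns "$tmp/keystore" change-me-123 tomcat)"
    rm -rf "$tmp"
fi
```

On the real server, call gen_keystore with the path from the procedure (for example /etc/tomcat<version number>/keystore), your FQDN and a strong password, then change the file's owner to the account Tomcat runs as. keytool also accepts -storepass:env VAR and -storepass:file FILE in place of a literal password, which keeps it out of the shell history; whichever form you use, the same password goes into the keystore password setting of the HTTPS connector in server.xml.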