Welcome to Headwind MDM Q&A, where you can ask questions and receive answers from other members of the community.

0 votes
How to set up a certificate on Tomcat so mobile devices access the server via SSL?
by (32.2k points)

4 Answers

0 votes

Tomcat uses a proprietary key format "JKS" (Java Key Store).

Certificate (public key), certification chain (if available) and a private key are converted to JKS in the following way:

1. Convert the key and the certificates into the PKCS12 format

openssl pkcs12 -export -out server.p12 -inkey domain.com.key -in ServerCertificate.cer -certfile CAchain.crt

Important! The certificate chain of authority centers must be entered, otherwise you may get a "Trust anchor for certification path not found" error! 

The certificate chain is created by concatenation of all available certificates into one file:

cat CACertificate-ROOT-2.cer CACertificate-INTERMEDIATE-1.cer > CAchain.crt

Important! After running this command, view the CAchain.crt file and make sure the certificate boundaries didn't concatenate: each boundary should be on its own line!

2. Convert PKCS12 into JKS

keytool -importkeystore -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12

Here the passwords for source and destination keystore must be entered.

3. Add path to the JKS file and password to the Tomcat settings (/etc/tomcat9/server.xml):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="your-domain.com">
    <SSLHostConfig hostName="your-domain.com">
        <Certificate certificateKeystoreFile="/var/lib/tomcat9/ssl/server.jks"
                     type="RSA" certificateKeystorePassword="******" />
    </SSLHostConfig>
</Connector>

4. Change the URL in the Headwind MDM configuration file (ROOT.xml or hmdm.xml) from HTTP to HTTPS

<Parameter name="base.url" value="https://your-domain.com"/>

5. Restart tomcat

service tomcat9 restart

6. Forward the port 443 to 8443, also for the local network interface (here's why):

/sbin/iptables -A PREROUTING -t nat -i eno1 -p tcp -m tcp -d your-domain.com --dport 443 -j REDIRECT --to-ports 8443

/sbin/iptables -A OUTPUT -t nat -o lo -p tcp -m tcp -d your-domain.com --dport 443 -j REDIRECT --to-ports 8443

7. Check that the iptables setup is restored after reboot. Make iptables settings permanent if required.

by (32.2k points)
edited by
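The chain-building step above warns that a `.cer` file without a trailing newline makes `cat` glue one certificate's END line to the next BEGIN line. Here is an added example (not from the answer or the Headwind MDM project) that concatenates the files safely, rejects a chain with merged boundaries, and only then runs the PKCS12 export; the file names are the placeholders from the answer and the demo certificates are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the original answer: build CAchain.crt so that no
# PEM boundary is glued to the next one, and verify that before the export.

# Concatenate PEM files; awk prints every record followed by a newline, so a
# .cer file lacking a final newline cannot merge its END line with the next BEGIN.
build_chain() {
    out="$1"; shift
    awk 1 "$@" > "$out"
}

# Print the number of certificates in the file and return 0 only when every
# BEGIN/END marker sits alone on its own line and the counts match.
check_chain() {
    file="$1"
    # anything before BEGIN or after END on the same line is the
    # "concatenated boundary" failure mode the answer warns about
    bad=$(grep -n -e '.-----BEGIN CERTIFICATE-----' \
                  -e '-----END CERTIFICATE-----.' "$file" | head -n 1)
    if [ -n "$bad" ]; then
        echo "merged boundary at line $bad" >&2
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "unbalanced markers: $begins BEGIN, $ends END" >&2
        return 1
    fi
    echo "$begins"
}

# Full flow with the file names used in the answer (run this on the real server).
make_p12() {
    build_chain CAchain.crt CACertificate-ROOT-2.cer CACertificate-INTERMEDIATE-1.cer
    n=$(check_chain CAchain.crt) || return 1
    echo "CAchain.crt contains $n certificate(s), exporting PKCS12"
    openssl pkcs12 -export -out server.p12 -inkey domain.com.key \
        -in ServerCertificate.cer -certfile CAchain.crt
}

# Offline demo on constructed stand-in files (the body is a placeholder, not a
# real certificate); the root file deliberately lacks a final newline.
demo() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' > "$d/root.cer"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' > "$d/int.cer"
    cat "$d/root.cer" "$d/int.cer" > "$d/naive.crt"      # reproduces the failure
    build_chain "$d/safe.crt" "$d/root.cer" "$d/int.cer"  # the fix
    check_chain "$d/naive.crt" 2>/dev/null && return 1    # must be rejected
    n=$(check_chain "$d/safe.crt"); rm -rf "$d"; echo "$n" # prints 2
}
```

Source the script and call `make_p12` on the server; `demo` exercises the check without touching real key material.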
0 votes
Note: you shouldn't use self-signed certificates even for testing purposes, because they will not be recognized by mobile devices during the enrollment and the enrollment will fail. Also, the Tomcat engine can't display the QR code, because it can't download the launcher due to an "Unknown certificate" error.

The best practice for using HTTPS is to choose a domain name for your server and get the simplest and cheapest certificate issued by a CA.

For example, Comodo PositiveSSL costs about $5-$10/year.
by (32.2k points)
0 votes

After you purchase the certificate, you need to configure it and confirm the domain ownership.

To configure the certificate, first you need to generate a private key and a certificate signing request (CSR). This can be done with the openssl utility.

# openssl genrsa -out domain.com.key 2048

# openssl req -new -sha256 -key domain.com.key -out domain.com.csr

IMPORTANT: the common domain name requested by openssl should be the domain name where you install Headwind MDM!

After setting up the certificate, you need to confirm the domain ownership. You can either use HTTP confirmation or DNS confirmation.

To confirm the domain ownership by HTTP, you can install Apache web server:

# apt install apache2

Then start the service:

# service apache2 start

and create the file required by the certificate authority in /var/www/html directory.

After you have confirmed the domain ownership, stop the Apache service and uninstall it (otherwise, it may interfere with the Tomcat service).

by (32.2k points)
0 votes

Here is the certificate generation flow if you prefer using a JKS keystore from the beginning, for example when the CA suggests that you generate a certificate for Tomcat.

Private key generation:

keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore yourkeystore.jks

CSR generation:

keytool -certreq -alias tomcat -file your.csr -keystore yourkeystore.jks

Submit the file your.csr to the CA and confirm the domain ownership. The CA will provide you with the certificate in PKCS #7 format.

You need to add the certificate to your JKS file.

keytool -import -trustcacerts -alias tomcat -file certificate.p7b -keystore yourkeystore.jks

After executing this command, you will be able to use the JKS file in your Tomcat configuration.

by (32.2k points)