I wrote this process for the internal folks, but this should work for you. The keystore password is set when you run the keytool.. I colored the command in green, to stand out from the rest of the process.
The below process should work on any CAs newer than windows 2008R2 (which is what my CA was running)
Find a windows box (not your CS) and install Active directory certification authority and the web enrollment roles
On your windows webconsole box (I did not test this on Linux) run:
keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\temp\mykeystore.jks"
- Give it a password
- When its prompts for your first and last name this must be the webconsole host name EX cs.mylab.lab
- Although the keytool will default to "unknown" do not use "unknown" for the 2 letter country code or the cert cannot be signed. Put US. All the other fields, put something relevant.
Now run:
keytool -certreq -keyalg RSA -alias tomcat -file c:\temp\tomcat.csr -keystore C:\temp\mykeystore.jks
Jump back over to the CA box run the following commands from a elevated command prompt:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
The Subject Alternative Name are required for the certs to work and this attribute is not enabled by default on older CAs.
Open MMC
Add "Certification Authority"
Click OK.
Right click the the CA > properties
On the general tab click view certificate
Click the "Details" tab
Click "copy to file"
In the export wizard, export the cert with the defaults and call this "root"
Still on the CA open a web browser and navigate to: http://localhost/certsrv/
Click "Request a certificate"
Click "Advanced certificate request"
Click "Submit a certificate request by using a base-64...."
Leaving the request window open, go back to the WC box, open the tomcat.csr file and copy the contents
Paste it into the "Saved request:" field in the request window
Under certificate template: Select "Web Server"
If "Web Server" doesnt show up do the following:
Open the Certificate Authority > right click certificate templates > manage
A new console will open for the certificate templates > right click "web server" > properties
Under the security tab ensure your group has "full control" . Click OK to save and web server should show in the drop down in certsrv
Under Additional Attributes type: san:dns=cs.mylab.lab
Click "submit"
Click "download certificate"
Copy both "root" and "certnew" certs to the webconsole box (put them into the same directory as the keystore)
Run the following command:
keytool -import -alias root -keystore C:\temp\mykeystore.jks -trustcacerts -file C:\temp\root.cer
Enter the password and when it prompts to ask if you should trust this cert type "yes"
If all goes well it should reply "Certificate was added to keystore"
Now import the web server cert:
keytool -import -alias tomcat -keystore C:\temp\mykeystore.jks -trustcacerts -file C:\temp\certnew.cer
It should reply with "Certificate reply was installed in keystore"
Stop tomcat
Back up the server.xml that is part of the Apache configuration in the software_installation_path/Apache/Conf folder.
Copy the generated keystore file to software_installation_path/Apache
Change the "certificateKeystoreFile=" to the path of the mykeystore.jks
Change the "certificateKeystorePassword" to the keystore password
It should look something like:
<Certificate certificateKeystoreFile="C:\Program Files\Commvault\ContentStore\Apache\mykeystore.jks" certificateKeystorePassword="onpassword" certificateKeystoreType="JKS"/>
Now double click both the "root" and "certnew" certificates to import them.
Click "install certificate" on each
Change the storage location to "local machine"
Tick the radio button to "Place all certificates in the following store" Click browse
Select "Trusted Root Certification authorities" and click OK
Click Next
Click Finish
Start tomcat
Hit the command center URL with HTTPS and the name used in the certs and you should get the lock!
Although this is commonly done for a domain this also works in a workgroup as seen below:
@MFasulo Nicely done. Perhaps worth reposting the image as it does seem to come through.
The image is just showing that you can do with/without a domain. Two screenshots of my lab URLs with the lock!
@Jamie B , can you confirm the password used to create the keystore file in step 2. contains no special character i.e. & or @?
You need to use a password without any special characters.