Java Keystore - Apache

  • 9 February 2021
  • 5 replies


Has anyone replaced the self-signed java certificates with an in-house certificate chain?  What is the default keystore password located in (DRIVELETTER):\Program Files\Commvault\ContentStore\Apache\mykeystore.jks


Anyone?  Bueller?  Bueller?  Bueller?




Best answer by MFasulo 9 February 2021, 20:53

View original

5 replies

Userlevel 6
Badge +12

I wrote this process for the internal folks, but this should work for you.   The keystore password is set when you run the keytool.. I colored the command in green, to stand out from the rest of the process.





The below process should work on any CAs newer than windows 2008R2 (which is what my CA was running)


Find a windows box (not your CS) and install Active directory certification authority and the web enrollment roles


On your windows webconsole box  (I did not test this on Linux) run:

keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\temp\mykeystore.jks"

  • Give it a password
  • When its prompts for your first and last name this must be the webconsole host name  EX  cs.mylab.lab
  • Although the keytool will default to "unknown" do not use "unknown" for the 2 letter country code or the cert cannot be signed.  Put US.   All the other fields, put something relevant.


Now run:

keytool -certreq -keyalg RSA -alias tomcat -file c:\temp\tomcat.csr -keystore C:\temp\mykeystore.jks


Jump back over to the CA box run the following commands from a elevated command prompt:


certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc


The Subject Alternative Name are required for the certs to work and this attribute is not enabled by default on older CAs.  


Open MMC

Add "Certification Authority"

Click OK.

Right click the the CA > properties

On the general tab click view certificate

Click the "Details"  tab

Click "copy to file"

In the export wizard, export the cert with the defaults and call this "root"


Still on the CA open a web browser and navigate to: http://localhost/certsrv/ 


Click "Request a certificate"

Click "Advanced certificate request"

Click "Submit a certificate request by using a base-64...."

Leaving the request window open, go back to the WC box, open the tomcat.csr file and copy the contents

Paste it into the "Saved request:" field in the request window

Under certificate template: Select "Web Server"

   If "Web Server" doesnt show up do the following:

   Open the Certificate Authority > right click certificate templates > manage

   A new console will open for the certificate templates > right click "web server"  > properties

   Under the security tab ensure your group has "full control" .  Click OK to save and web server should show in the drop down in certsrv

Under Additional Attributes type: san:dns=cs.mylab.lab

Click "submit"

Click "download certificate"


Copy both "root" and "certnew" certs to the webconsole box (put them into the same directory as the keystore)


Run the following command:

keytool  -import -alias root -keystore C:\temp\mykeystore.jks -trustcacerts -file C:\temp\root.cer

Enter the password and when it prompts to ask if you should trust this cert type "yes"

If all goes well it should reply "Certificate was added to keystore"


Now import the web server cert:

keytool  -import -alias tomcat -keystore C:\temp\mykeystore.jks -trustcacerts -file C:\temp\certnew.cer

It should reply with "Certificate reply was installed in keystore"


Stop tomcat

Back up the server.xml that is part of the Apache configuration in the software_installation_path/Apache/Conf folder.

Copy the generated keystore file to software_installation_path/Apache

Change the "certificateKeystoreFile=" to the path of the mykeystore.jks

Change the "certificateKeystorePassword" to the keystore password

It should look something like:

<Certificate certificateKeystoreFile="C:\Program Files\Commvault\ContentStore\Apache\mykeystore.jks" certificateKeystorePassword="onpassword" certificateKeystoreType="JKS"/> 

Now double click both the "root" and "certnew" certificates to import them.  

Click "install certificate" on each

Change the storage location to "local machine"

Tick the radio button to "Place all certificates in the following store" Click browse

Select "Trusted Root Certification authorities" and click OK

Click Next

Click Finish


Start tomcat 


Hit the command center URL with HTTPS and the name used in the certs and you should get the lock!


Although this is commonly done for a domain this also works in a workgroup as seen below:



Userlevel 5
Badge +10

@MFasulo Nicely done. Perhaps worth reposting the image as it does seem to come through.

Userlevel 6
Badge +12

The image is just showing that you can do with/without a domain.  Two screenshots of my lab URLs with the lock!


@MFasulo , I tried the steps but on importing the certnew,cer I get “Failed to establish chain from reply”.  I was also looking at and see the intermediate certificate is needed in this article.  Would the Failed to establish error be related to the intermediate cert needed?

Thank you!

Userlevel 7
Badge +23

@Jamie B , can you confirm the password used to create the keystore file in step 2. contains no special character i.e. & or @?
You need to use a password without any special characters.