CSR Support

 

Jakarta-Tomcat

Certificate installation

This document introduces generating and installing a Server Digital Certificate, and answers questions you might have.

Creating a Certificate Signing Request

If you are not using JDK 1.4 or higher, you must download and install the Java Secure Socket Extension (JSSE).

1. Generate a private key with the following command:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/keystore.kdb

You will be prompted for a password. Tomcat uses a default password of "changeit". If you use a different password, you will need to specify a custom password in the server.xml configuration file.

The next field that you will be prompted for is "What is your first and last name?" At this prompt, you must specify the common name (FQDN) of your web site.

You will then be prompted for your organizational unit, organization, etc.

2. Generate the Certificate Signing Request (CSR):

$JAVA_HOME/bin/keytool -certreq -alias tomcat -keystore /path/to/keystore.kdb -file filename.csr

You will not be prompted for the common name, organization, etc. The keytool will use the values that you specified when generating the private key.

3. Now go to ipsCA, select your certificate and fill in the form with your personal data. Paste your certificate request into the CSR field, making sure that you include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.

4. Make a backup of the keystore.kdb key database. You will need it if your server crashes.


Installing a Server Digital Certificate

Upload a New SSL Certificate

After you are emailed your certificate, two other certificates will be necessary to set up your SSL server: the IPS SERVIDORES ROOT CERTIFICATE and the intermediate CA certificate IPSCA CLASEA1. It is essential that these certificates also be installed on your web server in order to establish correct SSL connections with your customers' browsers. Should they be required, you may download these certificates individually or collectively as a bundled file below:

IPSServidores.crt

IPSCACLASEA1.crt

IPS-IPSCABUNDLE.CRT

You must first export the certificates in der format as follows:

  1. Copy the IPSCACLASEA1 Chained CA certificate into a text editor such as notepad and save as chain.cer on a Windows machine with IE 5+.
  2. Copy your web server certificate into a text editor such as notepad and save as yourdomain.cer on a Windows machine with IE 5+.
  3. Copy the IPSServidores root CA certificate into a text editor and save as root.cer on a Windows machine with IE 5+.
  4. Double-click the root.cer and select the Details tab, then Copy to File, then select the Base-64 option, give your copied certificate a file name of root_der.cer
  5. Double-click the chain.cer and select Install. Choose "Place all certificates in following store" and select Intermediate Certification Authorities. Complete the Wizard.
  6. Double-click the chain.cer again and select the Details tab, then Copy to File, then select the Base-64 option, give your copied certificate a file name of chain_der.cer
  7. Double-click the yourdomain.cer and select the Details tab, then Copy to File, then select the PKCS#7 (p7b) option and also select "Include all certificates in the certification path". Give your copied certificate a file name of yourdomain.p7b

The following certificate installations must be executed in the stated order.

1. Import the root_der.cer and chain_der.cer files using:

$ keytool -import -trustcacerts -keystore my.kdb -alias root -file root_der.cer

$ keytool -import -trustcacerts -keystore my.kdb -alias chain -file chain_der.cer

With my.kdb being your keystore.

2. Import the yourdomain.p7b file using:

keytool -import -trustcacerts -keystore my.kdb -alias tomcat -file yourdomain.p7b

With my.kdb being your keystore.
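One way to confirm that the imports above left the tomcat alias holding the private key with a complete chain, as an added example that is not part of ipsCA's procedure. It parses the output of keytool -list -v; the function names and the sample output are constructed for illustration, and a chain length of 3 (server certificate, IPSCA CLASEA1, IPS SERVIDORES root) is assumed from the two CA certificates this page names.

```shell
# Added example, not ipsCA's procedure. With a real keystore (my.kdb as above):
#   keytool -list -v -keystore my.kdb | chain_status tomcat 3

# chain_status ALIAS MIN_LEN: reads `keytool -list -v` output on stdin and
# prints one word: ok | short-chain | not-a-key-entry | missing-alias
chain_status() {
    awk -v want="$1" -v min="$2" '
        { sub(/\r$/, "") }                         # tolerate CRLF line ends
        /^Alias name: / { cur = substr($0, 13); if (cur == want) seen = 1 }
        cur != want     { next }                   # skip other entries
        # Older keytool releases print "keyEntry", newer ones "PrivateKeyEntry"
        /^Entry type: / { if ($3 == "PrivateKeyEntry" || $3 == "keyEntry") key = 1 }
        /^Certificate chain length: / { len = $4 + 0 }
        END {
            if (!seen)              print "missing-alias"
            else if (!key)          print "not-a-key-entry"
            else if (len < min + 0) print "short-chain"
            else                    print "ok"
        }'
}

# Constructed, abbreviated sample: state after both import steps succeeded.
sample_complete() {
    cat <<'EOF'
Keystore type: JKS

Alias name: root
Entry type: trustedCertEntry

Alias name: chain
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# Constructed sample: reply not imported, key still has its self-signed cert.
sample_unsigned() {
    cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

sample_complete | chain_status tomcat 3   # prints: ok
```

A result of not-a-key-entry means the reply was imported into a keystore that does not contain the private key generated for the CSR; short-chain means the signed reply or the CA certificates were not attached to the key entry.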

 

Update server.xml configuration file:

1. Open "$JAKARTA_HOME/conf/server.xml" in a text editor.

2. Find the following section:

<Connector
...
scheme="https"
secure="true"
keystoreFile="/pathto/my.kdb"
keystorePass="mypassword"

3. If you want Tomcat to use the default SSL port, change all instances of the port number 8443 to 443.

4. Add the keystoreFile and keystorePass directives to correspond with the keystore file and password that you are using.

5. Start or restart Tomcat using the appropriate startup script (startup.sh for Unix/Linux or startup.bat for Windows).

 
© 1996 - 2007 ipsCA, IPS Certification Authority, S.L. all Rights reserved.