Old title: Create custom certificates for Tomcat installations (non-Docker)

TODO: replace this page entirely with new content explaining the new dev/test tooling for WAR and Docker deployments

Info

This article is valid for Smart ID Identity Manager 24.R1.

In a production environment, the certificates used must be created by a real certificate authority (CA), so that the chain of trust is unambiguous.

...

  • Double-check PINs
    You need to make sure that WEB-INF\classes\engineSignEncryptConfig.xml has the correct PINs that were used during bootstrapping.

Requirements

  • These scripts use OpenSSL 1.x. This can be installed on Windows and added to the PATH environment variable, or you can use a WSL2 Linux distribution with OpenSSL 1.x instead (e.g. Ubuntu 20.04).

...

  • The active Java installation is selected via the JAVA_HOME environment variable.

Steps with installed OpenSSL for Windows

This was successfully tested with https://slproweb.com/download/Win64OpenSSL_Light-1_1_1m.msi .

  1. Ensure that JAVA_HOME points to the folder of the Windows Java installation that will be used by Tomcat.

  2. Download certsetup.zip.

  3. Unpack it. (For example to C:\primestuff\certsetup)

  4. Start a command line as administrator to execute the following:

    1. Navigate to the batch files (cd c:\primestuff\certsetup)

    2. createca.bat

    3. trustlocalCA.bat

    4. createP12s.bat

  5. Copy sign.p12, signConfig.p12, signJWS.p12, signJWT.p12, encryptConfig.p12, emailSigning.p12, deviceEncCA.p12 and hybridEncKeypair.p12 to WEB-INF\classes of your web applications.

  6. Edit WEB-INF\classes\engineSignEncryptConfig.xml in your web applications and make sure it uses the pins that were set during bootstrapping for the respective files.

Steps using WSL2

  1. Ensure that JAVA_HOME points to the folder of the Windows Java installation that will be used by Tomcat.

  2. Download certsetup.zip.

  3. Unpack it. (For example to C:\primestuff\certsetup)

  4. Open a WSL distribution using OpenSSL 1.x (e.g. Ubuntu 20.04) to execute the following:

    1. Navigate to the shell scripts (cd /mnt/c/primestuff/certsetup; the mount path depends on the distribution, the example is Ubuntu)

    2. ./createca.sh

    3. ./createP12s.sh

  5. Start a command line as administrator (the trust must be established in the Windows Java installation, not in the WSL one)

    1. Navigate to the batch files (cd c:\primestuff\certsetup)

    2. trustlocalCA.bat

  6. Copy sign.p12, signConfig.p12, signJWS.p12, signJWT.p12, encryptConfig.p12, emailSigning.p12, deviceEncCA.p12 and hybridEncKeypair.p12 to WEB-INF\classes of your web applications.

  7. Edit WEB-INF\classes\engineSignEncryptConfig.xml in your web applications and make sure it uses the pins that were set during bootstrapping for the respective files.
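What the three scripts do in both procedures above, written out as one added shell example; it is not the code from certsetup.zip and does not claim to reproduce its exact parameters. It creates a local development CA, issues one signing identity and exports it as a PIN-protected PKCS#12 file of the kind copied to WEB-INF\classes, checks that the chosen PIN actually opens the file (the "double-check PINs" step), and imports the CA into the JVM named by JAVA_HOME, which is the reason trustlocalCA.bat is run against the Windows Java even when the CA was created under WSL. Directory, file and subject names, validity periods, the keytool alias and the PIN are constructed placeholders; only sign.p12 is produced, the other .p12 files would be made the same way with their own names.

```shell
#!/bin/sh
# Added example, not the product's certsetup scripts: a minimal local
# development CA with OpenSSL 1.x, one signing identity exported as a
# PIN-protected PKCS#12 file, and the CA import into the JVM that Tomcat
# uses. All names, validity periods and the PIN are placeholders.
set -eu

# make_dev_ca DIR PIN
# Writes DIR/devCA.key, DIR/devCA.crt and DIR/sign.p12 (protected by PIN).
make_dev_ca() {
  dir=$1
  pin=$2
  mkdir -p "$dir"

  # Extensions are written to files so the result does not depend on the
  # distribution's openssl.cnf defaults: the CA may only sign certificates,
  # the leaf may only produce signatures and cannot act as a CA.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer' > "$dir/leaf.ext"

  # 1. CA key pair and self-signed CA certificate (10 years).
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
    -subj '/CN=Local Dev CA (not for production)' \
    -keyout "$dir/devCA.key" -out "$dir/devCA.csr"
  openssl x509 -req -days 3650 -sha256 -extfile "$dir/ca.ext" \
    -signkey "$dir/devCA.key" -in "$dir/devCA.csr" -out "$dir/devCA.crt"

  # 2. Leaf key pair and CSR for the signing identity.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=sign' \
    -keyout "$dir/sign.key" -out "$dir/sign.csr"

  # 3. Issue the leaf certificate from the CA (about two years).
  openssl x509 -req -days 825 -sha256 -extfile "$dir/leaf.ext" \
    -CA "$dir/devCA.crt" -CAkey "$dir/devCA.key" -CAcreateserial \
    -in "$dir/sign.csr" -out "$dir/sign.crt"

  # 4. Bundle key, certificate and CA chain into sign.p12. The PIN given
  #    here is what engineSignEncryptConfig.xml must later reference.
  #    (pass: on the command line is visible in the process list; use
  #    -passout file:... for anything beyond a throwaway test setup.)
  openssl pkcs12 -export -name sign \
    -inkey "$dir/sign.key" -in "$dir/sign.crt" -certfile "$dir/devCA.crt" \
    -passout "pass:$pin" -out "$dir/sign.p12"

  rm -f "$dir/devCA.csr" "$dir/sign.csr" "$dir/ca.ext" "$dir/leaf.ext"
}

# check_p12 DIR PIN
# Returns 0 only if sign.p12 opens with PIN and its certificate chains to
# devCA.crt; this is the "double-check PINs" step, done before editing the
# web application config rather than after a failed bootstrap.
check_p12() {
  dir=$1
  pin=$2
  openssl pkcs12 -in "$dir/sign.p12" -passin "pass:$pin" -nokeys -clcerts \
    -out "$dir/sign.extracted.crt" 2>/dev/null || return 1
  openssl verify -CAfile "$dir/devCA.crt" "$dir/sign.extracted.crt" >/dev/null 2>&1
}

# trust_ca DIR
# Imports devCA.crt into the cacerts store of the JVM named by JAVA_HOME.
# Assumes Java 9+ for the -cacerts option (older JVMs need
# -keystore "$JAVA_HOME/jre/lib/security/cacerts") and the default store
# password "changeit". The alias "localdevca" is a placeholder.
trust_ca() {
  dir=$1
  "${JAVA_HOME:?set JAVA_HOME to the Java used by Tomcat}/bin/keytool" \
    -importcert -noprompt -trustcacerts -alias localdevca \
    -file "$dir/devCA.crt" -cacerts -storepass changeit
}

# Stand-alone use: sh devca.sh OUTDIR PIN [trust]
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
  make_dev_ca "$1" "$2"
  if check_p12 "$1" "$2"; then
    echo "sign.p12 opens with the given PIN and chains to devCA.crt"
  else
    echo "sign.p12 does not open with the given PIN" >&2
    exit 1
  fi
  if [ "${3:-}" = "trust" ]; then
    trust_ca "$1"
  fi
fi
```

Run it from the WSL or Windows shell that has OpenSSL 1.x on the PATH; the third argument "trust" triggers the keytool import, which on a WSL setup must be run from a Windows shell as administrator because JAVA_HOME there points at the Windows Java, exactly as step 5 above says. If check_p12 fails for a PIN you believed was used during bootstrapping, fix the PIN before touching engineSignEncryptConfig.xml.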

Additional information

Useful links

...