Existing key pair
If you already have a key pair (private and signed public) in a keystore (.jks, or .pfx/pkcs12) or as separate files (.pem) just make sure the server.xml file is pointing to them and restart the Noodle service. (see below for server.xml examples)
Making a keystore
1. Prepare
- Before a HTTPS connection is created and linked to the keys, make a backup of the server.xml file.
- Use CMD to add Keytool to your path (use the real path to keytool) e.g.:
SET PATH=%PATH%;%PROGRAMFILES%\java\bin
2. Generate Keystore
keytool -genkey -alias noodle.domain.tld -validity 365 -keyalg RSA -keystore noodle.pfx
Once this command has been entered, Keytool will ask some questions regarding your company. Enter information as follows:
- Keystore Password: The first time you run this tool, it will create the keystore file protected by a password. You will need this password every time you access the keystore file.
- First and Last name: the domain name, for example noodle.domain.tld .
- Name of organizational unit: This is not the company name, but may be an internal department, e.g. Marketing Department.
- Name of your organization: Your company name, e.g. Vialect Inc.
- City or location, e.g. Windsor
- State or Province, e.g. Ontario
- 2-Letter Country code, e.g. CA
- Certificate password: This can be the same as the password for the keystore file.
3. Get your Certificate signed
Popular Certificate Authorities (CA) include Let's Encrypt, Thawte, VeriSign, GoDaddy, Network Solutions.
- Make a certificate signing request (CSR):
keytool -certreq -alias noodle.domain.tld -keystore noodle.pfx -file noodlecert.csr
After uploading the file or pasting the text from that file in the CA,
Select "Tomcat" as the format when downloading your signed public key from your CA.
- Import root certificates, if required:
keytool -import -alias carootcert -trustcacerts -file ca-root.crt -keystore noodle.pfx
- Import intermediate certificates, if required:
keytool -import -alias intermediate -trustcacerts -file intermediate.crt -keystore noodle.pfx
- Apply the Certificate Signature:
keytool -import -alias noodle.domain.tld -trustcacerts -file noodlecert.crt -keystore noodle.pfx
4. Create a HTTPS Connection
Edit server.xml by adding and adjusting the following example:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" defaultSSLHostConfigName="null" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig hostName="null" protocols="TLSv1.2,+TLSv1.3">
<Certificate type="RSA" certificateKeystoreFile="noodle.pfx" certificateKeystorePassword="123456"/>
</SSLHostConfig>
</Connector>
5. Restart the Noodle service
Noodle can now be accessed using the HTTPS protocols.
If using Windows make sure The NoodleHTTPS entry in the your firewall is enabled and the correct port.
Options
Let's Encrypt
Consider a free certificate (not self signed) as an alternative to not using SSL. server.xml example:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" defaultSSLHostConfigName="noodle.domain.tld" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig hostName="noodle.domain.tld" protocols="TLSv1.2,+TLSv1.3"> <Certificate certificateKeyFile="/etc/letsencrypt/live/noodle.domain.tld/privkey.pem" certificateFile="/etc/letsencrypt/live/noodle.domain.tld/cert.pem" certificateChainFile="/etc/letsencrypt/live/noodle.domain.tld/fullchain.pem" type="RSA" /> </SSLHostConfig> </Connector>
Linux script
Redirect HTTP to HTTPS
Read how here.
Use Strong Encryption
Read how here.
Converting
Converting is not required as jks, pfx(pkcs12), pem are all supported.