Existing key pair
If you already have a key pair (private key plus the CA-signed certificate) in a keystore (.jks, or .pfx/PKCS12) or as separate PEM files, just make sure server.xml points to them and restart the Noodle service (see below for server.xml examples).
Making a keystore
1. Prepare
- Before creating the HTTPS connector, make a backup of server.xml so the working configuration can be restored if something goes wrong.
- Use CMD to add keytool to your PATH (substitute the real path to the keytool that ships with your Java installation), e.g.:
SET PATH=%PATH%;%PROGRAMFILES%\java\jre17\bin
2. Generate Keystore
keytool -genkeypair -alias noodle.domain.tld -keyalg RSA -keysize 2048 -validity 365 -storetype PKCS12 -keystore noodle.pfx
(-genkey is the older name for -genkeypair and still works. -storetype PKCS12 makes sure the file really is PKCS12 on older Java versions whose default keystore type is JKS. The -validity only applies to the temporary self-signed certificate; the CA sets the validity of the real one in step 3.)
Keytool will then ask some questions about your organization. Enter information as follows:
- Keystore password: the first time you run this tool it creates the keystore file protected by this password. You will need it every time you access the keystore and again in server.xml, so choose a strong one and keep it out of scripts, tickets and chat.
- First and last name: the fully qualified host name users will type into the browser, e.g. noodle.domain.tld. The CA issues the certificate for this name; if it does not match the address in the browser, users get a certificate warning.
- Name of organizational unit: not the company name, but an internal department, e.g. Marketing Department.
- Name of your organization: your company name, e.g. Vialect Inc.
- City or locality, e.g. Windsor
- State or province, e.g. Ontario
- Two-letter country code, e.g. CA
- Key password: for a PKCS12 keystore this must be the same as the keystore password (keytool ignores a different key password for PKCS12 and prints a warning), so press Enter at the "RETURN if same as keystore password" prompt.
3. Get your Certificate signed
Popular public Certificate Authorities (CAs) include Let's Encrypt (free and automated; see Options below), DigiCert (which now operates the former Thawte and VeriSign brands), GoDaddy and Network Solutions. Any of them can sign the CSR produced here.
- Make a certificate signing request (CSR) for the key pair generated in step 2:
keytool -certreq -alias noodle.domain.tld -keystore noodle.pfx -file noodlecert.csr
Submit noodlecert.csr to the CA. Select "Tomcat" as the format when downloading your signed certificate if the CA offers a choice; otherwise any PEM/X.509 (.crt) download works.
- Import the CA root certificate, if the CA supplies it separately:
keytool -importcert -alias carootcert -trustcacerts -file ca-root.crt -keystore noodle.pfx
- Import intermediate certificates, if required (use a distinct alias for each one):
keytool -importcert -alias intermediate -trustcacerts -file intermediate.crt -keystore noodle.pfx
- Apply the certificate signature. The alias must be the same one used in step 2; with a different alias keytool stores the certificate as a separate trusted entry instead of attaching it to your private key:
keytool -importcert -alias noodle.domain.tld -trustcacerts -file noodlecert.crt -keystore noodle.pfx
keytool prints "Certificate reply was installed in keystore" when it could build the complete chain. If it cannot, import the missing intermediate certificate first and repeat this command. (-import is the older name for -importcert and still works.)
4. Create a HTTPS Connection
Edit server.xml by adding the following example and adjusting the host name, keystore path and password for your installation:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           defaultSSLHostConfigName="noodle.domain.tld" SSLEnabled="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig hostName="noodle.domain.tld" protocols="TLSv1.2,+TLSv1.3">
    <Certificate type="RSA" certificateKeystoreFile="conf/noodle.pfx"
                 certificateKeyAlias="noodle.domain.tld"
                 certificateKeystorePassword="your-keystore-password"/>
  </SSLHostConfig>
</Connector>
Notes:
- defaultSSLHostConfigName must be exactly the hostName of one SSLHostConfig. The string "null" is not a placeholder Tomcat understands; use the site's DNS name, or leave both attributes out so Tomcat uses its built-in default _default_.
- certificateKeystoreFile is resolved relative to the Tomcat base directory, so copy noodle.pfx into conf\ or give an absolute path.
- certificateKeyAlias selects the key pair from step 2. Without it Tomcat uses the first key entry it finds in the keystore.
- certificateKeystorePassword is the password from step 2. It is stored in clear text, so restrict read access to server.xml to the service account and administrators.
- protocols="TLSv1.2,+TLSv1.3" disables TLS 1.0 and 1.1; do not add them back for old clients.
5. Restart the Noodle service
Noodle can now be accessed over HTTPS. Open https://noodle.domain.tld in a browser and confirm that the certificate is shown as trusted and issued for that name; a warning at this point means the chain is incomplete or the name does not match.
Options
Let's Encrypt
Let's Encrypt issues free, publicly trusted certificates (not self-signed) and is a better choice than running Noodle without TLS. With certbot the private key and certificates are PEM files, which Tomcat reads directly without a keystore. server.xml example:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           defaultSSLHostConfigName="noodle.domain.tld" SSLEnabled="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig hostName="noodle.domain.tld" protocols="TLSv1.2,+TLSv1.3">
    <Certificate certificateKeyFile="/etc/letsencrypt/live/noodle.domain.tld/privkey.pem"
                 certificateFile="/etc/letsencrypt/live/noodle.domain.tld/cert.pem"
                 certificateChainFile="/etc/letsencrypt/live/noodle.domain.tld/chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
Notes:
- certificateChainFile holds the intermediate certificates only (chain.pem). Tomcat documents that this file should not contain the server certificate as its first entry, which is exactly what fullchain.pem does.
- Recent certbot versions issue ECDSA keys by default; if your privkey.pem is an EC key, set type="EC" so it matches.
- Let's Encrypt certificates are valid for 90 days and certbot renews them automatically, but Tomcat only reads the files at start-up. Restart the Noodle service from a certbot deploy hook (--deploy-hook) after each renewal.
- The account the Noodle service runs as needs read access to privkey.pem; by default only root can read /etc/letsencrypt/live and /etc/letsencrypt/archive.
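Both connector examples on this page (the keystore-based one in step 4 and the PEM-based Let's Encrypt one above) are easy to get subtly wrong, and Tomcat often starts anyway. The linter below is an added example written for this page; it is not Noodle or Tomcat code. It uses only Python's standard library and checks the Tomcat attributes named on this page (defaultSSLHostConfigName, hostName, protocols, certificateKeystoreFile, certificateKeyAlias, certificateKeystorePassword, certificateKeyFile, certificateFile, certificateChainFile, type). The finding codes and the two embedded sample connectors are this script's own constructions.

```python
"""Lint the HTTPS Connector settings in a Tomcat server.xml.

Added example for this page (not Noodle or Tomcat code); standard library only.
The attribute names are Tomcat's; finding codes and samples are constructed here.
"""
import sys
import xml.etree.ElementTree as ET

# Defaults and placeholders that must never reach a production server.xml
PLACEHOLDER_PASSWORDS = {"", "123456", "changeit", "password", "secret"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What Tomcat's "all" keyword expands to. The JVM's jdk.tls.disabledAlgorithms may
# still remove some of these at runtime; this linter only reads the configuration.
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
VALID_CERT_TYPES = {"RSA", "EC", "DSA", "UNDEFINED"}


def enabled_protocols(spec):
    """Expand Tomcat's protocols attribute ("all", "+X", "-X", bare names) into a set."""
    enabled = set()
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def lint_certificate(host, cert):
    """(code, message) findings for one <Certificate> element."""
    findings = []
    if cert.get("type", "UNDEFINED") not in VALID_CERT_TYPES:
        findings.append(("BAD_CERT_TYPE", f"{host}: type must be RSA, EC or DSA"))
    if cert.get("certificateKeystoreFile"):
        # Tomcat falls back to "changeit" when no keystore password is configured
        if cert.get("certificateKeystorePassword", "changeit") in PLACEHOLDER_PASSWORDS:
            findings.append(("PLACEHOLDER_PASSWORD", f"{host}: keystore password is a default or placeholder"))
        if not cert.get("certificateKeyAlias"):
            findings.append(("NO_KEY_ALIAS", f"{host}: set certificateKeyAlias; Tomcat otherwise takes the first key entry"))
    elif cert.get("certificateKeyFile"):
        if not cert.get("certificateFile"):
            findings.append(("NO_CERT_FILE", f"{host}: certificateKeyFile set without certificateFile"))
        if cert.get("certificateChainFile", "").endswith("fullchain.pem"):
            findings.append(("CHAIN_INCLUDES_LEAF", f"{host}: certificateChainFile should be intermediates only (chain.pem), not fullchain.pem"))
    else:
        findings.append(("NO_KEY_MATERIAL", f"{host}: neither certificateKeystoreFile nor certificateKeyFile is set"))
    return findings


def lint_connector(connector):
    """Findings for one <Connector>; plain HTTP and AJP connectors produce none."""
    if connector.get("SSLEnabled", "false").lower() != "true":
        return []
    hosts = connector.findall("SSLHostConfig")
    if not hosts:
        return [("NO_SSLHOSTCONFIG", "SSLEnabled connector has no SSLHostConfig")]
    findings = []
    default = connector.get("defaultSSLHostConfigName", "_default_")
    names = [h.get("hostName", "_default_") for h in hosts]
    if default not in names:
        findings.append(("DEFAULT_HOST_MISMATCH", f"defaultSSLHostConfigName={default!r} matches none of {names}"))
    for host in hosts:
        name = host.get("hostName", "_default_")
        if name.lower() in {"null", "none"}:
            findings.append(("HOSTNAME_PLACEHOLDER", f"hostName={name!r}: use the site's DNS name or _default_"))
        protocols = enabled_protocols(host.get("protocols", "all"))
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(("LEGACY_PROTOCOL", f'{name}: {", ".join(legacy)} enabled; use protocols="TLSv1.2,+TLSv1.3"'))
        if not protocols & {"TLSv1.2", "TLSv1.3"}:
            findings.append(("NO_MODERN_TLS", f"{name}: neither TLSv1.2 nor TLSv1.3 is enabled"))
        certs = host.findall("Certificate")
        if not certs:
            findings.append(("NO_CERTIFICATE", f"{name}: SSLHostConfig has no Certificate"))
        for cert in certs:
            findings.extend(lint_certificate(name, cert))
    return findings


def lint_server_xml(xml_text):
    """All findings for every SSLEnabled Connector in the document (or fragment)."""
    root = ET.fromstring(xml_text)
    return [f for connector in root.iter("Connector") for f in lint_connector(connector)]


# Constructed sample: a connector with common mistakes (placeholder host names,
# a trivial keystore password, no key alias). Tomcat starts with it regardless.
BAD_EXAMPLE = """<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           defaultSSLHostConfigName="null" SSLEnabled="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig hostName="null" protocols="TLSv1.2,+TLSv1.3">
    <Certificate type="RSA" certificateKeystoreFile="noodle.pfx" certificateKeystorePassword="123456"/>
  </SSLHostConfig>
</Connector>"""

# Constructed sample: the same connector with the findings fixed. ${keystore.password}
# is substituted by Tomcat from a system property, keeping the secret out of server.xml.
HARDENED_EXAMPLE = """<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           defaultSSLHostConfigName="noodle.domain.tld" SSLEnabled="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig hostName="noodle.domain.tld" protocols="TLSv1.2,+TLSv1.3">
    <Certificate type="RSA" certificateKeystoreFile="conf/noodle.pfx"
                 certificateKeyAlias="noodle.domain.tld"
                 certificateKeystorePassword="${keystore.password}"/>
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    # Pass the path of your server.xml; with no argument the bad sample is linted.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD_EXAMPLE
    for code, message in lint_server_xml(text) or [("OK", "no findings")]:
        print(f"{code}: {message}")
```

Run it against the real server.xml after editing and before restarting the Noodle service; an empty result means the connector at least matches the guidance on this page, not that the keystore or PEM files themselves are valid. The hardened sample uses Tomcat's ${...} property substitution so the keystore password can come from a system property (for example set in catalina.properties or via CATALINA_OPTS) instead of sitting in server.xml in clear text.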
Linux script
Redirect HTTP to HTTPS
Read how here.
Use Strong Encryption
Read how here.
Converting
No conversion is required: JKS, PFX/PKCS12 and PEM key material are all supported by the Connector configuration (the certificateKeystore* attributes for JKS and PKCS12 files, certificateKeyFile/certificateFile/certificateChainFile for PEM files).