Certificate Wizard
Try our Cameyo Certificate Wizard for Tomcat after you read the article below.
Steps for turning your HTTP server into HTTPS for self-hosted Cameyo servers.
If you are a fully-hosted cloud customer, you don't need to go through all this, and in fact probably already have HTTPS enabled. If you don't already have it enabled, simply contact support and we'll enable it for you right away.
If you are hosting your own server, then you have two options - use Cameyo's certificate, or use your own certificate. Most customers choose to just use the certificate provided by Cameyo - just contact support to get them to set it up for you.
To install your own SSL certificate, follow these steps:
- Log into the server using RDP.
- Copy the pfx certificate into C:\RapPrereqs\Tomcat\conf -- let's assume it's called "mydomain.pfx". If you don't have a .pfx certificate but rather a .cer / .crt file, please see below how to convert a certificate to a .pfx file.
- Launch notepad as elevated (you can create a shortcut to notepad.exe + right-click + run as admin).
- Open C:\RapPrereqs\Tomcat\conf\server.xml configuration file, uncomment the line that looks as following, and add the following configuration line (replace keystorePass="..." with your certificate's password, or leave it empty if none):
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/mydomain.pfx" keystorePass="mysecretopassword" keystoreType="PKCS12"/>
- Restart Tomcat and connect to https://[server-ip] to see if it works (you'll get a certificate alert, that's fine).
- You'll then need to access this server using the FQDN name specified by the certificate (myserver.mydomain.tld).
Only for testing!
You can also modify c:\windows\system32\drivers\etc\hosts file (on the test computer, not the server itself), and add the ip address of the server and the server name:12.34.56.78 myserver.mydomain.tld
- Open firewall port 443.
- In Cameyo's server page, fill 443 in the external https field:
- In "External host name", enter the server's universal name (i.e. "server.company.com"), instead of the existing name ([IP]").
- Click the "Save changes" button.
Using different certificates for internal and external connections
If you are using on-prem servers which you internally access through the internal name and externally through a public DNS name (and not using WAF and not using Cloud Tunnel) you want to configure the Cameyo server with two different certificates that are identified by the name the server is called (SNI).
For this you don't use the single line above but the following SNI setting where you have to specify the default certificate in the first line and the individual certificates for each name:
<Connector port="443" defaultSSLHostConfigName="myserver.mydomain.tld" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" SSLEnabled="true" > <SSLHostConfig hostName="myserver.mydomain.tld" ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CCM_8,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" > <Certificate certificateKeystoreType="PKCS12" certificateKeystoreFile="conf/mydomain.pfx" certificateKeystorePassword="mysecretpassword" /> </SSLHostConfig> <SSLHostConfig hostName="myserver.mycorp.local" ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CCM_8,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" > <Certificate certificateKeystoreType="PKCS12" certificateKeystoreFile="conf/mycorp.pfx" certificateKeystorePassword="mysecretpassword" /> </SSLHostConfig> </Connector>
Using the Windows Certificate store
You can also directly access installed Windows certificates (in this case no passwords are exposed).
Make sure the certificate you want to use has been added to the computer's Trusted Root Certification Authorities and has an Alias:
then change the certificate entry as follows (shortened):
<Connector sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" ... > <SSLHostConfig hostName="myserver.mycorp.local" ciphers="..." > <Certificate certificateKeystoreType="Windows-ROOT" certificateKeystoreFile="" certificateKeystorePassword="" certificateKeyAlias="<AliasOfYourCertificate>" /> </SSLHostConfig> </Connector>
add sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" to the <connector> tag and make sure you define certificateKeystoreFile and certificateKeystorePassword as empty strings.
Converting certificate to .pfx
There are different ways for converting a CER certificate to PFX format. Note this is typically done on the same machine where the CSR was generated:
- If the certificate comes in text format (---BEGIN CERTIFICATE---...) save it into a .CER file with a text editor (ignore the Intermediate certificate).
- On your Windows server, run "certmgr.msc". Install the .CER and export it to .PFX with the private key.
- Then, copy the .PFX to C:\RapPrereqs\Tomcat\conf