Installing and Configuring a CA‑Signed SSL Certificate in Java KeyStore

Info
Purpose:

This document provides a step-by-step guide for creating a Java KeyStore (JKS), importing a CA-signed SSL certificate, and configuring AutomationEdge for secure HTTPS communication.

Notes
Prerequisites:

Before starting, ensure you have:

  • Certificates from your Certificate Authority (CA):

    • Scenario A: Three separate files — Root, Intermediate, and Application (Main) certificate.

    • Scenario B: A single bundled certificate containing the full chain or a single certificate file.

  • Keystore password (you will set this during creation/import).

  • Access to the Tomcat server.xml configuration file.

  • Ability to restart the Tomcat service.


Step 1: Import CA Certificates into the JKS

Scenario A — Three Separate Certificate Files

  1. Import the Root Certificate

    keytool -import -trustcacerts -alias root -keystore your_JKS.jks -file <Root_Certificate>
  2. Import the Intermediate Certificate

    keytool -import -trustcacerts -alias intermediate -keystore your_JKS.jks -file <Intermediate_Certificate>
  3. Import the Application (Main) Certificate

    keytool -import -trustcacerts -alias aeserver -keystore your_JKS.jks -file <Application_Certificate>

Scenario B — Single Bundled Certificate or Single Certificate File

If your CA provides:

  • One .cer or .crt file containing the full chain, or

  • A single certificate file for your domain

Use:

    keytool -import -trustcacerts -alias aeserver -file your_certificate_file.cer -keystore your_JKS.jks

Step 2: Verify Certificate and Private Key in Keystore

Check the contents of the keystore:

    keytool -list -keystore your_JKS.jks

  • Ensure all certificates appear in the list.

  • Confirm there is one “PrivateKeyEntry” for your main certificate.


Warning
Important:

If the PrivateKeyEntry is missing, you must first import the private key into your main certificate, then re-import that updated certificate (which includes the private key) into your JKS file.
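
The Step 2 check can be scripted. The following is an added example, not part of the original guide or of AutomationEdge: it reads `keytool -list` output and reports whether the alias Tomcat will use is a PrivateKeyEntry or only a trustedCertEntry (a certificate imported without its key pair). The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Reads `keytool -list` output on
# stdin and classifies the alias given as $1.
# Returns 0 = PrivateKeyEntry, 1 = trustedCertEntry only, 2 = alias absent.
check_key_entry() {
    # JKS aliases are case-insensitive and listed in lower case; normalise.
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    result=2
    while IFS= read -r line; do
        case $line in
            "$want, "*PrivateKeyEntry*) result=0 ;;
            "$want, "*trustedCertEntry*)
                if [ "$result" -eq 2 ]; then result=1; fi ;;
        esac
    done
    return "$result"
}

# Constructed sample listings (fingerprints are placeholders, not real values).
GOOD_LISTING='Keystore type: JKS
Your keystore contains 3 entries

root, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
intermediate, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
aeserver, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# Constructed failure case: server certificate imported without a key pair.
BAD_LISTING='Keystore type: JKS
Your keystore contains 1 entry

aeserver, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>'

report() {  # $1 = label, $2 = listing text, $3 = alias
    if printf '%s\n' "$2" | check_key_entry "$3"; then
        echo "$1: $3 is a PrivateKeyEntry; Tomcat can use it for HTTPS"
    else
        echo "$1: $3 has no private key in this keystore (code $?)"
    fi
}

report good "$GOOD_LISTING" aeserver
report bad  "$BAD_LISTING"  aeserver
```

Against a real keystore, pipe the listing in: `keytool -list -keystore your_JKS.jks | check_key_entry aeserver`.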

Step 3: Configure Tomcat for SSL

For Tomcat 9.x and earlier (Traditional Connector Format)

Edit $TOMCAT_HOME/conf/server.xml and add or update the connectors:

Comment out the HTTP connector section in server.xml.
  • Redirect HTTP to HTTPS:

    <Connector port="80" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443" />
  • SSL Connector

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" keyAlias="aeserver"
               keystoreFile="./conf/your_JKS.jks"
               keystorePass="<password_to_keystore>" />

Replace <password_to_keystore> with your keystore password.

For Tomcat versions later than 9.x (SSLHostConfig Format)

Edit $TOMCAT_HOME/conf/server.xml and configure:

  • Redirect HTTP to HTTPS

    <Connector port="80" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443" />
  • SSL Connector

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/your_JKS.jks"
                     certificateKeystorePassword="<password_to_keystore>"
                     type="RSA" certificateKeyAlias="aeserver" />
      </SSLHostConfig>
    </Connector>

Update file paths and passwords as required.

Step 4: Restart Tomcat

Restart the Tomcat service to apply the SSL changes.

Step 5: Update AutomationEdge for HTTPS

  1. Clear your browser cache and history.

  2. Log in to AutomationEdge as sysadmin.

  3. Update the HTTPS URL in the system/application settings.

  4. Verify the connection and save the changes.

This completes the process for installing and configuring your CA-signed SSL certificate with AutomationEdge and Tomcat.
