- First export the certificate from IIS
IIS 7, 8 and 8.5
- On the Start menu click Run and then type mmc.
- Click File > Add/Remove Snap-in.
- Click Certificates > Add.
- Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
- Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
- Right-click on the certificate you want to backup and select ALL TASKS > Export.
- Choose "Yes, export the private key" and "Include all certificates in the certification path if possible".
Warning: Do not select the delete private key option.
- Leave the default settings and then enter your password if required.
- Choose to save the file and then click Finish. You should receive an "export successful" message. The .pfx file is now saved to the location you selected.
IIS6
- Open IIS Management Console.
- Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
- Navigate to the site which contains the SSL certificate you want to export.
- Make a right click on the site and choose properties.
- Go to the Directory Security Tab and press the Server Certificate button.
- Click Next on the welcome screen.
- Select the option "Export the current certificate to a .pfx file".
- Select a name and location and click next.
- Type in the password for the file and keep it safe.
- Click OK.
- Close out of the wizard.
- Configure TOMCAT for using the exported SSL certificate:
Make a copy of the file ..\nxroot\bopcfg\www\CATALINA_BASE\conf\server.xml and then open it using a text editor.
Locate the following line:
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
Change it as follows:
NOTE - be sure to remove the <!-- and --> markers that currently comment out the HTTPS/SSL connector for Tomcat, and set the path and password of your exported certificate.
<Connector SSLEnabled="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
clientAuth="false" keystoreFile="C:\keystore\sdm.pfx" keystorePass="YOURPASSWORD" keystoreType="PKCS12"
maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
- keystoreFile="C:\keystore\sdm.pfx", should match the location of the exported certificate from the IIS server.
- keystorePass="YOURPASSWORD" is the password you chose when exporting the .pfx file.
- ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA", this attribute prevents the error described in TEC1197111. The cipher suite names must be written exactly as shown, with no spaces or line breaks inside a name.
- keystoreType="PKCS12", this lets Tomcat read the certificate exported from IIS, which is a PKCS#12 (.pfx) file rather than a Java keystore.
- sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2", this attribute prevents the vulnerability described in TEC1250834.
- Repeat the same steps on all application servers or secondary servers.
- Restart the Tomcat servers.
- Configure Service Desk to use the SSL server URL under Administration tab > System > Servers.
Upload server
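Before restarting Tomcat it is worth checking the edited connector for the mistakes the notes above warn about. The following Python check is an added example, not part of this article or of the product: it parses a server.xml and reports a connector that is still commented out, a keystoreType other than PKCS12, a keystorePass left at the placeholder, cipher suite names broken by whitespace, and a protocol list that includes SSL. The embedded server.xml fragment is constructed for the demonstration and deliberately contains two of those mistakes.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragment; the real file is ..\nxroot\bopcfg\www\CATALINA_BASE\conf\server.xml.
# It deliberately keeps the placeholder password and one cipher name split by a space.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" clientAuth="false"
      keystoreFile="C:\keystore\sdm.pfx" keystorePass="YOURPASSWORD" keystoreType="PKCS12"
      maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_ CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>"""


def check_https_connector(xml_text, port="8443"):
    """Return a list of problems with the SSL-enabled Connector on `port`; [] means it looks ready."""
    root = ET.fromstring(xml_text)
    # ElementTree drops <!-- --> comments, so a connector left commented out is simply absent.
    found = [c for c in root.iter("Connector")
             if c.get("SSLEnabled", "").lower() == "true" and c.get("port") == port]
    if not found:
        return ["no SSLEnabled Connector on port %s (comment markers still in place?)" % port]
    c = found[0]
    problems = []
    if c.get("keystoreType") != "PKCS12":
        problems.append("keystoreType must be PKCS12 for a .pfx exported from IIS")
    if not c.get("keystoreFile", "").lower().endswith(".pfx"):
        problems.append("keystoreFile does not point at the exported .pfx")
    if c.get("keystorePass") in (None, "", "YOURPASSWORD"):
        problems.append("keystorePass is missing or still the placeholder")
    for name in c.get("ciphers", "").split(","):
        if " " in name.strip():  # a space inside a suite name is a copy/paste break
            problems.append("cipher name contains whitespace: %r" % name.strip())
    protocols = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
    if not protocols or any(p.startswith("SSLv") for p in protocols):
        problems.append("sslEnabledProtocols must list TLS versions only")
    return problems


if __name__ == "__main__":
    for issue in check_https_connector(SAMPLE_SERVER_XML) or ["connector looks ready"]:
        print(issue)
```

To check a real installation, read the copy of server.xml from the path given above and pass its contents to check_https_connector.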