To use X.509 client certificates for authentication, a keystore with CA certificate(s) must be placed in the installation directory.
Procedure
- If you do not yet have a keystore, follow these steps:
  - Create a keystore and import the CA certificate(s) by executing the following command:
    > <installation dir>/jdk/bin/keytool -importcert -alias cacert -keystore <installation dir>/tomcat/certs/<keystore filename> -file <certificate filename>
    CA certificates can be in either PEM format or DER format.
    Example for Windows:
    > C:\tibco\tss\<version>\jdk\bin\keytool -importcert -alias cacert -keystore C:\tibco\tss\<version>\tomcat\certs\example.jks -file cacert.cer
    where "example" in example.jks is the server hostname.
  - Repeat the previous step for each additional CA certificate.
- When you have a keystore containing the CA certificate(s), copy the keystore file to the <installation dir>/tomcat/certs directory.
Note: The keystore containing the CA certificate(s) can be in either PKCS #12 or JKS format.
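The repeated import step can be scripted. The following is an added example, not part of the original procedure or the vendor's tooling. keytool refuses to import under an alias that already exists in the keystore, so each CA certificate needs its own alias; here the alias is derived from the file name. The names alias_for, import_cas and the KEYTOOL variable are hypothetical, and deriving the alias from the file name is an assumption of this example.

```shell
#!/bin/sh
# Added example: import several CA certificates into one keystore,
# one unique alias per certificate.
# KEYTOOL is a hypothetical variable; point it at <installation dir>/jdk/bin/keytool.
KEYTOOL="${KEYTOOL:-keytool}"

# Derive an alias from a certificate file name: drop the directory and
# extension, lowercase, and replace anything outside [a-z0-9_-] with '_'.
alias_for() {
    name=${1##*/}
    name=${name%.*}
    printf '%s' "$name" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9_-' '_'
}

# import_cas KEYSTORE CERT...
# Pass 1 checks every file and alias before anything is written, so a bad
# argument cannot leave the keystore half populated.
# Pass 2 prints each certificate and imports it.
import_cas() {
    keystore=$1
    shift
    seen=" "
    for cert in "$@"; do
        [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
        a=$(alias_for "$cert")
        case "$seen" in
            *" $a "*) echo "alias $a would be used twice ($cert)" >&2; return 1 ;;
        esac
        seen="$seen$a "
    done
    for cert in "$@"; do
        a=$(alias_for "$cert")
        # Print owner, issuer and fingerprints so they can be compared with
        # the values the CA publishes before the certificate is trusted.
        "$KEYTOOL" -printcert -file "$cert" || return 1
        # -noprompt is deliberately omitted: keytool asks for confirmation
        # before adding the certificate as a trusted entry.
        "$KEYTOOL" -importcert -alias "$a" -keystore "$keystore" -file "$cert" || return 1
    done
    # List the resulting entries to confirm every CA is present.
    "$KEYTOOL" -list -keystore "$keystore"
}

# Usage (paths are placeholders):
#   import_cas "<installation dir>/tomcat/certs/<keystore filename>" root-ca.cer issuing-ca.cer
```

keytool prompts for the keystore password on each call, so the script is meant to be run interactively.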