This article describes how to configure Tomcat for TLS client authentication in Protocol Gateway.
TLS client authentication is a prerequisite for EST, ACME and Certificate Manager REST API.
Create a PKCS#12 token procedure for REST API devices, according to Create token procedure in Certificate Manager, with the following settings:
- Set Procedure name to System Token Procedure P12.
- In Storage profile, select PKCS12.
- In Issuer certificates, check Store all.
For more information, see Create token procedure in Certificate Manager.
Tomcat needs a TLS soft token issued from the PKCS#12 token procedure that was just created.
Issue a software token, according to Issue software token in Certificate Manager, with the following settings:
- Set File for Media to \Nexus\Tomcat\conf\localhost-rsa.p12.
- In Procedure name, select System Token Procedure P12.
- In Common Name, enter cm.local.
To create a keystore:
- Open KeyStore Explorer.
- Click Create a new KeyStore.
- In New KeyStore Type, check JKS.
- Click Tools > Import Trusted Certificate and select System CA.cer.
Save the keystore as \Nexus\Tomcat\conf\trusted.jks in the same directory as the file localhost-rsa.p12 that you just created.
Tomcat must be configured both for TLS without client authentication (for the /cacerts endpoint) and for TLS with client authentication (for certificate requests).
- Open \Nexus\Tomcat\conf\server.xml for editing.
Configure one connector for TLS with client authentication and one for TLS without client authentication.
For use with the EST protocol, there must be a connector with client authentication set to false, since the /cacerts endpoint must NOT be protected behind client authentication.
For both connectors, set the following parameters:
- keystorePass to the configured PIN of
- truststorePass to the configured PIN of
Example for Tomcat version 8 or earlier
Example for Tomcat version 9
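As an added example (not code from the original page or from the Nexus product), the two connectors described above, first in the Connector-attribute syntax of Tomcat 8 or earlier and then in the SSLHostConfig syntax of Tomcat 9. Ports 8442 and 8443 and the CHANGE_ME passwords are placeholders; the file paths are the ones this page uses.

```xml
<!-- Tomcat 8 or earlier: clientAuth and both stores are attributes of the Connector -->
<!-- No client authentication: for the EST /cacerts endpoint -->
<Connector port="8442" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="\Nexus\Tomcat\conf\localhost-rsa.p12"
           keystorePass="CHANGE_ME_P12_PIN" keystoreType="PKCS12"
           truststoreFile="\Nexus\Tomcat\conf\trusted.jks"
           truststorePass="CHANGE_ME_JKS_PASSWORD" truststoreType="JKS" />
<!-- Client authentication required: certificate requests (EST, ACME, REST API) -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="\Nexus\Tomcat\conf\localhost-rsa.p12"
           keystorePass="CHANGE_ME_P12_PIN" keystoreType="PKCS12"
           truststoreFile="\Nexus\Tomcat\conf\trusted.jks"
           truststorePass="CHANGE_ME_JKS_PASSWORD" truststoreType="JKS" />

<!-- Tomcat 9: the same two connectors; verification and stores move into SSLHostConfig -->
<Connector port="8442" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="none" protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="\Nexus\Tomcat\conf\localhost-rsa.p12"
                 certificateKeystorePassword="CHANGE_ME_P12_PIN"
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <!-- "required" rejects the handshake unless the client presents a certificate
       that chains to a CA in trusted.jks (here: System CA) -->
  <SSLHostConfig certificateVerification="required" protocols="TLSv1.2+TLSv1.3"
                 truststoreFile="\Nexus\Tomcat\conf\trusted.jks"
                 truststorePassword="CHANGE_ME_JKS_PASSWORD" truststoreType="JKS">
    <Certificate certificateKeystoreFile="\Nexus\Tomcat\conf\localhost-rsa.p12"
                 certificateKeystorePassword="CHANGE_ME_P12_PIN"
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>
```

Tomcat 9 accepts the older keystorePass/truststorePass Connector attributes as well, but the SSLHostConfig form is the one its documentation describes, so prefer it for new deployments.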
- Restart the Tomcat service.