The following prerequisites apply:

• Certificate Manager must be installed. See Install Certificate Manager.
• Protocol Gateway must be installed. See Install Protocol Gateway.
• Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.  

Create a PKCS#12 token procedure Ior REST API devices, according to Create token procedure in Certificate Manager with the following settings: 

1. Set Procedure name to System Token Procedure P12.
2. In Storage profile, select PKCS12.
3. In Issuer certificates, check Store all. 

For more information, see Create token procedure in Certificate Manager.

A TLS soft token is needed for Tomcat from the PKCS#12 token procedure that was created:

Issue a software token, according to Issue software token in Certificate Manager with the following settings:

1. Set File for Media to \Nexus\Tomcat\conf\localhost-rsa.p12.
2. In Procedure name, select System Token Procedure P12.
3. In Common Name, enter cm.local. 

To create a keystore: 

1. Open KeyStore Explorer.
2. Click Create a new KeyStore.
3. In New KeyStore Type, check JKS. 
4. Click Tools > Import Trusted Certificate and select System CA.cer. 

5. Save the keystore as \Nexus\Tomcat\conf\trusted.jks in the same directory as the file localhost-rsa.p12 that you just created. 

Tomcat must be configured for TLS both without client authentication (for the cacert endpoint) and TLS with client authentication (for certificate requests). 

• Open \Nexus\Tomcat\conf\server.xml for editing.

• Configure connectors for TLS with client authentication and TLS without client authentication (with clientAuth set to true and false, respectively.

  EST configuration

  For use with the EST protocol, there must be a connector with clientAuth set to false. since the /cacerts endpoint must NOT be protected behind client authentication. 

  For both connectors, set the following parameters:

  1. Set keystoreFile to conf/localhost-rsa.p12.
  2. Set keystorePass to the configured PIN of localhost-rsa.p12.
  3. Set truststoreFile to conf/trusted.jks.
  4. Set truststorePass to the configured PIN of trusted.jks.

Example for Tomcat version 8 or earlier

<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="true" sslProtocol="TLS"
     keystoreFile="conf/localhost-rsa.p12"
     keystorePass="abcd1234" keystoreType="PKCS12"
     truststoreFile="conf/trusted.jks" truststorePass="1234" truststoreType="JKS" 
/>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="conf/localhost-rsa.p12"
     keystorePass="abcd1234" keystoreType="PKCS12"
     truststoreFile="conf/trusted.jks" truststorePass="1234" truststoreType="JKS" 
/>

Example for Tomcat version 9

<Connector
        port="8444"
        protocol="HTTP/1.1"
        SSLEnabled="true"
        maxPostSize="-1"
        scheme="https"
        secure="true">
        <SSLHostConfig
            ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,
                TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            honorCipherOrder="true"
            sslProtocol="TLSv1.3"
            protocols="TLSv1.2,+TLSv1.3"
            certificateVerification="required"
            truststoreFile="conf/trusted.jks"
            truststorePassword="changeit"
            truststoreType="JKS"
            >
            <Certificate
                certificateKeystoreFile="conf/Nexus-Server_Certificate.p12"
                certificateKeystorePassword="1234"
                certificateKeystoreType="PKCS12"
                />
        </SSLHostConfig>
    </Connector>

1. Restart the Tomcat service.