The instructions below are for version 12 and assume you already have a certificate.
If you are running version 12 and need a new certificate, you will want to reference this article.
If you are running version 11, you will want to reference this article.
If you are running a version prior to 11.0, please contact firstname.lastname@example.org for more information.
The following steps are to enable SSL support in the instance of Tomcat that MITS installs and uses. This is independent of any other instances of Tomcat that may be running on the server.
This configuration may be lost during an upgrade of MITS. It's likely you'll need to reapply these changes after each upgrade.
A) Create PFX using existing SSL cert from IIS.
- From the web server, click Start
- In the Search programs and files field, type mmc
- From the Programs list, click mmc.exe
- At the permission prompt, click Yes
- From the Microsoft Management Console (MMC), click File > Add/Remove Snap-in
- From the list of snap-ins, select Certificates
- Click Add
- Select Computer account
- Click Next
- Select Local computer (the computer this console is running on)
- Click Finish
- In the Add/Remove Snap-in window, click OK
- Save these console settings for future use
- Double click on Certificates (Local Computer) in the center window.
- Double click on the Personal folder, and then on Certificates.
- Right Click on the Certificate you would like to backup and choose > All Tasks > Export
- Follow the Certificate Export Wizard to back up your certificate to a .pfx file. Use the "Personal Information Exchange - PKCS #12 (.PFX)" format.
- Choose to 'Yes, export the private key'
- Choose to "Include all certificates in certificate path if possible." (do NOT select the delete Private Key option)
- Enter a password you will remember
- Choose to save file on a set location
- Click Finish
- You will receive a message > "The export was successful." > Click OK
- The .pfx file backup is now saved in the location you selected.
Take note of exported PFX filename and password used. You will need this information later.
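The same export can be done from an elevated PowerShell prompt instead of the MMC wizard. The script below is an added example, not part of the original article: it finds the certificate in Local Computer > Personal (Cert:\LocalMachine\My), exports it with its private key and chain to the path the later server.xml step expects (conf/wildcard.cert.pfx under the MITS web server directory), and then re-reads the file to confirm the password and thumbprint. The subject filter, the MITS install location and the service account name are placeholders you must adjust.

```powershell
# Added example (not from the original article): export an existing certificate from
# Local Computer\Personal to a PKCS #12 (.pfx) file, equivalent to the MMC wizard steps above.
# Placeholders (assumptions): $Subject is a substring of the certificate subject to match;
# $MitsInstall is the MITS install location the article writes as [MITS Install Location].
$Subject     = 'example.org'   # placeholder: part of the certificate subject
$MitsInstall = 'C:\MITS'       # placeholder: MITS install location
$PfxPath     = Join-Path $MitsInstall 'webserver\conf\wildcard.cert.pfx'  # matches certificateKeystoreFile in server.xml

# Pick the newest unexpired certificate with a private key that matches the subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate with a private key matching '$Subject' in LocalMachine\My" }
"Exporting $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Prompt for the PFX password rather than embedding it in the script; the same value
# is what you later put in certificateKeystorePassword.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# -ChainOption BuildChain is the wizard's "Include all certificates in the certification path".
# Export-PfxCertificate never removes the key from the store, so the "delete private key"
# option cannot be selected by mistake. It fails if the key was imported as non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Verify the file opens with that password and contains the certificate we meant to export.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPassword)
if ($check.Thumbprint -ne $cert.Thumbprint) { throw "Exported file thumbprint does not match the store certificate" }
if (-not $check.HasPrivateKey) { throw "Exported file does not contain the private key" }
"OK: $PfxPath contains $($check.Subject) with its private key"

# The .pfx holds the private key: limit read access to administrators and the account
# the MITS service runs as (placeholder account name below).
$MitsServiceAccount = 'NT AUTHORITY\SYSTEM'   # placeholder: service logon account
icacls $PfxPath /inheritance:r /grant:r "BUILTIN\Administrators:(R)" "${MitsServiceAccount}:(R)" | Out-Null
```

Keep the password you typed: it goes into the certificateKeystorePassword attribute in the server.xml step, and the file path used here is what that attribute's conf/wildcard.cert.pfx value resolves to relative to the web server directory.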
B) Make a backup of the server.xml file. It is located here:
[MITS Install Location]/webserver/conf/server.xml
C) Edit the server.xml file by making the changes highlighted in red below.
D) Now uncomment the SSL connector. Find the following SSL connector in the server.xml file and remove the <!-- and --> from the ends.
Make the changes highlighted in red below.
Be sure to remove type="RSA" at the end.
Depending on your specific version of MITS, the section in green may be slightly different. This is okay.
<SSLHostConfig protocols="+TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
    <Certificate certificateKeystoreFile="conf/wildcard.cert.pfx" certificateKeystorePassword="password_goes_here" />
</SSLHostConfig>
The certificateKeystoreFile path is relative to the web server directory, so the .pfx belongs in [MITS Install Location]/webserver/conf/. The Certificate element must be self-closing (/>) and the SSLHostConfig element must be closed, otherwise Tomcat will refuse to parse server.xml. If Tomcat logs an error reading the keystore, add certificateKeystoreType="PKCS12" to the Certificate element. Because server.xml now contains the keystore password in clear text, restrict read access to the file to administrators and the account the MITS service runs as.
E) Restart the MITS service to pick up the new settings.
F) Reconfigure any firewall port(s) to allow 443 to this server.
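The final two steps, plus a check that the connector actually came up with the right certificate, can be scripted. This is an added example, not part of the original article or of MITS: it restarts the service, adds an inbound Windows Firewall rule for TCP 443, and then performs a TLS 1.2 handshake against the server and compares the served certificate's thumbprint with the one you exported. The service name, host name, firewall rule name and expected thumbprint are placeholders (check the real service name with Get-Service).

```powershell
# Added example (not from the original article): restart MITS, open TCP 443, and verify
# that the Tomcat SSL connector serves the expected certificate over TLS 1.2.
# Placeholders (assumptions): $MitsServiceName, $ServerName, $ExpectedThumbprint.
$MitsServiceName    = 'MITS'               # placeholder: Windows service name registered by MITS
$ServerName         = 'mits.example.org'   # placeholder: host name on the certificate
$ExpectedThumbprint = '0000000000000000000000000000000000000000'  # placeholder: thumbprint of the exported cert

Restart-Service -Name $MitsServiceName
# If the handshake below fails, check webserver\logs\catalina.*.log for the SSL connector startup error.

# Inbound allow rule for HTTPS; the rule name is constructed for this example.
if (-not (Get-NetFirewallRule -DisplayName 'MITS HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'MITS HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
}

function Test-MitsTls {
    param([string]$Server, [int]$Port = 443, [string]$Thumbprint)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Default validation callback: the served chain is checked against the machine trust store,
        # so an incomplete chain (missing intermediates in the .pfx) surfaces here as an exception.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        # Force TLS 1.2 only, matching protocols="+TLSv1.2" in server.xml; revocation not checked here.
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol        = $ssl.SslProtocol
            Cipher          = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject         = $remote.Subject
            Thumbprint      = $remote.Thumbprint
            ThumbprintMatch = ($remote.Thumbprint -eq $Thumbprint)
            NotAfter        = $remote.NotAfter
        }
    } finally {
        $tcp.Dispose()
    }
}

$result = Test-MitsTls -Server $ServerName -Thumbprint $ExpectedThumbprint
$result | Format-List
if (-not $result.ThumbprintMatch) { Write-Warning "Served certificate does not match the exported .pfx; check certificateKeystoreFile" }
```

Run the check from a machine other than the server as well, since the local firewall rule only matters for remote clients; a handshake that works locally but not remotely points at the firewall, not at Tomcat.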