To set up SSL with Tomcat I needed to edit the server.xml file under the conf directory and then create a keystore file that Tomcat will use to verify trusted certificates sent from the federated servers.
The initial command I ran was:
>>>> : keytool -genkey -alias amf -keyalg RSA -keystore tomcat.keystore [-file 111C353A88F.crt]
The last part of the command, the -file command line argument, wasn't needed. I basically created a keystore file named tomcat.keystore and a new self-signed certificate, and the Java keytool prompted me with the questions listed below:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Andrew Fernandez
What is the name of your organizational unit?
[Unknown]: Engineering
What is the name of your organization?
[Unknown]: Ping Identity
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: CO
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Andrew Fernandez, OU=Engineering, O=Ping Identity, L=Denver, ST=CO, C=US correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password):
After this I verified what was in my keystore using this command:
>>>> : keytool -list -v -keystore tomcat.keystore
Since I didn't yet have the certificate from the federated side in the keystore, I then ran this command, making sure the *.crt file I needed to import was in the same directory:
>>>>> : keytool -import -trustcacerts -alias amf2 -file 111C353A88F.crt -keystore tomcat.keystore
Finally I exported the certificate from Tomcat so I could import it into my federated server:
>>>>> : keytool -exportcert -alias amf -file amfIDP -keystore tomcat.keystore
Where -alias is what the certificate goes by in the keystore file, -file is what I want to call the exported certificate, and -keystore is the actual keystore I'll be exporting the certificate from.
Deletion is pretty straightforward:
>>>>> : keytool -delete -alias amf -keystore tomcat.keystore
Just specify -delete, -alias with the alias of the certificate you want to delete, and -keystore with the keystore you want to delete it from.
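The whole round trip above, run non-interactively in a scratch directory, as an added example that is not from the original post: -dname replaces the interactive prompts, a second keystore stands in for the federated server, and the incoming certificate's SHA-256 fingerprint is compared against the one the federated side reports before it is imported with -trustcacerts. The password, DNs and the "federated.keystore" name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Requires keytool on PATH.
set -eu

keystore_roundtrip() {
  work=$(mktemp -d)
  pass='changeit-example'   # constructed placeholder, not a real password

  # 1. Tomcat side: keystore plus self-signed key pair, alias "amf" as in the post.
  #    -dname answers the questions keytool would otherwise ask interactively.
  keytool -genkeypair -alias amf -keyalg RSA -keysize 2048 -validity 365 \
    -dname 'CN=example.local, OU=Engineering, O=Example, L=Denver, ST=CO, C=US' \
    -keystore "$work/tomcat.keystore" -storepass "$pass" -keypass "$pass" >/dev/null

  # 2. Export Tomcat's certificate (public half only) for the federated server.
  keytool -exportcert -alias amf -file "$work/amfIDP.crt" \
    -keystore "$work/tomcat.keystore" -storepass "$pass" >/dev/null

  # 3. Federated side (simulated by a second keystore): its exported certificate
  #    plays the role of the *.crt file the post imports with -trustcacerts.
  keytool -genkeypair -alias fed -keyalg RSA -keysize 2048 -validity 365 \
    -dname 'CN=federated.local, O=Example, C=US' \
    -keystore "$work/federated.keystore" -storepass "$pass" -keypass "$pass" >/dev/null
  keytool -exportcert -alias fed -file "$work/federated.crt" \
    -keystore "$work/federated.keystore" -storepass "$pass" >/dev/null

  # 4. Before trusting the file, compare its SHA-256 fingerprint with the one the
  #    federated server reports for its own key; import only when they match.
  sent=$(keytool -printcert -file "$work/federated.crt" | sed -n 's/.*SHA256: *//p')
  known=$(keytool -list -v -alias fed -keystore "$work/federated.keystore" \
            -storepass "$pass" | sed -n 's/.*SHA256: *//p')
  [ -n "$sent" ] && [ "$sent" = "$known" ] || {
    echo "fingerprint mismatch, refusing to import" >&2; rm -rf "$work"; return 1; }
  keytool -importcert -noprompt -trustcacerts -alias amf2 -file "$work/federated.crt" \
    -keystore "$work/tomcat.keystore" -storepass "$pass" >/dev/null

  # 5. tomcat.keystore now holds our PrivateKeyEntry and their trustedCertEntry;
  #    print the entry count (expected: 2).
  keytool -list -keystore "$work/tomcat.keystore" -storepass "$pass" | grep -c 'Entry,'
  rm -rf "$work"
}
```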