How to Enable SSL in dotCMS

Published on February 18, 2009 by in Administration


Having just gone through this process, I thought I’d share the steps I took to enable SSL in dotCMS.  On the dotCMS wiki there are some fairly brief instructions on how to enable SSL.  A quick search on Tomcat and SSL will point you to the Tomcat documentation, which explains it step by step.  So here it is all laid out in one nice How To.  Note that I am using Windows and our Certificate Authority is DigiCert.  Your experience may vary.

Step 1 – Generating a Keystore

The first step is to generate the keystore.  Tomcat, the Java application server that dotCMS runs on, uses a format called Java KeyStore (JKS) for its keystores.  The Java JDK provides the tool for the job, keytool.  So hop on over to where you have your JDK installed and follow along.

C:\Program Files\Java\jdk1.6.0_03\bin>keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore C:\DotCMS_keystore.key

The -keysize 2048 is worth typing out: the JDK 6 default is a 1024-bit RSA key, which public CAs no longer sign.  The first thing keytool asks for, “What is your first and last name?”, is really the certificate’s Common Name (CN): enter the exact host name users will type into the browser (for example www.example.edu, or *.example.edu for a wildcard certificate), not your own name.  Then enter the rest of the information about your organization and location.  You will also have to choose a password for the keystore; when keytool then asks for a key password for tomcat, press Enter to make it the same as the keystore password, which is what Tomcat expects by default.  Don’t forget the password or you’ll have to start over.  You should now have a keystore containing a private key and a self-signed certificate under the alias tomcat.

Step 2 – Generating a Certificate Request

With the keystore in place you could skip all the way to the end now and have a fully functioning, if self-signed, certificate.  Browsers will connect, but they will warn the user, because nobody they trust vouches for it.  More likely you are looking to have a certificate authority such as DigiCert or VeriSign sign your certificate.  To do that you need to generate a CSR, or Certificate Signing Request.  Thankfully keytool takes care of that for us as well.

C:\Program Files\Java\jdk1.6.0_03\bin>keytool -certreq -alias tomcat -keystore C:\DotCMS_keystore.key -file c:\DotCMS_certreq.csr

You will be asked for your keystore password again, and this should generate the certificate request without too much trouble.  Now you can take your DotCMS_certreq.csr to your certificate authority and submit a request for a certificate.  I am not going to cover that process because I don’t do that part, my sys admin does.  It is also different with each certificate authority.  What you get back is either a single PKCS#7 (.p7b) file holding your certificate together with the CA’s intermediate and root certificates, or those certificates as separate files.  Once you have your certificate you are ready for the next step.

Step 3 – Importing Your Certificate

C:\Program Files\Java\jdk1.6.0_03\bin>keytool -import -trustcacerts -alias tomcat -file c:\star_edinboro_edu.p7b -keystore c:\DotCMS_keystore.key

Again, keytool handles the dirty work for you, and you’ll need that password again.  The alias must be the same tomcat alias from Step 1, because this imports the CA’s reply onto the existing private key rather than creating a new entry; keytool should answer “Certificate reply was installed in keystore”.  If the CA sent the intermediate and root certificates as separate files instead of a .p7b, import each of them first under its own alias (for example -alias digicert_root, then -alias digicert_intermediate, both with -trustcacerts) and import your server certificate last.  Otherwise keytool cannot build the chain and refuses the reply with “Failed to establish chain from reply”.

Step 4 – Checking the Details

You could probably skip this step if you know you have the right password, but it is the one place you can confirm the import did what you wanted before restarting Tomcat.  In the output, find the entry for alias tomcat: it should have Entry type PrivateKeyEntry (older JDKs print keyEntry), its Certificate chain length should be greater than 1 (your certificate plus the CA’s intermediate(s) and root), and Certificate[1] should show your host name as Owner with the CA, not yourself, as Issuer.  A chain length of 1 whose Owner and Issuer are identical means you are still looking at the self-signed certificate from Step 1.

C:\Program Files\Java\jdk1.6.0_03\bin>keytool -list -v -keystore c:\DotCMS_keystore.key

Step 5 – Configure dotCMS to Listen on Port 443

The next step requires you to head to the server.xml of the Tomcat that runs dotCMS.  Inside the <Service> element, next to the existing HTTP connector, add the following:

<Connector port="443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="tomcat"
           keystoreFile="C:\DotCMS_keystore.key" keystorePass="..."
           keypass="..." />

Change keystoreFile and keystorePass to match the file and password from Step 1.  Without keystoreFile Tomcat looks for a .keystore file in the home directory of the account it runs under, and silently uses the wrong one if it finds it.  keypass is only needed if you gave the key a different password from the keystore’s; leave it out otherwise.  The connector listens on every interface as written; add address="x.x.x.x" if the server has several IP addresses and you want only one of them to answer.  Note that sslProtocol="TLS" names the JSSE protocol family, not a single version, and on the Tomcat and JVM releases of this era it still permits SSLv3; on a newer Tomcat also set sslEnabledProtocols (for example sslEnabledProtocols="TLSv1.2") to restrict what the connector will negotiate.

Step 6 – Restart and Test the Connection

That’s really all there is to it.  Restart your dotCMS service, and you can use OpenSSL to test the connection much like you would telnet to a plain HTTP port.  OpenSSL is not part of the JDK, so you need it installed and on your PATH; substitute your server’s host name in the command.

C:\>openssl s_client -connect your.server.name:443 -state

After it establishes a connection you should see the certificate chain the server sent, with your host name as subject and the CA as issuer, followed by the negotiated protocol and cipher.  A “Verify return code: 0 (ok)” at the end means OpenSSL could build the chain to a trusted root.  Any other code usually means either that the intermediate certificate did not make it into the keystore in Step 3 or that your OpenSSL has no CA bundle configured (point it at one with -CAfile).  You will of course want to test the whole setup in a browser as well.

In order for dotCMS to actually use SSL you also need to set a page to use it in its properties.  Create a test page, but before you save and publish, head to the advanced properties and check the force https option.  Now when you visit that page over plain http it should redirect you to https if you are not already using it.
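The two checks in Step 6 can be scripted so they are repeatable after every certificate renewal.  The script below is an added example, not code from the dotCMS page or project: it performs a verifying TLS handshake against the server (which fails in the same cases as a bad “Verify return code” in openssl s_client), confirms the certificate covers the host name you connected to and is not about to expire, and then requests the force-https test page over plain http to confirm it redirects to https.  It assumes Python 3.8 or later, that the host name and page path are given on the command line, and that the chain should verify against the machine’s own trust store; the example.edu names and dates in SAMPLE_CERT are constructed so the offline checks can be exercised without a server.

```python
import http.client
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, so the
# checks below can be exercised without a live server.  Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.edu"),),),
    "issuer": ((("organizationName", "Example CA Inc"),),
               (("commonName", "Example CA Intermediate"),)),
    "subjectAltName": (("DNS", "*.example.edu"), ("DNS", "example.edu")),
    "notBefore": "Feb 18 00:00:00 2009 GMT",
    "notAfter": "Feb 18 23:59:59 2010 GMT",
}


def cert_time(text):
    """Parse a notBefore/notAfter string ("Feb 18 23:59:59 2010 GMT") into an
    aware UTC datetime using the stdlib helper for exactly that format."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)


def cert_names(cert):
    """DNS names the certificate is valid for: the SAN dNSName entries, or the
    subject CN only when the certificate carries no SAN (as old ones often did)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match in which a leading '*' covers exactly one label:
    *.example.edu matches www.example.edu but not a.b.example.edu or example.edu."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def check_cert(cert, hostname, now=None, min_days=30):
    """Return the problems found in a getpeercert()-style dict; [] means OK.
    'now' may be a datetime or a string in the certificate time format."""
    if isinstance(now, str):
        now = cert_time(now)
    now = now or datetime.now(timezone.utc)
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate is for {names}, "
                        f"but you connected to {hostname}")
    days_left = (cert_time(cert["notAfter"]) - now).days
    if days_left < 0:
        problems.append(f"certificate expired on {cert['notAfter']}")
    elif days_left < min_days:
        problems.append(f"certificate expires in {days_left} days")
    return problems


def https_redirect_ok(status, location):
    """True when a plain-http request was answered with a redirect to an https
    URL, which is what the force https page option should produce."""
    return status in (301, 302, 303, 307, 308) and \
        (location or "").lower().startswith("https://")


def probe_tls(hostname, port=443, timeout=5.0):
    """Handshake with a verifying context; return (protocol, problems)."""
    ctx = ssl.create_default_context()   # verifies the chain and the host name
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                # The context already rejects a bad chain or name; check_cert
                # repeats the name check for a readable report and adds the
                # expiry margin, which the context never warns about.
                return tls.version(), check_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as e:
        return None, [f"chain did not verify ({e.verify_message}): the server is "
                      "still presenting the self-signed certificate from Step 1, "
                      "or the CA's intermediate was not imported in Step 3"]
    except (ssl.SSLError, OSError) as e:
        return None, [f"no usable TLS on {hostname}:{port}: {e}"]


def probe_redirect(hostname, path, timeout=5.0):
    """GET the page over plain http (port 80) and report whether it redirects
    to https; a connection failure counts as a failed check."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return https_redirect_ok(resp.status, resp.getheader("Location"))
    except OSError:
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    page = sys.argv[2] if len(sys.argv) > 2 else "/"
    version, problems = probe_tls(host)
    print("negotiated:", version or "handshake failed")
    if not probe_redirect(host, page):
        problems.append(f"http://{host}{page} did not redirect to https")
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python check_tls.py www.example.edu /test-page` (script name and arguments are yours to choose) from any machine that can reach the server, and run it again a month before notAfter: the expiry margin is the one thing neither the browser nor openssl s_client will warn you about until it is too late.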

Hopefully this little guide helps out anyone trying to figure out how to set up SSL in dotCMS.

