Here is a short step-by-step guide for enabling SSL in Tomcat and enforcing user certificates signed by CERN.

First you have to create a host certificate. See https://ca.cern.ch/ca/HostCertificates/ManageHostCertificates.aspx for this.

Download the Base64 files. You should now have: privkey.pem (your private key) and newcert.cer (the certificate signed by CERN).

Download the CERN CA files and convert them to PEM format:

$ wget --no-check-certificate https://ca.cern.ch/ca/CRL/CERN%20Root%20CA.crt -O CERN_ROOT_CA.der
$ openssl x509 -in CERN_ROOT_CA.der -inform DER -outform PEM -out CERN_ROOT_CA.pem
$ wget --no-check-certificate https://ca.cern.ch/ca/CRL/CERN%20Trusted%20Certification%20Authority.crt -O CERN_Trusted_Certification_Authority.der
$ openssl x509 -in CERN_Trusted_Certification_Authority.der -inform DER -outform PEM -out CERN_Trusted_Certification_Authority.pem

If you want to accept old CERN certificates as well, take the PEM file from http://service-grid-ca.web.cern.ch/service-grid-ca/crt/root_crt.html and save it as OLD_CERN_ROOT_CA.pem (it is used in the optional keytool step below).

Concatenate the PEM files into a single chain, with the server certificate first and the root CA last:

$ cat newcert.cer CERN_Trusted_Certification_Authority.pem CERN_ROOT_CA.pem >hostcertchain.pem
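Before the conversion it is worth checking that the PEM files actually fit together. The following shell script is an added example, not part of the original post: it verifies that newcert.cer chains to the two CA files, that privkey.pem is the matching private key, and that hostcertchain.pem lists the server certificate first followed by its issuers. It needs only openssl. Because it has to run without the real CERN files, the make_demo_pki function builds a constructed root/intermediate/host chain under the same file names; point the check functions at your own files instead. The fingerprint helper is there because the wget calls above disable certificate checking, so the downloaded CA files should be compared against a fingerprint obtained some other way before they are trusted.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks on privkey.pem,
# newcert.cer and the CA PEM files before they are turned into a JKS keystore.
# Requires only openssl. The PKI built by make_demo_pki is a constructed
# stand-in for the real CERN files so that the script runs offline.

# verify_chain HOSTCERT CA_PEM... -> 0 if HOSTCERT chains to the listed CAs
verify_chain() {
  cert=$1; shift
  bundle=$(mktemp)
  cat "$@" > "$bundle"
  # Look for ": OK" in the output rather than trusting the exit code, which
  # older openssl releases set to 0 even when verification fails.
  if openssl verify -CAfile "$bundle" "$cert" 2>/dev/null | grep -q ': OK$'; then
    rc=0
  else
    rc=1
  fi
  rm -f "$bundle"
  return $rc
}

# key_matches_cert KEY CERT -> 0 if the public key in CERT belongs to KEY
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_in_order BUNDLE -> 0 if every certificate in BUNDLE is followed by its
# issuer (server cert first, root last: the order used for hostcertchain.pem)
chain_in_order() {
  tmp=$(mktemp -d)
  # one file per PEM certificate: cert.1, cert.2, ...
  awk -v d="$tmp" '/BEGIN CERTIFICATE/ { n++ } n > 0 { print > (d "/cert." n) }' "$1"
  ok=0; i=1
  while [ -f "$tmp/cert.$((i + 1))" ]; do
    issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer 2>/dev/null)
    subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject 2>/dev/null)
    # strip the "issuer=" / "subject=" prefixes, then compare the names
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return $ok
}

# fingerprint CERT -> SHA-256 fingerprint, to compare with a value obtained
# out of band (the wget calls in the post disable certificate checking)
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# make_demo_pki DIR: constructed root -> intermediate -> host chain standing in
# for CERN_ROOT_CA.pem, CERN_Trusted_Certification_Authority.pem and newcert.cer
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=hostname.cern.ch' \
    -keyout "$d/privkey.pem" -out "$d/host.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/host.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/newcert.cer" 2>/dev/null
  cat "$d/newcert.cer" "$d/inter.pem" "$d/root.pem" > "$d/hostcertchain.pem"
}

# Demo run on the constructed PKI: sh check.sh demo
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  if verify_chain "$d/newcert.cer" "$d/inter.pem" "$d/root.pem"; then echo "chain: OK"; else echo "chain: FAILED"; fi
  if key_matches_cert "$d/privkey.pem" "$d/newcert.cer"; then echo "key/cert: match"; else echo "key/cert: MISMATCH"; fi
  if chain_in_order "$d/hostcertchain.pem"; then echo "hostcertchain.pem order: OK"; else echo "hostcertchain.pem order: WRONG"; fi
  echo "root fingerprint: $(fingerprint "$d/root.pem")"
  rm -rf "$d"
}

case "${1-}" in demo) demo ;; esac
```

Run it with the argument `demo` to exercise the constructed chain; for the real files call, for example, `verify_chain newcert.cer CERN_Trusted_Certification_Authority.pem CERN_ROOT_CA.pem` and `key_matches_cert privkey.pem newcert.cer`, and compare `fingerprint CERN_ROOT_CA.pem` with a reference value you did not obtain over the same unverified download.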

Download this tool to convert to Sun JKS format:

$ wget http://juliusdavies.ca/commons-ssl/not-yet-commons-ssl-0.3.11.jar

And do the actual conversion:

$ java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder 'password' privkey.pem hostcertchain.pem

Now you have a file named hostname.cern.ch.jks. This keystore holds your server certificate and private key, which is enough to enable SSL on the server; the only thing left is to configure Tomcat. In server.xml you have to add something like:

<Connector port="8443"
           maxThreads="20" minSpareThreads="2" maxSpareThreads="5"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="/home/user/tomcat/hostname.cern.ch.jks"
           keystorePass="password"
           keystoreType="JKS"
/>

Now, if you want to force clients to present a certificate signed by the CERN authority, you have to create another JKS file with the following commands:

$ keytool -importcert -keystore trusted_authorities.jsk -alias CERN_ROOT_CA -file CERN_ROOT_CA.pem
$ keytool -importcert -keystore trusted_authorities.jsk -alias CERN_Trusted_Certification_Authority -file CERN_Trusted_Certification_Authority.pem

and, optionally, the old root CA:

$ keytool -importcert -keystore trusted_authorities.jsk -alias OLD_CERN_ROOT_CA -file OLD_CERN_ROOT_CA.pem

Then add these lines to the Connector above:

clientAuth="true"
truststoreFile="/home/user/tomcat/trusted_authorities.jsk"
truststorePass="password"
truststoreType="JKS"

Now, an interesting feature is the automatic redirection from http to https when a security constraint requires SSL. On the http Connector you have to specify the SSL port in this attribute:

redirectPort="8443"

This is used when you put the following options in the security-constraint section of each zone's web.xml:

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Special thanks to Adi for his patience in guiding me through the SSL maze! All the commands are belong to him :)