Step by step to install SSL cert for Crowd server

In this article, I am going to show you, step by step, how to install or renew the SSL certificate of a Crowd server.

Note: In my example, my hostname is

  1. (skip if you already have your new certificate) Run the following command to generate a CSR for your certificate. You will get two files: (this is the CSR, which you send to your CA to sign) and (this is the private key, which you must keep in a secure place; because of -nodes it is written to disk unencrypted, so restrict its permissions, e.g. chmod 600)
    # bash only: <( ) appends a [SAN] section to the system OpenSSL config so the CSR carries a subjectAltName matching the CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 -out "$DOMAIN".csr -keyout "$DOMAIN".key -subj "/C=AU/ST=NSW/L=Sydney/O=Jackie Chen/OU=IT Workshop/CN=$DOMAIN" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:%s\n" "$DOMAIN"))
  2. (skip if your signed certificate is not DER encoded) If the signed certificate your CA returned is DER (binary) encoded, run the following command to convert it to PEM (Base64) encoding, which is what the next step expects. In the example, is signed by the CA and is DER encoded, so I convert it to Base64 encoding and name it
    openssl x509 -inform DER -in "$DOMAIN".cer -outform PEM -out "$DOMAIN".crt
  3. The web application server of Crowd is Apache Tomcat, which reads the certificate and its private key from a Java keystore. So we need to import the key pair into a keystore.
    # Create a PKCS12 keystore from the key pair. You will be asked to set a password for the PKCS12 keystore (let's say it is 111111). If your CA also gave you intermediate certificates, add -certfile <chain file> so Tomcat serves the whole chain.
    openssl pkcs12 -export -name "$DOMAIN" -in "$DOMAIN".crt -inkey "$DOMAIN".key -out "$DOMAIN".p12
    # Convert the PKCS12 keystore to a JKS keystore (keytool comes with the JRE). You will be asked to set a password for the JKS keystore (let's say it is 222222), and you also need to enter the above password 111111. -destkeypass sets the key password to the new store password; without it the key keeps 111111, and Tomcat (which assumes keyPass equals keystorePass unless told otherwise) cannot recover it.
    keytool -importkeystore -destkeystore "$DOMAIN".jks -deststoretype JKS -destkeypass 222222 -srckeystore "$DOMAIN".p12 -srcstoretype pkcs12 -srcalias "$DOMAIN" -destalias "$DOMAIN"
  4. By now you should have the JKS file ready. In my example, it is, the alias is, and the password is 222222. Now update the Apache Tomcat configuration file <path to Crowd Installation>/apache-tomcat/conf/server.xml to use the new JKS file. Because keystorePass is stored in clear text, make sure server.xml is readable only by the account Crowd runs as. The connector looks like this in my case:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="[path to keystore]/" keystorePass="222222" />
  5. Restart the Crowd service and you should see the new certificate. You can verify it with the following command (s_client reads from stdin, so give it an empty one or it will sit waiting):
    echo | openssl s_client -connect | openssl x509 -noout -text
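The five steps above, rehearsed end to end as an added example that is not code from the original post: a throwaway "stand-in CA" created inside the script plays the role of the real CA and returns a DER-encoded .cer, so the conversion, PKCS12 and JKS steps are all exercised offline. The domain crowd.example.test, the working directory, the O/OU values in the subject, the stand-in CA and the passwords 111111 / 222222 are placeholders chosen here, not values from the post. It needs openssl on the PATH; keytool (from a JRE) is used only when present.

```shell
#!/bin/sh
# Added example (not from the original post): offline dry run of steps 1-5.
# Placeholders: domain crowd.example.test, working dir from $2, the stand-in CA,
# and the keystore passwords below. Requires openssl; keytool is optional.
set -eu

P12_PASS=111111   # PKCS12 keystore password (placeholder)
JKS_PASS=222222   # JKS keystore and key password (placeholder)

# Minimal OpenSSL config: empty DN section (subject comes from -subj), an
# extension section for the stand-in CA, and the SAN section the CSR references.
write_cnf() {
  domain=$1; dir=$2
  cat > "$dir/cert.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[SAN]
subjectAltName = DNS:$domain
EOF
}

# Step 1: private key + CSR whose SAN matches the CN. -nodes writes the key
# unencrypted, so the subshell umask keeps it readable by the owner only.
make_csr() {
  domain=$1; dir=$2
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
      -subj "/C=AU/ST=NSW/L=Sydney/O=Example Org/OU=IT/CN=$domain" \
      -config "$dir/cert.cnf" -reqexts SAN )
}

# Stand-in for "send the CSR to your CA": sign it and return a DER-encoded .cer.
# x509 -req does not copy CSR extensions, so the SAN is re-applied via -extfile.
standin_ca_sign() {
  domain=$1; dir=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Stand-in CA" \
    -config "$dir/cert.cnf" -extensions ca_ext
  openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/cert.cnf" -extensions SAN \
    -outform DER -out "$dir/$domain.cer"
}

# Step 2: DER -> PEM (Base64) so openssl pkcs12 can read the certificate.
der_to_pem() {
  domain=$1; dir=$2
  openssl x509 -inform DER -in "$dir/$domain.cer" -outform PEM -out "$dir/$domain.crt"
}

# Step 3: PKCS12 (key + leaf + issuing chain via -certfile), then JKS if keytool
# exists. -destkeypass makes the key password equal the store password, which is
# what Tomcat assumes unless keyPass is set in server.xml.
build_keystores() {
  domain=$1; dir=$2
  openssl pkcs12 -export -name "$domain" -in "$dir/$domain.crt" -inkey "$dir/$domain.key" \
    -certfile "$dir/ca.crt" -out "$dir/$domain.p12" -passout "pass:$P12_PASS"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt \
      -srckeystore "$dir/$domain.p12" -srcstoretype PKCS12 -srcstorepass "$P12_PASS" \
      -srcalias "$domain" -destalias "$domain" \
      -destkeystore "$dir/$domain.jks" -deststoretype JKS \
      -deststorepass "$JKS_PASS" -destkeypass "$JKS_PASS"
  fi
}

# Offline stand-in for step 5: the chain verifies, the SAN carries the domain,
# and the PKCS12 opens with its password. Returns non-zero if any check fails.
verify_bundle() {
  domain=$1; dir=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$domain.crt" >/dev/null &&
    openssl x509 -in "$dir/$domain.crt" -noout -text | grep -q "DNS:$domain" &&
    openssl pkcs12 -in "$dir/$domain.p12" -passin "pass:$P12_PASS" -noout
}

# Step 5 against a running server (not exercised here): empty stdin so s_client
# exits, and SNI so a front end hosting several names returns the right cert.
show_live_cert() {
  host=$1; port=${2:-8443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

run_all() {
  domain=$1; dir=$2
  mkdir -p "$dir"
  write_cnf "$domain" "$dir"
  make_csr "$domain" "$dir"
  standin_ca_sign "$domain" "$dir"
  der_to_pem "$domain" "$dir"
  build_keystores "$domain" "$dir"
  verify_bundle "$domain" "$dir"
}

# Usage: sh thisfile.sh crowd.example.test /tmp/crowd-cert
if [ "$#" -eq 2 ]; then run_all "$1" "$2"; fi
```

Against a real CA you drop standin_ca_sign, send the CSR out, and feed the returned .cer into der_to_pem; the rest of the flow, including the -certfile chain and the -destkeypass setting, is the same. Point show_live_cert at the Crowd host once the service has been restarted.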
