Using trusted Certificate instead of self signed Certificate

Hello,
there is no problem configuring and running KNIME (Tomcat) with a self-signed certificate:

/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 3072 -dname "CN=abcd-ef.nexus.de,O=Nexus GmbH,L=Koblenz,ST=Nordrhein-Westfalen,C=DE,EMAILADDRESS=query.many@nexus.de" -keystore ./abcd_ef_knime_2025_V2.jks
Generating it required setting a password for the .jks file.

This self-signed certificate was configured in conf/server.xml:

This worked. (The browser complained about an insecure connection.)

This certificate was only configured in conf/server.xml; it was not imported into a Java keystore.

Being informed that self-signed certificates are not allowed, I followed the steps mentioned here:
Apache Tomcat 9 (9.0.104) - SSL/TLS Configuration How-To → Create a local Certificate Signing Request (CSR) …

/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -certreq -keyalg RSA -validity 360 -alias tomcat -file ./abcd_ef_knime_2025_V2.csr -keystore ./abcd_ef_knime_2025_V2.jks
Enter keystore password:

With this certificate request (abcd_ef_knime_2025_V2.csr), through our internal Certificate Site I received the trusted certificate abcd-ef.nexus.de.pem,
which consists of

  1. Root Certificate
  2. CA Certificate
  3. Server Certificate

With certmgr.msc I imported abcd-ef.nexus.de.pem under 'my certificates' and used this tool to export 2) and 3); these files were created:
abcd-ef.nexus.de.abcd.cer
abcd-ef.nexus.de.CA.cer

Both certificates were imported into the keystore.

/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -import -alias abcd -keystore cacerts -file abcd-ef.nexus.de.abcd.cer

/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -import -alias ca_abcd -keystore cacerts -file abcd-ef.nexus.de.CA.cer

Listing the contents of the keystore:
/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -v -list -keystore cacerts

Alias name: abcd
Creation date: Apr 16, 2025
Entry type: trustedCertEntry


Alias name: ca_abcd
Creation date: Apr 16, 2025
Entry type: trustedCertEntry

The current working configuration (server.xml) is:

<Connector compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/vnd.mason+json" compression="on" connectionTimeout="20000" maxParameterCount="1000" noCompressionStrongETag="false" port="8080" protocol="HTTP/1.1" redirectPort="8443" server="Apache Tomcat"/>
<Connector SSLEnabled="true" compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/vnd.mason+json" compression="on" maxThreads="150" noCompressionStrongETag="false" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" server="Apache Tomcat">
  <SSLHostConfig protocols="all,-TLSv1,-SSLv3,-SSLv2Hello">
    <Certificate certificateKeystoreFile="conf/abcd_ef_knime_2025_V2.jks" certificateKeystorePassword="Miramar01" type="RSA"/>
  </SSLHostConfig>
</Connector>

Contents of …/apache-tomcat-9.0.95/conf
-rw-r--r-- 1 knime knime 1521 Apr 15 11:04 abcd_ef_knime_2025_V2.csr <- certificate request based on the self-signed certificate
-rw-r--r-- 1 knime knime 3672 Apr 15 11:02 abcd_ef_knime_2025_V2.jks <- self-signed certificate
-rwxr-x--- 1 knime knime 3176 Apr 15 16:30 abcd-ef.nexus.de.abcd.cer <- server certificate (extracted out of abcd-ef.nexus.de.pem by the Windows tool certmgr.msc)
-rwxr-x--- 1 knime knime 1984 Apr 15 16:30 abcd-ef.nexus.de.CA.cer <- CA certificate (extracted out of abcd-ef.nexus.de.pem by the Windows tool certmgr.msc)
-rw-r--r-- 1 knime knime 7366 Apr 15 12:39 abcd-ef.nexus.de.pem <- received trusted certificate
-rw-r----- 1 knime knime 6502 Apr 15 16:32 cacerts <- keystore for importing the 2 certs
drwxr-xr-x 3 knime knime 4096 Nov 12 11:26 Catalina
-rwxr--r-x 1 knime knime 13216 Oct 2 2024 catalina.policy
-rwxr--r-x 1 knime knime 7874 Oct 2 2024 catalina.properties
-rwxr--r-x 1 knime knime 1431 Oct 2 2024 context.xml
-rwxr--r-x 1 knime knime 646 Oct 2 2024 jaas.conf
-rwxr--r-x 1 knime knime 1172 Oct 2 2024 jaspic-providers.xml
-rwxr--r-x 1 knime knime 2365 Oct 2 2024 jaspic-providers.xsd

-rwxr--r-x 1 knime knime 10720 Apr 16 13:15 server.xml

Some advice regarding the configuration is needed (including the passwords for the keystore [changeit] and the certificate [Miramar01]).

Greetings and thanks in advance

B.Kochs

Hello,

If you could specify what advice you're looking for in terms of the configuration needed, that would be helpful - though if you prefer to discuss in private (as opposed to the public forum), you can reach out to us directly at support@knime.com.

Thank you,
Nickolaus

Hello,

I finally succeeded in configuring the 'self-signed certificate' (over a week ago).

  1. Register your hostname in DNS (abcd.de)

  2. Create a self-signed certificate (stored in a keystore file with extension .jks) with the alias 'tomcat'
    …/keytool -genkey -alias tomcat -keyalg RSA -keysize 3072 -dname "CN=abcd.de,O=abcd GmbH,L=MyTown,ST=NWF,C=DE,EMAILADDRESS=abcd@host.de" -keystore ./abcd.jks
    Enter keystore password:
    efgh

  3. Configure it in server.xml so the certificate is recognized in the browser,
    even if the browser tags it as not valid.

server.xml ___________________________________

<SSLHostConfig protocols="all,-TLSv1,-SSLv3,-SSLv2Hello">
  <Certificate certificateKeystoreFile="conf/abcd.jks" certificateKeystorePassword="efgh" type="RSA" certificateKeyAlias="tomcat"/>
</SSLHostConfig>


From now on server.xml does not need to be changed.

  1. Create certificate request
    …/keytool -certreq -keyalg RSA -validity 360 -alias tomcat -file ./abcd.csr -keystore ./abcd.jks
    Enter keystore password:
    efgh

  2. Order your trusted certificate at the site of your trusted certificate provider with the generated certificate request file.
    We retrieved an abcd.host.pem file which consisted of a
    root, a CA and the host certificate.

  3. Extract the 3 certificates from the .pem file using the Windows tool certmgr.msc.

  4. Make a backup copy of your abcd.jks file.

  5. Import the 3 exported certificates in the following order (for the last one, the server certificate, the alias 'tomcat' is mandatory):
    root certificate
    CA certificate
    server certificate (which substitutes the self-signed certificate)

  6. Restart KNIME Server.

  7. Use the registered hostname in your URL and the browser should accept it.

Greetings B.Kochs

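The procedure both posts above describe, as an added example that is not part of the thread and not KNIME's or Tomcat's own code. It uses openssl only, because a CA reply bundle is easier to take apart on the Tomcat host than by round-tripping it through certmgr.msc on Windows: a constructed root -> issuing CA -> server chain stands in for the internal Certificate Site, the returned root+CA+server PEM bundle is split into its three certificates, they are sorted by who issued whom, the server certificate is checked to really chain to the root through the intermediate, and a keystore is assembled with a single key entry under the alias tomcat that carries the whole chain. That last step is the point the thread arrives at: the issued certificates have to land on the key entry in the keystore that server.xml points at (abcd.jks in the second post), not in cacerts as trustedCertEntry entries as in the first attempt, or Tomcat goes on presenting the self-signed certificate. The demo CA names, the hostname abcd.de, the files under $WORK and the password changeit are assumptions made for the example. The keystore is written as PKCS12 because openssl can produce that directly and Tomcat loads it with certificateKeystoreType="PKCS12"; with keytool the equivalent is keytool -importcert -alias tomcat -keystore abcd.jks -file chain.pem against the existing key entry (keytool asks whether to trust the top-level certificate of the reply if that root is not already in cacerts).

```shell
#!/bin/sh
# Added example, not code from the thread: handling a CA reply bundle like
# abcd.host.pem (root, CA, server in one PEM file) on the Tomcat host with openssl.
# Demo CA, hostname abcd.de, file names and the password are constructed.
set -eu

WORK="${WORK:-${TMPDIR:-/tmp}/tomcat-chain-demo}"

# Stand-in for the "internal Certificate Site": a constructed root -> issuing CA
# pair that signs the server CSR and answers with a root+CA+server bundle, in
# that order, as in the thread.
make_demo_chain() {
  rm -rf "$WORK"; mkdir -p "$WORK/ca"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:abcd.de\n' > "$WORK/ca/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca/root.key" -out "$WORK/ca/root.csr" \
    -subj "/CN=Demo Root CA/O=Demo/C=DE" 2>/dev/null
  openssl x509 -req -in "$WORK/ca/root.csr" -signkey "$WORK/ca/root.key" -days 3650 \
    -extfile "$WORK/ca/ca.ext" -out "$WORK/ca/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca/inter.key" -out "$WORK/ca/inter.csr" \
    -subj "/CN=Demo Issuing CA/O=Demo/C=DE" 2>/dev/null
  openssl x509 -req -in "$WORK/ca/inter.csr" -CA "$WORK/ca/root.pem" -CAkey "$WORK/ca/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca/ca.ext" -out "$WORK/ca/inter.pem" 2>/dev/null
  # Server side, the keytool -genkey / -certreq steps of the thread: key plus CSR.
  openssl req -new -newkey rsa:3072 -nodes -keyout "$WORK/abcd.key" -out "$WORK/abcd.csr" \
    -subj "/CN=abcd.de/O=abcd GmbH/C=DE" 2>/dev/null
  openssl x509 -req -in "$WORK/abcd.csr" -CA "$WORK/ca/inter.pem" -CAkey "$WORK/ca/inter.key" \
    -CAcreateserial -days 360 -extfile "$WORK/ca/server.ext" -out "$WORK/ca/server.pem" 2>/dev/null
  cat "$WORK/ca/root.pem" "$WORK/ca/inter.pem" "$WORK/ca/server.pem" > "$WORK/abcd.host.pem"
}

# Split a PEM bundle into one file per certificate (what certmgr.msc did by hand
# in the thread). Prints the number of certificates found.
split_bundle() {  # $1 = bundle, $2 = output directory
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
    f != "" { print > f }' "$1"
  set -- "$2"/cert-*.pem
  echo $#
}

# Classify one certificate by subject/issuer hash: a root issues itself, an
# intermediate issues another cert in the bundle, the server cert issues nothing.
role_of() {  # $1 = certificate, $2 = directory holding the other parts
  subj=$(openssl x509 -in "$1" -noout -subject_hash)
  iss=$(openssl x509 -in "$1" -noout -issuer_hash)
  [ "$subj" = "$iss" ] && { echo root; return 0; }
  for other in "$2"/cert-*.pem; do
    [ "$other" = "$1" ] && continue
    [ "$(openssl x509 -in "$other" -noout -issuer_hash)" = "$subj" ] && { echo intermediate; return 0; }
  done
  echo server
}

# Sort the bundle into server -> intermediate -> root, the leaf-first order a
# chain file is conventionally written in (assumes exactly one intermediate).
build_import_chain() {  # $1 = bundle, $2 = output directory
  split_bundle "$1" "$2/parts" >/dev/null
  for c in "$2"/parts/cert-*.pem; do
    cp "$c" "$2/$(role_of "$c" "$2/parts").pem"
  done
  cat "$2/server.pem" "$2/intermediate.pem" "$2/root.pem" > "$2/chain.pem"
  cat "$2/intermediate.pem" "$2/root.pem" > "$2/cas.pem"
}

# Check that the server cert really chains to the root through the intermediate
# before touching the keystore; the server cert on its own does not verify.
verify_chain() {  # $1 = directory produced by build_import_chain
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/server.pem" >/dev/null 2>&1
}

# The keystore Tomcat will load: one key entry under alias "tomcat" carrying the
# whole chain, nothing imported into cacerts. server.xml for it (second post's
# element plus the keystore type):
# <Certificate certificateKeystoreFile="conf/abcd.p12" certificateKeystoreType="PKCS12"
#              certificateKeystorePassword="changeit" certificateKeyAlias="tomcat" type="RSA"/>
make_keystore() {  # $1 = dir from build_import_chain, $2 = private key, $3 = password
  openssl pkcs12 -export -name tomcat -inkey "$2" -in "$1/server.pem" -certfile "$1/cas.pem" \
    -passout "pass:$3" -out "$1/abcd.p12"
}

# How many certificates the keystore holds (expect 3: server, intermediate, root).
count_keystore_certs() {  # $1 = keystore, $2 = password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The alias (PKCS12 friendlyName) of the server certificate entry.
keystore_alias() {  # $1 = keystore, $2 = password
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

demo() {
  make_demo_chain
  build_import_chain "$WORK/abcd.host.pem" "$WORK/out"
  for c in "$WORK"/out/parts/cert-*.pem; do
    echo "$(basename "$c"): $(role_of "$c" "$WORK/out/parts")"
  done
  verify_chain "$WORK/out" && echo "chain verifies"
  make_keystore "$WORK/out" "$WORK/abcd.key" changeit
  echo "keystore $WORK/out/abcd.p12: alias $(keystore_alias "$WORK/out/abcd.p12" changeit), $(count_keystore_certs "$WORK/out/abcd.p12" changeit) certificates"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with the --demo argument. role_of does not depend on the order the provider used in the bundle, so a reply that arrives server-first is sorted the same way, and verify_chain fails before anything is written if the intermediate is missing from the bundle, which is the usual cause of a browser still rejecting a CA-issued certificate.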

Hello @b_kochs,

Sounds like you’ve got the KNIME Server fully configured to use a custom security certificate and everything is working well. Well done!

If you have any outstanding or unresolved issues around it, please update this thread and let us know.

Regards,
Nickolaus