Hello
There is no problem configuring and running Knime (Tomcat) with a self-signed certificate:
/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 3072 -dname "CN=abcd-ef.nexus.de,O=Nexus GmbH,L=Koblenz,ST=Nordrhein-Westfalen,C=DE,EMAILADDRESS=query.many@nexus.de" -keystore ./abcd_ef_knime_2025_V2.jks
Generating it required setting a password for the jks file.
This self signed certificate was configured in conf/server.xml :
This worked. (Browser complaining of an unsecure connection)
This certificate was only configured in conf/server.xml ; it was not imported in a java keystore.
Being informed that self signed certificates are not allowed, I followed the steps mentioned here:
Apache Tomcat 9 (9.0.104) - SSL/TLS Configuration How-To → Create a local Certificate Signing Request (CSR) …
/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -certreq -keyalg RSA -validity 360 -alias tomcat -file ./abcd_ef_knime_2025_V2.csr -keystore ./abcd_ef_knime_2025_V2.jks
Enter keystore password:
With this certificate request (abcd_ef_knime_2025_V2.csr) through our internal Certificate Site I received the trusted certificate : abcd-ef.nexus.de.pem ,
which consists of
- Root Certificate
- CA Certificate
- Server Certificate
With certmgr.msc I imported abcd-ef.nexus.de.pem under ‘my certificates’ and used this tool to export 2) and 3) and these files were created:
abcd-ef.nexus.de.abcd.cer
abcd-ef.nexus.de.CA.cer
Both certificates were imported into the keystore.
/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -import -alias abcd -keystore cacerts -file abcd-ef.nexus.de.abcd.cer
/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -import -alias ca_abcd -keystore cacerts -file abcd-ef.nexus.de.CA.cer
Listing the contents of the keystore :
/usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/bin/keytool -v -list -keystore cacerts
…
Alias name: abcd
Creation date: Apr 16, 2025
Entry type: trustedCertEntry
…
…
Alias name: ca_abcd
Creation date: Apr 16, 2025
Entry type: trustedCertEntry
…
The current working configuration (server.xml) is:
<Connector compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/vnd.mason+json" compression="on" connectionTimeout="20000" maxParameterCount="1000" noCompressionStrongETag="false" port="8080" protocol="HTTP/1.1" redirectPort="8443" server="Apache Tomcat"/>
<Connector SSLEnabled="true" compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/vnd.mason+json" compression="on" maxThreads="150" noCompressionStrongETag="false" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" server="Apache Tomcat">
  <SSLHostConfig protocols="all,-TLSv1,-SSLv3,-SSLv2Hello">
    <Certificate certificateKeystoreFile="conf/abcd_ef_knime_2025_V2.jks" certificateKeystorePassword="Miramar01" type="RSA"/>
  </SSLHostConfig>
</Connector>
Contents of …/apache-tomcat-9.0.95/conf
-rw-r--r-- 1 knime knime 1521 Apr 15 11:04 abcd_ef_knime_2025_V2.csr <-Certificate Request based on self signed Certificate
-rw-r--r-- 1 knime knime 3672 Apr 15 11:02 abcd_ef_knime_2025_V2.jks <-self signed Certificate
-rwxr-x--- 1 knime knime 3176 Apr 15 16:30 abce-ef.nexus.de.abcd.cer <-Server Certificate (extracted out of abcd-ef.nexus.de.pem by Windows tool certmgr.msc)
-rwxr-x--- 1 knime knime 1984 Apr 15 16:30 abcd-ef.nexus.de.CA.cer <-CA Certificate (extracted out of abcd-ef.nexus.de.pem by Windows tool certmgr.msc)
-rw-r--r-- 1 knime knime 7366 Apr 15 12:39 abcd-ef.nexus.de.pem <-received trusted Certificate
-rw-r----- 1 knime knime 6502 Apr 15 16:32 cacerts <-keystore for importing of the 2 certs
drwxr-xr-x 3 knime knime 4096 Nov 12 11:26 Catalina
-rwxr--r-x 1 knime knime 13216 Oct 2 2024 catalina.policy
-rwxr--r-x 1 knime knime 7874 Oct 2 2024 catalina.properties
-rwxr--r-x 1 knime knime 1431 Oct 2 2024 context.xml
-rwxr--r-x 1 knime knime 646 Oct 2 2024 jaas.conf
-rwxr--r-x 1 knime knime 1172 Oct 2 2024 jaspic-providers.xml
-rwxr--r-x 1 knime knime 2365 Oct 2 2024 jaspic-providers.xsd
…
-rwxr--r-x 1 knime knime 10720 Apr 16 13:15 server.xml
Some advice regarding the configuration needed (including passwords for the keystore [changeit] and the certificate [Miramar01]).
Greetings and thanks in advance
B.Kochs
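
The import step from the Tomcat How-To referenced in the post, as an added example that is not part of the original post: it splits the received PEM bundle on the Linux host and imports the chain into the keystore that holds the private key for alias tomcat. The function names, the `part` prefix and the alias `root` are assumptions, as is the root, CA, server order of the bundle.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumption: the bundle holds its PEM blocks in the order listed in the post
# (root, CA, server); confirm each part with `keytool -printcert -file <part>`.

# Split a PEM bundle into one file per certificate: <prefix>1.pem, <prefix>2.pem, ...
# Text outside BEGIN/END markers is dropped. Prints the number of certificates written.
split_pem_bundle() {
    bundle=$1 prefix=$2
    awk -v p="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Install the CA reply into the keystore that already holds the private key.
# keytool prompts for the keystore password on each call.
import_ca_reply() {
    ks=$1 root=$2 ca=$3 server=$4
    # Chain certificates first, under their own aliases (trustedCertEntry).
    # The alias "root" is hypothetical; "ca_abcd" and "tomcat" are from the post.
    keytool -importcert -trustcacerts -alias root -file "$root" -keystore "$ks" &&
    keytool -importcert -trustcacerts -alias ca_abcd -file "$ca" -keystore "$ks" &&
    # Server certificate under the key's own alias: this replaces the
    # self-signed certificate on the existing PrivateKeyEntry.
    keytool -importcert -alias tomcat -file "$server" -keystore "$ks" &&
    # The tomcat entry should still be a PrivateKeyEntry, now issued by the CA.
    keytool -list -v -alias tomcat -keystore "$ks"
}

# Usage with the file names from the post:
#   split_pem_bundle abcd-ef.nexus.de.pem part
#   import_ca_reply conf/abcd_ef_knime_2025_V2.jks part1.pem part2.pem part3.pem
```

Tomcat reads the keystore named in certificateKeystoreFile at startup, so it has to be restarted after the import.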