COMODO SSL Configuration for WSO2 API and IS Domains

Question

I have a single node configuration of WSO2 APIM and IS and its domain also, like https://wso2.example.com:9444/publisher and https://wso2.example.com:9444/carbon respectively...

I have purchased SSL certificate from COMODO for my domain "wso2.example.com".

Now, how can I add SSL certificate for these domains? Note: there is no web server. it's a wso2 APIM and Identity server.

Could you please share your answers here. This is my CA files: AddTrustExternalCARoot.crt, wso2.example.com.crt,COMODORSAAddTrustCA.crt,COMODORSADomainValidationSecure

Answer 1

Your private key used for ssl needs to be in a keystore configured in /repository/conf/tomcat/catalina-server.xml This is the keystore used for SSL.

Now - backup your keystore with the private key, you will change it, so in case you do something wrong, you won't loose your private key

If your are not familiar with the default jdk tool keytool, you may want to download keytool-explorer to manipulate the keystores

and to import

• import all CA certificates (not the wso2.example.com) into the keystore.
• attach the target certificate (wso2.example.com) to the private key

To attach the certificate - with the keytool you just import the certificate with the same alias as the private key, in the keystore-explorer there is a context menu "Add CA Reply" or something like that

good luck

Answer 2

All the WSO2 servers ships with its own keystore and truststore. These files are found under <PRODUCT_HOME>/repository/resources/security/ directory. The keystore file is wso2carbon.jks and it contains the private key and the certificate of the server. The truststore file is client-truststore.jks and it stores all the public certs that the server will use when it is acting as a client to connect with other endpoints.

If you have your own keystore and truststore files, you can simply change the relevant configurations and make the server to use your new keystore file. But you have to make sure that your new certificates created for your expected domain name are imported into the keystore and truststore.

Following is an example command line based approach to import the certificates into the keystore. It uses the keytool application for importing certificates into keystore.

keytool -import -v -trustcacerts -alias ExternalCARoot -file AddTrustExternalCARoot.crt -keystore newkeystore.jks -storepass mypassword
keytool -import -v -trustcacerts -alias TrustCA -file COMODORSAAddTrustCA.crt -keystore newkeystore.jks -storepass mypassword
keytool -import -v -trustcacerts -alias SecureServerCA -file COMODORSADomainValidationSecureServerCA.crt -keystore newkeystore.jks -storepass mypassword   

So like the above, you can import your own certificate and use with the WSO2 servers. A guide on creating new keystores, importing certificating, etc can be found in here - https://docs.wso2.com/display/ADMIN44x/Creating+New+Keystores

A guide on how to change configurations with new keytore and truststore files is found in here - https://docs.wso2.com/display/AM260/Configuring+Keystores+in+WSO2+API+Manager