Sametime Proxy 11.5 and Wildcard TLS Certs

I’m working on a new Sametime 11.5 install and was setting up the Sametime Proxy. The install went very smoothly, but it came time to setup the TLS and the client uses a wildcard certificate. The HCL documentation is written to use the JKS (Java Key Store) format, which it notes is a propietary format even though PKCS12 is also supported in Tomcat. Interestingly, the APNS certs included with Sametime Proxy are in the PKCS12 format as well.

Looking at the Tomcat docs, I found a way to take the current wildcard cert we got from GoDaddy and then use OpenSSL to import that into a .p12 file that we created. You do need to have the private key and the files from GoDaddy (public cert and the intermediate key bundle) and it’s very simple once you have the files. Added bonus, you don’t have to use the keytool utility.

openssl pkcs12 -export -in c:\ssl\publiccert.crt -inkey c:\ssl\wildcard-private-key.txt -out c:\ssl\sametime.p12 -name tomcat -CAfile c:\ssl\gd_bundle-g2-g1.crt -caname root -chain

-in is the public cert file received from the CA

-inkey is the private key generated when the original CSR was created

-out is the new keystorefile to be used with Sametime Proxy (PKCS12 format)

-CAfile is the root certs provided by the CA (case matters here!)

Run that command and afterwards copy the .p12 file to the Sametime Proxy server conf folder and edit the server.xml to use the .p12 file instead of the .keystore file that the HCL docs use. And you’ll also have a standard file you can use in other places, maybe a load balancer in front of the proxy?

Here’s the section of the server.xml that is important. Find the <Connector section and change the keystoreFile parameter to be the .p12 file and the keystorePass parameter to be the password for the .p12 keystore that was created when the OpenSSL command was run.

           URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxPostSize="16777216" maxSwallowSize="-1"
           port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="conf/sametime.p12" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" compression="on" useSendfile="false"
           sslEnabledProtocols="TLSv1.2, TLSv1.3"
           noCompressionUserAgents="gozilla, traviata">

The rest of those settings are the defaults after installing. After saving the changes, start up the Sametime Proxy and you’ll have a site secured with your own wildcard certificate.

See also