How do you configure Apache/Tomcat to trust internal Certificate Authorities for server-to-server https requests
Solution 1:
I assume that you have already exported the CA certificate to a file, such as "internal-ca.pem". Also, I assume that it is Tomcat who initiates the SSL connection to the IIS server.
You must use the Java keytool to import the certificate into the Java keystore that is being used by your Tomcat engine. The keystore for CA certs is $JAVA_HOME/jre/lib/security/cacerts. So to import your new internal-ca.pem certificate into this keystore, you would use:
$JAVA_HOME/bin/keytool -importcert \
-keystore $JAVA_HOME/jre/lib/security/cacerts \
-file /path/to/internal-ca.pem \
-trustcacerts -alias internal-ca-1
The default password for the keystore is: changeit
Verify that your cert is in the keystore:
$JAVA_HOME/bin/keytool -list \
-keystore $JAVA_HOME/jre/lib/security/cacerts -v | less
Test the connection to the server:
openssl s_client -CAfile /path/to/internal-ca.pem -connect server:port
This should give you, near the end of its output:
Verify return code: 0 (ok)
If you want to test the trust from within Tomcat, you will have to write some test code to do it. Sorry, I don't know any Java. :-)
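The following is an added example, not part of the answer above, of the "test code" it mentions: a small stand-alone Java program that asks the JVM for its default trust manager (the same cacerts store the keytool import above modifies, unless javax.net.ssl.trustStore overrides it), checks whether the internal CA certificate is among its accepted issuers, and then performs a real TLS handshake against the target. The file path and the https://server:port/ URL are placeholders; run it with the same JVM binary and the same -Djavax.net.ssl.trustStore settings that Tomcat uses, otherwise you are testing a different trust store than Tomcat will.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Checks that the JVM's default trust store accepts an internal CA, then opens an HTTPS connection. */
public class TrustCheck {

    /** Returns the X509TrustManager backed by the JVM's default trust store (cacerts unless overridden). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore means: use the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Loads a single PEM or DER encoded certificate from disk. */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** True if the CA certificate is one of the trust anchors the JVM will accept as an issuer. */
    static boolean isTrustedAnchor(X509TrustManager tm, X509Certificate ca) {
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            if (anchor.equals(ca)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and URL; pass the real ones as arguments.
        String caPath = args.length > 0 ? args[0] : "/path/to/internal-ca.pem";
        String target = args.length > 1 ? args[1] : "https://server:port/";

        X509TrustManager tm = defaultTrustManager();
        X509Certificate ca = loadCert(caPath);
        System.out.println("Trust store: " + System.getProperty("javax.net.ssl.trustStore", "<JVM default cacerts>"));
        System.out.println("CA subject : " + ca.getSubjectX500Principal());
        System.out.println("Trusted    : " + isTrustedAnchor(tm, ca));

        // Real handshake using that same trust manager; hostname verification stays at the
        // HttpsURLConnection default, so a name mismatch fails here just as it would in Tomcat.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        try {
            System.out.println("HTTP status: " + conn.getResponseCode());
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("Peer cert  : " + leaf.getSubjectX500Principal());
        } catch (SSLHandshakeException e) {
            // A missing CA typically shows up as "PKIX path building failed ..."
            System.out.println("Handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

Compile and run with the JVM Tomcat uses, e.g. `$JAVA_HOME/bin/javac TrustCheck.java && $JAVA_HOME/bin/java TrustCheck /path/to/internal-ca.pem https://server:port/`. If "Trusted" prints true but the handshake still fails, the server is presenting a chain that does not lead to that CA (missing intermediate, wrong hostname), which is a server-side problem rather than a keystore one. Note also that editing $JAVA_HOME/jre/lib/security/cacerts directly is undone by a JDK upgrade; keeping the import in a separate truststore and pointing Tomcat at it with -Djavax.net.ssl.trustStore survives upgrades.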
Solution 2:
SSLProxyEngine on
SSLProxyCACertificateFile /etc/ssl/internal-ca.crt
SSLProxyVerify require