Data Security in the Information Age

Well, once again it is that time of year where ghosts, ghouls, and Spider-man roam the streets for candy.  This Halloween, I dressed fashionably as Sherlock Holmes with pink, fuzzy bunny slippers.  I tried to get my wife to go as Watson, but the look I received had me shivering in my boots, reminding me that there are so many kinds of fear. I don’t think she appreciated my dedication to the Holmes-ian lore.  So, while I was passing out candy, I pondered that many of us might be getting goosebumps from all of the hacking going on in the world.

This led me to ask the question: Why is security such a nightmare?!?  Most of us find ourselves beholden to Windows updates, antivirus updates, anti-spam updates, and email spam filter systems.  In the pool of never-ending updates, sometimes we feel as though we don’t truly have a grip on the state of our own security.

If you don’t run a modern security tool, you live in Cyber-fear.  Today we live in the age of Cyber-warfare.  China hacks the US…the US hacks China…Russia hacks the US…we hack back…and everyone disavows that any of this is actually going on.  It can make you feel pretty powerless.

However, the one thing *every* hack has in common is lack of preparation and carelessness.

So…Let’s break it down.

Just like in any crime, criminals need a door (or a Window).  People who wish to steal or harm in the cyber-world need an entrance.  Don’t give them one.

  1. Have a proven Anti-virus application.  Yes, free ones are just fine.  AVAST, AVG, etc.  All are good choices.  A good A/V isn’t 100% fool proof, but it will let you know if something isn’t quite right.
  2. Know yourself and the people you interface with. A lot of bad guys come in through email by sending unsuspecting users emails that trick them into going somewhere on the Net they wouldn’t normally go.
  3. Use LOW TECH. If you get a suspicious email, before you open it, text your buddy or give them an old fashioned phone call to see if it is legitimate.  This is especially important if it is outside of their normal behavior.
  4. Be extremely careful on networks you don’t know. If you travel, don’t just use any WIFI.  If you are visiting a hotel, make sure you are using only their WIFI and that they provide the password to you.  Rogue WIFI in a public place is a common hacker trick.  They set up an access point and pretend to be the hotel.  If you get a funny feeling, don’t ignore it.  Use your cell phone in hotspot mode.  Be safe.
  5. Use encryption. If you travel and use networks other than work, home, or school, you must use encryption.  If your email client isn’t set up to use encryption, then remove the account and set it back up with encryption.  Hackers steal passwords over unencrypted email all the time.  If you run Exchange, you are already protected.  If you use another email program, make sure you check the SSL or TLS box when setting up email.  This is especially important on your phones as well.  If you don’t know, ask your friendly neighborhood IT guy or gal.
  6. Do not download stuff you wouldn’t otherwise. No matter who tells you.  Vet it thoroughly.  You know what tools you need.
  7. Don’t be Social Engineered. There is a rash of calls where people are calling folks and pretending they are Microsoft and they need to go download some tool for them to get protected.  They then find out they are “infected” and have to spend $50 – $100 for the tool to save them.  “Hmmm….I don’t think I had a virus until I downloaded the tool you gave me….Wait a minute?!??!”  If you don’t know what Social Engineering is, go read a lot about it…TODAY!

A lot of you out there reading this article will think that you aren’t worth hacking and even if you do get hacked, there is nothing of value.  Just a bunch of the photos of the kids.  Don’t be fooled.

If you work for a small dry cleaning firm and work with the customer list, how much is that customer list worth and to whom.  It might not seem like much to you, but your competitor across town might pay a pretty penny for that list.  Yes, that makes you a prime target …. for someone.

In the Information Age, it’s all about information.  Yours, mine, even your mother-in-law’s.  Information is power.  Protect it.  If you ever doubt the power of information, just ask Google.

Windows Server 2016 – The Next Generation

I woke up this morning and was on my way to the gym when I received an annoying alert on my phone announcing Microsoft’s product announcement for Windows Server 2016.

“It’s finally here.  Windows the Next Generation!”  Really!?!  All that was missing was the 1970s chic product gal with the glittering smile.

We just can’t wait to tell you how great it is and all the cool new things we have added to make your life simpler, faster, and better.  Somehow, I think I have been here before.

Windows the Next Generation…. hmmm.  As I sit here writing this article sipping on a cool Texas glass of Iced Tea, I can’t help but wonder how we’ve gotten here.  Travel with me back to a simpler time.

I can remember when Microsoft Windows was a simple tool that crashed daily.  You often had to break out your 14 3.5-inch floppy disks to reload a patch.  For those of you who are old enough, you might even remember the good old days of Windows NT in 1995.  They told me it was Windows the New Technology (NT).  Sounds an awful lot like the Next Generation, just without the Borg and Captain Picard!  My first experience with Windows NT involved a lot of rebooting, reinstalling, rebooting, reinstalling, and reinstalling some more.

But I digress.  Today I was just given the news that as of October 15th we will be able to download and install Windows Server 2016.  This means that those of you who have been putting off your Windows Server technology upgrades and are still running on Windows 2003 are now officially running a 13-year-old operating system.

I wonder how many of you still have a 13-year-old refrigerator or drive 13-year-old cars?

Like a lot of technology improvements, Windows Server 2016 is touted as the next best thing, but is it really?  One thing is for certain: if you are running 2003 or 2008, it’s time to come out of the closet, pull up your shorts, and move into the 21st century!

So ultimately, why do we care about Windows Server 2016?   The driving factor to move to a new Operating System has been largely driven by security concerns for the last several years.

In the end, an upgrade grants us new features, improvements, and even new tools.  Those alone don’t push people to do upgrades. However, if you can prevent the latest Chinese hacker from remoting into one of your systems, it’s an investment well worth it.

So, even if Windows Server 2016 isn’t the best, baddest, and meanest, you need to be involved.  Your technology health is critical.  So get on board.  The news is filled with headlines like “Yahoo compromised and 500,000,000 accounts stolen.”  Don’t be the victim.

After all, new technology is the first line of defense against the new threats in the 21st century.


The Mindset Behind Aging Infrastructure

Today I was sitting at my desk in my cargo shorts and bunny slippers when one of my long term clients called to talk about their aging infrastructure.

Now most of you know that I do my best thinking in bunny slippers, so he couldn’t have called at a better time. The conversation was light and pleasant with a lot of phrases like “treated me right”, “been great for my business”, “perfectly good gear”, and the famous: “if it ain’t broke, don’t fix it”.  But yet, here we were, on the phone discussing the life and times of 8-year-old server technology!

So, why were we discussing the infrastructure if it was “perfectly good gear”?

Simply put, reality had set in.  While the general feeling of nostalgia ruled the conversation, it belied the hidden issues that had been ongoing for the better part of 2 years.  They were spending a significantly larger amount of money on a monthly basis with our firm and other vendors just keeping the technology running.  Yet, this was not enough to make him want to pull the plug.  (I found that interesting, because I like saving money.)

Like I said, reality is a harsh mistress.  Customers were asking my client to produce reports and data that their systems simply couldn’t provide.  Running reports and data analysis brought the systems to their knees causing a real concern that they couldn’t keep up with the demands from their customers. This customer-facing challenge was enough to get the ball rolling and to start the conversation about how to get out of aging infrastructure and what kind of impact that would have on the business.

I am thankful for that demanding customer for getting my client to move out of ancient technology into the modern world.  However, as a professional, it leads me to ponder how easy it is for business owners and decision makers to get stuck in the technology rut. I have this conversation often and the reality is never as simple as the platitudes provided.  Most of the time, the reason people hesitate moving is simply… Change Is Hard!

With Change, a company has to change their software, systems, and licensing.  Sometimes this means training and new vendors.  New client tools, new Desktop PCs, new, new new….. New means that you can’t do everything the way you were used to.  It’s no longer the comfy leather recliner in the den.  It’s a new post-modern era sofa with leopard print…ok, bad analogy…but you get the idea.

Change Is Hard – but it doesn’t have to be!  Really! When was the last time you bought a new car and wished for the good ol’ days of crank-up windows? (I don’t know anybody that liked those things, and the drive-thru was just painful!)  Upgrading to the nice new car smell is never a bad thing.

So, why does everyone think technology changes have to be akin to walking on hot coals or pokers in the eye?

Let’s change the conversation and the mindset.  Anticipate the future role of technology in your business with an open mind, good planning, great technology partners, and looking forward to better ways of doing things.  Time doesn’t stand still and neither should you.

Look FORWARD for your better tomorrow!

Buying the Right Technology… Classes of Gear for Business!

This quarter has been brisk helping clients with updates and upgrades to their hardware and systems.  In today’s world of IT, there are a plethora of choices.  Clients often ask me: “Keith, how do I know what to buy?  I know we need to upgrade, but vendors are quoting systems that simply leave me confused.” So, I thought it was time to help provide you (our loyal readers) the inside scoop on how to understand technology buying options and product lines.

Should I buy the Chevy or the BMW?

First, you have to understand that manufacturers of technology aren’t that much different than car manufacturers.   At some point or another, all of us have had to buy a car (or if you live in Texas … a Truck).  The first time we buy a car, we often are budget conscious and steer toward the lower models with cloth seats and few options.  Later in life, as we get more successful, we often choose more upscale models with more features and better options.  I don’t know about you, but I definitely prefer power windows, key-less entry, and push button start over my old manual, hand-crank windows.

Businesses do the same thing.  When they first start out, they often make poor technology choices in order to keep costs low.  Some of them realize that these choices are temporary, but many do not.  As their businesses grow, they still keep making the same poor technology choices without realizing that better options always exist.

Classes of Technology

The best way to think about your technology for your business is to truly understand the market. Traditionally, there are three main tiers of technology in the market place.  The lines have begun to blur in a few market-spaces, but ultimately the three tier rules still apply.

The Three Tiers of Technology

  • SOHO
  • Mid-Tier/Business Class
  • Enterprise

SOHO – Small Office / Home Office – (run, run away)

SOHO technology is where a lot of businesses go horribly wrong.  SOHO technology options are readily available at Best Buy, Staples, Fry’s, Microcenter, or any of your other favorite retailers.  Unless you are a startup running out of your garage, you should *never, ever, ever, ever, ever* run your business on SOHO gear.  Feel free to buy this stuff for your home office, but don’t run essential business operations on something you purchase from retail.  The quality/support just isn’t there.

Mid-Tier/Business Class Gear – (fits like your favorite soft, fluffy bunny slippers)

Most SMB/medium-sized business clients should live here.  Mid-Tier technology options are unlimited from good quality manufacturers and will typically give you 3-5 years of lifetime with little to no trouble.  There are many technologies (like switches, firewalls, and routers) that might get your business 7 years of use for only a few hundred dollars more than their small business counterparts.  This technology (with a few exceptions) is only available online or direct from the manufacturer.  You should be working with a good SMB vendor/partner (be sure to confirm their technology architecture experience!) to help you get the best gear for your dollar.  For the savvy IT manager or business owner, you can find a lot of Mid-Tier gear available on Amazon today.

Here is a list of some of the main Mid-Tier vendors to help you get your bearings (a lot of these overlap into the Enterprise arena as well)

Dell, IBM, Lenovo, Apple, HP, Cisco, TrendNet, APC, Cyberpower, Nutanix, NexSan, Tegile, VMware, Microsoft, Intel

**There are hundreds, if not thousands of mid-tier software choices, so I can’t even begin to list those.  This is why a good IT partner is essential ( if they are really good, they may introduce you to great refurb equipment with a three year warranty…and boost your budget!).

Enterprise Technology – (It’s not just for your Starship anymore)

As most businesses grow, they will find that there are aspects of their business that are more important than others.  These unique components will fall into the Enterprise class of hardware and software. Enterprise technology is designed to be state-of-the-art, have exceptional quality, and provide real support for the ultimate uptime solutions.  Businesses invest (yes, it is an investment) in Enterprise-class equipment and software for the most important processes in their organization. If you need uptime, features, or exceptional support, you should always buy Enterprise-class equipment and software.

Going Wrong with the Enterprise

Several of our small and medium business clients have gotten burned (before coming to us) in their IT purchases by going Enterprise too early.  They spend a lot of money on technology they don’t truly need.  Just like going too small, going too big can be costly and hard on the company as it grows.  The cost to maintain the systems can choke the growth of any business. A lot of Vendor Partners steer their customers to Enterprise class gear for the support even if the client is too small to need it.  Don’t get burned, get educated!

Going BIG!

If your business is 250+ employees, there should be a significant portion of your non-cloud infrastructure already at the Enterprise level.  Note the word ‘significant’.   Other than hospitals or banking, there are few industries that need every piece of equipment in their organization to be Enterprise-ready.  The cost savings of just keeping the non-essential portions of your IT infrastructure Mid-Tier can be substantial.

Why is it an Investment?!?!

If you aren’t investing in Enterprise infrastructure, you are investing in “people time” instead.  Where the technology falls short, you spend more money on time.  To put it simply:


A good technology investment should save you time and money. 

A bad technology investment always costs more of both.

The price of keeping our systems and data secure (as well as our sanity) is unending vigilance!

It is a given that the typical IT shop in a small to medium business is busy to the max: keeping things going, answering requests, and jumping on emergencies leaves little time to scour the net keeping up with the ever-changing security threat landscape.

Our Senior Security Engineer spent two tours with three-letter agencies in D.C. doing for them what he now does for ECXSystems’ clients: providing timely warning of emerging threats and assisting in clean-up and restoration.  One of the ways he stays current is to leverage his time through solid blog and newsletter sources that he trusts.

You would do well to follow up on this article in… and if you don’t have time, then be sure to contact us at  Fill out the form and we will follow up and help you fix your phishing issue.

The Nightmare of Exploits Past. How Phishing Attacks Use Old Vulnerabilities!

A Must Read…

Is Hyperconvergence in your future? – Part 2

….BUT, I like VMWare!

Of course you do!  As do I!  We all like to dance with who brung ya! (and swing with who swung ya)

Hyperconvergence as a product means to make Hyper-V and VMWare obsolete (if we let it).   The product offerings pushing Hyperconvergence will let you continue to use Hyper-V and VMWare if you like, but they make jumping ship very attractive.

For example, the Nutanix node-based compute solution is a 4 U box with compute and Disks included:

Nutanix includes their own hypervisor called Acropolis, based on the Linux KVM solution.  The reason that hyperconvergence is so attractive is the turn-key features that dominate the landscape.  Think auto-provisioning of compute, storage, and networking (called Prism).  We no longer have to think about these things as separate, disparate technologies.

Need to expand, just add more nodes!

You can keep your VMWare or Hyper-V architecture…or just move them to Acropolis.  Thing is…you get to decide.  However, since Acropolis is included you might just ask yourself why you are continuing to pay for a Hypervisor.  After all, shouldn’t the next generation of technology be cheaper and better than the last?

See how Nutanix is pushing the reasons to switch HERE.

So what does this really mean for my environment?

For the average business, most of us won’t jump straight into hyperconverged platforms.  However, as our old environments age out or we have a need for expansion, this becomes the next logical choice.  Why buy 80TB of storage when you can get a full platform for just a little more?

Ultimately it provides the baseline for the migration to the next generation technology platform.

So, when faced with an aging system or you just need to look to the future….Think Hyperconvergence!  –  It’s here, fast, and ready to make you look good!


Is Hyperconvergence in your future? – Part 1

Hyperconvergence is not the name for a new German punk rock band or even the latest new Pharmaceutical being hawked on TV by the ever lengthy 90-second commercial.  So, how is hyperconvergence the next big thing and why should you care?

Up until a couple of years ago, most of us were being told that virtualization was the way of the future.  Well the future is here.  If at least 90% of your environment isn’t virtualized, you should call us immediately.  You are wasting money, time, and energy.

So if virtualization was the future, how is the next future thing Hyperconvergence?

Hyperconvergence is virtualization done better.  A hyperconverged platform provides the ultimate in software management and integration.  Imagine all of the pieces of your network managed simpler and better.  One single pane of glass for all of your infrastructure.

Now, imagine Enterprise class virtualization features without the VMWare tax, or if you want, you can continue to use VMWare.

In essence, hyperconvergence allows us to deploy an infinitely expandable environment without the hard separation between networking, compute, and storage.

What does this look like?

Most of us need to understand what the physical representation of this actually looks like.  For most of us, this will be a hardware chassis with drives and hardware blades in it.  The drives will act as converged storage while the blades offer the processing power.  The magic is in the software.

Hyperconvergence is currently being offered by both Nutanix and Scale computing.  Both are interesting and both look to completely displace VMWare.  The jury is out, but the future is here.


Read More … – Part 2

Tomcat 5 / 6/ 7 /8 – Create and Install SSL Certificate

Hi Guys,

Due to all of the positive feedback on the original article, I decided to do a brief update to nail down and simplify the process.

General Steps

  1. Create a Key and Certificate Request
  2. Issue the Certificate from your favorite Registrar
  3. Merge the Certificate into a Tomcat File

Create a Key and Certificate Request

On your favorite Linux or Windows box, make sure you have OpenSSL.

I am making a directory called /home/keystore.  Seems fitting.


mkdir /home/keystore

Run the following:

First we need a Private Key.  This is yours and yours alone.

openssl genrsa -out /home/keystore/private.key 2048

So, the private key is critical.  It’s the secret half of the key pair for this SSL cert, and it must never leave your control.

Next, we need to generate the request to send to GoDaddy, InstantSSL, etc

(If you like this article, you can get an SSL through our GoDaddy Account –  I think we make $1)

Now, the command:

openssl req -new -sha256 -key /home/keystore/private.key -out /home/keystore/mydomain.csr

You are going to be prompted for all of the details as follows. For a wildcard certificate, use * as the Common Name. For other hosts, just use the hostname (you will get www automatically).

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Tyler
Organization Name (eg, company) [Default Company Ltd]:My Domain Inc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:*
Email Address []

Press Enter on the Extra fields, no password needed.

Ok, once finished, take your CSR and submit to your provider. Once you submit, you wait and then you will get your certificate. You may have to check email to approve it.

Now the Easy Part!

Merge the Certificate into a Tomcat File

If you are a GoDaddy Customer, you will get two files. Other providers might send you on a wild goose chase for the Bundle file.

6e00664a60ac4578.crt  - This is the Actual Certificate
gd_bundle-g2-g1.crt   - This is your Bundle file with all the certificate chain data from GoDaddy

For simplicity and understanding, let’s rename the file:

mv 6e00664a60ac4578.crt mydomain.crt

Now, let’s make the Tomcat keystore container

openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in mydomain.crt -inkey private.key -out keystore.tomcat -name tomcat -passout pass:changeit

Ok, you have everything you need. Now, set up Tomcat.

Installing the Certificate in Tomcat

Let’s copy the file to our tomcat installation configuration directory.  My tomcat was in /usr/local/tomcat5

cp keystore.tomcat /usr/local/tomcat5/conf

Now, we need to enable SSL.  So, we need to edit the server-wide server.xml file.  Find the section like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

Replace it.  Mine looks like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
<!-- keystoreFile is resolved relative to $CATALINA_BASE; keystorePass is the -passout value used when the PKCS12 was exported -->
<Connector port="443"
maxHttpHeaderSize="8192" maxThreads="250" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
keystoreFile="conf/keystore.tomcat" keystorePass="changeit"
keystoreType="PKCS12" />

Lastly, find any other references to port 8443 in the server.xml file and replace them with just 443.

Now, restart Tomcat and enjoy your newly functioning wildcard certificate.
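The three steps above, scripted end to end as an added example; this is not the post’s own code. Since a registrar cannot be reached offline, a throwaway demo CA that the script creates itself stands in for GoDaddy or InstantSSL and signs the CSR, so the domain *.example.test, the file name demo_bundle.crt and the temporary working directory are assumptions of the example. It also adds a subjectAltName, which the CSR prompts above do not, because current browsers ignore the Common Name, and it ends with two checks worth running before touching server.xml: that the keystore really holds the leaf plus the chain, and that the private key belongs to the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): key + CSR, a stand-in CA signing,
# and the PKCS12 merge, followed by sanity checks. Only OpenSSL is required.
set -eu

WORK=$(mktemp -d)
CN='*.example.test'          # wildcard common name, constructed for the demo
PASS=changeit                # keystore password, same value as in the article

# Step 1: private key plus CSR. -subj answers the interactive prompts from above.
make_key_and_csr() {
  dir=$1; cn=$2
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/private.key" -out "$dir/mydomain.csr" \
    -subj "/C=US/ST=Texas/L=Tyler/O=My Domain Inc/OU=IT/CN=$cn"
}

# Read the Common Name back out of a CSR (this is what the registrar will see).
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'
}

# Step 2 (stand-in for the registrar): a self-signed demo root signs the CSR.
# A real registrar also copies the names into subjectAltName, so the demo does too.
demo_ca_sign() {
  dir=$1; cn=$2
  openssl req -x509 -new -nodes -sha256 -days 30 -newkey rsa:2048 \
    -keyout "$dir/ca.key" -out "$dir/demo_bundle.crt" -subj "/CN=Demo Root CA" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$cn" "${cn#\*.}" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 30 -in "$dir/mydomain.csr" \
    -CA "$dir/demo_bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/mydomain.crt" 2>/dev/null
}

# Step 3: merge key, certificate and chain into the PKCS12 keystore Tomcat reads.
build_keystore() {
  dir=$1
  openssl pkcs12 -export -chain -CAfile "$dir/demo_bundle.crt" \
    -in "$dir/mydomain.crt" -inkey "$dir/private.key" \
    -out "$dir/keystore.tomcat" -name tomcat -passout "pass:$PASS"
}

# Check 1: how many certificates did the keystore get? Leaf + demo root = 2.
keystore_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Check 2: does the private key really belong to the certificate? Compare public keys.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

make_key_and_csr "$WORK" "$CN"
demo_ca_sign "$WORK" "$CN"
build_keystore "$WORK"
echo "CSR CN: $(csr_common_name "$WORK/mydomain.csr")"
echo "certificates in keystore: $(keystore_cert_count "$WORK/keystore.tomcat")"
key_matches_cert "$WORK/private.key" "$WORK/mydomain.crt" && echo "private key matches certificate"
```

With a real registrar, replace demo_bundle.crt with gd_bundle-g2-g1.crt and mydomain.crt with the certificate you were issued; build_keystore then produces the same keystore.tomcat the article copies into conf.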

I hope this bridges the gaps on some of the other articles out there.

Please comment if it helps you.

Good Luck!

DBML and ConnectionString Pitfall

This one bit me good, and cost quite a bit of time before I figured it out.  Therefore, I thought it best to document my findings in case it comes up again.

The Issue

As with many bugs, the behavior didn’t show up until the application was deployed – it worked fine in the development environment.  My app uses Linq-to-SQL, and includes an IDE-generated DBML file to interface with my database.  The app was connecting to my local database just fine.  However, when the app was deployed, and all the changes to the connection string in the web.config file were updated, the connection to the database failed with the error “A network-related or instance-specific error occurred while establishing a connection to SQL Server”.  What??

The Solution

After digging and googling, I discovered something about the IDE behavior when it comes to Linq-to-SQL and DBML generation.  When the DBML file is first created, the IDE inserts an entry in the Settings.settings file, which contains the full connection string details.  Since this connection string matches the settings in my web.config and the app.config for my local projects, everything works fine.  The problem is masked by the fact that both the settings file entry and the config file entries are the same.  So, to fix this requires first changing the settings on the DBML file to not use the connection string in the Settings.settings file.

After that, the constructor for the repository needs to be updated to use the configuration manager to pull in the connection string from the config file, like this:

Once this is done, the app will pull in the connection string from the config file, and no more error!

Original post from

Tomcat 5 SSL – Install GoDaddy Wildcard Certificate JKS / PKCS12 ? What?

UPDATED: February 19, 2015 – Tomcat 6 / 7 / 8 – SSL Certificate

This page has been updated and simplified, but the below is still a good reference and has a few details not in the new one.

Ok, have you ever had a day where you spent hours and hours only to feel the frustration of not reaching your goal.  I was *almost* there.

When you buy a Wildcard SSL certificate from GoDaddy and need to install it on Tomcat 5 or 6, don’t call GoDaddy.  I called only to be told to follow the website instructions.  Ummm…yeah…I did that.  No go on that one. Riiigghhhhht…..

After 6 hours of living hell building a JKS keystore, here is what ultimately worked with the GoDaddy installation.  I will spare you the story of my pain.

Installation Environment

Tomcat 5 installation on RedHat (CentOS) Linux with no self-signed certificate.  If you have a self-signed keystore, blow it away and start over.

Start with the CSR

Before you can get your GoDaddy Wildcard Cert, you need to generate a CSR and build a new keystore file for tomcat.  The keystore is in the JKS format and holds the chain of certificates.  The ones for your server and for your cert issuer.

I started by working in my home folder.  Let’s call it /home.

cd /home

Issue the following command to Create your keystore

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

You will be prompted for a password.  I used the default tomcat password of changeit.

My screens looked something like this.  Remember I am making a wildcard domain CSR.

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:  *
What is the name of your organizational unit?
[Unknown]:  Web
What is the name of your organization?
What is the name of your City or Locality?
[Unknown]:  Tyler
What is the name of your State or Province?
[Unknown]:  TX
What is the two-letter country code for this unit?
[Unknown]:  US
Is CN=*, OU=Web,, L=Tyler, ST=TX, C=US correct?
[no]:  yes

Enter key password for <tomcat>
(RETURN if same as keystore password):

This will create a file called tomcat.keystore.  Be sure this is referenced in every command moving forward otherwise, you will be affecting the file named .keystore in your home folder.  This then gets confusing.

Now, create the CSR so you can go through the GoDaddy SSL process.*

*If this article is helpful, you can buy it here if you haven’t already and benefit our company. It’s still GoDaddy!

keytool -certreq -keyalg RSA -alias tomcat -file mydomain.csr -keystore tomcat.keystore

You will be asked for the password again.  Remember the password is changeit

You will now have two files.

1. tomcat.keystore – back this file up somewhere just in case you screw up somewhere

2.  mydomain.csr – This is your plain text CSR to use on GoDaddy’s website to gen your wildcard SSL cert.  Copy and paste this to get your certificate file.

…..Wait….. And wait. ….just wait….zzzzzzzzzzzzzzzzzzzzzzzzzzz

Install the Certificate

Once you have completed your waiting, you will receive a zip file containing several files.  The file we need the most is mydomain.crt.  This contains your certificate.  Now, if you were to attempt to follow GoDaddy’s certificate installation instructions, you would find you don’t have the materials to perform option 1.

As a result you would try option 2 and fail miserably.  Here is where we get creative.

Let’s examine the command for “Option 1” and see what we need.

openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit

Here is my checklist:

gd_bundle.crt – Don’t need it.  Found this out the hard way.  Just bear with me.

<name of your certificate> – this is mydomain.crt file – we have that. Check!

<name of your certificate private key file> – WTF?  Where do I get this?  See below.

keystore.tomcat – Oh yeah, we made that file earlier. Check!

sf_bundle.crt – You need this instead of gd_bundle.crt.  Needed to face lots of errors to figure that out.

Get GoDaddy Bundle files here:

Getting your Private Key File

There are lots of ways to extract your private key, but I found the best way to be a GUI Java app called KeyStore Explorer.  This is a super great tool.

1.  Download and install KeyStore Explorer.  If you need Java, go download and install it first.

2.  Upload your tomcat.keystore file to your windows box.  This is a binary file.  Treat it as such.

3.  Open your tomcat.keystore file in KeyStore Explorer.  Find the tomcat alias entry we created, right-click and choose Export -> Export Key Pair.  Do NOT enter a password.  Simply put the name of the file.  I called mine mykey.p12

4.  Copy this file back to your /home folder.

You now have a PKCS12 file with both your public and private key in there.  However, we still aren’t quite there.  We need to extract the Private key for the command above.

openssl pkcs12 -in mykey.p12 -nocerts -out privateKey.pem

Press Enter when prompted for the Import password.  When prompted for the PEM Pass phrase, I used changeit.


Now we have a Private Key file that we can use in our OpenSSL command above.  The top of the file will look something like this:

[root@www tools]# head privateKey.pem
Bag Attributes
localKeyID: B7 5F 05 B7 5F FD 6C 33 EE F2 83 02 CE 13 2A 14 55 A2 BD 24
friendlyName: tomcat
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED


Now, in order to get the file clean enough to use as our import, we need JUST the key.  So, edit the file and delete everything above the -----BEGIN RSA PRIVATE KEY----- line (the Bag Attributes, localKeyID, friendlyName, and Key Attributes lines).

Now the top of your file looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

Save and let’s get finished.
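An added example, not the post’s own code, that does the key extraction and the hand edit above without a text editor. It builds its own mykey.p12 from a throwaway self-signed certificate so it runs offline, so the export password changeit, the alias tomcat and the temporary directory are assumptions; if your KeyStore Explorer export really has no password, use -passin pass: instead. Two things the manual edit does not show: OpenSSL’s PEM reader skips any text before the -----BEGIN line, so the Bag Attributes preamble can be dropped simply by re-encoding the key with openssl pkey, and the resulting key should be checked against the certificate before it goes into a keystore.

```shell
#!/bin/sh
# Added example (not from the original post): PKCS12 -> clean private-key PEM,
# the article's hand edit automated, plus the idiomatic re-encode and a key/cert check.
set -eu

WORK=$(mktemp -d)
EXPORT_PASS=changeit     # assumed export password of mykey.p12 (use pass: if it has none)

# Constructed input: a self-signed key pair bundled into a PKCS12 under alias tomcat,
# standing in for the file KeyStore Explorer exported above.
make_demo_p12() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj '/CN=*.example.test' \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" -name tomcat \
    -out "$1/mykey.p12" -passout "pass:$EXPORT_PASS"
}

# What the article does: dump only the key. The output starts with "Bag Attributes"
# lines before the PEM block, which is the preamble the post deletes by hand.
extract_private_key() {               # $1 = p12, $2 = output pem
  openssl pkcs12 -in "$1" -passin "pass:$EXPORT_PASS" -nocerts -nodes -out "$2" 2>/dev/null
}

# Does the file start at a PEM header, i.e. is it free of the bag-attribute preamble?
# Old OpenSSL writes "RSA PRIVATE KEY", newer versions write PKCS#8 "PRIVATE KEY".
is_clean_pem() {
  [ "$(head -n 1 "$1")" = '-----BEGIN PRIVATE KEY-----' ] || \
  [ "$(head -n 1 "$1")" = '-----BEGIN RSA PRIVATE KEY-----' ]
}

# The hand edit from the post, automated: keep only the BEGIN..END block.
strip_bag_attributes() {              # $1 = in, $2 = out
  sed -n '/^-----BEGIN/,/^-----END/p' "$1" > "$2"
}

# The idiomatic alternative: let OpenSSL re-encode the key. Its PEM reader ignores the
# preamble, and -aes256 re-encrypts the result (the post used a pass phrase of changeit).
reencode_private_key() {              # $1 = in, $2 = out, $3 = pass phrase
  openssl pkey -in "$1" -out "$2" -aes256 -passout "pass:$3"
}

# Ownership check: the key's public half must equal the certificate's public key.
key_matches_cert() {                  # $1 = key, $2 = cert, $3 = key pass phrase
  [ "$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

make_demo_p12 "$WORK"
extract_private_key "$WORK/mykey.p12" "$WORK/privateKey.pem"
strip_bag_attributes "$WORK/privateKey.pem" "$WORK/stripped.pem"
reencode_private_key "$WORK/privateKey.pem" "$WORK/clean.pem" changeit
is_clean_pem "$WORK/privateKey.pem" || echo "raw dump starts with Bag Attributes, as in the post"
is_clean_pem "$WORK/stripped.pem" && echo "stripped copy starts at the PEM header"
key_matches_cert "$WORK/clean.pem" "$WORK/orig.crt" changeit && echo "re-encoded key matches certificate"
```

Either clean.pem or stripped.pem can take the place of privateKey.pem in the openssl pkcs12 -export command that follows; clean.pem is the one to keep around, since it is encrypted.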

Finally – Importing your Certificate

Let’s go back and get us a working keystore for our SSL installation for Tomcat.  We now have everything we need.

openssl pkcs12 -export -chain -CAfile sf_bundle.crt -in mydomain.crt -inkey privateKey.pem -out keystore.tomcat -name tomcat -passout pass:changeit

Ok, notice we are NOT referencing tomcat.keystore, but instead we created a new PKCS12 Keystore called keystore.tomcat.

Now, let’s see if it works.

Installing the Certificate in Tomcat

Let’s copy the file to our tomcat installation configuration directory.  My tomcat was in /usr/local/tomcat5

cp keystore.tomcat /usr/local/tomcat5/conf

Now, we need to enable SSL.  So, we need to edit the server-wide server.xml file.  Find the section like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

Replace it.  Mine looks like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
<!-- keystoreFile is resolved relative to $CATALINA_BASE; keystorePass is the -passout value used when the PKCS12 was exported -->
<Connector port="443"
maxHttpHeaderSize="8192" maxThreads="250" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
keystoreFile="conf/keystore.tomcat" keystorePass="changeit"
keystoreType="PKCS12" />

Lastly, find any other references to port 8443 in the server.xml file and replace them with just 443.

Now, restart Tomcat and enjoy your newly functioning wildcard certificate.

I hope this bridges the gaps on some of the other articles out there.

Please comment if it helps you.

Good Luck!