# Old implementation

The following is the old, manual way of installing SSL certificates.

## <span class="mw-headline" id="bkmrk-tomcat-7-automatic-i-1">Tomcat 7 automatic installation</span>

Using the TS command-line tools, specify the domain and the email address that should receive certificate notices:

```
  tsinstallssl.sh server.acme.com sslresponsible@acme.com
```

After a couple of minutes you will be required to enter the domain and email again, and to accept the terms of service.

## <span class="mw-headline" id="bkmrk-tomcat-7-manual-inst-1">Tomcat 7 manual installation</span>

### <span class="mw-headline" id="bkmrk-install-and-configur-1">Install and configure letsencrypt</span>

Download and build certbot (the Let's Encrypt client). The Python 2.7 package line from the original instructions is kept only for reference; it is deprecated:

```bash
# deprecated (Python 2.7 era), kept for reference only:
# sudo yum -y install python27-devel git
```

```bash
sudo yum -y install python36 python36-pip
sudo yum -y install git-all
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
# The first run installs the client's Python dependencies; --debug is needed on
# Amazon Linux, which letsencrypt-auto otherwise refuses to run on
/opt/letsencrypt/letsencrypt-auto --debug --agree-tos
```

Create a config file. Note that in `sudo echo "..." >> file` the redirection is performed by your own shell, not by sudo, so it fails on a root-owned file; write through `sudo tee -a` instead of making the file world-writable (`chmod 777`), which is never needed for a certbot config:

```bash
sudo touch /etc/letsencrypt/config.ini
sudo chmod 644 /etc/letsencrypt/config.ini
echo "rsa-key-size = 4096" | sudo tee -a /etc/letsencrypt/config.ini
echo "email = kpe@tempusserva.dk" | sudo tee -a /etc/letsencrypt/config.ini
```

### <span class="mw-headline" id="bkmrk-generate-pkcs12-cert-1">Generate PKCS12 certificate</span>

Generate a certificate. The webroot authenticator only works if the domain resolves to this machine and `http://<domain>/.well-known/acme-challenge/` is served from the given directory on port 80 (Tomcat 7 listens on 8080 by default, so redirect port 80 or run a web server in front of it first):

```bash
sudo mkdir /usr/share/tomcat7/webapps/ROOT
# Let's Encrypt places the challenge file under the webroot and fetches it over HTTP
/opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /usr/share/tomcat7/webapps/ROOT -d letsencrypt.tempusserva.dk --config /etc/letsencrypt/config.ini --agree-tos
```

Convert to PKCS12 format, which lets Tomcat read the private key and the chain from a single keystore. The export password is given on the command line here and will also be stored in `server.xml`, so treat both files as secrets. Become root for the next steps:

```
  sudo -s
```

```bash
cd /etc/letsencrypt/live/letsencrypt.tempusserva.dk
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:TempusServaSecret
# bundle.pfx contains the private key: owned by root, readable by the Tomcat
# service group only (assumed to be "tomcat"; adjust to your service account).
# The original 755 made the key readable by every local user.
chown root:tomcat bundle.pfx
chmod 640 bundle.pfx
# Tomcat must be able to traverse the live directory to reach the bundle;
# 750 with group tomcat does that without opening it to everyone
chgrp tomcat /etc/letsencrypt/live /etc/letsencrypt/live/letsencrypt.tempusserva.dk
chmod 750 /etc/letsencrypt/live /etc/letsencrypt/live/letsencrypt.tempusserva.dk
```

```
  Press: ctrl + d
```

### <span class="mw-headline" id="bkmrk-install-certificate--1">Install certificate in Tomcat</span>

Edit the Tomcat configuration and add (or replace) the HTTPS connector:

```bash
sudo nano /usr/share/tomcat7/conf/server.xml
```

```xml
<!-- HTTPS connector using the PKCS12 bundle created above -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/etc/letsencrypt/live/letsencrypt.tempusserva.dk/bundle.pfx"
    keystorePass="TempusServaSecret"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
    clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
```

Two things to check before going live. `keystorePass` is stored in clear text, so verify with `ls -l` that `server.xml` is readable only by root and the Tomcat account. And the cipher list keeps the `TLS_RSA_*` suites, which have no forward secrecy, while `sslProtocol="TLS"` lets the JVM negotiate every TLS version it has enabled; on Java 8 add `sslEnabledProtocols="TLSv1.2"` and put `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` at the front of the list.

Restart Tomcat (not the whole machine) so the connector loads the keystore, then confirm the served certificate is the new one:

```bash
sudo service tomcat7 restart
openssl s_client -connect localhost:8443 -servername letsencrypt.tempusserva.dk </dev/null 2>/dev/null | openssl x509 -noout -issuer -dates
```
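The manual steps above produce one bundle, but a Let's Encrypt certificate is valid for 90 days, so after every renewal the PKCS12 conversion, the permission fix and the Tomcat restart have to be repeated. The script below is an added example, not code from the original page or from the TS tools: it wraps those steps in functions that can be rerun from a renewal cron job (or, with a current certbot, as a `--deploy-hook`) and adds the checks the manual version lacks (input files present, key never world-readable, bundle actually opens with the password). It assumes the Tomcat service account is named `tomcat` and writes the bundle to `/usr/share/tomcat7/conf/bundle.pfx` rather than into `/etc/letsencrypt/live`, so the Let's Encrypt directories need no permission changes; both paths and the account name are assumptions to adjust.

```shell
#!/bin/sh
# Added example (not from the original page): rebuild the Tomcat PKCS12 bundle
# from the Let's Encrypt live directory so the step can be rerun after every
# renewal. Assumptions: the Tomcat service account is "tomcat" and the bundle
# lives in Tomcat's conf directory; adjust both for your installation.
set -eu

# Build OUT_PFX from privkey.pem, cert.pem and chain.pem in LIVE_DIR.
# umask 077 keeps the file private from the moment it is created, instead of
# creating it world-readable and tightening it afterwards.
build_bundle() {
  live_dir=$1; out_pfx=$2; password=$3
  for f in privkey.pem cert.pem chain.pem; do
    if [ ! -r "$live_dir/$f" ]; then
      echo "build_bundle: missing $live_dir/$f" >&2
      return 1
    fi
  done
  ( umask 077 && openssl pkcs12 -export \
      -inkey "$live_dir/privkey.pem" -in "$live_dir/cert.pem" \
      -certfile "$live_dir/chain.pem" \
      -out "$out_pfx" -password "pass:$password" )
}

# Owner keeps write access, the service group may read, nobody else may:
# 0640 rather than the 0755 used in the manual steps.
secure_bundle() {
  chgrp "$2" "$1"
  chmod 0640 "$1"
}

# Octal permission bits of a file, e.g. 640 (GNU stat first, BSD stat fallback).
bundle_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the bundle opens with PASSWORD and holds exactly one private key;
# otherwise the problem would only surface as a Tomcat startup failure.
check_bundle() {
  keys=$(openssl pkcs12 -in "$1" -password "pass:$2" -nocerts -nodes 2>/dev/null \
         | grep -c 'BEGIN PRIVATE KEY') || true
  [ "$keys" -eq 1 ]
}

# Full deployment: build, lock down, verify, then restart Tomcat. Run as root.
deploy_bundle() {
  domain=${1:?usage: deploy_bundle <domain> [pkcs12-password]}
  password=${2:-TempusServaSecret}
  live_dir=/etc/letsencrypt/live/$domain
  out_pfx=/usr/share/tomcat7/conf/bundle.pfx      # assumed location
  build_bundle "$live_dir" "$out_pfx" "$password"
  secure_bundle "$out_pfx" tomcat                  # assumed service group
  check_bundle "$out_pfx" "$password"
  service tomcat7 restart
}

# Only deploy when a domain is given on the command line, e.g.
#   ./tomcat-bundle.sh letsencrypt.tempusserva.dk TempusServaSecret
if [ $# -gt 0 ]; then
  deploy_bundle "$@"
fi
```

Point `keystoreFile` in `server.xml` at the new bundle location once. OpenSSL 3 writes PKCS#12 files with AES-256-CBC and PBKDF2 by default; a JVM as old as the ones Tomcat 7 shipped with may not read that and fails at startup with an unsupported-algorithm error, in which case add `-legacy` to the `openssl pkcs12 -export` command.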