globe with meridians Language: Deutsch · English

hammer and wrench SSL encryption

Secure Nuclos with SSL/TLS – create a Java keystore from certificates, self-signed certificates and verification.

HOW-TO ADMINISTRATOR UPDATED: JUL 2026 APPLIES TO NUCLOS 4.2026.X

On this page

Nuclos can be secured with SSL/TLS. The easiest way is to enable SSL in the installer and provide a ready-made Java keystore there. This page shows how to create and check the keystore.

Create a Java keystore from certificates

Starting point: root certificate, optional intermediate certificates and the private key.

1. Concatenate the certificate chain

cat root.crt chain1.crt chain2.crt > certificate.crt

2. Export to PKCS#12

openssl pkcs12 -export -inkey private.key -in certificate.crt -name certificate_name -out keystore.p12

3. Convert to a Java keystore (JKS)

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks

Note

It may be necessary to create the keystore directly on the server (not on another machine).

Self-signed certificate (launcher)

For the launcher the certificate needs a matching subject alternative name and must be added to the launcher's truststore:

keytool -genkey -keyalg RSA -alias localhost -keystore keystore.jks -storepass password -keysize 2048 -ext SAN=dns:localhost,ip:127.0.0.1 -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
keytool -export -alias localhost -file localhost.cer -keystore keystore.jks
keytool -import -v -trustcacerts -alias localhost -file localhost.cer -keystore "<path_to_launcher>\cacerts"

Verify the keystore

keytool -v -list -keystore keystore.jks

Troubleshooting

If the certificate is rejected when accessing the Nuclos address, verifying the keystore helps to check the chain.

Related pages

gear Tomcat administration


Tomcat.

Open →

gear Running Nuclos behind a reverse proxy


Reverse proxy.

Open →

  • Keine Stichwörter