Generate SSL Certificate and add it to JVM and Tomcat

# Steps to generate a certificate file on Linux.
# Keep one common password whenever you are asked for one during the process; the commonly used password is "changeit".
# Minimum requirement: openssl and a JDK must be installed.
# In this example the domain name used for demonstration is "localhost".

# Run these commands in the same order as written.

# Generate a private key (passphrase-protected). Note that 1024-bit RSA is considered weak today;
# use 2048 bits or more for anything other than a throwaway local test.
openssl genrsa -des3 -out localhost.key 1024

# Generate a local certificate signing request.
# In this step you will be asked for some information about the company; keep in mind that the "common name" must be the domain name.
openssl req -new -key localhost.key -out localhost.csr

# Generate a self-signed certificate from the CSR file; it is valid for 365 days.
openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
# Bundle the certificate and private key into a PKCS#12 container. The output is named localhost.pem here,
# but its format is PKCS#12 (not PEM), which is why the next step reads it with -srcstoretype PKCS12.
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.pem

# Generate the keystore file that will be placed in Tomcat (the same password is used for the store and the key entry).
sudo keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore localhost.keystore -srckeystore localhost.pem -srcstoretype PKCS12 -srcstorepass changeit -srcalias 1 -destalias localhost

# Add the certificate to the JVM trust store (cacerts). The default cacerts password is "changeit";
# the path below is for the JDK used in this example and will differ on other installations.
sudo keytool -import -alias localhost -file localhost.crt -keystore /usr/lib/jvm/jdk1.6.0_33/jre/lib/security/cacerts

# Modification of server.xml in Tomcat: add (or edit) the HTTPS Connector. keystoreFile must point to the keystore generated above
# and keystorePass must match the password used when it was created.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/mukesh/Documents/keystore/localhost.keystore" keystorePass="changeit"/>
# File type explanation
  1. .csr file - This is a Certificate Signing Request. Some applications can generate these for submission to certificate authorities. It includes some or all of the key details of the requested certificate, such as subject, organization, state, and so on. The CA signs the request and returns a certificate. The returned certificate is the public certificate, which itself can be in a couple of formats.
  2. .pem file - This is the public certificate of a specific key pair in X.509 format, Base64-encoded between "-----BEGIN" and "-----END" markers. This is also the format used for Certificate Authority certificates.
  3. .key file - This is the private key of a specific certificate.
  4. .pkcs12, .pfx, .p12 file - A password-protected container format that holds both the certificate and its private key. It can be broken into .key and .pem files.
  5. .cert, .cer, .crt file - A .pem file with a different extension, in X.509 format. This extension is recognized by Windows Explorer as a certificate, which .pem is not.
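The same chain of commands as above, as an added example that is not part of the original post: it runs non-interactively (the subject and passphrase are passed on the command line instead of being typed at prompts), uses a 2048-bit key, and then verifies the artifacts before they are handed to keytool and Tomcat: that the private key really belongs to the certificate, that the CN is the expected domain, that the certificate is self-signed and not yet expired, and that the PKCS#12 bundle opens with the given password. The pem_kind helper also illustrates the file-type list above by reading the PEM "-----BEGIN" marker, so it can tell a CSR, a certificate and a private key apart and flags the PKCS#12 bundle as binary. All function names, the DEMO_CERT_DIR variable and the .p12 naming are my assumptions, not anything from the original.

```shell
#!/bin/sh
# Added example (not the original post's commands): non-interactive self-signed
# certificate generation plus verification checks, POSIX sh + openssl only.

# gen_selfsigned DIR CN DAYS BITS PASS
# Creates DIR/CN.key (encrypted), DIR/CN.csr, DIR/CN.crt (self-signed) and DIR/CN.p12.
gen_selfsigned() {
  dir=$1; cn=$2; days=$3; bits=$4; pass=$5
  mkdir -p "$dir" || return 1
  # Private key, passphrase-protected (the post uses -des3; AES-256 is the modern choice).
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$cn.key" "$bits" 2>/dev/null || return 1
  # Certificate signing request; -subj sets the Common Name without interactive prompts.
  openssl req -new -key "$dir/$cn.key" -passin "pass:$pass" \
    -subj "/CN=$cn" -out "$dir/$cn.csr" || return 1
  # Self-sign the request with the same key for DAYS days.
  openssl x509 -req -days "$days" -in "$dir/$cn.csr" -signkey "$dir/$cn.key" \
    -passin "pass:$pass" -out "$dir/$cn.crt" || return 1
  # PKCS#12 bundle of certificate + key; -name becomes the keystore alias keytool sees.
  openssl pkcs12 -export -in "$dir/$cn.crt" -inkey "$dir/$cn.key" -name "$cn" \
    -passin "pass:$pass" -passout "pass:$pass" -out "$dir/$cn.p12" || return 1
}

# verify_bundle DIR CN PASS -> returns 0 only if every check passes.
verify_bundle() {
  dir=$1; cn=$2; pass=$3
  # 1. The public key inside the certificate must equal the public half of the private key.
  key_pub=$(openssl pkey -in "$dir/$cn.key" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$dir/$cn.crt" -noout -pubkey) || return 1
  [ "$key_pub" = "$crt_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  # 2. The Common Name must be the domain that will be served.
  subj=$(openssl x509 -in "$dir/$cn.crt" -noout -subject)
  case "$subj" in
    *"CN=$cn"*|*"CN = $cn"*) ;;
    *) echo "unexpected subject: $subj" >&2; return 1 ;;
  esac
  # 3. Self-signed means issuer == subject (a CA-issued certificate would differ here).
  iss=$(openssl x509 -in "$dir/$cn.crt" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "certificate is not self-signed" >&2; return 1; }
  # 4. Not already expired (checkend 0 fails once notAfter has passed).
  openssl x509 -in "$dir/$cn.crt" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
  # 5. The PKCS#12 container must open (MAC check) with the password keytool will be given.
  openssl pkcs12 -in "$dir/$cn.p12" -passin "pass:$pass" -noout -info >/dev/null 2>&1 \
    || { echo "PKCS#12 bundle cannot be opened with this password" >&2; return 1; }
}

# pem_kind FILE -> prints what the file is, judged by its first PEM "-----BEGIN" marker.
pem_kind() {
  marker=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null)
  case "$marker" in
    "-----BEGIN CERTIFICATE REQUEST-----"*) echo "certificate request" ;;
    "-----BEGIN CERTIFICATE-----"*)         echo "certificate" ;;
    *"PRIVATE KEY-----"*)                   echo "private key" ;;   # covers RSA/ENCRYPTED variants
    "")                                     echo "binary (DER or PKCS#12)" ;;
    *)                                      echo "other PEM" ;;
  esac
}

# Run the full chain when DEMO_CERT_DIR is set, e.g.: DEMO_CERT_DIR=/tmp/certs sh this.sh
if [ -n "${DEMO_CERT_DIR:-}" ]; then
  gen_selfsigned "$DEMO_CERT_DIR" localhost 365 2048 changeit || exit 1
  verify_bundle "$DEMO_CERT_DIR" localhost changeit && echo "bundle OK"
  for f in "$DEMO_CERT_DIR"/localhost.*; do echo "$f: $(pem_kind "$f")"; done
fi
```

The .p12 produced here is what the post feeds to keytool -importkeystore with -srcstoretype PKCS12; because -name sets the friendly name to the CN, the import can use -srcalias localhost rather than the numeric alias 1.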

1 comment:

  1. Great instructions! I found them very useful! For anyone that needs it, I found a great site that offers instructions on how to generate a CSR on different types of computer software, including Tomcat! www.secure128.com/verisign-generate-csr-tomcat.aspx