# Steps to generate a self-signed certificate and Tomcat keystore on Linux.
# Use the same password whenever one is asked for during the process. The commonly used password is "changeit".
# Minimum requirement: openssl and a JDK must be installed.
# In this example the domain name used for demonstration is "localhost".
# Run these commands in the same order as written.
# Generate an RSA private key, encrypted with 3DES (-des3 prompts for the passphrase).
# Note: 1024-bit RSA is below the 2048-bit minimum now recommended; use 2048 for anything beyond a local demo.
openssl genrsa -des3 -out localhost.key 1024
# Generate a certificate signing request (CSR).
# You will be prompted for company details; the "Common Name" must be the domain name (here "localhost").
openssl req -new -key localhost.key -out localhost.csr
# Generate a self-signed certificate from the CSR, valid for 365 days.
openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
# Bundle the certificate and key into a PKCS#12 container (despite the .pem extension, the output is binary PKCS#12).
# Enter "changeit" as the export password; the next step reads it back as -srcstorepass.
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.pem
# Convert the PKCS#12 container into a Java keystore for Tomcat. openssl exports the entry under alias "1"; it is renamed to "localhost".
sudo keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore localhost.keystore -srckeystore localhost.pem -srcstoretype PKCS12 -srcstorepass changeit -srcalias 1 -destalias localhost
# Import the certificate into the JVM trust store (cacerts) so Java clients on this machine trust it. Adjust the JDK path to the installed version.
sudo keytool -import -alias localhost -file localhost.crt -keystore /usr/lib/jvm/jdk1.6.0_33/jre/lib/security/cacerts
# Add an HTTPS connector to Tomcat's conf/server.xml. Set keystoreFile to wherever localhost.keystore was placed.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/home/mukesh/Documents/keystore/localhost.keystore" keystorePass="changeit"/>
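Before packing the key and certificate into the keystore, it is worth checking that they actually belong together, that the Common Name is the hostname clients will use, that the certificate is not expired, and that the key is of adequate size. The following helper is an added example, not part of the original steps; verify_tls_material is a hypothetical function name, and the key passphrase argument is the one chosen during genrsa (empty for an unencrypted key).

```bash
#!/bin/sh
# verify_tls_material KEY CERT HOSTNAME KEY_PASSPHRASE
# Hypothetical helper: checks the files produced by the openssl steps above.
# Returns 0 when every check passes, 1 on the first failure (reason is printed).
verify_tls_material() {
  key="$1"; crt="$2"; host="$3"; pass="$4"
  [ -r "$key" ] && [ -r "$crt" ] || { echo "FAIL: key or certificate file not readable"; return 1; }
  # The key must decrypt with the supplied passphrase (empty for an unencrypted key).
  openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null \
    || { echo "FAIL: cannot read private key (wrong passphrase?)"; return 1; }
  # 1. Key and certificate must belong together: derive the DER public key
  #    from each file and compare the hashes.
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout -outform DER 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ "$key_pub" = "$crt_pub" ] || { echo "FAIL: private key does not match certificate"; return 1; }
  # 2. The Common Name must be the hostname clients will connect to (RFC2253
  #    formatting gives "CN=host" with no spaces, first or followed by a comma).
  subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null)
  case "$subject" in
    *"CN=$host") ;;
    *"CN=$host,"*) ;;
    *) echo "FAIL: expected CN=$host, got: $subject"; return 1 ;;
  esac
  # 3. The certificate must not be expired or about to expire (next 24 hours).
  openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 \
    || { echo "FAIL: certificate is expired or expires within 24 hours"; return 1; }
  # 4. RSA keys shorter than 2048 bits are deprecated; the 1024-bit key from the
  #    genrsa step above is rejected here. -text_pub avoids printing private parts.
  bits=$(openssl pkey -in "$key" -passin "pass:$pass" -noout -text_pub 2>/dev/null \
         | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-unknown} bits (need >= 2048)"; return 1; }
  echo "OK: $crt and $key are usable for https://$host/"
  return 0
}

# Usage with the files from the steps above (passphrase chosen at the genrsa step):
# verify_tls_material localhost.key localhost.crt localhost changeit
```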
# File type explanation
- .csr file - A Certificate Signing Request. Some applications can generate these for submission to certificate authorities. It includes some or all of the key details of the requested certificate, such as subject, organization, state and so on. The CA signs the request and returns a certificate. The returned certificate is the public certificate, which itself can be in a couple of formats.
- .pem file - The public certificate (X.509) of a specific key pair, in the Base64 "PEM" encoding. This is also the format used for Certificate Authority certificates.
- .key file - The private key of a specific certificate.
- .pkcs12 .pfx .p12 file - A password-protected container format that holds both the certificate and its private key. It can be broken out into .key and .pem files.
- .cert, .cer, .crt file - A .pem file with a different extension, in X.509 format. This extension is recognized by Windows Explorer as a certificate, which .pem is not.
Great instructions! I found them very useful! For anyone that needs it, I found a great site that offers instructions on how to generate a CSR on different types of computer software, including tomcat! www.secure128.com/verisign-generate-csr-tomcat.aspx