First of all, we create a keystore: the file in which the server-side keys are stored. We use the Java tool keytool for this; the key algorithm used here is RSA.
At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore
Fill in all the information that is asked.
A keystore named name.keystore is generated.
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certificate authority such as VeriSign or Thawte:
keytool -certreq -keystore ./name.keystore -alias <alias name> -file <CSR file name>.csr
Enter the keystore password.
A <CSR file name>.csr file is generated.
If you are getting the CSR signed by a certificate authority, skip the next step.
If you are going to sign the CSR yourself, using for example OpenSSL, the steps are as follows.
(This assumes that you are working on a Linux machine with OpenSSL installed; OpenSSL can be obtained from www.openssl.org, follow its installation procedure.)
To sign the certificate, make a new directory (newCA) and copy openssl.cnf and CA.sh from the OpenSSL apps directory into it:
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/
Edit your new copies of openssl.cnf and CA.sh. In openssl.cnf, set the dir variable to the current directory:
dir = . # everything is kept in the current directory
In CA.sh, set the CATOP variable to the current directory:
CATOP=. # everything is kept in the current directory
Create the certificate for the Certification Authority (make the script executable first, if necessary):
chmod 744 CA.sh
./CA.sh -newca
This produces the CA certificate cacert.pem and the CA private key private/cakey.pem that the signing step below uses.
Send the <CSR file name>.csr file to the Certification Authority and create the server certificate. Copy the CSR into the CA directory:
cp <CSR file name>.csr /usr/local/newCA
or ftp the <CSR file name>.csr file to the machine acting as CA.
Create the certificate:
openssl x509 -req -in <CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM
Optionally, convert the CA certificate from PEM encoding to DER for distribution to clients:
openssl x509 -inform pem -outform der < cacert.pem > cacert.der
We now have two files: cacert.der, containing the CA's certificate (its public key), and <pem file name>.pem, containing the server's public key signed by the CA with the CA's private key. I will now import these two files into my keystore. The order is important: the CA certificate goes in first, under its own alias, so that keytool can build the chain when the signed server certificate is then imported under the alias of the key pair generated in the first step:
keytool -import -alias <CA alias> -file cacert.der -keystore ./name.keystore
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore
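As an added example (not part of the original how-to), the following POSIX shell script runs the OpenSSL signing and PEM-to-DER steps above against a throwaway CA and checks the result. It assumes openssl is on the PATH and generates the server key and CSR with openssl rather than keytool, so it runs without a JDK; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: reproduce the OpenSSL signing
# steps above with a throwaway CA and check the result. Assumes openssl is on
# PATH; keys are generated with openssl instead of keytool so no JDK is needed.
# Prints the scratch directory that holds cacert.pem, cacert.der and server.pem.

demo_sign_csr() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/newCA.XXXXXX") || return 1
    cd "$work" || return 1
    mkdir private || return 1

    # 1. CA key and self-signed CA certificate (what "CA.sh -newca" produces).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout private/cakey.pem \
        -out cacert.pem -days 365 -subj "/CN=Example Test CA" >/dev/null 2>&1 || return 1

    # 2. Server key pair and CSR (stands in for keytool -genkey / -certreq).
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
        -out server.csr -subj "/CN=localhost" >/dev/null 2>&1 || return 1

    # 3. Sign the CSR with the CA, the same command as in the procedure above.
    openssl x509 -req -in server.csr -out server.pem -CA cacert.pem \
        -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM >/dev/null 2>&1 || return 1

    # 4. PEM -> DER conversion of the CA certificate for distribution to clients.
    openssl x509 -inform pem -outform der < cacert.pem > cacert.der || return 1

    # 5. The server certificate must chain to the CA we just created ...
    openssl verify -CAfile cacert.pem server.pem >/dev/null 2>&1 || return 1
    # ... and the DER copy must still be a readable certificate.
    openssl x509 -inform der -in cacert.der -noout || return 1

    printf '%s\n' "$work"
}

# Extra check a defender cares about: a certificate signed by some other CA
# must be rejected when verified against our CA file.
demo_reject_foreign_cert() {
    work=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/other.key" \
        -out "$work/other.pem" -days 1 -subj "/CN=Not Our CA" >/dev/null 2>&1 || return 1
    # Expect failure; success here would mean the trust check is broken.
    if openssl verify -CAfile "$work/cacert.pem" "$work/other.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

The files left in the printed directory are the same ones the how-to imports into the keystore, cacert.der first and then the signed server certificate.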
Important remark: if you get an exception that looks like java.security.NoSuchAlgorithmException: Algorithm TLS not available, open the file $JAVA_HOME/jre/lib/security/java.security and check that com.sun.net.ssl.internal.ssl.Provider appears in the list of providers:
# List of providers and their preference orders (see above):
security.provider.<n>=com.sun.net.ssl.internal.ssl.Provider
You also have to add the jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME/jre/lib/ext folder and put them on the class path.
Tomcat over SSL (HTTPS)
If Tomcat is running as a JBoss service, we need to make a few changes in some configuration files.
We want JaasSecurityDomain as the SecurityManagerClass instead of JaasSecurityManager, so we need to change this in jboss-service.xml, in the section marked:
<!-- JAAS security manager and realm mapping -->
Add the lines below after that section in jboss-service.xml:
<arg type="java.lang.String" value="TomcatSSL" />
<attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
<attribute name="KeyStorePass">put your name.keystore password here</attribute>
This is the final step: we remove the Connector that listens on port 8080 from the Tomcat configuration and replace it by one that listens on port 8443. Note that the keystore password then sits in clear text in the configuration file, so keep that file's permissions tight.
Add the following lines:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" enableLookups="true" scheme="https" secure="true" debug="0">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           keystoreFile="d:\.keystore" keystorePass="123456" clientAuth="false" protocol="TLS"/>
</Connector>
and remove (or comment out) the existing HTTP connector:
<!-- A HTTP Connector on port 8080 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8080" minProcessors="3" maxProcessors="10" enableLookups="true"
           acceptCount="10" debug="0" connectionTimeout="60000"/>
When you connect to your server now, don't use http://localhost:8080; use https://localhost:8443 instead. If you used a self-signed certificate, or if your CA is not known to your browser, a confirmation dialog box will open and ask whether you 'trust' the issuer of the certificate.