Creating and installing a self-signed Secure Sockets Layer (SSL) certificate on a server should be a relatively simple task. However, most of the documentation on the subject is confusing, largely because there are many different server configurations that use SSL to secure transactions over the web. To avoid adding to that confusion, this tutorial refers to the following server configuration:
Server: 64-bit Linux server running on an Amazon Web Services Elastic Compute Cloud (EC2) instance based on AMI ami-3bc9997e
Server software: Apache HTTP Server (HTTPD) and Apache Tomcat
Application type: Google Web Toolkit and Java servlets
In this post I will describe:
- Creation of self-signed SSL certificate in a Java keystore
- Adding keystore to Tomcat’s server.xml
- Extracting the certificate and the key from the keystore
- Configuring Apache Server (httpd) ssl.conf
Creation of self-signed SSL certificate
Here we will use a Java KeyStore to supply Apache Tomcat with the certificate we generate. One limitation of this approach is that you must start by creating the KeyStore first. SSL utilities such as Java keytool and OpenSSL do not have the ability to create a keystore from an existing certificate and key. In particular, there is no way to put the key in the keystore.
First we create and change to the directory /etc/pki/tls/keystore. For the keytool command that creates the keystore, we need to supply the following:
- keystore file name: demo.colabrativ.keystore
- alias: tomcat
- keypass: password
- storepass: password
In addition, when keytool asks “What is your first and last name?” we supply the website's host name, followed by our organization's details. These responses are shown in the example below.
$ sudo mkdir /etc/pki/tls/keystore
$ cd /etc/pki/tls/keystore
$ sudo keytool -genkey -alias tomcat -keypass password -keystore demo.colabrativ.keystore -storepass password
What is your first and last name?
  [Unknown]:  demo.colabrativ.com
What is the name of your organizational unit?
  [Unknown]:  Developmemt
What is the name of your organization?
  [Unknown]:  Colabrativ, Inc.
What is the name of your City or Locality?
  [Unknown]:  El Sobrante
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=demo.colabrativ.com, OU=Developmemt, O=Colabrativ, Inc., L=El Sobrante, ST=California, C=US correct?
  [no]:  y
A useful command to check the keystore before proceeding is:
$ sudo keytool -list -keystore demo.colabrativ.keystore
Enter keystore password: password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Aug 27, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 1A:2D:B5:C1:E9:1E:5C:A2:79:D3:8A:9B:A1:CE:14:72
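The same keystore can be produced without answering prompts, which is what you want when the step is scripted (for example in an EC2 user-data script). The function below is an added example and not part of the original post; it assumes keytool is on the PATH, reuses the post's alias, file name and password, and adds three things the interactive command above leaves to keytool's defaults: an explicit 2048-bit RSA key (older keytool releases default to DSA keys, which current clients reject), a Subject Alternative Name matching the host name (current browsers ignore the CN), and the backslash escaping that -dname needs for the comma in "Colabrativ, Inc.".

```shell
#!/bin/sh
# Added example (not from the original post): create the Tomcat keystore
# non-interactively. Assumes keytool is on PATH; host name, alias and the
# password "password" are taken from the post.
set -eu

# Build the X.500 Distinguished Name from the answers the post gives to
# keytool's prompts. The comma inside "Colabrativ, Inc." must be escaped
# with a backslash, otherwise keytool reads "Inc." as a separate RDN.
build_dname() {
    host=$1
    printf 'CN=%s, OU=Development, O=Colabrativ\\, Inc., L=El Sobrante, ST=California, C=US' "$host"
}

# Generate a self-signed RSA key pair and certificate in a new keystore.
# $1 = host name (used as CN and SAN), $2 = keystore path, $3 = store/key password.
create_keystore() {
    host=$1
    keystore=$2
    password=$3
    keytool -genkeypair \
        -alias tomcat \
        -keyalg RSA -keysize 2048 \
        -validity 365 \
        -dname "$(build_dname "$host")" \
        -ext "SAN=dns:$host" \
        -keystore "$keystore" \
        -storepass "$password" -keypass "$password"
}

# Confirm the keystore holds the private-key entry Tomcat will use.
# Prints the matching entry line; returns non-zero if the alias is missing.
check_keystore() {
    keystore=$1
    password=$2
    keytool -list -keystore "$keystore" -storepass "$password" | grep -E '^tomcat,.*PrivateKeyEntry'
}

# Stand-alone usage:
#   ./make-keystore.sh demo.colabrativ.com demo.colabrativ.keystore password
if [ $# -eq 3 ]; then
    create_keystore "$1" "$2" "$3"
    check_keystore "$2" "$3"
fi
```

Because the password is given on the command line it will appear in the process list and shell history while the command runs; keep the script's own permissions tight, just as you would for the keystore it writes.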
Adding Keystore to Tomcat’s server.xml
We configure Tomcat to serve applications and services over HTTPS on port 8443. We do this by editing the server.xml file in /etc/tomcat7 and supplying the keystore location and password in the 8443 Connector we enable. I have saved the original server.xml and show only the difference between the two files below.
$ cd /etc/tomcat7 $ sudo cp -p server.xml server.xml.orig $ sudo vi server.xml $ sudo diff server.xml.orig server.xml 84,88c84,92 < <!-- < <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" < maxThreads="150" scheme="https" secure="true" < clientAuth="false" sslProtocol="TLS" /> < --> --- > > <Connector port="8443" > protocol="HTTP/1.1" > SSLEnabled="true" > maxThreads="150" > scheme="https" secure="true" > clientAuth="false" sslProtocol="TLS" > keystoreFile="/etc/pki/tls/keystore/demo.colabrativ.keystore" > keystorePass="password" />
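Review bot: the new Connector embeds the keystore password in cleartext (keystorePass="password"), so server.xml and the keystore file it references under /etc/pki/tls/keystore must be readable only by the account Tomcat runs as; document that alongside the change. Also consider adding keyAlias="tomcat" to the Connector so it does not depend on the keystore holding a single entry, as the keytool -list output above shows it does today.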
Extracting the Certificate and Key from the Keystore
There are three steps in extracting the certificate and key from the keystore we created above:
- Use keytool to create an intermediate PKCS12 keystore.
- Use OpenSSL to create a Privacy-enhanced Electronic Mail (PEM) formatted file containing the certificate and the key.
- Extract the certificate and key from the PEM file using a text editor.
After the certificate and key have been prepared, they are moved to the /etc/pki/tls/certs/ and /etc/pki/tls/private/ directories, respectively.
The ASCII demo.colabrativ.pem file created while preparing this tutorial can be downloaded at the bottom of this section.
$ sudo keytool -importkeystore -srckeystore demo.colabrativ.keystore -destkeystore demo.colabrativ.intermediate -deststoretype PKCS12
Enter destination keystore password: password
Re-enter new password: password
Enter source keystore password: password
Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
$ sudo openssl pkcs12 -in demo.colabrativ.intermediate -out demo.colabrativ.pem -nodes
Enter Import Password: password
MAC verified OK
$ sudo cp demo.colabrativ.pem demo.colabrativ.key
$ sudo cp demo.colabrativ.pem demo.colabrativ.crt
$ sudo vi demo.colabrativ.key
$ sudo vi demo.colabrativ.crt
$ ls -lt
total 20
-rw-r--r-- 1 root root 1224 Aug 27 10:11 demo.colabrativ.crt
-rw-r--r-- 1 root root  509 Aug 27 10:11 demo.colabrativ.key
-rw-r--r-- 1 root root 2294 Aug 27 10:02 demo.colabrativ.pem
-rw-r--r-- 1 root root 1852 Aug 27 10:00 demo.colabrativ.intermediate
-rw-r--r-- 1 root root 1333 Aug 27 09:37 demo.colabrativ.keystore
$ sudo mv demo.colabrativ.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.key /etc/pki/tls/private/.
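Steps 2 and 3 above can be done without hand-editing the PEM file, which is where mistakes creep in: a stray "Bag Attributes" line left in the .key file, or, as in the ls -lt listing above, a key file that stays world-readable (mode 644) while it sits next to the certificate. The script below is an added example, not code from the original post. It assumes the demo.colabrativ.pem bundle written by openssl pkcs12 -nodes (so the key is unencrypted), extracts each block by its BEGIN/END markers, writes the key with mode 0600 from the moment it is created, and, when openssl is available, confirms that the key and certificate belong together by comparing their RSA moduli.

```shell
#!/bin/sh
# Added example (not from the original post): split the PEM bundle produced by
# "openssl pkcs12 -nodes" into certificate and key files without a text editor.
# Assumes a bundle laid out as in the post; the file names are the post's.
set -eu

# Print the first PEM block whose type matches the extended regex in $1
# (e.g. CERTIFICATE or '(RSA )?PRIVATE KEY') from the file $2. Everything
# outside the BEGIN/END lines, such as the "Bag Attributes" lines that
# openssl pkcs12 emits, is dropped.
pem_block() {
    awk -v type="$1" '
        $0 ~ ("^-----BEGIN " type "-----$") { printing = 1 }
        printing                            { print }
        $0 ~ ("^-----END " type "-----$")   { exit }
    ' "$2"
}

# Write the bundle's certificate to $certdir/$name.crt (0644) and its private
# key to $keydir/$name.key (0600). The key is created under umask 077 so it is
# never world-readable, not even between creation and chmod.
install_material() {
    bundle=$1; name=$2; certdir=$3; keydir=$4
    pem_block 'CERTIFICATE' "$bundle" > "$certdir/$name.crt"
    chmod 0644 "$certdir/$name.crt"
    (umask 077; pem_block '(RSA )?PRIVATE KEY' "$bundle" > "$keydir/$name.key")
    chmod 0600 "$keydir/$name.key"
}

# Return 0 if the RSA modulus in the certificate equals the one in the key,
# i.e. the two files belong to the same key pair (requires openssl).
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Stand-alone usage (as root, after creating the bundle):
#   ./split-pem.sh demo.colabrativ.pem demo.colabrativ /etc/pki/tls/certs /etc/pki/tls/private
if [ $# -eq 4 ]; then
    install_material "$1" "$2" "$3" "$4"
    if key_matches_cert "$3/$2.crt" "$4/$2.key"; then
        echo "certificate and key match"
    else
        echo "certificate and key do NOT match" >&2
        exit 1
    fi
fi
```

The modulus comparison is the check to run whenever a certificate is re-issued: Apache will start with a mismatched pair only to fail the TLS handshake, so catching it at install time is cheaper than finding it in the error log.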
Download: demo.colabrativ.pem
Configuring Apache Server (HTTPD) ssl.conf
We will place all the SSL information for this server in the ssl.conf file in the /etc/httpd/conf.d directory. The ssl.conf file is loaded into the Apache Server (HTTPD) by the directive “Include conf.d/*.conf” in httpd.conf in the directory /etc/httpd/conf. You should check that this directive is present in your httpd.conf file.
Shown below are the differences between the original ssl.conf file and the edited version. It is a bit hard to tell where these changes were made from the file differences alone, so a copy of a demonstration ssl.conf file can be downloaded at the bottom of the section.
$ cd /etc/httpd/conf.d $ sudo cp –p ssl.conf ssl.conf.orig $ sudo vi ssl.conf $ sudo diff ssl.conf.orig ssl.conf 19a20,21 > NameVirtualHost *:443 > 74c76,77 > <VirtualHost _default_:443> --- > #<VirtualHost _default_:443> > <VirtualHost *:443> 78a82 > ServerName demo.colabrativ.com:443 85a90,100 > # > # Proxy Server directives. Uncomment the following lines to > # enable the proxy server: > # > ProxyRequests Off > ProxyPass /admin https://demo.colabrativ.com:8443/admin > ProxyPass /demoapp https://demo.colabrativ.com:8443/demoapp > > SSLProxyEngine on > 105c120,121 < SSLCertificateFile /etc/pki/tls/certs/localhost.crt --- > #SSLCertificateFile /etc/pki/tls/certs/localhost.crt > SSLCertificateFile /etc/pki/tls/certs/demo.colabrativ.crt 112c128,129 < SSLCertificateKeyFile /etc/pki/tls/private/localhost.key --- > #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key > SSLCertificateKeyFile /etc/pki/tls/private/demo.colabrativ.key
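Review bot: in the 85a90,100 hunk the comment "Uncomment the following lines to enable the proxy server" contradicts the directives beneath it, which are already active; reword it to say the proxy is enabled. The two ProxyPass lines have no matching ProxyPassReverse, so a redirect issued by Tomcat will carry a Location header that sends the client straight to port 8443 instead of back through the proxy; add, for example, ProxyPassReverse /admin https://demo.colabrativ.com:8443/admin and the same for /demoapp. With SSLProxyEngine on and the backend presenting this self-signed certificate, the hunk also leaves mod_ssl's proxy certificate verification at its default, so the httpd-to-Tomcat hop is encrypted but the backend is not authenticated; that is worth stating in the comment so nobody assumes otherwise.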
Download: ssl.conf
Useful Resources
- SSL Shopper’s The Most Common Java Keytool Keystore Commands
- SSL Shopper’s The Most Common OpenSSL Commands
- Wikipedia’s page on X.509