Creating SSL Certificates for Google Web Toolkit Running on Apache HTTPD and Tomcat on Amazon Web Services EC2

This post is a follow-up article to my August 27, 2012 article on Creating Self-Signed Certificates for Google Web Toolkit Running on Apache HTTPD and Tomcat on Amazon Web Services EC2.

Server Configuration

Creating and installing a Secure Sockets Layer (SSL) certificate on a server should be a relatively simple task. However, most of the documentation on the subject is confusing, largely because there are many different server configurations that use SSL to secure transactions over the web. So as not to add to this confusion, the following tutorial refers to this server configuration:

Server: 64 bit Linux server running on Amazon Web Services Elastic Compute Cloud (EC2) server based on AMI ami-3bc9997e
Server Software: Apache HTTP Server (HTTPD) and Apache Tomcat
Applications Type: Google Web Toolkit and Java servlets

In this post I will describe:

  1. Creating a Java Keystore
  2. Generating the Certificate Signing Request (CSR)
  3. Checking the Certificate Signing Request (CSR)
  4. Loading the Certificates into the Java Keystore
  5. Extracting the Key from the Keystore
  6. Configuring Apache Server (HTTPD) ssl.conf
  7. Adding the Keystore to Tomcat’s server.xml

Creating a Java Keystore

Here we use a Java KeyStore to generate and store the SSL key and certificates. One limitation of this approach is that you must start by creating the KeyStore. SSL utilities such as Java keytool and OpenSSL do not have the ability to create a keystore from an existing certificate and key; in particular, there is no way to put the key in the keystore.

First we create the directory /etc/pki/tls/keystore and change into it. For the keytool command that creates the keystore, we need to supply the following:

  • keystore file name: demo.colabrativ.com.jks
  • key algorithm (keyalg): RSA
  • alias: demo
  • keysize: 2048 (as of January 1, 2014, 2048-bit or longer keys will be required by the Certification Authority/Browser Forum)

In addition, when keytool asks “What is your first and last name?”, we need to supply the website URL. The key and keystore passwords are optional. This information, together with the details of our organization, appears in the example below.

$ sudo mkdir /etc/pki/tls/keystore
$ cd /etc/pki/tls/keystore
$ sudo keytool -genkey -alias demo -keyalg RSA -keystore demo.colabrativ.com.jks -keysize 2048
Enter keystore password: password
Re-enter new password: password
What is your first and last name?
  [Unknown]:  demo.colabrativ.com
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  Colabrativ, Inc.
What is the name of your City or Locality?
  [Unknown]:  Orinda
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=demo.colabrativ.com, OU=Unknown, O=Colabrativ, Inc., L=Orinda, ST=California, C=US correct?
  [no]:  yes

Enter key password for <demo>
        (RETURN if same as keystore password):

$ ls -lt
total 4
-rw-r--r-- 1 marc users 2246 Aug 30 08:53 demo.colabrativ.com.jks

Generating the Certificate Signing Request (CSR)

We need to supply the following:

  • alias: demo
  • keystore file name: demo.colabrativ.com.jks
  • CSR file name: demo.colabrativ.com.csr

$ keytool -certreq -alias demo -keystore demo.colabrativ.com.jks -file demo.colabrativ.com.csr
Enter keystore password: password

$ ls -lt
total 8
-rw-r--r-- 1 marc users 1039 Aug 30 08:55 demo.colabrativ.com.csr
-rw-r--r-- 1 marc users 2246 Aug 30 08:53 demo.colabrativ.com.jks

Check the Certificate Signing Request (CSR)

Symantec Corporation provides a set of SSL tools at https://ssl-tools.verisign.com/#certChecker?sl=DENJS-0000-04-00, including a CSR validator. After pasting your CSR into the window provided and running the validator, the following information on your CSR is shown:

Common Name:         demo.colabrativ.com
Organization:        Colabrativ, Inc.
Organizational Unit: Unknown
Locality:            Orinda
State:               California
Country:             US
Signature:           Verified
Signature Algorithm: SHA1
Key Algorithm:       RSA
Key Length:          2048

The signing request (demo.colabrativ.com.csr) can now be sent to the certificate authority.

Loading the Certificates into the Java Keystore

After receiving the certificates from the certificate authority, they need to be loaded into the keystore before the key is exported. You need both the certificate for your URL and the intermediate certificate from the certificate authority. This example uses the following certificates and keystore:

  • intermediate certificate file name: intermediate.crt
  • certificate file name: demo.colabrativ.com.crt
  • keystore file name: demo.colabrativ.com.jks

First the certificate authority’s intermediate certificate is loaded using the alias root.

$ keytool -import -trustcacerts -alias root -file intermediate.crt -keystore demo.colabrativ.com.jks
Enter keystore password: password
Certificate was added to keystore

Then our certificate, demo.colabrativ.com.crt, is loaded into the keystore using the alias demo.

$ keytool -import -trustcacerts -alias demo -file demo.colabrativ.com.crt -keystore demo.colabrativ.com.jks
Enter keystore password: password
Certificate was added to keystore

Extracting the Key from the Keystore

There are three steps in extracting the key from the keystore we created above:

  1. Use keytool to create an intermediate PKCS12 keystore, demo.colabrativ.com.pkcs12, from the keystore, demo.colabrativ.com.jks.
  2. Use OpenSSL to create a Privacy-enhanced Electronic Mail (PEM) formatted file containing both the certificate and the key, demo.colabrativ.com.pem.
  3. Extract the key, demo.colabrativ.com.key, from the PEM file using a text editor.

$ sudo keytool -importkeystore -srckeystore demo.colabrativ.com.jks -destkeystore demo.colabrativ.com.pkcs12 -deststoretype PKCS12
Enter destination keystore password: password
Re-enter new password: password
Enter source keystore password: password
Entry for alias demo successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

$ sudo openssl pkcs12 -in demo.colabrativ.com.pkcs12 -out demo.colabrativ.com.pem -nodes
Enter Import Password: password
MAC verified OK

$ sudo cp demo.colabrativ.com.pem demo.colabrativ.com.key
$ sudo vi demo.colabrativ.com.key

$ ls -lt
total 20
-rw-r--r-- 1 marc users 1224 Aug 30 13:57 demo.colabrativ.com.key
-rw-r--r-- 1 marc users  509 Aug 30 13:53 demo.colabrativ.com.pem
-rw-r--r-- 1 marc users  509 Aug 30 13:50 demo.colabrativ.com.pkcs12
-rw-r--r-- 1 marc users 2246 Aug 30 13:48 demo.colabrativ.com.jks
-rw-r--r-- 1 marc users 1039 Aug 30 13:46 demo.colabrativ.com.crt
-rw-r--r-- 1 marc users 1039 Aug 30 13:45 intermediate.crt
-rw-r--r-- 1 marc users 1039 Aug 30 08:55 demo.colabrativ.com.csr

After the certificate and key have been prepared, they are moved to the /etc/pki/tls/certs/ and /etc/pki/tls/private/ directories, respectively.

$ sudo mv intermediate.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.com.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.com.key /etc/pki/tls/private/.
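The third extraction step, done with a script instead of a text editor, as an added example that is not part of the original post: it splits the PEM written by openssl pkcs12 into the key file (created mode 0600, since -nodes left the key unencrypted) and the certificate blocks. A constructed sample PEM stands in for demo.colabrativ.com.pem; only POSIX sh, awk, grep, chmod and mktemp are assumed.

```shell
# Added example (not from the original post): split the combined PEM that
# "openssl pkcs12 -nodes" writes into a key file and a certificate file,
# instead of editing demo.colabrativ.com.pem by hand in vi. POSIX sh only.

# extract_pem_block <pem> <out> <type>: copy every
# "-----BEGIN <type>-----" ... "-----END <type>-----" block from <pem> to
# <out>, dropping the "Bag Attributes" and "subject=" lines openssl pkcs12
# writes between blocks. Returns 1 (and no file) if no block was found.
extract_pem_block() {
    awk -v t="$3" '
        $0 == ("-----BEGIN " t "-----") { inblock = 1 }
        inblock                         { print }
        $0 == ("-----END " t "-----")   { inblock = 0; found = 1 }
        END                             { exit found ? 0 : 1 }
    ' "$1" > "$2" || { rm -f "$2"; return 1; }
}

# extract_key <pem> <keyfile>: the key is unencrypted ("-nodes"), so the file
# is created under umask 077 and left at mode 0600. Newer OpenSSL labels the
# key "PRIVATE KEY" (PKCS#8); older output uses "RSA PRIVATE KEY".
extract_key() {
    ( umask 077
      extract_pem_block "$1" "$2" "PRIVATE KEY" ||
      extract_pem_block "$1" "$2" "RSA PRIVATE KEY" ) || return 1
    chmod 0600 "$2"
}

# extract_certs <pem> <crtfile>: certificates are public, so mode 0644.
extract_certs() {
    extract_pem_block "$1" "$2" "CERTIFICATE" && chmod 0644 "$2"
}

# pem_block_count <file> <type>: how many blocks of one type a file holds
pem_block_count() { grep -c "^-----BEGIN $2-----" "$1"; }

# write_sample_pem <path>: constructed stand-in for demo.colabrativ.com.pem
# (the base64 bodies are placeholders, not real key material).
write_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: demo
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCplaceholder=
-----END PRIVATE KEY-----
subject=/C=US/ST=California/L=Orinda/O=Colabrativ, Inc./CN=demo.colabrativ.com
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUplaceholder=
-----END CERTIFICATE-----
EOF
}
```

Against the real file, run extract_key demo.colabrativ.com.pem demo.colabrativ.com.key (and, if wanted, extract_certs) before the mv commands above; the certificate blocks should match the .crt files received from the certificate authority.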

Configuring Apache Server (HTTPD) ssl.conf

We will place all the SSL information for this server in the ssl.conf file in the /etc/httpd/conf.d directory. The ssl.conf file is loaded into the Apache Server (HTTPD) by the directive “Include conf.d/*.conf” in httpd.conf in the directory /etc/httpd/conf. You should check that this directive is present in your httpd.conf file.

Shown below are the differences between the original ssl.conf file and the edited version. It is a bit hard to tell where these changes were made from the file differences, so a copy of a demonstration ssl.conf file can be downloaded at the bottom of the section.

$ cd /etc/httpd/conf.d
$ sudo cp -p ssl.conf ssl.conf.orig
$ sudo vi ssl.conf
$ sudo diff ssl.conf.orig ssl.conf
19a20,21
> NameVirtualHost *:443
>
74c76,77
> <VirtualHost _default_:443>
---
> #<VirtualHost _default_:443>
> <VirtualHost *:443>
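Review bot: the `<VirtualHost _default_:443>` line shown above the `---` separator is the original file's line in this `c` hunk, so it should carry a `<` marker rather than `>`; the `>` is a rendering glitch in the page, not the content of ssl.conf. The edit itself, commenting out `_default_:443` and adding `<VirtualHost *:443>`, matches the `NameVirtualHost *:443` added in the first hunk.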
78a82
> ServerName demo.colabrativ.com:443
85a90,100
> #
> # Proxy Server directives. Uncomment the following lines to
> # enable the proxy server:
> #
> ProxyRequests Off
> ProxyPass        /admin   https://demo.colabrativ.com:8443/admin
> ProxyPass        /demoapp https://demo.colabrativ.com:8443/demoapp
>
> SSLProxyEngine on
>
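Review bot: the proxy block has no `ProxyPassReverse` lines to pair with the two `ProxyPass` entries, so any redirect issued by Tomcat (a login page, a trailing-slash redirect) reaches the browser as `https://demo.colabrativ.com:8443/...` and bypasses HTTPD; add `ProxyPassReverse /admin https://demo.colabrativ.com:8443/admin` and the same for `/demoapp`. The comment "Uncomment the following lines to enable the proxy server" is stale, since the directives beneath it are already active. With `SSLProxyEngine on` and no `SSLProxyVerify`, the backend certificate on port 8443 is not checked, which is tolerable only while Tomcat is on the same host as HTTPD, as it is in this setup.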
105c120,121
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateFile /etc/pki/tls/certs/demo.colabrativ.com.crt
112c128,129
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> SSLCertificateKeyFile /etc/pki/tls/private/demo.colabrativ.com.key
143c143
< #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
---
> SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
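Review bot: `SSLCACertificateFile` is the directive for the CAs whose client certificates the server would accept; the directive meant for sending the intermediate to browsers together with demo.colabrativ.com.crt is `SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt` (in httpd 2.4.8 and later the intermediate can instead be appended to the file named by SSLCertificateFile). Pointing SSLCACertificateFile at the intermediate also makes that CA an acceptable client-certificate issuer, which only matters if `SSLVerifyClient` is ever enabled, but it is not the intended directive here.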

Download: demo_ssl.conf

Adding Keystore to Tomcat’s server.xml

We configure Tomcat to support applications and services under the secure https protocol on port 8443 by editing the server.xml file in /etc/tomcat7. We need to supply the keystore password in the 8443 Connector we enable. I have saved the original server.xml and show only the difference between the two files below.

$ cd /etc/tomcat7
$ sudo cp -p server.xml server.xml.orig
$ sudo vi server.xml
$ sudo diff server.xml.orig server.xml
84,88c84,92
<     <!--
<     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
<                maxThreads="150" scheme="https" secure="true"
<                clientAuth="false" sslProtocol="TLS" /&gt
<     -->
---
>
>     <Connector port="8443"
>                protocol="HTTP/1.1"
>                SSLEnabled="true"
>                maxThreads="150"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/etc/pki/tls/keystore/demo.colabrativ.com.jks"
>                keystorePass="password" />
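Review bot: `keystorePass="password"` stores the keystore password in clear text in server.xml, and because the genkey step accepted RETURN at the key-password prompt, the same value also unlocks the private key; the file must be readable only by root and the Tomcat service user, and the value deserves more than a placeholder. The `/&gt` ending the removed comment block is an HTML entity left by the page rendering, not what the original server.xml contains (`/>`).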

Useful Resources

  1. SSL Shopper’s The Most Common Java Keytool Keystore Commands
  2. SSL Shopper’s The Most Common OpenSSL Commands
  3. Wikipedia’s page on X.509