This post is a follow-up article to my August 27, 2012 article on Creating Self-Signed Certificates for Google Web Toolkit Running on Apache HTTPD and Tomcat on Amazon Web Services EC2.
Server Configuration
Creating and installing a Secure Sockets Layer (SSL) certificate on a server should be a relatively simple task. However, most of the documentation on the subject is confusing, largely because there are many different server configurations that use SSL to secure transactions over the web. To avoid adding to that confusion, this tutorial refers to the following server configuration throughout:
| Server | 64-bit Linux server running on Amazon Web Services Elastic Compute Cloud (EC2), based on AMI ami-3bc9997e |
| Server Software | Apache HTTP Server (HTTPD) and Apache Tomcat |
| Application Type | Google Web Toolkit and Java servlets |
In this post I will describe:
- Creating a Java Keystore
- Certificate Signing Request (CSR) Generation
- Check the Certificate Signing Request (CSR)
- Loading the Certificates into the Java Keystore
- Extracting the Key from the Keystore
- Configuring Apache Server (HTTPD) ssl.conf
- Adding Keystore to Tomcat’s server.xml
Creating a Java Keystore
Here we will use a Java KeyStore to generate and store the SSL key and certificates. One limitation of this approach is that you must start by creating the KeyStore first: SSL utilities such as Java keytool and OpenSSL do not have the ability to create a keystore from an existing certificate and key. In particular, there is no way to put the key in the keystore.
First we create the directory /etc/pki/tls/keystore and change into it. For the keytool command that creates the keystore, we need to supply the following:
- keystore file name: demo.colabrativ.com.jks
- key algorithm (keyalg): RSA
- alias: demo
- keysize: 2048. As of January 1, 2014, 2048-bit or longer keys will be required by the Certification Authority/Browser Forum.
In addition, we need to supply the website's host name when keytool asks “What is your first and last name?” The key and keystore passwords are optional. This information, together with the information about our organization, appears in the example below.
```
$ sudo mkdir /etc/pki/tls/keystore
$ cd /etc/pki/tls/keystore
$ sudo keytool -genkey -alias demo -keyalg RSA -keystore demo.colabrativ.com.jks -keysize 2048
Enter keystore password: password
Re-enter new password: password
What is your first and last name?
  [Unknown]:  demo.colabrativ.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Colabrativ, Inc.
What is the name of your City or Locality?
  [Unknown]:  Orinda
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=demo.colabrativ.com, OU=Development, O=Colabrativ, Inc., L=Orinda, ST=California, C=US correct?
  [no]:  yes
Enter key password for <demo>
        (RETURN if same as keystore password):
$ ls -lt
total 4
-rw-r--r-- 1 marc users 2246 Aug 30 08:53 demo.colabrativ.com.jks
```
Generating the Certificate Signing Request (CSR)
For the keytool -certreq command that generates the request, we need to supply:
- alias: demo
- keystore file name: demo.colabrativ.com.jks
- CSR file name: demo.colabrativ.com.csr
```
$ keytool -certreq -alias demo -keystore demo.colabrativ.com.jks -file demo.colabrativ.com.csr
Enter keystore password: password
$ ls -lt
total 8
-rw-r--r-- 1 marc users 1039 Aug 30 08:55 demo.colabrativ.com.csr
-rw-r--r-- 1 marc users 2246 Aug 30 08:53 demo.colabrativ.com.jks
```
Check the Certificate Signing Request (CSR)
Before sending the request to the certificate authority, decode it and confirm that its contents match what was entered when the keystore was created:
| Common Name | demo.colabrativ.com |
| Organization | Colabrativ, Inc. |
| Organizational Unit | Unknown |
| Locality | Orinda |
| State | California |
| Country | US |
| Signature | Verified |
| Signature Algorithm | SHA1 |
| Key Algorithm | RSA |
| Key Length | 2048 |
The signing request (demo.colabrativ.com.csr) can now be sent to the certificate authority.
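The fields in the table above can also be read off the CSR locally with the openssl CLI, and the request's self-signature verified, before anything is sent to the CA. The script below is an added example and is not part of the original post; it constructs a throwaway key and request for the post's demo name so that it runs offline, and the function names (check_csr, make_demo_csr) are mine. Beyond the table, it flags a request signed with SHA-1, which current CA/Browser Forum rules no longer permit.

```shell
#!/bin/sh
# Added example (not from the original post): decode a CSR with openssl and
# check the fields shown in the post's table.  Requires only the openssl CLI.
set -e

# check_csr CSR_FILE EXPECTED_CN MIN_BITS
# Prints "ok" and returns 0 if the request's self-signature verifies, the
# subject CN matches EXPECTED_CN and the RSA key has at least MIN_BITS bits;
# otherwise prints the reason and returns 1.
check_csr() {
    csr=$1; want_cn=$2; min_bits=$3
    # 1. The CSR is signed with the key it carries; a failed verify means the
    #    file was truncated or altered on the way.
    if ! openssl req -noout -verify -in "$csr" >/dev/null 2>&1; then
        echo "signature verification failed"; return 1
    fi
    # 2. Subject, printed in RFC 2253 form so "CN=value" looks the same on
    #    every OpenSSL version.
    subject=$(openssl req -noout -subject -nameopt RFC2253 -in "$csr")
    case "$subject" in
        *"CN=$want_cn,"*|*"CN=$want_cn") ;;
        *) echo "unexpected subject: $subject"; return 1 ;;
    esac
    # 3. Key length, taken from the "Public-Key: (2048 bit)" line of the
    #    decoded request.
    bits=$(openssl req -noout -text -in "$csr" \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "key too short: ${bits:-unknown} bits"; return 1
    fi
    # 4. Signature algorithm: warn if the request is SHA-1 signed.
    if openssl req -noout -text -in "$csr" | grep -qi 'sha1With'; then
        echo "warning: CSR is signed with SHA-1" >&2
    fi
    echo ok
}

# Constructed test input: a throwaway 2048-bit key and CSR with the subject
# used in the post (test data only, unrelated to any real certificate).
make_demo_csr() {
    dir=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/demo.key" \
        -subj "/C=US/ST=California/L=Orinda/O=Colabrativ, Inc./CN=demo.colabrativ.com" \
        -out "$dir/demo.csr" >/dev/null 2>&1
    echo "$dir/demo.csr"
}

# Usage against a real request:
#   check_csr demo.colabrativ.com.csr demo.colabrativ.com 2048
```

Run the function against the real demo.colabrativ.com.csr with the host name you expect in the Common Name; a CN mismatch here is the usual cause of a certificate that browsers later reject for the site.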
Loading the Certificates into the Java Keystore
For the keytool -import commands we need:
- intermediate certificate file name: intermediate.crt
- certificate file name: demo.colabrativ.com.crt
- keystore file name: demo.colabrativ.com.jks
First the certificate authority's intermediate certificate is loaded using the alias root.
```
$ keytool -import -trustcacerts -alias root -file intermediate.crt -keystore demo.colabrativ.com.jks
Enter keystore password: password
Certificate was added to keystore
```
Then our certificate, demo.colabrativ.com.crt, is loaded into the keystore using the alias demo.
```
$ keytool -import -trustcacerts -alias demo -file demo.colabrativ.com.crt -keystore demo.colabrativ.com.jks
Enter keystore password: password
Certificate was added to keystore
```
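Before the two keytool -import commands it is worth confirming that the certificate the CA returned really validates through the supplied intermediate. The script below is an added example, not part of the original post. Since no real CA-issued files are available here, it builds a throwaway root, intermediate and server certificate with openssl; the root CA file name root.crt, the CA names and the function names are assumptions. The negative case shows what happens when the intermediate is left out, which is the failure browsers report as an incomplete chain.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a server
# certificate chains through the CA's intermediate to a trusted root.
set -e

# Constructed test data: a three-level chain (root -> intermediate -> server)
# signed locally, standing in for what a real CA would return.
make_demo_chain() {
    dir=$(mktemp -d)
    # An issuer must carry basicConstraints=CA:TRUE or it is not accepted
    # as an intermediate; the server cert gets the matching end-entity flags.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.colabrativ.com\n' \
        > "$dir/server.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 1 -extfile "$dir/ca.ext" \
        -out "$dir/intermediate.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.colabrativ.com" \
        -keyout "$dir/demo.colabrativ.com.key" -out "$dir/demo.colabrativ.com.csr" \
        >/dev/null 2>&1
    openssl x509 -req -in "$dir/demo.colabrativ.com.csr" -CA "$dir/intermediate.crt" \
        -CAkey "$dir/intermediate.key" -CAcreateserial -days 1 -extfile "$dir/server.ext" \
        -out "$dir/demo.colabrativ.com.crt" >/dev/null 2>&1
    echo "$dir"
}

# verify_chain DIR ROOT INTERMEDIATE SERVER_CERT
# Returns 0 when SERVER_CERT validates up to ROOT, using INTERMEDIATE as an
# untrusted link the way a browser would; pass "" for INTERMEDIATE to see
# the result when the intermediate is missing.
verify_chain() {
    dir=$1; root=$2; inter=$3; leaf=$4
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$dir/$root" -untrusted "$dir/$inter" "$dir/$leaf" \
            >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/$root" "$dir/$leaf" >/dev/null 2>&1
    fi
}

# Usage with the files from the CA (root.crt is whichever root the CA chains to):
#   verify_chain . root.crt intermediate.crt demo.colabrativ.com.crt && echo chain OK
```

If the check fails with the intermediate present, the CA sent a different intermediate than the one your certificate was issued under, and importing it into the keystore will not fix the chain the server presents.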
Extracting the Key from the Keystore
There are three steps in extracting the key from the keystore we created above:
- Use keytool to create an intermediate PKCS12 keystore, demo.colabrativ.com.pkcs12, from the keystore, demo.colabrativ.com.jks.
- Use OpenSSL to create a Privacy-Enhanced Mail (PEM) formatted file containing both the certificate and the key, demo.colabrativ.com.pem.
- Extract the key, demo.colabrativ.com.key, from the PEM file using a text editor.
```
$ sudo keytool -importkeystore -srckeystore demo.colabrativ.com.jks -destkeystore demo.colabrativ.com.pkcs12 -deststoretype PKCS12
Enter destination keystore password: password
Re-enter new password: password
Enter source keystore password: password
Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
$ sudo openssl pkcs12 -in demo.colabrativ.com.pkcs12 -out demo.colabrativ.com.pem -nodes
Enter Import Password: password
MAC verified OK
$ sudo cp demo.colabrativ.com.pem demo.colabrativ.com.key
$ sudo vi demo.colabrativ.com.key
$ ls -lt
total 20
-rw-r--r-- 1 marc users 1224 Aug 30 13:57 demo.colabrativ.com.key
-rw-r--r-- 1 marc users  509 Aug 30 13:53 demo.colabrativ.com.pem
-rw-r--r-- 1 marc users  509 Aug 30 13:50 demo.colabrativ.com.pkcs12
-rw-r--r-- 1 marc users 2246 Aug 30 13:48 demo.colabrativ.com.jks
-rw-r--r-- 1 marc users 1039 Aug 30 13:46 demo.colabrativ.com.crt
-rw-r--r-- 1 marc users 1039 Aug 30 13:45 intermediate.crt
-rw-r--r-- 1 marc users 1039 Aug 30 08:55 demo.colabrativ.com.csr
```
After the certificate and key have been prepared, they are moved to the /etc/pki/tls/certs/ and /etc/pki/tls/private/ directories, respectively.
```
$ sudo mv intermediate.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.com.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.com.key /etc/pki/tls/private/.
```
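The three extraction steps above can be done with openssl alone, which avoids copying the PEM file and deleting the certificate from it by hand, and allows a check that the extracted key really belongs to the certificate. This is an added example, not the post's own procedure: it builds a throwaway PKCS12 file in place of demo.colabrativ.com.pkcs12 so that it runs offline, and the function names are mine. It also creates the key file with owner-only permissions from the start, since -nodes writes the key unencrypted.

```shell
#!/bin/sh
# Added example, not part of the original post: split a PKCS12 file into
# separate certificate and key PEM files with openssl, confirm the key
# matches the certificate, and keep the key file readable by its owner only.
set -e

# Constructed test data: a throwaway self-signed certificate and key packed
# into a PKCS12 file, standing in for demo.colabrativ.com.pkcs12.
make_demo_pkcs12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.colabrativ.com" \
        -keyout "$dir/in.key" -out "$dir/in.crt" >/dev/null 2>&1
    openssl pkcs12 -export -name demo -inkey "$dir/in.key" -in "$dir/in.crt" \
        -passout pass:password -out "$dir/demo.colabrativ.com.pkcs12"
    echo "$dir/demo.colabrativ.com.pkcs12"
}

# split_pkcs12 P12 PASSWORD OUT_CERT OUT_KEY
# Writes the server certificate and the unencrypted private key to separate
# files; returns 0 only if both were written and the key matches the cert.
split_pkcs12() {
    p12=$1; pass=$2; crt=$3; key=$4
    # Certificate only: -nokeys omits the key, -clcerts omits any CA certs
    # that may be bundled alongside it.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$crt" \
        2>/dev/null || return 1
    # Key only: -nodes writes it unencrypted so httpd can start unattended;
    # the umask in the subshell makes the file 0600 from the moment it exists.
    (umask 077 && openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$key" 2>/dev/null) || return 1
    chmod 600 "$key"
    # A key and certificate belong together exactly when they yield the same
    # public key, so compare the two in PEM form.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage with the post's files, from /etc/pki/tls/keystore:
#   split_pkcs12 demo.colabrativ.com.pkcs12 password demo.colabrativ.com.crt demo.colabrativ.com.key
```

The resulting key file is the one to move to /etc/pki/tls/private/. Note that demo.colabrativ.com.pkcs12 (password protected) and, if the post's copy-and-edit route was used, demo.colabrativ.com.pem (unencrypted) both still contain the private key and should not be left world-readable in the working directory.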
Configuring Apache Server (HTTPD) ssl.conf
We will place all the SSL information for this server in the ssl.conf file in the /etc/httpd/conf.d directory. The ssl.conf file is loaded into the Apache HTTP Server (HTTPD) by the directive “Include conf.d/*.conf” in httpd.conf in the /etc/httpd/conf directory. Check that this directive is present in your httpd.conf file.
$ cd /etc/httpd/conf.d $ sudo cp –p ssl.conf ssl.conf.orig $ sudo vi ssl.conf $ sudo diff ssl.conf.orig ssl.conf 19a20,21 > NameVirtualHost *:443 > 74c76,77 > <VirtualHost _default_:443> --- > #<VirtualHost _default_:443> > <VirtualHost *:443> 78a82 > ServerName demo.colabrativ.com:443 85a90,100 > # > # Proxy Server directives. Uncomment the following lines to > # enable the proxy server: > # > ProxyRequests Off > ProxyPass /admin https://demo.colabrativ.com:8443/admin > ProxyPass /demoapp https://demo.colabrativ.com:8443/demoapp > > SSLProxyEngine on > 105c120,121 < SSLCertificateFile /etc/pki/tls/certs/localhost.crt --- > #SSLCertificateFile /etc/pki/tls/certs/localhost.crt > SSLCertificateFile /etc/pki/tls/certs/demo.colabrativ.com.crt 112c128,129 < SSLCertificateKeyFile /etc/pki/tls/private/localhost.key --- > #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key > SSLCertificateKeyFile /etc/pki/tls/private/demo.colabrativ.com.key 143c143 < #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt --- > SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
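Review bot: in the 85a90,100 hunk the ProxyPass lines for /admin and /demoapp have no matching ProxyPassReverse, so any redirect Tomcat issues (a trailing-slash redirect, a login redirect) reaches the browser with the backend address https://demo.colabrativ.com:8443/... in its Location header and the client then talks to Tomcat directly instead of through httpd; add `ProxyPassReverse /admin https://demo.colabrativ.com:8443/admin` and `ProxyPassReverse /demoapp https://demo.colabrativ.com:8443/demoapp` under the ProxyPass lines. The comment kept above them, "Uncomment the following lines to enable the proxy server", is now misleading because the directives are active; reword it. Note also that with `SSLProxyEngine on` and no SSLProxyVerify directive, mod_ssl's default is not to validate the backend's certificate, which is tolerable here only because the backend is the same host.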
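Review bot: in the 112c128,129 hunk SSLCertificateKeyFile now names a key that was written unencrypted (openssl pkcs12 -nodes) and, per the earlier directory listing, carries mode -rw-r--r--, which mv preserves; before restarting httpd run `chown root:root /etc/pki/tls/private/demo.colabrativ.com.key` and `chmod 600 /etc/pki/tls/private/demo.colabrativ.com.key` (httpd reads the key as root at startup, so no other account needs access). The same listing shows demo.colabrativ.com.pem and demo.colabrativ.com.pkcs12 left behind in /etc/pki/tls/keystore with the same permissions, and both contain the same private key; remove or lock them down as well.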
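Review bot: in the 143c143 hunk the intermediate is placed in SSLCACertificateFile, which is the set of CAs mod_ssl trusts when verifying client certificates (SSLVerifyClient), not the chain sent to browsers; to deliver the CA's intermediate together with the server certificate so that clients can build the chain, use `SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt` (on httpd 2.4.8 and later the intermediate may instead be appended to the SSLCertificateFile) and leave SSLCACertificateFile commented out unless client certificates are in use. After the restart, confirm with `openssl s_client -connect demo.colabrativ.com:443 -servername demo.colabrativ.com` that the certificate chain it prints includes the intermediate.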
Download: demo_ssl.conf
Adding Keystore to Tomcat’s server.xml
$ cd /etc/tomcat7 $ sudo cp -p server.xml server.xml.orig $ sudo vi server.xml $ sudo diff server.xml.orig server.xml 84,88c84,92 < <!-- < <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" < maxThreads="150" scheme="https" secure="true" < clientAuth="false" sslProtocol="TLS" /> < --> --- > > <Connector port="8443" > protocol="HTTP/1.1" > SSLEnabled="true" > maxThreads="150" > scheme="https" secure="true" > clientAuth="false" sslProtocol="TLS" > keystoreFile="/etc/pki/tls/keystore/demo.colabrativ.com.jks" > keystorePass="password" />
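Review bot: the connector stores keystorePass="password" in clear text and the keystore it names holds the server's private key, so both server.xml and /etc/pki/tls/keystore/demo.colabrativ.com.jks should be readable only by the account Tomcat runs as, and the placeholder password used throughout the post replaced with a real one. Because httpd now proxies /admin and /demoapp to this connector, port 8443 has no reason to be reachable from the internet; restrict it to the instance itself in the EC2 security group. Finally, the keystore also contains the trusted "root" entry, so add keyAlias="demo" to name the key entry explicitly rather than relying on Tomcat choosing the first key it finds.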
Useful Resources
- SSL Shopper’s The Most Common Java Keytool Keystore Commands
- SSL Shopper’s The Most Common OpenSSL Commands
- Wikipedia’s page on X.509