Friday, July 18, 2014

Turn on SSL in Tomcat7 / Set up SSL on Tomcat7 on a Linux (Ubuntu) server

SSL was successfully set up on the APPSERVER.COMPANY.COM server today. I have done a short write-up of the steps to set it up on a Tomcat7 Linux (Ubuntu) server, as follows, for future reference.

NOTE: follow the example commands below closely so that the -alias used in the keystore stays consistent from step to step.

1. Generate a key in the keystore, in JKS format (the default).

            Make sure the field "First and Last name" contains the server name, i.e. the server's fully qualified domain name (FQDN).

            Fill in the other fields as they appear below (certificates are case sensitive).

       root@appserver:/etc/tomcat7# keytool -genkey -keyalg RSA -alias tomcat-fqdn -keystore keystore.jks -validity 999 -keysize 2048
       Enter keystore password:
       Re-enter new password:
       What is your first and last name?
         [Unknown]:  appserver.company.com
       What is the name of your organizational unit?
         [Unknown]:  SW-CUDA
       What is the name of your organization?
         [Unknown]:  Company Corporation
       What is the name of your City or Locality?
         [Unknown]:  Santa Cruz
       What is the name of your State or Province?
         [Unknown]:  California
       What is the two-letter country code for this unit?
         [Unknown]:  US
       Is CN=appserver.company.com, OU=SW, O=Company Corporation, L=Santa Cruz, ST=California, C=US correct?
         [no]:  yes

       Enter key password for <tomcat-fqdn>
             (RETURN if same as keystore password):

2. Check the keystore for the list of keys you added. Set up a shell alias for listing keys; it comes in handy. Notice that the alias ends without a filename, so the keystore file is passed as the argument.

       root@appserver:/etc/tomcat7# alias listkey='keytool -list -storepass urpass -keystore '

       root@appserver:/etc/tomcat7# listkey keystore.jks
       Keystore type: JKS
       Keystore provider: SUN

       Your keystore contains 1 entry

       tomcat-fqdn, Jul 18, 2014, PrivateKeyEntry,
       Certificate fingerprint (SHA1): 51:F8:A8:31:BC:63:5A:BD:8E:A5:3B:29:0D:4B:98:03:8C:2A:63:C5
       root@appserver:/etc/tomcat7#

3. Edit the Tomcat7 configuration file "server.xml" in the "/etc/tomcat7/" directory so that the HTTPS connector points at the keystore.jks path:

       ...
       <Connector
             protocol="HTTP/1.1"
             port="443"
             maxThreads="150"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             keystoreFile="/etc/tomcat7/keystore.jks"
             keystorePass="urpass"
             clientAuth="false"
             keyAlias="tomcat-fqdn"
             sslProtocol="TLS"
       />
       ...

4. Restart the Tomcat server. At this point HTTPS will start working.

            P.S.: use the following alias, it comes in handy:

                        alias tomreboot='/etc/init.d/tomcat7 stop ; /etc/init.d/tomcat7 start'

       root@appserver:/etc/tomcat7# tomreboot
        * Stopping Tomcat servlet engine tomcat7                       [ OK ]
        * Starting Tomcat servlet engine tomcat7                       [ OK ]
       root@appserver:/etc/tomcat7#

*. Import the root certificate

       root@appserver:/etc/tomcat7# keytool -import -alias root -keystore keystore.jks -trustcacerts -file /root/certs/root.cer
       Enter keystore password:
       Owner: CN=HQSERVER-NAME, DC=company, DC=com
       Issuer: CN=HQSERVER1-NAMERTCA
       Serial number: 61. . . . 0004
       Valid from: Tue Jan 24 13:36:39 PST 2012 until: Mon Jan 24 13:46:39 PST 2022
       ...
       Trust this certificate? [no]:  yes
       Certificate was added to keystore
       root@appserver:/etc/tomcat7#

            Follow step 2 again to list the keys:

       root@appserver:/etc/tomcat7# listkey keystore.jks
       Keystore type: JKS
       Keystore provider: SUN

       Your keystore contains 2 entries

       root, Jul 18, 2014, trustedCertEntry,
       Certificate fingerprint (SHA1): 37:D2:D6:64:7E:40:51:94:43:63:E8:3B:6C: BD:8E:A5:3B:29:0D:4B
       tomcat-fqdn, Jul 18, 2014, PrivateKeyEntry,
       Certificate fingerprint (SHA1): 51:F8:A8:31:BC:63:5A: 51:F8:A8:31:BC:63:5A:51:F8:A8:31:BC:63
       root@appserver:/etc/tomcat7#

4. Generate a Certificate Signing Request (CSR) for the Certificate Authority to approve.

       root@appserver:/etc/tomcat7# keytool -certreq -keyalg RSA -keysize 2048 -alias tomcat-fqdn -file appserver.company.com.csr -keystore keystore.jks
       Enter keystore password:

            P.S.: Verify that the new file named "appserver.company.com.csr" got created.

       root@appserver:/etc/tomcat7# ls
       Catalina  catalina.properties  context.xml  appserver.company.com.csr  keystore.jks  logging.properties  policy.d  server.xml  tomcat-users.xml  web.xml
       root@appserver:/etc/tomcat7#

5. Send the ".csr" file to the signing authority

            The signing authority takes the .csr and returns a .crt file in return.
            If requested, they will provide the root .cer file as well.
            **NOTE: All the files come back in binary format.

6. Convert the files from binary to text with Base-64 encoding

            No special tool is needed for this task.
            Double-click the certificate file provided to you on a Windows 7/8 machine.
            Click the "Details" tab -> "Copy to File" button
                        -> Next
                        -> select the "Base-64 encoded" radio button
                        -> Next
                        -> "Browse" button, select a location and "name.cer" as the file name
                        -> Finish

7. Do the above steps for both certificate files and combine their content in a separate file:

            a. the "root.cer"

            b. the "appserver.company.com.cer"

            - Create a new file "combo.cer" and paste the content of both files into it, each certificate block on its own lines.

            - Copy combo.cer over to the "/etc/tomcat7/" directory on the appserver.company.com server.
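Steps 6 and 7 without the Windows GUI, as an added example that is not part of the original post: the script below tells a binary (DER) certificate file from one that is already Base-64 encoded, converts the binary form to the Base-64 text form, and writes both certificates into one combo.cer. The DER inputs are constructed byte strings; it writes the server certificate first and the root after it, the usual order for a chain file.

```python
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(PEM_BEGIN + r"\s*([A-Za-z0-9+/=\s]+?)\s*" + PEM_END)


def is_der_certificate(data: bytes) -> bool:
    """A DER X.509 certificate is one outer ASN.1 SEQUENCE (tag 0x30) whose
    encoded length covers the whole file; a text or truncated file fails this."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        body_len, header_len = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        body_len = int.from_bytes(data[2:2 + n], "big")
        header_len = 2 + n
    return header_len + body_len == len(data)


def der_to_pem(der: bytes) -> str:
    """The Base-64 encoded X.509 form: base64 of the DER bytes wrapped at 64 columns."""
    if not is_der_certificate(der):
        raise ValueError("input is not a complete DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def to_pem(data: bytes) -> str:
    """Accept a file in either format and return exactly one normalised PEM block."""
    blocks = _PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if len(blocks) == 1:                  # already Base-64: decode and re-wrap uniformly
        return der_to_pem(base64.b64decode("".join(blocks[0].split())))
    if blocks:
        raise ValueError("expected exactly one certificate per input file")
    return der_to_pem(data)               # binary: convert


def build_combo(server_cert: bytes, root_cert: bytes) -> str:
    """combo.cer for 'keytool -import -alias tomcat-fqdn': server cert first, root after it."""
    return to_pem(server_cert) + to_pem(root_cert)
```

Feed it the bytes of the two files the CA returned and write the returned string to /etc/tomcat7/combo.cer.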

8. Copy the "combo.cer" file over to the Linux server running Tomcat and IMPORT it

            To import combo.cer into "keystore.jks", type the following command (same -alias as in step 1):

       root@appserver:/etc/tomcat7# keytool -import -alias tomcat-fqdn -keystore keystore.jks -file combo.cer
       Enter keystore password:
       Certificate reply was installed in keystore
       root@appserver:/etc/tomcat7#

            Follow step 2 again to list the keys. Notice how the "tomcat-fqdn" key has changed after the successful import.

       root@appserver:/etc/tomcat7# listkey keystore.jks
       Keystore type: JKS
       Keystore provider: SUN

       Your keystore contains 2 entries

       root, Jul 18, 2014, trustedCertEntry,
       Certificate fingerprint (SHA1): 37:D2:D6:64:7E:40:51: 37:D2:D6:64:7E:40:51: 37:D2:D6:64:7E:40
       tomcat-fqdn, Jul 18, 2014, PrivateKeyEntry,
       Certificate fingerprint (SHA1): 51:F8:A8:31:BC:63:5A: 51:F8:A8:31:BC:63:5A:51:F8:A8:31:BC:63
       root@appserver:/etc/tomcat7#
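The check done by eye in steps 2 and 8, as an added example that is not part of the original post: a script that parses "keytool -list" output and confirms that after importing combo.cer the connector's keyAlias is still a PrivateKeyEntry whose fingerprint changed (the self-signed certificate was replaced by the CA reply), that the root is a trustedCertEntry, and that no stray entry appeared, which is what happens when the reply is imported under a different -alias. Both listings are constructed in the format shown above, with made-up fingerprints.

```python
import re

# Constructed listings in the format "keytool -list" prints above; fingerprints are made up.
LISTING_BEFORE = """\
Your keystore contains 1 entry

tomcat-fqdn, Jul 18, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
"""
LISTING_AFTER = """\
Your keystore contains 2 entries

root, Jul 18, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
tomcat-fqdn, Jul 18, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33
"""
_ENTRY = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+), (?P<type>\w+),$")
_FINGERPRINT = re.compile(r"^Certificate fingerprint \((?P<alg>\w+)\): (?P<fp>[0-9A-Fa-f:]+)$")


def parse_keytool_list(text: str) -> dict:
    """Map alias -> {'type': ..., 'fingerprint': ...} from keytool -list output."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _ENTRY.match(line):
            current = m["alias"]
            entries[current] = {"type": m["type"], "fingerprint": None}
        elif (m := _FINGERPRINT.match(line)) and current:
            entries[current]["fingerprint"] = m["fp"].upper()
    return entries


def import_problems(before_text: str, after_text: str, key_alias: str, root_alias: str) -> list:
    """Compare the step 2 listing with the step 8 listing; an empty list means the
    CA reply replaced the self-signed certificate under the connector's keyAlias."""
    before, after = parse_keytool_list(before_text), parse_keytool_list(after_text)
    problems = []
    key = after.get(key_alias)
    if key is None or key["type"] != "PrivateKeyEntry":
        problems.append(f"{key_alias!r} is not a PrivateKeyEntry after import")
    elif before.get(key_alias, {}).get("fingerprint") == key["fingerprint"]:
        problems.append(f"{key_alias!r} fingerprint unchanged: reply not installed under this alias")
    root = after.get(root_alias)
    if root is None or root["type"] != "trustedCertEntry":
        problems.append(f"root certificate {root_alias!r} is not a trustedCertEntry")
    extra = sorted(set(after) - set(before) - {root_alias})
    if extra:
        problems.append(f"unexpected new entries (imported under a wrong -alias?): {extra}")
    return problems
```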

9. Repeat step 4: restart the tomcat7 service.