Wednesday, December 26, 2012

How to Apply Verified SSL Certificate for Tomcat Using OpenSSL

Before anything else, I suggest that you work all of this in a single directory, something like apache_certs/.

1. Create the CSR (below is an example of generating CSR for - an actual and existing domain):
openssl req -new -newkey rsa:2048 -nodes -out host_name_com.csr
-keyout host_name_com.key -subj "/C=US/ST=Colorado/L=Denver/
LLC/OU=Test Department/"

2. The command above will produce two files : host_name_com.csr and host_name_com.key. You have to submit the contents of host_name_com.csr to the certificate authority, like, DigiCert, VeriSign, CACert, etc. You may use the URL below to validate your csr:

3. Once the validated certificate has been received, you have to combine the private key and verified certificate into a file as PKCS12 (set password; you may use tomcat's default, 'changeit'):
openssl pkcs12 -export -inkey host_name_com.key 
-in host_name_com.crt -out host_name_com.p12

host_name_com.key = key generated along with the csr host_name_com.crt = certificate received from the certificate authority host_name_com.p12 = the new file that will contain the key and the certificate

4. Add the p12 to your keystore, password should be similar to the one used on #3 (or tomcat's default, 'changeit')
keytool -importkeystore -destalias tomcat -destkeystore keystore.jks 
-srckeystore host_name_com.p12 -srcstoretype PKCS12 -alias 1
keystore.jks = my named keystore, default is ".keystore"

5. Modify tomcat's server.xml under conf folder:
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" 
SSLEnabled="true" keystoreFile="~/apache_certs/keystore.jks"
keystorePass="changeit" maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

6. Restart the server. And when you access your applications, you should now see the verified certificate on your site.