SSL Certificates
Summary
Generate Custom Self Signed Certificate
Linux script to generate custom self signed certificate
makecert.sh:
#!/bin/sh
# ./makecert.sh <domain> ["cert-domain"]
if [ "$1" = "" ] ; then
    echo "Error: Usage: $0 <domain> \"[cert-domain]\""
    exit 1
fi
DOMAIN=$1
if [ "$2" != "" ] ; then
    CERTDOMAIN=$2
else
    CERTDOMAIN=$1
fi
echo "Creating SSL cert for $DOMAIN ($CERTDOMAIN)"
# Work inside a per-domain directory; abort instead of scattering files if it cannot be entered
mkdir -p "$DOMAIN" && cd "$DOMAIN" || exit 1
# Generate the key (written to privkey.pem by the openssl.cnf default) and the CSR.
# The here-document answers the req prompts in order: C, ST, L, O, OU, CN; the remaining
# prompts (e-mail address, challenge password, optional company name) get no input.
# Alternative invocations kept from the original:
# openssl req -config ../openssl.cnf -new -out $DOMAIN.csr
# openssl req -new -out $DOMAIN.csr
openssl req -new -out "$DOMAIN.csr" -passout pass:test <<EOF
US
Utah
Salt Lake City
$DOMAIN
$DOMAIN
$CERTDOMAIN
EOF
# Strip the passphrase from the generated key
# openssl rsa -in privkey.pem -out $DOMAIN.key
openssl rsa -in privkey.pem -out "$DOMAIN.key" -passin pass:test
# Self-sign the CSR with that key
openssl x509 -in "$DOMAIN.csr" -out "$DOMAIN.cert" -req -signkey "$DOMAIN.key" -days 1825 # 5 years
openssl x509 -in "$DOMAIN.cert" -out "$DOMAIN.der.crt" -outform DER # optional
cat "$DOMAIN.key" "$DOMAIN.cert" > "$DOMAIN.pem"
# FYI, pem for chain would be 'key, cert, chain > pem'
See openssl.cnf
GoDaddy CER Generating Instructions
GoDaddy Instructions for generating CERs [1]
Apache
Generate CER for Apache [2]
- cd /usr/bin/ (/your path to openssl/)
- openssl genrsa -des3 -out <name of your certificate>.key 1024
  Enter a passphrase when prompted to.
- openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr
Tomcat
Generating Key Pair for Tomcat [3]
- Enter the following command:
  keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
- You will be prompted for a password. Tomcat uses the default password "changeit".
- Enter Distinguished Name (DN) information.
  First and last name - This is the Common Name. The common name is the fully-qualified domain name - or URL - to which you plan to apply your certificate. Do not enter your personal name in this field.
- Confirm that the Distinguished Name information is correct.
Generating CSR [4]
- Enter the following command:
  keytool -certreq -keyalg RSA -alias tomcat -file <your file name>.csr -keystore tomcat.keystore
- Upon prompt, enter the keystore password.
- Cut/copy and paste the generated CSR into our online enrollment form.
- Select "Tomcat" as your server software.
GoDaddy CRT Installation Instructions
Installing Your SSL Certificate [5]
Tomcat
Installation for Tomcat [6]
Installation Option One: Installing SSL Certificate and CA Bundle (gd_bundle.crt) Implementing a PKCS12 Keystore
- Before you install your SSL certificate you must download our root certificate bundle (gd_bundle.crt) on your Web server.
- Use the following OpenSSL command to combine the CA bundle (gd_bundle.crt) and your SSL certificate:
  openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit
- Open the server.xml file.
- After uncommenting the SSL/TLS connector from server.xml, locate the following Factory tag section and COMMENT IT OUT:
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
- Add the following directives to the Connector tag:
  keystoreFile="<path to>\keystore.tomcat"
  keystorePass="changeit"
  keystoreType="PKCS12"
- Restart Tomcat.
Installation Option Two: Installing SSL Certificate and Intermediate Certificates Separately
- Once you have downloaded the certificates to your local machine, please use the following keytool commands to import them:
  Root:
  keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt
  First intermediate (gd_cross_intermediate.crt):
  keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt
  Second intermediate (gd_intermediate.crt):
  keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
- Installing SSL Certificate
- Use the following command to import the issued certificate into your keystore:
  keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>
- Updating the server.xml Configuration File
- Open the server.xml file.
- After uncommenting the SSL/TLS connector from server.xml, locate the following text section:
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
- Add the "keystoreFile" and "keystorePass" directives:
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/full/path/to/tomcat.keystore" keystorePass="changeit" />
- Restart Tomcat.
server.xml [7]:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443"
           minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->
The default password used by Tomcat is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file. [8]
Additional connector parameters:
- keystoreFile - Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
- keystorePass - Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit).
- keyAlias - Add this element if you have more than one key in the KeyStore. If the element is not present, the first key read from the KeyStore will be used.
Pound
Pound needs to have the files merged into one .PEM file. I use the order of:
- domain private key (.key)
- domain certificate (.crt)
- ca chained certificates (.crt)
ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/mydomain.com.pem"
    ...
Using the Certificates with Various Applications
Jira
Running JIRA over SSL or HTTPS [9]
The keystore and alias passwords both need to be 'changeit'.
If you get an error saying "Cannot recover key" this is because the alias password is not 'changeit'.
Scalix
"Setup stunnel if you require secure SSL communication for POP, IMAP, LDAP or SMTP" [10]
- Scalix Wiki [11]
- Scalix Forums [12]
- Scalix Install Guide [13]
- Scalix Setup Guide [14]
- Use secure protocols [15]
Tomcat SSL
Tomcat SSL Configuration [16]
Conversion from Apache PEM to Java Keytool
See Conversion from Apache PEM to Java Keytool
Conversion from Java Keytool to Apache PEM
See Java Keystore#Conversion from Java Keytool to Apache PEM
SSL Wrappers
SSL Tools
OpenSSL (Apache)
See openssl
Keytool (Java)
See keytool
Errors
This is caused by an untrusted certificate or an incorrect order of the certificate chain:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
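The chain-order mistake behind this error, and the "key, cert, chain" bundle layout used by makecert.sh and the Pound section, can be caught before deployment with the script below. It is an added example, not from this page or from any tool it cites; it assumes the openssl CLI is on PATH, and the root, intermediate and leaf certificates it generates are constructed throwaway material.

```shell
#!/bin/sh
# Added example, not from the page or the tools it cites: sanity-check a combined PEM
# bundle laid out as key, leaf cert, chain (the order makecert.sh's note and the Pound
# section use). Assumes the openssl CLI is on PATH; the root, intermediate and leaf
# certificates generated below are constructed throwaway material for the demo.
set -e
WORK=$(mktemp -d)
# Split a PEM bundle into one numbered file per block: $2/1.pem, $2/2.pem, ...
split_pem() {
  awk -v dir="$2" '/^-----BEGIN /{n++} {print > (dir "/" n ".pem")}' "$1"
}
# check_bundle <bundle.pem>: 0 when block 1 is the private key, block 2 the matching leaf
# certificate and each later certificate issued the one before it (a chain out of that
# order is what leaves Java's PKIX path builder unable to find a valid path).
check_bundle() {
  dir=$(mktemp -d)
  split_pem "$1" "$dir"
  grep -q 'PRIVATE KEY' "$dir/1.pem" || { echo "block 1 is not the private key"; return 1; }
  grep -q 'CERTIFICATE' "$dir/2.pem" || { echo "block 2 is not a certificate"; return 1; }
  # Same public key in the key file and in the leaf certificate?
  [ "$(openssl pkey -in "$dir/1.pem" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/2.pem" -pubkey -noout)" ] \
    || { echo "private key does not match the leaf certificate"; return 1; }
  # Each certificate's issuer must equal the subject of the next block.
  i=2
  while [ -f "$dir/$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] \
      || { echo "chain out of order: block $((i + 1)) did not issue block $i"; return 1; }
    i=$((i + 1))
  done
}
# Constructed demo PKI: root -> intermediate -> leaf (throwaway keys, 1-day validity).
gen_cert() {  # gen_cert <name> <subject> [<issuer name>]; self-signed when no issuer
  openssl req -newkey rsa:2048 -nodes -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
  fi
}
gen_cert root "/CN=Demo Root CA"
gen_cert inter "/CN=Demo Intermediate CA" root
gen_cert leaf "/CN=www.example.test" inter
cat "$WORK/leaf.key" "$WORK/leaf.crt" "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/good.pem"
cat "$WORK/leaf.key" "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/bad.pem"
```

Run `check_bundle` against the real bundle you are about to hand to Pound or feed into a PKCS12 keystore; good.pem passes, bad.pem reports the swapped intermediate and root.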
Stunnel
See Stunnel
Conversion
OpenSSL to Keytool Conversion tips
Keytool cacert extraction to PEM format using OpenSSL and keytool
RSA Encryption
Extended Validation SSL - Green Address Bar
Extended Validation SSL (EV SSL Certificates) - Online Identity Assurance
- "Extended Validation SSL Certificates give high security Web browsers information to clearly identify a Web site’s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox and Opera have announced their intention to support Extended Validation SSL in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as existing SSL Certificates."
- Get the Green Address Bar
- Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers
- Shows various colors of bars, and explanation