...
No Format |
---|
[root@stubing bin]# keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/.keystore -storepass "my password" What is your first and last name? [Unknown]: sakai2.ucdavis.edu What is the name of your organizational unit? [IET]: IET What is the name of your organization? [University of California Davis]: What is the name of your City or Locality? [Davis]: What is the name of your State or Province? [California]: What is the two-letter country code for this unit? [US]: Is CN=sakai2.ucdavis.edu, OU=IET, O=University of California Davis, L=Davis, ST=California, C=US correct? [no]: yes Enter key password for <tomcat> (RETURN if same as keystore password): [root@stubing bin]# chmod 640 /etc/.keystore [root@stubing bin]# chgrp sakai /etc/.keystore [root@stubing bin]# ls -l /etc/.keystore -rw-r----- 1 root sakai 1414 Jan 19 11:41 /etc/.keystore [root@stubing bin]# keytool -list -keystore /etc/.keystore Enter keystore password: my password Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries ... sakai-dev, Mar 7, 2006, keyEntry, Certificate fingerprint (MD5): F0:7E:4F:D4:82:FD:E4:4A:64:2A:84:7C:31:61:A9:EC ... [root@stubing bin]# |
Then enable the SSL connector in the server.xml file.
Acquire and install a certificate from an "offical" CA
Generate a new keypair, specifying an alias for the collection of records in the keystore related to this CN
No Format |
---|
[root@isaac bin]# keytool -genkey -alias sakai-dev -keyalg RSA -keystore /etc/.keystore -storepass "my password" What is your first and last name? [sakai-dev]: sakai-dev.ucdavis.edu What is the name of your organizational unit? [IET-IR]: What is the name of your organization? [University of California Davis]: What is the name of your City or Locality? [Davis]: What is the name of your State or Province? [CA]: What is the two-letter country code for this unit? [US]: Is CN=sakai-dev.ucdavis.edu, OU=IET-IR, O=University of California Davis, L=Davis, ST=CA, C=US correct? [no]: yes Enter key password for <sakai-dev> (RETURN if same as keystore password): [root@isaac bin]# |
Use the new keypair to generate the CSR, which can be verified using openssl if desired
No Format |
---|
[root@isaac bin]# keytool -certreq -alias sakai-dev -keyalg RSA -file /root/sakai-dev.csr -keystore /etc/.keystore Enter keystore password: my password [root@isaac bin]# openssl req -noout -text -in /root/sakai-dev.csr|grep CN Subject: C=US, ST=CA, L=Davis, O=University of California Davis, OU=IET-IR, CN=sakai-dev.ucdavis.edu [root@isaac bin]# |
...
Note that you can't
...
use the certificate as-is
...
, like with Apache/OpenSSL:
No Format |
---|
[root@isaac java5]# keytool -import -alias sakai-dev -file /root/sakai-dev.cert -keystore /etc/.keystore Enter keystore password: my password keytool error: java.lang.Exception: Failed to establish chain from reply [root@isaac java5]# |
You must first convert the certificate to PKCS#7 format
Grab the cert from GeoTrust (a.k.a. Equifax) using the tool of your choice, e.g.
No Format |
---|
cletus> curl https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer -----BEGIN CERTIFICATE----- MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc 58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/ o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv 8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV -----END CERTIFICATE----- cletus> |
Note that trying to grab the certificate using a web browser will likely result in the certificate simply being imported into the browser's cache, rather than being downloaded. Once you have it, concatenate your certificate with it, then import:
No Format |
---|
[root@isaac ~]# cat equifax_ca-1.cert sakai-dev.cert > dev.pkcs [root@isaac java5]# keytool -import -alias sakai-dev -file /root/dev.pkcs -keystore /etc/.keystore Enter keystore password: my password Top-level certificate in reply: Owner: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US Serial number: 1 Valid from: Sun Jun 20 21:00:00 PDT 1999 until: Sat Jun 20 21:00:00 PDT 2020 Certificate fingerprints: MD5: 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC SHA1: 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45 ... is not trusted. Install reply anyway? [no]: yes Certificate reply was installed in keystore [root@isaac java5]# keytool -list -keystore /etc/.keystore Enter keystore password: my password Keystore type: jks Keystore provider: SUN Your keystore contains 4 entries ... sakai-dev, Mar 9, 2006, keyEntry, Certificate fingerprint (MD5): 7D:C5:7D:A7:43:3B:F6:AD:26:E7:7F:30:05:3B:D5:54 ... [root@isaac java5]# |
Repeat with a different keystore alias for each CN
Specify a particular certificate for Tomcat to present
...