Managing a Central System Keystore
A description of some of the tasks one might need to perform when SSL-ifying Tomcat.
Generate a Self-signed Certificate
    [root@stubing bin]# keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/.keystore -storepass "my password"
    What is your first and last name?
      [Unknown]:  sakai2.ucdavis.edu
    What is the name of your organizational unit?
      [IET]:  IET
    What is the name of your organization?
      [University of California Davis]:
    What is the name of your City or Locality?
      [Davis]:
    What is the name of your State or Province?
      [California]:
    What is the two-letter country code for this unit?
      [US]:
    Is CN=sakai2.ucdavis.edu, OU=IET, O=University of California Davis, L=Davis, ST=California, C=US correct?
      [no]:  yes
    Enter key password for <tomcat>
            (RETURN if same as keystore password):
    [root@stubing bin]# chmod 640 /etc/.keystore
    [root@stubing bin]# chgrp sakai /etc/.keystore
    [root@stubing bin]# ls -l /etc/.keystore
    -rw-r----- 1 root sakai 1414 Jan 19 11:41 /etc/.keystore
    [root@stubing bin]# keytool -list -keystore /etc/.keystore
    Enter keystore password: my password
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 4 entries

    ...
    sakai-dev, Mar 7, 2006, keyEntry,
    Certificate fingerprint (MD5): F0:7E:4F:D4:82:FD:E4:4A:64:2A:84:7C:31:61:A9:EC
    ...
    [root@stubing bin]#
Acquire and install a certificate from an "official" CA
- Generate a new keypair, specifying an alias of the CN
    [root@isaac bin]# keytool -genkey -alias sakai-dev -keyalg RSA -keystore /etc/.keystore -storepass "my password"
    What is your first and last name?
      [sakai-dev]:  sakai-dev.ucdavis.edu
    What is the name of your organizational unit?
      [IET-IR]:
    What is the name of your organization?
      [University of California Davis]:
    What is the name of your City or Locality?
      [Davis]:
    What is the name of your State or Province?
      [CA]:
    What is the two-letter country code for this unit?
      [US]:
    Is CN=sakai-dev.ucdavis.edu, OU=IET-IR, O=University of California Davis, L=Davis, ST=CA, C=US correct?
      [no]:  yes
    Enter key password for <sakai-dev>
            (RETURN if same as keystore password):
    [root@isaac bin]#
- Use the new keypair to generate the CSR; the subject it carries can be verified with openssl if desired
    [root@isaac bin]# keytool -certreq -alias sakai-dev -keyalg RSA -file /root/sakai-dev.csr -keystore /etc/.keystore
    Enter keystore password: my password
    [root@isaac bin]# openssl req -noout -text -in /root/sakai-dev.csr|grep CN
            Subject: C=US, ST=CA, L=Davis, O=University of California Davis, OU=IET-IR, CN=sakai-dev.ucdavis.edu
    [root@isaac bin]#
- You can't import the certificate as-is!
    [root@isaac java5]# keytool -import -alias sakai-dev -file /root/sakai-dev.cert -keystore /etc/.keystore
    Enter keystore password: my password
    keytool error: java.lang.Exception: Failed to establish chain from reply
    [root@isaac java5]#
- You must first convert the certificate to PKCS#7 format
Grab the CA certificate from GeoTrust (a.k.a. Equifax) using the tool of your choice, e.g.
    cletus> curl https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    cletus>
- Note that trying to grab the certificate with a web browser will likely result in the certificate simply being imported into the browser's own certificate cache rather than being saved to disk. Once you have the file, concatenate your certificate with it, then import:
    [root@isaac ~]# cat equifax_ca-1.cert sakai-dev.cert > dev.pkcs
    [root@isaac java5]# keytool -import -alias sakai-dev -file /root/dev.pkcs -keystore /etc/.keystore
    Enter keystore password: my password
    Top-level certificate in reply:

    Owner: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
    Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
    Serial number: 1
    Valid from: Sun Jun 20 21:00:00 PDT 1999 until: Sat Jun 20 21:00:00 PDT 2020
    Certificate fingerprints:
             MD5:  8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
             SHA1: 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45

    ... is not trusted. Install reply anyway? [no]:  yes
    Certificate reply was installed in keystore
    [root@isaac java5]# keytool -list -keystore /etc/.keystore
    Enter keystore password: my password
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 4 entries

    ...
    sakai-dev, Mar 9, 2006, keyEntry,
    Certificate fingerprint (MD5): 7D:C5:7D:A7:43:3B:F6:AD:26:E7:7F:30:05:3B:D5:54
    ...
    [root@isaac java5]#
- Repeat with a different keystore alias for each CN you need a certificate for
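The CA-issued certificate steps above, from keypair to verified import, as an added shell script that is not part of the original page. The keystore path, the CSR location under /root, the alias convention (short host name of the CN) and the fixed OU/O/L/ST/C part of the DN are assumptions lifted from the sessions shown; only the bundling step runs without keytool.

```shell
#!/bin/sh
# Added example, not code from the original page. KEYSTORE, the CSR location
# and the fixed part of the DN are assumptions taken from the page's sessions.
KEYSTORE=${KEYSTORE:-/etc/.keystore}
DN_SUFFIX="OU=IET-IR, O=University of California Davis, L=Davis, ST=CA, C=US"

# pem_cert_count FILE: number of PEM certificate blocks in FILE (0 if missing)
pem_cert_count() {
  n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# request_cert ENTRY CN: new keypair (alias = short host name) and its CSR,
# as in the -genkey / -certreq sessions; the CSR is what goes to the CA.
request_cert() {
  entry=$1 cn=$2
  keytool -genkey -alias "$entry" -keyalg RSA -keystore "$KEYSTORE" \
    -dname "CN=$cn, $DN_SUFFIX"
  keytool -certreq -alias "$entry" -file "/root/$entry.csr" -keystore "$KEYSTORE"
  openssl req -noout -text -in "/root/$entry.csr" | grep CN   # eyeball the subject
}

# build_reply_bundle CA_CERT SERVER_CERT OUT: concatenate the CA certificate and
# the issued certificate into the single reply file keytool -import needs (the
# issued certificate alone fails with "Failed to establish chain from reply").
# Rejects inputs that are not PEM certificates, e.g. a browser-saved HTML page.
build_reply_bundle() {
  ca=$1 cert=$2 out=$3
  for f in "$ca" "$cert"; do
    if [ "$(pem_cert_count "$f")" -lt 1 ]; then
      echo "not a PEM certificate: $f" >&2
      return 1
    fi
  done
  cat "$ca" "$cert" > "$out"
  [ "$(pem_cert_count "$out")" -ge 2 ]   # both certificates made it into the bundle
}

# install_reply ENTRY BUNDLE: import the reply, then confirm the keyEntry exists
install_reply() {
  entry=$1 bundle=$2
  keytool -import -alias "$entry" -file "$bundle" -keystore "$KEYSTORE"
  keytool -list -keystore "$KEYSTORE" | grep "^$entry,"
}

# Typical run, as root on the keystore host:
#   request_cert sakai-dev sakai-dev.ucdavis.edu   # then send /root/sakai-dev.csr to the CA
#   build_reply_bundle equifax_ca-1.cert sakai-dev.cert /root/dev.pkcs
#   install_reply sakai-dev /root/dev.pkcs
```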
Specify a particular certificate for Tomcat to present
This part of the procedure is completely undocumented, save for an obscure mailing list posting and, of course, this page. It is actually trivial: specify the keyAlias in the appropriate Connector in the Tomcat instance's server.xml file, like so:
    <Connector port="8543" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="JKS" keystoreFile="/etc/.keystore"
               keyAlias="sakai-dev" keystorePass="my password" />
then restart Tomcat.