How to: MagicInfo SSL certificate Installation Guide (Windows/Tomcat/OpenSSL)

This document was provided by Bruan Consulting, but was modified by me (Chris Arnett) as I went through the process of getting it set up on our MagicInfo server.  I tried to fill in some areas that they did not elaborate on to make it easier to understand, mostly how to create the private key/CSR request using OpenSSL, which is installed/set up on the MagicInfo Server.  Note: I did set up the required environment variables for OpenSSL.

Requirements

  1. OpenSSL installed on Magic Info Server, with necessary environment variables set.  See this article: https://public.cloud.myinfo.gov.sg/docs/OpenSSL_installation_guide.pdf

  2. KeyStore Explorer software (http://keystore-explorer.org)

 

  3. PEM text file containing the private key (generated by OpenSSL)

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnySubRWZ6UqELWBD1fS0tPiGkn6oPKhDqTnnOozcOOTEwEwH
(omitted)
d456kBB7H5/wYTrgFnJrhqxwcK7SET5h10sUOQUZqEUPpWxYw3WiXL6995xX5yer
ls0pmH1c9wZ9vfn9NbXs6tKlz35tYDskWdYbhkVBgOaAU0aHrlOlMA==
-----END RSA PRIVATE KEY-----

 

  4. PEM text file containing the identity (domain) certificate, and the Intermediate Certificate (from InCommon). The default *.cer format is fine.

 

-----BEGIN CERTIFICATE-----
MIIFZjCCBE6gAwIBAgISBJiEsb1809kw7kquaX8oZA7eMA0GCSqGSIb3DQEBCwUA
(omitted)
EceQatJ2S9pB+fA9SL3Wj3ydGoxJw1K2BFWLY9lIgiYyKj1wSHe3WQmIal/EqVCf
GcUyXeLY5CTIhjZRrZeBLqPxO+zqtTTevALDJQQVn6ayMqjkaEX5+qsZ
-----END CERTIFICATE-----

 

Instructions

Generating CSR with OpenSSL/DigiCert Website

Inspecting SSL certificate:

Any PEM text file can be previewed in Windows when the file extension is set to *.crt or *.cer. Just double-click on it.

 


It is always good to check the Certification Path tab to see how many intermediate certificates are in the path. Usually there is at least one; in this case, Let’s Encrypt Authority X3.

For each intermediate certificate, a PEM text file is required. Sometimes those files are provided with the signed identity certificate by the certification authority (CA). If not, they can easily be obtained from the CA website or by exporting them from the certification path above using Windows functionality.

Obtaining PEM text files for intermediate certificates

Generate a CSR from the MagicInfo server.

Browse to: https://www.digicert.com/easy-csr/openssl.htm  

Fill out the certificate details and click the Generate button.

 

Next, copy the generated command.  You will use this in an elevated command prompt to generate the CSR using OpenSSL.  Once you have opened the command prompt, go to the OpenSSL directory (E:\OpenSSL-Win64\bin>) and paste the command.

 

OpenSSL will create both your private key and your certificate signing request, and save them to two files: your_common_name.key and your_common_name.csr. You can then copy the contents of the CSR file and paste it into the CSR text box in our order form on the InCommon site.  Be prepared to set a password for your private key.

 

Since our MagicInfo server has OpenSSL 3.x installed, you will need to convert the private key to PKCS1 format.  To do this, run the following command:

 

openssl rsa -in your_common_name.key -out your_common_name_new.key -traditional

 

The “-traditional” flag converts the key to PKCS1/OpenSSL format, which is what KeyStore Explorer will be expecting.  By default, OpenSSL 3 creates the key in PKCS8 format.  If you try to use that key, you’ll get an invalid format error when you try to create the JKS keystore file in KeyStore Explorer.  Keys written by newer versions of OpenSSL say BEGIN PRIVATE KEY because they contain the private key plus an OID that identifies the key type (this is known as PKCS8 format).  In PKCS1 format, if you examine the private key with Notepad++, the key will start with “-----BEGIN RSA PRIVATE KEY-----”.  That’s how you can confirm you have the correct format.
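A quick way to confirm the key format before opening KeyStore Explorer, as an added example that is not from the original guide: a pure-Python check that reads the PEM armor line and the first DER elements, so it also catches a header that was edited by hand. The DER stand-ins at the bottom are constructed for illustration and are not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _der_len(buf, i):
    """Return (length, offset of first content byte) for the DER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def key_format(pem_text):
    """Classify a PEM private key: 'pkcs1' (what the OpenSSL key-pair import expects),
    'pkcs8' (OpenSSL 3 default; convert with -traditional), 'pkcs1-encrypted',
    'pkcs8-encrypted', 'mismatch' (armor line and DER body disagree) or 'unknown'."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if "Proc-Type: 4,ENCRYPTED" in body:      # legacy OpenSSL encrypted PKCS#1
        return "pkcs1-encrypted"
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 EncryptedPrivateKeyInfo
        return "pkcs8-encrypted"
    der = base64.b64decode("".join(body.split()))
    if not der or der[0] != 0x30:             # both formats start with SEQUENCE
        return "unknown"
    _, i = _der_len(der, 1)
    if der[i:i + 3] != b"\x02\x01\x00":       # then version INTEGER 0
        return "unknown"
    i += 3
    # PKCS#1 continues with INTEGER modulus; PKCS#8 with a SEQUENCE AlgorithmIdentifier
    body_fmt = {0x02: "pkcs1", 0x30: "pkcs8"}.get(der[i] if i < len(der) else None)
    header_fmt = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}.get(label)
    if body_fmt is None:
        return "unknown"
    return body_fmt if body_fmt == header_fmt else "mismatch"

def _der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form length; enough for stand-ins

# Constructed structural stand-ins (NOT real keys): SEQUENCE{0, e, d} for PKCS#1 and the
# same wrapped in PrivateKeyInfo with the rsaEncryption OID for PKCS#8.
PKCS1_DER = _der(0x30, b"\x02\x01\x00" + b"\x02\x03\x01\x00\x01" + b"\x02\x01\x03")
RSA_ALG = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" + b"\x05\x00")
PKCS8_DER = _der(0x30, b"\x02\x01\x00" + RSA_ALG + _der(0x04, PKCS1_DER))

def pem(label, der):
    """Wrap DER bytes in PEM armor with the given label (constructed test input)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
```

Point key_format at the text of your_common_name_new.key; anything other than 'pkcs1' or 'pkcs1-encrypted' will be rejected by the OpenSSL key pair import described below.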

 

**I found this next part about converting the cert was not really necessary, since the InCommon certs come in X.509 format by default.

  1. Open the identity certificate preview, go to the Certification Path tab, select the first intermediate certificate in the path and click the View Certificate button. Next, go to the Details tab.

  2. Click the Copy to File… button to open the Export Wizard. Click Next on the first page. On the second page select the Base-64 encoded X.509 (.CER) option and click Next.

  3. Provide a file name along with the file path and click Next. On the summary window click Finish.

  4. Repeat the above steps for each intermediate certificate in the path.

Creating JKS keystore from PEM files (private key and certificates)

  1. Start KeyStore Explorer software

  2. Click on Create a new KeyStore option on welcome screen or select File > New from menu.

 

 

  3. Select JKS as the keystore type and click OK.

 

  4. Right-click (or click on the Tools menu) and select the Import Key Pair option.

 

  5. Choose the OpenSSL key pair type and click OK.

 

  6. Provide the password for the private key if one was set; otherwise untick the Encrypted Private Key option.

 

  7. Next, select the private key and certificate files, then click Import.  **This will fail if your private key is not in PKCS1 format, as mentioned above.

 

  8. Enter an alias for the new key pair entry and click OK. The alias can be any character string, but using ‘magicinfo’ or the domain name is recommended.

 

  9. If desired, provide a new password for the key pair entry and click OK.

 

At this point the new key pair entry should be successfully imported. Click OK.

 

  10. Save the keystore either by clicking the floppy disk icon or by selecting File > Save from the menu. The new keystore password dialog will appear. Provide a password if desired and click OK.

 

 

Next, provide a file name with the *.jks extension and click Save. It is recommended to use the domain name as the filename, e.g. ‘magicinfo.company.com.jks’.

 

  11. Append all intermediate certificates to the imported key pair entry. Right-click on the key pair entry, select Edit Certificate Chain and then Append Certificate.  In our case, you will need to append “InCommon RSA Server CA 2.cer”.  This can be downloaded from:

 

https://spaces.at.internet2.edu/display/ICCS/InCommon+Cert+Types#InCommonCertTypes-SSL/TLSCertificates

 

 

Certificates should be appended in order, from the one closest to the identity certificate (the one used to directly sign the identity certificate) to the one signed by the root certificate. The root certificate itself should not be appended to the chain.

KeyStore Explorer will not allow intermediate certificates to be added in the wrong order; such an attempt produces the warning message below. Otherwise, a certificate append confirmation will appear.

 

 

  12. To verify that the certificate chain is complete, double-click on the key pair entry to open the certificate details window.

 

  13. Save the keystore file. At this point the keystore should be ready for deployment.

HTTPS configuration in Tomcat

  1. Copy the created JKS keystore file onto the MagicInfo server and place it in a folder accessible by the MagicInfo service. Default MagicInfo keystores are in the <MagicInfo_dir>\runtime\keystore folder.

  2. Go to the <MagicInfo dir>\tomcat\conf\ folder and open the server.xml file. If the HTTPS option was selected during MagicInfo server installation, there should be a predefined connector with SSL support enabled like the one below. Otherwise, add the connector definition below to server.xml.

<Connector port="7002"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxHttpHeaderSize="8192"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="C:/MagicInfo Premium/runtime/keystore/MagicInfoIdentity.jks"
keystorePass="MagicInfoIdentityKeyStorePassPhrase"
keystoreType="JKS"
URIEncoding="UTF-8"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
maxPostSize="8388608"/>

  3. Make sure that the protocol attribute has the value org.apache.coyote.http11.Http11Nio2Protocol. Older MagicInfo server versions used a different protocol type.

  4. Update the value of the keystoreFile attribute with the path to the copied JKS keystore file.

  5. If a password was set for the key pair entry (step 9 in the previous section), add the keyPass attribute with the key pair entry password as its value.

  6. If a password was set for the keystore file (step 10 in the previous section), update the value of the keystorePass attribute. Otherwise remove that attribute or set an empty value.

For more information about SSL configuration, please refer to the official Tomcat documentation at

For the keystore created in the previous section, the minimal Tomcat SSL configuration would look like the one below.

<Connector port="7002"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxHttpHeaderSize="8192"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="C:/MagicInfo Premium/runtime/keystore/magicinfo.company.com.jks"
keystoreType="JKS"
URIEncoding="UTF-8"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
maxPostSize="8388608"/>
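As an added example (not from the original guide), a pre-deployment lint for the connector above: it parses server.xml with the standard library and flags the settings this guide tells you to change, plus one it does not mention, the stock sslEnabledProtocols list still enabling SSLv2Hello, TLSv1 and TLSv1.1, which are deprecated and can be replaced by TLSv1.2,TLSv1.3 on a JVM that supports TLS 1.3. The embedded server.xml is constructed for the example and the second connector's keystorePass is a placeholder.

```python
import xml.etree.ElementTree as ET

# Protocol names that should no longer appear in sslEnabledProtocols.
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
EXPECTED_PROTOCOL = "org.apache.coyote.http11.Http11Nio2Protocol"
# Passphrase shipped in the stock MagicInfo connector; a deployed keystore should not use it.
STOCK_KEYSTORE_PASS = "MagicInfoIdentityKeyStorePassPhrase"

def check_ssl_connectors(server_xml):
    """Return {port: [findings]} for every SSLEnabled Connector in server.xml text."""
    report = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "").lower() != "true":
            continue                                    # plain HTTP connector, not in scope
        findings = []
        if c.get("protocol") != EXPECTED_PROTOCOL:
            findings.append("protocol should be " + EXPECTED_PROTOCOL)
        if not c.get("keystoreFile", "").lower().endswith(".jks"):
            findings.append("keystoreFile does not point at a .jks file")
        if c.get("keystoreType", "JKS") != "JKS":      # Tomcat defaults keystoreType to JKS
            findings.append("keystoreType should be JKS for this keystore")
        enabled = [p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()]
        weak = sorted(DEPRECATED_PROTOCOLS.intersection(enabled))
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
        if c.get("keystorePass") == STOCK_KEYSTORE_PASS:
            findings.append("keystorePass is still the stock value")
        report[c.get("port")] = findings
    return report

# Constructed server.xml: the stock connector from this guide on 7002, a hardened
# one on 7003 (keystorePass "replace-me" is a placeholder), and a plain HTTP one.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="7002" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="C:/MagicInfo Premium/runtime/keystore/MagicInfoIdentity.jks"
  keystorePass="MagicInfoIdentityKeyStorePassPhrase" keystoreType="JKS"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>
<Connector port="7003" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="C:/MagicInfo Premium/runtime/keystore/magicinfo.company.com.jks"
  keystorePass="replace-me" keystoreType="JKS"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"/>
<Connector port="7001" protocol="HTTP/1.1"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in check_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["ok"])
```

Run it against the real file with check_ssl_connectors(open(r"<MagicInfo dir>\tomcat\conf\server.xml").read()) after editing; an empty findings list for port 7002 means the connector matches what this guide asks for.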

 
