What is an SSL Certificate:
SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, a certificate activates the padlock and the https protocol (port 443) and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently it is becoming the norm for securing browsing of social media sites. SSL Certificates bind together:
- A domain name, server name or hostname.
- An organizational identity (i.e. company name) and location.
Objective:
We will install an SSL certificate for the my.abc.com.bd domain. All requests to http://my.abc.com.bd will then be redirected to https://my.abc.com.bd.
Scenario & Tested Environment:
Domain is: my.abc.com.bd
OS: Red Hat Enterprise Linux 5
Tomcat: jakarta-tomcat-4.1.24
Used Tool/Command: keytool (keytool is a key and certificate management utility)
Steps:
- CSR (Certificate Signing Request) Generation
- Submit CSR to CA (Certification Authority (CA) is an entity that issues digital certificates)
- Certificate Installation after receiving certificates from CA
- Apache Jakarta Tomcat Configuration Modification
- Restart Jakarta Tomcat Service
1. CSR (Certificate Signing Request) Generation:
What is a CSR? A CSR or Certificate Signing Request is a block of encoded text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate, such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.
Here is a CSR sample:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
[root@localhost]# /opt/jdk1.5.0_21/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123
What is your first and last name?
[Unknown]: my.abc.com.bd
What is the name of your organizational unit?
[Unknown]: IT/Technology
What is the name of your organization?
[Unknown]: ABC Technologies
What is the name of your City or Locality?
[Unknown]: Road # 2 House # 2 Gulshan # 2
What is the name of your State or Province?
[Unknown]: Dhaka
What is the two-letter country code for this unit?
[Unknown]: BD
Is CN=my.abc.com.bd, OU=IT/Technology, O=ABC Technologies, L=Road # 2 House # 2 Gulshan # 2, ST=Dhaka, C=BD correct?
[no]: yes
Enter key password for <mykey>
(RETURN if same as keystore password): abcbd123
This will generate a keystore file named my.abc.com.bd.keystore.
Using this keystore, we will generate the CSR file.
[root@localhost]#/opt/jdk1.5.0_21/bin/keytool -certreq -keyalg RSA -file /opt/sslcert/my.abc.com.bd.csr -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123
[root@localhost]# ls
my.abc.com.bd.csr my.abc.com.bd.keystore
2. Submit CSR to CA
Send the necessary details to the CA.
3. Certificate Installation
You will receive the following files from the CA:
- AddTrustExternalCARoot.crt
- my_abc_com_bd.crt
- TrustedSecureCertificateAuthority5.crt
- USERTrustRSAAddTrustCA.crt
Execute the following commands from the directory containing both the CSR and the keystore file. In our case the working directory is /opt/sslcert/.
[root@localhost]#keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore my.abc.com.bd.keystore
[root@localhost]#keytool -import -trustcacerts -alias TrustedSecureCertificateAuthority5 -file TrustedSecureCertificateAuthority5.crt -keystore my.abc.com.bd.keystore
[root@localhost]#keytool -import -trustcacerts -alias USERTrustRSAAddTrustCA -file USERTrustRSAAddTrustCA.crt -keystore my.abc.com.bd.keystore
[root@localhost]#keytool -import -trustcacerts -alias my.abc.com.bd -file my_abc_com_bd.crt -keystore my.abc.com.bd.keystore
[root@localhost]#keytool -import -trustcacerts -file my_abc_com_bd.crt -keystore my.abc.com.bd.keystore
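A check worth running once the imports are done, added here as an example and not part of the original post: keytool installs an imported certificate as the signed reply for a key pair only when -alias names that key entry, and the -genkey step above used the default alias "mykey". Under any other alias the CA-signed certificate becomes a separate trusted-certificate entry, the key entry keeps its self-signed certificate, and that self-signed certificate is what Tomcat would serve. The script below parses `keytool -list -v` output and flags that situation; the two sample listings are constructed, the CA names in them are placeholders, and the keystore path and password are supplied by whoever runs it. Because the keystore holds the private key and server.xml will carry its password in clear text, both files should be readable by the Tomcat user only.

```python
"""Added example (not part of the original post): check the Tomcat keystore after the
keytool -import steps by reading `keytool -list -v` output.

keytool installs an imported certificate as the signed reply for a key pair only when
-alias names that key entry (the -genkey step above used the default alias "mykey").
The sample listings below are constructed; the CA names in them are placeholders.
"""
import subprocess
from typing import Dict, List

KEY_ENTRY_TYPES = ("keyEntry", "PrivateKeyEntry")  # JDK 1.5 wording, newer wording
SERVER_DN = ("CN=my.abc.com.bd, OU=IT/Technology, O=ABC Technologies, "
             "L=Road # 2 House # 2 Gulshan # 2, ST=Dhaka, C=BD")

# Constructed: what a correct import sequence leaves behind.
SAMPLE_GOOD = f"""Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: {SERVER_DN}
Issuer: CN=Example Intermediate CA, O=Example CA

Alias name: addtrustexternalcaroot
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""

# Constructed: the server certificate was imported under an alias other than "mykey".
SAMPLE_BAD = f"""Alias name: mykey
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: {SERVER_DN}
Issuer: {SERVER_DN}

Alias name: my.abc.com.bd
Entry type: trustedCertEntry
Owner: {SERVER_DN}
Issuer: CN=Example Intermediate CA, O=Example CA
"""


def parse_keytool_listing(text: str) -> Dict[str, dict]:
    """Map alias -> {type, chain_len, owner, issuer}; owner/issuer come from the
    first certificate printed under the alias (the key entry's own certificate)."""
    entries: Dict[str, dict] = {}
    cur = None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            cur = {"type": None, "chain_len": 1, "owner": None, "issuer": None}
            entries[value] = cur
        elif cur is None:
            continue
        elif key == "Entry type":
            cur["type"] = value
        elif key == "Certificate chain length":
            cur["chain_len"] = int(value)
        elif key == "Owner" and cur["owner"] is None:
            cur["owner"] = value
        elif key == "Issuer" and cur["issuer"] is None:
            cur["issuer"] = value
    return entries


def check_server_entry(entries: Dict[str, dict], key_alias: str = "mykey",
                       expected_cn: str = "my.abc.com.bd") -> List[str]:
    """Return the problems found; an empty list means the key entry carries a
    CA-issued certificate for expected_cn together with its chain."""
    entry = entries.get(key_alias)
    if entry is None:
        return [f"no entry named {key_alias!r} (the -genkey default alias is 'mykey')"]
    problems: List[str] = []
    if entry["type"] not in KEY_ENTRY_TYPES:
        problems.append(f"{key_alias!r} is a {entry['type']}, not a private-key entry")
    if entry["owner"] and f"CN={expected_cn}" not in entry["owner"]:
        problems.append(f"{key_alias!r} subject is {entry['owner']}, expected CN={expected_cn}")
    if entry["owner"] and entry["owner"] == entry["issuer"]:
        problems.append(f"{key_alias!r} still holds its self-signed certificate: "
                        "the CA reply was not installed on it")
    elif entry["chain_len"] < 2:
        problems.append(f"{key_alias!r} has no CA chain (chain length {entry['chain_len']})")
    for alias, e in entries.items():  # tell-tale of an import under the wrong alias
        if alias != key_alias and e["type"] == "trustedCertEntry" \
                and e["owner"] and f"CN={expected_cn}" in e["owner"]:
            problems.append(f"server certificate sits in trusted entry {alias!r}; "
                            f"re-import it with -alias {key_alias} so it becomes the key's reply")
    return problems


def list_keystore(path: str, password: str) -> Dict[str, dict]:
    """Run keytool -list -v (assumes keytool is on PATH). Note that -storepass makes
    the password visible in the process list while keytool runs."""
    out = subprocess.run(["keytool", "-list", "-v", "-keystore", path, "-storepass", password],
                         check=True, capture_output=True, text=True).stdout
    return parse_keytool_listing(out)


if __name__ == "__main__":
    import getpass, sys
    ks = sys.argv[1] if len(sys.argv) > 1 else "/opt/sslcert/my.abc.com.bd.keystore"
    for problem in check_server_entry(list_keystore(ks, getpass.getpass("Keystore password: "))):
        print("PROBLEM:", problem)
```

Run it as `python3 check_keystore.py /opt/sslcert/my.abc.com.bd.keystore` after the imports; no output means the key entry holds the CA-issued certificate and its chain. On the constructed SAMPLE_BAD listing it reports both the self-signed key entry and the stray trusted entry.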
4. Jakarta Tomcat Configuration
Open the $TOMCAT_HOME/conf/server.xml file. Add the entries below:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 80 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="80" minProcessors="30" maxProcessors="600"
           enableLookups="false" redirectPort="8443"
           acceptCount="100" debug="0" connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true" strategy="ms" tcpNoDelay="true" />
<!-- Note : To disable connection timeouts, set connectionTimeout value to -1 -->
.............
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector address="1.2.3.4" className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="10" maxProcessors="200"
           enableLookups="true" acceptCount="100" debug="0" scheme="https" secure="true"
           connectionTimeout="20000" useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" keystoreFile="/opt/sslcert/my.abc.com.bd.keystore" keystorePass="abcbd123"
           keystoreType="JKS" protocol="TLS" randomFile="/opt/random.pem" rootFile="/opt/root.pem"/>
  ......
</Connector>
<Host name="1.2.3.4" debug="0" appBase="<Document root>"
      unpackWARs="true" autoDeploy="true">
  <Alias>my.abc.com.bd</Alias>
  <Context path="" docBase="<Document root>" debug="0"
           reloadable="true" crossContext="true" />
</Host>
.............
Open the <Document Root>/WEB-INF/web.xml file. Add the entries below:

<web-app>
  .............
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  .............
</web-app>
5. Restart Jakarta Tomcat Service
[root@localhost]# sh $TOMCAT_HOME/bin/shutdown.sh
[root@localhost]# sh $TOMCAT_HOME/bin/startup.sh
Check the log file as well:
[root@localhost]#tail -f $TOMCAT_HOME/logs/catalina.out
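After the restart, a client-side check confirms what the objective asks for: plain HTTP is redirected to HTTPS on the same host, and the HTTPS listener presents a certificate that a default trust store accepts for the hostname. The script below is an added example, not code from the original post. Its one pure function, classify_redirect, is where the caveat lives: with the CONFIDENTIAL transport guarantee, Tomcat redirects to https://host:<redirectPort>/..., so with redirectPort="8443" and the SSL connector on 8443 the browser lands on https://my.abc.com.bd:8443 unless port 443 is forwarded to it. The hostname defaults to my.abc.com.bd from the page; the Location values in the test are constructed.

```python
"""Added example (not part of the original post): verify from a client that HTTP is
redirected to HTTPS and that the HTTPS listener serves a verifiable certificate.

classify_redirect is pure and can be exercised offline; the two check_* functions
open real connections. Assumption: the system trust store knows the CA that issued
the certificate, which is what a browser relies on as well.
"""
import http.client
import socket
import ssl
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_redirect(status: int, location: Optional[str], expected_host: str,
                      expected_port: int = 443) -> List[str]:
    """Judge an HTTP status/Location pair from the port-80 connector. Returns the
    problems found; an empty list means a redirect to https://expected_host[:expected_port]."""
    if status not in REDIRECT_CODES or not location:
        return [f"HTTP {status} without a redirect: the CONFIDENTIAL constraint is not in effect"]
    url = urlsplit(location)
    problems: List[str] = []
    if url.scheme != "https":
        problems.append(f"redirect target {location} is not https")
    if (url.hostname or "") != expected_host.lower():
        problems.append(f"redirect target host {url.hostname!r} differs from {expected_host!r}")
    port = url.port or (443 if url.scheme == "https" else 80)
    if port != expected_port:
        # Tomcat builds this URL from the connector's redirectPort (8443 in server.xml).
        problems.append(f"redirect target uses port {port}, not {expected_port}: "
                        f"forward {expected_port} to the SSL connector or adjust redirectPort")
    return problems


def check_http_redirect(host: str, port: int = 80, path: str = "/",
                        timeout: float = 5.0) -> List[str]:
    """GET the plain-HTTP connector and classify its response."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Handshake with chain and hostname verification enabled. An incomplete chain or
    a still self-signed certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = {k: v for rdn in cert["subject"] for k, v in rdn}
            return {"protocol": tls.version(), "subject_cn": subject.get("commonName", ""),
                    "not_after": cert["notAfter"]}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "my.abc.com.bd"
    for problem in check_http_redirect(host):
        print("PROBLEM:", problem)
    print("TLS OK:", check_tls(host))
```

Run it as `python3 verify_https.py my.abc.com.bd` from a machine outside the server. A verification error from check_tls after a clean keytool import usually means the key entry is still serving its self-signed certificate or that the intermediate certificates were not imported.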
Cheers :-) !!!