Creating a tomcat keystore and CA signing

keytool
cmd showing keytool

Many a time we want to setup SSL but setting up a keystore can be tricky, below are the steps in summary, please note, the path to your java directory might be different, while i performed this on Linux, you can do the same on Windows by using powershell or cmd shell in the %program files%jre(version)bin directory.

 

 

 

 

Steps;

Please find below where;
• kujahapa.com is the host alias and CN can be your domain name e.g. http://www.kujahapa.com
• kujahapa.com.crt is the Certificate signing reply
• ca-cert.crt is the Certificate authority certificate;
• ca-cert is the Certificate Authority Certificate from for example verisgn, digicert, comodo and other certificate authorities depending on what the server you are connecting to is using

===> When you have a Certificate Authority certificate

#Import CA Certificate, if you are using self signed certificates, i.e. certificates you are not paying for, read the self signed section
/usr/java/default/bin/keytool -import -file /<path to CA file>/ca-cert.crt -keystore /opt/tomcat/keystore.jks

#Generate Node Keys (Private and public Keys)
/usr/java/default/bin/keytool -genkey -dname “CN=kujahapa.com” -alias kujahapa.com -keyalg RSA -keystore /opt/tomcat/keystore.jks -keysize 2048

#Create certificate signing request for the node public key
/usr/java/default/bin/keytool -certreq -alias kujahapa.com -keystore /opt/tomcat/keystore.jks -file kujahapa.com.csr

#Have CA sign public key by sending them the above .csr file

#Import certificate reply
/usr/java/default/bin/keytool -importcert -alias kujahapa.com -file kujahapa.com.crt -keystore /opt/tomcat/keystore.jks

#Verify Certificate is signed
/usr/java/default/bin/keytool -list -keystore /opt/tomcat/keystore.jks

#As an addition change keystore owners to the application owner and the access permissions to 0600 (chown 0600 /opt/tomcat/keystore.jks)

=====> Self signed section
Simply generate the keys and that should do it
#Generate Node Keys (Private and public Keys), note keysize can vary
/usr/java/default/bin/keytool -genkey -dname “CN=kujahapa.com” -alias kujahapa.com -keyalg RSA -keystore /opt/tomcat/keystore.jks -keysize 2048
If you have a tomcat server, you can configure it to start using SSL by updating the /opt/tomcat/conf/server.xml for linux and the similar server.xml file in windows in the tomcat conf directory

#Un-comment out the 8443 SSLEnabled=”true” section and add the keystore file path
<Connector port=”8443″ protocol=”HTTP/1.1″ SSLEnabled=”true”
maxThreads=”150″ scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS” keystoreFile=”/opt/tomcat/conf/keystore.jks” keystorePass=”lasjdfajd” />

===> Exporting my private

Below we export our private key, if all you wanted was to create a cert and have it signed the below steps are not required.
The reasons for exporting a private key are many and vary from individual to individual some are;

  • You would like to install your same certificates on multiple servers
  • You would like to hard code your keys in an application
  • You would like to carry out IP traffic dumps and decrypt them.

Our public key is already with us since we had to got it from our CA after having it signed, below is also show you to export
the same sert in PKCS12 format (you can choose to ignore the public key export)

// Convert your JKCS keystore into a PKCS12 format keystore
/usr/java/default/bin/keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias kujahapa.com
you will be prompted for the destination keystore password that you enter twice followed by the password for you existing keystore, keystore.jks

//Export public cert from PKCS12 keystore
openssl pkcs12 -in keystore.p12 -nokeys -out kujahapa.com.pem

//Export Private Key from PKCS12 keystore
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem

Where key.pem is my private key and kujahapa.pem is my public key, doing a head on the certs you can see this;

Private Key 

#head -6 key.pem
Bag Attributes
friendlyName: kujahapa.com
localKeyID: 12 69 46 65 20 31 34 32 37 35 34 23 37 34 37 34 36 89
Key Attributes: <No Attributes>
—–BEGIN PRIVATE KEY—–
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdZuzz4z3qympK

 

Public Key
#head -6 kujahapa.com.pem
Bag Attributes
friendlyName: kujahapa.com
localKeyID: 54 69 6D 65 20 31 34 32 37 35 34 35 37 34 37 34 36 35
subject=/CN=kujahapa.com
issuer=/CN=Inifi CA
—–BEGIN CERTIFICATE—–
MIIDrTCCAZWgAwIBAgIIwa1Btsm3SSowDQYJKoZIhvcNAQEFBQAwFDESMBAGA1UE

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s