SSL Certificates

From Omnia

Summary

Generate Custom Self Signed Certificate

Linux script to generate custom self signed certificate

makecert.sh:

#!/bin/sh

# ./makecert.sh <domain> [cert-domain]
# Creates a <domain>/ directory holding a 5-year self-signed certificate for
# cert-domain (defaults to domain). The key is generated with the throwaway
# passphrase "test" and written out again without it.
if [ "$1" = "" ] ; then
  echo "Error: Usage: $0 <domain> \"[cert-domain]\""
  exit 1
fi
DOMAIN=$1
if [ "$2" != "" ] ; then
  CERTDOMAIN=$2
else
  CERTDOMAIN=$1
fi
echo "Creating SSL cert for $DOMAIN ($CERTDOMAIN)"

mkdir "$DOMAIN" || exit 1
cd "$DOMAIN" || exit 1
# openssl req -config ../openssl.cnf -new -out $DOMAIN.csr
# openssl req -new -out $DOMAIN.csr
# The here-document answers the DN prompts in order: Country, State, Locality,
# Organization, Organizational Unit, Common Name; the three blank lines skip
# the e-mail address, challenge password and optional company name.
openssl req -new -keyout privkey.pem -out "$DOMAIN.csr" -passout pass:test <<EOF
US
Utah
Salt Lake City
$DOMAIN
$DOMAIN
$CERTDOMAIN



EOF
# openssl rsa -in privkey.pem -out $DOMAIN.key
openssl rsa -in privkey.pem -out "$DOMAIN.key" -passin pass:test    # strip the passphrase
openssl x509 -in "$DOMAIN.csr" -out "$DOMAIN.cert" -req -signkey "$DOMAIN.key" -days 1825    # 5 years
openssl x509 -in "$DOMAIN.cert" -out "$DOMAIN.der.crt" -outform DER    # optional
cat "$DOMAIN.key" "$DOMAIN.cert" > "$DOMAIN.pem"
# FYI, pem for chain would be 'key, cert, chain > pem'

See openssl.cnf
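A sanity check for the files makecert.sh leaves behind, added here as an example (it is not part of the original page). It generates a throwaway pair non-interactively with -subj, which is also a less fragile alternative to the here-document, confirms that the certificate really belongs to the private key, and checks the remaining validity. It assumes openssl 1.1.0 or later on the PATH; the domain names are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): checks to run on the files makecert.sh
# produces before handing them to a server. Assumes OpenSSL >= 1.1.0 on PATH.

# Throwaway key + cert with the same DN layout the script feeds through its
# here-document, but passed via -subj so no prompt ordering is involved.
# The names are constructed test data.
gen_selfsigned() {            # $1 = output dir, $2 = domain
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/ST=Utah/L=Salt Lake City/O=$2/OU=$2/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.cert" >/dev/null 2>&1
}

# 0 when the certificate was made for this private key. Comparing the
# exported public keys works for RSA and EC keys alike, unlike the old
# "compare the modulus" trick.
cert_matches_key() {          # $1 = cert file, $2 = key file
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$certpub" = "$keypub" ]
}

# 0 when the certificate is still valid $2 days from now (-checkend exits
# non-zero if the certificate expires within the given number of seconds).
cert_valid_for_days() {       # $1 = cert file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the subject so a wrong CN / cert-domain is caught early.
cert_subject() {              # $1 = cert file
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# Usage: sh checkcert.sh <domain>.cert <domain>.key   (the makecert.sh output)
if [ $# -eq 2 ]; then
    cert_subject "$1"
    if cert_matches_key "$1" "$2"; then echo "key matches certificate"; else echo "KEY/CERT MISMATCH"; fi
    if cert_valid_for_days "$1" 30; then echo "valid for at least 30 more days"; else echo "EXPIRES WITHIN 30 DAYS"; fi
fi
```

Run it against the .cert and .key pair the script wrote; a mismatch usually means a key was regenerated after the CSR was made, which is exactly the case Tomcat later reports as "Cannot recover key".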

GoDaddy CER Generating Instructions

GoDaddy Instructions for generating CERs [1]

Apache

Generate CER for Apache [2]

  1. cd /usr/bin/ (/your path to openssl/)
  2. openssl genrsa -des3 -out <name of your certificate>.key 1024
     Enter a passphrase when prompted to.
  3. openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr

Tomcat

Generating Key Pair for Tomcat [3]

  1. Enter the following command:
    keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
  2. You will be prompted for a password. Tomcat uses the default password "changeit".
  3. Enter Distinguished Name (DN) information
    First and last name - This is the Common Name: the fully-qualified domain name - or URL - to which you plan to apply your certificate. Do not enter your personal name in this field.
  4. Confirm that the Distinguished Name information is correct.

Generating CSR [4]

  1. Enter the following command:
    keytool -certreq -keyalg RSA -alias tomcat -file <your file name>.csr -keystore tomcat.keystore
  2. Upon prompt, enter keystore password
  3. Cut/copy and paste the generated CSR into GoDaddy's online enrollment form.
  4. Select "Tomcat" as your server software.

GoDaddy CRT Installation Instructions

Installing Your SSL Certificate [5]

Tomcat

Installation for Tomcat [6]

Installation Option One: Installing SSL Certificate and CA Bundle (gd_bundle.crt) Implementing a PKCS12 Keystore

  1. Before you install your SSL certificate you must download our root certificate bundle (gd_bundle.crt) on your Web server.
  2. Use the following OpenSSL command to combine the CA bundle (gd_bundle.crt) and your SSL certificate:
    openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit
  3. Open the server.xml file.
  4. After uncommenting the SSL/TLS connector from server.xml, locate the following Factory tag section and COMMENT IT OUT:
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
  5. Add the following directives to the Connector tag:
    keystoreFile="<path to>\keystore.tomcat"
    keystorePass="changeit"
    keystoreType="PKCS12"
  6. Restart Tomcat.
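Before editing server.xml it is worth confirming that the keystore opens with the password that will go into keystorePass and that the entry carries the alias keyAlias will refer to. The following is an added example, not GoDaddy's or the wiki's own code: it builds the PKCS12 keystore from a throwaway self-signed pair (the -chain/-CAfile gd_bundle.crt options from the command above are left out because there is no CA bundle here) and inspects it with openssl. It assumes openssl 1.1.0 or later on the PATH; the names are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): build the PKCS12 keystore Option One
# describes from a throwaway pair, then confirm the password and alias that
# server.xml will be configured with. Assumes OpenSSL >= 1.1.0 on PATH.

# Throwaway key + cert standing in for the issued pair (constructed data).
gen_pair() {                  # $1 = dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Same shape as the wiki's command, minus -chain/-CAfile (no CA bundle here).
make_keystore() {             # $1 = dir, $2 = alias, $3 = password
    openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
        -out "$1/keystore.tomcat" -name "$2" -passout "pass:$3" 2>/dev/null
}

# 0 when the keystore MAC verifies with this password (what keystorePass
# must be set to), non-zero otherwise.
keystore_password_ok() {      # $1 = keystore, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" >/dev/null 2>&1
}

# Print the friendly name of the first certificate bag; this is the alias
# keytool lists and the value keyAlias would name if there were several.
keystore_alias() {            # $1 = keystore, $2 = password
    openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Usage: sh checkstore.sh keystore.tomcat changeit
if [ $# -eq 2 ]; then
    if keystore_password_ok "$1" "$2"; then
        echo "password ok, alias: $(keystore_alias "$1" "$2")"
    else
        echo "keystore does not open with that password"
    fi
fi
```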

Installation Option Two: Installing SSL Certificate and Intermediate Certificates Separately

  1. Once you have downloaded the certificates to your local machine, please use the following keytool commands to import them:
    Root:
    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt
    First intermediate (gd_cross_intermediate.crt):
    keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt
    Second intermediate (gd_intermediate.crt):
    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
  2. Installing SSL Certificate
    Use the following command to import the issued certificate into your keystore:
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>
  3. Updating the server.xml Configuration File
    1. Open the server.xml file.
    2. After uncommenting the SSL/TLS connector from server.xml, locate the following text section:
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
    3. Add the "keystoreFile" and "keystorePass" directives:
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/full/path/to/tomcat.keystore" keystorePass="changeit" />
    4. Restart Tomcat.

server.xml [7]:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector 
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->

The default password used by Tomcat is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file. [8]

Additional connector parameters:

keystoreFile - Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
keystorePass - Add this attribute if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit).
keyAlias - Add this attribute if you have more than one key in the KeyStore. If the attribute is not present the first key read in the KeyStore will be used.

Pound

Pound needs to have the files merged into one .PEM file. I use the order of:

  1. domain private key (.key)
  2. domain certificate (.crt)
  3. ca chained certificates (.crt)

ListenHTTPS
   Address 0.0.0.0
   Port    443
   Cert    "/etc/mydomain.com.pem"
   ...

Using the Certificates with Various Applications

Jira

Running JIRA over SSL or HTTPS [9]

The keystore and alias passwords both need to be 'changeit'.

If you get an error saying "Cannot recover key" this is because the alias password is not 'changeit'.

Scalix

"Setup stunnel if you require secure SSL communication for POP, IMAP, LDAP or SMTP" [10]

  • Scalix Wiki [11]
  • Scalix Forums [12]
  • Scalix Install Guide [13]
  • Scalix Setup Guide [14]
  • Use secure protocols [15]

Tomcat SSL

Tomcat SSL Configuration [16]

Conversion from Apache PEM to Java Keytool

See Conversion from Apache PEM to Java Keytool

Conversion from Java Keytool to Apache PEM

See Java Keystore#Conversion from Java Keytool to Apache PEM

SSL Wrappers

SSL Tools

OpenSSL (Apache)

See openssl

Keytool (Java)

See keytool

Errors

The following Java error is caused by an untrusted certificate or an incorrect order of the certificate chain:

javax.net.ssl.SSLHandshakeException:
  sun.security.validator.ValidatorException:
    PKIX path building failed:
      sun.security.provider.certpath.SunCertPathBuilderException:
        unable to find valid certification path to requested target
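A worked version of the chain rules that this error and the Pound section above depend on, added here as an example (it is not from the wiki). It builds a throwaway root, intermediate and server certificate, assembles the PEM in the key, cert, chain order Pound wants, checks that each certificate is followed by its issuer (the order a client needs to build the PKIX path), and shows with openssl verify that the leaf cannot be validated when the intermediate is missing. It assumes openssl 1.1.0 or later on the PATH; all names are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): builds a throwaway root -> intermediate
# -> server chain, writes the PEM in the order Pound wants (key, cert, chain)
# and checks the certificate order, the usual cause of "PKIX path building
# failed". Assumes OpenSSL >= 1.1.0 on PATH; all names are constructed.

# Minimal extension file so issued certificates are real CAs or real leaves.
write_ext() {                 # $1 = file, $2 = ca | server
    if [ "$2" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$1"
    fi
}

# Key + certificate for $2 in $1, signed by $3 (self-signed when $3 is empty).
issue() {                     # $1 = dir, $2 = name, $3 = issuer name or "", $4 = ca | server
    write_ext "$1/$2.ext" "$4"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    if [ -z "$3" ]; then
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 30 \
            -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
            -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
    fi
}

build_chain() {               # $1 = dir
    issue "$1" root-ca "" ca
    issue "$1" intermediate-ca root-ca ca
    issue "$1" www.example.test intermediate-ca server
}

# Pound order: private key, server certificate, then the chain leaf-side
# first (the root is included here only to show a longer chain).
make_pound_pem() {            # $1 = dir, $2 = output file
    cat "$1/www.example.test.key" "$1/www.example.test.crt" \
        "$1/intermediate-ca.crt" "$1/root-ca.crt" > "$2"
}

# 0 when every certificate in the file is followed by its issuer, i.e. the
# chain runs leaf -> intermediate(s) -> root. Keys in the file are ignored.
chain_order_ok() {            # $1 = pem file
    tmp=$(mktemp -d)
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", d, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
    rc=0
    prev_issuer=""
    [ -e "$tmp/cert-0001.pem" ] || rc=1
    for c in "$tmp"/cert-*.pem; do
        [ "$rc" -eq 0 ] || break
        subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null)
        # strip the "subject=" / "issuer=" prefixes before comparing the DNs
        if [ -n "$prev_issuer" ] && [ "${prev_issuer#*=}" != "${subj#*=}" ]; then
            rc=1
        fi
        prev_issuer=$(openssl x509 -in "$c" -noout -issuer 2>/dev/null)
    done
    rm -rf "$tmp"
    return $rc
}

# What a client does when it builds the path: without the intermediate the
# leaf cannot be linked to the trusted root and verification fails.
verify_leaf() {               # $1 = dir, $2 = with-intermediate | without
    if [ "$2" = with-intermediate ]; then
        openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/intermediate-ca.crt" \
            "$1/www.example.test.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root-ca.crt" "$1/www.example.test.crt" >/dev/null 2>&1
    fi
}
```

chain_order_ok can be pointed at any server-side PEM or at a downloaded bundle such as gd_bundle.crt; if it fails, the file contains a certificate that is not followed by its issuer, which is what the Java client reports as an unbuildable PKIX path.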

Stunnel

See Stunnel

Conversion

OpenSSL to Keytool Conversion tips

Keytool cacert extraction to PEM format using OpenSSL and keytool

RSA Encryption

Wiki: RSA

Extended Validation SSL - Green Address Bar

Extended Validation SSL (EV SSL Certificates) - Online Identity Assurance

"Extended Validation SSL Certificates give high security Web browsers information to clearly identify a Web site’s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox and Opera have announced their intention to support Extended Validation SSL in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as existing SSL Certificates."
Shows various colors of bars, and explanation

See Also

  • SSL Certificates
  • openssl
  • keytool
  • Java Keystore