SSL Certificates

GoDaddy CSR Generating Instructions
GoDaddy Instructions for generating CSRs

Apache
Generate CSR for Apache
 * 1) cd /usr/bin/ (or whichever directory holds your openssl binary)
 * 2) openssl genrsa -des3 -out <yourdomain>.key 1024 (enter a passphrase when prompted)
 * 3) openssl req -new -key <yourdomain>.key -out <yourdomain>.csr
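The two openssl steps above, run non-interactively and checked before the CSR is sent to the CA. This is an added example, not part of the page or of GoDaddy's instructions; the domain www.example.com, the subject fields and the passphrase are constructed values. It deliberately uses a 2048-bit key and AES for the key file, since public CAs no longer issue certificates for 1024-bit RSA keys and DES3 is a legacy cipher.

```shell
#!/bin/sh
# Added example (not from the page). Generates a passphrase-protected RSA key
# and a CSR for Apache without the interactive prompts, then checks the CSR.
# "www.example.com", the subject fields and the passphrase are constructed.

# gen_csr DIR DOMAIN PASSPHRASE
# Writes DIR/DOMAIN.key and DIR/DOMAIN.csr and verifies the CSR's self-signature.
gen_csr() {
    dir=$1; domain=$2; pass=$3
    mkdir -p "$dir"
    # Private key, AES-256 encrypted (the page uses -des3); -passout replaces
    # the passphrase prompt. 2048 bits is the minimum CAs accept today.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$domain.key" 2048 2>/dev/null
    chmod 600 "$dir/$domain.key"
    # CSR with the DN given on the command line; CN must be the FQDN, not a person.
    openssl req -new -key "$dir/$domain.key" -passin "pass:$pass" \
        -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Corp/CN=$domain" \
        -out "$dir/$domain.csr"
    # Confirm the CSR parses and its signature verifies before submitting it.
    openssl req -in "$dir/$domain.csr" -noout -verify >/dev/null 2>&1
}

# csr_cn FILE: print the Common Name from a CSR (RFC 2253 subject formatting).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_key_bits FILE: print the RSA modulus size the CSR carries.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# key_is_encrypted FILE: succeeds if the PEM key is passphrase-protected.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}
```

Run `gen_csr /tmp/csr www.example.com 'a-long-passphrase'` and then `csr_cn /tmp/csr/www.example.com.csr` to confirm the CN is the domain you will paste into the enrollment form.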

Tomcat
Generating Key Pair for Tomcat
 * 1) Enter the following command: keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
 * 2) You will be prompted for a password. Tomcat uses the default password "changeit."
 * 3) Enter the Distinguished Name (DN) information. The "First and last name" prompt is the Common Name (CN): the fully-qualified domain name (or URL) to which you plan to apply your certificate. Do not enter your personal name in this field.
 * 4) Confirm that the Distinguished Name information is correct.

Generating CSR
 * 1) Enter the following command: keytool -certreq -keyalg RSA -alias tomcat -file <yourdomain>.csr -keystore tomcat.keystore
 * 2) When prompted, enter the keystore password.
 * 3) Cut/copy and paste the generated CSR into our online enrollment form.
 * 4) Select "Tomcat" as your server software.

GoDaddy CRT Installation Instructions
Installing Your SSL Certificate

Tomcat
Installation for Tomcat

Installation Option One: Installing SSL Certificate and CA Bundle (gd_bundle.crt) Implementing a PKCS12 Keystore
 * 1) Before you install your SSL certificate you must download the GoDaddy root certificate bundle (gd_bundle.crt) to your Web server.
 * 2) Use the following OpenSSL command to combine the CA bundle (gd_bundle.crt), your SSL certificate and its private key: openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <yourdomain>.crt -inkey <yourdomain>.key -out keystore.tomcat -name tomcat -passout pass:changeit
 * 3) Open the server.xml file.
 * 4) After uncommenting the SSL/TLS connector in server.xml, locate the Factory tag section and comment it out.
 * 5) Add the following directives to the Connector tag: keystoreFile="<path to>\keystore.tomcat" keystorePass="changeit" keystoreType="PKCS12"
 * 6) Restart Tomcat.

Installation Option Two: Installing SSL Certificate and Intermediate Certificates Separately
 * 1) Once you have downloaded the certificates to your local machine, use the following keytool commands to import them:
   * Root (valicert_class2_root.crt): keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt
   * First intermediate (gd_cross_intermediate.crt): keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt
   * Second intermediate (gd_intermediate.crt): keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
 * 2) Installing the SSL certificate
 * 3) Use the following command to import the issued certificate into your keystore (the alias must match the one used when the key pair was generated):
 * 4) keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <yourdomain>.crt
 * 5) Updating the server.xml configuration file
 * 6) Open the server.xml file.
 * 7) After uncommenting the SSL/TLS connector in server.xml, locate the Connector text section.
 * 8) Add the "keystoreFile" and "keystorePass" directives.
 * 9) Restart Tomcat.

server.xml: <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

"The default password used by Tomcat is 'changeit' (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file."

Additional connector parameters:
 * keystoreFile - Add this attribute if the keystore file you created is not in the default place Tomcat expects (a file named .keystore in the home directory of the user Tomcat runs as). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
 * keystorePass - Add this attribute if you used a different keystore (and certificate) password than the one Tomcat expects (changeit).
 * keyAlias - Add this attribute if you have more than one key in the keystore. If it is not present, the first key read from the keystore is used.

Pound
Pound needs to have the files merged into one .PEM file. I use the order of:
 * 1) domain private key (.key)
 * 2) domain certificate (.crt)
 * 3) ca chained certificates (.crt)

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/mydomain.com.pem"
    ...
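Both packaging steps, the Tomcat PKCS12 keystore from "Installation Option One" above and the merged PEM file Pound wants, exercised end to end with openssl. This is an added example, not the page's own commands and not GoDaddy's; a throwaway self-signed CA and a server certificate it signs stand in for gd_bundle.crt and the issued certificate, and every name in it (Example Test CA, www.example.com, the file names) is constructed. The order checker at the end catches the wrong-order case that produces the "PKIX path building failed" error listed under Errors below.

```shell
#!/bin/sh
# Added example, not from the page or from GoDaddy. A throwaway CA and server
# certificate stand in for gd_bundle.crt and the issued certificate so the two
# packaging steps can be exercised offline:
#   - Tomcat "Option One": one PKCS12 keystore holding key + cert + CA chain
#   - Pound: one PEM file in the order key, certificate, CA chain
# All names (Example Test CA, www.example.com, file names) are constructed.

# make_chain DIR: self-signed test CA plus a server certificate it signs.
make_chain() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Test CA/CN=Example Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca_bundle.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca_bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# tomcat_keystore DIR PASSWORD: the page's Option One command with its stripped
# placeholders filled in. -chain makes openssl resolve the issuer chain against
# -CAfile and fail outright if it cannot, instead of writing an incomplete store.
tomcat_keystore() {
    dir=$1; pass=$2
    openssl pkcs12 -export -chain -CAfile "$dir/ca_bundle.crt" \
        -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/keystore.tomcat" -name tomcat -passout "pass:$pass"
}

# p12_cert_count FILE PASSWORD: how many certificates the keystore holds.
# Server cert + one CA = 2; a lower number means the chain did not make it in.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# pound_pem DIR OUT: merge in the order used above: key, certificate, CA chain.
pound_pem() {
    dir=$1; out=$2
    cat "$dir/server.key" "$dir/server.crt" "$dir/ca_bundle.crt" > "$out"
    chmod 600 "$out"   # the merged file carries the private key
}

# pem_block_order FILE: the PEM block types in file order, one per line.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pem_order_ok FILE: succeeds only if the file is a private key followed by
# one or more certificates, and the first certificate belongs to that key.
pem_order_ok() {
    file=$1
    [ "$(pem_block_order "$file" | wc -l)" -ge 2 ] || return 1
    first=$(pem_block_order "$file" | head -n 1)
    case "$first" in
        *"PRIVATE KEY") ;;
        *) return 1 ;;
    esac
    if pem_block_order "$file" | tail -n +2 | grep -qv '^CERTIFICATE$'; then
        return 1
    fi
    # openssl reads the first key block and the first certificate block respectively
    keypub=$(openssl pkey -in "$file" -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# chain_verify DIR: the check Java performs when it reports "PKIX path building
# failed": can the server certificate be chained to a trusted root?
chain_verify() {
    openssl verify -CAfile "$1/ca_bundle.crt" "$1/server.crt" >/dev/null 2>&1
}
```

For a real deployment replace ca_bundle.crt with gd_bundle.crt and server.crt/server.key with the issued certificate and its key; `pem_order_ok` and `chain_verify` are the two checks worth running before restarting Pound or Tomcat. One caveat: OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which very old JDKs cannot read, so if Tomcat rejects keystore.tomcat, confirm the JDK version before suspecting the chain.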

Jira
Running JIRA over SSL or HTTPS

The keystore and alias passwords both need to be 'changeit'.

If you get an error saying "Cannot recover key" this is because the alias password is not 'changeit'.

Scalix
"Setup stunnel if you require secure SSL communication for POP, IMAP, LDAP or SMTP"


 * Scalix Wiki
 * Scalix Forums
 * Scalix Install Guide
 * Scalix Setup Guide
 * Use secure protocols

Tomcat SSL
Tomcat SSL Configuration

Conversion from Apache PEM to Java Keytool
See Conversion from Apache PEM to Java Keytool

Conversion from Java Keytool to Apache PEM
See Java Keystore

SSL Wrappers

 * Pound (HTTP Load Balancer)
 * Stunnel

OpenSSL (Apache)
See openssl

Keytool (Java)
See keytool

Errors
This is caused by an untrusted certificate or an incorrect order of the certificate chain:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Stunnel
See Stunnel

Conversion
OpenSSL to Keytool Conversion tips

Keytool cacert extraction to PEM format using OpenSSL and keytool

RSA Encryption
Wiki: RSA

Extended Validation SSL - Green Address Bar
Extended Validation SSL (EV SSL Certificates) - Online Identity Assurance
 * "Extended Validation SSL Certificates give high security Web browsers information to clearly identify a Web site’s organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox and Opera have announced their intention to support Extended Validation SSL in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as existing SSL Certificates."


 * Get the Green Address Bar
 * Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers
 * Shows various colors of bars, and explanation


 * Verisign brings EV SSL green bar to Firefox
 * Padlock icon, Green URL bar and SSL Security