1. Generate Keystore
First, use the “keytool” command to create a self-signed certificate. During the keystore creation process, you need to assign a password and fill in the certificate’s details.

$Tomcat\bin>keytool -genkey -alias slc -keyalg RSA -keystore c:\keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  f
What is the name of your organizational unit?
//omitted to save space
  [no]:  yes
Enter key password for <slc>
        (RETURN if same as keystore password):
Re-enter new password:
Certificate Details
You can use the same “keytool” command to list the existing certificate’s details:

$Tomcat\bin>keytool -list -keystore c:\keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

slc, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5
2. Connector in server.xml
Next, locate your Tomcat’s server configuration file at $Tomcat\conf\server.xml and modify it by adding a connector element to support SSL (https) connections.

File : $Tomcat\conf\server.xml

//...
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="c:\keystore" keystorePass="password" />
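The connector above works, but a reviewer would tighten a few of its attributes before exposing it. The script below is an added example, not part of the original post or of Tomcat: it reads the step 2 Connector (embedded as a constructed sample) and reports the settings worth hardening. The "legacy protocol" list, the default-password list and the recommended values are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from step 2 inside a minimal server.xml.
SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\\keystore" keystorePass="password" />
  </Service>
</Server>
"""

# Assumptions of this example: versions a public connector should not offer,
# and keystore passwords that are defaults or trivially guessable.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_PASSWORDS = {"password", "changeit"}


def lint_connector(conn):
    """Return a list of (attribute, finding) tuples for one <Connector>."""
    a = conn.attrib
    if a.get("SSLEnabled", "false").lower() != "true":
        return []  # plain HTTP connector: nothing TLS-specific to check
    findings = []
    # sslProtocol="TLS" only names the JSSE context; the versions actually
    # offered come from sslEnabledProtocols, or the JVM default when unset.
    enabled = a.get("sslEnabledProtocols")
    if not enabled:
        findings.append(("sslEnabledProtocols", "not set; pin TLSv1.2,TLSv1.3"))
    else:
        legacy = sorted(LEGACY_PROTOCOLS & {p.strip() for p in enabled.split(",")})
        if legacy:
            findings.append(("sslEnabledProtocols", f"legacy versions: {legacy}"))
    if "ciphers" not in a:
        findings.append(("ciphers", "not set; restrict to a modern cipher list"))
    pw = a.get("keystorePass", "")
    if pw and not pw.startswith("${"):
        findings.append(("keystorePass", "literal password; use a ${property} placeholder"))
    if pw in DEFAULT_PASSWORDS:
        findings.append(("keystorePass", "default or guessable keystore password"))
    return findings


def lint_server_xml(xml_text):
    """Lint every <Connector> in a server.xml document; returns {port: findings}."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector")}
```

Running `lint_server_xml(SERVER_XML)` on the step 2 connector reports four findings: no pinned protocol versions, no cipher list, and a literal, guessable keystore password.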
3. Done
Save it and restart Tomcat, then access https://localhost:8443/

4. Installing a Certificate from a Certificate Authority:
In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as "secure". To create a CSR follow these steps:
- Create a local Certificate (as described in the previous section):

keytool -genkey -alias slc -keyalg RSA \
    -keystore <your_keystore_filename>

Note: in some cases you will have to enter the domain of your website (i.e. www.myside.org) in the field "first- and lastname" in order to create a working Certificate.

- The CSR is then created with:

keytool -certreq -keyalg RSA -alias slc -file certreq.csr \
    -keystore <your_keystore_filename>

Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate.
Importing the Certificate
Now that you have your Certificate you can import it into your local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.
Example: Apache httpd SSL virtual host in front of Tomcat (via mod_jk):

<VirtualHost *:443>
    DocumentRoot "/vol/data/src/docRoot"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/conf.d/sslcert/self_signed/self-ssl.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/sslcert/self_signed/self-ssl.key
    ServerName my.box.com
    RewriteEngine on
    DirectoryIndex index.html
    JkMount /myapp tomcat1
    JkMount /myapp/* tomcat1
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    Alias /doc "/vol/data/src/doc/my_docs1/"
    <Directory /vol/data/src/doc/my_docs1/>
        Require all granted
        SSLRequireSSL
        Allow From all
        AllowOverride all
    </Directory>
</VirtualHost>