I assume that you already have a working copy of tomcat with SSL. You need a copy of the tomcat's keystore file and the keystore password.
Let us start....
First copy the existing tomcat's keystore file to a new directory so that we don't break anything that is working.
# mkdir /root/SSL_export/
# cp <path/to/tomcat/keystore/file> /root/SSL_export/tomcat.keystore
# cd /root/SSL_export/
# keytool -list -keystore tomcat.keystore
Enter keystore password:
The above command will print all the keys in the keystore.
Now we will export the key in DER format
# keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
Enter keystore password:
Output will be: Certificate stored in file
The certificate will be stored in exported-der.crt
Verify the certificate with this command:
# openssl x509 -noout -text -in exported-der.crt -inform der
Output will be: The whole certificate saying - who issued it and other info like your company name etc.
Now Convert the key to PEM format so that apache can understand it:
# openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der
The exported key will be in the file exported-pem.crt.
We have exported the public key and now are going to export the private key.
Download these files:
# wget http://richfreedman.googlepages.com/ExportPrivateKey.java
# wget http://www.source-code.biz/snippets/java/Base64Coder.java.txt
# mv Base64Coder.java.txt Base64Coder.java
# javac ExportPrivateKey.java Base64Coder.java
Below command will save the exported private key in the file it is redirected to.
# java ExportPrivateKey tomcat.keystore tomcat G10BalPass > exported-pkcs8.key
We have to change it to RSA format so that apache can recognise it.
# openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key
Private key is now exported to the file exported.key.
Download the intermediate certificate from your certificate authority and keep it in the same location.
Now we should configure apache accordingly:
# cd /etc/httpd/conf.d/
# cp ssl.conf ssl.conf.orig
# vi ssl.conf (Change the following line only after commenting the old lines):
SSLCertificateFile /root/SSL_export/exported-pem.crt
SSLCertificateKeyFile /root/SSL_export/exported.key
SSLCertificateChainFile /root/SSL_export/<
Restart apache. You must be able to browse https://yourdomain.com/
You can condense
ReplyDelete# keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
# openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der
to:
# keytool -export -rfc -keystore tomcat.keystore -alias tomcat
Also, the Base64Coder.java file is not necessary. The ExportPrivateKey.java references the sun.misc.BASE64Encoder (which is included in the JRE), and not the Base64Coder.java file your instructions list.
ReplyDeleteAlso, if you apply this diff to ExportPrivateKey.java, you can use the prompt for password feature while piping the results to a file:
ReplyDelete# java ExportPrivateKey tomcat.keystore tomcat > exported-pkcs8.key
(notice no password on command line, unlike your example which has G10BalPass, which I hope isn't your real password)
--- ExportPrivateKey.java 2009-12-01 12:39:31.000000000 -0500
+++ ExportPrivateKey.java.new 2009-12-01 12:39:07.000000000 -0500
@@ -39,7 +39,7 @@
protected static String getPassword() throws Exception
{
- System.out.print( "Keystore Password: " );
+ System.err.print( "Keystore Password: " );
String password = new BufferedReader(new InputStreamReader(System.in)).readLine();
if(password == null || password.trim().equals(""))
Thank you so much for these directions! I thought I would have to start over and pay those $@*! people at Thawte again. This works!
ReplyDeleteThanks for posting this! It worked like a charm for me and it's rare to find tips like this that work exactly as described considering the number of steps involved...
ReplyDeleteVery good post!
ReplyDeletethanks!!
One of the best Post
ReplyDelete