Using OpenSSL to configure SSL Certificates for Apache Tomcat & Nginx
Procedure to create OpenSSL Certificate and configure it for Tomcat & Nginx.
PS: The OpenSSL tool must be installed on the server.
Configure the CA:
1. Set up the file structure for your CA:
D:
mkdir \certs
mkdir \certs\ca
cd \certs\ca
mkdir certs private newcerts
echo 1000 > serial
2. Create a blank file called index.txt in D:\certs\ca
3. Copy openssl.cnf to your certs directory
4. Edit openssl.cnf and modify the following line in the CA section:
dir=D:\certs\ca
5. Edit openssl.cnf and modify the certificate defaults as appropriate for your environment.
6. Create a CA with a 10-year certificate:
D:
cd \certs\ca
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private\cakey.pem -out cacert.pem -config D:\certs\openssl.cnf
7. (Optional) Remove the pass phrase from the CA's RSA private key:
openssl rsa -in private\cakey.pem -out private\cakeyout.pem
Then take a backup of cakey.pem and replace it with cakeyout.pem. Note that the CA key now sits unencrypted on disk, so restrict the file permissions on the private directory.
Create a host certificate:
1. Create a certificate request for Tomcat:
D:
cd \certs\ca
openssl req -new -nodes -out tomcathost-req.pem -keyout private\tomcathost-key.pem -config D:\certs\openssl.cnf
(Optional) To remove the pass phrase from the RSA private key (with -nodes the key is already written unencrypted, so this is only needed if you omit that flag):
openssl rsa -in private\tomcathost-key.pem -out private\tomcathost-key-out.pem
Then take a backup of tomcathost-key.pem and replace it with tomcathost-key-out.pem.
2. Sign the certificate request to create a 2-year certificate:
openssl ca -days 730 -config D:\certs\openssl.cnf -out tomcathost-cert.pem -infiles tomcathost-req.pem
Convert certificates to Java Key Store format:
1. Convert the CA cert:
openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER
2. Convert the Tomcat host key and cert:
openssl pkcs8 -topk8 -nocrypt -in private\tomcathost-key.pem -inform PEM -out private\tomcathost-key.der -outform DER
openssl x509 -in tomcathost-cert.pem -inform PEM -out tomcathost-cert.der -outform DER
3. Download ImportKey.class and copy this file to D:\certs\ca
4. Import the tomcathost key and cert into a Java key store:
java -Dkeystore=tomcathost.jks ImportKey private\tomcathost-key.der tomcathost-cert.der
5. Import the CA cert into a Java trust store:
keytool -importcert -alias CA -file cacert.der -keystore trust.jks
Configure Tomcat to use the new certificate for SSL:
1. Copy trust.jks and tomcathost.jks to %CATALINA_BASE%\conf
2. Modify the SSL connector in server.xml to use the following attributes:
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${catalina.base}/conf/tomcathost.jks"
keystorePass="importkey"
truststoreFile="${catalina.base}/conf/trust.jks"
truststorePass="changeit"
In Nginx:
PS: Edit the default file under the sites-available directory in the Nginx installation home.
# HTTPS server
server {
    listen 443; ## listen for ipv4
    server_name www.ktpot.com;
    ssl on;
    ssl_certificate /home/bitnami/certs/ca/cacert.pem;
    ssl_certificate_key /home/bitnami/certs/ca/private/cakey.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        root /var/www/nginx-default;
        index index.html index.htm;
    }
    location /examples {
        send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_pass https://ktpot:8443/examples;
    }
    location /cas {
        send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_pass https://ktpot:8443/cas;
    }
    location /doc {
        root /usr/share;
        autoindex on;
        # allow 127.0.0.1;
        # deny all;
    }
    location /images {
        root /usr/share;
        autoindex on;
    }
}
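As an added example (not code from the post), a small Python audit that flags the obsolete protocol and cipher settings in a server block like the one above and emits the hardened counterpart a reviewer would ask for. SAMPLE_CONFIG is constructed from the directives above; the replacement protocol list and cipher string in HARDENED are my own choices.

```python
import re

# Constructed sample: the TLS directives of the server block above.
SAMPLE_CONFIG = """server {
    listen 443;
    ssl on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}
"""
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string tokens that admit broken suites unless negated with "!".
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "RC4", "DES",
                      "MD5", "NULL", "aNULL", "eNULL", "ADH", "SSLv2"}
# Replacement values (my choice, not from the post): TLS 1.2+ with AEAD suites only.
HARDENED = {
    "ssl_protocols": "TLSv1.2 TLSv1.3",
    "ssl_ciphers": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                   "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
}

def directive(config, name):
    """Return the arguments of the first `name ...;` directive, or None."""
    m = re.search(r"^[ \t]*%s[ \t]+([^;]+);" % re.escape(name), config, re.M)
    return m.group(1).split() if m else None

def audit_tls(config):
    """List the settings a review of this server block would reject."""
    findings = []
    for proto in directive(config, "ssl_protocols") or []:
        if proto in OBSOLETE_PROTOCOLS:
            findings.append("ssl_protocols enables obsolete " + proto)
    for token in (directive(config, "ssl_ciphers") or [""])[0].split(":"):
        if token.startswith("!"):
            continue  # "!X" removes X from the list, which is what we want
        # "RC4+RSA" means suites using RC4 AND RSA, so any weak part taints it
        if any(part in WEAK_CIPHER_TOKENS for part in token.lstrip("+").split("+")):
            findings.append("ssl_ciphers admits weak suites via " + token)
    if directive(config, "ssl") == ["on"]:
        findings.append("'ssl on' is deprecated; use 'listen 443 ssl'")
    return findings

def harden(config):
    """Rewrite the two directives and move SSL onto the listen directive."""
    for name, value in HARDENED.items():
        config = re.sub(r"^([ \t]*)%s[ \t]+[^;]+;" % name,
                        r"\g<1>%s %s;" % (name, value), config, flags=re.M)
    config = re.sub(r"^[ \t]*ssl[ \t]+on;[ \t]*\n", "", config, flags=re.M)
    return re.sub(r"^([ \t]*listen[ \t]+443);", r"\1 ssl;", config, flags=re.M)
```

Running audit_tls on SAMPLE_CONFIG reports the three obsolete protocols, the four cipher tokens that re-admit RC4, LOW, SSLv2 and export suites, and the deprecated ssl directive; the same audit on harden(SAMPLE_CONFIG) returns nothing.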