Using OpenSSL to configure SSL Certificates for Apache Tomcat & Nginx

Procedure to create an OpenSSL certificate and configure it for Tomcat & Nginx.

PS: The OpenSSL tool must be installed on the server.

Configure the CA:

1. Set up the file structure for your CA
D: mkdir \certs 
mkdir \certs\ca 
cd \certs\ca 
mkdir certs private newcerts 
echo 1000 > serial 
2. Create a blank file called index.txt in
3. Copy openssl.cnf to your certs directory
4. Edit openssl.cnf and modify the following line in the CA section
5. Edit openssl.cnf and modify the certificate defaults as appropriate for your environment
6. Create a CA with a 10-year certificate
D: cd \certs\ca 
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private\cakey.pem -out cacert.pem -config D:\certs\openssl.cnf 
7. (Optional) Remove the pass phrase from the RSA private key:
openssl rsa -in private\cakey.pem -out private\cakeyout.pem
Then take a backup of cakey.pem and replace it with cakeyout.pem.

Create a host certificate:

1. Create a certificate request for Tomcat
D: cd \certs\ca 
openssl req -new -nodes -out tomcathost-req.pem -keyout private\tomcathost-key.pem -config D:\certs\openssl.cnf 

(Optional) Remove the pass phrase from the RSA private key:
openssl rsa -in private\tomcathost-key.pem -out private\tomcathost-key-out.pem
Then take a backup of tomcathost-key.pem and replace it with tomcathost-key-out.pem.

2. Sign the certificate request to create a 2-year certificate
openssl ca -days 730 -config D:\certs\openssl.cnf -out tomcathost-cert.pem -infiles tomcathost-req.pem 

Convert certificates to Java Key Store format:

1. Convert CA cert
openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER 
2. Convert the Tomcat host key and cert
openssl pkcs8 -topk8 -nocrypt -in private\tomcathost-key.pem -inform PEM -out private\tomcathost-key.der -outform DER 
openssl x509 -in tomcathost-cert.pem -inform PEM -out tomcathost-cert.der -outform DER 
3. Download ImportKey.class here and copy this file to
4. Import the tomcathost key and cert into a Java key store
java -Dkeystore=tomcathost.jks ImportKey private\tomcathost-key.der tomcathost-cert.der 
5. Import the CA cert into a Java trust store
keytool -importcert -alias CA -file cacert.der -keystore trust.jks 

Configure Tomcat to use the new certificate for SSL:

1. Copy trust.jks and tomcathost.jks to %CATALINA_BASE%\conf
2. Modify the SSL connector in server.xml so that it points at the two key stores copied in step 1 (port 8443 is the port the Nginx proxy_pass entries below forward to; set keystorePass to the password the key store was created with):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/tomcathost.jks"
           truststoreFile="${catalina.base}/conf/trust.jks" />

In Nginx:

PS: Edit the default file under the sites-available directory in the Nginx installation home.

# HTTPS server
server {
    listen 443; ## listen for ipv4

    ssl on;
    ssl_certificate /home/bitnami/certs/ca/cacert.pem;
    ssl_certificate_key /home/bitnami/certs/ca/private/cakey.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;

    location / {
        root /var/www/nginx-default;
        index index.html index.htm;
    }

    # forward the Tomcat web applications to the SSL connector on port 8443
    location /examples {
        send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_pass https://ktpot:8443/examples;
    }

    location /cas {
        send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_pass https://ktpot:8443/cas;
    }

    location /doc {
        root /usr/share;
        autoindex on;
        # allow;
        # deny all;
    }

    location /images {
        root /usr/share;
        autoindex on;
    }
}