Using OpenSSL to configure SSL Certificates for Apache Tomcat & Nginx

Procedure to create OpenSSL Certificate and configure it for Tomcat & Nginx. 

PS: OpenSSL tool to be installed in the server.

Configure the CA:

1. Setup the file structure for your CA

D: mkdir \certs 

mkdir \certs\ca 

cd \certs\ca 

mkdir certs private newcerts 

echo 1000 > serial 

2. Create a blank file called index.txt in

D:\certs\ca

 3. Copy openssl.cnf to your certs directory

4. Edit openssl.cnf and modify the following line in the CA section

dir=D:\certs\ca

 5. Edit openssl.cnf and modify the certificate defaults as appropriate for your environment

6. Create a CA with a 10-year certificate

D: cd \certs\ca 

openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private\cakey.pem -out cacert.pem -config D:\certs\openssl.cnf 

 7. To remove the pass phrase on RSA private key: --optional

openssl rsa -in private\cakey.pem -out private\cakeyout.pem à Take backup of cakey.pem and replace with cakeyout.pem

Create a host certificate:

1. Create a certificate request for tomcat

D: cd \certs\ca 

openssl req -new -nodes -out tomcathost-req.pem -keyout private\tomcathost-key.pem -config D:\certs\openssl.cnf 

To remove the pass phrase on RSA private key: --optional
openssl rsa -in private\tomcathost-key.pem -out private\tomcathost-key-out.pem à Take backup of tomcathost-key.pem and replace with tomcathost-key-out.pem

2. Sign the certificate request to create a 2-year certificate

openssl ca -days 730 -config D:\certs\openssl.cnf -out tomcathost-cert.pem -infiles tomcathost-req.pem 

Convert certificates to Java Key Store format:

1. Convert CA cert

openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER 

2. Convert tomcat host key and cert

openssl pkcs8 -topk8 -nocrypt -in private\tomcathost-key.pem -inform PEM -out private\tomcathost-key.der -outform DER 

openssl x509 -in tomcathost-cert.pem -inform PEM -out tomcathost-cert.der -outform DER 

3. Download ImportKey.class here and copy this file to

D:\certs\ca

4. Import the tomcathost key and cert in to a Java key store

java -Dkeystore=tomcathost.jks ImportKey private\tomcathost-key.der tomcathost-cert.der 

5. import the CA cert in to a Java trust store

keytool -importcert -alias CA -file cacert.der -keystore trust.jks 

Configure Tomcat to use the new certificate for SSL:

1. Copy trust.jks and tomcathost.jks to %CATALINA_BASE%\conf

2. Modify the SSL connector in server.xml to:

maxThreads="150" scheme="https" secure="true" 

clientAuth="false" sslProtocol="TLS" 

keystoreFile="${catalina.base}/conf/tomcathost.jks" 

keystorePass="importkey" 

truststoreFile="${catalina.base}/conf/trust.jks" 

truststorePass="changeit" 

   

In Nginx :

PS: Edit the default file available under sites-available directory in Nginx installation home.

# HTTPS server

#

server {

 listen   443; ## listen for ipv4

        server_name  www.ktpot.com;

ssl  on;

ssl_certificate  /home/bitnami/certs/ca/cacert.pem;

ssl_certificate_key  /home/bitnami/certs/ca/private/cakey.pem;

ssl_session_timeout  5m;

ssl_protocols  SSLv2 SSLv3 TLSv1;

ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

ssl_prefer_server_ciphers   on;

 location / {

                root   /var/www/nginx-default;

                index  index.html index.htm;

        }

location /examples {

   send_timeout 3600;

   proxy_read_timeout 3600;

   proxy_pass https://ktpot:8443/examples;

}

location /cas {

            send_timeout 3600;

            proxy_read_timeout 3600;

            proxy_pass https://ktpot:8443/cas;

        }

        location /doc {

                root   /usr/share;

                autoindex on;

#                allow 127.0.0.1;

 #               deny all;

        }

        location /images {

                root   /usr/share;

                autoindex on;

        }

}