Using OpenSSL to configure SSL Certificates for Apache Tomcat & Nginx

Procedure to create an OpenSSL certificate authority and host certificate and configure them for Tomcat and Nginx.


Note: the OpenSSL tool must be installed on the server.

Configure the CA:

1. Set up the file structure for your CA:
D:
mkdir \certs
mkdir \certs\ca
cd \certs\ca
mkdir certs private newcerts
echo 1000 > serial
2. Create a blank file called index.txt in D:\certs\ca
3. Copy openssl.cnf to your certs directory (D:\certs)
4. Edit openssl.cnf and modify the following line in the CA section:
dir=D:\certs\ca
5. Edit openssl.cnf and modify the certificate defaults as appropriate for your environment
6. Create a CA with a 10-year certificate:
D:
cd \certs\ca
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private\cakey.pem -out cacert.pem -config D:\certs\openssl.cnf
7. (Optional) Remove the pass phrase from the RSA private key:
openssl rsa -in private\cakey.pem -out private\cakeyout.pem
Take a backup of cakey.pem and replace it with cakeyout.pem.

Create a host certificate:

1. Create a certificate request for Tomcat:
D:
cd \certs\ca
openssl req -new -nodes -out tomcathost-req.pem -keyout private\tomcathost-key.pem -config D:\certs\openssl.cnf

(Optional) Remove the pass phrase from the RSA private key:
openssl rsa -in private\tomcathost-key.pem -out private\tomcathost-key-out.pem
Take a backup of tomcathost-key.pem and replace it with tomcathost-key-out.pem.

2. Sign the certificate request to create a 2-year certificate:
openssl ca -days 730 -config D:\certs\openssl.cnf -out tomcathost-cert.pem -infiles tomcathost-req.pem

Convert certificates to Java Key Store format:

1. Convert the CA cert:
openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER 
2. Convert the Tomcat host key and cert:
openssl pkcs8 -topk8 -nocrypt -in private\tomcathost-key.pem -inform PEM -out private\tomcathost-key.der -outform DER 
openssl x509 -in tomcathost-cert.pem -inform PEM -out tomcathost-cert.der -outform DER 
3. Download ImportKey.class here and copy this file to D:\certs\ca
4. Import the tomcathost key and cert into a Java key store:
java -Dkeystore=tomcathost.jks ImportKey private\tomcathost-key.der tomcathost-cert.der
5. Import the CA cert into a Java trust store:
keytool -importcert -alias CA -file cacert.der -keystore trust.jks
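The CA and host-certificate procedure above, and the keystore conversion that follows it, as one added, runnable example that is not part of the original post. It builds the same CA database layout (serial, index.txt, dir=...) with a self-contained openssl.cnf, issues a 10-year CA and a 2-year CA-signed host certificate, and then packages the host key and certificate as a PKCS12 keystore, which Tomcat can load directly (keystoreFile pointing at the .p12 with keystoreType="PKCS12"), so the third-party ImportKey.class step is not needed. It goes beyond the post in two ways: the host certificate carries a subjectAltName, which current browsers require, and the leaf certificate gets serverAuth key usage. The host name, directory layout, subject names and the "changeit" password are assumptions; the CA key is written unencrypted (-nodes), which is what the post's optional "remove the pass phrase" step achieves after the fact.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + CA-signed host cert
# using the same serial/index.txt CA database the post describes, then a
# PKCS12 keystore for Tomcat. Host name and paths are assumptions.
set -eu

# make_pki <workdir> <hostname>
#   <workdir>/ca/...                  CA database, cacert.pem, private/cakey.pem
#   <workdir>/<hostname>-key.pem      host private key (unencrypted)
#   <workdir>/<hostname>-cert.pem     2-year host certificate signed by the CA
#   <workdir>/<hostname>-chain.pem    host cert followed by CA cert (for nginx)
#   <workdir>/<hostname>.p12          PKCS12 keystore for Tomcat (password: changeit)
make_pki() {
  workdir=$1
  host=$2
  ca="$workdir/ca"

  # Steps 1-2 of the post: directory layout, starting serial, empty index.txt
  mkdir -p "$ca/certs" "$ca/private" "$ca/newcerts"
  chmod 700 "$ca/private"
  echo 1000 > "$ca/serial"
  : > "$ca/index.txt"

  # Steps 3-5: a minimal openssl.cnf whose dir= points at the CA directory.
  # $ca is expanded now; \$dir stays literal for OpenSSL to resolve.
  cat > "$workdir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $ca
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 730
policy = policy_cn
copy_extensions = copy

[ policy_cn ]
commonName = supplied

[ req ]
distinguished_name = req_dn
default_md = sha256
prompt = no

[ req_dn ]
commonName = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # Step 6: 10-year self-signed CA certificate (-subj overrides the placeholder CN)
  openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Example Private CA" \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
    -config "$workdir/openssl.cnf"

  # Host certificate request; the SAN is what clients match against the host name
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$workdir/$host-key.pem" -out "$workdir/$host-req.pem" \
    -config "$workdir/openssl.cnf"

  # Sign for 2 years; copy_extensions keeps the SAN, v3_server marks it a leaf
  openssl ca -batch -days 730 -config "$workdir/openssl.cnf" -extensions v3_server \
    -out "$workdir/$host-cert.pem" -infiles "$workdir/$host-req.pem"

  # Chain file for nginx: leaf first, then the issuing CA
  cat "$workdir/$host-cert.pem" "$ca/cacert.pem" > "$workdir/$host-chain.pem"

  # PKCS12 keystore (key + cert + CA) that Tomcat reads with keystoreType="PKCS12"
  openssl pkcs12 -export -name tomcat \
    -inkey "$workdir/$host-key.pem" -in "$workdir/$host-cert.pem" \
    -certfile "$ca/cacert.pem" \
    -out "$workdir/$host.p12" -passout pass:changeit
}

# verify_chain <workdir> <hostname>: exit status 0 only if the host cert chains to the CA
verify_chain() {
  openssl verify -CAfile "$1/ca/cacert.pem" "$1/$2-cert.pem"
}

# Usage: sh pki.sh /path/to/workdir tomcathost.example
if [ "$#" -ge 2 ]; then
  make_pki "$1" "$2"
  verify_chain "$1" "$2"
fi
```

Note that verify_chain is the check worth keeping in a deployment script: a certificate that was signed by the wrong CA or whose key does not match shows up here, before Tomcat or nginx is restarted with it.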

Configure Tomcat to use the new certificate for SSL:

1. Copy trust.jks and tomcathost.jks to %CATALINA_BASE%\conf
2. Modify the SSL connector in server.xml to:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/tomcathost.jks"
           keystorePass="importkey"
           truststoreFile="${catalina.base}/conf/trust.jks"
           truststorePass="changeit" />


In Nginx:

Note: edit the default file under the sites-available directory in the Nginx installation home.

# HTTPS server
#
server {
        listen   443; ## listen for ipv4
        server_name  www.ktpot.com;

        ssl  on;
        ssl_certificate  /home/bitnami/certs/ca/cacert.pem;
        ssl_certificate_key  /home/bitnami/certs/ca/private/cakey.pem;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                root   /var/www/nginx-default;
                index  index.html index.htm;
        }

        location /examples {
                send_timeout 3600;
                proxy_read_timeout 3600;
                proxy_pass https://ktpot:8443/examples;
        }

        location /cas {
                send_timeout 3600;
                proxy_read_timeout 3600;
                proxy_pass https://ktpot:8443/cas;
        }

        location /doc {
                root   /usr/share;
                autoindex on;
#                allow 127.0.0.1;
#                deny all;
        }

        location /images {
                root   /usr/share;
                autoindex on;
        }
}
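The same server block as an added, hardened example (this is not the original post's configuration). Three things in the block above are worth correcting in a deployment. First, ssl_certificate and ssl_certificate_key point at the CA's own cacert.pem and cakey.pem: that puts the CA signing key on the web server, where a compromise lets an attacker issue certificates for anything, and a CA certificate presented as a leaf does not name the site, so clients will reject it. The host certificate and key from the host-certificate section belong here instead, with the CA cert appended after the leaf so clients receive the chain. Second, SSLv2, SSLv3 and the +LOW/+EXP/SSLv2 cipher groups are broken and are refused by current clients; TLS 1.2 and 1.3 with AEAD suites replace them. Third, the /doc location has directory listing on with its allow/deny lines commented out. Paths, the host name www.ktpot.com, the upstream name ktpot and the chain-file name are taken from or modelled on the post and are assumptions.

```nginx
# Added hardened example, not the original post's config. Assumes the host
# certificate and key created in the host-certificate section, and a chain
# file built as: cat tomcathost-cert.pem cacert.pem > tomcathost-chain.pem
server {
        listen 443 ssl;                 # "ssl on;" is deprecated; enable it on the listen
        server_name www.ktpot.com;

        # Host (leaf) certificate plus CA cert, and the HOST key, never cakey.pem
        ssl_certificate     /home/bitnami/certs/ca/tomcathost-chain.pem;
        ssl_certificate_key /home/bitnami/certs/ca/private/tomcathost-key.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;  # with AEAD-only suites, let the client pick
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:10m;

        location / {
                root  /var/www/nginx-default;
                index index.html index.htm;
        }

        location /examples {
                send_timeout 3600;
                proxy_read_timeout 3600;
                proxy_pass https://ktpot:8443/examples;
                # Verify Tomcat's certificate against the private CA instead of
                # accepting any certificate on the back-end hop
                proxy_ssl_trusted_certificate /home/bitnami/certs/ca/cacert.pem;
                proxy_ssl_verify on;
                proxy_ssl_name ktpot;
        }

        location /cas {
                send_timeout 3600;
                proxy_read_timeout 3600;
                proxy_pass https://ktpot:8443/cas;
                proxy_ssl_trusted_certificate /home/bitnami/certs/ca/cacert.pem;
                proxy_ssl_verify on;
                proxy_ssl_name ktpot;
        }

        location /doc {
                root /usr/share;
                autoindex off;          # no directory listings
                allow 127.0.0.1;
                deny all;
        }

        location /images {
                root /usr/share;
                autoindex off;
        }
}
```

Run "nginx -t" after editing and, for a quick check of what the server actually offers, "openssl s_client -connect www.ktpot.com:443 -servername www.ktpot.com": the certificate chain printed should start with the host certificate, not the CA certificate, and the negotiated protocol should be TLSv1.2 or TLSv1.3.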
