Solution: Tomcat Standalone SSL with CA Certificate
We wrote a Java program to import the certificate and the key from a CA into the keystore. Here is a description of how it works. CAUTION: This is a description of how it works for us! We cannot guarantee anything with this procedure; usually it should work. But since we're dealing with SSL you should know what you are doing!
First install tomcat with ssl support. Documentation can be found here.
Here're the basics:
- First get the ImportKey.java file and check it for backdoors :-).
The source code description is translated and some bug fixes have been added - thanks to Jens Carlberg and Axel Nennker. API-Doc can be found here.
- This class imports a certificate into the keystore ($home/keystore.ImportKey). If the file already exists it will be deleted.
- Both key and certificate have to be available in DER format. The key must be encoded as PKCS#8. The certificate must be encoded as X.509. This should be standard from a CA.
Convert the key (we use openssl):
- openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der -outform der
Convert the certificate:
- openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform der
Now apply the java program:
- java comu.ImportKey YOUR.KEY.der YOUR.CERT.der
CAUTION: The old keystore will be deleted and replaced by the new one. At that point the keystore is not protected by any password! You can set a password using:
keytool -keypasswd and keytool -storepasswd
The keys will be stored under the alias importkey. You can change this with keytool -keyclone.
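As an added example (not the ImportKey.java distributed on this page), the same import written against the standard java.security API: it reads the PKCS#8 DER key and the X.509 DER certificate produced by the openssl commands above, checks that they belong together, and writes a keystore that is password-protected from the start instead of being unprotected until keytool -storepasswd is run. The class name, the alias "tomcat", the output path and the RSA-only check are this example's own choices.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.*;
import java.security.spec.*;
import java.util.*;

// Usage: java ImportPkcs8Key YOUR.KEY.der YOUR.CERT.der keystore.jks   (example code, assumes an RSA key)
public class ImportPkcs8Key {
    public static void main(String[] args) throws Exception {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage (needs a terminal for the password prompt): ImportPkcs8Key KEY.der CERT.der KEYSTORE");
            System.exit(2);
        }
        if (Files.exists(Paths.get(args[2]))) {
            System.err.println("refusing to overwrite existing " + args[2]); // never replace a keystore silently
            System.exit(1);
        }
        // Prompt for the password so it never appears on the command line or in shell history.
        char[] password = System.console().readPassword("Keystore/key password: ");

        // Unencrypted PKCS#8 DER, as produced by 'openssl pkcs8 -topk8 -nocrypt ... -outform der'.
        byte[] keyDer = Files.readAllBytes(Paths.get(args[0]));
        PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(keyDer));

        // X.509 DER certificate (a DER sequence of end-entity plus intermediates is also accepted).
        Certificate[] chain;
        try (InputStream in = new FileInputStream(args[1])) {
            Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
            chain = certs.toArray(new Certificate[0]);
        }
        if (chain.length == 0) throw new IllegalArgumentException("no certificate found in " + args[1]);

        // Sanity check before storing: the first certificate's public key must belong to this private key.
        RSAPublicKey pub = (RSAPublicKey) chain[0].getPublicKey();
        if (!pub.getModulus().equals(((RSAPrivateKey) key).getModulus()))
            throw new IllegalArgumentException("certificate does not match private key");

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty in-memory keystore
        ks.setKeyEntry("tomcat", key, password, chain);
        try (OutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password); // password-protected from the start; one password for store and key
        }
        System.out.println("imported " + chain.length + " certificate(s) under alias 'tomcat' into " + args[2]);
    }
}
```

The single password is the value the connector's keypass parameter below then has to carry; keytool -list -keystore keystore.jks shows the stored entry.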
The following Description is from Kevin Pang (thanks for it):
Tomcat standalone with SSL support, step by step (by Kevin Pang):
(My environment: RedHat 7.0, openssl 0.9.5a, JDK 1.3, Tomcat 3.2.1 and JSSE 1.02)
Before you do the following step, your tomcat should work well. :-)
- Download JSSE 1.02, copy the three jars in it (jsse.jar, jcert.jar, jcert.jar) to "%JAVA_HOME%/jre/lib/ext" and "%TOMCAT_HOME%/lib".
- Add this line:
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
in file %JAVA_HOME%/jre/lib/security/java.security
- %JAVA_HOME%/bin/keytool -genkey -alias tomcat -keyalg RSA
Use "changeit" as key password, you can leave all other parameters blank.
- openssl req -new -out REQ.pem -keyout KEY.pem
I still use "changeit" as pass phrase.
- openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
- openssl pkcs8 -topk8 -nocrypt -in KEY.pem -out KEY.der -outform der
- openssl x509 -in CERT.pem -out CERT.der -outform der
- Download ImportKey.java from www.comu.de/docs/tomcat_ssl.htm.
java comu.ImportKey KEY.der CERT.der
- Modify server.xml, suppose that you use the "tomcat" account.
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port" value="8443"/>
<Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" />
<Parameter name="keystore" value="/home/tomcat/.keystore" />
<Parameter name="keypass" value="changeit"/>
<Parameter name="clientAuth" value="false"/>
</Connector>
- Restart Tomcat. Now you can test https://hostname:8443/