@brccabral
Last active March 31, 2023 21:15

Keystore

  • Download Keystore Explorer

https://keystore-explorer.org/downloads.html

  • Get the certificate with private key

Download the certificate together with its private key as one PKCS#12 bundle:

Set the password (save it, we will need it later to open the bundle)
Make sure you select "Include CA chain", so the intermediate certificates travel with the server certificate
Choose format as "DER – P12" (this is a PKCS#12 file, usually named .p12 or .pfx)

  • Open KeyStore Explorer

  • Create a new KeyStore

  • Select JKS type

  • Select Import Key Pair

  • Select PKCS #12 as key pair type

  • It will ask for the password of the downloaded certificate

This is the password set when the PKCS#12 bundle was downloaded.

  • Enter an alias

Alias can be anything, I just left the suggested one. It only matters once a keystore holds more than one key pair: Tomcat picks the entry named by keyAlias, WildFly the one named by the alias attribute of its keystore element; with a single entry both use it automatically.

  • Choose a new password

Here is a new password. It can be the same as before, but I used a new one, and we will use it later. This password protects the private key entry inside the keystore, not the keystore file. If it differs from the password chosen when saving the keystore below, the server has to be given both (keyPass in Tomcat, key-password in WildFly), otherwise startup fails with "Cannot recover key". Using the same password for both avoids that.

  • The import should be successful

  • Click to save

  • It will ask to set another new password

Save this password to use in Tomcat or Jboss/Wildfly: it is the password of the keystore file (keystorePass in Tomcat, keystore-password in WildFly).

  • Save to your local machine

Some save as .keystore, but the usual extension is .jks. The extension is only a convention; the format is JKS because of the type selected above. Tomcat can also load the downloaded .p12 directly with keystoreType="PKCS12", which skips this conversion altogether.

  • Next steps export the certificate chain (.cer) and the private key (.key) as PEM files, the form Apache httpd reads.

  • Export certificate chain

  • Make sure to select Entire Chain, X.509, PEM and choose file location

Apache httpd 2.4.8+ takes the first certificate in that file as the server certificate and the ones after it as the chain, so one file is enough.

  • Export private key

  • Choose OpenSSL as private key type

  • Private key options

Uncheck Encrypt, make sure PEM is selected and choose a save location. The key is then stored unencrypted, so restrict the file to the account httpd runs as. If you prefer to keep it encrypted, mod_ssl can obtain the passphrase at startup through SSLPassPhraseDialog.
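The same steps from the command line, as an added example that is not part of the gist. It assumes openssl on PATH (keytool from a JDK only for the JKS step); host1.domain1, the three passwords and the file names are placeholders, the throwaway CA and leaf certificate are constructed here to stand in for the downloaded bundle, and WORK and RUN_DEMO are names of this example, not of any tool. It also adds the check a practitioner wants before copying files to a server: that the exported key really belongs to the exported certificate. One caveat on OpenSSL 3: its default PKCS#12 encryption is not readable by older Java releases, so if keytool or KeyStore Explorer reports a wrong password on a bundle made with it, rebuild the bundle with `-legacy` added to `openssl pkcs12 -export`.

```shell
#!/bin/sh
# Added example: the KeyStore Explorer steps above done with openssl and keytool.
# Not from the original gist. Assumes openssl on PATH; keytool (any JDK) only for
# the JKS step. Host name, passwords and file names are placeholders.
set -u

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="p12-download-password"   # password given when the PKCS#12 was downloaded
KEY_PASS="key-entry-password"      # KeyStore Explorer's "new password" on Import Key Pair
STORE_PASS="keystore-password"     # KeyStore Explorer's password when saving the keystore

# Constructed stand-in for the downloaded bundle: a throwaway CA, a leaf certificate for
# host1.domain1, and a PKCS#12 holding leaf + key + CA (the "Include CA chain" option).
make_test_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Constructed Test CA" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/host1.key" -out "$WORK/host1.csr" \
    -subj "/CN=host1.domain1" 2>/dev/null
  printf 'subjectAltName=DNS:host1.domain1\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/host1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.ext" -days 30 -out "$WORK/host1.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/host1.key" -in "$WORK/host1.crt" \
    -certfile "$WORK/ca.crt" -name host1 -passout "pass:$P12_PASS" -out "$WORK/host1.p12"
}

# Apache httpd inputs ("Export certificate chain" / "Export private key" above):
# a PEM file with the server certificate first and the chain after it, and the
# unencrypted PEM private key.
export_pem_from_p12() {
  openssl pkcs12 -in "$WORK/host1.p12" -passin "pass:$P12_PASS" -nokeys \
    -out "$WORK/host1.domain1.cer"
  openssl pkcs12 -in "$WORK/host1.p12" -passin "pass:$P12_PASS" -nocerts -nodes \
    -out "$WORK/host1.domain1.key"
  chmod 600 "$WORK/host1.domain1.key"   # unencrypted key: only the httpd user may read it
}

# Check that a PEM key belongs to the first certificate in a PEM file (the server cert).
# Compares the SubjectPublicKeyInfo of both, so it works for RSA and EC keys alike.
# Prints "match" or "mismatch"; exit status 0 or 1.
key_matches_cert() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo match; return 0
  fi
  echo mismatch; return 1
}

# Tomcat / WildFly keystore ("Import Key Pair" + "Save" above). JKS is what the gist uses;
# Tomcat also loads the .p12 directly with keystoreType="PKCS12", which avoids this step.
import_p12_to_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found (install a JDK)"; return 2; }
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/host1.p12" -srcstoretype PKCS12 -srcstorepass "$P12_PASS" \
    -srcalias host1 -destalias host1 \
    -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass "$STORE_PASS" \
    -destkeypass "$KEY_PASS"
  # KEY_PASS differs from STORE_PASS here on purpose: Tomcat then needs keyPass="...",
  # WildFly key-password="...", otherwise startup fails with "Cannot recover key".
  keytool -list -keystore "$WORK/keystore.jks" -storetype JKS -storepass "$STORE_PASS"
}

# Run the whole flow only when asked (RUN_DEMO=1 sh thisfile.sh).
if [ -n "${RUN_DEMO:-}" ]; then
  make_test_bundle && export_pem_from_p12 && \
    key_matches_cert "$WORK/host1.domain1.cer" "$WORK/host1.domain1.key" && import_p12_to_jks
fi
```

For a real bundle, skip make_test_bundle and point the other functions at the downloaded .p12; the key check is the one to keep in a deployment script, since a mismatched key and certificate is the most common reason a server refuses to start after a renewal.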

Jboss / Wildfly

Copy keystore.jks into the server's configuration directory (standalone/configuration, which is what relative-to="jboss.server.config.dir" resolves to in the snippet below).

Set ${keystore.name} to your .jks file name and ${keystore.password} to the keystore password (the one chosen when saving in KeyStore Explorer). If the key pair was given a different password on import, add key-password="..." to the keystore element as well. Both values sit in standalone.xml in clear text, so keep that file readable only by the service account; WildFly's Elytron credential store is the supported way to move such secrets out of the configuration file.

Edit file jboss\standalone\configuration\standalone.xml

...
<system-properties>
    ...
    <property name="keystore.name" value="keystore.jks"/>
    <property name="keystore.password" value="strong_and_complicated_password"/>
    ...
</system-properties>

<management>
    <security-realms>
    ...
        <security-realm name="SslRealm">
            <server-identities>
                <ssl>
                    <keystore path="${keystore.name}" relative-to="jboss.server.config.dir" keystore-password="${keystore.password}"/>
                </ssl>
            </server-identities>
        </security-realm>
    ...
    </security-realms>
...
</management>
...

Tomcat

Copy keystore.jks into tomcat/conf. Relative paths in keystoreFile are resolved against $CATALINA_BASE, so the file is referenced as conf/keystore.jks.

Edit file tomcat\conf\server.xml

...
<Service ...>
...
<!-- JSSE connector using the .jks from KeyStore Explorer. redirectPort belongs on the
     plain-HTTP connector (port 80, redirectPort="443"), not on the HTTPS connector.
     Add keyPass="..." here only if the key pair password differs from keystorePass. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="20"
           minSpareThreads="20"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="conf/keystore.jks"
           keystorePass="strong_and_complicated_password" />
...
<!-- Native (APR/OpenSSL) connector serving two host names via SNI. All TLS settings live in
     the per-host SSLHostConfig elements (the Tomcat 8.5+ form). The connector-level SSL
     attributes from the original are the deprecated pre-8.5 form and, combined with an
     SSLHostConfig for the same default host, are rejected at startup as a duplicate host
     name, so they are dropped here. TLSv1/TLSv1.1 and the RC4 suites are removed from the
     original lists: both are deprecated (RFC 8996, RFC 7465) and flagged by every scanner. -->
<Connector 
	port="443" 
	protocol="org.apache.coyote.http11.Http11AprProtocol" 
	maxThreads="150" 
	minSpareThreads="25" 
	SSLEnabled="true" 
	scheme="https" 
	secure="true" 
	enableLookups="false" 
	disableUploadTimeout="true" 
	acceptCount="400" 
	URIEncoding="UTF-8" 
	defaultSSLHostConfigName="host1.domain1" 
	>
	<SSLHostConfig 
		hostName="host1.domain1" 
		protocols="TLSv1.2" 
		ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" 
		>
		<Certificate 
			certificateFile="${catalina.base}/conf/host1.domain1.cer" 
			certificateKeyFile="${catalina.base}/conf/host1.domain1.key" />
	</SSLHostConfig>
	<SSLHostConfig 
		hostName="host2.domain2" 
		protocols="TLSv1.2" 
		ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" 
		>
		<Certificate 
			certificateFile="${catalina.base}/conf/host2.domain2.cer" 
			certificateKeyFile="${catalina.base}/conf/host2.domain2.key" />
	</SSLHostConfig>
</Connector>
...
</Service>
...

Apache Httpd

Export the certificate chain (.cer) and the private key (.key) as PEM files, as described in the Keystore section above, and copy them to the server.

Edit file Apache24\conf\extra\httpd-ssl.conf or Apache24\conf\extra\httpd-ahssl.conf

Inside <VirtualHost>, set SSLCertificateFile and SSLCertificateKeyFile. Since httpd 2.4.8 the intermediate certificates contained in SSLCertificateFile are used as the chain, so SSLCertificateChainFile is not needed (it is deprecated). The snippet sets no protocol or cipher policy, so add SSLProtocol and SSLCipherSuite lines next to SSLEngine on that exclude TLSv1 and TLSv1.1, and keep the unencrypted .key readable only by the account httpd runs as.

...
<VirtualHost *:80> 
	...
	ServerName host1.domain1

	Redirect permanent / https://host1.domain1:443/
	...
</VirtualHost>

<VirtualHost *:80> 
	...
	ServerName host2.domain2

	Redirect permanent / https://host2.domain2:443/
	...
</VirtualHost>

Define CERT_PATH "D:/Apache24/conf"

<VirtualHost *:443>
	...
	ServerName host1.domain1
	SSLEngine on
	SSLCertificateFile "${CERT_PATH}/host1.domain1.cer"
	SSLCertificateKeyFile "${CERT_PATH}/host1.domain1.key"

	Include conf/extra/extra_config.conf
	...
</VirtualHost>

<VirtualHost *:443>
	...
	ServerName host2.domain2
	SSLEngine on
	SSLCertificateFile "${CERT_PATH}/host2.domain2.cer"
	SSLCertificateKeyFile "${CERT_PATH}/host2.domain2.key"

	Include conf/extra/extra_config.conf
	...
</VirtualHost>
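Once Tomcat or httpd has been restarted with the settings above, the check below verifies from the outside what the configuration is meant to achieve: each SNI name returns its own certificate, and TLS 1.0 and 1.1 are refused. This is an added example, not part of the gist; it assumes openssl's s_client on PATH, takes host1.domain1, host2.domain2 and port 443 from the configs above as placeholders, and the TLS_CHECK_HOST / TLS_CHECK_PORT variables and the two abridged transcripts are this example's own constructions.

```shell
#!/bin/sh
# Added example: post-deployment TLS check for the Tomcat and Apache httpd hosts above.
# Not from the original gist. Assumes openssl on PATH and a reachable server; host names
# and port are placeholders taken from the configs above.
set -u

# Reduce one `openssl s_client` transcript to "accepted <protocol> <cipher>" or "rejected".
# s_client always prints a "New, <proto>, Cipher is <cipher>" line; after a failed handshake
# both fields read "(NONE)".
classify_handshake() {
  line=$(sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
  case "$line" in
    ""|"(NONE)"*) echo rejected; return 1 ;;
    *) echo "accepted $line"; return 0 ;;
  esac
}

# Subject of the certificate the server presented (empty if it presented none).
served_subject() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | \
    openssl x509 -noout -subject 2>/dev/null
}

# Try one protocol version against one SNI name: $1 host, $2 port, $3 sni, $4 s_client flag.
probe() {
  host="$1"; port="$2"; sni="$3"; flag="$4"
  out=$(openssl s_client -connect "$host:$port" -servername "$sni" "$flag" </dev/null 2>&1)
  printf '%-14s %-8s ' "$sni" "$flag"
  printf '%s\n' "$out" | classify_handshake
}

# Walk every host name from server.xml / httpd.conf. Expected with the configs above:
# -tls1 and -tls1_1 rejected, -tls1_2 accepted, -tls1_3 only if the server enables it,
# and each name answering with its own certificate. A "rejected" can also mean this
# client refused the old version itself (OpenSSL 3 at security level 2 does), so read
# the transcript's error text before blaming the server.
check_hosts() {
  host="$1"; port="$2"; shift 2
  for sni in "$@"; do
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
      probe "$host" "$port" "$sni" "$flag" || true
    done
    printf '%-14s serves: %s\n' "$sni" \
      "$(openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null | served_subject)"
  done
}

# Constructed, abridged s_client transcripts so the classifier can be exercised offline.
SAMPLE_OK='---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Live run only when asked: TLS_CHECK_HOST=203.0.113.10 sh thisfile.sh
if [ -n "${TLS_CHECK_HOST:-}" ]; then
  check_hosts "$TLS_CHECK_HOST" "${TLS_CHECK_PORT:-443}" host1.domain1 host2.domain2
fi
```

Run it against the server's address rather than the DNS name, with the names passed as SNI values, so the check also works before DNS is switched over; a name that comes back with the default host's certificate means that SSLHostConfig (or VirtualHost) was not matched.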