Last active
August 7, 2018 23:11
-
-
Save yanokwa/399a7fcbc3d9ad8a0bd3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### SSL Part 1: Creating Java SSL KeyStore (JKS) | |
This is part one of a three-part series on how to configure a single SSL certificate for use on both Tomcat and Apache. I'll take you through creating a new Java KeyStore (JKS), submitting a Certificate Signing Request (CSR), and finally, importing the singed certificate into your KeyStore. | |
#### 1\. First, create a directory for your SSL files | |
# sudo mkdir /etc/my_ssl | |
#### 2\. Now change into that directory | |
# cd /etc/my_ssl | |
#### 3\. Create a new Java KeyStore file for our certificate | |
Note: You can replace **mysite** with whatever alias you choose, but I recommend leaving the command as is, so that the rest of the commands in this tutorial will work without modification. | |
# sudo keytool -genkey -alias mysite -keyalg RSA -keystore mysite.jks -keysize 2048 | |
Enter your information in the prompts, using the example below as a guide. Replace everything shown in red with your information. Also, make sure your domain contact info is visible on whois (i.e. domain privacy is disabled), and that it matches what you enter here, as the signing authority will use this information to verify that you own the domain. You can enable domain privacy after you install the signed certificate. | |
Enter keystore password: <span style="color: red;">changeit</span> | |
Re-enter new password: <span style="color: red;">changeit</span> | |
What is your first and last name? | |
[Unknown]: <span style="color: red;">your.domain.com</span> | |
What is the name of your organizational unit? | |
[Unknown]: <span style="color: red;">your dept</span> | |
What is the name of your organization? | |
[Unknown]: <span style="color: red;">business name</span> | |
What is the name of your City or Locality? | |
[Unknown]: <span style="color: red;">your city</span> | |
What is the name of your State or Province? | |
[Unknown]: <span style="color: red;">your state</span> | |
What is the two-letter country code for this unit? | |
[Unknown]: <span style="color: red;">your country code e.g. US</span> | |
After you enter all your information, you'll have an opportunity to verify it. | |
Is CN=your.domain.com, OU=your dept, O=business name, L=your city, ST=your state, C=US correct? [no]: <span style="color: red;">yes</span> | |
If all looks good, type **yes** and hit **ENTER.** | |
Enter key password for <mysite> | |
(RETURN if same as keystore password): | |
Hit **ENTER** one more time. | |
#### 4\. Generate a Certifice Signing Request (CSR) | |
Now that you've entered all of your info into the KeyStore, it's time to generate a CSR, which is what you will submit to the Certificate Authority for signing. | |
# sudo keytool -certreq -keyalg RSA -alias mysite -file mysite.csr -keystore mysite.jks | |
You should now see a file named mysite.csr in your /etc/my_ssl directory. | |
#### 5\. Submit your CSR | |
Open the mysite.csr file with the following command: | |
# sudo nano mysite.csr | |
The contents should look something like this: | |
-----BEGIN CERTIFICATE REQUEST----- | |
9n08hlgknu6874lk87noy... | |
more random characters | |
...r88errmvuinOIUNoi7yo7 | |
-----END CERTIFICATE REQUEST----- | |
Open a web browser, and go to your Certificate Authority's website. I recommend [GeoTrust](http://www.geotrust.com/) simply because I've had good experience using their certificates, and their documentation is fairly thourogh. | |
Go through the process of purchasing your certificate. When it comes time to enter your CSR text, copy the entire contents of your mysite.csr file into the text field in your browser, and finish the checkout process. | |
Once you receive the signed certificate, proceed to the next step. | |
#### 6\. Save your new certificate | |
You should receive and email with your signed certificate within 24 hours of submitting your CSR. This email will likely include a link where you can download your certificate, and should also include the certificate contents in plain text at the bottom of the email. For our purposes, this text is all we need. It looks something like this: | |
-----BEGIN CERTIFICATE----- | |
9n08hlgknu6874lk87noy... | |
more random characters | |
...r88errmvuinOIUNoi7yo7 | |
-----END CERTIFICATE----- | |
Run the following command to open the nano text editor, and create the mysite.cer file for your certificate: | |
# sudo nano mysite.cer | |
Copy the certificate text from your email, and paste it into your new file. | |
Press **Ctrl+X** to close nano. Press **Y** to confirm you want to save the file, then press **ENTER**. | |
#### 7\. Import your certificate into your KeyStore | |
Import your signed certificate into your Java Keystore file. | |
# sudo keytool -import -alias mysite -trustcacerts -file mysite.cer -keystore mysite.jks | |
#### 8\. Setting proper permissions for your KeyStore | |
Ensure that your KeyStore is readable with the following commmand: | |
# sudo chmod 644 /etc/my_ssl/mysite.jks | |
This will ensure that only root can edit the KeyStore, but other users can still read it. | |
If all went well, your are now ready to proceed to [SSL Part2: Configuring Tomcat 6 with Java KeyStore (JKS)](https://gist.github.com/yanokwa/15d4d9a81cd81e7fa0fb) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
how can i download the ssl and install it on my pc?
thanks