Enable SSL/TLS on your website
Enable SSL/TLS on your website using keytool
The "keytool" command takes you through the complete process of enabling SSL/TLS for your website. I will be talking only about JKS (Java KeyStore) files, which can be used with Java-based servers such as Apache Tomcat.
These steps should get you going:
1. Generate a key pair - private and public key (cert) along with a keystore (JKS file)
keytool -genkey -alias my_alias -keyalg RSA -keystore /home/me/mykeystore.jks -keysize 2048
This should ask you a bunch of questions: the keystore password, first and last name, organizational unit, organization, city or locality, state, and the two-letter country code.
The above step should create a file named 'mykeystore.jks' in the directory you specified. In my case, it is /home/me/mykeystore.jks. You can list the contents of this JKS file with the 'keytool' command by executing the following:
keytool -list -keystore /home/me/mykeystore.jks
2. Generate a CSR - Certificate Signing Request for the existing keystore (JKS)
keytool -certreq -alias my_alias -file /home/me/cert.csr -keystore /home/me/mykeystore.jks -sigalg SHA1withRSA
This command should ask you for the keystore password. Just enter the password you used in step #1.
The above step should create a file named 'cert.csr' enclosed in "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.
If you are planning (as you probably are) to obtain a signed cert, you need to submit this CSR to a provider such as VeriSign or Symantec. You pay them to sign it (visit the provider's website for exact instructions). Once they sign it, you get back a signed certificate; the signed certificate file will have a .cer extension. Let's call the cert you obtain verisigned.cer.
3. (2-step process) Import the certificates into your keystore
After you obtain the signed certificate, you need to add it to your keystore (i.e. /home/me/mykeystore.jks). keytool can import it for you.
3.1 Import the Root/Intermediate CA:
One important thing to note: before you add verisigned.cer (the signed certificate received from the provider) to the keystore, you need to add the provider's ROOT CA certificate (also called the CHAIN certificate) to the keystore. This should be available from the provider's public website; Symantec, for example, publishes it for download.
keytool -import -trustcacerts -alias Intermediate -keystore /home/me/mykeystore.jks -file intermediate.cer
Note: intermediate.cer is obtained from the provider (VeriSign, Symantec, etc.).
3.2 Install the signed SSL certificate:
You should now import the signed cert (verisigned.cer) into the same keystore, under the same alias as the key pair:
keytool -import -trustcacerts -alias my_alias -keystore /home/me/mykeystore.jks -file verisigned.cer
Finally, you can confirm the contents of your keystore with the same command mentioned in step #1:
keytool -list -keystore /home/me/mykeystore.jks
The above command should list all the imported certificates.
4. Use the JKS in your Tomcat application server
You can enable SSL via Tomcat's server.xml config file. server.xml is usually found at $TOMCAT_HOME/conf/server.xml.
An example:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" minProcessors="5"
           maxProcessors="75"
           enableLookups="false"
           acceptCount="10"
           connectionTimeout="60000" debug="0"
           scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS"
             keystoreFile="/home/me/mykeystore.jks"
             keystorePass="<Your_keystore_password>"/>
</Connector>
Restart the Tomcat server for the SSL configuration to take effect. You should now be presented with the SSL certificate when you visit your website at https://
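The four steps above, run end to end in one script as an added example (not from the original post): the keystore is generated non-interactively with -dname, the CSR is issued, and, since no commercial CA is reachable offline, a local stand-in CA keystore signs the CSR with keytool -gencert so that the two imports of step 3 can be exercised and verified. It assumes a JDK keytool (Java 7 or later) on PATH; the paths, alias names and password are constructed sample values.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes a JDK keytool (Java 7+) on PATH.
# The commercial CA is replaced by a local stand-in CA keystore (ca.jks) that signs the
# CSR with -gencert, so intermediate.cer and verisigned.cer here are constructed, not real.
set -eu
PASS="changeit"                                 # sample password, constructed
WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/mykeystore.jks"

build_keystore() {
  # Step 1: key pair + keystore; -dname answers the interactive questions.
  keytool -genkeypair -alias my_alias -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.example.com, OU=IT, O=Example, L=City, C=US" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
  # Step 2: CSR. SHA256withRSA rather than the post's SHA1withRSA; CAs reject SHA-1 now.
  keytool -certreq -alias my_alias -sigalg SHA256withRSA -file "$WORK/cert.csr" \
    -keystore "$KS" -storepass "$PASS"
  grep -q 'CERTIFICATE REQUEST-----' "$WORK/cert.csr"
  # Stand-in CA: self-signed CA cert (bc:c = critical BasicConstraints ca:true) signs the CSR.
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 -ext bc:c \
    -dname "CN=Stand-in CA, O=Example" -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -rfc -alias ca -keystore "$WORK/ca.jks" -storepass "$PASS" \
    -file "$WORK/intermediate.cer"
  keytool -gencert -alias ca -keystore "$WORK/ca.jks" -storepass "$PASS" -validity 365 \
    -ext san=dns:www.example.com -infile "$WORK/cert.csr" -outfile "$WORK/verisigned.cer" -rfc
  # Step 3.1: the CA/chain cert goes in first, as a trusted entry ...
  keytool -importcert -noprompt -trustcacerts -alias Intermediate \
    -file "$WORK/intermediate.cer" -keystore "$KS" -storepass "$PASS"
  # Step 3.2: ... so the signed reply can be chained to it when imported onto the key alias.
  keytool -importcert -noprompt -trustcacerts -alias my_alias \
    -file "$WORK/verisigned.cer" -keystore "$KS" -storepass "$PASS"
}

# Number of keystore entries (key entries + trusted certificates): expect 2.
keystore_entry_count() {
  keytool -list -keystore "$KS" -storepass "$PASS" | grep -c -E 'PrivateKeyEntry|trustedCertEntry'
}
# Certificate chain length stored under an alias: expect 2 (server cert + CA) for my_alias.
chain_length() {
  keytool -list -v -alias "$1" -keystore "$KS" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: *//p'
}

if command -v keytool >/dev/null 2>&1; then
  build_keystore
  echo "entries: $(keystore_entry_count), chain length for my_alias: $(chain_length my_alias)"
else
  echo "keytool not found; install a JDK to run this" >&2
fi
```

A chain length of 1 after step 3.2 means the reply was stored without its issuer, which is what you get when step 3.1 is skipped; browsers then see an incomplete chain even though the keystore lists both entries.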