Tuesday, January 7, 2014

Configuring Apache Tomcat with SSL Certificate

Refer to the Apache Tomcat Installation post for installing Apache Tomcat.

If Apache Tomcat is already installed, go to the conf folder and open the server.xml file.

Go to the following section:

<!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
  -->   
<Connector port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="8443" /> 



Comment out the whole section as follows, so that Tomcat no longer accepts plain HTTP on port 8080:


<!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
  -->

Now go to the following section:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" /> -->


Uncomment the connector (leaving the descriptive comment in place) as follows:


<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation   
 -->


 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />


Now add the path of the client.jks keystore and its password to the SSL connector using the keystoreFile and keystorePass attributes. Each attribute may appear only once in a connector: a repeated attribute (for example a second sslProtocol) makes server.xml invalid XML and Tomcat will refuse to start.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\Documents and Settings\Narendra\Desktop\testcsr\client.jks"
               keystorePass="test123" />
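The following script is an added example (not from the original post) that shows why the connector as originally printed in this post, with sslProtocol given twice, keeps Tomcat from starting: the XML parser rejects a duplicated attribute before Tomcat ever sees the configuration. It then audits the corrected connector for the attributes this section depends on. The server.xml fragment is constructed inline, and file_exists is injectable so the check runs without the real keystore.

```python
import os
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (added example, not the post's file): the HTTPS
# connector exactly as this post first printed it, including sslProtocol given twice.
BROKEN_SERVER_XML = r'''<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslProtocol="TLS"
           keystoreFile="C:\Documents and Settings\Narendra\Desktop\testcsr\client.jks"
           keystorePass="test123" />
</Service></Server>'''
# Same fragment with the duplicated attribute line removed.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace('\n           sslProtocol="TLS"', "", 1)

def parse_server_xml(text):
    """Return (root, None), or (None, reason) when the XML parser rejects the file,
    which is the same failure Tomcat's parser reports at startup."""
    try:
        return ET.fromstring(text), None
    except ET.ParseError as exc:
        return None, str(exc)

def audit_ssl_connectors(root, file_exists=os.path.exists):
    """Return findings for every SSLEnabled connector; file_exists is injectable for tests."""
    findings = []
    redirect_targets = {c.get("redirectPort") for c in root.iter("Connector")}
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"{port}: scheme/secure must be https/true or request.isSecure() is wrong")
        keystore = c.get("keystoreFile")
        if not keystore:
            findings.append(f"{port}: keystoreFile missing, Tomcat will look for ~/.keystore")
        elif not file_exists(keystore):
            findings.append(f"{port}: keystoreFile not found: {keystore}")
        if c.get("keystorePass"):
            findings.append(f"{port}: keystorePass is clear text, restrict read access to server.xml")
        if c.get("clientAuth", "false") == "true" and not c.get("truststoreFile"):
            findings.append(f"{port}: clientAuth=true without truststoreFile")
        if port not in redirect_targets:
            findings.append(f"{port}: no HTTP connector redirects here (check redirectPort)")
    return findings
```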

Deploy any web application and start the Apache Tomcat server.
Now try accessing the web application using the following URL:



Click on Proceed anyway to accept the certificate; the browser warns because it does not trust your own CA.
When you click on the lock near https in the address bar, the following window appears. Click on Certificate information and the Certificate window appears. As you can see, Issued to is example.com (the client) and Issued by is sspl.com, which is the Certificate Authority.



Import the CA certificate into the client keystore

Use the following command to import the CA certificate:


keytool -import -keystore client.jks -file new_ca.pem -alias theCARoot


Enter keystore password : test123

Import the signed certificate for the client's alias into the keystore. Here the alias is clientcls, the one used while creating the keystore client.jks; the alias must be the entry that holds the private key, otherwise keytool stores the certificate as a separate trusted entry instead of replacing the self-signed one.
Use the following command:
keytool -import -keystore client.jks -file client.cer -alias clientcls

Using CA to sign our CSR

Note that the CSR file generated in the previous tutorial has now reached the CA. The CA will sign it.

Here is the content of the CSR file named ClientCertificate_csr.pem:



Generate a signed certificate for the associated Certificate Signing Request.

The CA uses the following command to sign the CSR file:

openssl ca -config openssl.cnf -in certs/ClientCertificate_csr.pem -out client.cer -days 365

The above command creates a client.cer file; it also records the issued certificate in index.txt and newcerts/ and increments the serial file.
Note that the CA has placed ClientCertificate_csr.pem inside the certs folder of the X509CA directory, and the command is run from X509CA (the paths are relative to it).

Convert to PEM format
openssl ca writes a human-readable dump of the certificate before the PEM block. Use the following command to convert the generated client.cer to a PEM-only file:

openssl x509 -in client.cer -out CertName.pem -outform PEM



The CA has now signed the CSR and returns the signed certificate to the client.
Creating a Certificate Signing Request (CSR)

Download the Java Development Kit (JDK) and install it on your system. Add the bin directory of the JDK installation to your system PATH environment variable. The keytool command can then be run from any directory.


Open a command prompt and change your directory to the following location.



Now we will create a keystore using the keytool utility provided by the JDK.

Use the following command to create the keystore client.jks:
keytool -genkey -dname "CN=example.com, OU=SSPL OU, O=SSPL, ST=Maharashtra, C=IN" -validity 365 -alias clientcls  -keystore client.jks
Enter keystore password:
Re-enter new password:
Enter key password for
        (RETURN if same as keystore password):

Keystore password entered is: test123
Note that without a -keyalg option older keytool versions generate a DSA key (newer ones warn about or require -keyalg), and many TLS clients will not negotiate a DSA key; adding -keyalg RSA -keysize 2048 avoids that.
Some parts of the subject DN must match the values in the CA certificate (specified in the CA policy section of the openssl.cnf file).

The default openssl.cnf file requires the following entries to match:
Country Name (C)
State or Province Name (ST)
Organization Name (O)
Note that if you do not observe these constraints, the OpenSSL CA will refuse to sign the certificate.

Create a new certificate signing request (CSR) for the client.jks certificate as follows.
Use the following command to generate the CSR:
keytool -certreq -alias clientcls -file ClientCertificate_csr.pem -keystore client.jks
Enter the keystore password, test123.
Note also that the alias is clientcls, the one used while creating the keystore client.jks.


The above command generates a CSR file named ClientCertificate_csr.pem.



Content of ClientCertificate_csr.pem:



We will send the CSR file ClientCertificate_csr.pem to the CA for signing.


Creating our own Certificate Authority (CA)

Download the OpenSSL software and install it on your system. Add the bin directory of the OpenSSL installation to your system PATH environment variable. The openssl command can then be run from any directory.

Create the CA directory hierarchy


Create a new directory X509CA, to hold the new CA. This directory is used to hold all of the files associated with the CA.
Under the X509CA directory, create the following hierarchy of directories:
X509CA/ca
X509CA/certs
X509CA/newcerts
X509CA/crl

Create an openssl.cnf file in the X509CA directory and copy the following content into it:


#
# SSLeay example properties file.
# This is mostly being used for generation of certificate requests.
#

RANDFILE        = .rnd

####################################################################
[ ca ]
default_ca    = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir        = D:\\testssl\\X509CA    # Where everything is kept
certs      = $dir/certs  # Where issued certs are kept
crl_dir    = $dir/crl          # Where the issued crl are kept
database   = $dir/index.txt    # Database index file
new_certs_dir = $dir/newcerts  # Default place for new certs
   
certificate   = $dir/ca/new_ca.pem # The CA certificate
serial        = $dir/serial        # The current serial number
crl           = $dir/crl.pem       # The current CRL
private_key   = $dir/ca/new_ca_pk.pem  # The private key
RANDFILE      = $dir/ca/.rand

x509_extensions    = x509v3_extensions    # The extensions to add to the cert
default_days        = 365            # how long to certify for
default_crl_days    = 30            # how long before next CRL
default_md        = md5            # which md to use (md5 is the post's original value; it is broken for signatures and should be sha256 on any current OpenSSL)
preserve        = no            # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy        = policy_match

# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName        = match
organizationName        = match
organizationalUnitName    = optional
commonName            = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName            = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits        = 1024         # the post's original value; 2048 is the current minimum for RSA
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_min        = 2
countryName_max        = 2

stateOrProvinceName        = State or Province Name (full name)

localityName            = Locality Name (eg, city)

0.organizationName        = Organization Name (eg, company)

organizationalUnitName    = Organizational Unit Name (eg, section)

commonName            = Common Name (eg, your website's domain name)
commonName_max        = 64

emailAddress            = Email Address
emailAddress_max        = 40

[ req_attributes ]
challengePassword        = A challenge password
challengePassword_min    = 4
challengePassword_max    = 20

[ x509v3_extensions ]
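As an added example (not part of the original post or of OpenSSL), the check below applies the policy_match section from the openssl.cnf above to keytool -dname strings the same way openssl ca does, so a CSR whose C, ST or O differ from the CA certificate (the constraint noted in the CSR post) is caught before it is sent for signing. The CA DN is the one entered in this tutorial; the config fragment and any mismatching request DN are constructed.

```python
# Constructed fragment: the policy part of the openssl.cnf shown in this post.
OPENSSL_CNF = """
[ CA_default ]
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName        = match
organizationName        = match
organizationalUnitName    = optional
commonName            = supplied
emailAddress            = optional
"""
# keytool's short RDN keywords mapped to the long names used in the policy section
SHORT_TO_LONG = {"C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
                 "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName"}

def parse_cnf(text):
    """Minimal parser for the 'key = value' sections of an openssl.cnf ('#' comments dropped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def parse_dname(dname):
    """Turn 'CN=example.com, OU=SSPL OU, O=SSPL, ST=Maharashtra, C=IN' into {attribute: value}."""
    dn = {}
    for part in dname.split(","):
        key, value = (s.strip() for s in part.split("=", 1))
        dn[SHORT_TO_LONG.get(key, key)] = value
    return dn

def check_policy(cnf, ca_dn, req_dn):
    """Walk the active policy like 'openssl ca': 'match' fields must equal the CA certificate,
    'supplied' fields must be present, 'optional' fields are copied when present, and request
    fields not listed in the policy are dropped. Returns (refusal reasons, subject issued)."""
    reasons, issued = [], []
    for attr, rule in cnf[cnf["CA_default"]["policy"]].items():
        value = req_dn.get(attr)
        if rule == "match" and (value is None or value != ca_dn.get(attr)):
            reasons.append(f"{attr} must match the CA certificate ({ca_dn.get(attr)!r}), request has {value!r}")
        elif rule == "supplied" and value is None:
            reasons.append(f"{attr} must be supplied")
        if value is not None:
            issued.append((attr, value))
    return reasons, issued
```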








Now open a command prompt and change directory to X509CA.

In the X509CA directory, initialize two files, serial and index.txt
To initialize the serial file in Windows, enter the following command:

> echo 01 > serial


To create an empty index.txt file in Windows, start Notepad from the command line in the X509CA directory, as follows:

> notepad index.txt

In response to the dialog box with the text "Cannot find the index.txt file. Do you want to create a new file?", click Yes, then close Notepad.

These files are used by the CA to maintain its database of certificate files.
Note that the index.txt file must initially be completely empty, not even containing white space.


Create a self-signed CA certificate and private key
Create a new self-signed CA certificate and private key with the following command:

openssl req -x509 -new -config X509CA/openssl.cnf -days 365 -out X509CA/ca/new_ca.pem -keyout X509CA/ca/new_ca_pk.pem



The command prompts you for a pass phrase for the CA private key and details of the CA distinguished name.

We have entered pass phrase as:

welcometossl

Other details entered are as follows:

Country Name (2 letter code) []:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) []:Pune
Organization Name (eg, company) []:SSPL
Organizational Unit Name (eg, section) []:SSPL OU
Common Name (eg, your website's domain name) []:sspl.com
Email Address []:sspl@sspl.com

You must ensure that the file names and location of the CA certificate and private key, new_ca.pem and new_ca_pk.pem, are the same as the values specified in openssl.cnf (see the preceding step).







You are now ready to sign certificates with your CA.