This blog will explain how to enable SSL on Tomcat7.x server on Linux.
Step 1: Generation of the key file.
How to generate the private key file using OpenSSL.
Prerequisites:
- OpenSSL
Run the following command to generate the key file.
openssl genrsa -out myapp.key 2048
The output of this command is a "myapp.key" file in the current directory; if you want to create the file in a different directory, give the file name together with its path. The last parameter is the size of the key to generate. I have used 2048 bits, which is considered secure, but you can use 4096 or a smaller value based on your need (keys shorter than 2048 bits are no longer recommended). This file is your private key: keep it readable only by the account that runs Tomcat (for example chmod 600) and never send it to the certificate authority.
openssl genrsa -out /app/key/myapp.key 2048
Step 2: Generation of the CSR file.
Once you have the key file you need to generate the CSR (certificate signing request) file, which is what you send to the certificate authority to get the signed public certificate.
To generate the CSR use the following command. It prompts for the subject fields; the Common Name must be the host name users will type into the browser, otherwise the browser will reject the certificate.
openssl req -new -key myapp.key -out myapp.csr
Step 3: Generation of the public certificate
After generating the CSR file, submit it to your certificate authority and get the certificate issued. Once you receive the public certificate you need to do the following steps. In my case I received a myapp.cer file.
Step 4: Create a PKCS12 keystore from the private key and the public certificate.
I executed the following openssl command to add my private key and the certificate to a PKCS12 keystore file. The -name value becomes the alias of the entry, and the export password you are prompted for becomes the password of the PKCS12 file.
openssl pkcs12 -export -name myservercert -in /app/cer/myapp.cer -inkey /app/key/myapp.key -out /app/keystore/keystore.p12
Step 5: Convert the PKCS12 keystore into a JKS keystore.
I executed the following command to convert the PKCS12 file into a JKS keystore that Tomcat can read. keytool prompts for the destination keystore password and the source (PKCS12) password; remember the destination password, because it goes into server.xml in the next step.
keytool -importkeystore -destkeystore /app/keystore/myappkeystore.jks -srckeystore /app/keystore/keystore.p12 -srcstoretype pkcs12 -alias myservercert
Now that the JKS keystore has been generated, the next step is to configure the Tomcat server to enable SSL.
Step 6: Change in <TOMCAT_HOME>/conf/server.xml
Uncomment the <Connector> element related to SSL and set the keystore attributes:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the BIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector SSLEnabled="true" clientAuth="false"
           keyPass="changeit"
           keystoreFile="conf/myappkeystore.jks"
           keystorePass="changeit"
           keystoreType="JKS"
           maxThreads="150" port="8443" protocol="HTTP/1.1"
           scheme="https" secure="true" sslProtocol="TLS"/>
A relative keystoreFile is resolved against the Tomcat base directory, so either copy /app/keystore/myappkeystore.jks into conf/ or put the absolute path in keystoreFile. keystorePass must be the destination keystore password you gave keytool in step 5, and keyPass the key password (the same value if you did not set a separate one); replace the default "changeit" with the real password rather than leaving the keystore protected by a well-known value.
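The whole procedure from step 1 to step 6, as an added example that is not part of the original post: a non-interactive shell script that builds the key, CSR, PKCS12 and JKS files, checks that the certificate really belongs to the key and that the JKS holds a private-key entry, and prints the matching Connector element. It assumes openssl and the JDK's keytool are on PATH; the working directory, host name, password and alias are constructed values. Because a real CA cannot be contacted offline, step 3 is stood in for by self-signing the CSR; in production replace that one line with the certificate file the CA returns.

```shell
#!/bin/sh
# Added example (not the blog's own script). Assumes openssl and keytool on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"                      # constructed working directory
KEY="$WORK/myapp.key"
CSR="$WORK/myapp.csr"
CER="$WORK/myapp.cer"
P12="$WORK/keystore.p12"
JKS="$WORK/myappkeystore.jks"
ALIAS="myservercert"
STOREPASS="${STOREPASS:-example-store-password}"  # constructed; never ship "changeit"

build_keystore() {
    # Step 1: private key, written with owner-only permissions (umask 077).
    umask 077
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    # Step 2: CSR. -subj supplies the subject so nothing prompts; CN = host name.
    openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=myapp.example.com/O=Example"
    # Step 3 stand-in: the real certificate comes back from the CA. Self-signing
    # here only lets the rest of the pipeline run offline.
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -out "$CER" 2>/dev/null
    # Step 4: bundle key + certificate into PKCS12 under the chosen alias.
    openssl pkcs12 -export -name "$ALIAS" -in "$CER" -inkey "$KEY" \
        -out "$P12" -passout "pass:$STOREPASS"
    # Step 5: convert to JKS. Store and key passwords are kept identical so
    # keystorePass and keyPass in server.xml can carry the same value.
    keytool -importkeystore -noprompt \
        -srckeystore "$P12" -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
        -destkeystore "$JKS" -deststoretype JKS -deststorepass "$STOREPASS" \
        -srcalias "$ALIAS" -destalias "$ALIAS" >/dev/null 2>&1
}

verify_keystore() {
    # The JKS must contain a PrivateKeyEntry under the alias Tomcat will use.
    keytool -list -keystore "$JKS" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
        | grep -q "PrivateKeyEntry"
}

cert_matches_key() {
    # Guard against bundling a certificate issued for a different key:
    # the RSA modulus in the certificate must equal the one in the private key.
    cert_mod=$(openssl x509 -noout -modulus -in "$CER" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null | openssl sha256)
    [ "$cert_mod" = "$key_mod" ]
}

print_connector() {
    # Step 6: Tomcat 7 JSSE connector for the keystore built above, with an
    # absolute keystoreFile path, a non-default password, and only TLSv1.2
    # enabled via the Tomcat 7 sslEnabledProtocols attribute.
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           keystoreFile="$JKS" keystoreType="JKS"
           keystorePass="$STOREPASS" keyPass="$STOREPASS"/>
EOF
}

# Usage: sh tomcat-keystore.sh run   (prints the Connector element on success)
if [ "${1:-}" = "run" ]; then
    build_keystore && verify_keystore && cert_matches_key && print_connector
fi
```

The verification functions are the part worth keeping around: a keystore whose certificate does not match the key, or whose entry was imported as a trusted certificate instead of a private-key entry, makes Tomcat fail at startup with an error that is far less obvious than these two checks.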