

These documents are obsolete; please use the Nethence Documentation instead.


OpenSSL notes
 
Creating a certificate request for Tomcat
Note. This can be done as a regular user, in the Tomcat configuration folder; you don't have to be root.
 
Create a Java keystore for Tomcat,
mkdir newcert/
cd newcert/
keytool -keysize 2048 -genkeypair -alias tomcat -keyalg RSA -keystore keystore.jks 
Enter keystore password: PASSWORD 
Re-enter new password: PASSWORD 
What is your first and last name?
[Unknown]: *.example.com 
What is the name of your organizational unit?
[Unknown]: unit 
What is the name of your organization?
[Unknown]: company 
What is the name of your City or Locality?
[Unknown]: city 
What is the name of your State or Province?
[Unknown]: region 
What is the two-letter country code for this unit?
[Unknown]: FR 
Is CN=*.example.com, OU=unit, O=company, L=city, ST=region, C=FR correct?
[no]: yes

Enter key password for <tomcat>
(RETURN if same as keystore password): return 
Note. -genkey was renamed to -genkeypair in recent JDKs.
 
Generate a tomcat certificate request,
keytool -certreq -keyalg RSA -alias tomcat -file rapidssl.csr -keystore keystore.jks -sigalg SHA1withRSA
Note. -sigalg SHA1withRSA is not required by GoDaddy, but RapidSSL/Trustico ask for it.
 
You can then check your Java keystore whenever you want,
keytool -v -list -keystore keystore.jks -storepass PASSWORD 
 
Note. You can rename the keystore.jks file afterwards.
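The same keystore and CSR steps without the interactive prompts, followed by a check of the CSR with openssl before it goes to the CA. This is an added example, not part of the original notes; it assumes keytool (from the JDK) and openssl are in PATH, and KEYSTORE_PASS, unit, company, city and region are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: the keytool steps above
# without the interactive prompts, plus a check of the CSR with openssl
# before it is sent to the CA. Assumes keytool (from the JDK) and openssl
# are in PATH; KEYSTORE_PASS, "unit", "company" etc. are placeholders.
set -eu

# -dname replaces the questions keytool asks, -storepass/-keypass the
# password prompts (both set to the same value, as in the notes).
make_tomcat_csr() {
    store=$1 csr=$2 cn=$3 pass=${4:-KEYSTORE_PASS}
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$store" -storepass "$pass" -keypass "$pass" \
        -dname "CN=$cn, OU=unit, O=company, L=city, ST=region, C=FR"
    # SHA256withRSA unless the CA asks for SHA1withRSA as noted above
    keytool -certreq -alias tomcat -keystore "$store" -storepass "$pass" \
        -sigalg "${SIGALG:-SHA256withRSA}" -file "$csr"
}

# Returns 0 only if the CSR signature verifies, the CN is the one
# requested and the key has the expected size; otherwise returns 1.
check_csr() {
    csr=$1 want_cn=$2 want_bits=${3:-2048}
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    subj=$(openssl req -in "$csr" -noout -subject)
    case "$subj" in
        *"CN = $want_cn"*|*"CN=$want_cn"*) ;;
        *) return 1 ;;
    esac
    openssl req -in "$csr" -noout -text | grep -q "Public-Key: ($want_bits bit)"
}
```

Run make_tomcat_csr keystore.jks rapidssl.csr '*.example.com' and then check_csr rapidssl.csr '*.example.com' before uploading the request.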
 
Refs.
https://fr.godaddy.com/help/generation-dune-demande-de-certificat-et-installation-dun-certificat-ssl-avec-tomcat-4x5x6x7x-5239
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13990
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6506&actp=search&viewlocale=en_US&searchid=1270237704682
 
Enabling the signed certificate in the keystore
Once the request is approved, the CA sends back two files: their own CA certificate and your signed certificate.
 
First, import the Certificate Authority into the keystore,
keytool -import -trustcacerts -alias root -file Issuing_CA.crt -keystore svrkeystore.jks 
 
Then, import your signed certificate,
keytool -import -trustcacerts -alias tomcat -file server.crt -keystore svrkeystore.jks 
 
Ref. NIMS-SysAdmin_V4.2_v1.00.pdf
 
Converting a Tomcat SSL certificate to Apache
You need openssl and keytool (shipped with the JDK),
apt-get install openssl openjdk-7-jdk
 
Convert the keystore,
keytool -importkeystore -srckeystore svrkeystore.jks -destkeystore svrkeystore-convert.jks -deststoretype PKCS12 -srcstorepass PASSWORD -deststorepass PASSWORD -srcalias tomcat -destalias tomcat -noprompt
ls -l svrkeystore-convert.jks
Note. If you need to change the key passphrase, add -srckeypass [original_alias_password] -destkeypass [new_password]. The keystore requires it to be 6 characters long, so we will remove it anyway once the PEM key has been extracted.
 
Extract the private key from the PKCS12 file for Apache,
openssl pkcs12 -in svrkeystore-convert.jks -nocerts -out privatekey.pem 
Enter Import Password: (keystore password) 
Enter PEM pass phrase: (tomcat alias passphrase in the keystore) 
check,
cat privatekey.pem 
 
Extract the certificate (public part) from the PKCS12 file for Apache,
openssl pkcs12 -in svrkeystore-convert.jks -clcerts -nokeys -out publicCert.pem 
check,
cat publicCert.pem 
 
Remove the passphrase so Apache can be restarted without prompting for one,
openssl rsa -in privatekey.pem -out privatekey.nopass.pem 
 
Refs.
How to move an SSL certificate from Tomcat to Apache
Outils pratiques pour certificats SSL Convertir votre Certificat SSL
Remove the passphrase from an existing OpenSSL key file
 
Self-signed certificate
Create a self-signed certificate,
mkdir ssl/
cd ssl/
openssl genrsa -out cert.key 2048
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf
dir = ./certs
default_days = 3650
default_bits = 2048
countryName_default = FR
stateOrProvinceName_default = IDF
localityName_default = Paris
#0.organizationName_default =
openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256
Country Name (2 letter code) [FR]:
State or Province Name (full name) [IDF]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) []:YOUR_COMPANY
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mail.example.net
Email Address []:root@example.net
Ref. https://www.freebsd.org/doc/handbook/openssl.html
 
Creating a self-signed certificate (old doc)
Deploy the OpenSSL configuration example (NetBSD path),
cd /etc/openssl/
cp /usr/share/examples/openssl/openssl.cnf .
 
Generate the private key,
cd /etc/openssl/
openssl genrsa -des3 -out server.key 1024
Note. The passphrase will be removed afterwards.
 
Generate a Certificate Signing Request,
cd /etc/openssl/
openssl req -new -key server.key -out server.csr
Note. At the end, leave the challenge password empty.
Note. At the end, leave the optional company name empty.
 
Remove Passphrase from Key,
mv server.key server.key.pass
openssl rsa -in server.key.pass -out server.key
 
Generate the self-signed certificate,
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
 
You now have these files available:
/etc/openssl/server.crt
/etc/openssl/server.key
 
Refs.
http://www.akadia.com/services/ssh_test_certificate.html
http://gagravarr.org/writing/openssl-certs/others.shtml
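One script covering the two self-signed sections above (key, request and certificate in a single non-interactive command, with -subj supplying what the openssl.cnf defaults and prompts provided) and the PKCS12 extraction of the Tomcat-to-Apache section, with the checks worth running before handing the files to Apache. This is an added example, not part of the original notes; the mail.example.net host, the passwords and the directory names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: the self-signed
# certificate of the two sections above in one command (-subj supplies
# the answers the openssl.cnf defaults and prompts provided), then the
# PKCS12 extraction of the Tomcat-to-Apache section with the checks worth
# running before handing the files to Apache. Names, passwords and the
# mail.example.net host are constructed placeholders.
set -eu

# Key and self-signed certificate in one step. The SAN is added because
# clients match the host name against subjectAltName, not the CN.
make_selfsigned() {
    dir=$1 cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/cert.key" -out "$dir/cert.crt" \
        -subj "/C=FR/ST=IDF/L=Paris/O=YOUR_COMPANY/CN=$cn" \
        -addext "subjectAltName=DNS:$cn" 2>/dev/null
}

# The two openssl pkcs12 calls and the openssl rsa call of the Apache
# section, with the passwords passed on the command line instead of
# typed at the prompts; TEMPPASS only protects the intermediate file.
extract_from_pkcs12() {
    p12=$1 dir=$2 storepass=$3
    openssl pkcs12 -in "$p12" -nocerts -out "$dir/privatekey.pem" \
        -passin "pass:$storepass" -passout pass:TEMPPASS
    openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$dir/publicCert.pem" \
        -passin "pass:$storepass"
    openssl rsa -in "$dir/privatekey.pem" -passin pass:TEMPPASS \
        -out "$dir/privatekey.nopass.pem" 2>/dev/null
    chmod 600 "$dir/privatekey.pem" "$dir/privatekey.nopass.pem"
}

# Returns 0 only if the key file is unencrypted (Apache can start
# unattended) and its modulus matches the certificate's.
check_pair() {
    key=$1 crt=$2
    grep -q ENCRYPTED "$key" && return 1
    k=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

With a keystore converted as in the Apache section, call extract_from_pkcs12 svrkeystore-convert.jks . PASSWORD and then check_pair privatekey.nopass.pem publicCert.pem before pointing Apache at the files.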
 

Last update: Dec 26, 2015