This is an obsolete doc, see http://doc.nethence.com/ instead.

OpenSSL notes 

 

Creating a certificate request for Tomcat 

Note. This can be done as a regular user in the Tomcat configuration folder; you don't have to be root.

 

Create a Java (Tomcat) keystore,

  mkdir newcert/

  cd newcert/

  keytool -keysize 2048 -genkeypair -alias tomcat -keyalg RSA -keystore keystore.jks

Enter keystore password: PASSWORD 

Re-enter new password: PASSWORD 

What is your first and last name? 

[Unknown]: *.example.com 

What is the name of your organizational unit? 

[Unknown]: unit 

What is the name of your organization? 

[Unknown]: company 

What is the name of your City or Locality? 

[Unknown]: city 

What is the name of your State or Province? 

[Unknown]: region 

What is the two-letter country code for this unit? 

[Unknown]: FR 

Is CN=*.example.com, OU=unit, O=company, L=city, ST=region, C=FR correct? 

[no]: yes 

 

Enter key password for <tomcat>

(RETURN if same as keystore password): return 

Note. -genkey has been renamed to -genkeypair.

 

Generate a Tomcat certificate request,

  keytool -certreq -keyalg RSA -alias tomcat -file rapidssl.csr -keystore keystore.jks -sigalg SHA1withRSA

Note. -sigalg SHA1withRSA is not required by GoDaddy, but it is by RapidSSL/Trustico.

 

You can then check your Java keystore whenever you want,

  keytool -v -list -keystore keystore.jks -storepass PASSWORD 

 

Note. You can rename the keystore.jks file afterwards.

 

Refs. 

https://fr.godaddy.com/help/generation-dune-demande-de-certificat-et-installation-dun-certificat-ssl-avec-tomcat-4x5x6x7x-5239 

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13990 

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6506&actp=search&viewlocale=en_US&searchid=1270237704682 

 

Enabling the signed certificate in the keystore 

Once the request has been processed, the CA sends you two files: their own certificate and your signed one.

 

First, import the Certificate Authority into the keystore, 

  keytool -import -trustcacerts -alias root -file Issuing_CA.crt -keystore svrkeystore.jks 

 

Then, import your signed certificate, 

  keytool -import -trustcacerts -alias tomcat -file server.crt -keystore svrkeystore.jks 

 

Ref. NIMS-SysAdmin_V4.2_v1.00.pdf 

 

Converting a Tomcat SSL certificate to Apache 

You need openssl and keytool (the latter comes with the JDK),

  apt-get install openssl openjdk-7-jdk 

 

Convert the keystore, 

  keytool -importkeystore -srckeystore svrkeystore.jks -destkeystore svrkeystore-convert.jks -deststoretype PKCS12 -srcstorepass PASSWORD -deststorepass PASSWORD -srcalias tomcat -destalias tomcat -noprompt 

  ls -l svrkeystore-convert.jks 

Note. If you need to change the key passphrase, add -srckeypass [original_alias_password] -destkeypass [new_password]. The keystore requires it to be at least 6 characters long, so we remove it anyway once the PEM has been extracted.

 

Extract the private key from the PKCS12 file for Apache,

  openssl pkcs12 -in svrkeystore-convert.jks -nocerts -out privatekey.pem 

Enter Import Password: (keystore password) 

Enter PEM pass phrase: (tomcat alias passphrase in the keystore) 

check, 

  cat privatekey.pem 

 

Extract the certificate (public part) from the PKCS12 file for Apache,

  openssl pkcs12 -in svrkeystore-convert.jks -clcerts -nokeys -out publicCert.pem 

check, 

  cat publicCert.pem 

 

Remove the passphrase so Apache can be restarted without prompting for it,

  openssl rsa -in privatekey.pem -out privatekey.nopass.pem 
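Added example (not part of the original notes, and not keytool's or Apache's own tooling): the extraction above as a script that also checks that the extracted key actually belongs to the extracted certificate, which is the usual reason Apache refuses to start after a move. It assumes openssl on PATH; since keytool needs a JDK, the PKCS12 input is a constructed stand-in built with openssl pkcs12 -export, and the function names and the PASSWORD/TMPPASS values are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): extract an Apache key/cert pair
# from a PKCS12 file and verify that the two belong together.
# Assumptions: openssl is on PATH; the PKCS12 file is what keytool
# -importkeystore produced above (here a constructed stand-in is built with
# openssl, since keytool needs a JDK). make_test_p12, pkcs12_to_pem,
# key_matches_cert and the PASSWORD/TMPPASS values are this example's own.
set -e

# Constructed input: a throwaway PKCS12 standing in for svrkeystore-convert.jks.
make_test_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$dir/test.key" -out "$dir/test.crt" >/dev/null 2>&1
    openssl pkcs12 -export -name tomcat -in "$dir/test.crt" -inkey "$dir/test.key" \
        -out "$dir/store.p12" -passout pass:PASSWORD
}

# Extract the private key (first still encrypted, then stripped) and the
# certificate. $1 = PKCS12 file, $2 = keystore password, $3 = output directory
pkcs12_to_pem() {
    p12=$1; storepass=$2; out=$3
    # -nocerts: private key only; the output is itself encrypted with TMPPASS
    openssl pkcs12 -in "$p12" -nocerts -passin "pass:$storepass" \
        -passout pass:TMPPASS -out "$out/privatekey.pem"
    # -clcerts -nokeys: the end-entity certificate only, no CA certificates
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$storepass" \
        -out "$out/publicCert.pem"
    # Strip the passphrase so Apache can start unattended; the file now holds
    # the bare key, so create it owner-readable only.
    umask 077
    openssl rsa -in "$out/privatekey.pem" -passin pass:TMPPASS \
        -out "$out/privatekey.nopass.pem"
    chmod 600 "$out/privatekey.nopass.pem"
}

# Return 0 when the certificate's public key equals the one derived from the
# private key (catches a key/cert mix-up before Apache refuses to start).
key_matches_cert() {
    key=$1; cert=$2
    a=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    b=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: run the whole flow in a temporary directory; exit status 0 = pair OK.
run_demo() {
    dir=$(mktemp -d)
    make_test_p12 "$dir"
    pkcs12_to_pem "$dir/store.p12" PASSWORD "$dir"
    key_matches_cert "$dir/privatekey.nopass.pem" "$dir/publicCert.pem"
}
```

The two digests only differ when the wrong alias or the wrong keystore was exported, which is the first thing to check when Apache reports a key/certificate mismatch. Comparing the public keys rather than cat'ing the PEM files is also how you spot a stale privatekey.pem left over from an earlier export.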

 

Refs. 

How to move an SSL certificate from Tomcat to Apache: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?vproductcat=R&vdomain=RAPIDSSL_COM&page=content&id=SO17995&actp=PRINT&impressions=false 

Handy SSL certificate tools, convert your SSL certificate: https://www.trustico.fr/ssltools/ssl-certificate-tools.php

Remove the passphrase from an existing OpenSSL key file: http://www.microhowto.info/howto/remove_the_passphrase_from_an_existing_openssl_key_file.html 

 

Self-signed certificate 

Create a self-signed certificate,

  mkdir ssl/

  cd ssl/

  openssl genrsa -out cert.key 2048

Set the request defaults in the OpenSSL configuration (keep a copy of the original first),

  cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist

  vi /etc/ssl/openssl.cnf

dir = ./certs

default_days = 3650

default_bits = 2048

countryName_default = FR

stateOrProvinceName_default = IDF

localityName_default = Paris

#0.organizationName_default =

Then generate the certificate,

  openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256

Country Name (2 letter code) [FR]: 

State or Province Name (full name) [IDF]: 

Locality Name (eg, city) [Paris]: 

Organization Name (eg, company) []:YOUR_COMPANY 

Organizational Unit Name (eg, section) []: 

Common Name (e.g. server FQDN or YOUR name) []:mail.example.net 

Email Address []:root@example.net 

Ref. https://www.freebsd.org/doc/handbook/openssl.html 
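Added example, not from the original notes: the same self-signed certificate generated non-interactively from a private request config, instead of editing /etc/ssl/openssl.cnf system-wide, with a subjectAltName added (current browsers and TLS libraries match the host name against the SAN and ignore the CN), followed by the checks worth running before deploying it. openssl on PATH is assumed; the function names, the section names in the config and the example.net host are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): self-signed certificate driven
# by a private openssl config with a SAN, plus pre-deployment checks.
# Assumes openssl is on PATH; write_req_config, make_self_signed, cert_is_sane
# and the [dn]/[v3_leaf] section names are this example's own.
set -e

# Write a minimal req config: prompt=no takes the subject from [dn] instead of
# asking, and the x509 extensions add the SAN and mark the cert as a leaf.
write_req_config() {
    cnf=$1; cn=$2
    cat > "$cnf" <<EOF
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = dn
x509_extensions     = v3_leaf

[ dn ]
C  = FR
ST = IDF
L  = Paris
O  = YOUR_COMPANY
CN = $cn
emailAddress = root@example.net

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$cn
EOF
}

# Generate the key, then the certificate in one step (req -x509 signs the
# request with the key it is given). $1 = output dir, $2 = host name
make_self_signed() {
    dir=$1; cn=$2
    write_req_config "$dir/req.cnf" "$cn"
    openssl genrsa -out "$dir/cert.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -config "$dir/req.cnf" \
        -key "$dir/cert.key" -out "$dir/cert.crt"
}

# Checks to run before deploying: the cert verifies against itself as its
# own trust anchor, carries the expected SAN, a sha256 signature and is not a
# CA certificate (the stock config's v3_ca section would make it one).
cert_is_sane() {
    crt=$1; cn=$2
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    case $text in *"DNS:$cn"*) ;; *) return 1 ;; esac
    case $text in *sha256WithRSAEncryption*) ;; *) return 1 ;; esac
    case $text in *"CA:FALSE"*) ;; *) return 1 ;; esac
    return 0
}
```

Keeping the config next to the key (rather than in /etc/ssl) also means the exact parameters a certificate was issued with are preserved with it, which makes regenerating it at expiry a one-liner.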

 

Creating a self-signed certificate (old doc) 

Deploy the OpenSSL configuration example (NetBSD path), 

  cd /etc/openssl/ 

  cp /usr/share/examples/openssl/openssl.cnf . 

 

Generate the private key, 

  cd /etc/openssl/ 

  openssl genrsa -des3 -out server.key 1024 

Note. The passphrase will be removed afterwards.

 

Generate a Certificate Signing Request, 

  cd /etc/openssl/ 

  openssl req -new -key server.key -out server.csr 

Note. At the end, leave the challenge password empty.

Note. At the end, leave the optional company name empty.
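Added example, not from the original notes: inspecting a CSR before handing it to the CA. It serves both this step and the keytool -certreq step above, since keytool writes a standard PKCS#10 request that openssl req can read. It verifies the request's self-signature, the CN, the key size and the signature algorithm; SHA-1 signatures, which the RapidSSL note above once called for, are no longer accepted by public CAs, so the check rejects them. openssl on PATH is assumed; the function names, the example.net subject and the passphrase are constructed values, and the constructed input uses AES-256 and a 2048-bit key rather than the old doc's DES3 and 1024 bits.

```shell
#!/bin/sh
# Added example (not from the original notes): inspect a CSR before sending it
# to a CA. Works on a keytool -certreq output as well (standard PKCS#10).
# Assumes openssl is on PATH; make_csr, csr_is_acceptable, the example.net
# subject and the "secret" passphrase are this example's own constructed values.
set -e

# Constructed input: an encrypted key and a CSR, the old-doc way but with
# AES-256 instead of DES3 and 2048 bits instead of 1024 (both choices mine).
make_csr() {
    dir=$1; cn=$2
    openssl genrsa -aes256 -passout pass:secret -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin pass:secret -sha256 \
        -subj "/C=FR/ST=IDF/L=Paris/O=YOUR_COMPANY/CN=$cn" -out "$dir/server.csr"
}

# Return 0 only if the CSR's self-signature verifies, the subject CN is the
# expected host, the key is at least 2048 bits and the signature is neither
# SHA-1 nor MD5 (public CAs stopped accepting those; -sigalg SHA1withRSA from
# the keytool note above would fail this check today).
csr_is_acceptable() {
    csr=$1; cn=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text)
    case $text in *"CN = $cn"*|*"CN=$cn"*) ;; *) return 1 ;; esac
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] || return 1
    case $text in *sha1With*|*md5With*) return 1 ;; esac
    return 0
}
```

Run csr_is_acceptable on rapidssl.csr or server.csr before submitting it; a CA rejecting the request for a weak key or digest costs a round trip, and a wrong CN costs a re-issue.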

 

Remove the passphrase from the key,

  mv server.key server.key.pass

  openssl rsa -in server.key.pass -out server.key

 

Generate the self-signed certificate, 

  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 

 

You now have these available:

  /etc/openssl/server.crt 

  /etc/openssl/server.key 

 

Refs. 

http://www.akadia.com/services/ssh_test_certificate.html 

http://gagravarr.org/writing/openssl-certs/others.shtml