
Warning: these guides are mostly obsolete; please have a look at the new documentation.


OpenSSL notes
Creating a certificate request for Tomcat
Note. This can be done as an unprivileged user in the Tomcat configuration folder; you don't have to be root.
Create a Java keystore for Tomcat,
mkdir newcert/
cd newcert/
keytool -keysize 2048 -genkeypair -alias tomcat -keyalg RSA -keystore keystore.jks 
Enter keystore password: PASSWORD 
Re-enter new password: PASSWORD 
What is your first and last name?
[Unknown]: * 
What is the name of your organizational unit?
[Unknown]: unit 
What is the name of your organization?
[Unknown]: company 
What is the name of your City or Locality?
[Unknown]: city 
What is the name of your State or Province?
[Unknown]: region 
What is the two-letter country code for this unit?
[Unknown]: FR 
Is CN=*, OU=unit, O=company, L=city, ST=region, C=FR correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password): return 
Note. -genkey was renamed to -genkeypair (the old name still works as an alias).
Note. The "first and last name" prompt is the certificate's CN. Put the server's FQDN there (or *.example.com for a wildcard); the bare * above is only a placeholder and no public CA will issue for it. Current browsers match the host name against the subjectAltName extension rather than the CN, so ask the CA to include it (or pass -ext SAN=DNS:host to keytool -genkeypair and -certreq).
Generate a tomcat certificate request,
keytool -certreq -keyalg RSA -alias tomcat -file rapidssl.csr -keystore keystore.jks -sigalg SHA1withRSA
Note. -sigalg SHA1withRSA was not required by GoDaddy but was by RapidSSL/Trustico at the time. SHA-1 is deprecated now: use -sigalg SHA256withRSA unless the CA says otherwise. The request's signature algorithm only proves you hold the private key (the CA chooses the algorithm of the issued certificate), but many CAs reject SHA-1 signed requests outright.
You can then check your Java keystore whenever you want,
keytool -v -list -keystore keystore.jks -storepass PASSWORD 
Note. Passing -storepass on the command line leaves the password in the shell history and visible to other users in ps; omit it and keytool prompts for it.
Note. You can rename the keystore.jks file afterwards.
Enabling the signed certificate in the keystore
Once issued, the CA sends you two certificates (not keys): its own issuing/intermediate CA certificate and your signed server certificate.
First, import the Certificate Authority into the keystore,
keytool -import -trustcacerts -alias root -file Issuing_CA.crt -keystore svrkeystore.jks 
Then, import your signed certificate under the same alias as the key pair,
keytool -import -trustcacerts -alias tomcat -file server.crt -keystore svrkeystore.jks 
Note. The alias must match the private key entry (tomcat here): keytool then reports "Certificate reply was installed in keystore" and stores the chain with the key. Under any other alias the certificate is stored as a standalone trusted certificate and Tomcat keeps serving the self-signed one. Check the result with keytool -v -list: the tomcat entry should be a PrivateKeyEntry with a certificate chain length of 2 (or more, if the CA sent several intermediates).
Ref. NIMS-SysAdmin_V4.2_v1.00.pdf
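The keystore, request and import steps above as shell functions, added here as an example (it is not part of the original page or of the NIMS document it cites). They run non-interactively so they can be scripted and checked: the request is SHA-256 signed and carries a SAN, the request is inspected with openssl before it goes to the CA, and the signed certificate is checked against the CA file before it is imported. Assumes keytool (JDK 8 or later) and openssl on PATH; tomcat.example.com, changeit and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes keytool (JDK 8+) and openssl.
# "tomcat.example.com", "changeit" and all file names are placeholders.

# make_keystore KEYSTORE STOREPASS FQDN
# RSA-2048 key pair under alias "tomcat", SHA-256 self-signature, subject CN and
# SAN both set to the server's FQDN (what the "first and last name" prompt asks for).
make_keystore() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=$3, OU=unit, O=company, L=city, ST=region, C=FR" \
    -ext "SAN=DNS:$3" -keystore "$1" -storepass "$2" -keypass "$2" 2>/dev/null
}

# make_csr KEYSTORE STOREPASS FQDN OUTFILE
# SHA256withRSA instead of the page's SHA1withRSA; the SAN is repeated so the CA sees it.
make_csr() {
  keytool -certreq -alias tomcat -sigalg SHA256withRSA -ext "SAN=DNS:$3" \
    -keystore "$1" -storepass "$2" -file "$4" 2>/dev/null
}

# csr_check CSR FQDN
# What to look at before sending the request: the self-signature verifies, the
# subject CN is the FQDN, and the request is not SHA-1 signed.
csr_check() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject | grep -q "CN *= *$2" || return 1
  openssl req -in "$1" -noout -text | grep -q 'sha256WithRSAEncryption'
}

# import_signed KEYSTORE STOREPASS ISSUING_CA.crt SERVER.crt
# The same two imports as the page, with one check first: the signed certificate
# must chain to the CA file, and the reply must go under the key pair's alias.
import_signed() {
  openssl verify -CAfile "$3" "$4" >/dev/null 2>&1 ||
    { echo "$4 does not chain to $3" >&2; return 1; }
  keytool -importcert -trustcacerts -noprompt -alias root -file "$3" \
    -keystore "$1" -storepass "$2" 2>/dev/null || return 1
  keytool -importcert -trustcacerts -noprompt -alias tomcat -file "$4" \
    -keystore "$1" -storepass "$2" 2>/dev/null
}

# chain_length KEYSTORE STOREPASS
# Prints the number of certificates stored behind alias "tomcat" (2 after a
# successful import of one issuing CA plus the server certificate).
chain_length() {
  keytool -list -v -alias tomcat -keystore "$1" -storepass "$2" 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}
```

The store password is still passed on the command line here because the functions are meant to be driven by a script; for interactive use drop -storepass and let keytool prompt. Old keytool releases that lack -ext can be run without the two -ext arguments, in which case the SAN has to be requested from the CA instead.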
Converting a Tomcat SSL certificate to Apache
You need openssl and keytool (shipped with the JDK),
apt-get install openssl openjdk-7-jdk
Convert the keystore to PKCS12 (the output is a PKCS12 file, despite the .jks name),
keytool -importkeystore -srckeystore svrkeystore.jks -destkeystore svrkeystore-convert.jks -deststoretype PKCS12 -srcstorepass PASSWORD -deststorepass PASSWORD -srcalias tomcat -destalias tomcat -noprompt
ls -l svrkeystore-convert.jks
Note. To change the key passphrase during the conversion, add -srckeypass [original_alias_password] -destkeypass [new_password]. keytool requires a passphrase of at least 6 characters, so keep one for now; it is removed once the PEM key has been extracted.
Extract the private key from the PKCS12 file for Apache,
openssl pkcs12 -in svrkeystore-convert.jks -nocerts -out privatekey.pem 
Enter Import Password: (keystore password) 
Enter PEM pass phrase: (tomcat alias passphrase in the keystore) 
cat privatekey.pem 
Extract the certificate (the public half) from the PKCS12 file for Apache,
openssl pkcs12 -in svrkeystore-convert.jks -clcerts -nokeys -out publicCert.pem 
cat publicCert.pem 
Note. PKCS12 files written by older keytool releases use RC2-40/3DES PBE; OpenSSL 3 no longer loads those in its default provider, so add -legacy to the openssl pkcs12 commands if you get an "unsupported" error. The issuing CA certificate, if it was imported into the keystore, comes out with -cacerts -nokeys instead of -clcerts.
Remove the passphrase so Apache can restart unattended,
openssl rsa -in privatekey.pem -out privatekey.nopass.pem 
Note. The unencrypted key is now the secret that matters: make it readable by root only (mode 600), keep it outside the DocumentRoot, and delete the intermediate files once Apache is configured.
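The PKCS12-to-PEM extraction above as shell functions, added here as an example (not code from the original page), together with the check a practitioner wants before pointing Apache at the files: that the extracted key really is the key behind the extracted certificate. Assumes openssl on PATH; the sample PKCS12 file is constructed inside the block as a stand-in for the keytool -importkeystore output, and changeit, tomcat.example.com and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH; "changeit",
# "tomcat.example.com" and the file names are placeholders.

# make_sample_p12 DIR STOREPASS
# Constructed stand-in for the keytool export (svrkeystore-convert.jks above):
# a self-signed key pair packed into PKCS12 under alias "tomcat".
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj /CN=tomcat.example.com \
    -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
  openssl pkcs12 -export -name tomcat -inkey "$1/sample.key" -in "$1/sample.crt" \
    -passout "pass:$2" -out "$1/store.p12"
}

# pkcs12_to_apache P12 STOREPASS OUTDIR
# Writes OUTDIR/privatekey.pem (no passphrase, mode 0600), OUTDIR/server.crt (leaf
# certificate only) and OUTDIR/chain.crt (any CA certificates that were in the store).
# -nodes strips the key passphrase in one step instead of pkcs12 -nocerts followed by
# openssl rsa; piping through openssl pkey / x509 drops the "Bag Attributes" headers so
# the files are plain PEM. For PKCS12 files made by old keytool releases on OpenSSL 3,
# add -legacy to the three "pkcs12 -in" commands.
pkcs12_to_apache() {
  p12=$1; pass=$2; out=$3
  ( umask 077
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" |
      openssl pkey -out "$out/privatekey.pem" )
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" |
    openssl x509 -out "$out/server.crt"
  openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "pass:$pass" -out "$out/chain.crt"
}

# key_matches_cert KEY CRT
# Exit 0 when the SubjectPublicKeyInfo in the certificate equals the public half of the
# key. A mismatch (wrong alias exported, stale certificate) makes Apache refuse to start.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```

Apache then gets SSLCertificateFile server.crt, SSLCertificateKeyFile privatekey.pem and, when chain.crt is not empty, SSLCertificateChainFile chain.crt (or the chain appended to server.crt on httpd 2.4.8 and later).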
Ref. How to move an SSL certificate from Tomcat to Apache
Ref. Practical tools for SSL certificates: Convert your SSL certificate (Outils pratiques pour certificats SSL: Convertir votre Certificat SSL)
Ref. Remove the passphrase from an existing OpenSSL key file
Self-signed certificate
Create a self-signed certificate,
mkdir ssl/
cd ssl/
openssl genrsa -out cert.key 2048
Note. -rand takes a seed file as argument and -genkey is not a genrsa option; the command as previously written fails. Plain genrsa uses the system entropy source.
Back up the system-wide OpenSSL configuration and set defaults so the prompts come pre-filled (this changes the defaults for every openssl user on the host; to avoid that, edit a private copy and pass it with -config instead),
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf
dir = ./certs
default_days = 3650
default_bits = 2048
countryName_default = FR
stateOrProvinceName_default = IDF
localityName_default = Paris
#0.organizationName_default =
openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256
Country Name (2 letter code) [FR]:
State or Province Name (full name) [IDF]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) []:YOUR_COMPANY
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Note. default_days in openssl.cnf is only used by openssl ca; openssl req -x509 issues for 30 days unless -days is given, hence the explicit -days 365 above.
Note. Put the server's FQDN in Common Name. Current browsers require the name in a subjectAltName extension as well; with OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:your.fqdn" to the req command, otherwise put it in an extension section of the configuration file.
Creating a self-signed certificate (old doc)
Deploy the OpenSSL configuration example (NetBSD path),
cd /etc/openssl/
cp /usr/share/examples/openssl/openssl.cnf .
Generate the private key,
cd /etc/openssl/
openssl genrsa -des3 -out server.key 1024
Note. 1024-bit RSA keys are rejected by current browsers and CAs; use 2048 bits or more.
Note. The passphrase will be removed afterwards.
Generate a Certificate Signing Request,
cd /etc/openssl/
openssl req -new -key server.key -out server.csr
Note. At the end, leave the challenge password and the optional company name empty.
Remove Passphrase from Key,
mv server.key server.key.pass
openssl rsa -in server.key.pass -out server.key
Generate the self-signed certificate,
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You now have server.key (the unencrypted private key, keep it mode 600), server.csr and server.crt available.
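The two self-signed procedures above (the openssl.cnf-driven one and the old key / CSR / x509 -req one) combined into one script, added here as an example that is not part of the original page. It follows the old two-step route but writes the subject defaults and a subjectAltName into a private configuration file instead of editing /etc/ssl/openssl.cnf, uses a 2048-bit key kept at mode 0600 without a passphrase, signs with SHA-256, and checks the result the way a practitioner would (SAN present, certificate validates against itself). Assumes openssl on PATH; tomcat.example.com and the subject values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH;
# "tomcat.example.com" and the subject values are placeholders.

# make_selfsigned DIR FQDN [DAYS]
# Writes DIR/server.key, DIR/server.csr and DIR/server.crt.
make_selfsigned() {
  dir=$1; fqdn=$2; days=${3:-365}
  # 2048-bit key with no passphrase (the old procedure strips it anyway); the umask
  # makes the file 0600 from the start, so the secret is never world-readable.
  ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
  # Subject defaults (the values the page puts into openssl.cnf) plus a v3 section
  # carrying the SAN; prompt = no makes the req command non-interactive.
  cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = FR
ST = IDF
L = Paris
O = YOUR_COMPANY
CN = $fqdn
[ v3_server ]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -new -sha256 -key "$dir/server.key" -config "$dir/san.cnf" -out "$dir/server.csr"
  # x509 -req ignores extensions inside the CSR; -extfile/-extensions is what puts the
  # SAN into the certificate. -days is required: the default is 30.
  openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/san.cnf" -extensions v3_server -out "$dir/server.crt" 2>/dev/null
}

# cert_has_san CRT FQDN: exit 0 if the certificate lists DNS:FQDN in its SAN
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# verify_selfsigned CRT: exit 0 if the certificate validates with itself as trust anchor,
# which is what a client that has been told to trust this certificate will check.
verify_selfsigned() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

The same san.cnf can be reused when sending a request to a real CA: the [ dn ] values and the subjectAltName are what the CA copies into the issued certificate.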
