Formatting code for JavaKeystoreCert
{{parent page="Certificate"}}
===Configuring SSL on Tomcat===
**Put Apache httpd in front of Tomcat (the Tomcat connector mod_jk, or mod_proxy) whenever possible. Exposing Tomcat directly as the public web server is a bad idea.**
==Step 1: Generate a keystore with a private key==
Use the server's hostname as the CN (that is the name the certificate in step 3 will be issued for) and ask for an RSA key explicitly: keytool's historical default is DSA, which modern browsers will not negotiate. Without -keypass, keytool prompts for a key password; keep it equal to the keystore password, because Tomcat uses keystorePass for both unless keyPass is set. Note that passwords given on the command line end up in the shell history.
%%
$ keytool -genkey -keystore my.keystore -storepass mysecret -keypass mysecret -alias tomcat -keyalg RSA -keysize 2048 -dname "cn=www.mydomain.com,ou=admin,o=myorg,c=us"
%%
==Step 2: Generate a CSR from that private key==
%%
$ keytool -certreq -keystore my.keystore -storepass mysecret -alias tomcat -file tomcat_req.csr
%%
==Step 3: Sign the CSR with a self-generated CA cert or submit the CSR to a trusted signer==
For the self-generated CA case (ca.crt and ca.key already exist), -CAcreateserial creates the serial-number file on first use; without it openssl stops with an error about a missing ca.srl. Browsers now match the hostname against the subjectAltName extension rather than the CN, so a certificate signed this way also needs a SAN (supplied through -extfile) before a browser will accept it.
%%
$ openssl x509 -in tomcat_req.csr -out www.mydomain.com.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 360 -req
%%
==Step 4: Import the CA certificate into the keystore. If the certificate was issued by a trusted signer, import that signer's CA certificates (intermediates and root)==
If you skip this step and go directly to step 5, you will get this error message:
%%
keytool error: java.lang.Exception: Failed to establish chain from reply
%%
**Self-generated CA**
A self-generated root does not chain to anything in the JRE's cacerts, so keytool asks "Trust this certificate?"; answer yes.
%%
$ keytool -import -keystore my.keystore -storepass mysecret -alias MyCA -file ca.crt -trustcacerts
%%
**GoDaddy**
GoDaddy's CA certificates: https://certificates.godaddy.com/Repository.go
%%
$ keytool -import -keystore my.keystore -storepass mysecret -alias gd_intermediate -file gd_intermediate.crt.1 -trustcacerts
$ keytool -import -keystore my.keystore -storepass mysecret -alias gd_cross_intermediate -file gd_cross_intermediate.crt.1 -trustcacerts
$ keytool -import -keystore my.keystore -storepass mysecret -alias gd-class2-root -file gd-class2-root.crt -trustcacerts
# keytool prompts on the last import (the root is self-signed, so nothing else vouches for it): answer yes
%%
==Step 5: Import the SSL certificate into the keystore==
The alias must be the one the private key was generated under (tomcat); that is how keytool knows this is a certificate reply for that key rather than a new trusted certificate.
%%
$ keytool -import -keystore my.keystore -storepass mysecret -alias tomcat -file www.mydomain.com.crt
Certificate reply was installed in keystore
%%
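Steps 1 to 5 above, as one added shell script that is not part of the original page: it also creates the self-generated CA the page assumes (ca.key/ca.crt), requests an RSA key, gives the issued certificate a subjectAltName, and checks the resulting chain. The hostname, passwords, aliases and file names are placeholders; the function names and the `run` argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: steps 1-5 as functions, with a
# throwaway CA (the page assumes ca.key/ca.crt exist), an RSA key, a SAN on the
# issued certificate and a final chain check. Hostname, passwords and file names
# are placeholders.
set -eu

# Self-generated CA: key + self-signed cert, 10 years. Keep ca.key offline afterwards.
make_ca() {            # usage: make_ca "<CA name>"
  openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
    -keyout ca.key -out ca.crt -subj "/CN=$1" >/dev/null 2>&1
  chmod 600 ca.key
}

# Steps 1+2: RSA key under alias "tomcat" (keytool's historical default is DSA),
# CN = hostname, key password = store password (what Tomcat expects), then the CSR.
gen_key_and_csr() {    # usage: gen_key_and_csr <keystore> <storepass> <hostname> <csr-out>
  keytool -genkeypair -keystore "$1" -storepass "$2" -keypass "$2" -alias tomcat \
    -keyalg RSA -keysize 2048 -validity 365 -dname "CN=$3, OU=admin, O=myorg, C=US"
  keytool -certreq -keystore "$1" -storepass "$2" -alias tomcat -file "$4"
}

# Step 3: sign with ca.crt/ca.key. -CAcreateserial avoids the "missing ca.srl" error;
# the extfile adds the subjectAltName that browsers match the hostname against.
sign_csr() {           # usage: sign_csr <csr> <hostname> <crt-out>
  ext=$(mktemp)
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$2" > "$ext"
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
    -extfile "$ext" -out "$3" 2>/dev/null
  rm -f "$ext"
}

# Steps 4+5: the CA first (or keytool fails with "Failed to establish chain from reply"),
# then the issued certificate under the SAME alias as the private key.
import_chain() {       # usage: import_chain <keystore> <storepass> <ca.crt> <server.crt>
  keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass "$2" -alias myca -file "$3"
  keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias tomcat -file "$4"
}

# Check: print the chain length of a key entry (2 = server cert + CA, as expected here).
chain_length() {       # usage: chain_length <keystore> <storepass> <alias>
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" | sed -n 's/^Certificate chain length: //p'
}

# Stand-alone run: sh tomcat_keystore.sh run www.mydomain.com mysecret
if [ "${1:-}" = run ]; then
  make_ca "Example Root CA"
  gen_key_and_csr my.keystore "$3" "$2" tomcat_req.csr
  sign_csr tomcat_req.csr "$2" "$2.crt"
  import_chain my.keystore "$3" ca.crt "$2.crt"
  echo "chain length for alias tomcat: $(chain_length my.keystore "$3" tomcat)"
fi
```

If the store password must stay off the command line, recent keytool releases accept `-storepass:env VARNAME` or `-storepass:file PATH` in place of the literal value.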
==Step 6: Configuring the Tomcat connector==
Create a connector like the following one. This is the Tomcat 4 syntax (the org.apache.coyote.tomcat4 classes). keystorePass is stored in the clear, so restrict read access to server.xml and to the keystore to the Tomcat user; note also that enableLookups="true" makes Tomcat do a reverse DNS lookup for every request.
%%
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
address="1.2.3.4"
port="443" minProcessors="5" maxProcessors="75" enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true"
useURIValidationHack="false">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS"
keystoreFile="/secure/my.keystore" keystorePass="mysecret" />
</Connector>
%%
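The same connector for Tomcat 8.5 and later, where the TLS settings moved into an SSLHostConfig element, as an added example that is not taken from the page; the keystore path, password and alias are the page's placeholders, and the port is 8443 because binding 443 needs root or authbind:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           enableLookups="false">
    <!-- TLS 1.2 and 1.3 only; the server picks the cipher suite order -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
        <!-- The password is in the clear here: keep server.xml and the keystore
             readable only by the Tomcat user -->
        <Certificate certificateKeystoreFile="/secure/my.keystore"
                     certificateKeystorePassword="mysecret"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

TLSv1.3 needs a JRE that supports it (Java 11, or a late Java 8 update); on an older JRE list only TLSv1.2.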
==Converting existing PEM key / cert into Java Keystore==
Original link: http://www.agentbob.info/agentbob/79-AB.html
===Convert key and cert into DER format===
-nocrypt writes the PKCS#8 key unencrypted, so key.der sits unprotected on disk; delete it once the import is done.
%%
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
%%
===Run ImportKey===
ImportKey is the small Java class from the page linked above, not part of the JDK; compile it with javac first.
%%
java ImportKey key.der cert.der alias_name
%%
==List cert content==
Export the cert and pipe it to openssl. The -rfc option makes keytool emit PEM (-export is the older spelling of -exportcert).
%%
keytool -export -keystore server.keystore -alias www.domain.com -storepass foo1234 -rfc | openssl x509 -noout -subject
%%
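The PEM-to-keystore conversion above (the ImportKey section) and the "list cert content" check, as one added shell script that is not from this page or from agentbob.info: it uses only openssl and keytool, so no third-party class is needed, and it adds an expiry check. File names, the alias and the password are placeholders; the function names and the `run` argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from this page or from agentbob.info: convert an existing
# PEM key and certificate into a keystore with stock openssl/keytool instead of
# the ImportKey class, then inspect what landed in it.
# Assumed inputs: key.pem (PKCS#8 or traditional RSA PEM), cert.pem (server cert),
# optionally chain.pem (intermediates + root); the file names are placeholders.
set -eu

# PKCS#12 is itself a keystore type Java understands (JDK 9+ makes it the default and
# Tomcat takes keystoreType="PKCS12"), so this single openssl step is usually enough.
# -name sets the friendlyName, which Java shows as the alias.
pem_to_p12() {   # usage: pem_to_p12 <key.pem> <cert.pem> <chain.pem or ""> <alias> <out.p12> <password>
  openssl pkcs12 -export -inkey "$1" -in "$2" ${3:+-certfile} ${3:+"$3"} \
    -name "$4" -out "$5" -passout "pass:$6"
  chmod 600 "$5"
}

# Only needed for a JDK/Tomcat too old to read PKCS#12: copy everything into a JKS.
p12_to_jks() {   # usage: p12_to_jks <in.p12> <password> <out.jks>
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype JKS -deststorepass "$2"
}

# The page's "list cert content" trick on the PKCS#12 side: dump the end-entity
# certificate as PEM and let openssl print its subject.
p12_cert_subject() {  # usage: p12_cert_subject <in.p12> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Return 0 if the end-entity certificate is still valid <days> days from now, 1 if
# not: a cheap pre-deployment or cron check against shipping an expired certificate.
cert_valid_for_days() {  # usage: cert_valid_for_days <in.p12> <password> <days>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# Stand-alone run: sh pem_to_keystore.sh run key.pem cert.pem chain.pem tomcat mysecret
if [ "${1:-}" = run ]; then
  pem_to_p12 "$2" "$3" "$4" "$5" my.p12 "$6"
  p12_cert_subject my.p12 "$6"
  if cert_valid_for_days my.p12 "$6" 30; then
    echo "certificate valid for at least 30 more days"
  else
    echo "certificate expires within 30 days"
  fi
  if command -v keytool >/dev/null 2>&1; then
    p12_to_jks my.p12 "$6" my.keystore
  fi
fi
```

OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default; older JDK 8 and 11 updates cannot open those (keytool reports the password as incorrect), so for such a JRE add -legacy to the openssl pkcs12 -export call.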
==Other notes==
One may also use a graphical tool from IBM to do the same thing. The tool is called ikeyman and is bundled with IBM HTTP Server (IHS); search for the IHS download and you will find it. You will need ikeyman to work with the IBM CMS keystore, which is the default keystore type used by IHS.