development:openssl
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | |||
|
development:openssl [2016/11/12 03:35] anthonysena |
development:openssl [2016/11/12 03:47] (current) anthonysena |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| This page will detail how to use [[https://www.openssl.org/|OpenSSL]] to create a Certificate Authority and how to generate a Secure Socket Layer (SSL) certificate for use with a web server such as Apache Tomcat. This is useful when you need to use SSL on a local development machine. As a general rule of thumb, if you need an SSL certificate for use on either a production or non-production instance, you should contact your organization's IT team to obtain a certificate that will work properly in your environment. | This page will detail how to use [[https://www.openssl.org/|OpenSSL]] to create a Certificate Authority and how to generate a Secure Socket Layer (SSL) certificate for use with a web server such as Apache Tomcat. This is useful when you need to use SSL on a local development machine. As a general rule of thumb, if you need an SSL certificate for use on either a production or non-production instance, you should contact your organization's IT team to obtain a certificate that will work properly in your environment. | ||
| - | Before moving ahead, please make sure that you have created your keystore and certificate sign request as detailed in the steps [[development:security#ssl_configuration_in_tomcat|SSL configuration in Tomcat]] | + | Before moving ahead, please make sure that you have created your keystore and CSR (Certificate Signing Request) as detailed in the steps [[development:security#ssl_configuration_in_tomcat|SSL configuration in Tomcat]]. Please note the passwords that you use for each step as they will be required in the steps below. |
| ==== Creating a Certificate Authority ==== | ==== Creating a Certificate Authority ==== | ||
| Line 20: | Line 20: | ||
| Note the change to the ''dir'' setting to include the full path to the root/ca folder that is created along with the changes to the $dir settings to use a double backslashes ''\\'' instead of a single foward slash '/'. | Note the change to the ''dir'' setting to include the full path to the root/ca folder that is created along with the changes to the $dir settings to use a double backslashes ''\\'' instead of a single foward slash '/'. | ||
| + | |||
| + | ==== Signing the certificate ==== | ||
| + | |||
| + | Using the intermediate pair created in the previous step, we can now create a server certificate using the following OpenSSL command | ||
| + | |||
| + | openssl ca -config .\root\ca\intermediate\openssl.cnf -extensions server_cert -days 7300 -notext -md sha256 -in C:\path\to\csr\webapi.csr -out C:\path\to\csr\webapi.cer | ||
| + | | ||
| + | Next we can create the .p7b file that will be used to store in the keystore: | ||
| + | |||
| + | openssl crl2pkcs7 -nocrl -certfile C:\path\to\csr\webapi.cer -out C:\path\to\csr\webapi.p7b | ||
| + | |||
| + | ==== Installing into the keystore ==== | ||
| + | |||
| + | Before we can install the certificate, we also need to install the root and intermediate certificates so that the proper trust chain is set in the keystore. This is done using the following commands: | ||
| + | |||
| + | Root: | ||
| + | |||
| + | keytool -import -alias root -keystore keystore.jks -trustcacerts -file .\root\ca\certs\ca.cert.pem | ||
| + | |||
| + | Intermediate: | ||
| + | |||
| + | keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file .\root\ca\intermediate\certs\intermediate.cert.pem | ||
| + | |||
| + | Now we can import the certificate for the application: | ||
| + | |||
| + | keytool -import -alias webapi -keystore keystore.jks -trustcacerts -file C:\path\to\csr\webapi.p7b | ||
| + | |||
development/openssl.1478921722.txt.gz ยท Last modified: 2016/11/12 03:35 by anthonysena
Page Tools
