the open web, web development, and more

Monday, October 15, 2007

How to install a GoDaddy Wildcard SSL Certificate on JBoss

I write this post mainly so that I retain the knowledge of stumbling through this frustrating and poorly documented process and in the hopes that it will be of use to another poor soul on the Internet. Specifically, this how-to will be useful if you:

  • Have purchased a Wildcard SSL Certificate through GoDaddy
  • Need to enable SSL on JBoss (should apply to Tomcat too) because the Apache web server is not being used to pass requests to JBoss
  • Are running Ubuntu (or any Linux/Unix OS) on your server
  • Are running Sun Java 1.5

To summarize the steps, you need to follow the GoDaddy instructions for installing the certificate on Tomcat but add an additional step of extracting your private key from "tomcat.keystore" (a file you will create). However, for the purpose of this how-to, I'll cover all the steps.

Step 1

SSH into one of your production servers and create the directory "ssl-files" to work in, as you will be creating and downloading several files. CD into "ssl-files", then run the command:

keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

This will run a command line wizard that prompts you to enter data. Whoever wrote this tool could have spent more time clarifying the prompts.

Enter keystore password:
[Pick something clever and write it down]
What is your first and last name?
[Don't take this literally. It turns out that "*.yourdomain.com" is the best answer]
What is the name of your organizational unit?
[Anything, this isn't really important but should be the same as a previous certificate if you are renewing]
What is the name of your organization?
[Same as above]
What is the name of your City or Locality?
[Same as above]
What is the name of your State or Province?
[Same as above]
What is the two-letter country code for this unit?
[Same as above]

Once you have finished the wizard, you should have the file "tomcat.keystore" in your current directory.

Step 2

From the "ssl-files" directory, run another command to create a certificate request (.csr) file:

keytool -certreq -keyalg RSA -alias tomcat -file <your-file-name-here>.csr -keystore tomcat.keystore

Now open the newly created file:

cat your-file-name-here.csr

Copy the contents of the file so you can paste it into the CSR field of the Certificate Request form on GoDaddy's website. I'm assuming you found the correct form on the website, but if you haven't, don't feel bad as the GoDaddy site has a deplorable UI.

Step 3 (Not found in GoDaddy's instructions - nor many other places on the net)

You now need to extract the private key from the tomcat.keystore binary. This is where the official documentation leaves you hanging: not only are you unaware of this step, but there is no easy way to do it using keytool. Luckily, someone at the University of Texas has a nice write-up on this. Scroll down to the "Additional esoteric Java keytool operations" section to the 3rd step. Copy the code and paste it into a new file (in the "ssl-files" directory) named "GetKeys.java". Delete the first line of the file, which specifies the package as "MyPackage", and replace the three values as indicated on the University of Texas website.

Compile GetKeys: javac GetKeys.java

Run the class: java GetKeys

If all goes well, you should see some text that begins with "-----BEGIN PRIVATE KEY-----". If not, you will have to go back to GetKeys.java and debug. Once you get it working, copy all the output (including the BEGIN and END PRIVATE KEY lines) and paste it into a new file you create named "<your-file-name-here>.key".
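A version of that GetKeys program written for this post as an added example (it is not the University of Texas code the post links to, nor the author's); it assumes Java 8 or later for java.util.Base64 and the alias "tomcat" chosen in Step 1, and it writes the .key file with owner-only permissions instead of printing the key to the terminal:

```java
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;
// Added example, not the University of Texas program the post links to.
// Usage: java GetKeys tomcat.keystore tomcat your-file-name-here.key
// Assumes Java 8+ and that the key entry uses the keystore password
// (keytool -genkey's default when you press Enter at the key-password prompt).
public class GetKeys {
    // Wrap the PKCS#8 DER bytes in the PEM armor that "openssl pkcs12 -inkey" expects.
    static String toPem(PrivateKey key) {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("unexpected key encoding: " + key.getFormat());
        }
        // A MIME encoder with 64-character lines produces exactly the PEM body layout.
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(key.getEncoded());
        return "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n";
    }
    static PrivateKey loadKey(String file, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        Key key = ks.getKey(alias, password);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalArgumentException("no private key entry under alias '" + alias + "'");
        }
        return (PrivateKey) key;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage (from a terminal): java GetKeys <keystore> <alias> <out.key>");
            System.exit(2);
        }
        // Prompt for the password rather than taking it from argv, keeping it out of ps and shell history.
        char[] pw = System.console().readPassword("Keystore password: ");
        String pem = toPem(loadKey(args[0], args[1], pw));
        java.util.Arrays.fill(pw, '\0');
        // The .key file holds the unencrypted key: create it owner-only (0600), refuse to overwrite
        // an existing file, and delete it once "openssl pkcs12 -export" has consumed it.
        Files.write(Files.createFile(Paths.get(args[2]), PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------"))), pem.getBytes("US-ASCII"));
    }
}
```

On Java 6 and later, keytool's -importkeystore option can convert a JKS keystore to PKCS12 directly, which removes the need for this extraction step and for a plaintext .key file on disk at all.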

Step 4

Download the .zip archive provided by GoDaddy to your server (you will likely have to download it to your desktop and then scp or ftp it to your server). Now run the unzip command (note: unzip is not installed by default on Ubuntu, but a quick sudo apt-get install unzip will fix that):

unzip <big-long-random-string.zip>

This will extract 4 .crt files into your current directory (hopefully you are still in "ssl-files"). Now create your "keystore.tomcat" file (not to be confused with the existing "tomcat.keystore" file), which you can copy to the correct location on your servers:

openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <_.yourdomain.com.crt> -inkey <your-file-name-here>.key -out keystore.tomcat -name tomcat -passout pass:<your-password>

Now you should have the file "keystore.tomcat" in your current directory.

Step 5

At this point you can head back to the GoDaddy instructions in order to enable/modify SSL support in server.xml. The "keystore.tomcat" file can be safely used in a clustered environment and re-used on the remaining servers.

Hopefully you found this helpful. If you find any errors or simpler alternatives, please post a comment.

5 comments:

Anonymous said...

SSL Installation for Tomcat 6.x
Created by Cenker Ozkurt cenker@yahoo.com on Jan 24, 2008


1. Generate Key
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

2. Wait for the email from GoDaddy, extract the following files and import the certs
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle.crt
keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file www.valetsolutions.com.crt

3. Update server.xml in the tomcat\conf folder:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\SSL\tomcat.keystore" keystorePass="changeit."
    clientAuth="false" sslProtocol="TLS"/>

This works and no need to do anything else. Cheers...

Anonymous said...

Thanks for the tip. I'll give that a try next time I'm wrestling with JBoss or Tomcat.

Diwant Vaidya said...

The Anonymous tip worked well for me. Thanks.

Valentijn Scholten said...

Here's a link on how to do it if you already have an existing certificate and accompanying private key.

http://www.agentbob.info/agentbob/79-AB.html

gopipatel said...

Most wonderful article, thanks for sharing!
Top 15 Cheapest Wildcard SSL Certificates
