Installing SSL For Web Server Using OpenSSL


SETTING UP YOUR CA

Step 1:
Go to http://www.slproweb.com/download/Win32OpenSSL-0_9_8e.exe and download OpenSSL for Windows.

Step 2:
Create directories to hold your CA keys, your server keys and, if you want to use SSL client authentication, your client keys. For the sake of argument let’s assume that these directories are called “C:/ssl/TomcatCA”, “C:/ssl/TomcatServer” and “C:/ssl/TomcatClient”.

Step 3:
Create a private key and certificate request for your own CA:
openssl req -new -newkey rsa:1024 -nodes -out C:/ssl/TomcatCA/ca.csr -keyout C:/ssl/TomcatCA/ca.key

Step 4:
Create your CA's self-signed certificate (note: it lasts one year; increase the -days setting to whatever you want):
openssl x509 -trustout -signkey C:/ssl/TomcatCA/ca.key -days 365 -req -in C:/ssl/TomcatCA/ca.csr -out C:/ssl/TomcatCA/ca.pem

NOTE : If you copy the ca.pem file to ca.crt and edit the file so that the strings “TRUSTED CERTIFICATE” read “CERTIFICATE”, you can import your CA certificate into your trusted root certificates store.

Step 5:
Import the CA certificate into the JDK's certificate authorities keystore (keytool prompts for the keystore password; the JDK default for cacerts is "changeit"):
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file C:/ssl/TomcatCA/ca.pem -alias my_ca

Note:
A standalone Java program that accesses the web server's pages must trust the same keystore, so set this system property when starting it:
-Djavax.net.ssl.trustStore=%JAVA_HOME%/jre/lib/security/cacerts

Step 6:
Create a file to hold your CA's serial numbers. This file starts with the number 02 (leave the quotes out: cmd.exe would write them into the file literally, and OpenSSL expects a bare hex number):
echo 02 > C:/ssl/TomcatCA/ca.srl

SETTING UP YOUR WEB SERVER

Step 7:
Create a keystore for your web server.
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore C:/ssl/TomcatServer/server.jks -storetype JKS

Step 8:
Create a certificate request for your web server.
keytool -certreq -keyalg RSA -alias tomcat -file C:/ssl/TomcatServer/server.csr -keystore C:/ssl/TomcatServer/server.jks

You need to edit the certificate request file slightly. Open it up in a text editor and amend the text which reads “NEW CERTIFICATE REQUEST” to “CERTIFICATE REQUEST”

Step 9:
Have your CA sign your certificate request:
openssl x509 -CA C:/ssl/TomcatCA/ca.pem -CAkey C:/ssl/TomcatCA/ca.key -CAserial C:/ssl/TomcatCA/ca.srl -req -in C:/ssl/TomcatServer/server.csr -out C:/ssl/TomcatServer/server.crt -days 365

Step 10:
Import your signed server certificate into your server keystore:
keytool -import -alias tomcat -keystore C:/ssl/TomcatServer/server.jks -trustcacerts -file C:/ssl/TomcatServer/server.crt

You should see a message “Certificate reply was installed in keystore”.

Step 11:
Import your CA certificate into your server keystore:
keytool -import -alias my_ca -keystore C:/ssl/TomcatServer/server.jks -trustcacerts -file C:/ssl/TomcatCA/ca.pem

This step is only necessary if you wish to use SSL client authentication with Tomcat.

Step 12:
Set up an SSL connector for Tomcat. Open %CATALINA_HOME%/conf/server.xml in a text editor and search for the text "keystoreFile". Ensure that the attribute value is the keystore you created above (an absolute path avoids any ambiguity about the directory a relative name is resolved against):

keystoreFile="server.jks"

SETTING UP AN SSL CLIENT

Step 13:
Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out C:/ssl/TomcatClient/client1.req -keyout C:/ssl/TomcatClient/client1.key

The common name of the client must match a user in Tomcat's user realm (e.g. an entry in %CATALINA_HOME%/conf/tomcat-users.xml).

Step 14:
Have your CA sign your client certificate.
openssl x509 -CA C:/ssl/TomcatCA/ca.pem -CAkey C:/ssl/TomcatCA/ca.key -CAserial C:/ssl/TomcatCA/ca.srl -req -in C:/ssl/TomcatClient/client1.req -out C:/ssl/TomcatClient/client1.pem -days 365

Step 15:
Generate a PKCS12 file containing the client key and client certificate:
openssl pkcs12 -export -clcerts -in C:/ssl/TomcatClient/client1.pem -inkey C:/ssl/TomcatClient/client1.key -out C:/ssl/TomcatClient/client1.p12 -name "my_client_certificate"

Step 16:
Import the PKCS12 file into your web browser to use as your client certificate and key.
Repeat steps 13-16 as often as required.
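The OpenSSL half of steps 3 to 15 (CA, serial file, server certificate, client certificate and PKCS12 bundle) as one non-interactive POSIX shell script. This is an added example, not part of the original article; the keytool steps are unchanged and not repeated here. It assumes openssl is on the PATH; the directory layout, subject names and the "changeit" PKCS12 password are constructed for the demo. It deliberately uses 2048-bit keys and SHA-256 instead of the 1024/512-bit keys in the steps (modern TLS stacks refuse 512-bit RSA and most refuse 1024-bit), adds a subjectAltName to the server certificate (browsers ignore the CN), and omits -trustout so ca.pem is a plain "CERTIFICATE" block that keytool and Windows can import without the edit described in the note under step 4. It ends with the checks worth running before touching server.xml: both leaf certificates verify against the CA for their intended purpose and the serial file advanced once per signature.

```shell
#!/bin/sh
# Added example (not the article's own commands): steps 3-15 as a script.
# Assumed: openssl on PATH; all paths/names/passwords below are constructed.
set -e

# make_pki DIR -> creates DIR/ca, DIR/server, DIR/client and verifies the chains
make_pki() {
    dir=$1
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"

    # Steps 3-4: CA key + CSR, then a self-signed CA certificate explicitly
    # marked as a CA (no -trustout, so the PEM header is plain CERTIFICATE)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Tomcat CA" \
        -out "$dir/ca/ca.csr" -keyout "$dir/ca/ca.key" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca/ca.ext"
    openssl x509 -req -sha256 -days 365 -signkey "$dir/ca/ca.key" \
        -in "$dir/ca/ca.csr" -extfile "$dir/ca/ca.ext" -out "$dir/ca/ca.pem" 2>/dev/null

    # Step 6: serial file; each signature consumes the value and writes the next
    echo 02 > "$dir/ca/ca.srl"

    # Steps 8-9: server key + CSR, signed by the CA with a SAN for the hostname
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -out "$dir/server/server.csr" -keyout "$dir/server/server.key" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' \
        > "$dir/server/server.ext"
    openssl x509 -req -sha256 -days 365 -CA "$dir/ca/ca.pem" -CAkey "$dir/ca/ca.key" \
        -CAserial "$dir/ca/ca.srl" -in "$dir/server/server.csr" \
        -extfile "$dir/server/server.ext" -out "$dir/server/server.crt" 2>/dev/null

    # Steps 13-15: client key + CSR, signed by the CA, bundled as PKCS12.
    # The CN ("tomcat") is what Tomcat matches against tomcat-users.xml.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=tomcat" \
        -out "$dir/client/client1.req" -keyout "$dir/client/client1.key" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client/client1.ext"
    openssl x509 -req -sha256 -days 365 -CA "$dir/ca/ca.pem" -CAkey "$dir/ca/ca.key" \
        -CAserial "$dir/ca/ca.srl" -in "$dir/client/client1.req" \
        -extfile "$dir/client/client1.ext" -out "$dir/client/client1.pem" 2>/dev/null
    openssl pkcs12 -export -clcerts -in "$dir/client/client1.pem" \
        -inkey "$dir/client/client1.key" -out "$dir/client/client1.p12" \
        -name my_client_certificate -passout pass:changeit

    # Checks: each leaf chains to the CA for its purpose, the serial file
    # advanced twice (02 -> 03 -> 04) so no serial was reused, and ca.pem is
    # a plain CERTIFICATE block rather than TRUSTED CERTIFICATE.
    openssl verify -CAfile "$dir/ca/ca.pem" -purpose sslserver "$dir/server/server.crt" >/dev/null
    openssl verify -CAfile "$dir/ca/ca.pem" -purpose sslclient "$dir/client/client1.pem" >/dev/null
    [ "$(cat "$dir/ca/ca.srl")" = "04" ]
    grep -q '^-----BEGIN CERTIFICATE-----' "$dir/ca/ca.pem"
}

# p12_subject DIR -> subject of the certificate inside the PKCS12 bundle,
# i.e. the identity Tomcat will see once the browser presents it
p12_subject() {
    openssl pkcs12 -in "$1/client/client1.p12" -passin pass:changeit -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage (constructed demo directory):
#   make_pki /tmp/tomcat-pki && p12_subject /tmp/tomcat-pki
```

If `openssl verify` fails with a purpose error, the usual cause is a CA certificate that carries extensions but no basicConstraints CA:TRUE; the page's one-line `openssl x509 -req -signkey` without -extfile produces a version 1 certificate, which OpenSSL still accepts as a root, but as soon as any extension is added the CA flag must be present.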

Step 17:
Enable client certificate authentication in Tomcat. Open up %CATALINA_HOME%/conf/server.xml and search for the text “clientAuth”. Set the value of the attribute to “true”.
