Digital Encryption Tips
How to munge a certificate from your signing authority into something that Tomcat can use, and other miscellaneous key and certificate management topics.
Tomcat / SSL
Two roughly equivalent HOWTOs on making a Java keystore for use with Tomcat:
keytool is Java's key and certificate manager. The best guide for using keytool is the manual page.
Generating a key and CSR
HOWTO Update mifos.org wildcard SSL cert
Change directory to "the vault" on birch (location deliberately omitted).
Back up the old cert, key, and CSR:
mkdir `date -I`_saved && mv cert.* keystore* key.* server.* `date -I`_saved
Create a CSR (certificate signing request) from the existing key:
openssl req -new -key key.pem -out server.csr
If creating a CSR with the existing key fails, create a new key and CSR at the same time:
openssl req -nodes -new -keyout key.pem -out server.csr
- Follow the directions at cacert.org.
- Country Name: US
- State or Province Name: Washington
- Locality Name (eg, city): Seattle
- Organization Name (eg, company): Grameen Foundation
- Organizational Unit Name (eg, section): (just hit enter)
- Common Name (eg, YOUR name): *.mifos.org
- Email Address: email@example.com
- Finally you will be asked about the 'extra' attributes; just hit Enter for both of those questions.
Submit the CSR to cacert.org, select "Sign by class 1 root certificate". Paste the certificate from cacert.org into a file called "cert.pem".
Make the cert usable by Tomcat:
openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.der -outform der
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
java ImportKey key.der cert.der
mv ~/keystore.ImportKey .
cp keystore.ImportKey /home/hudson/.keystore
chown hudson /home/hudson/.keystore
chmod 0600 /home/hudson/.keystore
The ImportKey program is available here.
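As an added example (not part of the original HOWTO or the ImportKey program), the same key, CSR and DER steps scripted non-interactively with the subject fields listed above, plus a check that key.pem and cert.pem actually belong together before anything is imported into the keystore. It assumes openssl on PATH and a scratch directory WORK in place of the vault; the self-signed cert is a constructed stand-in for the one cacert.org returns.

```shell
#!/bin/sh
# Added example, not the page's own procedure: key + CSR with the page's subject,
# a constructed self-signed cert in place of the cacert.org one, a key/cert match
# check, and the page's DER conversion step.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch dir instead of "the vault"
SUBJ="/C=US/ST=Washington/L=Seattle/O=Grameen Foundation/CN=*.mifos.org/emailAddress=email@example.com"

# Same as the page's "openssl req -nodes -new -keyout key.pem -out server.csr",
# with the interactive prompts answered via -subj.
make_key_and_csr() {
    openssl req -nodes -new -newkey rsa:2048 -keyout "$WORK/key.pem" \
        -out "$WORK/server.csr" -subj "$SUBJ" 2>/dev/null
}

# Constructed stand-in for the cacert.org-issued cert.pem (self-signed from the CSR).
self_sign_for_test() {
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/key.pem" \
        -days 30 -out "$WORK/cert.pem" 2>/dev/null
}

# Confirm the CSR carries the wildcard Common Name the page expects.
csr_common_name() {
    openssl req -in "$WORK/server.csr" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# A cert only works with the key it was issued for: compare the public keys.
# This is the check to run when a new key was generated for the CSR.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The page's conversion step, refused if the key and cert do not match.
convert_to_der() {
    key_matches_cert || { echo "key.pem does not match cert.pem; do not import" >&2; return 1; }
    openssl pkcs8 -topk8 -nocrypt -in "$WORK/key.pem" -out "$WORK/key.der" -outform der
    openssl x509 -in "$WORK/cert.pem" -inform PEM -out "$WORK/cert.der" -outform DER
    # sanity check: the DER cert parses back
    openssl x509 -in "$WORK/cert.der" -inform DER -noout -subject >/dev/null
}
```

After convert_to_der succeeds, key.der and cert.der in WORK are what the page feeds to `java ImportKey`.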
Possible future improvements
Adjust procedure so key doesn't need to be regenerated for every new CSR.