Certs and SSL

Digital Encryption Tips

How to munge a certificate from your signing authority into something that Tomcat can use, and other miscellaneous key and certificate management topics.

Tomcat / SSL

Overview:

Two roughly equivalent HOWTOs on making a Java keystore for use with Tomcat:

More on keytool

keytool is Java's key and certificate manager. The best guide for using keytool is the manual page.

Generating a key and CSR

http://www.cacert.org/help.php?id=4

HOWTO Update mifos.org wildcard SSL cert

Change directory to "the vault" on birch (location deliberately omitted).

Back up the old cert, key, and CSR:

mkdir `date -I`_saved && mv cert.* keystore* key.* server.* `date -I`_saved

Create a CSR (certificate signing request) from the existing key:

openssl req -new -key key.pem -out server.csr

(from http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html)

If creating a CSR didn't work with the existing key, create a new key and CSR at the same time (-nodes leaves the key unencrypted, which the pkcs8 step below expects):

openssl req -nodes -new -keyout key.pem -out server.csr

  • Follow the directions at cacert.org, answering the prompts as follows:
    • Country Name: US
    • State or Province Name: Washington
    • Locality Name (eg, city): Seattle
    • Organization Name (eg, company): Grameen Foundation
    • Organizational Unit Name (eg, section): (just hit enter)
    • Common Name (eg, YOUR name): *.mifos.org
    • Email Address: amonsen@grameenfoundation.org
  • Finally you will be asked for the 'extra' attributes; simply hit enter for both of these questions.

Submit the CSR to cacert.org and select "Sign by class 1 root certificate". Paste the certificate returned by cacert.org into a file called "cert.pem".

Make the cert usable by Tomcat:

openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.der -outform der
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
java ImportKey key.der cert.der
mv ~/keystore.ImportKey .

For Hudson:

cp keystore.ImportKey /home/hudson/.keystore
chown hudson /home/hudson/.keystore
chmod 0600 /home/hudson/.keystore

The ImportKey program is available here.
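What the ImportKey step above does, written out here as an added example (it is not the ImportKey program linked on this page, nor Mifos code): it reads the key.der and cert.der produced by the openssl commands, checks that the certificate was actually issued for that key, and writes a JKS keystore. The alias "tomcat", the password argument and the RSA key type (what openssl req generates by default) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
// Added example, not the ImportKey program linked above: turns key.der (unencrypted
// PKCS#8, RSA as produced by "openssl req" above) and cert.der (X.509) into a JKS
// keystore holding one key entry. Alias "tomcat" and the password are assumptions.
public class ImportKeyExample {
    public static KeyStore build(byte[] pkcs8Key, byte[] x509Cert, String alias, char[] password)
            throws GeneralSecurityException, IOException {
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(pkcs8Key));
        Certificate cert = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(x509Cert));

        // Sanity check before writing anything: the certificate must have been issued
        // for this key. For RSA that means the moduli of both keys are identical.
        RSAPrivateKey priv = (RSAPrivateKey) key;
        RSAPublicKey pub = (RSAPublicKey) cert.getPublicKey();
        if (!priv.getModulus().equals(pub.getModulus())) {
            throw new GeneralSecurityException("key.der does not match the public key in cert.der");
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                                   // start with an empty keystore
        ks.setKeyEntry(alias, key, password, new Certificate[] { cert });
        return ks;
    }

    // Usage: java ImportKeyExample key.der cert.der keystore.jks <password>
    public static void main(String[] args) throws Exception {
        char[] password = args[3].toCharArray();
        KeyStore ks = build(Files.readAllBytes(Paths.get(args[0])),
                            Files.readAllBytes(Paths.get(args[1])), "tomcat", password);
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password);                           // then chown/chmod 0600 as above
        }
    }
}
```

The resulting file can be inspected with keytool -list -v -keystore keystore.jks to confirm the alias, the key's Common Name (*.mifos.org) and the validity dates before it is copied into place.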

Possible future improvements

Adjust procedure so key doesn't need to be regenerated for every new CSR.