Friday, July 29, 2011

How to enable HTTPS/SSL on Tomcat with an already existing certificate and private key
I have the following scenario:

I bought 1 certificate + 1 private key from ICP Brasil. I need to add them to Tomcat so that the sites inside it work with SSL (HTTPS). How do I do it?

== Creating keystore ==
To enable SSL in Tomcat, the "keystore" must be created first: a password-protected file in which Tomcat stores all certificates and keys. It is created and manipulated with the "keytool" command; the keystore is created automatically the first time you import a certificate into it.

# import the ICP-Brasil root certificates
# (downloaded from http://acraiz.icpbrasil.gov.br/ICP-Brasil.crt; the first import creates the keystore)
keytool -import -trustcacerts -alias icpbrasil1 -file /etc/tomcat6/certificados/icpbrasil1.pem -keystore /usr/share/tomcat6/.keystore
keytool -import -trustcacerts -alias icpbrasil2 -file /etc/tomcat6/certificados/icpbrasil2.pem -keystore /usr/share/tomcat6/.keystore
keytool -import -trustcacerts -alias icpbrasil3 -file /etc/tomcat6/certificados/icpbrasil3.pem -keystore /usr/share/tomcat6/.keystore

== Converting certificate + private key to DER format ==
To add the certificate + private key that I bought, it is necessary to convert both to DER format: the private key as unencrypted PKCS#8 DER, the certificate as X.509 DER.
# private key: PEM -> PKCS#8 DER (unencrypted, so ImportKey can read it)
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
# certificate: PEM -> DER ("openssl pkcs8" only handles private keys; a certificate is converted with "openssl x509")
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

== Adding the pair certificate + private key to keystore ==
Unfortunately Tomcat needs a "kludge" to add the private key to the keystore: keytool cannot import an existing private key directly, so a class called ImportKey is used to import the key + certificate pair. To download, compile and use the class, run the following commands:

wget http://www.startux.de/images/phocadownload/importkey.java
mv importkey.java ImportKey.java   # the file name must match the class name
javac ImportKey.java
# usage: java ImportKey keyfile certfile [alias] [keystore] [keystore_passphrase]
java ImportKey key.der cert.der ANY_ALIAS /usr/share/tomcat6/.keystore KEYSTORE_PASSWORD
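The conversion and import steps above, as an added shell example that is not code from the original post. It uses the right openssl subcommand for each file (pkcs8 for the key, x509 for the certificate), adds a check the post does not show, namely that the private key and the certificate actually belong together before anything is written into the keystore, and goes one step further by bundling the pair as PKCS#12, which keytool from Java 6 onward can import with "keytool -importkeystore" instead of the ImportKey class. It assumes the openssl CLI is on PATH; the self-signed key and certificate it generates, the working directory and all file names are constructed for the demo and stand in for the bought key.pem / cert.pem.

```shell
#!/bin/sh
# Added example, not code from the original post. Prepares a PEM private key and
# certificate for import into a Java keystore and checks that they belong together.
# Assumes the openssl CLI is on PATH; the demo pair and all file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed input: a throwaway self-signed key + certificate standing in for the
# bought key.pem / cert.pem of the post.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Private key: PEM -> unencrypted PKCS#8 DER, the form the ImportKey class reads.
key_to_der() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -inform PEM -out "$2" -outform DER
}

# Certificate: PEM -> DER. A certificate is an X.509 object, so "openssl x509"
# does the conversion; "openssl pkcs8" only understands private keys.
cert_to_der() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER
}

# Sanity check before touching the keystore: the public key derived from the
# private key must be identical to the public key embedded in the certificate.
# Prints "match" or "mismatch"; an unreadable key or certificate is a mismatch.
check_pair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || key_pub=""
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || crt_pub=""
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Alternative to ImportKey: bundle key + certificate as PKCS#12, which keytool
# (Java 6 and later) imports directly into the Tomcat keystore:
#   keytool -importkeystore -srckeystore demo.p12 -srcstoretype PKCS12 \
#           -destkeystore /usr/share/tomcat6/.keystore -deststoretype JKS
# Arguments: key.pem cert.pem alias output.p12 password
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" -out "$4" -passout "pass:$5"
}

main() {
    make_demo_pair
    key_to_der "$WORK/key.pem" "$WORK/key.der"
    cert_to_der "$WORK/cert.pem" "$WORK/cert.der"
    echo "key/certificate check: $(check_pair "$WORK/key.pem" "$WORK/cert.pem")"
    build_pkcs12 "$WORK/key.pem" "$WORK/cert.pem" demo "$WORK/demo.p12" changeit
    echo "DER files and demo.p12 written to $WORK"
}

# Run the full sequence with RUN_DEMO=1; otherwise only the functions are defined.
if [ "${RUN_DEMO:-0}" = "1" ]; then
    main
fi
```

Run it with RUN_DEMO=1 sh prepare_keystore_material.sh; with a real key and certificate, point key_to_der, cert_to_der and check_pair at those files instead of the generated pair. The key/certificate comparison is worth doing even when the ImportKey route is kept: importing a key that does not belong to the certificate succeeds silently and only shows up later as a TLS handshake failure.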


== Configuring server.xml ==
In "/etc/tomcat6/server.xml" add the following Connector element to enable the usage of the keystore and HTTPS. The opening line of the element did not survive on this page; port 8443 is Tomcat's default HTTPS port (assumption), and keystoreFile points at the keystore created above:
<!-- port 8443 is Tomcat's default HTTPS port; adjust if a different port is wanted -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="1024" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/usr/share/tomcat6/.keystore"
           keystorePass="KEYSTORE_PASSWORD" />

Restart tomcat
/etc/init.d/tomcat6 restart

SORRY FOR MY ENGLISH, I'M STILL LEARNING!
