Configure Tomcat 7 Two way SSL Authentication

Software:
1. Functional EJBCA PKI (Do not have one? You could use openssl and keytool instead. Follow Section II of this post for that configuration).
2. Apache Tomcat 7.0.52

***Section I: Using EJBCA
To complete the configuration, you have to have your CA root certificate (LeopardRootCA.pem as example). It will be used to sign all client certificates and server certificates. By default Tomcat uses the certificate trust store provided with the JDK, which can be found in $JAVA_HOME/jre/lib/security/cacerts. Do not reuse it as the trust store for client authentication: with client authentication enabled, Tomcat accepts any client certificate that chains to any CA in the trust store, and the JDK cacerts file contains dozens of public CAs. Here I am going to create a new trust store for my configuration that contains only my own root CA.
1. Create key store for Tomcat
# -keyalg RSA is needed: keytool in JDK 7/8 defaults to DSA, which browsers will not use for TLS
keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcat-server -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
Enter keystore password: apache123
Re-enter new password: apache123
What is your first and last name?
[Unknown]: Use FQDN of your server
What is the name of your organizational unit?
[Unknown]: Center Research Cancer
What is the name of your organization?
[Unknown]: SHH
What is the name of your City or Locality?
[Unknown]: CityName
What is the name of your State or Province?
[Unknown]: StateName
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=FQDN, OU=Center Research Cancer, O=SHH, L=CityName, ST=StateName, C=US correct?
[no]: yes

Enter key password for <tomcat-server>
(RETURN if same as keystore password): apache123
Re-enter new password: apache123
2. Create certificate request for Tomcat server:
keytool -certreq -alias tomcat-server -file FQDN.csr -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
3. Sign the request in EJBCA, then copy the signed certificate, FQDN.pem, to the current working directory.
4. Import the CA root certificate into the Tomcat key store. This has to happen before the signed server certificate is imported, otherwise keytool cannot build the chain and fails with: "keytool error: java.lang.Exception: Failed to establish chain from reply."
keytool -importcert -alias leopardrootca -file LeopardRootCA.pem -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
4.1 Import the signed server certificate (same alias as the key pair, so keytool attaches the certificate to the existing private key):
keytool -importcert -alias tomcat-server -file FQDN.pem -keystore /opt/apache-tomcat-7.0.52/conf/keystore.jks
5. Create a trust store for Tomcat and put your CA root certificate into it:
keytool -importcert -keystore cacerts.jks -storepass changeit -alias leopardrootca -file LeopardRootCA.pem
6. Configure Tomcat conf/server.xml by uncommenting the SSL HTTP/1.1 Connector section and editing it for your key store and trust store.
7. Start Tomcat
bin/startup.sh
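Step 6 above refers to the Connector section of conf/server.xml. The snippet is not reproduced on this page, so here is an added example of a Tomcat 7 HTTPS Connector with client-certificate authentication; it is not the original post's configuration. It assumes the key store, alias and password from step 1, the trust store from step 5 copied to conf/cacerts.jks, and the NIO connector; adjust names, paths and passwords for your installation.

```xml
<!-- Added example (not the original post's snippet). Paths, passwords and
     aliases are assumptions taken from the keytool commands above. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="apache123" keyAlias="tomcat-server"
           truststoreFile="${catalina.base}/conf/cacerts.jks"
           truststorePass="changeit"
           clientAuth="true" />
```

clientAuth="true" makes Tomcat reject every TLS handshake that does not present a certificate chaining to a CA in truststoreFile; clientAuth="want" only asks for one and lets unauthenticated connections through, so the application would have to check the certificate itself. Any certificate issued by any CA in the trust store is accepted, which is why the trust store must contain only the CA that issues your client certificates and never the JDK cacerts file. Tomcat uses keystorePass as the private key password as well; if you chose a different key password in step 1, add keyPass to the Connector.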
8. Create a client certificate using the same root CA in EJBCA and import it into Firefox.

***Section II: Using openssl and keytool as example
1. Create key pair for root CA (use at least 2048 bits; 1024-bit RSA is rejected by current browsers)
openssl genrsa -out rootCA.key 4096
2.create root certificate
openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt
3. create necessary folder for openssl
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo '01' > demoCA/serial
4. create server certificate keypair
openssl genrsa -out localhost.key 2048
5. Create server certificate signing request file
openssl req -new -key localhost.key -out localhost.csr
6. Sign the server CSR using the CA
openssl ca -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -out localhost.crt -infiles localhost.csr
7. create client certificate keypair
openssl genrsa -out client.key 2048
8. Create client certificate signing request
openssl req -new -key client.key -out client.csr
9. Sign the client CSR using the CA
openssl ca -keyfile rootCA.key -cert rootCA.crt -out client.crt -policy policy_anything -infiles client.csr
10. Convert the created server and client certificates into PKCS#12 type:
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name server  # export password: server
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name client  # export password: client
11. Create Tomcat keystore
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore localhost.p12 -srcstoretype PKCS12 -srcstorepass server -alias server
12. Configure the Tomcat server.xml file (same as step 6 in Section I)
13. Create the trust store and put the root CA certificate into it
keytool -importcert -keystore cacerts.jks -storepass changeit -alias rootca -file rootCA.crt
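Steps 1 to 13 of this section as one runnable script. This is an added example, not the original post's commands: it signs with openssl x509 -req instead of openssl ca, so it needs no demoCA directory, index.txt or serial file, and it adds the extensions browsers require (subjectAltName and extendedKeyUsage), which the CSRs above do not carry. It also verifies each issued certificate against the CA for its intended purpose. The hostname localhost, the CA name, the aliases server and client and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds a private root CA,
# a server certificate and a client certificate with OpenSSL, exports both to
# PKCS#12 and, when keytool is on the PATH, builds the Tomcat key store and
# trust store. Assumed (not from the post): host "localhost", CA name
# "Example Root CA", aliases "server"/"client", password "changeit".
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Sign a CSR with rootCA. "openssl x509 -req" is used instead of "openssl ca",
# so no demoCA directory, index.txt or serial file is needed.
#   $1 = CSR, $2 = output certificate, $3 = extension file
sign_csr() {
    openssl x509 -req -in "$1" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
        -days 825 -sha256 -extfile "$3" -out "$2" 2>/dev/null
}

make_ca() {
    openssl genrsa -out rootCA.key 4096 2>/dev/null
    openssl req -new -key rootCA.key -subj "/C=US/O=Example/CN=Example Root CA" -out rootCA.csr
    # Explicit CA extensions, so the result does not depend on the system openssl.cnf
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
    openssl x509 -req -in rootCA.csr -signkey rootCA.key -days 3650 -sha256 \
        -extfile ca.ext -out rootCA.crt 2>/dev/null
}

make_server_cert() {
    openssl genrsa -out localhost.key 2048 2>/dev/null
    openssl req -new -key localhost.key -subj "/CN=localhost" -out localhost.csr
    # Browsers match the hostname against subjectAltName, not CN, and check the EKU
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:localhost' \
        'authorityKeyIdentifier=keyid,issuer' > server.ext
    sign_csr localhost.csr localhost.crt server.ext
}

make_client_cert() {
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -subj "/CN=client" -out client.csr
    # clientAuth only: this certificate cannot be reused to impersonate the server
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' 'authorityKeyIdentifier=keyid,issuer' > client.ext
    sign_csr client.csr client.crt client.ext
}

# Check that $1 chains to rootCA and is valid for purpose $2 (sslserver or
# sslclient). Exit status is openssl's: 0 only when chain and purpose are valid.
verify_cert() {
    openssl verify -purpose "$2" -CAfile rootCA.crt "$1" >/dev/null 2>&1
}

export_pkcs12() {
    # -passout keeps the export non-interactive; Tomcat needs a non-empty password
    openssl pkcs12 -export -in localhost.crt -inkey localhost.key -name server \
        -passout pass:changeit -out localhost.p12
    openssl pkcs12 -export -in client.crt -inkey client.key -name client \
        -passout pass:changeit -out client.p12
}

build_java_stores() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping keystore.jks and cacerts.jks" >&2
        return 0
    fi
    # Key store: the server key pair and certificate, same alias as in the .p12
    keytool -importkeystore -noprompt -srckeystore localhost.p12 -srcstoretype PKCS12 \
        -srcstorepass changeit -destkeystore keystore.jks -deststorepass changeit
    # Trust store: only our root CA, so only certificates it issued are accepted
    keytool -importcert -noprompt -alias rootca -file rootCA.crt \
        -keystore cacerts.jks -storepass changeit
}

make_ca
make_server_cert
make_client_cert
export_pkcs12
build_java_stores
# Fail loudly if either certificate would be rejected for its purpose
verify_cert localhost.crt sslserver
verify_cert client.crt sslclient
echo "certificates and stores written to $WORKDIR"
```

Copy keystore.jks and cacerts.jks into Tomcat's conf directory and point the Connector at them; import client.p12 (password changeit) into Firefox as a personal certificate. To test the handshake from the command line without a browser: curl --cacert rootCA.crt --cert client.p12:changeit --cert-type P12 https://localhost:8443/ ; the same request without --cert must fail the handshake when clientAuth="true". If an older keytool refuses the .p12 files produced by OpenSSL 3, re-run the two pkcs12 -export commands with -legacy.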
