Wednesday, March 26, 2014

SSL Keystore cheat sheet

I often find myself scouring the net for how to create a self-signed certificate and then how to actually use it. So I have now created a cheat sheet.



JAVA: how to obtain a keystore file for a certificate (.crt) file

Create a store with a temporary key inside:
keytool -genkey -alias temp -keystore yourkeystore.jks -storepass Hello1
Then delete the temporary entry:
keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
Now you've got an empty store. You can check that it's empty:
keytool -list -keystore yourkeystore.jks -storepass Hello1
Then import your certificate into the store:
keytool -import -alias alias -file cert_file.crt -keypass keypass -keystore yourkeystore.jks -storepass Hello1




  • I like to create a directory to keep my certificates in separately (for this doc I'll use C:\SSL).
  • Open a command prompt and cd to that dir (cd c:\ssl).
  • Generate the keystore as follows:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass myPass -keysize 2048

  • You will need to fill in the prompts that follow:
        Password:
                Use something you will remember.
        First & Last Name:
                Use the domain or IP that you will be using to
                access the site with.
                If you're only hitting Tomcat from the local machine,
                use "localhost".
                If you don't, the user will be warned that the certificate
                is for a different domain.
        Organizational Unit:
                SXI
        Name of your organization:
                SXI
        Name of your city:
                Johannesburg
        Name of your state or province:
                Gauteng
        The two letter country code for this unit:
                Make sure it's upper case ("ZA")
    You will be shown all of your entries and asked to confirm.
    (Is CN=localhost, OU=SXI, O=SXI, L=Johannesburg, ST=Gauteng, C=ZA correct?)
        Hit enter.
    You will be asked for a key password, with the option to just hit enter
    (which reuses the keystore password; the Tomcat configuration below relies on that).
        Hit enter.

  • You should now have a keystore.jks file in C:\SSL



To configure Tomcat to use this keystore


1. Open server.xml, located in TOMCAT\conf.
(Or right-click on the Tomcat server in NetBeans and click on "edit server.xml".)

2. Find and uncomment the SSL <Connector port="8443" ...> entry.
        NOTE: XML uses the "<!--" start and "-->" end symbols
                to begin and end comments.
        NOTE: There is a comment just above it that looks like this:
         <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

3. Add two more attributes to this tag:
        keystoreFile="C:\SSL\keystore.jks"
        and:
        keystorePass="myPass"

4. Restart Tomcat.

Example of the section to configure in the server.xml file:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443"
               maxHttpHeaderSize="8192"
               maxThreads="150"
               minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="100"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="c:\ssl\keystore.jks"
               keystorePass="myPass" />




Export the generated server certificate in keystore.jks into the file server.cer:

keytool -export -alias selfsigned -storepass myPass -file server.cer -keystore keystore.jks

(NB: the alias "selfsigned" must exist in the keystore)



To add the server certificate to the truststore file sxi.jks 

Run keytool from the directory where you created the keystore and server certificate.

keytool -import -v -trustcacerts -alias selfsigned -file server.cer -keystore /path/to/keystoredir/myServersKey.jks -keypass myPass -storepass myPass

/path/to/keystoredir is the directory holding the truststore that your application is going to use. In Java you point the JVM at it by setting this system property:

System.setProperty("javax.net.ssl.trustStore", "/path/to/keystoredir/myServersKey.jks");
       
If you get "keytool error: java.lang.Exception: Input not an X.509 certificate", check that server.cer is not 0 bytes.
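As an added example (not from the original post), the small Java check below opens the keystore programmatically rather than through the system property, using this page's password (myPass) and alias (selfsigned), and confirms that the certificate is currently valid and that its CN matches the host you will browse to, which is what causes the "certificate is for a different domain" warning mentioned above. The class and method names are my own; the default path C:\SSL\keystore.jks is the one used throughout this sheet.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

public class TrustStoreCheck {
    /** Open a JKS file with its store password (myPass in this cheat sheet). */
    static KeyStore load(String path, String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());
        }
        return ks;
    }

    /** True if the entry under alias is an X.509 cert that is valid today and whose CN equals expectedHost. */
    static boolean certMatchesHost(KeyStore ks, String alias, String expectedHost) throws Exception {
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            return false; // alias missing, or not an X.509 certificate
        }
        X509Certificate x = (X509Certificate) c;
        try {
            x.checkValidity(); // throws if today is outside the notBefore/notAfter window
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            System.out.println("certificate not currently valid: " + e.getMessage());
            return false;
        }
        // Subject DN as generated above: CN=localhost,OU=SXI,O=SXI,L=Johannesburg,ST=Gauteng,C=ZA
        String subject = x.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String cn = null;
        for (String rdn : subject.split(",")) {
            if (rdn.trim().startsWith("CN=")) { cn = rdn.trim().substring(3); break; }
        }
        System.out.println("subject: " + subject + "  expires: " + x.getNotAfter());
        return expectedHost.equalsIgnoreCase(cn);
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "C:\\SSL\\keystore.jks";
        KeyStore ks = load(path, "myPass");
        boolean ok = certMatchesHost(ks, "selfsigned", "localhost");
        System.out.println(ok ? "OK: CN matches the host you will browse to"
                              : "WARNING: browsers will report this certificate as being for a different domain");
    }
}
```

keytool -genkey issues a certificate valid for 90 days unless you pass -validity <days>, so this check also catches a self-signed certificate that has quietly expired.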

I hope I can refer to this many times and not have to get the info from loads of different sites in the future again ;)