JavaBlog.fr / Java.lu

Java/JRE/JDK: generate a self-signed SSL certificate with keytool (install on web server…)

Hi,

In this article, I will briefly present:
1) the management of self-signed SSL certificates with keytool;
2) a complete example of certificate generation;
3) installation on a web server and tests.

1. Presentation of keytool
Java ships its own tool, keytool, to generate and manage self-signed SSL certificates. They are stored in a keystore file (Java's proprietary JKS format) that holds certificates and keys, each accessible by an alias. A keystore file is protected by a password; the default keystore is the current user's (~/.keystore). Certificates and keys can be imported into and exported from a keystore for use in Java applications.

  • Display the content of the current user’s keystore:
    C:\Users\huseyin>keytool -list
  • Display the content of a keystore file:
    keytool -list -keystore C:\MyFiles\Development\Java\tools\sslcertificates
  • Generate a self-signed X509 certificate named “myhuocert” in the keystore file:
    keytool -genkey -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocert -keyalg RSA
  • Delete the certificate named “myhuocert” from a keystore file:
    keytool -delete -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocert
  • Export the certificate named “myhuocert” from a keystore file in PEM format (keytool accepts a single command per invocation, so -export is not combined with -list):
    keytool -export -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocert -rfc
  • Import an external certificate under the alias “myhuocertimport”, passing the keystore password “myhuopass” with -storepass:
    keytool -import -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocertimport -storepass myhuopass -file C:\MyFiles\Development\Java\tools\sslcertificatestoimport

The official documentation of keytool: http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html

2. Generate a self-signed SSL certificate
First, our JRE is installed in: C:\Program Files (x86)\Java\jre6\bin
…so the following command generates a certificate with the alias “tomcat” in the keystore file “C:\MyFiles\Development\Java\tools\sslcertificates”, protected by the password “javablog.fr”, for a Tomcat server:

Note: These commands were run on a French-language system, so keytool's prompts below appear in French.

C:\Program Files (x86)\Java\jre6\bin>keytool -genkey -alias tomcat -keyalg RSA -keystore C:\MyFiles\Development\Java\tools\sslcertificates

Enter the keystore password, for example “javablog.fr”:

Tapez le mot de passe du Keystore :

Enter the same password “javablog.fr” again:

Ressaisissez le nouveau mot de passe :

Enter your first and last name, for example in my case “HUSEYIN OZVEREN”:

Quels sont vos prénom et nom ?
  [Unknown] :  HUSEYIN OZVEREN

Enter the name of your organizational unit, here “JAVABLOG.FR”:

Quel est le nom de votre unité organisationnelle ?
  [Unknown] :  JAVABLOG.FR

Enter the name of your organization, here “JAVA”:

Quelle est le nom de votre organisation ?
  [Unknown] :  JAVA

Enter the name of your city:

Quel est le nom de votre ville de résidence ?
  [Unknown] :  Lux

Enter the name of your state or province:

Quel est le nom de votre état ou province ?
  [Unknown] :  Lux

Enter your two-letter country code, here “LU”:

Quel est le code de pays à deux lettres pour cette unité ?
  [Unknown] :  LU

Confirm the distinguished name of the certificate:

Est-ce CN=HUSEYIN OZVEREN, OU=JAVABLOG.FR, O=JAVA, L=Lux, ST=Lux, C=LU ?
  [non] :  oui

Press the “[RETURN]” key to reuse the keystore password as the key password:

Spécifiez le mot de passe de la clé pour <tomcat>
        (appuyez sur Entrée s'il s'agit du mot de passe du Keystore) :

A file named “sslcertificates” has now been created in “C:\MyFiles\Development\Java\tools”.


Now, if we display the content of the newly generated keystore file (the password “javablog.fr” set above must be entered):

C:\MyFiles\Development\Java\tools>keytool -list -keystore C:\MyFiles\Development\Java\tools\sslcertificates
Tapez le mot de passe du Keystore :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 1 entrée(s)

tomcat, 4 févr. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : B8:CC:F6:0E:95:D7:2F:1A:9E:13:1D:78:C1:A3:EB:DF

Alternatively, the certificate can be generated directly with a single command: -dname supplies the distinguished name, so the interactive questions are skipped, and -validity 365 sets the validity period in days:

C:\Program Files (x86)\Java\jre6\bin>keytool.exe -genkey -alias tomcat -dname "cn=HUSEYIN OZVEREN, ou=JAVABLOG.FR, o=JAVA, L=Lux, S=Lux, C=LU" -keyalg RSA -validity 365 -keystore C:\MyFiles\Development\Java\tools\sslcertificates2

Enter the keystore password, for example “javablog.fr”:

Tapez le mot de passe du Keystore :

Enter the same password “javablog.fr” again:

Ressaisissez le nouveau mot de passe :

Press the “[RETURN]” key to reuse the keystore password as the key password:

Spécifiez le mot de passe de la clé pour <tomcat>
        (appuyez sur Entrée s'il s'agit du mot de passe du Keystore) :

A file named “sslcertificates2” has now been created in “C:\MyFiles\Development\Java\tools”.
Again, if we display the content of the newly generated keystore file (the password “javablog.fr” set above must be entered):

C:\Program Files (x86)\Java\jre6\bin>keytool -list -keystore C:\MyFiles\Development\Java\tools\sslcertificates2
Tapez le mot de passe du Keystore :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 1 entrée(s)

tomcat, 20 mars 2014, PrivateKeyEntry,
Empreinte du certificat (MD5) : 0B:4E:0F:72:B9:44:AE:DF:1A:F8:2B:94:A4:1C:75:6C

3. Configuration of SSL on Tomcat and tests

Without SSL configuration, the Tomcat server starts with the following log output:

19 juin 2014 00:25:03 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
...
19 juin 2014 00:25:09 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8080
19 juin 2014 00:25:10 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
19 juin 2014 00:25:10 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/443  config=null
19 juin 2014 00:25:10 org.apache.catalina.startup.Catalina start
INFO: Server startup in 6743 ms

Activate the following connector in the file “server.xml” of the “conf” folder, so that the https protocol is served from the “C:\MyFiles\Development\Java\tools\sslcertificates” keystore with the password chosen above, “javablog.fr” (keystore="C:\MyFiles\Development\Java\tools\sslcertificates" keystorePass="javablog.fr"):

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
          maxThreads="150" scheme="https" secure="true"
          keystore="C:\MyFiles\Development\Java\tools\sslcertificates" keystorePass="javablog.fr"
          clientAuth="false" sslProtocol="TLS" />

…and leave the default HTTP connector on port 8080 unchanged: its redirectPort attribute already sends requests that require a secure connection to port 8443:

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

…and when the Tomcat server is started:

19 juin 2014 00:43:14 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
19 juin 2014 00:43:17 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8443
...
19 juin 2014 00:43:27 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8080
19 juin 2014 00:43:27 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8443
19 juin 2014 00:43:27 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
19 juin 2014 00:43:28 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/481  config=null
19 juin 2014 00:43:28 org.apache.catalina.startup.Catalina start
INFO: Server startup in 10477 ms

If we check our configuration by accessing an application deployed on the Tomcat server (for example: https://localhost:8443/test_extJs_1/index2.html), the browser displays a certificate warning.


According to our browser, our certificate is invalid: the browser does not trust our self-signed certificate. Self-signed certificates aren't trusted by browsers because they are issued by our own server, not by a CA. A self-signed certificate is its own issuer, so the browser cannot build a chain from it to any CA in its list of trusted CAs. You can check the SSL certificate installation of an internet-facing server with an online SSL certificate tester.
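As an added check (example code written for this post, not part of the original article or of keytool), the following Java program opens the JKS keystore generated above and, for each entry, reports whether the certificate is genuinely self-signed (issuer equals subject and the signature verifies under its own public key), whether it has expired, and its SHA-256 fingerprint, which is preferable to the MD5 fingerprint that keytool -list prints. The class name KeystoreInspector and its two command-line arguments are my own choice.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Usage: java KeystoreInspector C:\MyFiles\Development\Java\tools\sslcertificates javablog.fr
public class KeystoreInspector {
    // SHA-256 of the DER encoding in keytool's AA:BB:CC style (preferable to the MD5 shown by -list).
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
    // Self-signed: issuer equals subject AND the signature verifies under the cert's own public key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
            return false; // issued under some other name, so not self-signed
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) { // bad signature, unsupported algorithm, ...
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray()); // keystore password, e.g. "javablog.fr"
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue; // secret-key entries carry no certificate
            X509Certificate cert = (X509Certificate) c;
            System.out.println(alias + (ks.isKeyEntry(alias) ? " (PrivateKeyEntry)" : " (trustedCertEntry)"));
            System.out.println("  Subject    : " + cert.getSubjectX500Principal());
            System.out.println("  Issuer     : " + cert.getIssuerX500Principal());
            System.out.println("  Self-signed: " + isSelfSigned(cert));
            System.out.println("  Expired    : " + cert.getNotAfter().before(new Date()));
            System.out.println("  SHA-256    : " + fingerprint(cert));
        }
    }
}
```

For the “tomcat” entry created above, the program reports Self-signed: true, which is exactly why the browser refuses to trust it without a CA chain.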


In a production environment, it is necessary to buy a signed certificate from a trusted SSL provider such as Verisign (the most well-known CA) or Go Daddy, or to sign it with your own CA server. In both cases we must generate a Certificate Signing Request (CSR) on our server and submit it to the signing authority (see http://www.digicert.com/csr-creation.htm and http://www.turnkeylinux.org/blog/ssl-certificates).

More information: http://www.digicert.com/ssl-support/certificate-not-trusted-error.htm

Kind regards,

Huseyin OZVEREN
