
Certificates

Become a Certificate Authority

openssl genrsa -des3 -out myCA.key 2048

Create Root Certificate

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

Create Cert signed with the CA

openssl genrsa -out dev.mydomain.com.au.key 2048

Create a certificate signing request

openssl req -new -key dev.mydomain.com.au.key -out dev.mydomain.com.au.csr

Create a config file for the extensions.

The file should have the following content (the SAN entry is what clients actually match against):

dev.mydomain.com.au.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = dev.mydomain.com.au # Be sure to include the domain name here: modern clients match against subjectAltName and ignore the Common Name on its own
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)

Create the signed certificate

The generated .crt file is the signed certificate in PEM format.

openssl x509 -req -in dev.mydomain.com.au.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.mydomain.com.au.crt -days 825 -sha256 -extfile dev.mydomain.com.au.ext

Verifying a certificate against the CA

openssl verify -CAfile myCA.pem -verify_hostname dev.mydomain.com.au dev.mydomain.com.au.crt
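The whole procedure above, as an added runnable example (not from the original page): it builds a throwaway CA, signs a leaf certificate with a SAN extension and then runs the same chain-plus-hostname verification a TLS client performs. It assumes openssl is on PATH; the directory, hostnames and file names are constructed for the demo, and the CA key is generated without -des3 so the script runs unattended.

```shell
#!/bin/sh
# Added example: CA -> CSR -> SAN extension -> signed leaf -> verify.
# Assumes openssl in PATH. All names below are constructed for the demo.
# The CA key is unencrypted (no -des3) so no passphrase prompt is needed.
set -eu

# issue_and_verify DIR HOST: writes CA and leaf into DIR, returns 0 only
# when the leaf chains to the CA AND matches HOST, non-zero otherwise.
issue_and_verify() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # 1. CA key and self-signed root (page's flags, minus -des3)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 825 \
        -subj "/CN=Demo Root CA" -out "$dir/ca.pem" 2>/dev/null
    # 2. Leaf key and certificate signing request
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
    # 3. Extension file: SAN carries the name, CA:FALSE prevents the leaf
    #    from being used to sign further certificates
    cat > "$dir/$host.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$host
EOF
    # 4. Sign the CSR with the CA, applying the extension file
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
    # 5. Chain and hostname check, as a client does during the handshake
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" \
        "$dir/$host.crt" >/dev/null 2>&1
}

# hostname_matches DIR HOST NAME: 0 only if the leaf issued for HOST also
# validates for NAME (it should not, unless NAME is listed in the SAN).
hostname_matches() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" \
        "$1/$2.crt" >/dev/null 2>&1
}
```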

Convert the certificate and private key to PKCS#12 format (for Tomcat)

openssl pkcs12 -export -in dev.mydomain.com.au.crt -inkey dev.mydomain.com.au.key -out dev.mydomain.com.au.p12 -name tomcat -chain -CAfile myCA.pem

Remember the export password you make up for this step; the keytool import below needs it.

Use a key pair with Tomcat / Java

Import the PKCS#12 bundle into a Java keystore.

keytool -importkeystore -deststorepass changeme -destkeystore tomcat.keystore -srckeystore dev.mydomain.com.au.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD_FROM_LAST_STEP -alias tomcat

Use the keystore in Tomcat

Copy the keystore onto the server, for example to /opt/security/.

Modify the SSL connector in Tomcat's server.xml file so it points at the keystore and the alias used above.

server.xml
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true" keyAlias="tomcat"
keystoreFile="/opt/security/tomcat.keystore" keystorePass="changeme"
clientAuth="false" sslProtocol="TLS"/>

Set up certificates for AWS VPN

Re-write the CA private key as a plain PEM-format RSA key (openssl rsa with no encryption option writes the key without a passphrase).

openssl rsa -in ca-private.key -outform PEM -out ca-private.pem