Once you have OpenSSL properly set up and the OpenSSL binary in your path, execute the following commands (unix OS assumed):
OpenSSL has several 'subparts' in its command. The portion of the command line that follows the openssl binary is the portion to use. For example, the first part:
deals with X.509 Certificate Signing Request (CSR) Management. whereas
deals with X.509 certificate data management. So the first command created a Certificate request as well as a new private key for the certificate authority, and the second command created a new Certificate Authority Certificate with a 5 year duration.
At this point in time, you have two main artifacts that need to be protected: ca.key. the private key for the certificate authority, and ca.pem the public certificate of the certificate authority. The private key of the certificate authority must be the most guarded portion of your security! Typically, this is given restricted privileges. If someone manages to steal the Certificate Authority private key, they may issue client certificates in your name.
Create the Serial Number File
Each certificate that is signed by the certificate authority will have a serial number assigned to the signed certificate. It helps when tracing when and where certificates were signed. To create the certificate serial number file in shell environments you can issue the command:
In a Windows environment,
you may simply create a new file called ca.srl, open it with NotePad or equivilant text editor, and give the file the contents 02 and save it.
Create a server certificate and keystore
Create your Tomcat Certificate
Each SSL handshake that is mutually authenticated requires two certificates: One for the server, and one for the client. Java also requires a keystore in which to store the certificate that is used by the Tomcat server.
The important items in the command line are:
- emokeystore: You can have any number of keystores, and Java comes with one buried in it. Howver, it is easier to manage if you have Tomcat/emo deal with its own keystore file rather than relying on the one sitting somewhere else.
- dname: the common name (cn) should be the domain of the web server. You can add a comma and an organziation if you like, e.g. o="Codeguild,Inc.". If you leave off the -dname argument you will be prompted for various fields in the certificate.
- keystore: $EMO_DIR should be set to the full path of the 'keys' directory created above.
- storepass: $PASS is some password you will remember.
- alias: can be anything; we use 'emo' for convenience.
Next we import the certificate created in OpenSSL:
At this point, the keystore should be ready to go for tomcat.