2016/02/22

Java servlet SSL certs with openssl and keytool

On e.g. a CentOS 6 box, generate the private key and a CSR that carries the server names as subjectAltName entries (the subject needs a CN= component; the one below uses the same host as the SAN list and the file names):
openssl req -newkey rsa:2048 -sha512 -subj "/C=US/ST=Texas/O=MyCompany, Inc./CN=myserver.mycompany.com" -reqexts SAN -config <(printf "[SAN]\nsubjectAltName=DNS:myserver.mycompany.com,DNS:othername.mycompany.com,DNS:othername2.mycompany.com\n[req]\ndistinguished_name = req_distinguished_name\n[req_distinguished_name]\n") -out ~/myserver.mycompany.com.csr -keyout myserver.mycompany.com.key


Submit the CSR at geocerts. When the certificate is approved, download it.

The download includes an intermediate cert, so combine the CA bundle with the cert itself into one file; that is what gets the server to present its whole chain, e.g.:
curl https://www.geocerts.com/pickup/aafccdd107747f76d73048fee9db132352d7sdfsd0b8/dynamic.zip > myserver.mycompany.com.zip
unzip myserver.mycompany.com.zip
cat GeoTrust_CA_Bundle.txt SSL_myserver_mycompany_com.txt > myserver.mycompany.com-certchain.crt

keytool -keystore keystore -import -alias myserver.mycompany.com -file myserver.mycompany.com-certchain.crt -trustcacerts
openssl pkcs12 -inkey myserver.mycompany.com.key -in myserver.mycompany.com-certchain.crt  -export -out myserver.mycompany.com-certchain.pkcs12
keytool -importkeystore -srckeystore myserver.mycompany.com-certchain.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

Now copy the keystore to the application's conf directory, where it expects the keystore to be, and restart the java/tomcat daemon.
If the daemon does not stay running, check that your private key password and keystore password are the same. If they differ, change the private key's password to match the keystore's (the key imported from the PKCS12 file gets alias "1" by default). Note that the app also has to be configured with the keystore password:
keytool -keypasswd -alias 1 -keystore keystore
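The three things that most often go wrong with the steps above are a chain file whose intermediate is missing, a key that does not belong to the certificate that came back, and a certificate that lacks the hostname you expected in its SANs. The script below is an added example, not part of the original post: it builds a throwaway root/intermediate/leaf locally (so it runs offline and talks to no CA), writes the same [req]/[SAN] config the post feeds to openssl, concatenates the chain file, builds the PKCS12 with openssl pkcs12 -export, and then runs the checks worth doing before the keystore goes anywhere near Tomcat. All names, passwords and paths in it (myserver.mycompany.com, changeit, the mktemp directory) are constructed for the demo. It puts the server certificate first in the chain file; openssl pkcs12 picks the certificate matching the key regardless of order, but tools that read only the first certificate in a file (openssl x509, openssl verify) want the leaf first.

```shell
#!/bin/sh
# Added example (not from the original post): build a chain file and PKCS#12
# the way the post does, then verify key/cert match, chain completeness and SANs.
# Everything is constructed: a throwaway root, intermediate and leaf are generated
# in a temp dir so the script runs offline. Requires only the openssl CLI.

# Generate a throwaway PKI in directory $1: root -> intermediate -> leaf (with SANs).
make_test_pki() {
  d=$1
  # Same [req]/[SAN] layout the post passes via process substitution, as a file.
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[SAN]
subjectAltName=DNS:myserver.mycompany.com,DNS:othername.mycompany.com
EOF
  # Extensions that make the root and intermediate real CA certificates.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  # Root: self-signed (constructed, valid for one day).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/req.cnf" \
    -subj "/CN=Constructed Test Root" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/req.cnf" \
    -subj "/CN=Constructed Test Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Leaf: CSR with -reqexts SAN exactly as in the post, signed by the intermediate.
  # x509 -req does not copy CSR extensions, so the same [SAN] section is re-applied.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/req.cnf" -reqexts SAN \
    -subj "/CN=myserver.mycompany.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$d/req.cnf" -extensions SAN -out "$d/leaf.pem" 2>/dev/null
}

# build_chain LEAF INTERMEDIATE OUT: the "cat bundle cert > chain" step, leaf first.
build_chain() { cat "$1" "$2" > "$3"; }

# key_matches_cert KEY CERTFILE: compare SPKIs; returns non-zero if the key is not
# the one the (first) certificate was issued for. Protects against the wrong .key.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# chain_verifies ROOT CHAINFILE: the leaf (first cert in the file) must chain to
# ROOT using only the certificates in CHAINFILE, i.e. the intermediate is present.
chain_verifies() {
  openssl x509 -in "$2" -out "$2.leaf" 2>/dev/null &&
  openssl verify -CAfile "$1" -untrusted "$2" "$2.leaf" >/dev/null 2>&1
}

# cert_has_san CERTFILE NAME: the hostname clients will connect to must be a SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|$)"
}

# make_pkcs12 KEY CHAINFILE OUT PASSWORD: the post's openssl pkcs12 -export step,
# with -name so the key entry gets a readable alias instead of "1".
make_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -name myserver.mycompany.com \
    -passout "pass:$4" -out "$3" 2>/dev/null
}

# pkcs12_cert_count FILE PASSWORD: how many certificates the PKCS#12 carries;
# 1 means the intermediate was lost and the server will present a broken chain.
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# demo: run every check on the constructed PKI; non-zero exit on the first failure.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  build_chain "$d/leaf.pem" "$d/int.pem" "$d/chain.crt"
  key_matches_cert "$d/leaf.key" "$d/chain.crt" || { echo "key does not match cert"; return 1; }
  chain_verifies "$d/root.pem" "$d/chain.crt" || { echo "chain incomplete"; return 1; }
  cert_has_san "$d/chain.crt" myserver.mycompany.com || { echo "SAN missing"; return 1; }
  make_pkcs12 "$d/leaf.key" "$d/chain.crt" "$d/server.p12" changeit
  [ "$(pkcs12_cert_count "$d/server.p12" changeit)" -eq 2 ] || { echo "pkcs12 lost the intermediate"; return 1; }
  echo "all checks passed; artifacts in $d"
}

demo || exit 1
```

Run it as-is to see the checks pass; point key_matches_cert, chain_verifies and cert_has_san at your real .key and -certchain.crt before the keytool -importkeystore step. If a modern OpenSSL 3 produced the .pkcs12 and an older JDK's keytool refuses to read it, the cause is usually the newer PBES2 defaults; openssl pkcs12 has a -legacy option for that case.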
