dcsimg

How do I install SSL for my container?

Created May 7, 2012

Ted Husted

See:

Here are some common configuration mistakes:

  • When installing standard extensions, install them under $JAVAHOMEjrelibext -- not under $JAVAHOMElibext.
  • If Struts links do not appear under SSL, see step 7 on the Secure Socket Extension page.
  • You may need to add
    -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
    to the command line which loads your container.
  • If you have trouble importing your license key, be sure that your text file is saved in standard UNIX file format

Here's a bird's eye overview

1. Install JSSE 

2. Create a new keystore for certificate requests, using template that ships with Java

cp cacerts MY_SERVER.keystore

3. Change the default password

keytool -storepasswd -storepass changeit -new MY_KEYSTORE_PASSWORD -keystore data.keystore

4. Generate a key, specifying an alias to use for this certificate

keytool -genkey -keyalg RSA -alias MY_SERVER_ALIAS -storepass MY_KEYSTORE_PASSWORD -keystore data.keystore

Answer the questions, using your machine's fully-qualified name (www.myserver.com) for "first and last name".

Use the same password for the key (using another password is not implemented).

5. Create a certificate request, based on the key created for the alias (step 2).

keytool -certreq -alias MY_SERVER_ALIAS -store pass MY_SERVER_PASSWORD -keystore MY_SERVER.keystore

Capture the output to a text file (MY_SERVER.crs), being sure to keep a backup copy in a safe place. This is your Certificate Request.

6. Generate a test certificate with Thawte, or another authority, to be sure everything works, and import the certificate returned (MY_SERVER.crt) for this alias.

keytool -import -alias MY_SERVER_ALAIS -storepass MY_SERVER_PASSWORD -keystore MY_SERVER.keystore -file MY_SERVER.crt

7. Repeat previous step to obtain a production certificate (unless you are self-signing for intranet use). When you import the production certificate, it will replace the test version.