Creating Self-Signed Certificates for Google Web Toolkit Running on Apache HTTPD and Tomcat on Amazon Web Services EC2

Marc Whitlow — Mon, 27 Aug 2012 20:43:09 +0000

Creating and installing a self-signed Secure Sockets Layer (SSL) certificate on a server should be a relatively simple task. However, most of the documentation relating to these tasks is confusing. Most of the confusion arises from the fact that there are a multitude of different server configurations that utilize the SSL to complete secure transactions over the web. In order not to add to this confusion, the following tutorial will refer to the following server configuration:

Server:	64 bit Linux server running on Amazon Web Services Elastic Compute Cloud (EC2) server based on AMI ami-3bc9997e
Server Software:	Apache HTTP Server (HTTPD) and Apache Tomcat
Applications Type:	Google Web Toolkit and Java servlets

In this post I will describe:

Creation of self-signed SSL certificate in a Java keystore
Adding keystore to Tomcat’s server.xml
Extracting the certificate and the key from the keystore
Configuring Apache Server (httpd) ssl.conf

Creation of self-signed SSL certificate

Here we will use a Java KeyStore to supply Apache Tomcat the certificates we generate. One of the limitations to this approach is that you must start by creating the KeyStore first. SSL utilities such as Java keytool and OpenSSL do not have the ability to create a keystore from an existing certificate and key. In particular, there is no way to put the key in the keystore.

First we will create and open to the directory /etc/pki/tls/keystore. The keytool command that creates the keystore, we need to supply the following:

keystore file name: demo.colabrativ.keystore
alias: tomcat
keypass: password
storepass: password

In addition, we need to supply information on the website URL, when the keytool asks for “What is your first and last name?” and our institution information. This information has been highlighted in green below in the example below.

$ sudo mkdir /etc/pki/tls/keystore
$ cd /etc/pki/tls/keystore
$ sudo keytool -genkey -alias tomcat -keypass password -keystore demo.colabrativ.keystore -storepass password
What is your first and last name?
  [Unknown]:  demo.colabrativ.com
What is the name of your organizational unit?
  [Unknown]:  Developmemt
What is the name of your organization?
  [Unknown]:  Colabrativ, Inc.
What is the name of your City or Locality?
  [Unknown]:  El Sobrante
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=demo.colabrativ.com, OU=Developmemt, O=Colabrativ, Inc., L=El Sobrante, ST=California, C=US correct?
  [no]:  y

A useful command to check to keystore before preceeding is:

$ sudo keytool -list -keystore demo.colabrativ.keystore
Enter keystore password: password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Aug 27, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 1A:2D:B5:C1:E9:1E:5C:A2:79:D3:8A:9B:A1:CE:14:72

Adding Keystore to Tomcat’s server.xml

We configure Tomcat to support applications and services under the secure https protocol on port 8443. We do this by editing the server.xml file in /etc/tomcat7. We need to supply the keystore password in the 8443 Connector we enable. I have saved the original server.xml, and only show the difference between the two files below.

$ cd /etc/tomcat7
$ sudo cp -p server.xml server.xml.orig
$ sudo vi server.xml
$ sudo diff server.xml.orig server.xml
84,88c84,92
<     
---
>
>                     protocol="HTTP/1.1"
>                SSLEnabled="true"
>                maxThreads="150"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/etc/pki/tls/keystore/demo.colabrativ.keystore"
>                keystorePass="password" />

Extracting the Certificate and Key from the Keystore

There are three steps in extracting the certificate and key from the keystore we created above:

Use keytool to create an intermediate PKCS12 keystore.
Use OpenSSL to create a Privacy-enhanced Electronic Mail (PEM) formatted file containing the certificate and the key.
Extract the certificate and key from the PEM file using a text editor.

After the certificate and key have been prepared, they are moved the /etc/pki/tls/certs/, and /etc/pki/tls/private/ directories, respectively.

The ASCII demo.colabrativ.pem file created during the preparation of this tutorial can be download at the bottom of this section.

$ sudo keytool -importkeystore -srckeystore demo.colabrativ.keystore -destkeystore demo.colabrativ.intermediate -deststoretype PKCS12
Enter destination keystore password: password
Re-enter new password: password
Enter source keystore password: password
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

$ sudo openssl pkcs12 -in demo.colabrativ.intermediate -out demo..colabrativ.pem -nodes
Enter Import Password: password
MAC verified OK

$ sudo cp demo.colabrativ.pem demo.colabrativ.key
$ sudo cp demo.colabrativ.pem demo.colabrativ.crt
$ sudo vi demo.colabrativ.key
$ sudo vi demo.colabrativ.crt

$ ls -lt
total 20
-rw-r--r-- 1 root root 1224 Aug 27 10:11 demo.colabrativ.crt
-rw-r--r-- 1 root root  509 Aug 27 10:11 demo.colabrativ.key
-rw-r--r-- 1 root root 2294 Aug 27 10:02 demo.colabrativ.pem
-rw-r--r-- 1 root root 1852 Aug 27 10:00 demo.colabrativ.intermediate
-rw-r--r-- 1 root root 1333 Aug 27 09:37 demo.colabrativ.keystore

$ sudo mv demo.colabrativ.crt /etc/pki/tls/certs/.
$ sudo mv demo.colabrativ.key /etc/pki/tls/private/.

Download: demo.colabrativ.pem

Configuring Apache Server (HTTPD) ssl.conf

We will place all the SSL information for this server in the ssl.conf file in the /etc/httpd/conf.d directory. The ssl.conf file is loaded into the Apache Server (HTTPD) from the command “Include conf.d/*.conf” in httpd.conf in directory /etc/httpd/conf. You should check to be sure that this command is in your httpd.conf file.

We will place all the SSL information for this server in the ssl.conf file in the /etc/httpd/conf.d directory. Shown below are the differences between the original ssl.conf file and the edited version. It is a bit hard to tell where these changes were made from the file differences, so a copy of a demonstration ssl.conf file can be downloaded at the bottom of the section.

$ cd /etc/httpd/conf.d
$ sudo cp –p ssl.conf ssl.conf.orig
$ sudo vi ssl.conf
$ sudo diff ssl.conf.orig ssl.conf
19a20,21
> NameVirtualHost *:443
>
74c76,77
> 
---
> #
> 
78a82
> ServerName demo.colabrativ.com:443
85a90,100
> #
> # Proxy Server directives. Uncomment the following lines to
> # enable the proxy server:
> #
> ProxyRequests Off
> ProxyPass        /admin   https://demo.colabrativ.com:8443/admin
> ProxyPass        /demoapp https://demo.colabrativ.com:8443/demoapp
>
> SSLProxyEngine on
>
105c120,121
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateFile /etc/pki/tls/certs/demo.colabrativ.crt
112c128,129
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> SSLCertificateKeyFile /etc/pki/tls/private/demo.colabrativ.key

Download: ssl.conf

Useful Resources