Hi,

In this article, I will briefly present:
1) the management of self-signed SSL certificates with keytool;
2) a complete example of certificate generation;
3) installation on a web server and tests.

1. Presentation of keytool
Java uses its own tool, keytool, to generate and use self-signed SSL certificates. It relies on a proprietary storage format, the keystore file, which holds certificates and keys that are accessed by alias. A keystore file is protected by a password; the default keystore is the current user’s (~/.keystore). Certificates and keys can be imported into and exported from a keystore for use in Java applications.

  • Display the content of the current user’s keystore:
    C:\Users\huseyin>keytool -list
    
  • Display the content of a keystore file:
    keytool -list -keystore C:\MyFiles\Development\Java\tools\sslcertificates
    
  • Generate an RSA key pair and a self-signed X.509 certificate under the alias “myhuocert” in the keystore file:
    keytool -genkey -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocert -keyalg RSA
    
  • Delete a certificate named “myhuocert” from a keystore file:
    keytool -delete -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocert
    
  • Export the certificate with alias “myhuocert” from a keystore file, in PEM (-rfc) format:
    keytool -export -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocert -rfc
    
  • Import an external certificate under the alias “myhuocertimport”, supplying the keystore password “myhuopass” with -storepass:
    keytool -import -keystore C:\MyFiles\Development\Java\tools\sslcertificates -alias myhuocertimport -storepass myhuopass -file C:\MyFiles\Development\Java\tools\sslcertificatestoimport
    

The official documentation of keytool: http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html

2. Generate a self-signed SSL certificate
First, our JRE is installed in: C:\Program Files (x86)\Java\jre6\bin
…so the following commands generate a certificate with the alias “tomcat” in the keystore file “C:\MyFiles\Development\Java\tools\sslcertificates”, protected by the password “javablog.fr”, for a Tomcat server:

Note: These commands were checked on a French system, so the keytool prompts below are in French.

C:\Program Files (x86)\Java\jre6\bin>keytool -genkey -alias tomcat -keyalg RSA -keystore C:\MyFiles\Development\Java\tools\sslcertificates 

Enter the keystore password, for example “javablog.fr”:

Tapez le mot de passe du Keystore :

Enter the same password “javablog.fr” again:

Ressaisissez le nouveau mot de passe :

Enter your name; in my case “HUSEYIN OZVEREN” (this becomes the CN shown in the confirmation below):

Quels sont vos prénom et nom ?
  [Unknown] :  HUSEYIN OZVEREN 

Enter the name of your organizational unit, here “JAVABLOG.FR”:

Quel est le nom de votre unité organisationnelle ?
  [Unknown] :  JAVABLOG.FR 

Enter the name of your organization, here “JAVA”:

Quelle est le nom de votre organisation ?
  [Unknown] :  JAVA

Enter the name of your city:

Quel est le nom de votre ville de résidence ?
  [Unknown] :  Lux

Enter the name of your state or province:

Quel est le nom de votre état ou province ?
  [Unknown] :  Lux

Enter your two-letter country code, here “LU”:

Quel est le code de pays à deux lettres pour cette unité ?
  [Unknown] :  LU

Confirm the distinguished name of the certificate:

Est-ce CN=HUSEYIN OZVEREN, OU=JAVABLOG.FR, O=JAVA, L=Lux, ST=Lux, C=LU ?
  [non] :  oui

Press the “[RETURN]” key so that the key password is the same as the keystore password:

Spécifiez le mot de passe de la clé pour <tomcat>
        (appuyez sur Entrée s'il s'agit du mot de passe du Keystore) :

A file named “sslcertificates” is now created in “C:\MyFiles\Development\Java\tools”.


So, if we display the content of the newly generated keystore file (the password chosen above, “javablog.fr”, must be entered):

C:\MyFiles\Development\Java\tools>keytool -list -keystore C:\MyFiles\Development\Java\tools\sslcertificates
Tapez le mot de passe du Keystore :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 1 entrée(s)

tomcat, 4 févr. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : B8:CC:F6:0E:95:D7:2F:1A:9E:13:1D:78:C1:A3:EB:DF

Alternatively, the certificate can be generated with a single command by passing the distinguished name with -dname (and here a validity of 365 days), so that only the passwords are prompted for:

C:\Program Files (x86)\Java\jre6\bin>keytool.exe -genkey -alias tomcat -dname "cn=HUSEYIN OZVEREN, ou=JAVABLOG.FR, o=JAVA, L=Lux, S=Lux, C=LU" -keyalg RSA -validity 365 -keystore C:\MyFiles\Development\Java\tools\sslcertificates2

Enter the keystore password, for example “javablog.fr”:

Tapez le mot de passe du Keystore :

Enter the same password “javablog.fr” again:

Ressaisissez le nouveau mot de passe :

Press the “[RETURN]” key so that the key password is the same as the keystore password:

Spécifiez le mot de passe de la clé pour <tomcat>
        (appuyez sur Entrée s'il s'agit du mot de passe du Keystore) :

A file named “sslcertificates2” is now created in “C:\MyFiles\Development\Java\tools”.
So, if we display the content of the newly generated keystore file (the password chosen above, “javablog.fr”, must be entered):

C:\Program Files (x86)\Java\jre6\bin>keytool -list -keystore C:\MyFiles\Development\Java\tools\sslcertificates2
Tapez le mot de passe du Keystore :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 1 entrée(s)

tomcat, 20 mars 2014, PrivateKeyEntry,
Empreinte du certificat (MD5) : 0B:4E:0F:72:B9:44:AE:DF:1A:F8:2B:94:A4:1C:75:6C

3. Configuration of SSL on Tomcat and tests

Without SSL configuration, the Tomcat server starts with the following log output:

19 juin 2014 00:25:03 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
...
19 juin 2014 00:25:09 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8080
19 juin 2014 00:25:10 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
19 juin 2014 00:25:10 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/443  config=null
19 juin 2014 00:25:10 org.apache.catalina.startup.Catalina start
INFO: Server startup in 6743 ms

Activate the following connector in the file “server.xml” of the “conf” folder to enable the https protocol, pointing keystoreFile at the “C:\MyFiles\Development\Java\tools\sslcertificates” keystore and keystorePass at the password chosen above, “javablog.fr” (the Tomcat attribute is keystoreFile, not keystore; since the keystore password is then stored in clear text in server.xml, restrict that file’s permissions to the Tomcat user):

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:\MyFiles\Development\Java\tools\sslcertificates" keystorePass="javablog.fr"
               clientAuth="false" sslProtocol="TLS" />

…and leave the default HTTP connector unchanged: its redirectPort attribute already sends requests on port 8080 that require a secure connection (a CONFIDENTIAL transport guarantee in the application’s web.xml) to port 8443:

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

…and when the tomcat server is started:

19 juin 2014 00:43:14 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
19 juin 2014 00:43:17 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8443
...
19 juin 2014 00:43:27 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8080
19 juin 2014 00:43:27 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8443
19 juin 2014 00:43:27 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
19 juin 2014 00:43:28 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/481  config=null
19 juin 2014 00:43:28 org.apache.catalina.startup.Catalina start
INFO: Server startup in 10477 ms

If we check our configuration by accessing an application deployed on the Tomcat server (for example: https://localhost:8443/test_extJs_1/index2.html):


According to our browser, our certificate is invalid, because the browser doesn’t trust our self-signed certificate. Self-signed certificates aren’t trusted by browsers because they are signed by our own server’s key rather than by a CA whose root certificate is in the browser’s trust store. You can check your SSL certificate installation on your internet server via an SSL certificate tester.
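The browser check above can be automated. The following Python script is an added example, not part of the original post: it fetches the certificate the Tomcat connector serves, compares its fingerprint with the one printed by `keytool -list` above, and reports why a verifying handshake fails. It assumes Tomcat is listening on localhost:8443 as configured above and, optionally, that the certificate was exported with `keytool -export -rfc` to a PEM file you pass as `cafile`.

```python
import hashlib
import re
import socket
import ssl

# Matches keytool's fingerprint line in any locale, e.g. the French
# "Empreinte du certificat (MD5) : B8:CC:..." printed by `keytool -list` above.
FINGERPRINT_RE = re.compile(r"\(([A-Z0-9-]+)\)\s*:\s*((?:[0-9A-F]{2}:)+[0-9A-F]{2})")


def fingerprint(der_bytes, algorithm="md5"):
    """Digest of a DER certificate in keytool's colon-separated upper-case form."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_listing(listing):
    """Return {hashlib name: fingerprint} for every fingerprint in `keytool -list` output."""
    return {alg.replace("-", "").lower(): fp for alg, fp in FINGERPRINT_RE.findall(listing)}


def served_matches_listing(der_bytes, listing):
    """True if the certificate a server presented has the fingerprint(s) keytool listed."""
    expected = fingerprints_from_listing(listing)
    return bool(expected) and all(fingerprint(der_bytes, a) == fp for a, fp in expected.items())


def fetch_server_cert_der(host, port):
    """Fetch the leaf certificate without validating it; we only want to inspect it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def handshake_result(host, port, cafile=None):
    """'trusted' if a verifying TLS handshake succeeds, otherwise OpenSSL's reason.

    With cafile=None the platform trust store is used, as a browser does, so the
    self-signed certificate is rejected. Passing the exported PEM as cafile pins it,
    but the handshake still fails with a hostname mismatch, because the CN entered
    at the "prénom et nom" prompt is a person's name, not 'localhost'.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message or str(exc)
```

Against a running Tomcat, `served_matches_listing(fetch_server_cert_der("localhost", 8443), listing_text)` confirms that the connector really serves the keystore entry, and `handshake_result("localhost", 8443)` shows the same rejection the browser reports.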


In a production environment, it is necessary to buy a certificate signed by a trusted SSL service provider such as Verisign (the best-known CA) or Go Daddy, or to sign it with your own CA server. To do so, we must generate a Certificate Signing Request (CSR) from our server and submit it to a signing authority (see http://www.digicert.com/csr-creation.htm and http://www.turnkeylinux.org/blog/ssl-certificates).

More information: http://www.digicert.com/ssl-support/certificate-not-trusted-error.htm

Kind regards,

Huseyin OZVEREN