Queries on role of files .keystore and CAKey.pem while moving the site to https?

scott miles
Ranch Hand

Joined: Jun 16, 2011
Posts: 70
Here are the steps I followed to move my web application to https/SSL:

1) Download Win32OpenSSL_Light-0_9_8t from http://www.slproweb.com/products/Win32OpenSSL.html and install

2) In the OpenSSL installation directory, create subdirectory private. The Certificate Authority's private key will be stored here.
In the OpenSSL installation directory, create subdirectory newcerts. New certificates signed by the CA will be stored here.
In the OpenSSL installation directory, create an empty file named index.txt. OpenSSL keeps its signed certificates database in that file.
From the subdirectory bin/PEM/demoCA of the OpenSSL installation directory, copy the file serial to the OpenSSL installation directory. Open the copied serial file and edit it to read 00 and save. Each new CA-signed certificate's serial number is taken from this file's content, which is incremented each time a certificate is signed.

3) In openssl.cfg, did the following changes:
dir = c:/openssl <-- This is the OpenSSL installation directory
certificate = $dir/private/cacert.pem
#crl = $dir/crl.pem

4) Create Self-signed Certificate with command
cd /d "%OPENSSL_HOME%"
openssl req -new -x509 -days 2000 -keyout private\CAKey.pem -out private\CACert.pem -config bin\openssl.cnf

5) Convert the certificate PEM file to a DER encoded file
cd /d "%OPENSSL_HOME%"
openssl x509 -in private\CACert.pem -out private\CACert.cer -outform DER
This command creates file CACert.cer in the private subdirectory.


6) Modify Java Root Certificates

cd %JAVA_HOME%
keytool -import -keystore jre\lib\security\cacerts -alias AppOpenSSLCert -file %OPENSSL_HOME%\private\cacert.cer

This adds our self-signed CA certificate to Java's trusted CA certificates, which are kept in file jre\lib\security\cacerts in the Java JDK installation directory.
Our self-signed CA certificate was stored under the alias AppOpenSSLCert.

As per the documentation it should have worked (i.e. I tried hitting the URL with https), but it did not work. To make it work I had to run one more command, i.e.

7)
C:\Program Files\Java\jdk1.6.0_23>keytool -genkey -alias tomcat -keyalg RSA
which generated the .keystore file (which will have the SSL certificate, which will be sent when a client makes an https request and the client matches this certificate in its truststore, and the private key).

Finally I made changes in server.xml and it worked:
keystoreFile="c:/.keystore"
keystorePass="changeit"


That's why the whole confusion came to my mind. If we are using the certificates pointed to by the .keystore file generated in the 7th step, what is the purpose of the steps I did from 1 to 6 (the CAKey.pem and CACert.pem files)?

Last question, on the VeriSign link (http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/): it talks about two certificates, i.e. SSL certificate and digital certificate. Where do the SSL certificate and digital certificate fit in the above scenario?
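
A check for the situation described in the post above, as an added example that is not part of the original post: this Java program reports whether the keystore entry Tomcat serves holds a private key, and whether its certificate is self-signed or was signed by the CA certificate from steps 4 and 5. The class name KeystoreRoleCheck and the helper signedBy are hypothetical; the default paths, alias and password are the ones in the post and are assumptions about the local setup.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (not from the post): shows what role a keystore alias plays
// and which key signed its certificate. Written to compile on Java 6 and later.
public class KeystoreRoleCheck {

    // True if cert names issuer as its issuer and its signature verifies with issuer's public key.
    static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (Exception e) { // bad signature or unsupported algorithm
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the values in the post; treat them as assumptions about your machine.
        String storePath = args.length > 0 ? args[0] : "c:/.keystore";
        char[] storePass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias     = args.length > 2 ? args[2] : "tomcat";
        String caPath    = args.length > 3 ? args[3] : "c:/openssl/private/CACert.cer";

        // The keystore is the server's identity: private key plus the certificate sent to clients.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(storePath);
        try { ks.load(in, storePass); } finally { in.close(); }

        // The CA certificate is what a client (or Java's cacerts truststore) is asked to trust.
        InputStream caIn = new FileInputStream(caPath);
        X509Certificate ca;
        try { ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(caIn); }
        finally { caIn.close(); }

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) { System.out.println("no certificate under alias " + alias); return; }
        System.out.println("alias             : " + alias);
        System.out.println("key entry         : " + ks.isKeyEntry(alias));
        System.out.println("subject           : " + cert.getSubjectX500Principal());
        System.out.println("issuer            : " + cert.getIssuerX500Principal());
        System.out.println("self-signed       : " + signedBy(cert, cert));
        System.out.println("signed by CA file : " + signedBy(cert, ca));
    }
}
```

keytool -genkey wraps the new public key in a self-signed certificate, so for a keystore created as in step 7 the last two lines read true and false: the entry Tomcat presents is independent of CAKey.pem and CACert.pem.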
 