My experience with enabling SSL on JBoss/Tomcat
Here are the detailed steps for generating/installing a GoDaddy CA signed cert on a JBoss/Tomcat deployment.
I figured I would document the entire process for future reference; I added as much detail as I could and documented the issues I ran into.
I also added steps at the end to document a self-signed certificate as well.
I used OpenSSL to do the key generating and importing on the NMSU server.
NOTE: ALL the below commands have to be generated on the server that you install the certificate on. You also need admin rights on the server and an email address that is for an admin registered for the domain so that whois.com can be used to look up the server and email address associated with it. The certifying authorities mandate this so that they are sure that they are issuing the certificate to the correct site owner. I tried to add as much detail as possible.
1. Generate Your Private Key:
openssl genrsa -des3 -out server.key 2048
2. Generate the certificate signing request (CSR), an unsigned copy of the SSL certificate:
Enter the relevant information requested.
IMPORTANT: Make sure that the Common Name is EXACTLY the same as the domain that you are registering for a key, case matching. The country code has to be the right one, US for USA and the case matters. I demonstrated some dummy data below to give an idea…
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: VA
Locality Name (eg, city) []: Alexandria
Organization Name (eg, company) [Internet Widgits Pty Ltd]: myorg
Organizational Unit Name (eg, section) []: dev
Common Name (eg, YOUR name) []: mydomain.com (the exact domain that you are securing)
Email Address []: foo@bar.com
3. List the certificate to ensure all went well so far… I have mangled the below to show a dummy certificate for demo purposes.
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH
EwdoZXJuZG9uMQ4wDAYDVQQKEwVudGVseDEMMAoGA1UECx
Ewlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALHKK9/YFGrV
v+DMILzRuUKPpEGEKirh4X9pj/Q+OcB/7yAR
wCq/pRlKwRiBFkTVA0JMTALEg11TUqQSgBDkIYK6+RSkSA==
-----END CERTIFICATE REQUEST-----
4. Send this to the CA by going to the GoDaddy website and submitting the CSR form with the above key copied and pasted into their input window. This site has good directions for doing this part.
5. Remove the PassPhrase From Your Private Key
cp server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
6. Install the certificate on the server:
Once GoDaddy has approved the cert, they send an email to the admin email address stating that the cert is ready to be installed. Go to the GoDaddy website as instructed in that email and follow the directions from there; it's fairly clear at that point what to do.
Download the signed certificate and unzip the contents of the package; you will see 4 files in there.
Some problems I ran into and their solutions:
Beware of gd_bundle.crt in the package they send you; discard it and download the file from their repository at https://certs.godaddy.com/anonymous/repository.seam?cid=116134.
Also download the valicert_class2_root.crt from their site; it's a part of their chain that their documentation refers to but fails to deploy or mention explicitly in their instructions.
Finally, run the following command, which generates the keystore and adds the chain of certs to it.
openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in mydomain.com.crt -inkey server.key -out keystore.tomcat -name tomcat -passout pass:changeit
7. List out the installed certificate:
openssl pkcs12 -info -in keystore.tomcat
Here is the output, to give you an idea of what the chain looks like in the keystore. The below is a non-functional mangled cert, shown strictly to demonstrate what you can expect.
openssl pkcs12 -info -in keystore.tomcat
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
friendlyName: tomcat
localKeyID: 81 19 4A 2E 4D FA F4 A6 8E 11 E5 1B 29 52 12 D8 D6 21 E9 2F
subject=/O=nmsu.nxsuite.com/OU=Domain Control Validated/CN=nmsu.nxsuite.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
issuer=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
issuer=/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
issuer=/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
friendlyName: tomcat
localKeyID: 81 19 4A 2E 4D FA F4 A6 8E 11 E5 1B 29 52 12 D8 D6 21 E9 2F
Key Attributes:
Enter PEM pass phrase:
Verifying - Enter PEM pass
8. The certificates are located below; the directory contains the certificates from GoDaddy, the private key (server.key), and the keystore (keystore.tomcat):
gd_bundle.crt gd_cross_intermediate.crt keystoreg.tomcat mydomain.com.crt server.key valicert_class2_root.crt
gd_bundle.crtsav gd_intermediate.crt keystore.tomcat server.csr server.key.org
9. Configure Tomcat inside JBoss:
The server.xml is located at
You need to modify the keystoreName, keystorePassword to match the certificate installed. The keystoreType is set to PKCS12 since this is the type that was generated by OpenSSL.
Tomcat currently operates with JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK. The PKCS12 format is an internet standard, and can be manipulated via (among other things) OpenSSL.
How to get a self-signed certificate generated and installed:
Follow ALL the steps above, except that instead of submitting a request for a signed cert, sign it yourself and install your self-signed server.crt. The keystore can simply be added to the tomcat server.xml to use this instead of the signed cert. I tested this out.
Self-Sign Your Certificate Signing Request:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Install the cert into a keystore:
openssl pkcs12 -export -in server.crt -inkey server.key -out mycert.p12 -name tomcat -CAfile server.crt -caname root -chain
NOTE:
I had no success with keytool; the commands I followed on the GoDaddy help for keytool did not work for me, and the certificates were not recognized by Tomcat. Another issue I found with keytool is that it did not export the private key or generate it outside of the keystore.
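A check that can follow step 7 or the self-signed steps, added here as an example and not part of the original post: it confirms that the private key, CSR, certificate and PKCS12 keystore all carry the same public key, which is the first thing to rule out when Tomcat does not recognize a certificate. The function names, the temp-directory demo files and other.key are assumptions made for the example; the private key is assumed to have its passphrase removed (step 5).

```shell
#!/bin/sh
# Added example: do key, CSR, certificate and PKCS12 keystore share one public key?

# pubkey_fp FILE KIND [P12_PASSWORD] -> SHA-256 of the public key, or status 1
pubkey_fp() {
    case "$2" in
        key)  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        # env: keeps the keystore password out of the process list
        p12)  pem=$(P12_PASS=$3 openssl pkcs12 -in "$1" -passin env:P12_PASS \
                      -nokeys -clcerts 2>/dev/null |
                    openssl x509 -noout -pubkey 2>/dev/null) ;;
        *)    pem= ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable file or wrong password
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# same_key KEY CSR CERT P12 P12_PASSWORD -> status 0 only if all four match
same_key() {
    k=$(pubkey_fp "$1" key) || return 1
    [ "$k" = "$(pubkey_fp "$2" csr)" ] &&
    [ "$k" = "$(pubkey_fp "$3" cert)" ] &&
    [ "$k" = "$(pubkey_fp "$4" p12 "$5")" ]
}

# Constructed demo data: throwaway files in a temp dir, built with the post's
# self-signed steps and its dummy subject. Prints the directory name.
build_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" && umask 077   # key and keystore readable by the owner only
        openssl genrsa -out server.key 2048
        openssl req -new -key server.key -out server.csr \
            -subj "/C=US/ST=VA/L=Alexandria/O=myorg/OU=dev/CN=mydomain.com"
        openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
        P12_PASS=changeit openssl pkcs12 -export -in server.crt -inkey server.key \
            -out mycert.p12 -name tomcat -passout env:P12_PASS
        openssl genrsa -out other.key 2048   # unrelated key for the mismatch case
    ) >/dev/null 2>&1
    echo "$d"
}

if [ "${1:-}" = demo ]; then
    d=$(build_demo)
    same_key "$d/server.key" "$d/server.csr" "$d/server.crt" "$d/mycert.p12" changeit &&
        echo "match" || echo "MISMATCH"
fi
```

Run it with the argument demo to see the check pass on the throwaway files, or call same_key with the real server.key, server.csr, mydomain.com.crt and keystore.tomcat.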
