Apache Tomcat Generate Csr Example
In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.
The most common format for CSRs is the PKCS #10 specification; another is the Signed Public Key and Challenge (SPKAC) format generated by some Web browsers.
1. The tools
- Java JDK 8
- Tomcat Server 8
2. Introduction
If you want to use HTTPS on your own Tomcat installation without using an external authority, you need to generate your own certificate signing request. You also need to advise your clients that your application is self-signed, because the most used browsers only recognize a limited number of authorities, unless you are going to make your own custom browser.
HTTPS, also called HTTP over TLS, HTTP over SSL and HTTP Secure, is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.
3. Prerequisites
- JDK installed
- Tomcat 8 installed and running
4. Generate Certificate keystore
We are going to generate a certificate inside the keystore folder in the Tomcat install directory. If the keystore folder doesn't exist you need to create it.
Create a certificate keystore and private key with the following command:
Keystore on Windows
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat
Keystore on Linux
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/keystore/tomcat
5. Certificate questions
You need to answer some questions to create the certificate. We are going to walk through these questions using mock data to show the point:
First you need to enter a Fully Qualified Domain Name:
Fully Qualified Domain Name
What is your first and last name? [Unknown]: www.javacodegeeks.com
The name of your organizational unit, in this case Technology:
Name of your organizational unit
What is the name of your organizational unit? [Unknown]: Technology
The name of your organization:
Name of your organization
What is the name of your organization? [Unknown]: Java Code Geeks
The name of your City or Locality, in this case we are using London:
Name of your City or Locality
What is the name of your City or Locality? [Unknown]: London
The name of your State or Province; in this case we are also using London:
Name of your State or Province
What is the name of your State or Province? [Unknown]: London
The two-letter country code; every country has a two-letter country code:
Two-letter country code
What is the two-letter country code for this unit? [GB]: GB
Finally keytool asks us to review the information, and if the information is correct you need to explicitly write yes or no.
If you give a negative answer, keytool starts the questions again.
Review the information
Is CN=www.javacodegeeks.com, OU=Technology, O=Java Code Geeks, L=London, ST=London, C=GB correct? [no]: yes
Now we have our Certificate Signing Request to use with our Tomcat Server and allow SSL connections.
6. Check Certificate keystore
We can check our CSR with the following command:
On Windows
keytool -list -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat
On Linux
keytool -list -keystore /opt/tomcat/keystore/tomcat
7. Use the certificate in Tomcat
Edit the file:
On Windows
C:\Java\apache-tomcat-8.5.9\conf\server.xml
On Linux
/opt/tomcat/conf/server.xml
and add an SSL connector.
SSL Connector
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Java\apache-tomcat-8.5.9\keystore\tomcat"
           keystorePass="changeit" />
Restart Tomcat and you are done. Now you can run your applications under HTTPS in Tomcat.
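As an added example (not part of the original tutorial), the following script audits the HTTPS connector entries of a server.xml like the one above before Tomcat is restarted: it flags a missing keystoreFile, a connector that is SSLEnabled but not marked scheme="https"/secure="true", an sslProtocol that still admits SSLv3 or TLS 1.0/1.1, and the well-known default keystore password "changeit" from the snippet. The XML document below is a constructed sample built from the tutorial's connector; the finding messages and the DEFAULT_PASSWORDS set are this script's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's SSL connector (plain HTTP connector added for contrast).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/tomcat/keystore/tomcat" keystorePass="changeit" />
</Service></Server>"""

# "changeit" is the keystore password Tomcat's SSL documentation uses as the default;
# the rest of this set is an assumption about commonly reused values.
DEFAULT_PASSWORDS = {"changeit", "password", "tomcat"}
# sslProtocol values that still negotiate deprecated protocol versions.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_ssl_connectors(server_xml: str) -> list[str]:
    """Return one finding string per weak setting found on SSLEnabled connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing to audit here
        port = conn.get("port", "?")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(f"port {port}: set scheme=\"https\" and secure=\"true\"")
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is missing")
        if conn.get("keystorePass", "") in DEFAULT_PASSWORDS:
            findings.append(f"port {port}: keystorePass is a well-known default")
        proto = conn.get("sslProtocol", "TLS")
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"port {port}: sslProtocol={proto} allows deprecated versions")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against the real file with `audit_ssl_connectors(open("/opt/tomcat/conf/server.xml").read())`; an empty list means none of the checked settings are present.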
8. Conclusion
A certificate signing request (CSR) is a message sent to a certificate authority to request the signing of a public key and associated information. Most commonly a CSR will be in PKCS #10 format. The contents of a CSR comprise a public key, as well as a common name, organization, city, state, country, and e-mail. Not all of these fields are required, and they will vary depending on the assurance level of your certificate. Together these fields make up the to-be-signed certificate sequence.
The CSR is signed by the applicant's private key. This proves to the CA that the applicant has control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the applicant's public key so that it can be publicly trusted.