A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
In Public Key Infrastructure (PKI) systems, a Certificate Signing Request also CSR or certification request is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.
The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge SPKAC format generated by some Web browsers.
1. The tools
- Java JDK 8
- Tomcat Server 8
2. Introduction
Apache Tomcat SSL Configuration. Secure Socket Layer (SSL) is a protocol that provides security for communications between client and server by implementing encrypted data and certificate-based authentication.
If you want to use HTTPS on your own Tomcat Installation without use an external authority then you need to generate your own certificate signing request, you need to advise your clients that are self signing your application because the most used browsers only recognized an limited amount of authorities, unless you are going to make your own custom browser. HTTPS also called HTTP over TLS, HTTP over SSL and HTTP Secure is a protocol for secure communication over a computer network which is widely used on the Internet.
HTTPS consists of communication over Hypertext Transfer Protocol HTTP within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.
3. Prerequisites
- JDK installed
- Tomcat 8 installed and running
4. Generate Certificate Using Keytool
keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication, where the user authenticates himself/herself to other users/services or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys in the form of certificates of their communicating peers.
A certificate is a digitally signed statement from one entity person, company, etc, saying that the public key and some other information of some other entity has a particular value.
When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.
We are going to generate a certificate inside keystore folder in the Tomcat install directory. If the keystore folder doesn’t exist you need to create it.
Create a certificate keystore and private key with the following command:
Keystore on Windows
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat
Keystore on Linux
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/keystore/tomcat
5. Certificate questions
You need to answer some questions to create the certificate. We are going to follow these questions using mockup data to show the point:
First you need to enter a Fully Qualified Domain Name:
A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the Internet. The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be mail.somedomain.org.
Fully Qualified Domain Name
What is your first and last name? [Unknown]: www.javacodegeeks.com
An organizational unit (OU) is a subdivision within a directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization’s functional or business structure.
The name of your organizational unit, in this case Technology:
Name of your organizational unit
What is the name of your organizational unit? [Unknown]: Technology
The name of your organization:
Name of your organization
What is the name of your organization? [Unknown]: Java Code Geeks
The name of your City or Locality, in this case we are using London:
Name of your City or Locality
What is the name of your City or Locality? [Unknown]: London
The name of your State or Province also in this case we are using London:
Name of your State or Province
What is the name of your State or Province? [Unknown]: London
The two-letter country code, every country have a two letter country code:
Two-letter country code
What is the two-letter country code for this unit? [GB]: GB
Finally keytool asks us to review the information and if the information is correct you need to explicit write yes or no, in case you write a negative answer the keytool start the process again.
Name of your organizational unit
Is CN=www.javacodegeeks.com, OU=Technology, O=Java Code Geeks, L=London, ST=London, C=GB correct? [no]: yes
Now we have our Certificate Signing Request to use with our Tomcat Server and allow SSL connections.
6. Check Certificate keystore
We can check our CSR with the following command:
On Windows
keytool -list -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat
On Linux
keytool -list -keystore /opt/tomcat/keystore/tomcat
7. Use the certificate in Tomcat
Edit the file:
On Windows
C:\Java\Apache Tomcat 8.5.9\conf\server.xml
On Linux
/opt/tomcat/conf/server.xml
and add an SSL connector.
SSL Conector
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:\Java\apache-tomcat-8.0.23\keystore\tomcat"
keystorePass="changeit" />
Restart tomcat and you are done. Now you can run your Applications under HTTPS in Tomcat.
8. Conclusion
A certificate signing request (CSR) is a message sent to a certificate authority to request the signing of a public key and associated information. Most commonly a CSR will be in a PKCS10 format. The contents of a CSR comprises a public key, as well as a common name, organization, city, state, country, and e-mail. Not all of these fields are required and will vary depending with the assurance level of your certificate. Together these fields make up the to be signed certificate sequence.
The CSR is signed by the applicant’s private key; this proves to the CA that the applicant has control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the applicant’s public key so that it can be publicly trusted.
Tomcat fully supports the SSL protocol, Secure Socket Layer (SSL) is a protocol that provides security for communications between client and server by implementing encrypted data and certificate-based authentication.
SSL is one of the most common ways of integrating secure communication on the Internet, as it is a mature protocol that is supported by every browser.
Apache Tomcat, can handle sensitive data, and SSL is an easy way to offer your users security.
