Have you installed the Java Runtime Environment and Apache Tomcat yet? If not, follow these steps first!
Since we are using the Tomcat APR connector, we use OpenSSL instead of the default SSL implementation. In this step, a Certificate Signing Request (CSR) is generated on the server, which can then be used to request an SSL certificate from a certificate provider. An OpenSSL binary for Windows is included in the Tomcat Native Connector distribution.
Please replace $tomcat with the correct Tomcat installation folder name, such as C:\Program Files\Apache Software Foundation\Tomcat 7.0.
Files required
Application | Version | File |
---|---|---|
OpenSSL | newer is better (1.0.1 preferred) | For Windows, the OpenSSL binary can be found in the Tomcat native libs: http://files.eveoh.nl/tomcat-native-1.1.33-win32-bin.zip. For Linux, OpenSSL is usually already installed; consult the package manager of your OS if this is not the case. |
Requesting an SSL certificate
First, a Certificate Signing Request (CSR) is generated on the server.
- Create a file openssl.cnf with the following contents. Replace the values between << >> with appropriate values for your institution.
```
HOME = .
oid_section = new_oids

[ new_oids ]

[ req ]
default_days = 730
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request

[ req_distinguished_name ]
commonName = Your nice common name
commonName_default = <<timetables.eveoh.nl>>
commonName_max = 64
countryName = Country Name (2 letter code)
countryName_default = <<NL>>
countryName_min = 2
countryName_max = 2
0.organizationName = Organization Name (eg, company)
0.organizationName_default = <<Eveoh>>
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = <<Support>>

[ v3_req ]
subjectAltName=<<DNS:timetables.eveoh.nl,DNS:www.timetables.eveoh.nl,DNS:roosters.eveoh.nl,DNS:www.roosters.eveoh.nl>>
```
- Open the Command Prompt
- Generate a private key using openssl. Enter a strong passphrase and make sure to remember it; it is needed every time the key is used.
openssl genrsa -des3 -out <path to private key>/private_key.pem 2048
- Generate a CSR. Press Enter at each prompt; the values are taken from the defaults already entered in the openssl.cnf file.
openssl req -new -key <path to private key>/private_key.pem -out <path to CSR>/cert.csr -sha256 -config openssl.cnf
- Use the CSR to request a certificate from your certificate provider.
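The key and CSR steps above, as an added example that is not part of the MyTimetable documentation: a POSIX shell script that writes an openssl.cnf with constructed values (timetables.example.org, NL, Example University), generates the passphrase-protected key and the CSR without interactive prompts, and then checks the CSR before it is sent to the certificate provider. The KEY_PASS environment variable, the example host names and the function names are assumptions of this example, not part of the original procedure.

```shell
#!/bin/sh
# Added example, not part of the MyTimetable documentation. Generates the
# encrypted private key and the CSR from an openssl.cnf like the one above
# and checks the CSR before it goes to the certificate provider.
# Host names, organisation and the KEY_PASS passphrase are constructed values.
set -eu

# The docs have you type the passphrase at a prompt; here it comes from the
# environment so that nothing is interactive (assumption of this example).
: "${KEY_PASS:=example-key-passphrase}"
export KEY_PASS
COMMON_NAME=timetables.example.org
ALT_NAMES="DNS:timetables.example.org,DNS:www.timetables.example.org"

# Write the request configuration with the <<...>> placeholders filled in.
write_openssl_cnf() {
    cat > "$1" <<EOF
HOME = .
oid_section = new_oids

[ new_oids ]

[ req ]
default_days = 730
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
commonName = Common Name (host name of the server)
commonName_default = $COMMON_NAME
commonName_max = 64
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example University
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Support

[ v3_req ]
subjectAltName = $ALT_NAMES
EOF
}

# The procedure's steps: config file, 2048-bit key protected with a
# passphrase, SHA-256 signed CSR taking the defaults from the config.
make_csr() {
    dir=$1
    write_openssl_cnf "$dir/openssl.cnf"
    openssl genrsa -des3 -passout env:KEY_PASS -out "$dir/private_key.pem" 2048 2>/dev/null
    openssl req -new -batch -sha256 -config "$dir/openssl.cnf" \
        -key "$dir/private_key.pem" -passin env:KEY_PASS -out "$dir/cert.csr" 2>/dev/null
}

# What to look at before submitting: the CSR's self-signature verifies, the
# key really is 2048-bit RSA, the SAN extension made it in with every host,
# and the public key in the CSR belongs to the private key we will deploy.
check_csr() {
    dir=$1
    openssl req -in "$dir/cert.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl rsa -in "$dir/private_key.pem" -passin env:KEY_PASS -noout -text 2>/dev/null \
        | grep -q '2048 bit' || return 1
    text=$(openssl req -in "$dir/cert.csr" -noout -text)
    printf '%s\n' "$text" | grep -q 'Subject Alternative Name' || return 1
    for host in $(printf '%s' "$ALT_NAMES" | tr ',' ' '); do
        printf '%s\n' "$text" | grep -q "$host" || return 1
    done
    csr_pub=$(openssl req -in "$dir/cert.csr" -noout -pubkey)
    key_pub=$(openssl rsa -in "$dir/private_key.pem" -passin env:KEY_PASS -pubout 2>/dev/null)
    [ "$csr_pub" = "$key_pub" ] || return 1
}

# Stand-alone usage: generate into a scratch directory and report.
work=$(mktemp -d)
make_csr "$work"
check_csr "$work" && echo "CSR ready to submit: $work/cert.csr"
```

The `-batch` flag makes `openssl req` take the `*_default` values from the config instead of prompting, which is the scripted equivalent of pressing Enter at each prompt. The checks in `check_csr` are the ones a certificate provider performs on receipt, so running them locally avoids a rejected request: a missing `req_extensions` line is the usual reason a CSR arrives without its subjectAltName.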
Convert PEM files to PKCS12
Usually your certificate authority will send you a PEM-encoded certificate, and the files created above are PEM-encoded as well. To convert these PEM files to PKCS12 format, use the following command (replace the filenames where necessary):
openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -certfile ca_chain.pem -out certificate.pfx
Converting PKCS7 to PEM files
If your certificate comes in a .p7b (PKCS7) file, you need to split it into separate certificates first. Run the following command:
openssl pkcs7 -print_certs -in certificate.p7b
This outputs the server certificate together with the CA certificates. Save the server certificate in a new file (with a .pem extension) and save the intermediate CA certificates in a separate file.
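The two conversions above (splitting a .p7b bundle into certificate and chain, then packaging certificate, key and chain as PKCS12), as an added example that is not part of the MyTimetable documentation. Since no real certificate provider is involved, the script first builds a throwaway test CA and a server certificate signed by it as a stand-in for what a provider returns, and wraps them in a PKCS7 bundle. The KEY_PASS and PFX_PASS variables, the host name timetables.example.org and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the MyTimetable documentation. Shows the two
# conversions above on real files: splitting a PKCS#7 (.p7b) bundle into the
# server certificate and the CA chain, then packaging certificate, private
# key and chain into PKCS#12. Because no real provider is involved, a
# throwaway test CA and a server certificate signed by it stand in for what
# the provider returns. Host name, passphrases and function names are constructed.
set -eu
: "${KEY_PASS:=example-key-passphrase}"   # passphrase of private_key.pem
: "${PFX_PASS:=example-pfx-passphrase}"   # passphrase for the .pfx
export KEY_PASS PFX_PASS
SERVER_CN=timetables.example.org

# Stand-in for the certificate provider: self-signed test CA, server
# certificate signed by it, both delivered as one PKCS#7 bundle.
make_test_bundle() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca.key" -days 2 -out "$dir/ca.pem"
    # Server key and CSR as in the documentation (encrypted key, SHA-256 CSR)
    openssl genrsa -des3 -passout env:KEY_PASS -out "$dir/private_key.pem" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$SERVER_CN" -sha256 \
        -key "$dir/private_key.pem" -passin env:KEY_PASS -out "$dir/cert.csr"
    openssl x509 -req -in "$dir/cert.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/server.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$dir/server.pem" -certfile "$dir/ca.pem" \
        -out "$dir/certificate.p7b"
}

# From the documentation: openssl pkcs7 -print_certs prints every certificate
# in the bundle. awk writes each one to its own file; the one whose subject
# carries the server name becomes certificate.pem, the rest form ca_chain.pem.
split_p7b() {
    dir=$1
    openssl pkcs7 -print_certs -in "$dir/certificate.p7b" |
        awk -v out="$dir/part" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = out n ".pem"; p = 1 }
            p { print > f }
            /-----END CERTIFICATE-----/ { p = 0; close(f) }'
    : > "$dir/ca_chain.pem"
    for f in "$dir"/part*.pem; do
        if openssl x509 -in "$f" -noout -subject | grep -q "$SERVER_CN"; then
            cp "$f" "$dir/certificate.pem"
        else
            cat "$f" >> "$dir/ca_chain.pem"
        fi
    done
}

# From the documentation: PEM certificate + encrypted key + chain -> PKCS#12.
make_pfx() {
    dir=$1
    openssl pkcs12 -export -in "$dir/certificate.pem" -inkey "$dir/private_key.pem" \
        -passin env:KEY_PASS -certfile "$dir/ca_chain.pem" \
        -out "$dir/certificate.pfx" -passout env:PFX_PASS
}

# Checks worth doing before the .pfx goes onto the Tomcat server: the
# certificate chains to the CA we split off, and the .pfx opens with its
# passphrase and carries both certificates plus the private key.
check_pfx() {
    dir=$1
    openssl verify -CAfile "$dir/ca_chain.pem" "$dir/certificate.pem" >/dev/null 2>&1 || return 1
    certs=$(openssl pkcs12 -in "$dir/certificate.pfx" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE')
    [ "$certs" -eq 2 ] || return 1
    openssl pkcs12 -in "$dir/certificate.pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY' || return 1
}

# Stand-alone usage: everything happens in a scratch directory.
work=$(mktemp -d)
make_test_bundle "$work"
split_p7b "$work"
make_pfx "$work"
check_pfx "$work" && echo "certificate.pfx written to $work"
```

Two practical notes: if the provider delivers the .p7b in binary (DER) form rather than PEM, add `-inform DER` to the `openssl pkcs7` command; and `openssl pkcs12 -export` refuses to run when the certificate does not belong to the private key, so that error usually means the wrong key file or a certificate issued from a different CSR.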
Checking the SSL certificate
With MyTimetable published to the internet, it might be a good idea to test the SSL configuration of the server.
Please visit https://www.ssllabs.com/ssltest/ to perform a deep analysis of the SSL configuration.