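#!/usr/bin/env bash
# Private root CA plus a CA-signed server certificate, bundled into the PKCS12
# keystore that the Tomcat HTTPS connector reads.
# Every openssl step prompts interactively (DN fields, passphrases). Passphrases
# are deliberately not passed on the command line, and the real values must not
# be written into this file (the original notes kept them here in clear text).
set -euo pipefail

readonly key_bits=2048
readonly ca_days=13210     # value from the original notes (~36 years); shorten if policy allows
readonly cert_days=13210   # server certificate lifetime; a shorter value eases rotation

# 1. Root CA private key, encrypted at rest. -aes256 replaces the legacy -des3.
#    Passphrase: prompted -> use <ROOT_CA_PASSPHRASE> from a password manager.
openssl genrsa -aes256 -out restapi-root-ca.key "$key_bits"

# 2. Self-signed root CA certificate. Give the CA a DN of its own: a server cert
#    whose subject equals its issuer is treated as self-signed when the chain is
#    built, which is the "self signed certificate getting chain" failure.
openssl req -new -x509 -days "$ca_days" -key restapi-root-ca.key -out restapi-root-ca.cert

# 3. Server key and CSR. Use the host name clients connect to as the CN; for
#    hostname verification a SAN is needed as well
#    (OpenSSL 1.1.1+: -addext "subjectAltName=DNS:<SERVER_FQDN>").
openssl genrsa -out restapi-server.key "$key_bits"
openssl req -new -sha256 -key restapi-server.key -out restapi-server.csr

# 4. Sign the CSR with the CA. '-signkey' is dropped: it asks x509 to self-sign
#    with the server key, and which of -signkey / -CA takes effect depends on
#    option order and OpenSSL version. Only the CA key may sign here.
openssl x509 -req -sha256 -days "$cert_days" -in restapi-server.csr \
  -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial \
  -out restapi-server.cert

# 5. Bundle key + certificate + CA chain into the PKCS12 keystore.
#    Export passphrase: prompted (<SERVER_P12_PASSPHRASE>); it must match
#    keystorePass in Tomcat's server.xml.
openssl pkcs12 -export -name restapi-server -in restapi-server.cert -out restapi-server.p12 \
  -inkey restapi-server.key -CAfile restapi-root-ca.cert -caname restapi-root -chain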
Error: `self signed certificate getting chain` (printed by the `openssl pkcs12 -export ... -chain` step above when it cannot build the certificate chain).
Solution
---------
- give the root CA and the server certificate different DNs (with identical subject and issuer names and no certificate extensions, OpenSSL treats the server certificate itself as self-signed while building the chain)
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:duwamish inc
Organizational Unit Name (eg, section) []:server
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:prayag.upd@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
<!-- HTTPS connector, first attempt. keystorePass is empty here, which does not
     match the passphrase given at 'openssl pkcs12 -export', so Tomcat cannot
     open the PKCS12 keystore at startup (see the stack trace that follows). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/Users/as18/possibilities/programming/s2/eccount-rest/conf3/restapi-server.p12"
keystoreType="PKCS12"
keystorePass=""
clientAuth="false"
sslProtocol="TLS" />
5613 java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
5614 at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:410)
5615 at java.security.KeyStore.getKey(KeyStore.java:1023)
5616 at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
5617 at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
5618 at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
5619 at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:617)
5620 at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:546)
5621 at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:370)
5622 at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:810)
5623 at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:476)
5624 at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
5625 at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
5626 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
5627 at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
5628 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
5629 at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:871)
5630 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
5631 at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
5632 at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
5633 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
5634 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
5635 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
5636 at java.lang.reflect.Method.invoke(Method.java:498)
5637 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
5638 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Solution: set keystorePass to the passphrase given at `pkcs12 -export` (an `UnrecoverableKeyException: Given final block not properly padded` is what the PKCS12 loader typically reports for a wrong or empty keystore password).
<!-- Working HTTPS connector. keystorePass must equal the PKCS12 export
     passphrase. It sits in clear text in server.xml: restrict the file's
     permissions, or use Tomcat's ${property} substitution so the value comes
     from a system property instead of the file.
     clientAuth="false" means the client certificate created further below is
     never requested; to require it, set clientAuth="true" and point
     truststoreFile at the root CA certificate. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/Users/as18/possibilities/programming/s2/eccount-rest/conf3/restapi-server.p12"
keystoreType="PKCS12"
keystorePass="restapi-server"
clientAuth="false"
sslProtocol="TLS" />
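# Client certificate for mutual TLS against the REST API.
# In the real flow only the CSR crosses the boundary: the API user generates the
# key and CSR, sends the CSR, and receives restapi-client.cert back. Generating
# the key here is for a local end-to-end test only; the CA must never hold
# client private keys.
# CSR DN: Common Name = the tomcat-users.xml user name (e.g. 'admin'),
#         Organizational Unit = Tomcat Client CSR
openssl genrsa -out restapi-client.key 2048
openssl req -new -sha256 -key restapi-client.key -out restapi-client.csr

# Sign with the CA key only. '-signkey' is dropped: it would make x509 self-sign
# with the client key, and which of -signkey / -CA takes effect depends on
# option order and OpenSSL version. 13210 days is the value from the original
# notes; a much shorter lifetime is usual for client credentials.
openssl x509 -req -sha256 -days 13210 -in restapi-client.csr \
  -CA restapi-root-ca.cert -CAkey restapi-root-ca.key -CAcreateserial \
  -out restapi-client.cert

# PKCS12 bundle for clients that want a single file. The export passphrase is
# prompted for (<CLIENT_P12_PASSPHRASE>); the original notes kept it in clear
# text here, which is not where it belongs.
openssl pkcs12 -export -name restapi-client -in restapi-client.cert -out restapi-client.p12 \
  -inkey restapi-client.key -CAfile restapi-root-ca.cert -caname restapi-root -chain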
- install the root cert by copying (appending) the certificate PEM to /etc/pki/tls/certs/ca-bundle.crt (on systems that provide `update-ca-trust`, dropping it under /etc/pki/ca-trust/source/anchors/ and running `update-ca-trust` survives bundle updates)
- openssl verify -verbose /etc/pki/tls/certs/restapi-root-ca.cert (checks the root cert against the system store; to check the issued chain instead run `openssl verify -CAfile restapi-root-ca.cert restapi-server.cert`)
- curl -v --cert /home/ec2-user/restapi-client.cert --key /home/ec2-user/restapi-client.key https://customerorder-dev.duwamish.com
http://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
root cert
server cert
client cert
How to create a self-signed certificate with openssl?