For testing purposes, we may want local test servers that use a self-signed SSL certificate for HTTPS connections. Here is how to generate a self-signed certificate with OpenSSL from the Terminal and apply it to a Tomcat 7 server.
- For MacOS: type brew install openssl in Terminal (if you don't have Homebrew, check it out here)
- For Linux with apt-get: type sudo apt-get install openssl
Open Terminal and cd to a directory (or create one with mkdir) where the generated certificate files will live.
Note that for Tomcat installed using apt-get, Tomcat runs as a separate user "tomcat". Make sure that user has at least read and execute permission on the certificate directory.
Run the following command:
openssl req -newkey rsa:2048 -nodes -keyout [key filename].pem -x509 -days 365 -out [certificate filename].pem
OpenSSL will then prompt you to enter the details of the certificate, which include:
- Country
- State/Province
- Locality (e.g. city)
- Organization Name (e.g. company)
- Organizational Unit Name (e.g. section)
- Common Name (e.g. server FQDN or YOUR name), usually hostname/IP Address
- Email Address
For example: [screenshot of the filled-in certificate prompts, captioned "Totally not made up for this example"]
The certificate details can be reviewed using the following command:
openssl x509 -text -noout -in [certificate filename].pem
Depending on your operating system, the certificate details may also be viewed by opening the file directly: [screenshot of the system certificate viewer, captioned "You can trust me." said by me]
However, to apply the certificate to Tomcat, we need to combine our key and certificate into one file. Run the following command to do so:
sudo openssl pkcs12 -inkey [key filename].pem -in [certificate filename].pem -export -out [output filename].p12
OpenSSL will ask you to create an export password. We will use that password in the server config.
We now have a single certificate + key file that we can use for Tomcat 7.
Open the server's server.xml file. For tomcat7 installed using apt-get, the file is at /var/lib/tomcat7/conf
Add the following:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="[certificate directory]/[output filename].p12"
           keystoreType="PKCS12"
           keystorePass="[export password]" />
Restart tomcat with
sudo systemctl restart tomcat7
Use your favorite browser and go to your server's port 8443: [screenshot of the browser's untrusted-certificate warning, captioned "(((suspicious)))"]
Well, you trust yourself, right? Proceed.
Note that the browser is communicating using HTTPS. Yay!
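The whole procedure above, from key generation to the PKCS#12 bundle, as an added non-interactive script (this is not the post's own code): it answers the prompts with -subj, adds a subjectAltName (browsers check the hostname against the SAN, not the Common Name), and verifies that the .p12 opens with the export password and carries the same certificate as the PEM file. It assumes OpenSSL 1.1.1 or later; the directory, file names, hostname and password are placeholders you choose.

```shell
#!/bin/sh
# Added example, not from the original post: the post's key, certificate
# and PKCS#12 steps as one script, plus checks on the resulting .p12.
# Assumes OpenSSL 1.1.1+ (for -addext). All names below are placeholders.
set -eu

# make_selfsigned_p12 DIR NAME HOSTNAME DAYS PASSWORD
# Writes DIR/NAME.key.pem, DIR/NAME.crt.pem and DIR/NAME.p12.
make_selfsigned_p12() {
  dir=$1; name=$2; host=$3; days=$4; pass=$5
  mkdir -p "$dir"
  # -subj answers the prompts listed in the post; the SAN is added because
  # browsers match the hostname against subjectAltName, not the CN.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key.pem" \
    -x509 -days "$days" -out "$dir/$name.crt.pem" \
    -subj "/C=US/ST=Test/L=Local/O=Example Lab/OU=Dev/CN=$host" \
    -addext "subjectAltName=DNS:$host,DNS:localhost,IP:127.0.0.1" \
    2>/dev/null
  chmod 600 "$dir/$name.key.pem"   # private key readable by its owner only
  # Same bundle the post builds; Tomcat loads it as keystoreType="PKCS12".
  openssl pkcs12 -inkey "$dir/$name.key.pem" -in "$dir/$name.crt.pem" \
    -export -out "$dir/$name.p12" -passout "pass:$pass"
}

# p12_matches_pem DIR NAME PASSWORD
# Succeeds only if the .p12 opens with PASSWORD and the certificate inside
# has the same SHA-256 fingerprint as the PEM certificate next to it.
p12_matches_pem() {
  dir=$1; name=$2; pass=$3
  pem_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$name.crt.pem")
  p12_fp=$(openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$pass" \
             -nokeys -clcerts 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$pem_fp" ] && [ "$pem_fp" = "$p12_fp" ]
}

# cert_has_san DIR NAME HOSTNAME: succeeds if HOSTNAME appears in the SAN.
cert_has_san() {
  openssl x509 -noout -text -in "$1/$2.crt.pem" | grep -q "DNS:$3"
}

# Stand-alone use: sh make-p12.sh DIR NAME HOSTNAME PASSWORD
if [ $# -eq 4 ]; then
  make_selfsigned_p12 "$1" "$2" "$3" 365 "$4"
  p12_matches_pem "$1" "$2" "$4" && echo "PKCS#12 ready: $1/$2.p12"
fi
```

With OpenSSL 3, add -legacy to the -export command if an older JDK under Tomcat 7 refuses to open the bundle.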
Trusting our certificate in the browser is easy. In Swift? Not so. Here is how to trust a self-signed certificate