yanokwa/ssl-create-java-keystore-jks-tomcat.txt

## ssl-create-java-keystore-jks-tomcat.txt
### SSL Part 1: Creating Java SSL KeyStore (JKS)

This is part one of a three-part series on how to configure a single SSL certificate for use on both Tomcat and Apache. I'll take you through creating a new Java KeyStore (JKS), submitting a Certificate Signing Request (CSR), and finally, importing the singed certificate into your KeyStore.

#### 1\. First, create a directory for your SSL files

# sudo mkdir /etc/my_ssl

#### 2\. Now change into that directory

# cd /etc/my_ssl

#### 3\. Create a new Java KeyStore file for our certificate

Note: You can replace **mysite** with whatever alias you choose, but I recommend leaving the command as is, so that the rest of the commands in this tutorial will work without modification.

# sudo keytool -genkey -alias mysite -keyalg RSA -keystore mysite.jks -keysize 2048

Enter your information in the prompts, using the example below as a guide. Replace everything shown in red with your information. Also, make sure your domain contact info is visible on whois (i.e. domain privacy is disabled), and that it matches what you enter here, as the signing authority will use this information to verify that you own the domain. You can enable domain privacy after you install the signed certificate.

Enter keystore password: <span style="color: red;">changeit</span>
Re-enter new password: <span style="color: red;">changeit</span>

What is your first and last name?
[Unknown]: <span style="color: red;">your.domain.com</span>
What is the name of your organizational unit?
[Unknown]: <span style="color: red;">your dept</span>
What is the name of your organization?
[Unknown]: <span style="color: red;">business name</span>
What is the name of your City or Locality?
[Unknown]: <span style="color: red;">your city</span>
What is the name of your State or Province?
[Unknown]: <span style="color: red;">your state</span>
What is the two-letter country code for this unit?
[Unknown]: <span style="color: red;">your country code e.g. US</span>

After you enter all your information, you'll have an opportunity to verify it.

Is CN=your.domain.com, OU=your dept, O=business name, L=your city, ST=your state, C=US correct? [no]: <span style="color: red;">yes</span>

If all looks good, type **yes** and hit **ENTER.**

Enter key password for <mysite>
(RETURN if same as keystore password):

Hit **ENTER** one more time.

#### 4\. Generate a Certifice Signing Request (CSR)

Now that you've entered all of your info into the KeyStore, it's time to generate a CSR, which is what you will submit to the Certificate Authority for signing.

# sudo keytool -certreq -keyalg RSA -alias mysite -file mysite.csr -keystore mysite.jks

You should now see a file named mysite.csr in your /etc/my_ssl directory.

#### 5\. Submit your CSR

Open the mysite.csr file with the following command:

# sudo nano mysite.csr

The contents should look something like this:

-----BEGIN CERTIFICATE REQUEST-----
9n08hlgknu6874lk87noy...
more random characters
...r88errmvuinOIUNoi7yo7
-----END CERTIFICATE REQUEST-----

Open a web browser, and go to your Certificate Authority's website. I recommend [GeoTrust](http://www.geotrust.com/) simply because I've had good experience using their certificates, and their documentation is fairly thourogh.

Go through the process of purchasing your certificate. When it comes time to enter your CSR text, copy the entire contents of your mysite.csr file into the text field in your browser, and finish the checkout process.

Once you receive the signed certificate, proceed to the next step.

#### 6\. Save your new certificate

You should receive and email with your signed certificate within 24 hours of submitting your CSR. This email will likely include a link where you can download your certificate, and should also include the certificate contents in plain text at the bottom of the email. For our purposes, this text is all we need. It looks something like this:

-----BEGIN CERTIFICATE-----
9n08hlgknu6874lk87noy...
more random characters
...r88errmvuinOIUNoi7yo7
-----END CERTIFICATE-----

Run the following command to open the nano text editor, and create the mysite.cer file for your certificate:

# sudo nano mysite.cer

Copy the certificate text from your email, and paste it into your new file.

Press **Ctrl+X** to close nano. Press **Y** to confirm you want to save the file, then press **ENTER**.

#### 7\. Import your certificate into your KeyStore

Import your signed certificate into your Java Keystore file.

# sudo keytool -import -alias mysite -trustcacerts -file mysite.cer -keystore mysite.jks

#### 8\. Setting proper permissions for your KeyStore

Ensure that your KeyStore is readable with the following commmand:

# sudo chmod 644 /etc/my_ssl/mysite.jks

This will ensure that only root can edit the KeyStore, but other users can still read it.

If all went well, your are now ready to proceed to [SSL Part2: Configuring Tomcat 6 with Java KeyStore (JKS)](https://gist.github.com/yanokwa/15d4d9a81cd81e7fa0fb)
	### SSL Part 1: Creating Java SSL KeyStore (JKS)

	This is part one of a three-part series on how to configure a single SSL certificate for use on both Tomcat and Apache. I'll take you through creating a new Java KeyStore (JKS), submitting a Certificate Signing Request (CSR), and finally, importing the singed certificate into your KeyStore.

	#### 1\. First, create a directory for your SSL files

	# sudo mkdir /etc/my_ssl

	#### 2\. Now change into that directory

	# cd /etc/my_ssl

	#### 3\. Create a new Java KeyStore file for our certificate

	Note: You can replace mysite with whatever alias you choose, but I recommend leaving the command as is, so that the rest of the commands in this tutorial will work without modification.

	# sudo keytool -genkey -alias mysite -keyalg RSA -keystore mysite.jks -keysize 2048

	Enter your information in the prompts, using the example below as a guide. Replace everything shown in red with your information. Also, make sure your domain contact info is visible on whois (i.e. domain privacy is disabled), and that it matches what you enter here, as the signing authority will use this information to verify that you own the domain. You can enable domain privacy after you install the signed certificate.

	Enter keystore password: <span style="color: red;">changeit</span>
	Re-enter new password: <span style="color: red;">changeit</span>

	What is your first and last name?
	[Unknown]: <span style="color: red;">your.domain.com</span>
	What is the name of your organizational unit?
	[Unknown]: <span style="color: red;">your dept</span>
	What is the name of your organization?
	[Unknown]: <span style="color: red;">business name</span>
	What is the name of your City or Locality?
	[Unknown]: <span style="color: red;">your city</span>
	What is the name of your State or Province?
	[Unknown]: <span style="color: red;">your state</span>
	What is the two-letter country code for this unit?
	[Unknown]: <span style="color: red;">your country code e.g. US</span>

	After you enter all your information, you'll have an opportunity to verify it.

	Is CN=your.domain.com, OU=your dept, O=business name, L=your city, ST=your state, C=US correct? [no]: <span style="color: red;">yes</span>

	If all looks good, type yes and hit ENTER.

	Enter key password for <mysite>
	(RETURN if same as keystore password):

	Hit ENTER one more time.

	#### 4\. Generate a Certifice Signing Request (CSR)

	Now that you've entered all of your info into the KeyStore, it's time to generate a CSR, which is what you will submit to the Certificate Authority for signing.

	# sudo keytool -certreq -keyalg RSA -alias mysite -file mysite.csr -keystore mysite.jks

	You should now see a file named mysite.csr in your /etc/my_ssl directory.

	#### 5\. Submit your CSR

	Open the mysite.csr file with the following command:

	# sudo nano mysite.csr

	The contents should look something like this:

	-----BEGIN CERTIFICATE REQUEST-----
	9n08hlgknu6874lk87noy...
	more random characters
	...r88errmvuinOIUNoi7yo7
	-----END CERTIFICATE REQUEST-----

	Open a web browser, and go to your Certificate Authority's website. I recommend [GeoTrust](http://www.geotrust.com/) simply because I've had good experience using their certificates, and their documentation is fairly thourogh.

	Go through the process of purchasing your certificate. When it comes time to enter your CSR text, copy the entire contents of your mysite.csr file into the text field in your browser, and finish the checkout process.

	Once you receive the signed certificate, proceed to the next step.

	#### 6\. Save your new certificate

	You should receive and email with your signed certificate within 24 hours of submitting your CSR. This email will likely include a link where you can download your certificate, and should also include the certificate contents in plain text at the bottom of the email. For our purposes, this text is all we need. It looks something like this:

	-----BEGIN CERTIFICATE-----
	9n08hlgknu6874lk87noy...
	more random characters
	...r88errmvuinOIUNoi7yo7
	-----END CERTIFICATE-----

	Run the following command to open the nano text editor, and create the mysite.cer file for your certificate:

	# sudo nano mysite.cer

	Copy the certificate text from your email, and paste it into your new file.

	Press Ctrl+X to close nano. Press Y to confirm you want to save the file, then press ENTER.

	#### 7\. Import your certificate into your KeyStore

	Import your signed certificate into your Java Keystore file.

	# sudo keytool -import -alias mysite -trustcacerts -file mysite.cer -keystore mysite.jks

	#### 8\. Setting proper permissions for your KeyStore

	Ensure that your KeyStore is readable with the following commmand:

	# sudo chmod 644 /etc/my_ssl/mysite.jks

	This will ensure that only root can edit the KeyStore, but other users can still read it.

	If all went well, your are now ready to proceed to [SSL Part2: Configuring Tomcat 6 with Java KeyStore (JKS)](https://gist.github.com/yanokwa/15d4d9a81cd81e7fa0fb)