For testing purposes, we may want local test servers that use a self-signed SSL certificate for HTTPS connections. Here is how to generate a self-signed certificate using OpenSSL from Terminal and apply it to a Tomcat 7 server.
- For macOS: Type
  brew install openssl
  in Terminal (If you don't have Homebrew, check it out here)
- For Linux with apt-get: Type
  sudo apt-get install openssl
Open Terminal and cd to a directory (or create one with mkdir) where the generated certificate files will live.
Note that when Tomcat is installed using apt-get, it runs as a separate user, "tomcat". Make sure that user has at least read and execute permission on the certificate directory.
Run the following command:
openssl req -newkey rsa:2048 -nodes -keyout [key filename].pem -x509 -days 365 -out [certificate filename].pem
OpenSSL will then prompt for the details of the certificate, which include:
- Country
- State/Province
- Locality (e.g. city)
- Organization Name (e.g. company)
- Organizational Unit Name (e.g. section)
- Common Name (e.g. server FQDN or YOUR name), usually hostname/IP Address
- Email Address
For example:
Totally not made up for this example
The certificate details can be reviewed using the following command:
openssl x509 -text -noout -in [certificate filename].pem
Depending on your operating system, the certificate details may also be viewable by directly opening the file:
"You can trust me." said by me
However, to apply the certificate to Tomcat, we need to combine our key and certificate into one file. Run the following command to do so:
sudo openssl pkcs12 -inkey [key filename].pem -in [certificate filename].pem -export -out [output filename].p12
OpenSSL will ask you to create an export password. We will use that in the server config.
Thus, we will have a single certificate + key file that we can use for tomcat 7
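The generate, inspect and combine steps above as one non-interactive script, with checks that the result is usable. This is an added example, not code from the original post: the function names, file names, host name localhost.test and the password are constructed, and it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example. Function names, file names, host name and password are constructed.
# Assumes OpenSSL 1.1.1 or newer (needed for -addext and -ext).

# make_test_cert <dir> <hostname> <export password>
# Runs in a subshell so the umask and cd do not leak into the caller.
make_test_cert() (
    umask 077    # owner-only files; grant the tomcat user access afterwards
    mkdir -p "$1" && cd "$1" || exit 1
    # -subj answers the interactive prompts. subjectAltName carries the host
    # name, which current browsers check instead of the Common Name.
    # OpenSSL's key-generation progress output on stderr is silenced.
    openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout key.pem -out cert.pem 2>/dev/null || exit 1
    # Hand over the export password via the environment, not the command line.
    PKCS12_PASS=$3 openssl pkcs12 -export -inkey key.pem -in cert.pem \
        -out keystore.p12 -passout env:PKCS12_PASS
)

# key_matches_cert <key.pem> <cert.pem>: same public key in both files?
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_names_host <cert.pem> <hostname>: is the host listed as a DNS SAN?
cert_names_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -qF "DNS:$2"
}

# keystore_opens <file.p12> <password>: fails on a wrong password (MAC check).
keystore_opens() {
    PKCS12_PASS=$2 openssl pkcs12 -in "$1" -noout \
        -passin env:PKCS12_PASS 2>/dev/null
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d) &&
    make_test_cert "$demo_dir" localhost.test 'constructed-pass' &&
    key_matches_cert "$demo_dir/key.pem" "$demo_dir/cert.pem" &&
    keystore_opens "$demo_dir/keystore.p12" 'constructed-pass' &&
    echo "keystore ready: $demo_dir/keystore.p12"
```

Keystores written by OpenSSL 3.x use newer PKCS#12 encryption that older Java runtimes may fail to load; the -legacy option of openssl pkcs12 -export writes the older format.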
Open the server's server.xml file.
For tomcat7 installed using apt-get, the file is at /var/lib/tomcat7/conf
Add the following:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="[certificate directory]/[output filename].p12"
           keystoreType="PKCS12"
           keystorePass="[export password]"
/>
Restart tomcat with
sudo systemctl restart tomcat7
Use your favorite browser, go to your server's port 8443:
(((suspicious)))
Well, you trust yourself, right? Proceed.
Note that the browser is communicating using HTTPS. Yay!
Trusting our certificate in a browser is easy. In Swift? Not so. Here is how to trust a self-signed certificate



