
Preparing SSL certificates

Introduction

You will need at least two files from your SSL provider (you already generated the certificate request): the intermediate certificate and the root certificate.

If they were not delivered along with your certificate, you can usually find them on the provider's website.

Then concatenate those two into a single issuer chain file,

cd /etc/httpd/ssl/
# intermediate first, then root: the order matters for chain building
cat intermediatecert rootcert > issuer-concat-cert.crt
chmod 400 issuer-concat-cert.crt

OK for Apache

See Setting up a Reverse Proxy with Apache

Converting to JAVA keystore

Dummy cert

For testing purposes, you can run CAS with a dummy cert,

keytool -genkey -keyalg RSA -alias cas -keystore keystore.jks -validity 360 -keysize 2048

Note: this is weaker than a certificate signed by your own CA; it is a plain self-signed certificate (the same key signs its own certificate), so clients have no issuer to chain it to.

Real cert

From the docker host, copy the real certs into the shared volume,

cd /etc/httpd/ssl/
# check whether the shared volume already exists before creating it
ls -ldhF /data/tomcatprod/ssl/
mkdir /data/tomcatprod/ssl/
# -p preserves modes and timestamps, -i prompts before overwriting
cp -pi private_key.pkey certificate.crt issuer-concat-cert.crt /data/tomcatprod/ssl/
chmod 700 /data/tomcatprod/ssl/
chmod 400 /data/tomcatprod/ssl/*

From the container, convert the separate Apache (PEM) key and certificate files into a single .p12 (PKCS12) keystore.

chmod 755 /root/
#chown -R ~/apps/
cd /root/apps/ssl/
openssl pkcs12 -export -in certificate.crt -inkey private_key.pkey -out certificate.p12 -name cas -CAfile issuer-concat-cert.crt -caname root -chain
(enter the private key's passphrase; it is the same one used for Apache/SMA)
(enter and confirm a store password for the export; my advice is to reuse the key passphrase, since the export password also overrides the key passphrase!)
chmod 400 certificate.p12

Note: the key passphrase was changed during the export; it is now the same as the export store password.

There is no need to convert from PKCS12 to JKS for CAS, which can read a P12 keystore directly.

However, for other apps that do not accept PKCS12, here is the way to go,

#keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -srcalias cas -destkeystore certificate.jks -deststoretype jks -destalias cas
#-deststorepass
#chmod 400 certificate.jks

Now check the keystore,

keytool -v -list -keystore certificate.p12 | grep -i alias
#-storetype pkcs12
#-storepass
#keytool -v -list -keystore certificate.jks
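Before running the export above it is worth confirming that the private key really belongs to the certificate and that the certificate chains to the concatenated issuer file; a mismatch only shows up later as a keystore error in the application. The following script is an added example, not part of the original page: it uses the openssl CLI, reads the export password from a file instead of the terminal, passes the chain with -certfile instead of -CAfile/-chain, and all file names are placeholders (the demo() function builds a throwaway CA and leaf certificate in a temporary directory).

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a key/certificate
# pair and its issuer chain before packaging them into a PKCS12 keystore.
# Assumes the openssl CLI is installed; all file names are placeholders.
set -eu

# Return 0 when the private key corresponds to the certificate's public key
# (compare the SHA-256 of the SubjectPublicKeyInfo derived from each side).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256 | awk '{print $NF}')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate ($1) verifies against the issuer chain file ($2).
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build the .p12 only after both checks pass. The export password is read
# from a file so it never appears on the command line or in shell history.
make_p12() {
  key="$1"; cert="$2"; chain="$3"; out="$4"; passfile="$5"
  key_matches_cert "$key" "$cert" || { echo "key does not match cert" >&2; return 1; }
  chain_verifies "$cert" "$chain" || { echo "chain does not verify" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -name cas -out "$out" -passout "file:$passfile"
  chmod 400 "$out"
}

# Constructed demo material: a throwaway CA, a leaf it signs, and an unrelated
# key, all written to a temporary directory whose path is printed.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=cas.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.crt" -days 2 >/dev/null 2>&1
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
  printf 'demo-export-pass' > "$d/pass.txt"
  echo "$d"
}
```

Run `d=$(demo); make_p12 "$d/leaf.key" "$d/leaf.crt" "$d/ca.crt" "$d/out.p12" "$d/pass.txt"` to see the checks pass, and substitute other.key for leaf.key to see the mismatch refused.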

Troubleshooting java keystores

If you get this error when launching the CAS app with Java,

javax.crypto.BadPaddingException: Given final block not properly padded

it means the wrong key is in the keystore (it does not match the certificate) or the passphrase is wrong.
