Friday, October 12, 2007

Setting up SSL in JBoss/Tomcat with an Intermediate SSL CA

Verisign has switched to using an "intermediate" certificate authority (CA). Certificates issued this way are a little trickier to install: the server has to send the intermediate CA certificate along with its own, so you need to get the right intermediate and root CA files from Verisign and "chain" them together into one file. That is basically just concatenating them, one after the other, each with its PEM header and footer.

-----
General explanation ... Assuming you have these files:

* server.key - your certificate's private key
* server.crt - your certificate
* inter.crt - the intermediate CA that signed your certificate
* root.crt - the root CA that signed the intermediate CA

First, concatenate the CA certs. Be sure the intermediate CA goes first:

$ cat inter.crt root.crt > chain.crt

Next, export the pkcs12 file:

$ openssl pkcs12 -export -chain -inkey server.key -in server.crt \
    -name "server" -CAfile chain.crt -out server.p12

You'll be prompted for an export password. This is the one referenced as the keystore password in the server.xml config.
Enter something; don't leave it empty.

Now, you can use keytool to verify:

$ keytool -list -v -storetype pkcs12 -keystore server.p12

This asks for the password entered above. Then you should see a line like the following, where 3 is the server certificate plus the intermediate and root CA certificates (if the number is lower, a CA certificate is missing from chain.crt):

....
Certificate chain length: 3
....

That's it. Since this is complex, here's a simple script that should work with minimal editing:

#!/bin/sh
set -e

# this script creates keystores for domains

# notes on script setup
#
# server_key - the file name of the private key for the server
# server_crt - the file name of the certificate for the server
# cert_name  - a friendly name for the key entry; something unique, can be anything
# inter_crt  - the file name of the intermediate certificate authority (CA)
#              that signed the server certificate. It can be downloaded from
#              Verisign, although it might take a bit of googling to figure out
#              where it is. Try searching for "Verisign intermediate certificate".
# root_crt   - the file name of the root certificate (from Verisign) that signed
#              the intermediate CA. Verisign ships a package of roots; good luck
#              guessing which one it is :) Usually the error message, or the
#              certificate information in the browser, gives a clue. Again,
#              google for it: "Verisign root certificate".
#              The file may be PEM (.cer with header and footer) or bare base64
#              (.b64); the only difference is the -----BEGIN/END CERTIFICATE-----
#              lines, which are added below when missing. A binary DER .cer is
#              neither and must be converted to PEM first (openssl x509 -inform DER).
# chain_crt  - the file name where intermediate and root are concatenated.
#              Can be anything really ... well, almost anything: just don't
#              overwrite some important system file :)
# out_file   - the file name where the keystore file is saved

# set up your file paths and variables ...

server_key=yoursite.net.key
server_crt=yoursite.net.cert.2007
cert_name=yoursite_net
inter_crt=verisign_int_ca.cert
root_crt=../roots/VeriSign_Roots/Pca3ss_v4.b64
chain_crt=chain.crt
out_file=keystore_yoursite_2007.pkcs12

echo "creating $out_file ..."
echo "remember"
echo "1. change owner and permissions (the keystore contains the private key)"
echo "2. move to jboss/server/default/conf"
echo "3. update jboss/server/default/deploy/jbossweb-tomcat55.sar/server.xml"
echo "4. restart jboss"

echo ""
echo "on errors check $chain_crt ... certs should appear one after the other, each with header and footer."
echo "the second most likely problem is having the wrong intermediate or root cert"

## clean up
# rm "$out_file"
# rm "$chain_crt"

# append_pem FILE: append FILE to $chain_crt, adding the PEM header and footer
# only when the file is bare base64 (i.e. has no BEGIN line)
append_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cat "$1" >> "$chain_crt"
    else
        echo "-----BEGIN CERTIFICATE-----" >> "$chain_crt"
        cat "$1" >> "$chain_crt"
        # the footer must start on its own line even if FILE lacks a trailing newline
        if [ -n "$(tail -c 1 "$1")" ]; then echo "" >> "$chain_crt"; fi
        echo "-----END CERTIFICATE-----" >> "$chain_crt"
    fi
}

# build chain certificate: intermediate first, then root
: > "$chain_crt"
append_pem "$inter_crt"
append_pem "$root_crt"

# create keystore (you are prompted for the export password; that is the
# password to put in server.xml)
openssl pkcs12 -export -chain \
    -inkey "$server_key" \
    -in "$server_crt" \
    -name "$cert_name" \
    -CAfile "$chain_crt" \
    -caname root \
    -out "$out_file"
chmod 600 "$out_file"
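Here is an added check script (my example, not the post's script above) that wraps the same openssl/keytool steps with the verification I would want before trusting the result: it runs openssl verify on the three files before exporting, so a wrong intermediate or root fails with the offending subject/issuer names printed instead of a browser warning later; it reads the chain length back out of the keytool listing instead of eyeballing it; and it prints the Tomcat 5.5 Connector element for server.xml. The file names, the "server" alias, port 8443 and the keystore location under ${jboss.server.home.dir}/conf are assumptions; the connector attributes (keystoreFile, keystorePass, keystoreType, sslProtocol) are the standard Tomcat 5.5 JSSE ones.

```shell
#!/bin/sh
# Added example, not part of the original post: check the CA files before the
# export and the keystore after it, so a wrong intermediate or root is reported
# with a readable message instead of a browser warning. Assumes openssl and
# keytool are on PATH; all file names are placeholders.
set -e

# check_chain SERVER_CRT INTER_CRT ROOT_CRT (all PEM)
# openssl verify does the real check: the leaf must be signed by INTER and
# INTER by ROOT. On failure the subject/issuer names show which link is wrong.
check_chain() {
    leaf=$1; inter=$2; root=$3
    if ! openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
        echo "chain does not verify; compare these names pairwise:" >&2
        echo "  server issuer:        $(openssl x509 -noout -issuer -in "$leaf")" >&2
        echo "  intermediate subject: $(openssl x509 -noout -subject -in "$inter")" >&2
        echo "  intermediate issuer:  $(openssl x509 -noout -issuer -in "$inter")" >&2
        echo "  root subject:         $(openssl x509 -noout -subject -in "$root")" >&2
        return 1
    fi
}

# chain_length LISTING: the N from the "Certificate chain length: N" line of
# `keytool -list -v` output; prints 0 when the line is missing.
chain_length() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Certificate chain length: *\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    echo "${n:-0}"
}

# verify_keystore P12 PASSWORD EXPECTED: fail unless keytool sees EXPECTED
# certificates in the entry (3 = server + intermediate + root).
verify_keystore() {
    # -storepass is visible in `ps` while keytool runs; acceptable on a single-user box
    listing=$(keytool -list -v -storetype pkcs12 -keystore "$1" -storepass "$2")
    n=$(chain_length "$listing")
    if [ "$n" -ne "$3" ]; then
        echo "expected chain length $3 but keytool reports $n; a CA cert is missing from chain.crt" >&2
        return 1
    fi
}

# connector_snippet KEYSTORE_PATH PASSWORD: HTTPS connector to paste into
# jbossweb-tomcat55.sar/server.xml (step 3 in the post). keystoreType must be
# given because Tomcat assumes JKS by default.
connector_snippet() {
    cat <<EOF
<Connector port="8443" address="\${jboss.bind.address}"
           maxThreads="100" scheme="https" secure="true" clientAuth="false"
           keystoreFile="$1" keystorePass="$2"
           keystoreType="PKCS12" sslProtocol="TLS"/>
EOF
}

# usage: sh make_keystore.sh server.key server.crt inter.crt root.crt server.p12
main() {
    key=$1; crt=$2; inter=$3; root=$4; out=$5
    check_chain "$crt" "$inter" "$root"
    cat "$inter" "$root" > chain.crt            # intermediate first, then root
    printf 'keystore password: '; stty -echo; read -r pass; stty echo; echo
    # env: keeps the password out of the process list, unlike pass:...
    P12PASS=$pass openssl pkcs12 -export -chain -inkey "$key" -in "$crt" \
        -name server -CAfile chain.crt -out "$out" -passout env:P12PASS
    chmod 600 "$out"                            # the keystore holds the private key
    verify_keystore "$out" "$pass" 3
    connector_snippet "\${jboss.server.home.dir}/conf/$(basename "$out")" "$pass"
}

if [ "$#" -eq 5 ]; then main "$@"; fi
```

The openssl verify call is the one that matters: with the root as the trusted CA file and the intermediate passed as -untrusted, it succeeds only if the server certificate really was issued by that intermediate and the intermediate by that root, which is exactly the "wrong intermediate and root certs" failure the post warns about.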
