Thursday, November 8, 2012

Installing certificate for Alfresco...

This post is a continuation of the post about installing Alfresco using a native Tomcat6 installation (on CentOS6). If you followed the steps given in that post, you have a running Alfresco installation, but Tomcat uses a self-signed certificate.

To install your own certificate, first obtain it (you can use your own, self-managed CA, or you can buy a commercial one), then install it on your Tomcat instance. You'll find a lot of information about this in the SSL Howto on Tomcat's Web pages, but that page assumes that you do everything using keytool.

Here is a quick Howto with the assumption that you have the files newcert.pem (containing the certificate), newkey.pem (containing the private key) and cacert.pem (your CA certificate). By default, Tomcat's keystore is in its home (/usr/share/tomcat6) and it is named .keystore. The keystore file is password protected and the default password for it is changeit. Note that the period isn't part of the password! I suggest that you copy this file to root's home under the name keystore (note no leading dot!) or whatever else you wish, so that you can restore the old copy in case something goes wrong with the following steps.

The installation is a two-step process. First, you create a keystore containing your certificate, private key and the CA's certificate. In the second step, you import that information into Tomcat's keystore.

The first step is to pack the certificate for Alfresco, its private key and the CA's certificate into a PKCS12 store using the openssl tool as follows:
$ openssl pkcs12 -export \
        -in newcert.pem -inkey newkey.pem \
        -out mycert.p12 -name tomcat \
        -CAfile cacert.pem -caname root -chain
Enter Export Password:
Verifying - Enter Export Password:
This command assumes that all necessary files (newcert.pem, newkey.pem and cacert.pem) are in your current directory. The output of the command is also stored in the current directory. Note that you are asked for a password that will protect all the data. Enter something, or later you'll see the following warning:
*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified!  In order to verify its integrity, *
* you must provide the srckeystore password.                *
*****************  WARNING WARNING WARNING  *****************
And then you'll receive the following error:
keytool error: java.security.UnrecoverableKeyException: Get Key failed: / by zero
The second step is to import this PKCS12 file into Tomcat's keystore using keytool as follows:
$ keytool -importkeystore -srckeystore mycert.p12 \
        -srcstoretype pkcs12 -destkeystore /usr/share/tomcat6/.keystore
Enter destination keystore password:
Enter source keystore password:
Existing entry alias tomcat exists, overwrite? [no]:  yes
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
Again, the input file is in the current directory and you are importing directly into Tomcat's keystore. Note that the existing certificate with the alias tomcat will be removed and you are asked to confirm that! The default alias Tomcat searches for when it starts is tomcat.

The third step is to change the private key's password, which has to be the same as the keystore's. Do that using the following command:
keytool -keypasswd -alias tomcat -new keypassword -keystore /usr/share/tomcat6/.keystore
You'll be asked for the keystore's password, and the password for the key will be set to keypassword. If you leave out the -new option, keytool prompts for the new key password instead, which keeps it out of the shell history.

And that's it. Restart tomcat and check if it is using new certificate.
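
The checks below are an added example, not part of the original post: they confirm that newkey.pem belongs to newcert.pem, that the certificate verifies against cacert.pem, and that mycert.p12 holds that certificate, before anything is imported into Tomcat's keystore. The helper names, the P12_PASS variable and the throwaway demo files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: checks on the files used in this post, run on constructed data.

# 0 if private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $1 verifies against CA certificate $2.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# 0 if PKCS12 file $1 holds certificate $2 as its leaf; the export
# password is taken from the environment variable P12_PASS.
p12_has_cert() {
    a=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Constructed throwaway CA, server certificate and an unrelated key in $1.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 2 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alfresco.example" \
        -keyout "$1/newkey.pem" -out "$1/req.pem" 2>/dev/null
    openssl x509 -req -in "$1/req.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 2 -out "$1/newcert.pem" 2>/dev/null
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

# Demo run; on a real host call the checks on your own files instead.
demo=$(mktemp -d) && make_demo_files "$demo"
export P12_PASS=constructed-demo-pass   # demo value only
openssl pkcs12 -export -in "$demo/newcert.pem" -inkey "$demo/newkey.pem" \
    -out "$demo/mycert.p12" -name tomcat -CAfile "$demo/cacert.pem" \
    -caname root -chain -passout env:P12_PASS
key_matches_cert "$demo/newcert.pem" "$demo/newkey.pem" && echo "key matches certificate"
key_matches_cert "$demo/newcert.pem" "$demo/other.pem" || echo "unrelated key rejected"
cert_chains_to_ca "$demo/newcert.pem" "$demo/cacert.pem" && echo "certificate chains to CA"
p12_has_cert "$demo/mycert.p12" "$demo/newcert.pem" && echo "PKCS12 holds the new certificate"
```

Reading the export password from an environment variable keeps it off the openssl command line, where other local users could see it in the process list.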
