Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

Tomcat: How to use a self-signed SAN supported certificate via OpenSSL

The instructions below are working on OSX and should equally work on any distribution with Openssl. From Chrome58 onwards only the SAN (subject alternative name) extension is used to match the domain name and site-certificate (prior to Chrome58 the commonName was used).

If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private.

The instructions below create in three simple steps the key and PEM file and then white-list it in the Keystore:

Create the OpenSSL configuration

Adjust the below to your liking – especially the section “req_distinguished_name” and “alt_names”:

cat  localhost.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
 
[req_distinguished_name]
C=ZA
ST=Gauteng
L=Johannesburg
O=My Organisation
OU=My Organisational Unit
CN=www.localhost.co.za
 
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
 
[alt_names]
DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = 127.0.0.1
DNS.4 = localhost.co.za
DNS.5 = www.localhost.co.za
DNS.6 = m.localhost.co.za
 
EOL

Generate the key and PEM file

Generate both files via OpenSSL:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout localhost.key -out localhost.pem  -config localhost.conf

Configure Tomcat server.xml

Copy both files to a directory relative to “${catalina.home}” on your Tomcat installation and adjust server.xml:

Whitelist the certificate in OS X Keychain

With Tomcat running, run the following commands to add the certificate to the Keychain:

echo -n | openssl s_client -connect www.localhost.co.za:8443 -servername www.localhost.co.za | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee "/tmp/www.localhost.co.za.cert"
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/tmp/www.localhost.co.za.cert"
rm -v "/tmp/www.localhost.co.za.cert"

The post Tomcat: How to use a self-signed San Supported Certificate via OpenSSL appeared first on naschenweng.info.



This post first appeared on SEO, ECommerce, Gadgets, Home Entertainment & Gaming | Naschenweng.info, please read the originial post: here

Share the post

Tomcat: How to use a self-signed SAN supported certificate via OpenSSL

×

Subscribe to Seo, Ecommerce, Gadgets, Home Entertainment & Gaming | Naschenweng.info

Get updates delivered right to your inbox!

Thank you for your subscription

×