Securing Web Servers with SSL/TLS
Scenario: Setting up SSL/TLS on a Tomcat server.
Generate a Keystore:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore -dname "CN=www.example.com, OU=IT, O=Example Corp, L=City, ST=State, C=Country" -storepass changeit -keypass changeit
Generate a CSR:
keytool -certreq -alias tomcat -file tomcat.csr -keystore tomcat.keystore -storepass changeit
Submit CSR to CA: Submit tomcat.csr to a Certificate Authority (CA) to get a signed certificate.
Import the CA Certificate:
keytool -importcert -alias root -file rootCA.crt -keystore tomcat.keystore -storepass changeit
Import the Signed Certificate:
keytool -importcert -alias tomcat -file tomcat.crt -keystore tomcat.keystore -storepass changeit
Configure Tomcat: Update server.xml in Tomcat's conf directory:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/tomcat.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Authenticating Clients in a Secure Environment
Scenario: Using client certificates for authentication.
Generate Client Keystore:
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore client.keystore -dname "CN=Client Name, OU=IT, O=Example Corp, L=City, ST=State, C=Country" -storepass changeit -keypass changeit
Generate a CSR for Client:
keytool -certreq -alias client -file client.csr -keystore client.keystore -storepass changeit
Sign the CSR with Root CA: Use the CA's private key to sign the CSR and generate the client certificate.
Import CA Certificate into Client Keystore:
keytool -importcert -alias root -file rootCA.crt -keystore client.keystore -storepass changeit
Import Client Certificate into Client Keystore:
keytool -importcert -alias client -file client.crt -keystore client.keystore -storepass changeit
Client Uses Keystore for SSL/TLS Authentication: The client application can now use the client.keystore to authenticate to servers.
