
Free HTTPS certificate + integration into Apache Tomcat

Good day, dear friends. I needed to configure HTTPS on a server used by an online game. For this you need a free registration on StartSSL and some time. The instructions on the StartSSL site are rather vague, so this publication aims to shed light on the details.

First of all, go through the simple registration on StartSSL; its result is a personal (client) certificate created for you. During registration we enter our personal details; it is desirable to fill in all fields in Latin characters. This certificate should always be kept in a safe place: in your favourite browser, open the settings where certificates are stored and export your certificate to a file.

The second step is validation of the domain on which the HTTPS certificate will be used. Go to the control panel on the StartSSL site, open the Validations Wizard section and select Domain Name Validation. Choose which e-mail address the verification code is sent to, send it, check the mail and confirm the code. The domain is now validated.

The third, big step: certificate generation. For this we need to create a request file for obtaining the certificate, and the keystore that Tomcat will use for HTTPS. Initialize the private key and create the keystore, where PASSWORD is the same password we will use in all the commands below and DOMAIN_NAME is just your domain name, without .ru, .org, etc. Run in the terminal:

 keytool -genkey -keysize 2048 -keyalg RSA -sigalg SHA1withRSA -alias webserver -keystore ks2 -keypass PASSWORD -storepass PASSWORD -dname "CN=DOMAIN_NAME.org, OU=Unknown, O=DOMAIN_NAME, L=Slovakia, ST=Unknown, C=SK"

Now we can create the request file, also known as a Certificate Signing Request (CSR); the result will be written to the file DOMAIN_NAME.csr:

 keytool -certreq -alias webserver -file DOMAIN_NAME.csr -keystore ks2

Go to the Certificates Wizard section and select Web Server SSL/TLS Certificate. Click Skip. Open our file DOMAIN_NAME.csr and copy its contents to the clipboard. Return to the StartSSL site and paste our CSR (it is in Base64 format) into the field that appears. Submit. StartSSL offers to add a subdomain to the main domain; you can specify the standard www or whatever you want. The certificate will be created within 15-180 minutes.

Fourth step. You have received a letter from StartSSL saying that your certificate is ready. Go to their site and fetch it under Tool Box - Retrieve Certificate: select your domain and copy the Base64-encoded text to the clipboard. Create a file ssl.crt on disk and paste our certificate into it. Now we have everything for the final step. Download the StartSSL root and intermediate certificates:

www.startssl.com/certs/ca.crt
www.startssl.com/certs/sub.class1.server.ca.crt

Import these certificates into our keystore (the file names are the ones just downloaded, ca.crt and sub.class1.server.ca.crt):

 keytool -import -alias startsslca -file ca.crt -keystore ks2 -trustcacerts
 keytool -import -alias startsslca1 -file sub.class1.server.ca.crt -keystore ks2 -trustcacerts

Import our own certificate from the ssl.crt file into the same alias that holds the private key:

 keytool -import -alias webserver -file ssl.crt -keystore ks2
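After the imports above it is worth checking that the keystore really holds what Tomcat needs: a PrivateKeyEntry under the webserver alias with the CA chain attached (not a lone leaf certificate), the right CN, and no SHA-1 signature in the chain. The following script is an added example, not part of the original post; it parses the text output of `keytool -list -v -keystore ks2 -storepass PASSWORD` (the SAMPLE_LISTING below is constructed, with placeholder CA names, to stand in for that output):

```python
import re

# Constructed sample of `keytool -list -v -keystore ks2` output (not real StartSSL data).
SAMPLE_LISTING = """\
Alias name: webserver
Entry type: PrivateKeyEntry
Owner: CN=DOMAIN_NAME.org, OU=Unknown, O=DOMAIN_NAME, L=Slovakia, ST=Unknown, C=SK
Issuer: CN=Example Intermediate CA, O=Example CA
Signature algorithm name: SHA1withRSA
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Signature algorithm name: SHA256withRSA
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Signature algorithm name: SHA256withRSA
"""

# One certificate block: Owner, Issuer, then (skipping serial/validity/fingerprint lines) the signature algorithm.
CERT_RE = re.compile(r"^Owner: (.+)\nIssuer: (.+)\n(?:.*\n)*?Signature algorithm name: (.+)", re.M)

def parse_listing(text):
    """Map alias -> {'type': entry type, 'certs': [{'owner', 'issuer', 'sigalg'}, ...]}."""
    entries = {}
    for block in re.split(r"(?=^Alias name: )", text, flags=re.M)[1:]:
        etype = re.search(r"^Entry type: (\S+)", block, re.M)
        entries[block.splitlines()[0][len("Alias name: "):]] = {
            "type": etype.group(1) if etype else None,
            "certs": [dict(zip(("owner", "issuer", "sigalg"), c)) for c in CERT_RE.findall(block)],
        }
    return entries

def audit_listing(text, alias="webserver", domain="DOMAIN_NAME.org"):
    """Return problems found with the server entry; an empty list means it looks right."""
    entry = parse_listing(text).get(alias)
    if entry is None:
        return [f"alias {alias!r} not found in keystore"]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        findings.append(f"{alias} is {entry['type']}, not a PrivateKeyEntry")
    certs = entry["certs"]
    if len(certs) < 2:  # leaf only: the CA certificates were not imported before ssl.crt
        findings.append("no CA chain attached; import ca.crt and the intermediate CA first")
    if certs:
        cn = re.search(r"CN=([^,]+)", certs[0]["owner"])
        if not cn or cn.group(1).strip() != domain:
            findings.append(f"leaf CN does not match {domain}")
    for i, c in enumerate(certs, 1):
        # a self-signed root is trusted by identity, so its own signature algorithm is irrelevant
        if c["owner"] != c["issuer"] and c["sigalg"].upper().startswith("SHA1"):
            findings.append(f"certificate[{i}] signed with {c['sigalg']}; reissue with SHA256withRSA")
    return findings
```

On the sample the only finding is the SHA-1 signature on the leaf, which is what the -sigalg SHA1withRSA in the genkey command above produces for the CSR; a chain of length 1 means the two CA imports were skipped or done after ssl.crt.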

Fifth step, the last one. Write the HTTPS connector in the server.xml file:

 <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="path\to\keystore\ks2" keystorePass="PASSWORD" clientAuth="false" sslProtocol="TLS"/>

And point the plain HTTP connector at it with redirectPort:

 <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

Done.

PS I apologize for the spelling errors I have made, as well as for the possibly chaotic guide. The author is self-taught and perhaps does not call some things by their proper names. Thank you all for your attention; I hope the publication will be useful to someone.

PPS It is assumed that all files are saved and created in the same folder, and that the commands in the terminal are executed from that folder.

Source: https://habr.com/ru/post/248285/
