Queries on the role of the files .keystore and CAKey.pem while moving the site to https?

Ranch Hand
Posts: 70
Here are the steps I followed to move my web application to https/SSL:

1) Download Win32OpenSSL_Light-0_9_8t from and install

2) In the OpenSSL installation directory, create subdirectory private. The Certificate Authority's private key will be stored here.
In the OpenSSL installation directory, create subdirectory newcerts. New certificates signed by the CA will be stored here.
In the OpenSSL installation directory, create an empty file named index.txt. OpenSSL keeps its signed certificates database in that file.
From the subdirectory bin/PEM/demoCA of the OpenSSL installation directory, copy the file serial to the OpenSSL installation directory. Open the copied serial file and edit it to read 00 and save. Each new CA-signed certificate's serial number is taken from this file's content, which is incremented each time a certificate is signed.

3) In openssl.cfg, I made the following changes:
dir = c:/openssl <-- This is the OpenSSL installation directory
certificate = $dir/private/cacert.pem
#crl = $dir/crl.pem

4) Create Self-signed Certificate with command
cd /d "%OPENSSL_HOME%"
openssl req -new -x509 -days 2000 -keyout private\CAKey.pem -out private\CACert.pem -config bin\openssl.cnf

5) Convert the certificate PEM file to a DER encoded file
cd /d "%OPENSSL_HOME%"
openssl x509 -in private\CACert.pem -out private\CACert.cer -outform DER
This command creates file CACert.cer in the private subdirectory.

6) Modify Java Root Certificates

keytool -import -keystore jre\lib\security\cacerts -alias AppOpenSSLCert -file %OPENSSL_HOME%\private\cacert.cer

This adds our self-signed CA certificate to Java's trusted CA certificates, which are kept in file jre\lib\security\cacerts in the Java JDK installation directory.
Our self-signed CA certificate was stored under the alias AppOpenSSLCert.

As per the documentation it should have worked (i.e. I tried hitting the URL with https), but it did not work. To make it work I had to run one more command, i.e.

C:\Program Files\Java\jdk1.6.0_23>keytool -genkey -alias tomcat -keyalg RSA

which generated the .keystore file (which will have the SSL certificate that will be sent when the client makes an https request, and which the client matches against the certificates in its truststore, and the private key).

Finally I made changes in server.xml and it worked.

That's why the whole confusion came to my mind. If we are using the certificates pointed to by the .keystore file generated in the 7th step, what is the purpose of the steps I did from 1 to 6 (the CAKey.pem and CACert.pem files)?

Last question, on the VeriSign ( ) link: it talks about two certificates, i.e. SSL certificate and digital certificate. Where do the SSL certificate and digital certificate fit in the above scenario?
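The following is an added example, not part of the original post, showing with openssl alone how the CA from steps 1 to 4 (CAKey.pem / CACert.pem) relates to the server's own keystore: the CA key signs the server's certificate, so a client that trusts CACert.pem (the cacerts import in step 6) accepts the server certificate. A keystore produced by keytool -genkey alone holds a self-signed server certificate that the CA never signed, which is why the two halves of the procedure did not connect. Subject names, file names and the PKCS12 password are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's steps): minimal CA plus a
# CA-signed server certificate, ending in a PKCS12 keystore a server could use.
set -e
WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for all files

# Step A: the CA. CAKey.pem signs certificates; CACert.pem is what clients trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/CAKey.pem" -out "$WORK/CACert.pem" 2>/dev/null
}

# Step B: the server's own key pair and a certificate signing request (CSR).
make_server_csr() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Step C: the CA signs the CSR. This is the only place CAKey.pem is needed.
sign_server_cert() {
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/CACert.pem" -CAkey "$WORK/CAKey.pem" -CAcreateserial \
    -days 365 -out "$WORK/server.pem" 2>/dev/null
}

# Step D: bundle server key + signed cert (+ CA cert) into a PKCS12 keystore.
# Tomcat can read this directly with keystoreType="PKCS12".
make_keystore() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -certfile "$WORK/CACert.pem" -name tomcat \
    -out "$WORK/server.p12" -passout pass:changeit 2>/dev/null
}

# The check a client holding CACert.pem performs: does the chain validate?
verify_chain() {
  openssl verify -CAfile "$WORK/CACert.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Shows the relationship explicitly: the server cert's issuer is the CA.
issuer_of_server_cert() {
  openssl x509 -in "$WORK/server.pem" -noout -issuer
}

build_all() {
  make_ca && make_server_csr && sign_server_cert && make_keystore && verify_chain
}
```

Running build_all leaves CAKey.pem (keep offline), CACert.pem (distribute to clients / import into cacerts) and server.p12 (the server's keystore) in $WORK.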