here are the steps I followed to move my webapplication on https/SSL
1) Download Win32OpenSSL_Light-0_9_8t from
http://www.slproweb.com/products/Win32OpenSSL.html and install
2) In the OpenSSL installation directory, create subdirectory private. The Certificate Authority's private key will be stored here.
In the OpenSSL installation directory, create subdirectory newcerts. New certificates signed by the CA will be stored here.
In the OpenSSL installation directory, create an empty file named index.txt. OpenSSL keeps its signed certificates database in that file.
From the subdirectory bin/PEM/demoCA of the OpenSSL installation directory, copy the file serial to the OpenSSL installation directory. Open the copied serial file and edit it to read 00 and save. Each new CA-signed certificate's serial number is taken from this file's content, which is incremented each time a certificate is signed.
3) In openssl.cfg .Did the following changes
dir = c:/openssl <-- This is the OpenSSL installation directory
certificate = $dir/private/cacert.pem
#crl = $dir/crl.pem
4) Create Self-signed Certificate with command
cd /d "%OPENSSL_HOME%"
openssl req -new -x509 -days 2000 -keyout private\CAKey.pem -out private\CACert.pem -config bin\openssl.cnf
5)Convert the certificate PEM file to a DER encoded file
cd /d "%OPENSSL_HOME%"
openssl x509 -in private\CACert.pem -out private\CACert.cer -outform DER
This command creates file CACert.cer in the private subdirectory.
6) Modify Java Root Certificates
cd %JAVA_HOME%
keytool -import -keystore jre\lib\security\cacerts -alias AppOpenSSLCert -file %OPENSSL_HOME%\private\cacert.cer
This adds our self-signed CA certificate to Java's trusted CA certificates, which are kept in file jre\lib\security\cacerts in the Java JDK installation directory.
Our self-signed CA certificate was stored under the alias AppOpenSSLCert.
As per documentation it should have worked(i.e i tried hitting the URL with https) but it did not work . To make it work I had to run one more command i.e
7)
C:\Program Files\Java\jdk1.6.0_23>keytool -genkey -alias tomcat -keyalg RSA which generated .keystore file((which will have SSL certificate which will be send when client makes https request and client matches this certificates in truststore and private key)
Finally i made changes in server.xml and it worked
keystoreFile="c:/.keystore"
keystorePass="changeit"
Thats why whole confusion came to my mind. If we are using certificates pointed by .keystore file generated in 7th step,what is the purpose of steps i did from 1 to 6(CAKey.pem and CACert.pem files).
Last question on the verisign(http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/. ) link. it talks about two certicates i.e SSL certificate and digital certificate. Where SSL certificate and digital certificate fit in above scenario?