Gianluca,
For development, I like to use the openssl tools to create my own CA and use it
to sign my own certificates rather than using a self-signed certificate.
Here are the notes I use. Lines starting with ($) are the actual commands I
enter into the terminal.
================
Create My Own CA
================
# Create CA key
$ openssl genrsa -des3 -out rootCA.key 2048
# Create and self-sign CA cert.
$ openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
------------
Create a Key
------------
$ openssl genrsa -out example.key 2048
------------------------------------
Create a Certificate Signing Request
------------------------------------
$ openssl req -new -key example.key -out example.csr
----------
Sign a CSR
----------
$ openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -out example.crt -days 500
So first, I generate a CA key and cert (first 2 commands). This is something
you only need to do once, but you have to keep the key somewhere you can find
it, and you need to remember the password you choose for it as you will use
this key to sign your certs.
Next, whenever you set up a development *server*, you create a private key for
the server (command under "Create a Key" section) and a certificate signing
request (section "Create a Certificate Signing Request").
Finally, you use the CA you generated to sign the CSR and generate a public
certificate for the server (section "Sign a CSR"). These steps are basically
what real CAs do, but they need to be a lot more careful with their keys and
their CA public certs are typically already included in your browser.
It is worth noting that the OpenSSL tool commands above generate keys and certs
in PEM format, which is a text format you can view in an editor. The CAS
server runs as a Java servlet, so it uses a Java keystore format (a file that
sometimes has a .jks extension). You need to use the Java `keytool` command to
import certificates and private keys into the Java keystore.
Browsers will typically accept certificates in a variety of formats.
So for your CAS setup, I would:
1) Generate a CA key and certificate.
2) Generate a private key for my CAS server.
3) Generate a CSR for the CAS server private key.
4) Use my CA key to sign the CAS server CSR and create a public certificate.
5) Install the private key and public certificate in my CAS server using java
`keytool` and configuring Tomcat to use the keystore I created.
Alternatively, if I have Apache in front of Tomcat and am using something
like mod_ajp, I can just use the PEM files in my Apache config
and not worry about SSL in Tomcat.
6) Import my CA public cert into my browser.
7) Test that the CAS server cert is accepted by my browser (hit the /logout
URL and verify the cert gives me the "green lock" icon).
8) Repeat steps 2-5 for my server with the CAS client app.
9) Since the CAS client app is actually going to make an HTTPS request to CAS
using a back-channel, you have to make sure that the HTTPS Java client it uses
trusts your CA. I am not sure how to configure this *specifically* for only
that client, but I believe you can import your CA into the system-wide Java
CA-certs keystore. Its name is typically "cacerts", but the location on your
system may vary.
Thanks,
Carl
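The four openssl steps from Carl's notes, run end to end as an added example (this is not Carl's script or anything from the CAS project): it builds the CA and two host certificates non-interactively, verifies each chains to the private CA, and bundles one key/cert pair into the PKCS12 file that Java `keytool` and Tomcat can consume. Assumed: `openssl` is on PATH, the scratch directory and the host names `cas.dev.example` / `client.dev.example` are invented, and the CA key is left unencrypted (the `-des3` passphrase in the notes above is the better choice).

```shell
# Added example, not from the mailing-list thread. Assumes openssl on PATH;
# the CA key is left unencrypted for automation (the notes use -des3, which
# is preferable outside a throwaway dev box).
set -eu
WORK="${WORK:-$(mktemp -d)}"
P12PASS="${P12PASS:-changeit}"   # hypothetical dev-only keystore password

# Step 1 (done once): CA key plus self-signed CA certificate.
make_ca() {
    openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -days 1024 \
        -subj "/CN=Dev Root CA" -out "$WORK/rootCA.pem"
}

# Steps 2-4: private key, CSR and CA-signed certificate for one hostname.
make_server_cert() {
    host="$1"
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" -subj "/CN=$host" -out "$WORK/$host.csr"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/rootCA.pem" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -days 500 \
        -out "$WORK/$host.crt" 2>/dev/null
}

# Step 5 prep: keytool cannot import a bare PEM private key, so bundle the
# key, its cert and the CA cert into a PKCS12 file. Tomcat can use the .p12
# directly, or keytool -importkeystore can convert it to a JKS.
make_pkcs12() {
    host="$1"
    openssl pkcs12 -export -name "$host" -inkey "$WORK/$host.key" \
        -in "$WORK/$host.crt" -certfile "$WORK/rootCA.pem" \
        -passout "pass:$P12PASS" -out "$WORK/$host.p12"
}

# Check that a host certificate chains to the private CA; prints ok or fail.
# This is the same trust decision the browser (step 7) and the CAS client's
# JVM (step 9) will make once rootCA.pem has been imported.
verify_against_ca() {
    if openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/$1.crt" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# One CA, then the two hosts the message describes: the CAS server (steps
# 2-5) and the machine running the CAS client app (step 8).
make_ca
make_server_cert cas.dev.example
make_server_cert client.dev.example
make_pkcs12 cas.dev.example
```

For step 9 the CA cert, not the server cert, is what gets imported into the client JVM's trust store, e.g. `keytool -importcert -file "$WORK/rootCA.pem" -alias devca -keystore cacerts`.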
----- Original Message -----
From: "Gianluca Diodato" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Sent: Wednesday, March 25, 2015 6:24:44 AM
Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote
machine , Java Cas Client other machine
Hi Carl,
thanks for your answer.
First of all, yes it is a development environment.
I create my own CA on the server machine (CAS Server) with this tutorial
(http://tekyhost.com/ubuntu-12-04-and-tomcat-7-ssl-implementation/) and
everything works fine (https://localhost:8443/cas/login and on the other
machine https://my_ip_server:8443/cas/login). I follow this
tutorial http://jasig.github.io/cas/4.0.x/index.html and for the
authentication I create a db (mySQL) with a table users (2 columns: email,
password(MD5)). On the other machine I'm developing a web application (J2EE
in Eclipse) and I'm searching to connect login page to cas login page via
web.xml adding filters (https://cuit.columbia.edu/cas-ify-java-application)
via SSL.
For my client machine, do I have to create another CA of my own, or do I have to import
the server CA into $JAVA_HOME/jre/lib/security/cacerts (client)??
Sorry but all this is new for me!!
Thanks
Gianluca
On Tuesday, 24 March 2015 16:29:55 UTC+1, Waldbieser, Carl wrote:
>
>
> Gianluca,
>
> Is this a development environment or is it a production environment where
> users' web browsers need to trust the certificate? In the latter case, you
> will need to generate a private key, make a certificate request, and get the
> certificate signed by a Certificate Authority (CA).
>
> In a development environment, it is possible to be your own CA. You would
> basically do the same things as in production, but you would need to add
> the local CA certificates to the browsers you will be testing. If you use
> proxy CAS, your CAS server will also need to trust your private CA.
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Gianluca Diodato" <[email protected]>
> To: [email protected]
> Sent: Tuesday, March 24, 2015 11:10:29 AM
> Subject: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote
> machine , Java Cas Client other machine
>
> Hi All,
> can anyone help me with my configuration problem as in the subject??
> I need to configure my environment for SSL like this:
>
> Machine 1: CAS SERVER -- Ubuntu 12.04 - Tomcat 7 - JDK 1.6 -- SSL
> certificate generate with openssl + apr and added to Tomcat + Users into
> MysqlDB (WORKS)
> Machine 2: Cas Client java 3.3.3 (jar) imported into my webapp with only
> welcome page at moment -- Eclipse Luna + Tomcat 7 + JDK 1.6
>
> On machine 2, how do I generate a trusted certificate in order to connect my
> client to the CAS Server to log in my users?
> Does anyone know if a tutorial or step-by-step guide exists, even a basic one?
>
> Please, help me
>
> Gianluca
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user