Carl, thank you very much for the detailed answer. I'm in until 4)... I have created these files:
- casserver.crt
- casserver.key
- casserver.csr
- rootCA.pem
- rootCA.key
- rootCA.srl
In 5) I have to install the private key and public certificate in my CAS server using java `keytool` (I don't know how...) and configure Tomcat to use the keystore I created (I'm in!!). Is this the instruction?

keytool -import -trustcacerts -alias *mydomain* -file *mydomain.crt* -keystore *keystore.jks*

Thanks
Gianluca

On Wednesday, March 25, 2015 14:21:07 UTC+1, Waldbieser, Carl wrote:
>
> Gianluca,
>
> For development, I like to use the openssl tools to create my own CA and
> use it to sign my own certificates rather than using a self-signed
> certificate.
> Here are the notes I use. Lines starting with ($) are the actual commands
> I enter into the terminal.
>
> ================
> Create My Own CA
> ================
>
> # Create CA key
> $ openssl genrsa -des3 -out rootCA.key 2048
> # Create and self-sign CA cert.
> $ openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
>
> ------------
> Create a Key
> ------------
> $ openssl genrsa -out example.key 2048
>
> ------------------------------------
> Create a Certificate Signing Request
> ------------------------------------
> $ openssl req -new -key example.key -out example.csr
>
> ----------
> Sign a CSR
> ----------
> $ openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out example.crt -days 500
>
>
> So first, I generate a CA key and cert (first 2 commands). This is
> something you only need to do once, but you have to keep the key somewhere
> you can find it, and you need to remember the password you choose for it as
> you will use this key to sign your certs.
>
> Next, whenever you set up a development *server*, you create a private key
> for the server (command under the "Create a Key" section) and a certificate
> signing request (section "Create a Certificate Signing Request").
>
> Finally, you use the CA you generated to sign the CSR and generate a
> public certificate for the server (section "Sign a CSR").
> These steps are
> basically what real CAs do, but they need to be a lot more careful with
> their keys and their CA public certs are typically already included in your
> browser.
>
> It is worth noting that the OpenSSL tool commands above generate keys and
> certs in PEM format, which is a text format you can view in an editor. The
> CAS server runs as a Java servlet, so it uses a Java keystore format (a
> file that sometimes has a .jks extension). You need to use the Java
> `keytool` command to import certificates and private keys into the Java
> keystore.
>
> Browsers will typically accept certificates in a variety of formats.
>
> So for your CAS setup, I would:
>
> 1) Generate a CA key and certificate.
> 2) Generate a private key for my CAS server.
> 3) Generate a CSR for the CAS server private key.
> 4) Use my CA key to sign the CAS server CSR and create a public
> certificate.
> 5) Install the private key and public certificate in my CAS server using
> java `keytool` and configuring Tomcat to use the keystore I created.
> Alternatively, if I have Apache in front of Tomcat and am using
> something like mod_ajp, I can just use the PEM files in my Apache config
> and not worry about SSL in Tomcat.
> 6) Import my CA public cert into my browser.
> 7) Test that the CAS server cert is accepted by my browser (hit the
> /logout URL and verify the cert gives me the "green lock" icon).
> 8) Repeat steps 2-5 for my server with the CAS client app.
> 9) Since the CAS client app is actually going to make an HTTPS request
> to CAS using a back-channel, you have to make sure that the
> HTTPS Java client it uses trusts your CA. I am not sure how to
> configure this *specifically* for only that client, but I believe
> you can import your CA into the system-wide Java CA-certs keystore.
> Its name is typically "cacerts", but the location on your
> system may vary.
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Gianluca Diodato" <[email protected]>
> To: [email protected]
> Cc: [email protected], [email protected], [email protected]
> Sent: Wednesday, March 25, 2015 6:24:44 AM
> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on
> remote machine , Java Cas Client other machine
>
> Hi Carl,
> thanks for your answer.
> First of all, yes it is a development environment.
> I created my own CA on the server machine (CAS Server) with this tutorial
> (http://tekyhost.com/ubuntu-12-04-and-tomcat-7-ssl-implementation/) and
> everything works fine (https://localhost:8443/cas/login and on the other
> machine https://my_ip_server:8443/cas/login). I followed this
> tutorial http://jasig.github.io/cas/4.0.x/index.html and for the
> authentication I created a db (mySQL) with a table users (2 columns: email,
> password(MD5)). On the other machine I'm developing a web application (J2EE
> in Eclipse) and I'm trying to connect the login page to the cas login page via
> web.xml adding filters (https://cuit.columbia.edu/cas-ify-java-application)
> via SSL.
> For my client machine, do I have to create another own CA or do I have to import
> the server CA into $JAVA_HOME/jre/lib/security/cacerts (client)??
> Sorry but all this is new for me!!
>
> Thanks
> Gianluca
>
> On Tuesday, March 24, 2015 16:29:55 UTC+1, Waldbieser, Carl wrote:
> >
> > Gianluca,
> >
> > Is this a development environment or is it a production environment where
> > user's web browsers need to trust the certificate? In the latter case, you
> > will need to generate a private key, make a certificate request, and get a
> > certificate signed by a Certificate Authority (CA).
> >
> > In a development environment, it is possible to be your own CA.
> > You would
> > basically do the same things as in production, but you would need to add
> > the local CA certificates to the browsers you will be testing. If you use
> > proxy CAS, your CAS server will also need to trust your private CA.
> >
> > Thanks,
> > Carl Waldbieser
> > ITS System Programmer
> > Lafayette College
> >
> > ----- Original Message -----
> > From: "Gianluca Diodato" <[email protected]>
> > To: [email protected]
> > Sent: Tuesday, March 24, 2015 11:10:29 AM
> > Subject: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote
> > machine , Java Cas Client other machine
> >
> > Hi All,
> > can anyone help me with my configuration problem as in the subject??
> > I need to configure my environment for SSL like this:
> >
> > Machine 1: CAS SERVER -- Ubuntu 12.04 - Tomcat 7 - JDK 1.6 -- SSL
> > certificate generated with openssl + apr and added to Tomcat + Users in
> > MysqlDB (WORKS)
> > Machine 2: Cas Client java 3.3.3 (jar) imported into my webapp with only a
> > welcome page at the moment -- Eclipse Luna + Tomcat 7 + JDK 1.6
> >
> > On machine 2, how do I generate a trusted certificate in order to connect my
> > client to the CAS Server to log in my users?
> > Does anyone know if a tutorial or step-by-step guide exists, even a basic one?
> >
> > Please, help me
> >
> > Gianluca
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
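The whole procedure from Carl's notes, carried through to the two keytool steps the thread leaves open (Gianluca's question about 5), and Carl's step 9 about the client-side truststore), as an added shell example; this is not code from the thread or from the CAS project. Two points it makes that the notes do not: keytool cannot read a PEM private key at all, so the server key and certificate are first bundled into a PKCS#12 file with openssl and then copied into a JKS keystore with keytool -importkeystore, while the keytool -import -trustcacerts form Gianluca quotes is the right one only for the CA certificate going into a truststore. The signing step also adds a subjectAltName, because current browsers refuse a server certificate that carries only a CN. The hostname cas.example.test, the passphrases, the aliases and every file name are constructed for the example; the keytool steps are skipped with a message when no JDK is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): Carl's openssl CA recipe, followed by the
# keytool steps Gianluca asks about. All names, passwords and the hostname below
# are constructed for the example.
set -eu

WORK=${WORK:-$(mktemp -d)}        # scratch directory for every generated file
CA_PASS="ca-passphrase-example"   # constructed; Carl's -des3 step prompts for this interactively
STORE_PASS="changeit-example"     # constructed; Tomcat's keystorePass must match it
HOST="cas.example.test"           # constructed; must equal the name the client connects to

# Minimal openssl config so req(1) runs non-interactively; ca_ext marks the root as a CA.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# 1) Encrypted CA key and self-signed CA certificate (Carl's "Create My Own CA").
make_ca() {
    write_config
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/rootCA.key" 2048
    openssl req -x509 -new -config "$WORK/openssl.cnf" -extensions ca_ext \
        -key "$WORK/rootCA.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Dev Root CA" -days 1024 -out "$WORK/rootCA.pem"
}

# 2)-4) Server key, CSR, CA-signed certificate. The extfile supplies the
#       subjectAltName that browsers require and a serverAuth usage.
make_server_cert() {
    openssl genrsa -out "$WORK/casserver.key" 2048
    openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/casserver.key" \
        -subj "/CN=$HOST" -out "$WORK/casserver.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/casserver.csr" -CA "$WORK/rootCA.pem" \
        -CAkey "$WORK/rootCA.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$WORK/san.ext" -days 500 -out "$WORK/casserver.crt"
}

# Check the chain the same way a browser or the Java client will.
verify_server_cert() {
    openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/casserver.crt" >/dev/null
}

# 5) keytool cannot import a PEM private key, so bundle key + cert + CA into
#    PKCS#12 first; the alias "tomcat" becomes keyAlias in Tomcat's connector.
bundle_pkcs12() {
    openssl pkcs12 -export -name tomcat -inkey "$WORK/casserver.key" \
        -in "$WORK/casserver.crt" -certfile "$WORK/rootCA.pem" \
        -passout "pass:$STORE_PASS" -out "$WORK/casserver.p12"
}

# 5) continued, and 9): copy the PKCS#12 entry into a JKS keystore for Tomcat,
#    then put only the CA certificate into a truststore for the CAS client JVM.
import_into_jks() {
    command -v keytool >/dev/null || { echo "keytool not found; skipping JKS steps" >&2; return 0; }
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/casserver.p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PASS" \
        -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass "$STORE_PASS"
    keytool -import -trustcacerts -noprompt -alias devrootca \
        -file "$WORK/rootCA.pem" -keystore "$WORK/truststore.jks" -storepass "$STORE_PASS"
    keytool -list -keystore "$WORK/truststore.jks" -storepass "$STORE_PASS" | grep -q devrootca
}

run_all() {
    make_ca && make_server_cert && verify_server_cert && bundle_pkcs12 && import_into_jks
}
```

Tomcat then points at the result with the connector attributes keystoreFile, keystorePass and keyAlias="tomcat", and the client JVM from step 9 is given the truststore with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword (or the CA is imported into a copy of cacerts the same way). The truststore never contains the server's private key; only the CA certificate crosses to the client machine. If an old JDK 8 refuses the .p12 produced by OpenSSL 3, export it again with openssl pkcs12 -legacy, which falls back to the older PKCS#12 encryption that such JDKs understand.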
