This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-training.git
The following commit(s) were added to refs/heads/master by this push:
new 0ad26c5 First draft of TLS-03 module
0ad26c5 is described below
commit 0ad26c5a42081ab0e78a3f9556c80d3be06e1c08
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Mar 23 22:43:45 2018 +0000
First draft of TLS-03 module
---
modules/tls-03.html | 112 ++++++++++++++++++++++++++++++++++++++++++++++++--
res/tls-03/script.txt | 72 ++++++++++++++++++++++++++++++++
2 files changed, 180 insertions(+), 4 deletions(-)
diff --git a/modules/tls-03.html b/modules/tls-03.html
index add3917..1b84cce 100644
--- a/modules/tls-03.html
+++ b/modules/tls-03.html
@@ -14,7 +14,111 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<section>TLS 03</section>
-<section>Slide 1</section>
-<section>Slide 2</section>
-
+<section>
+ <h2>Configuring Tomcat for TLS</h2>
+</section>
+<section>
+ <h3>Requirements</h3>
+ <p>Private key</p>
+ <p>Server certificate</p>
+ <p>Certificate chain</p>
+ <p/>
+ <p>Configuration in server.xml
+</section>
+<section>
+ <h3>File formats</h3>
+ <p>.pem .crt .cer .key</p>
+ <p>ASCII</p>
+ <p>Key, certificate or chain</p>
+</section>
+<section>
+ <h3>File formats</h3>
+ <p>.der</p>
+ <p>Binary form of .pem</p>
+ <p>Key, certificate or chain</p>
+</section>
+<section>
+ <h3>File formats</h3>
+ <p>.p7b (PKCS7)</p>
+ <p>ASCII</p>
+ <p>Certificate or chain</p>
+ <p>No keys</p>
+</section>
+<section>
+ <h3>File formats</h3>
+ <p>.p12 (PKCS12)</p>
+ <p>Binary</p>
+ <p>Key, certificate or chain</p>
+</section>
+<section>
+ <h3>File formats</h3>
+ <p>.jks .keystore</p>
+ <p>Binary</p>
+ <p>Java specific (deprecated)</p>
+ <p>Key, certificate or chain</p>
+</section>
+<section>
+ <h3>Which format?</h3>
+ <p>Tomcat 7.0.x or 8.0.x</p>
+ <p>BIO, NIO or NIO2</p>
+ <p>JSSE implementation, JSSE configuration</p>
+ <p>Keystore</p>
+ <p>PKCS12 with Java 7+</p>
+ <aside class="notes">
+ OpenSSL doesn't seem to like creating PKCS12 files without keys. Keytool
will do so happily.
+ </aside>
+</section>
+<section>
+ <h3>Which format?</h3>
+ <p>Tomcat 7.0.x or 8.0.x</p>
+ <p>APR/Native</p>
+ <p>OpenSSL implementation, OpenSSL configuration</p>
+ <p>PEM</p>
+</section>
+<section>
+ <h3>Which format?</h3>
+ <p>Tomcat 8.5.x or 9.0.x</p>
+ <p>NIO or NIO2</p>
+ <p>JSSE or OpenSSL implementation</p>
+ <p>JSSE or OpnSSL configuration (can't mix)</p>
+ <p>Keystore, PKCS12 (JSSE config)</p>
+ <p>PEM (OpenSSL config)</p>
+ <aside class="notes">
+ Netty: NIO + OpenSSLs
+ </aside>
+</section>
+<section>
+ <h3>Which format?</h3>
+ <p>Tomcat 8.5.x or 9.0.x</p>
+ <p>APR/Native</p>
+ <p>OpenSSL implementation, OpenSSL configuration</p>
+ <p>PEM</p>
+</section>
+<section>
+ <h3>Changes in 8.5.x onwards</h3>
+ <p>Was 1 connector, 1 host name, 1 certificate</p>
+ <p>Now each connector can have multiple host names</p>
+ <p>Each host name can have multiple certificates</p>
+ <p>Change in configuration style</p>
+ <p>Old style is supported but deprecated</p>
+</section>
+<section>
+ <h3>Generating keys and certificates</h3>
+ <p>OpenSSL for Linux - package manager</p>
+ <p>OpenSSL for Windows - Tomcat Native binary</p>
+ <p>Keytool - JRE/JDK</p>
+ <p>openssl.cnf - <a
href="https://raw.githubusercontent.com/openssl/openssl/OpenSSL_1_0_2-stable/apps/openssl.cnf">Github</a></p>
+ <p><a
href="http://home.apache.org/~markt/presentations/2016-01-25-TLS-key-certificate-generation/script.txt">script</a></p>
+ <aside class="notes">
+ Go through the script
+ </aside>
+</section>
+<section>
+ <h3>Demonstration</h3>
+</section>
+<section>
+ <h3>Exercise</h3>
+ <p>Create APR/native key and certificate</p>
+ <p>Create keystore key and certificate</p>
+ <p>Show 8.5.x, NIO working with both in turn</p>
+</section>
diff --git a/res/tls-03/script.txt b/res/tls-03/script.txt
new file mode 100644
index 0000000..2165d2e
--- /dev/null
+++ b/res/tls-03/script.txt
@@ -0,0 +1,72 @@
+These instructions are for Windows
+Modify the paths as approptiate for your OS.
+
+Create a CA
+===========
+
+1. Create the directory structure
+
+ mkdir demoCA
+ mkdir demoCA\newcerts demoCA\private demoCA\csr demoCA\keystores
+ echo 1000 > demoCA\serial
+ echo 2>demoCA\index.txt
+
+2. Create the CA
+ openssl req -config openssl.cnf -new -x509 -days 3650 -extensions v3_ca
-keyout demoCA\private\cakey.pem -out demoCA\cacert.pem
+
+Create an APR/native key and certificate for localhost
+======================================================
+
+1. Create the private key and the certificate signing request
+ openssl req -config openssl.cnf -new -nodes -out
demoCA\csr\localhost-req.pem -keyout demoCA\private\localhost-key.pem
+
+2. Sign the certifcate
+ openssl ca -config openssl.cnf -days 730 -out
demoCA\newcerts\localhost-cert.pem -infiles demoCA\csr\localhost-req.pem
+
+3. Create the certificate chain file
+ Just the CA certificate
+
+4. Install key, certificate and chain files
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+ maxThreads="150" SSLEnabled="true" >
+ <SSLHostConfig>
+ <Certificate certificateKeyFile="conf/localhost-key.pem"
+ certificateFile="conf/localhost-cert.pem"
+ certificateChainFile="conf/localhost-chain.pem"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+
+Create a Java Keystore for localhost
+====================================
+
+1. Ensure keytool is on the path
+ set JAVA_HOME=C:\java\jdk1.8.0_72_x64
+ set PATH=%PATH%;%JAVA_HOME%\bin
+
+2. Create the private key
+ keytool -genkey -alias tomcat -keyalg RSA -keystore
demoCA\keystores\localhost2.jks -dname CN=localhost,OU=B,O=ASF,ST=MD,C=US
+
+3. Create the certificate signing request
+ keytool -certreq -keyalg RSA -alias tomcat -file
demoCA\csr\localhost2-req.pem -keystore demoCA\keystores\localhost2.jks
+
+4. Sign the certificate
+ openssl ca -config openssl.cnf -days 730 -out
demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem
+ Java uses PRINTABLESTRING. OpenSSL expects UTF8STRING.
+ openssl ca -policy policy_anything -config openssl.cnf -days 730 -out
demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem
+
+5. Import the certificate chain
+ keytool -import -alias ca -keystore demoCA\keystores\localhost2.jks
-trustcacerts -file demoCA\cacert.pem
+
+6. Import the signed certificate
+ keytool -import -alias tomcat -keystore demoCA\keystores\localhost2.jks
-file demoCA\newcerts\localhost2-cert.pem
+
+7. Install keystore
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" SSLEnabled="true">
+ <SSLHostConfig>
+ <Certificate certificateKeystoreFile="conf/localhost2.jks"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+
--
To stop receiving notification emails like this one, please contact
[email protected].
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]