This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-training.git


The following commit(s) were added to refs/heads/master by this push:
     new 0ad26c5  First draft of TLS-03 module
0ad26c5 is described below

commit 0ad26c5a42081ab0e78a3f9556c80d3be06e1c08
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Mar 23 22:43:45 2018 +0000

    First draft of TLS-03 module
---
 modules/tls-03.html   | 112 ++++++++++++++++++++++++++++++++++++++++++++++++--
 res/tls-03/script.txt |  72 ++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+), 4 deletions(-)

diff --git a/modules/tls-03.html b/modules/tls-03.html
index add3917..1b84cce 100644
--- a/modules/tls-03.html
+++ b/modules/tls-03.html
@@ -14,7 +14,111 @@
   See the License for the specific language governing permissions and
   limitations under the License.
 -->
-<section>TLS 03</section>
-<section>Slide 1</section>
-<section>Slide 2</section>
-
+<section>
+  <h2>Configuring Tomcat for TLS</h2>
+</section>
+<section>
+  <h3>Requirements</h3>
+  <p>Private key</p>
+  <p>Server certificate</p>
+  <p>Certificate chain</p>
+  <p/>
+  <p>Configuration in server.xml
+</section>
+<section>
+  <h3>File formats</h3>
+  <p>.pem .crt .cer .key</p>
+  <p>ASCII</p>
+  <p>Key, certificate or chain</p> 
+</section>
+<section>
+  <h3>File formats</h3>
+  <p>.der</p>
+  <p>Binary form of .pem</p>
+  <p>Key, certificate or chain</p> 
+</section>
+<section>
+  <h3>File formats</h3>
+  <p>.p7b (PKCS7)</p>
+  <p>ASCII</p>
+  <p>Certificate or chain</p>
+  <p>No keys</p> 
+</section>
+<section>
+  <h3>File formats</h3>
+  <p>.p12 (PKCS12)</p>
+  <p>Binary</p>
+  <p>Key, certificate or chain</p>
+</section>
+<section>
+  <h3>File formats</h3>
+  <p>.jks .keystore</p>
+  <p>Binary</p>
+  <p>Java specific (deprecated)</p>
+  <p>Key, certificate or chain</p>
+</section>
+<section>
+  <h3>Which format?</h3>
+  <p>Tomcat 7.0.x or 8.0.x</p>
+  <p>BIO, NIO or NIO2</p>
+  <p>JSSE implementation, JSSE configuration</p>
+  <p>Keystore</p>
+  <p>PKCS12 with Java 7+</p>
+  <aside class="notes">
+    OpenSSL doesn't seem to like creating PKCS12 files without keys. Keytool 
will do so happily. 
+  </aside>
+</section>
+<section>
+  <h3>Which format?</h3>
+  <p>Tomcat 7.0.x or 8.0.x</p>
+  <p>APR/Native</p>
+  <p>OpenSSL implementation, OpenSSL configuration</p>
+  <p>PEM</p>
+</section>
+<section>
+  <h3>Which format?</h3>
+  <p>Tomcat 8.5.x or 9.0.x</p>
+  <p>NIO or NIO2</p>
+  <p>JSSE or OpenSSL implementation</p>
+  <p>JSSE or OpnSSL configuration (can't mix)</p>
+  <p>Keystore, PKCS12 (JSSE config)</p>
+  <p>PEM (OpenSSL config)</p>
+  <aside class="notes">
+    Netty: NIO + OpenSSLs 
+  </aside>
+</section>
+<section>
+  <h3>Which format?</h3>
+  <p>Tomcat 8.5.x or 9.0.x</p>
+  <p>APR/Native</p>
+  <p>OpenSSL implementation, OpenSSL configuration</p>
+  <p>PEM</p>
+</section>
+<section>
+  <h3>Changes in 8.5.x onwards</h3>
+  <p>Was 1 connector, 1 host name, 1 certificate</p>
+  <p>Now each connector can have multiple host names</p>
+  <p>Each host name can have multiple certificates</p>
+  <p>Change in configuration style</p>
+  <p>Old style is supported but deprecated</p>
+</section>
+<section>
+  <h3>Generating keys and certificates</h3>
+  <p>OpenSSL for Linux - package manager</p>
+  <p>OpenSSL for Windows - Tomcat Native binary</p>
+  <p>Keytool - JRE/JDK</p>
+  <p>openssl.cnf - <a 
href="https://raw.githubusercontent.com/openssl/openssl/OpenSSL_1_0_2-stable/apps/openssl.cnf";>Github</a></p>
+  <p><a 
href="http://home.apache.org/~markt/presentations/2016-01-25-TLS-key-certificate-generation/script.txt";>script</a></p>
 
+  <aside class="notes">
+    Go through the script 
+  </aside>
+</section>
+<section>
+  <h3>Demonstration</h3>
+</section>
+<section>
+  <h3>Exercise</h3>
+  <p>Create APR/native key and certificate</p>
+  <p>Create keystore key and certificate</p>
+  <p>Show 8.5.x, NIO working with both in turn</p>
+</section>
diff --git a/res/tls-03/script.txt b/res/tls-03/script.txt
new file mode 100644
index 0000000..2165d2e
--- /dev/null
+++ b/res/tls-03/script.txt
@@ -0,0 +1,72 @@
+These instructions are for Windows
+Modify the paths as approptiate for your OS.
+
+Create a CA
+===========
+
+1. Create the directory structure
+
+   mkdir demoCA
+   mkdir demoCA\newcerts demoCA\private demoCA\csr demoCA\keystores
+   echo 1000 > demoCA\serial
+   echo 2>demoCA\index.txt
+   
+2. Create the CA
+   openssl req -config openssl.cnf -new -x509 -days 3650 -extensions v3_ca 
-keyout demoCA\private\cakey.pem -out demoCA\cacert.pem
+
+Create an APR/native key and certificate for localhost
+======================================================
+   
+1. Create the private key and the certificate signing request
+   openssl req -config openssl.cnf -new -nodes -out 
demoCA\csr\localhost-req.pem -keyout demoCA\private\localhost-key.pem
+
+2. Sign the certifcate
+   openssl ca -config openssl.cnf -days 730 -out 
demoCA\newcerts\localhost-cert.pem -infiles demoCA\csr\localhost-req.pem
+
+3. Create the certificate chain file
+   Just the CA certificate
+
+4. Install key, certificate and chain files
+   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+              maxThreads="150" SSLEnabled="true" >
+       <SSLHostConfig>
+           <Certificate certificateKeyFile="conf/localhost-key.pem"
+                        certificateFile="conf/localhost-cert.pem"
+                        certificateChainFile="conf/localhost-chain.pem"
+                        type="RSA" />
+       </SSLHostConfig>
+   </Connector>
+
+Create a Java Keystore for localhost
+====================================
+
+1. Ensure keytool is on the path
+   set JAVA_HOME=C:\java\jdk1.8.0_72_x64
+   set PATH=%PATH%;%JAVA_HOME%\bin
+
+2. Create the private key
+   keytool -genkey -alias tomcat -keyalg RSA -keystore 
demoCA\keystores\localhost2.jks -dname CN=localhost,OU=B,O=ASF,ST=MD,C=US
+   
+3. Create the certificate signing request
+   keytool -certreq -keyalg RSA -alias tomcat -file 
demoCA\csr\localhost2-req.pem -keystore demoCA\keystores\localhost2.jks
+   
+4. Sign the certificate
+   openssl ca -config openssl.cnf -days 730 -out 
demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem
+   Java uses PRINTABLESTRING. OpenSSL expects UTF8STRING.
+   openssl ca -policy policy_anything -config openssl.cnf -days 730 -out 
demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem
+
+5. Import the certificate chain
+   keytool -import -alias ca -keystore demoCA\keystores\localhost2.jks 
-trustcacerts -file demoCA\cacert.pem
+   
+6. Import the signed certificate
+   keytool -import -alias tomcat -keystore demoCA\keystores\localhost2.jks 
-file demoCA\newcerts\localhost2-cert.pem
+   
+7. Install keystore
+   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+              maxThreads="150" SSLEnabled="true">
+       <SSLHostConfig>
+           <Certificate certificateKeystoreFile="conf/localhost2.jks"
+                        type="RSA" />
+       </SSLHostConfig>
+   </Connector>
+

-- 
To stop receiving notification emails like this one, please contact
[email protected].

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to