I just did this. Here are the sources I used to guide me:

The Orion SSL-HowTo document was good at describing what to do once you have the keystore file, but failed miserably at describing how to create the keystore file. Here's how I would rewrite it based on my experience (my comments are in square brackets "[]"):
- Creating a keystore with a certificate:

Note that the Linux keytool binaries that I tried (including Sun's and IBM's) completely failed to use the RSA algorithm, which is necessary. [I'm using Win2K Advanced Server, but I believe that much of the following would apply to Linux. I found that you need Sun's J2EE SDK to get the RSA algorithm. Use the keytool batch file in the bin directory. The batch file will require that you set two environment variables: J2EE_HOME and JAVA_HOME. J2EE_HOME gets set to the directory where the J2EE SDK was installed; for me it was c:\j2sdkee1.2.1. JAVA_HOME gets set to the directory where the Java JDK was installed; for me it was c:\jdk1.3. Note: the IBM version of the JDK did *not* work for this; the keytool routine complained that what it found in the IBM directory was not valid.] What I did was generate the keystore under Windows, and then copy the keystore file to Linux. However, this aspect is still untested; if anyone else wants to independently verify that it works, I'd appreciate it.
    keytool -genkey -keyalg "RSA" -keystore keystore -storepass 123456 -validity 360
- [The command above didn't work for me. I used this instead: keytool -genkey -keyalg RSA -alias my_key]
- Note: the CN must match the fully qualified domain name of the machine. If you're planning on using "https://my.host.com/", you'll need to use "my.host.com" as the CN.
    keytool -certreq -keyalg "RSA" -file my.host.com.csr -keystore keystore
- [I had to change this as well to: keytool -certreq -alias my_key -file keystore.csr]
- Paste the .csr into https://www.thawte.com/cgi/server/test.exe. You will want to generate a key with a chained SSL key, not the default.
- Paste the result into my.host.com.cer.
    keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer
- [And this became: keytool -import -trustcacerts -alias my_key -file keystore.cer]
You'll now have a keystore file in your current directory. [I ended up with a ".keystore" file in c:\Documents and Settings\Administrator, the home directory for the user I was logged in as. I don't know where the file would end up on Linux.]
- Creating a secure site:
- Copy the default-web-site.xml config in the $ORION/config directory to $ORION/config/secure-web-site.xml and edit it.
- Add secure="true" as an attribute to the <web-site> node, and remove the port attribute.
- Add <ssl-config keystore="../my/keystore" keystore-password="123456" /> to the main body. [The "keystore" file here is the ".keystore" file generated by the import step above, and the password is the one supplied when generating the key (it'll make sense when you get there).] The keystore path is relative to the $ORION/config directory.
- Install the site; this is done by adding <web-site path="./secure-web-site.xml" /> to $ORION/server.xml.
Has anyone tried installing/using an SSL (40-bit) certificate from Thawte on Orion?
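Added example, not code from the post or from the Orion HowTo: the genkey/certreq/import steps above driven from one script, with the keystore path passed explicitly so the file does not silently land in the user's home directory as ".keystore", and a check that the CN used in the key (and in the certificate that comes back) is the host part of the site URL. It assumes keytool from $JAVA_HOME/bin is on PATH; the alias my_key, the OU/O/L/ST/C fields and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the genkey/certreq/import steps
# driven from one script. Assumes keytool ($JAVA_HOME/bin) is on PATH.

# Host part of an https URL: "https://my.host.com/" -> "my.host.com".
# The CN of the certificate must be exactly this value.
cn_from_url() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# Distinguished name for keytool -dname (skips the interactive prompts);
# the OU/O/L/ST/C values are whatever your CA expects, placeholders here.
make_dname() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Steps 1 and 2: generate the RSA key pair under alias my_key and write the CSR.
# -keystore is given explicitly so the file does not end up as ~/.keystore.
gen_key_and_csr() {
    url=$1; store=$2; pass=$3
    cn=$(cn_from_url "$url")
    keytool -genkey -keyalg RSA -alias my_key \
        -dname "$(make_dname "$cn" IT 'Example Corp' City State US)" \
        -keystore "$store" -storepass "$pass" -keypass "$pass" -validity 360
    keytool -certreq -alias my_key -file "$cn.csr" \
        -keystore "$store" -storepass "$pass"
    echo "CSR written to $cn.csr; submit it to the CA, then run import_signed_cert"
}

# Step 3: once the CA returns the signed certificate, confirm its subject
# still carries the expected CN, then import it under the same alias.
import_signed_cert() {
    url=$1; store=$2; pass=$3; cer=$4
    cn=$(cn_from_url "$url")
    keytool -printcert -file "$cer" | grep -F -q "CN=$cn" || {
        echo "certificate subject does not contain CN=$cn" >&2; return 1; }
    keytool -import -trustcacerts -alias my_key -file "$cer" \
        -keystore "$store" -storepass "$pass"
}

# Usage (constructed values):
#   gen_key_and_csr https://my.host.com/ ./keystore 123456
#   import_signed_cert https://my.host.com/ ./keystore 123456 my.host.com.cer
```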