StartSSL (StartCOM) certificates and Tomcat

26Jan11


StartSSL offers a great service – free SSL certificates that are trusted by most browsers.

When generating a certificate from a Certificate Signing Request, they require a 2048-bit RSA key and a SHA1 signature. Below are the commands I used to set up Tomcat on Windows. It took me a while to get it just right, so I thought I would share.

First, create the keystore containing the self-signed certificate using the Java keytool command. The keypass and storepass must be the same (a Tomcat limitation). The important settings for StartSSL compatibility are the key size, the key algorithm and the signature algorithm.

keytool -genkey -keysize 2048 -keyalg RSA -sigalg SHA1withRSA -alias myserver -keystore serverkeystore -keypass changeit -storepass changeit -dname "CN=myserver.mydomain.com,OU=ITS,O=OurCompany,L=Memphis,ST=Tennessee,C=US"

Next, create the CSR:

keytool -certreq -alias myserver -file myserver.csr -keystore serverkeystore

Copy and paste the contents of the CSR into the StartSSL certificate wizard when prompted. Once the certificate is issued, import it into the keystore along with the certificate chain, which should be downloaded from the StartSSL site. Import the CA certificates first so that keytool can build the chain when the server certificate is imported.

keytool -import -alias startsslca -file startssl.ca.cer -keystore serverkeystore -trustcacerts
keytool -import -alias startsslca2 -file startssl.sub.class2.server.ca.cer -keystore serverkeystore -trustcacerts
keytool -import -alias myserver -file myserver.mydomain.com.cer -keystore serverkeystore
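After the three imports it is worth confirming that the keystore actually ended up the way the post expects before touching server.xml. The script below is an added example, not part of the original post: it takes the text printed by keytool -list -v -keystore serverkeystore -storepass changeit and checks that the server alias is a private-key entry, that its chain contains more than the leaf (which only happens when the CA certificates were imported before the server certificate), and that the leaf has a 2048-bit RSA key with a SHA1withRSA signature. The two sample listings are constructed with placeholder CA names; the "Subject Public Key Algorithm: 2048-bit RSA key" line is printed by newer keytool versions (Java 8 and later), so that is an assumption about the keytool in use.

```shell
#!/bin/sh
# Added example (not from the original post): check a keystore listing for the
# properties the post relies on. Input is the text of
#   keytool -list -v -keystore serverkeystore -storepass changeit
# Assumption: the "Subject Public Key Algorithm: N-bit RSA key" line exists
# (Java 8+ keytool); older versions do not print the key size.

check_keystore_listing() {
    alias_name="$1"
    listing="$2"
    # Isolate the section for the requested alias (up to the next "Alias name:").
    section=$(printf '%s\n' "$listing" | awk -v a="$alias_name" '
        /^Alias name: / { inside = ($0 == ("Alias name: " a)) }
        inside { print }')
    if [ -z "$section" ]; then
        echo "FAIL: alias $alias_name not found in keystore"
        return 1
    fi
    fails=0
    # The server alias must hold the private key, not just a trusted certificate.
    printf '%s\n' "$section" | grep -q '^Entry type: PrivateKeyEntry' \
        || { echo "FAIL: $alias_name is not a PrivateKeyEntry"; fails=$((fails + 1)); }
    # Chain length 1 means only the leaf: the CA imports did not take effect.
    chain_len=$(printf '%s\n' "$section" | sed -n 's/^Certificate chain length: //p' | head -n 1)
    [ "${chain_len:-0}" -ge 2 ] \
        || { echo "FAIL: chain length ${chain_len:-0}; CA certificates missing from chain"; fails=$((fails + 1)); }
    # Certificate[1] is the leaf; stop at the next Certificate[n] header.
    leaf=$(printf '%s\n' "$section" | awk '/^Certificate\[1\]:/ { p = 1; next } /^Certificate\[/ { p = 0 } p')
    [ -n "$leaf" ] || leaf="$section"
    printf '%s\n' "$leaf" | grep -q '^Subject Public Key Algorithm: 2048-bit RSA key' \
        || { echo "FAIL: leaf key is not 2048-bit RSA"; fails=$((fails + 1)); }
    printf '%s\n' "$leaf" | grep -q '^Signature algorithm name: SHA1withRSA' \
        || { echo "FAIL: leaf is not signed with SHA1withRSA"; fails=$((fails + 1)); }
    if [ "$fails" -eq 0 ]; then
        echo "OK: $alias_name"
        return 0
    fi
    return 1
}

# Constructed sample in the shape of keytool -list -v output after the CA and
# server certificate imports (placeholder CA names, not StartSSL's real ones).
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: startsslca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: myserver
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=myserver.mydomain.com, OU=ITS, O=OurCompany, L=Memphis, ST=Tennessee, C=US
Issuer: CN=Example Intermediate CA, O=Example
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 4096-bit RSA key'

# Constructed sample of a keystore right after -genkey with the wrong key size:
# only the self-signed certificate, so both the chain and the key size fail.
SELFSIGNED_LISTING='Alias name: myserver
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myserver.mydomain.com, OU=ITS, O=OurCompany, L=Memphis, ST=Tennessee, C=US
Issuer: CN=myserver.mydomain.com, OU=ITS, O=OurCompany, L=Memphis, ST=Tennessee, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key'

# Real usage: check_keystore_listing myserver "$(keytool -list -v -keystore serverkeystore -storepass changeit)"
check_keystore_listing myserver "$GOOD_LISTING"
check_keystore_listing myserver "$SELFSIGNED_LISTING" || echo "(expected: keystore not ready yet)"
```

Run it against the real listing with the usage line in the last comment; a clean "OK: myserver" means the chain was assembled and the key meets the 2048-bit RSA / SHA1withRSA requirement, while each FAIL line points at which of the steps above was skipped or done in the wrong order.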

Now, modify the Tomcat server.xml file to enable SSL and restart Tomcat. A sample SSL section using port 8443 is below.

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystorePass="changeit"
           keystoreFile="D:\Program Files\Apache\Tomcat55\serverkeystore"/>




One Response to “StartSSL (StartCOM) certificates and Tomcat”

  1. Some guy

    Hey, thanks. This was very helpful. I actually found this page helpful, too: https://forum.startcom.org/viewtopic.php?t=1390, since I did not do my own CSR.

    One note on your blog, though: The code snippets you pasted here are all FU. The quotes are all messed up like you wrote the stuff in some Office program or something. Same goes for all spaces. I had to re-type everything by hand.

