res/tls-03/script.txt - tomcat-training - Git at Google

 These instructions are for Windows
 Modify the paths as approptiate for your OS.

 Create a CA
 ===========

 1. Create the directory structure

    mkdir demoCA
    mkdir demoCA\newcerts demoCA\private demoCA\csr demoCA\keystores
    echo 1000 > demoCA\serial
    echo 2>demoCA\index.txt

 2. Create the CA
    openssl req -config openssl.cnf -new -x509 -days 3650 -extensions v3_ca -keyout demoCA\private\cakey.pem -out demoCA\cacert.pem

 Create an APR/native key and certificate for localhost
 ======================================================

 1. Create the private key and the certificate signing request
    openssl req -config openssl.cnf -new -nodes -out demoCA\csr\localhost-req.pem -keyout demoCA\private\localhost-key.pem

 2. Sign the certifcate
    openssl ca -config openssl.cnf -days 730 -out demoCA\newcerts\localhost-cert.pem -infiles demoCA\csr\localhost-req.pem

 3. Create the certificate chain file
    Just the CA certificate

 4. Install key, certificate and chain files
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-key.pem"
                         certificateFile="conf/localhost-cert.pem"
                         certificateChainFile="conf/localhost-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

 Create a Java Keystore for localhost
 ====================================

 1. Ensure keytool is on the path
    set JAVA_HOME=C:\java\jdk1.8.0_72_x64
    set PATH=%PATH%;%JAVA_HOME%\bin

 2. Create the private key
    keytool -genkey -alias tomcat -keyalg RSA -keystore demoCA\keystores\localhost2.jks -dname CN=localhost,OU=B,O=ASF,ST=MD,C=US

 3. Create the certificate signing request
    keytool -certreq -keyalg RSA -alias tomcat -file demoCA\csr\localhost2-req.pem -keystore demoCA\keystores\localhost2.jks

 4. Sign the certificate
    openssl ca -config openssl.cnf -days 730 -out demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem
    Java uses PRINTABLESTRING. OpenSSL expects UTF8STRING.
    openssl ca -policy policy_anything -config openssl.cnf -days 730 -out demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem

 5. Import the certificate chain
    keytool -import -alias ca -keystore demoCA\keystores\localhost2.jks -trustcacerts -file demoCA\cacert.pem

 6. Import the signed certificate
    keytool -import -alias tomcat -keystore demoCA\keystores\localhost2.jks -file demoCA\newcerts\localhost2-cert.pem

 7. Install keystore
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost2.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
	These instructions are for Windows
	Modify the paths as approptiate for your OS.

	Create a CA
	===========

	1. Create the directory structure

	mkdir demoCA
	mkdir demoCA\newcerts demoCA\private demoCA\csr demoCA\keystores
	echo 1000 > demoCA\serial
	echo 2>demoCA\index.txt

	2. Create the CA
	openssl req -config openssl.cnf -new -x509 -days 3650 -extensions v3_ca -keyout demoCA\private\cakey.pem -out demoCA\cacert.pem

	Create an APR/native key and certificate for localhost
	======================================================

	1. Create the private key and the certificate signing request
	openssl req -config openssl.cnf -new -nodes -out demoCA\csr\localhost-req.pem -keyout demoCA\private\localhost-key.pem

	2. Sign the certifcate
	openssl ca -config openssl.cnf -days 730 -out demoCA\newcerts\localhost-cert.pem -infiles demoCA\csr\localhost-req.pem

	3. Create the certificate chain file
	Just the CA certificate

	4. Install key, certificate and chain files
	<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
	maxThreads="150" SSLEnabled="true" >
	<SSLHostConfig>
	<Certificate certificateKeyFile="conf/localhost-key.pem"
	certificateFile="conf/localhost-cert.pem"
	certificateChainFile="conf/localhost-chain.pem"
	type="RSA" />
	</SSLHostConfig>
	</Connector>

	Create a Java Keystore for localhost
	====================================

	1. Ensure keytool is on the path
	set JAVA_HOME=C:\java\jdk1.8.0_72_x64
	set PATH=%PATH%;%JAVA_HOME%\bin

	2. Create the private key
	keytool -genkey -alias tomcat -keyalg RSA -keystore demoCA\keystores\localhost2.jks -dname CN=localhost,OU=B,O=ASF,ST=MD,C=US

	3. Create the certificate signing request
	keytool -certreq -keyalg RSA -alias tomcat -file demoCA\csr\localhost2-req.pem -keystore demoCA\keystores\localhost2.jks

	4. Sign the certificate
	openssl ca -config openssl.cnf -days 730 -out demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem
	Java uses PRINTABLESTRING. OpenSSL expects UTF8STRING.
	openssl ca -policy policy_anything -config openssl.cnf -days 730 -out demoCA\newcerts\localhost2-cert.pem -infiles demoCA\csr\localhost2-req.pem

	5. Import the certificate chain
	keytool -import -alias ca -keystore demoCA\keystores\localhost2.jks -trustcacerts -file demoCA\cacert.pem

	6. Import the signed certificate
	keytool -import -alias tomcat -keystore demoCA\keystores\localhost2.jks -file demoCA\newcerts\localhost2-cert.pem

	7. Install keystore
	<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
	maxThreads="150" SSLEnabled="true">
	<SSLHostConfig>
	<Certificate certificateKeystoreFile="conf/localhost2.jks"
	type="RSA" />
	</SSLHostConfig>
	</Connector>