Version 2 (modified by manningr, 5 years ago)

Added a pointer to the location of root.cer from cacert.org

I wanted to host my own server for things such as Hudson and Nexus and make it available via SSL, so that I and other developers of SQuirreL could log in to it remotely. This turned out to be a bit of work, because I needed a certificate signed by a root CA: I don't have a yearly budget for paying for SSL certificates, and I can't use a cheap service (e.g. GoDaddy) since I need to run Tomcat. So I found a free CA, CAcert.org, and went through the short process of registering my email address and domain (www.squirrel-sql.org) with them. At that point I was ready to generate a cert that I could use in Tomcat. Here are the steps I followed, pieced together from various web postings and the keytool manual:

  1. (Create a keystore file) :
    keytool -genkey -alias server  -keyalg RSA -keystore hudson.jks
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  www.squirrel-sql.org
    What is the name of your organizational unit?
      [Unknown]:  www.squirrel-sql.org
    What is the name of your organization?
      [Unknown]:  www.squirrel-sql.org
    What is the name of your City or Locality?
      [Unknown]:  Pasadena
    What is the name of your State or Province?
      [Unknown]:  Maryland
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=www.squirrel-sql.org, OU=www.squirrel-sql.org, O=www.squirrel-sql.org, L=Pasadena, ST=Maryland, C=US correct?
      [no]:  yes
    
  2. (Create a CSR (certificate signing request)) :
    keytool -certreq -alias server -file csr.txt -keystore hudson.jks
    
  3. (Submit the CSR from step 2 to CAcert.org and get a certificate signed with CAcert's root certificate)
  4. (Download and install CAcert's root certificate as a trusted root cert in JRE keystore)
    wget https://www.cacert.org/certs/root.crt
    
    keytool -import -keystore <JAVA_HOME>\jre\lib\security\cacerts -file root.crt
    
    (You may have to give the user running this command write permission on the cacerts file; the default passphrase of that keystore is changeit.)
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    
  5. (Configure Tomcat SSL connector):

The following snippet goes into server.xml:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/hudson.jks"
               keystorePass="<passphrase>" URIEncoding="UTF-8"/>
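
The five steps above, collected into one non-interactive POSIX shell script. This is an added example, not a script from the SQuirreL project or from this wiki page. It assumes keytool is on PATH, JAVA_HOME is set, the CAcert root is fetched as root.crt, the keystore password is passed in the STOREPASS environment variable, and the signed reply downloaded from CAcert after step 3 is saved as server.crt (a hypothetical file name). It also covers the step the list above leaves implicit: importing that signed reply back into hudson.jks under the same alias, so the CA-signed certificate replaces the self-signed one Tomcat would otherwise serve. The last function is the check a practitioner wants after step 5: server.xml carries keystorePass in clear text, so neither it nor hudson.jks should be readable by other users.

```shell
#!/bin/sh
# Added example (not from the SQuirreL wiki): keytool + CAcert + Tomcat, scripted.
# Assumptions: keytool on PATH, JAVA_HOME set, STOREPASS exported by the caller,
# CAcert root saved as root.crt, CAcert's signed reply saved as server.crt (hypothetical name).
set -eu

KEYSTORE=${KEYSTORE:-hudson.jks}
ALIAS=server

need_pass() { : "${STOREPASS:?set STOREPASS to the keystore password}"; }

# The X.500 name keytool asks for interactively in step 1; the page uses the
# host name for CN, OU and O, so one argument fills all three.
build_dname() {
  # $1 host (CN/OU/O), $2 city (L), $3 state (ST), $4 country (C)
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$1" "$1" "$2" "$3" "$4"
}

# Step 1: RSA key pair plus a self-signed placeholder certificate.
# -keyalg RSA is required: keytool's historic default is DSA, which TLS stacks reject.
create_keystore() {
  need_pass
  keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "$(build_dname www.squirrel-sql.org Pasadena Maryland US)"
}

# Step 2: CSR to paste into CAcert's server certificate form.
create_csr() {
  need_pass
  keytool -certreq -alias "$ALIAS" -file csr.txt \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 4: trust CAcert's root in the JRE's cacerts (default password changeit).
import_root() {
  wget -O root.crt https://www.cacert.org/certs/root.crt
  keytool -import -noprompt -trustcacerts -alias cacert_root -file root.crt \
    -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
}

# After step 3: install the signed reply under the key's alias so it replaces the
# self-signed certificate. keytool refuses the reply unless its issuer chains to
# a trusted root, which is why step 4 has to run first.
import_signed_reply() {
  need_pass
  keytool -import -trustcacerts -alias "$ALIAS" -file server.crt \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Check for step 5: returns 0 if the file has no group/other permission bits,
# 1 otherwise. Run it on server.xml (clear-text keystorePass) and on hudson.jks.
check_private_file() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD stat
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Usage: STOREPASS=... sh tomcat-cacert.sh genkey|csr|root|reply|check <file>
case "${1:-}" in
  genkey) create_keystore ;;
  csr)    create_csr ;;
  root)   import_root ;;
  reply)  import_signed_reply ;;
  check)  check_private_file "${2:?file to check}" && echo "ok: $2 is private" ;;
esac
```

The subcommands are meant to be run in the order genkey, csr, root, reply, with the CAcert web form between csr and reply; `check /path/to/server.xml` and `check /path/to/hudson.jks` exit non-zero when either file is readable by anyone other than its owner, so they can go into a deployment script.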