Install a trusted security certificate
A security certificate has to be digitally signed by an official certification authority (CA), e.g. http://thawte.com, to be classified as trusted. There are two ways to create this type of security certificate in FirstSpirit: either via openssl (see http://www.openssl.org) or via the keytool provided by Java. Certificates created via openssl are advantageous, since any other web server, e.g. Apache, IIS, Tomcat, etc., can use them. A certificate created via keytool can only be used for Java-based web servers.
Create a security certificate via keytool
A private key is generated first. To achieve this, enter the following command after changing to the FirstSpirit Server installation directory:
keytool -genkey -keystore conf/fs-keystore.jks -storepass changeit -alias fs5.yourdomain.net -keyalg RSA -keysize 2048 -validity 3650
The key length in bits and the validity in days are specified by “-keysize” and “-validity” respectively. If a separate key password is requested, enter the same value as for “-storepass” (“changeit” in this example, the same password used in the following commands). If the “first and last name” is requested, enter the fully qualified host name as visible to the client, e.g. fs5.yourdomain.net; this becomes the certificate's Common Name and must match the host name clients connect to.
In the next step, a certification request has to be generated:
keytool -certreq -keystore conf/fs-keystore.jks -storepass changeit -alias fs5.yourdomain.net -file request.csr
The file “request.csr” is subsequently sent to the certification authority. Import the received response certificate (public.pem) into the keystore:
keytool -import -trustcacerts -keystore conf/fs-keystore.jks -storepass changeit -alias fs5.yourdomain.net -file public.pem
If the certification authority issued the certificate via a hierarchy (certificate chain), every certificate in that hierarchy must either already be present in the Java VM's certificate store or be imported into the keystore before the response certificate; otherwise keytool aborts with the error message “Failed to establish chain from reply”. To import the certificates of the hierarchy, call the command once per file and give each one its own alias, e.g. the file name without its extension:
keytool -import -trustcacerts -keystore conf/fs-keystore.jks -storepass changeit -alias chain_CA_1 -file chain_CA_1.pem
Certification authorities sometimes deliver certificates in a format that keytool cannot read. Such certificates can be converted to PEM with OpenSSL, e.g. (if the input file is DER-encoded, add “-inform DER”):
openssl x509 -in public.crt -out public.pem -outform PEM
Generate a security certificate via openssl
Generate the private key first:
openssl genrsa -out private.key 2048
A certification request (request.csr) is then created and subsequently transferred to the certification authority (CA) for signing. When prompted for the Common Name, enter the fully qualified host name as visible to the client, exactly as in the keytool variant:
openssl req -new -key private.key -out request.csr
The certification authority subsequently returns the signed certificate (the public key with the CA's signature), usually in PEM format, as a text file (public.pem) that begins with “-----BEGIN CERTIFICATE-----”. For the FirstSpirit web server, the private key and the signed certificate have to be combined in a keystore in PKCS12 format. To create the keystore, change to the FirstSpirit Server installation directory and enter the following command. Choose a password for the keystore when prompted; this password is then entered in the web server configuration. “changeit” has been chosen in the example.
openssl pkcs12 -inkey private.key -in public.pem -export -out conf/fs-keystore.p12 -caname root
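The following script is an added example and is not part of the FirstSpirit documentation or product. It covers the chain-import step of the keytool variant (one file and one alias per CA certificate) and the keystore step of the openssl variant, going slightly beyond the page by bundling the CA chain into the PKCS12 file with “-certfile” so the web server presents the full chain. The file names chain.pem and split/, the alias fs5.yourdomain.net and the password changeit are assumptions taken over from the page's examples; the certificate blocks in the demonstration are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example for this page (not FirstSpirit's own tooling): handle a CA chain
# delivered as one PEM bundle. Assumed names: bundle file chain.pem, output
# directory split/, keystore conf/fs-keystore.jks with password changeit.
set -eu

# Split a PEM bundle into one file per certificate (chain_CA_1.pem, chain_CA_2.pem,
# ...) so each can be imported under its own alias, as the keytool step requires.
# Text between certificates (e.g. "Subject:" lines) is dropped. Prints the number
# of certificates written.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain_CA_" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Check that the server certificate chains up to the CA bundle before anything is
# imported; an incomplete bundle here is what later produces keytool's
# "Failed to establish chain from reply". Exits non-zero when verification fails.
verify_chain() {
    server_cert=$1
    ca_bundle=$2
    openssl verify -CAfile "$ca_bundle" "$server_cert"
}

# Import every split CA certificate into the keystore, alias = file name without
# .pem (chain_CA_1, chain_CA_2, ...). Run this before importing the server
# certificate reply.
import_chain() {
    keystore=$1
    storepass=$2
    dir=$3
    for f in "$dir"/chain_CA_*.pem; do
        alias=$(basename "$f" .pem)
        keytool -import -trustcacerts -noprompt -keystore "$keystore" \
            -storepass "$storepass" -alias "$alias" -file "$f"
    done
}

# Report the chain length keytool records for the server entry; a value of 1
# means the intermediates were not attached and clients receive only the leaf.
server_chain_length() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
        | awk -F': ' '/Certificate chain length/ { print $2; exit }'
}

# openssl variant: build the PKCS12 keystore with the CA chain included
# (-certfile) so the web server sends the full chain, not just the leaf.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -caname root
}

# Constructed demonstration input (placeholder blocks, not real certificates):
demo=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'placeholder-intermediate-CA' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'placeholder-root-CA' '-----END CERTIFICATE-----' \
    > "$demo/chain.pem"
echo "certificates split from bundle: $(split_pem_bundle "$demo/chain.pem" "$demo/split")"
ls "$demo/split"
rm -rf "$demo"

# Real run against the CA's files (needs openssl and a JDK keytool; not executed here):
#   verify_chain public.pem chain.pem
#   split_pem_bundle chain.pem split
#   import_chain conf/fs-keystore.jks changeit split
#   keytool -import -trustcacerts -keystore conf/fs-keystore.jks -storepass changeit -alias fs5.yourdomain.net -file public.pem
#   server_chain_length conf/fs-keystore.jks changeit fs5.yourdomain.net
#   build_pkcs12 private.key public.pem chain.pem conf/fs-keystore.p12
```

The split step is pure text processing and runs offline; verify_chain, import_chain, server_chain_length and build_pkcs12 wrap the page's own openssl and keytool commands and only make sense with the files the certification authority actually returned. Checking the chain length after the import is the quickest way to confirm that the reply was attached to the private key entry rather than stored as a separate trusted certificate.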