How to install an SSL Certificate into the SparkGateway

yoinkscreechedInternet and Web Development

Nov 13, 2013 (3 years and 9 months ago)



The SparkGateway uses the Apache Tomcat web server and servlet container, so installing SSL certificates is basically the same process as installing an SSL certificate in Tomcat. However, there is no specific tool that handles all the steps needed, so this article explains in more detail how this can be done on Windows Server 2003/2008.


1) Install the Java SDK. The recommended version is jdk 1.6.0_27. You will need the Keytool.exe found in the bin folder.


2) Install OpenSSL. I used the version from http://code.google.com/p/openssl-for-windows/ because when I ran the 32bit version from Sourceforge.net it crashed when I ran it on Windows Server 2008 64bit. The one from Google Code had a 64bit version which worked perfectly.

Since the version from Google Code only contained three files I placed these files in the bin folder of the Java SDK so that all the tools I needed were in the same folder.


3) Create a Java keystore using Keytool.exe found in the Java bin folder. The keystore is simply the file where the SSL certificate will be stored. Note: You must specify "RSA" as the algorithm because the default for Keytool is "DSA" but most certificates now use "RSA".

The default keystore type is "jks" which is what I used so I did not specify a keystore type. If you wanted a "pkcs12" keystore you would have to specify this option. The normal file extension for a "jks" type keystore is either "jks" or "keystore". I used "keystore".


keytool -genkey -alias myalias -keyalg RSA -keystore mystore.keystore -keysize 2048


myalias - should be the same name as you are using for your SSL Certificate. In my case I used www.ordersportal.com since that was the website where I wanted to use the SSL certificate.

You will need this alias in subsequent commands.

mystore.keystore is simply the name I want for the file where the certificates will be stored. You could also use the extension "jks" and you can include the full file path if needed.


You will be prompted for a keystore password and this password will be needed in the SparkGateway and with most of the following commands so be sure to remember it.

When creating the keystore a self signed certificate is also created so you will be prompted for:


1. What is your first and last name? Enter myalias (I used "www.ordersportal.com").

2. What is the name of your organizational unit? Enter what you like (I used "Online Sales").

3. What is your organization? Enter your business name (I used "dCipher Computing").

4. What is the name of your city or locality? Enter your city (I used "Barrie").

5. What is your state or province? Enter your state or province (I used "Ontario").

6. What is the two letter country code for this unit? Enter your country code (I used "CA").

7. Then you will be prompted to confirm that all the entries are correct; if so, answer yes (y). If you answer no (n) you will be able to make changes to these items.

8. Finally you will be prompted for another password but do not create one. This will make the default password for the certificate the same as the keystore which is what you want for the SparkGateway.


4) Create a CSR (Certificate Signing Request). This will create a file containing the information needed to have someone issue you an SSL certificate. In my case I will use RapidSSL.


keytool -certreq -alias myalias -keyalg RSA -file mycertreq.csr -keystore mystore.keystore


mycertreq.csr - the file name where the CSR data will be stored. This is just a text file and can be opened with a text editor.

5) Submit the mycertreq.csr to the signing authority supplying your certificate. The file is a text file and you usually just copy and paste the contents into a web site for processing.


6) If your certificate comes in "pkcs12" this step may not be necessary. In my case I was sent a "pem" file containing the certificate, private key, root and intermediate certificates. You need to import all these items into your keystore.

Unfortunately the Keytool does not allow you to import the private key directly but there is a way around this problem. You need to convert the private key and your certificate into a pkcs12 file which can then be imported into the keystore using Keytool. To do this you need to put both the private key and your certificate into a "pem" text file. Simply paste them in because both are just encoded text. I created a file called myalias.pem and just copied the required elements from the "pem" file supplied to me.

Be sure that you are copying and pasting the correct certificates. I used an online SSL Certificate Viewer to ensure I was using the correct certificate. Once you have created this new "pem" file containing your private key and certificate you can use the following command to convert the "pem" file into a pkcs12 file.


openssl pkcs12 -export -in myalias.pem -out myalias.p12 -name myalias


myalias.pem - The new "pem" file containing the private key and certificate

myalias.p12 - The new pkcs12 file containing my converted private key and certificate

You will be prompted for a password. I used the same password as I used in Step 3.


8) I put both the root certificate and the intermediate certificate in their own "crt" files. I do not know for certain if this is necessary but it was easier for me to import them into the key store using the following commands.


keytool -import -alias Root -trustcacerts -file myroot_ca.crt -keystore mystore.keystore -keyalg RSA

keytool -import -alias Intermediate -trustcacerts -file myintermediate_ca.crt -keystore mystore.keystore -keyalg RSA


9) Import the SSL Certificate and private key using the following command. You will be prompted for both the keystore password and pkcs12 file password. You will also be asked if you want to overwrite the existing self signed certificate to which you should say yes. This will replace the self signed certificate created in step 3 with the real SSL certificate of the same name.

Make sure you specify the destination store type as "JKS" which is the format we used when we created the keystore.


keytool -importkeystore -srckeystore myalias.p12 -srcstoretype pkcs12 -destkeystore mystore.keystore -deststoretype JKS



10) This step is optional but useful to see what is in your keystore.


keytool -list -v -keystore mystore.keystore > mykeystorelist.txt


mykeystorelist.txt - The text file containing information about certificates in the keystore
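
Added example, not part of the original article: a short Python check of the step 10 listing. It confirms that the site alias holds a private key, that its certificate is no longer the self signed one from step 3, and that the chain stored with the key includes more than the site certificate. The sample listing and the names www.example.test, parse_entries and check_site_entry are constructed for illustration.

```python
import re

# Constructed sample of `keytool -list -v` output, trimmed to the fields used below.
SAMPLE = """\
Alias name: www.example.test
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test, O=Example Org, C=CA
Issuer: CN=www.example.test, O=Example Org, C=CA

*******************************************

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def parse_entries(listing):
    """Map each alias to its entry type, chain length and (owner, issuer) pairs."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        kind = re.search(r"(?m)^Entry type: (\S+)", block)
        chain = re.search(r"(?m)^Certificate chain length: (\d+)", block)
        owners = re.findall(r"(?m)^Owner: (.+)$", block)
        issuers = re.findall(r"(?m)^Issuer: (.+)$", block)
        entries[block.splitlines()[0].strip()] = {
            "type": kind.group(1) if kind else None,
            "chain": int(chain.group(1)) if chain else 0,
            "certs": list(zip(owners, issuers)),
        }
    return entries

def check_site_entry(listing, alias):
    """Return the problems found with the entry stored under the site alias."""
    entry = parse_entries(listing).get(alias.lower())  # JKS lists aliases in lower case
    if entry is None:
        return ["alias not found"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append("no private key stored under this alias")
    if entry["certs"] and entry["certs"][0][0] == entry["certs"][0][1]:
        problems.append("self-signed: the step 3 certificate was not replaced")
    if entry["chain"] < 2:
        problems.append("chain holds only the site certificate, no intermediate")
    return problems
```

To check a real keystore, pass the contents of mykeystorelist.txt and your own alias to check_site_entry; an empty list means none of the three problems was found.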


11) I put the keystore file in the Sparkgateway folder and adjusted the "Java Options" in the SparkGateway Manager as:


-Djavax.net.ssl.keyStore=mystore.keystore
-Djavax.net.ssl.keyStorePassword=mykeystorepwd


mykeystorepwd - This is the password you used in step 3

mystore.keystore - This is the fully qualified path to the keystore file.


Conclusion:

If you followed these steps you should have successfully created a keystore that will allow you to use an SSL certificate with the SparkGateway. For simplicity I created a "cmd" file with all the commands that I can run when I need to create a keystore.


openssl pkcs12 -export -in myalias.pem -out myalias.p12 -name myalias

keytool -genkey -alias myalias -keyalg RSA -keystore mystore.keystore -keysize 2048

keytool -certreq -alias myalias -keyalg RSA -file mycertreq.csr -keystore mystore.keystore

keytool -import -alias Root -trustcacerts -file myroot_ca.crt -keystore mystore.keystore -keyalg RSA

keytool -import -alias Intermediate -trustcacerts -file myintermediate_ca.crt -keystore mystore.keystore -keyalg RSA

keytool -importkeystore -srckeystore myalias.p12 -srcstoretype pkcs12 -destkeystore mystore.keystore -deststoretype JKS

keytool -list -v -keystore mystore.keystore > mykeystorelist.txt