Log in

16 February 2006 @ 11:33 am
HOWTO: Migrate SSL Certificates from Apache to JBoss  
The problem: Replace Apache-as-load-balancer with an external load balancer. Since we were using Apache to host our SSL certificate, we now need to make JBoss/Tomcat handle that functionality directly.

Problem 1: Tomcat requires it's certificates in a Java "keystore", not as the freestanding X509 certificates Apache likes.
Broken solution attempt 1: Import the certificates into a keystore using Sun's keytool. The syntax is clear and obvious:
keytool -import -v -keystore my.keystore -file my.cert
Of course, the keytool -import function ONLY supports importing X509 certificates, not keys, and I don't see a clear way of doing any sort of a certificate chain... I'll worry about that later.

Place my.keystore into the jboss\server\default\conf folder, uncomment the SSL section in jboss\server\default\deploy\jbossweb-tomcatt55.sar\server.xml, set the "keystoreFile" and "keystorePass" attributes for the SSL connector, and start JBoss. It starts without error, and claims to be listening on port 8443.

Internet Explorer reports "Cannot find server". Telneting in, I get SOMETHING. Not sure how that something is, since I am not quite 1337 enough to do RSA encryption in my head. Firefox is a bit more helpful, reporting that it has "no common encryption algorithms" with the server. A quick test proves that JBoss+IE and JBoss+Firefox work fine with the self-signed certificates EVERY tutorial describes, so the problem MUST be with my keystore. Probably the fact that I have no signature, but no private key.

I look for ways to import the public key into a keystore, and discover that THERE IS NONE. This is why EVERY example involves generating a certificate and key from scratch, then exporting the request. Let me repeat that: Sun's keytool does not provide ANY way to import an existing X509 certificate and it's key.

Jetty has some code for creating a Java-style keystore from a PKCS12 keystore, so if I could combine the existing certificate and key into a PKCS12 keystore, that should be useful. Fortunately, I have the openssl command-line tool available, so this was a simple matter of:
openssl pkcs12 -export -inkey my.key -in my.cert -certfile certchain.cert -out my.pkcs12

Now, I could download and compile the Jetty utility to turn this pkcs12 keystore into a "Java Keystore, but I got lazy. While poring my hair out over the JBoss SSL documentation, I saw a "keystoreType" option. A little testing with keytool proved that the JDK tools could read a PKCS12 keystore jsut fine. SO, I dropped this one into JBoss without translation, fired it up, and it worked fine.

HOWTO without story
1. You will need three input files, suitable for use in Apache mod_ssl:
 a. my.cert, the X509 certificate file used by Apache as SSLCertificateFile.
 b. my.key, the key to my.cert used by Apache as SSLCertificateKeyFile.
 c. chain.cert, the certificate chain used by Apache as CCLCertificateChainFile.
2. Using openssl, build a PKCS12 keystore with the command
 openssl pxcs12 -export -inkey my.key -in my.cert -certfile certchain.cert -out my.pkcs12
3. Copy the file my.pkcs12 to your jboss\server\default\cond\ directory.
4. Edit your jboss\server\default\deploy\jbossweb-tomcat55.sar\server.xml
 a. Uncomment the Connector element in the comment starting "SSL/TLS Connector configuration"
 b. Set the port to what you want (443)
 c. Change the keystoreFile from ${jboss.server.home.dir}/conf/chapter8.keystore to ${jboss.server.home.dir}/conf/my.pkcs12
 d. Change the keyStorePass
 e. Add an attribute "keystoreType" set to "PKCS12"
Nina Forsythninaf on February 16th, 2006 08:47 pm (UTC)
oh oh oh, what kind of loab balancer? OpenSSL does some really crazy stuff.
St. Sean the Amused: bmageseanb on February 16th, 2006 10:34 pm (UTC)
I'm honestly not sure about the load balancer setup they are using at Berbee.

Since we're migrating away from OpenSSL to using JBoss' built-in SSL support (via JSSE), I'm more woried about JSSE doing weird crazy stuff at runtime.