1. Setup SSL in tomcat with using Certificate, Chain certificate and Private key.
for example,
1. website.crt ( main certificate file )
2. website-ca.crt ( chain certificate )
3. website.key ( private Key )
Open server.xml which is located in tomcat base directory.
nano $CATALINA_BASE/Tomcat/conf/server.xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json" compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata" URIEncoding="UTF-8" useBodyEncodingForURI="true" connectionTimeout="20000" enableLookups="false" maxThreads="1500" SSLEnabled="true" defaultSSLHostConfigName="Primary-Domain-name" maxParameterCount="-1"> <SSLHostConfig hostName="Domain-name" protocols="TLSv1.2"> <Certificate certificateFile="PATH-To-SSL-Directory/website.crt" certificateKeyFile="PATH-To-SSL-Directory/website.key"
certificateChainFile="PATH-To-SSL-Directory/website-ca.crt" />
</SSLHostConfig> </Connector>
2. Generate private key from Certificate and Chain certificate.
keytool -keysize 2048 -genkey -alias website -keyalg RSA -keystore website.keystore
keytool -certreq -keyalg RSA -alias website -file website.csr -keystore website.keystore
keytool -import -alias root -keystore website.keystore -trustcacerts -file website.crt
keytool -import -alias intermed -keystore website.keystore -trustcacerts -file website-ca.crt
keytool -import -alias website -keystore website.keystore -trustcacerts -file website.crt
keytool -importkeystore -srckeystore website.keystore -destkeystore website.keystore -deststoretype pkcs12
openssl pkcs12 -in website.keystore -out website.pem
nano $CATALINA_BASE/Tomcat/conf/server.xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json" compression="force" compressionMinSize="1024" useSendfile="false" noCompressionUserAgents="gozilla, traviata" URIEncoding="UTF-8" useBodyEncodingForURI="true" connectionTimeout="20000" enableLookups="false" maxThreads="1500" SSLEnabled="true" defaultSSLHostConfigName="Primary-Domain-name" maxParameterCount="-1"> <SSLHostConfig hostName="Domain-name"> <Certificate certificateFile="PATH-TO-SSL/website.pem" certificateKeyPassword="certificate-password" certificateChainFile="PATH-TO-SSL/website-ca.crt" /> </SSLHostConfig> </Connector>
3. Setup Above SSL certificates on Nginx webserver.
a. convert generated .pem file into key file using below command.
openssl rsa -text -in website.pem
Copy the generated context into one file named website.key. example of key file is given below.
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAgVa6C3+/p3AfEn1ZW8KgnxAegMgjv/AllpBEeC0lB2gAkecS
xvraI+PyyzjI7maEktIPw4k2TXafsl/OYZXbPOXpSVaeIZyKCW80RsApDvJysJq/
V0g6WQKBgQCzJMUlOXFUrPKelDfhS4/7YNYmm2+ztcj/X7SXMvaA7vY424KHc9br
MzqnExB01Ge1VDB5xKrEeWtcp30mQ8E9KQfVEIlJO4dsCDVL32+beY57kWbIivlC
mf3YvqeBdnRRSjanxn5bsHqu91GLP4jQIuBNKkz8dRYwBSVcZnb1SA==
-----END RSA PRIVATE KEY-----
cat website.crt > website-combine.crt
cat website-ca.crt > website-combine.crt
c. open SSL configuration file of nginx.
/etc/nginx/conf.d/ssl.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domainname.in;
ssl_certificate /$PATH-TO-SSL/website.crt;
ssl_certificate_key /$PATH-TO-SSL/website.key;;
# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /$PATH-TO-SSL/website-combine.crt;
location / {
proxy_pass https://tomssl/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host:443;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-Proto $scheme;
allow all;
}
error_page 500 502 503 504 /server-busy.html;
location = /server-busy.html {
root /usr/share/nginx/html;
internal;
}
}
nginx -tsystemctl restart nginx
4. Setup SSL in apache webserver.
<VirtualHost *:443><Directory /path/to/website/dir>Options Indexes FollowSymLinks MultiViewsAllowOverride AllRequire all granted</Directory>ServerAdmin purval@test.comServerName impurval.blogspot.comServerAlias www.impurval.blogspot.comDocumentRoot /path/to/website/dirErrorLog ${APACHE_LOG_DIR}/website.log#CustomLog ${APACHE_LOG_DIR}/phpmyadmin_access.log combinedSSLEngine onSSLCertificateFile "/path/to/ssl/website.crt"SSLCertificateKeyFile "/path/to/ssl/website.key"SSLCertificateChainFile "path/to/ssl/website-ca.crt"<FilesMatch "\.(cgi|shtml|phtml|php)$">SSLOptions +StdEnvVars</FilesMatch><Directory /usr/lib/cgi-bin>SSLOptions +StdEnvVars</Directory>Protocols h2 h2c http/1.1</VirtualHost>
apachectl -t/etc/init.d/apache2 restart
5. Setup free Lets encrypt SSL.
apt-get install certbot
sudo certbot certonly --standalone -d domain-name.com
<SSLHostConfig hostName="domain-name.com">
<Certificate certificateFile="/etc/letsencrypt/live/domain-name.com/cert.pem"
certificateKeyFile="/etc/letsencrypt/live/domain-name.com/privkey.pem"
certificateChainFile="/etc/letsencrypt/live/domain-name.com/chain.pem" />
</SSLHostConfig>
No comments:
Post a Comment