Have you installed the Java Runtime Environment and Apache Tomcat yet? If not, follow these steps first!


Since we use the Tomcat APR connector, TLS is handled by OpenSSL rather than Tomcat's default Java (JSSE) SSL implementation. In this step a Certificate Signing Request (CSR) is generated on the server; it is used to request an SSL certificate from a certificate authority. An OpenSSL binary for Windows is included in the Tomcat Native Connector distribution.

Please replace $tomcat with the correct Tomcat installation folder name, such as C:\Program Files\Apache Software Foundation\Tomcat 7.0.

Files required

Application | Version                           | File
------------|-----------------------------------|---------------------------
OpenSSL     | newer is better (1.0.1 preferred) | (see platform notes below)

For Windows the OpenSSL binary can be found in the Tomcat native libs: http://files.eveoh.nl/tomcat-native-1.1.33-win32-bin.zip

For Linux, OpenSSL is usually already installed; if not, install it with the package manager of your distribution.

Requesting an SSL certificate

First, a Certificate Signing Request (CSR) is generated on the server.

  • Create a file openssl.cnf with the following contents. Replace the values between << >> with appropriate values for your institution.
HOME                            = .
oid_section                     = new_oids
[ new_oids ]
[ req ]
default_days                    = 730
distinguished_name              = req_distinguished_name
encrypt_key                     = no
string_mask                     = nombstr
req_extensions                  = v3_req # Extensions to add to certificate request
[ req_distinguished_name ]
commonName                      = Your nice common name
commonName_default              = <<timetables.eveoh.nl>>
commonName_max                  = 64
countryName                     = Country Name (2 letter code)
countryName_default             = <<NL>>
countryName_min                 = 2
countryName_max                 = 2
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = <<Eveoh>>
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = <<Support>>
[ v3_req ]
subjectAltName                  = <<DNS:timetables.eveoh.nl,DNS:www.timetables.eveoh.nl,DNS:roosters.eveoh.nl,DNS:www.roosters.eveoh.nl>>


  • Open the Command Prompt
  • Generate a private key using openssl. Enter a strong passphrase when prompted and keep it safe: it is needed again every time the key is used, for example when generating the CSR below.
openssl genrsa -des3 -out <path to private key>/private_key.pem 2048


  • Generate a CSR. When openssl prompts for the distinguished name fields, press Enter to accept the defaults that were set in openssl.cnf.
openssl req -new -key <path to private key>/private_key.pem -out <path to CSR>/cert.csr -sha256 -config openssl.cnf


  • Use the CSR to request a certificate from your certificate provider.
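The steps above, as an added example that is not part of the MyTimetable documentation: the script writes a constructed openssl.cnf with the placeholders filled in (example host timetables.example.org, organisation "Example Organisation"), generates the key and CSR non-interactively, and then checks the CSR before it is sent to the certificate provider. The passphrase, host name and working directory are example values; prompt = no and the -passout/-passin options are added so the page's commands run unattended.

```sh
#!/bin/sh
# Added example, not part of the MyTimetable documentation: generate the private key and
# CSR non-interactively from a constructed openssl.cnf, then check the CSR before sending it.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASSPHRASE="${PASSPHRASE:-example-passphrase}"   # constructed; use a strong one of your own
HOSTNAME_CN="timetables.example.org"             # constructed example host name

write_config() {
  # Same layout as the page's openssl.cnf with the << >> placeholders filled in.
  # prompt = no makes openssl take the values from the file instead of asking for them.
  cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
string_mask = nombstr
prompt = no
req_extensions = v3_req
[ req_distinguished_name ]
commonName = $HOSTNAME_CN
countryName = NL
0.organizationName = Example Organisation
organizationalUnitName = Support
[ v3_req ]
subjectAltName = DNS:$HOSTNAME_CN,DNS:www.$HOSTNAME_CN
EOF
}

generate_key_and_csr() {
  write_config
  # The page's two commands, with the passphrase supplied via -passout/-passin so the
  # script runs unattended; interactively, openssl prompts for it instead.
  openssl genrsa -des3 -passout "pass:$PASSPHRASE" -out "$WORKDIR/private_key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/private_key.pem" -passin "pass:$PASSPHRASE" \
    -out "$WORKDIR/cert.csr" -sha256 -config "$WORKDIR/openssl.cnf"
}

csr_subject() {
  # Prints the subject so it can be compared with what the CA is expected to issue
  openssl req -in "$WORKDIR/cert.csr" -noout -subject
}

csr_has_san() {
  # Succeeds when the given DNS name is in the CSR's subjectAltName extension.
  # A CSR missing its SANs is the usual reason a multi-host certificate comes back wrong.
  openssl req -in "$WORKDIR/cert.csr" -noout -text | grep -q "DNS:$1"
}

csr_matches_key() {
  # The CSR must carry the public half of private_key.pem; compare the two public keys
  csr_pub=$(openssl req -in "$WORKDIR/cert.csr" -noout -pubkey)
  key_pub=$(openssl rsa -in "$WORKDIR/private_key.pem" -passin "pass:$PASSPHRASE" -pubout 2>/dev/null)
  [ "$csr_pub" = "$key_pub" ]
}

generate_key_and_csr
csr_subject
csr_has_san "www.$HOSTNAME_CN" && csr_matches_key && echo "CSR ready for submission: $WORKDIR/cert.csr"
```

Run it with sh; the checks at the end are worth repeating on any CSR generated by hand, since a CA issues exactly what the request asks for and a missing SAN or a mismatched key is only noticed once the certificate is installed.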

Convert PEM files to PKCS12

Usually your certificate authority will send you a PEM-encoded certificate, and the files created above are PEM encoded as well. To convert the PEM-encoded files to PKCS12 format, use the following command (replace the filenames where necessary; ca_chain.pem holds the intermediate CA certificates supplied by your provider). You will be asked for the passphrase of the private key and for an export password that protects the resulting .pfx file:

openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -certfile ca_chain.pem -out certificate.pfx

Converting PKCS7 to PEM files

If your certificate is delivered as a .p7b (PKCS7) file, you need to split it into separate certificates first. Run the following command:

openssl pkcs7 -print_certs -in certificate.p7b

If openssl reports that it cannot load the file, the .p7b is most likely DER rather than PEM encoded (common for files exported from Windows); in that case add -inform DER to the command.

This outputs the server certificate and the CA certificates, each preceded by its subject and issuer line so they can be told apart. Save the server certificate in a new file (with a .pem extension) and save the intermediate CA certificates in a separate file; the latter is the ca_chain.pem used in the PKCS12 conversion above.
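Both conversions on this page, worked through as an added example that is not part of the MyTimetable documentation: since no real CA is involved, the script first builds a constructed self-signed CA and a server certificate signed by it (standing in for the files a provider would send), then runs the page's PKCS12 export and the PKCS7 split and checks the results. The host name, passwords, working directory and the DER-encoded .p7b are all example values; -passout/-passin and -inform DER are additions to the page's commands.

```sh
#!/bin/sh
# Added example, not part of the MyTimetable documentation: build a constructed CA and server
# certificate, then exercise the PEM -> PKCS12 and PKCS7 -> PEM conversions with checks.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-export-example}"   # constructed export password for the .pfx
HOSTNAME_CN="timetables.example.org"     # constructed example host name

make_chain() {
  # Constructed self-signed CA standing in for the provider's CA chain, plus a server
  # certificate signed by it. Real deployments receive these files from the CA instead.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca_chain.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOSTNAME_CN" \
    -keyout "$WORKDIR/private_key.pem" -out "$WORKDIR/cert.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/cert.csr" -CA "$WORKDIR/ca_chain.pem" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORKDIR/certificate.pem" 2>/dev/null
  # Check the chain before packaging it: an incomplete chain is the usual cause of browser warnings
  openssl verify -CAfile "$WORKDIR/ca_chain.pem" "$WORKDIR/certificate.pem" >/dev/null
}

export_pkcs12() {
  # The page's command, with the export password supplied non-interactively
  openssl pkcs12 -export -in "$WORKDIR/certificate.pem" -inkey "$WORKDIR/private_key.pem" \
    -certfile "$WORKDIR/ca_chain.pem" -out "$WORKDIR/certificate.pfx" -passout "pass:$PFX_PASS"
}

pfx_cert_count() {
  # Number of certificates inside the .pfx: server certificate plus CA chain (2 here).
  # A count of 1 means -certfile was forgotten and clients will see an incomplete chain.
  openssl pkcs12 -in "$WORKDIR/certificate.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c "BEGIN CERTIFICATE"
}

make_p7b() {
  # Constructed PKCS#7 bundle in DER form, as Windows-based CAs commonly deliver it
  openssl crl2pkcs7 -nocrl -certfile "$WORKDIR/certificate.pem" -certfile "$WORKDIR/ca_chain.pem" \
    -outform DER -out "$WORKDIR/certificate.p7b"
}

split_p7b() {
  # The page's command with -inform DER added (omit it for PEM-encoded .p7b files).
  # A PKCS#7 bundle does not guarantee certificate order, so each certificate is identified
  # by its subject: the one for our host ($1) is the server certificate, the rest form the chain.
  openssl pkcs7 -inform DER -print_certs -in "$WORKDIR/certificate.p7b" \
    | awk -v dir="$WORKDIR" '/BEGIN CERTIFICATE/{n++; f=dir"/p7b_part_"n".pem"; inside=1}
                             inside{print > f} /END CERTIFICATE/{inside=0}'
  : > "$WORKDIR/chain_from_p7b.pem"
  for part in "$WORKDIR"/p7b_part_*.pem; do
    if openssl x509 -in "$part" -noout -subject | grep -q "CN *= *$1"; then
      cp "$part" "$WORKDIR/cert_from_p7b.pem"
    else
      cat "$part" >> "$WORKDIR/chain_from_p7b.pem"
    fi
  done
}

fingerprint() {
  # SHA-256 fingerprint, used to confirm a split-out certificate is the one we started with
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_chain
export_pkcs12
echo "certificates in pfx: $(pfx_cert_count)"
make_p7b
split_p7b "$HOSTNAME_CN"
echo "server certificate from p7b: $(fingerprint "$WORKDIR/cert_from_p7b.pem")"
```

The split deliberately selects the server certificate by subject rather than by position in the output, and the fingerprint comparison is the same check to run on a real .p7b: the certificate you save as certificate.pem must match what the CA issued for your host, and everything else belongs in ca_chain.pem.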

Checking the SSL certificate

With MyTimetable published to the internet, it might be a good idea to test the SSL configuration of the server.

Please visit https://www.ssllabs.com/ssltest/ to perform a deep analysis of the SSL configuration.