Tomcat: How to use a self-signed SAN supported certificate via OpenSSL
The instructions below were tested on OS X and should work equally on any system with OpenSSL. From Chrome 58 onwards only the SAN (subjectAltName) extension is used to match the hostname against the site certificate; earlier versions fell back to the commonName.
If the certificate doesn’t have the correct subjectAltName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error telling them that the connection isn’t private.
The instructions below create the key and PEM file in three steps (write the OpenSSL configuration, generate the key and certificate, configure Tomcat) and then trust the certificate in the OS X Keychain. No Java keystore is involved: Tomcat reads the PEM files directly.
Create the OpenSSL configuration
Adjust the following to your liking, especially the “req_distinguished_name” and “alt_names” sections. Hostnames go in DNS.n entries; an address such as 127.0.0.1 must be an IP.n entry, because browsers match an IP literal only against iPAddress SAN entries, never against dNSName entries:
cat << EOL > localhost.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C=ZA
ST=Gauteng
L=Johannesburg
O=My Organisation
OU=My Organisational Unit
CN=www.localhost.co.za

[v3_req]
# keyEncipherment covers RSA key exchange; keyAgreement is for DH/ECDH keys, not RSA
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = localhost.co.za
DNS.4 = www.localhost.co.za
DNS.5 = m.localhost.co.za
# an address must be an IP entry, not a DNS entry
IP.1 = 127.0.0.1
EOL
Generate the key and PEM file
Generate both files via OpenSSL:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout localhost.key -out localhost.pem -config localhost.conf
-nodes writes localhost.key unencrypted, so keep it readable only by the user Tomcat runs as (chmod 600 localhost.key). Apple caps the validity of TLS server certificates it will trust at 825 days from macOS 10.15 onwards, so if a newer macOS rejects the certificate, regenerate it with -days 825 or less.
Configure Tomcat server.xml
Copy both files to a directory outside the web root, for example “${catalina.home}/conf/”, and adjust server.xml. Do not put them under webapps/: everything there is served to clients, so a key in webapps/ROOT/ would be downloadable as https://www.localhost.co.za:8443/localhost.key. The SSLHostConfig syntax below requires Tomcat 8.5 or later:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeyFile="${catalina.home}/conf/localhost.key"
                     certificateFile="${catalina.home}/conf/localhost.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Whitelist the certificate in OS X Keychain
With Tomcat running, and www.localhost.co.za resolving to the Tomcat host (an /etc/hosts entry pointing it at 127.0.0.1 will do), run the following to fetch the served certificate and add it to the System keychain as a trusted root:
echo -n | openssl s_client -connect www.localhost.co.za:8443 -servername www.localhost.co.za \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | tee "/tmp/www.localhost.co.za.cert"
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/tmp/www.localhost.co.za.cert"
rm -v "/tmp/www.localhost.co.za.cert"
Before running the add-trusted-cert line, compare the fetched certificate with localhost.pem (for example the output of openssl x509 -noout -fingerprint -sha256 on both files): trustRoot makes whatever is in that file a trusted root for every user on the machine, so only the certificate you generated should end up there. Remove it from Keychain Access once it is no longer needed.
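The generation step and a SAN check, as an added example that is not part of the original post. It writes the configuration from the first step, generates the key and certificate, and then uses openssl x509 -checkhost and -checkip, which apply the same SAN-only matching browsers use, to confirm which names the certificate covers. It builds two variants so the difference between putting 127.0.0.1 in a DNS entry and in an IP entry is visible. The working directory, the file names orig/fixed, the 825-day validity and the constructed alt_names blocks are the example's own choices.

```shell
#!/bin/sh
# Added example: build the certificate from the post's config and verify its SANs
# with openssl's own hostname/IP matching. Paths and names are the example's own.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write an OpenSSL request config to $1 with the [alt_names] block passed in $2.
# Everything except alt_names mirrors the post's localhost.conf.
write_conf() {
  cat > "$1" <<EOL
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = ZA
ST = Gauteng
L = Johannesburg
O = My Organisation
OU = My Organisational Unit
CN = www.localhost.co.za

[v3_req]
# keyEncipherment is the RSA key-exchange usage; keyAgreement applies to DH/ECDH keys
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
$2
EOL
}

# Generate $1.key and $1.pem (self-signed, 825 days: Apple's cap for trusted
# TLS server certificates) from the alt_names block in $2.
generate() {
  write_conf "$1.conf" "$2"
  openssl req -x509 -nodes -days 825 -newkey rsa:2048 -sha256 \
    -keyout "$1.key" -out "$1.pem" -config "$1.conf" 2>/dev/null
  chmod 600 "$1.key"   # -nodes leaves the key unencrypted; restrict it to the owner
}

# Hostname matching the way browsers do it since Chrome 58: a DNS name is compared
# against dNSName entries only, an IP literal against iPAddress entries only.
# Both return 0 on a match. "openssl x509" prints the verdict instead of setting
# an exit status, so grep for the positive form ("does NOT match" does not match it).
matches_host() {
  openssl x509 -in "$1.pem" -noout -checkhost "$2" | grep -q 'does match'
}
matches_ip() {
  openssl x509 -in "$1.pem" -noout -checkip "$2" | grep -q 'does match'
}

# The SAN line of a certificate, for eyeballing.
san_of() {
  openssl x509 -in "$1.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Variant 1 (constructed): the post's original alt_names, 127.0.0.1 as a DNS entry.
ORIG_ALT='DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = 127.0.0.1
DNS.4 = localhost.co.za
DNS.5 = www.localhost.co.za
DNS.6 = m.localhost.co.za'

# Variant 2 (constructed): the same names with the loopback address as an IP entry.
FIXED_ALT='DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = localhost.co.za
DNS.4 = www.localhost.co.za
DNS.5 = m.localhost.co.za
IP.1 = 127.0.0.1'

generate "$WORK/orig"  "$ORIG_ALT"
generate "$WORK/fixed" "$FIXED_ALT"

echo "original  SAN: $(san_of "$WORK/orig")"
echo "corrected SAN: $(san_of "$WORK/fixed")"
for c in orig fixed; do
  for h in www.localhost.co.za m.localhost.co.za evil.example.com; do
    if matches_host "$WORK/$c" "$h"; then r=match; else r="NO match"; fi
    echo "$c: host $h -> $r"
  done
  if matches_ip "$WORK/$c" 127.0.0.1; then r=match; else r="NO match"; fi
  echo "$c: ip 127.0.0.1 -> $r"
done
```

Both certificates match the DNS names and reject evil.example.com, but only the corrected one matches 127.0.0.1 as an IP: the original's DNS.3 entry is a dNSName whose text happens to look like an address, and an IP check never consults dNSName entries. The same -checkhost/-checkip run against localhost.pem from the post is a quick way to confirm a certificate before trusting it in the Keychain.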