HOW TO: Set up SSL with a certificate from Verisign


Post by adamk » Tue Jun 17, 2008 7:05 pm

These instructions are for setting up SSL using a security certificate obtained from Verisign, but they should work with certificates obtained from other certificate authorities as well.
These instructions are a more thorough variation of instructions found elsewhere.


1. At a command prompt, browse to the directory containing keytool.exe, usually C:\Program Files\Java\jre1.5.0_14\bin

2. Create a Certificate Signing Request (CSR) using keytool. Enter the command:
keytool -genkey -alias sslkey -keyalg RSA -keystore servoy.ks -validity 360

NOTE: keytool is a commandline tool that ships with your Java SDK and JRE
NOTE: you can make the alias (sslkey) whatever you want
NOTE: you can call the keystore file (servoy.ks) whatever you want
NOTE: you can make the validity (in days) whatever you want

a) Enter a keystore password (whatever you want)
b) Now keytool asks for your first and last name. Enter the Fully Qualified Domain Name of the host that Servoy Server is running on. For example: www.mycompany.com
c) Fill in something relevant for the rest of the fields. Spell out the state name, don't use an abbreviation.
d) Enter the password for this key.
USE THE SAME PASSWORD AS IN STEP a!!! In other words, JUST PRESS RETURN.

Enter the command:
keytool -certreq -alias sslkey -keyalg RSA -file servoy.csr -keystore servoy.ks

e) MAKE A BACKUP COPY OF THESE FILES. IF YOU LOSE THEM OR ACCIDENTALLY DESTROY THEM YOU WILL HAVE PAID FOR NOTHING!!!

3. Browse to http://www.verisign.com/ssl/buy-ssl-certificates/

Scroll down to Secure Site. Click Buy or Renew, whichever you are doing. Select the length of time for the validity of the certificate. Follow the rest of the on screen instructions.
(MAKE SURE THIS VALIDITY IS SHORTER THAN THE VALIDITY YOU CHOSE ABOVE, OTHERWISE YOU ARE PAYING FOR MORE THAN YOU WILL GET!!!)

Fill in the stuff and follow the instructions (corporate details, etc, etc).
Copy the contents of the servoy.csr file into the form where it says to copy your CSR to. Select "Server not listed" for the software used to generate it. Deselect all the newsletters and other irritating stuff.

4. You will receive an email from Verisign containing the text of your signed certificate file. Create a file called servoy.crt and copy the text of the cert from the email into this file.

5. Download the Verisign Root CA Certificate here:
https://knowledge.verisign.com/resource ... 202028.cer
You will probably want to rename the file to something shorter, like rootca.cer.

6. Import the Verisign Root CA Certificate into your keystore:
keytool -import -alias root -keystore servoy.ks -trustcacerts -file rootca.cer

Note: Choose 'Yes' if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <verisignclass3ca> Do you still want to add it to your own keystore? [no]:"
Note: You will get a confirmation stating that the "Certificate was added to keystore"

7. Import the Verisign Intermediate CA Certificate into your keystore:
keytool -import -alias intermediate -keystore servoy.ks -trustcacerts -file intermediateca.cer

Note: You will get a confirmation stating that the "Certificate was added to keystore"

8. Import the signed .crt file which you received from Verisign into your keystore:
keytool -import -alias sslkey -keystore servoy.ks -trustcacerts -file servoy.crt

Type the correct password and trust the certificate.

Note: You will get a different confirmation stating that the "Certificate reply was installed in keystore"

Note: Everything imported into a keystore must have a unique alias except the signed .crt file you got from Verisign. That must have the same alias as the one you originally created the keystore file with, in this case 'sslkey'.

9. Copy your keystore file (servoy.ks) to ...servoy_directory\server\conf\ on the machine that runs Servoy Server.

10. Edit server.xml (also in ...servoy_directory\server\conf\). Add the text:

<Connector port="443"
protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="sslkey"
keystoreFile="...servoy_directory\server\conf\servoy.ks" keystorePass="your_keystore_password" />

Note: Replace the path shown above with the actual absolute path of where you placed the keystore file and replace your_keystore_password with the password of your keystore file. Keep all the quotes as shown above.
Note: There will be a similar block of text for port 80 already in server.xml. Place this new text after it.

11. Log in to the Servoy admin page. Select Network Settings, and fill in the absolute path for the SSLKeystorePath and the correct password for the SSLKeystorePassword.

12. Restart Servoy.

13. Edit your HTML files. Edit the links to the pages that you want to be secure by changing http://... to https://... Conversely, when going from secure to non-secure pages, the links must specify http://..., not https://...

NOTE:

YOUR KEYSTORE CONTAINS VERY SENSITIVE INFORMATION!! IF THIS INFORMATION IS COMPROMISED PEOPLE CAN DO ALL KINDS OF NASTY STUFF SUCH AS LISTEN IN ON AND MODIFY YOUR SUPPOSEDLY ENCRYPTED INFORMATION. IF YOU EVEN FIND OUT THAT THIS HAS HAPPENED (WHICH IS A BEST CASE SCENARIO) YOU WILL HAVE TO REVOKE THE CERTIFICATE AND PURCHASE A NEW ONE.

IF YOU LOSE OR ACCIDENTALLY DESTROY YOUR KEYSTORE, YOU WILL ALSO HAVE TO PURCHASE A NEW CERTIFICATE. MAKE PROPER BACKUPS AT ALL TIMES AND MAKE SURE ONLY AUTHORIZED PERSONNEL HAS ACCESS TO THESE BACKUPS!!
adamk
 
Posts: 35
Joined: Sat Jun 30, 2007 2:33 am
Location: Lynnfield, MA
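
A check to run after step 8, as an added example that is not part of the original post: it parses the text printed by `keytool -list -v -keystore servoy.ks` and confirms that the `sslkey` alias still holds the private key, carries a CA-issued chain instead of the self-signed certificate from step 2, and has the host name as its CN. The sample listing is constructed and abridged, and the field labels and entry-type names assume keytool's English-locale output.

```python
import re
# Constructed, abridged output of `keytool -list -v -keystore servoy.ks`.
SAMPLE = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: sslkey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.mycompany.com, O=My Company, ST=Massachusetts, C=US
Issuer: CN=Example Intermediate CA
"""

def _field(block, label):
    m = re.search(r"(?m)^%s: (.*)$" % re.escape(label), block)
    return m.group(1).strip() if m else None

def parse_entries(listing):
    """Map each alias to the fields of its first listed certificate."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip()
        entries[alias] = {
            "type": _field(block, "Entry type"),
            "chain": int(_field(block, "Certificate chain length") or 0),
            "owner": _field(block, "Owner"), "issuer": _field(block, "Issuer"),
        }
    return entries

def check_keystore(listing, key_alias="sslkey", host="www.mycompany.com"):
    """Return a list of problems; an empty list means steps 2-8 took effect."""
    entry = parse_entries(listing).get(key_alias)
    if entry is None:
        return ["alias %r not found" % key_alias]
    problems = []
    if entry["type"] not in ("PrivateKeyEntry", "keyEntry"):  # assumed: old JREs print keyEntry
        problems.append("no private key under %r: reply imported under a "
                        "new alias or into a different keystore" % key_alias)
    if entry["chain"] < 2 or entry["owner"] == entry["issuer"]:
        problems.append("still self-signed: CA reply not installed (step 8)")
    cn = re.search(r"CN=([^,]+)", entry["owner"] or "")
    if not cn or cn.group(1).strip().lower() != host.lower():
        problems.append("CN does not match %s (step 2b)" % host)
    return problems

if __name__ == "__main__":
    print(check_keystore(SAMPLE) or "keystore looks complete")
```

To use it on a real keystore, redirect the keytool listing to a text file and pass that file's contents to `check_keystore` together with your own alias and host name.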
