1) Truststore: used to verify that a client is operating legitimately on behalf of a specified user.
2) Keystore: used to provide clients with "proof" that a server is operating legitimately based on a specified domain.
To use Servoy together with SSL, the basic steps are:
1: Create a keystore with a signed and trusted certificate
- Create a keystore using the command line utility "Keytool".
- Create a "Certificate Signing Request" (CSR)
- Authenticate the CSR, for example with "instantSSL".
- Import the signed certificate (+ any required intermediate certificate) into your keystore.
Detailed description:
1) Create a keystore with a signed and trusted certificate.
a) First create a keystore using the command line utility "Keytool". Enter the command:
keytool -genkey -alias sslkey -keyalg RSA -keystore servoy.ks -validity 360
NOTE: keytool is a command-line tool that ships with your Java SDK (JDK)
NOTE: you can make the alias (sslkey) whatever you want, but it's important to remember for later steps
NOTE: you can call the keystore file (servoy.ks) whatever you want
NOTE: you can make the validity (in days) whatever you want
c) Now keytool asks for your first and last name. Enter the Fully Qualified Domain Name of the host that Servoy Server is running on. For example: www.mycompany.com
d) Fill in something relevant for the rest of the fields.
e) Enter the password for this key. Use the same password as in step a. You can also just press return (the same password will be used automatically then).
f) Next create a "Certificate Signing Request" (CSR) using the following command:
keytool -certreq -alias sslkey -file servoy.csr -keystore servoy.ks
g) MAKE A BACKUP COPY OF THE KEYSTORE AND CSR FILES. IF YOU LOSE THEM OR ACCIDENTALLY DESTROY THEM YOU WILL HAVE PAID FOR NOTHING
The next step is to have the CSR authenticated (signed) by a Certificate Authority. This can be done with any third party you like. This example uses http://www.instantssl.com
h) Browse to http://www.instantssl.com
i1) Click the Instant SSL button (top right, under Free SSL), or click Free SSL to test all this first before paying for it.
i2) If you chose Instant SSL, select your duration (1, 2, or 3 years)
NOTE: Make sure the validity is shorter than the validity you chose when creating the keystore, otherwise you are paying for more than you will get!!!
k) Select OTHER for the software used to generate it.
l) Deselect all the checks of step 4 on the web page (newsletters and other stuff).
m) Fill in the rest and follow the instructions (corporate details, etc.).
After completing all the steps, you will receive an email from InstantSSL with all the required info to continue.
When you have received the information from your SSL supplier, you need to import the signed certificate (+ any required intermediate certificate) into your keystore.
n) Import the signed .crt file which you received from Instant SSL into your keystore, using the following command:
keytool -import -alias sslkey -keystore servoy.ks -trustcacerts -file servoy.crt
o) Type the correct password and trust the certificate.
After this command, keytool sometimes throws an error saying that a chain of trust could not be established for the given certificate reply. This error appears when the reply is in the form of a chain of certificates (PKCS#7 format). keytool needs to "read" this chain from the first parent of the certificate reply up to the CA root (which will be trusted or not, depending on the presence of this CA root in the cacerts file and on the "-trustcacerts" argument). A fix that always works:
a) Note all the "parents" of the response certificate in order (from the first parent to the CA root). On Windows you can see them by opening the .crt file (e.g. servoy.crt) and looking at the certification path (a "tree" with all the "parents").
b) Open the certificate in an editor; let's call it the target certificate.
c) For each parent in the parents list (taken from the "first" parent up to the CA root):
* add its content at the _beginning_ of the target certificate's file; the content runs from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (new lines are allowed between the certificates' contents)
d) Run the command again: keytool -import -alias sslkey -keystore servoy.ks -trustcacerts -file servoy.crt
NOTE: each certificate is viewable as Base64-encoded text (PEM)
NOTE: this is needed to make the certificate file conform to the PKCS#7 format. It can also be done in other ways, e.g. by adding the CA root into the keystore with the keytool command, but that does not always work, and when it does the result is the same as with the solution described above.
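As an added example (not from the original post and not Servoy's or keytool's own code), this Python script does the assembling from the fix above automatically: it reads a bundle containing the reply certificate and its parents in any order, follows issuer-to-subject links to order them from the server certificate up to the CA root, and fails loudly when a parent is missing, which is exactly the situation that produces keytool's chain-of-trust error. The certificates it builds for the demonstration are constructed, unsigned stand-ins with only issuer and subject filled in; it is assumed that the reply and its parents are available as PEM text, and keytool matches certificates by issuer and subject rather than by file position, so a file with every link present imports whichever way round it is written.

```python
import base64, re
def der(tag, body):  # DER TLV; one-byte long-form length is enough for the sample sizes used here
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, cn.encode()))))
def fake_cert(subject, issuer):  # constructed and unsigned: only issuer/subject are meaningful
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = der(0x30, der(0x02, b"\x01") + alg + name(issuer)
              + der(0x30, der(0x17, b"240101000000Z") * 2) + name(subject))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))  # Certificate ::= SEQUENCE { tbs, alg, sig }
def pem(cert):  # the Base64 block form that keytool reads from a .crt file
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
def tlv(buf, p):  # decode one DER tag and length; returns (tag, value_start, value_end)
    tag, n, p = buf[p], buf[p + 1], p + 2
    if n & 0x80:  # long-form length: low bits give the number of length bytes
        n, p = int.from_bytes(buf[p:p + (n & 0x7F)], "big"), p + (n & 0x7F)
    return tag, p, p + n
def issuer_subject(cert):  # walk TBSCertificate; returns (issuer Name DER, subject Name DER)
    _, p, _ = tlv(cert, 0)
    _, p, end = tlv(cert, p)
    fields = []
    while p < end:
        fields.append(cert[p:tlv(cert, p)[2]])
        p += len(fields[-1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip the optional [0] version
    return fields[2], fields[4]

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def order_chain(bundle):  # leaf -> intermediates -> root, linking each issuer to a subject
    certs = [base64.b64decode(m) for m in PEM.findall(bundle)]
    meta = {c: issuer_subject(c) for c in certs}
    issued = {iss for iss, _ in meta.values()}
    chain = [c for c in certs if meta[c][1] not in issued]  # the one cert that issued nothing
    if len(chain) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(chain))
    while meta[chain[-1]][0] != meta[chain[-1]][1]:  # stop at the self-signed root
        parent = next((c for c in certs if meta[c][1] == meta[chain[-1]][0]), None)
        if parent is None:
            raise ValueError("chain of trust broken: no certificate for the issuer of the last link")
        chain.append(parent)
    return chain
def reply_file(bundle):  # text to save as servoy.crt before running keytool -import again
    return "".join(pem(c) for c in order_chain(bundle))

# constructed sample: leaf, intermediate and self-signed root pasted in no particular order
LEAF = fake_cert("www.mycompany.com", "Example Intermediate CA")
MID = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
SAMPLE = pem(ROOT) + pem(LEAF) + pem(MID)
```

Feed reply_file() the contents of servoy.crt plus the parent certificates from the CA and write the result back before re-running the import; a ValueError means a parent certificate still has to be fetched from the CA.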
2) Add the signed and trusted keystore to Servoy Server.
Copy this keystore file (servoy.ks) to a location on the machine which runs Servoy Server. In the admin pages select Network Settings, and fill in the correct location for the SSLKeystorePath and the correct password for the SSLKeystorePassword.
Restart the server.
NOTE:
YOUR KEYSTORE CONTAINS VERY SENSITIVE INFORMATION!! IF THIS INFORMATION IS COMPROMISED PEOPLE CAN DO ALL KINDS OF NASTY STUFF SUCH AS LISTEN IN ON AND MODIFY YOUR SUPPOSEDLY ENCRYPTED INFORMATION. IF YOU EVEN FIND OUT THAT THIS HAS HAPPENED (WHICH IS A BEST CASE SCENARIO) YOU WILL HAVE TO REVOKE THE CERTIFICATE AND PURCHASE A NEW ONE.
IF YOU LOSE OR ACCIDENTALLY DESTROY YOUR KEYSTORE, YOU WILL ALSO HAVE TO PURCHASE A NEW CERTIFICATE. MAKE PROPER BACKUPS AT ALL TIMES AND MAKE SURE ONLY AUTHORIZED PERSONNEL HAVE ACCESS TO THESE BACKUPS!!