Prepare a server certificate for HTTPS

A number of ImageMaster web services are only accessible via HTTPS. To offer HTTPS, the server needs a certificate, together with the matching private key, with which it identifies itself to connecting clients.

Generating a self-signed certificate

The following steps explain how to generate a self-signed certificate. Clients cannot validate such a certificate against a trusted certificate authority, so browsers show a warning unless the certificate is explicitly trusted; for production use, obtain a certificate from a public or organisational certificate issuer instead. For related information see: Certificate infrastructure.

  1. Start the creation of the key pair and the self-signed certificate with keytool using the following command (the example uses the widely used RSA algorithm; -genkey is the older name of -genkeypair and still works):

    keytool -genkey -alias jboss -keyalg RSA -keystore keystore.p12 -storetype PKCS12

    As with any certificate generation, you are asked for some input that you can choose freely:

    • a new keystore password

    • first and last name (enter the host name under which clients reach the server; it becomes the CN of the certificate)

    • name of your organization unit

    • name of your organization

    • name of your city or locality

    • name of your state or province

    • two-letter country code

  2. When you have entered the above data, confirm that it is correct.

    The key pair and the certificate are now generated and stored in the file “keystore.p12”; the keystore password you entered also protects the key. Next the keystore must be declared in the application server configuration.

    Current browsers match the server's host name against the Subject Alternative Name extension rather than against the CN. keytool adds this extension when the command above is given the additional option -ext SAN=dns:<hostname>, with the server's host name in place of <hostname>.

Alternative: Install an available certificate

As an alternative, if you already have a certificate available, you can provide it in the form of a keystore. The keystore must fulfill these requirements:

  • It must have the keystore type JKS or PKCS12.

  • It must contain only one entry with these characteristics:

    • The entry must be of the type “private key”.

    • The certificate chain required by your environment must be included.

  • If JKS is used, the private-key entry may additionally be protected by its own key password. If so, the keystore password and the key password must be the same.

You can verify the keystore using the following command (replace keystore.p12 by the name of your keystore file; the command works for JKS files as well):

keytool -list -v -keystore keystore.p12

The output should list:

  • one of the supported keystore types:

    Keystore type: PKCS12

    Keystore type: JKS

  • the number of entries with 1 entry:

    Your keystore contains 1 entry

  • the type of the entry as private key:

    Entry type: PrivateKeyEntry

keytool asks for the keystore password but not for the key password, and it does not verify the key password. A JKS key password that differs from the keystore password is therefore not detected by this check.

Exemplary instructions on how to prepare a keystore

In this example the free tool “OpenSSL” is used to create the keystore. The following input files are required, all of which must be in PEM format:

  • private_key.pem – file containing the server's private key (it may be protected by a pass phrase)

  • cert.pem – file containing the certificate issued for the server, i.e. for the public key that belongs to private_key.pem

  • intermediate_cert.pem – file containing the certificate of the CA that signed cert.pem (if your issuer uses more than one intermediate CA, one file per intermediate, in signing order)

  • root_cert.pem – file containing the certificate of the root CA that signed the intermediate certificate

Follow these steps to create the keystore with the name “keystore.p12”:

  1. Build the certificate chain, server certificate first, followed by the intermediate certificate(s), then the root:

    cat cert.pem intermediate_cert.pem root_cert.pem > all_certs.pem

  2. Convert the private key and certificate files into a PKCS12 keystore:

    • The string “changeit” is the keystore password of the new keystore (keystore.p12). It is the well-known Java default, so replace it with a password of your own. With OpenSSL the same password also protects the private key inside the keystore, which satisfies the requirement above that key password and keystore password match.

    openssl pkcs12 -export -out keystore.p12 -in all_certs.pem -inkey private_key.pem -passout "pass:changeit"

    • If access to the private key (in the file private_key.pem) is protected, you will also be asked to enter the pass phrase after executing the above command:

    Enter pass phrase for private_key.pem:
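The whole procedure end to end, as an added example that is not part of the ImageMaster documentation: the script creates a throwaway root and intermediate CA with OpenSSL so that it runs offline, issues a server certificate with a Subject Alternative Name, performs the two steps above to build keystore.p12, and then checks the keystore with OpenSSL instead of keytool (so no JDK is needed): exactly one private key, the three certificates of the chain, the expected SAN, and a chain that validates up to the root. The host name imagemaster.example.test, the subject names, the alias jboss and the password changeit are constructed for the example; in practice you replace the generated files with the files from your issuer.

```shell
#!/bin/sh
# Added example, not from the ImageMaster documentation: build a throwaway
# root -> intermediate -> server chain, package the server key and chain into
# keystore.p12 as in steps 1 and 2, then verify the keystore with OpenSSL.
# Host name, subject names, alias and password are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory; override with WORK=/some/dir
STOREPASS="changeit"              # keystore password (the page's example value)
HOST="imagemaster.example.test"   # constructed server host name
ALIAS="jboss"                     # friendlyName of the entry, shown by keytool as the alias

# Create root CA, intermediate CA and server key/certificate. The CA and server
# extensions are written explicitly so the result does not depend on openssl.cnf.
make_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > server.ext
  # root CA: self-signed
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout root_key.pem -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root_key.pem -days 30 -extfile ca.ext \
      -out root_cert.pem 2>/dev/null
  # intermediate CA: signed by the root
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
      -keyout intermediate_key.pem -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root_cert.pem -CAkey root_key.pem -CAcreateserial \
      -days 30 -extfile ca.ext -out intermediate_cert.pem 2>/dev/null
  # server certificate: signed by the intermediate; clients match the host name against the SAN
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
      -keyout private_key.pem -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediate_cert.pem -CAkey intermediate_key.pem -CAcreateserial \
      -days 30 -extfile server.ext -out cert.pem 2>/dev/null
}

# Steps 1 and 2 from the page: chain file, then PKCS12 export with one password for key and store.
build_keystore() {
  cd "$WORK"
  cat cert.pem intermediate_cert.pem root_cert.pem > all_certs.pem
  openssl pkcs12 -export -out keystore.p12 -in all_certs.pem -inkey private_key.pem \
      -name "$ALIAS" -passout "pass:$STOREPASS"
}

# Checks corresponding to the keytool -list output: exactly one private key ...
count_private_keys() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$STOREPASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}
# ... with the full chain (server + intermediate + root = 3 certificates) ...
count_certificates() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$STOREPASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}
# ... whose server certificate (the one paired with the key) names the host clients connect to.
keystore_san_matches_host() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$STOREPASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text | grep -q "DNS:$HOST"
}
# The chain must validate from the server certificate up to the root.
verify_chain() {
  openssl verify -CAfile "$WORK/root_cert.pem" -untrusted "$WORK/intermediate_cert.pem" \
      "$WORK/cert.pem" >/dev/null
}

# Run the whole procedure.
make_chain
build_keystore
verify_chain
printf 'keystore: %s\nprivate keys: %s\ncertificates: %s\n' \
    "$WORK/keystore.p12" "$(count_private_keys)" "$(count_certificates)"
keystore_san_matches_host && echo "server certificate SAN matches $HOST"
```

With openssl pkcs12 -export the single password given by -passout protects both the key and the keystore, so the rule above for JKS files (key password equal to keystore password) is met automatically. OpenSSL 3 encrypts the keystore with AES by default; if the application server runs on an old JDK that cannot read such files, add -legacy to the export command so that OpenSSL falls back to the older algorithms.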