Setting up a Certificate Authority (CA) for use with Tomcat and BanditIdP

The BanditIdP web application requires that the application server uses SSL. Furthermore, Windows CardSpace requires that the InfoCards it uses are signed by the same certificate that the issuer's web site is using for SSL traffic.

In production, you would be buying a commercial EV SSL certificate signed with a root certificate already trusted by Internet Explorer and Windows CardSpace, from such CAs as Entrust (~$500/year), Thawte (~$900/year), or VeriSign (~$1500/year).

For development purposes, I set up my own CA for signing server certificates. I then signed a server certificate for an Apache Tomcat 5.5 installation, and imported the root certificate on my Windows system (so that Internet Explorer and Windows CardSpace would trust the server certificate I had signed).

The process I used was based on instructions from HOWTO: Creating your own CA with OpenSSL by Pheng Siong Ng and The Apache Tomcat 5.5 Servlet/JSP Container SSL Configuration HOW-TO.

Generate the Root Certificate

  1. Make sure Perl and OpenSSL are installed.
  2. Create a new directory to perform your CA work. I'll call this directory demo.
    mkdir demo
    cd demo
  3. Copy CA.pl and openssl.cfg from the OpenSSL distribution to the demo directory.
    copy "C:\OpenSSL\bin\CA.pl" .
    copy "C:\OpenSSL\bin\openssl.cfg" .
  4. Use CA.pl to create a new certificate which will be used as the "Trusted Root Certificate" for your new CA. CA.pl takes its defaults from openssl.cfg; the build used here produced a 1024-bit RSA key with SHA-1 signatures (see the transcript), which current browsers no longer accept, so raise default_bits to 2048 and set default_md = sha256 in openssl.cfg before running it if the certificates need to outlive a throwaway development box.
    perl CA.pl -newca
    CA certificate filename (or enter to create) <enter>
    
    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ..........................++++++
    ....................++++++
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase: abracadabra
    Verifying - Enter PEM pass phrase: abracadabra
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Virginia
    Locality Name (eg, city) []:Herndon
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company, Inc.
    Organizational Unit Name (eg, section) []:Development Division
    Common Name (eg, YOUR name) []:Development Root Certificate
    Email Address []:gene.gotimer@commandinformation.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:<enter>
    An optional company name []:<enter>
    Using configuration from C:\OpenSSL\bin\openssl.cfg
    Enter pass phrase for ./demoCA/private/cakey.pem:abracadabra
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                b4:1e:6b:6d:5f:d5:b5:62
            Validity
                Not Before: Sep 17 19:13:04 2008 GMT
                Not After : Sep 17 19:13:04 2011 GMT
            Subject:
                countryName               = US
                stateOrProvinceName       = Virginia
                organizationName          = My Company, Inc.
                organizationalUnitName    = Development Division
                commonName                = Development Root Certificate
                emailAddress              = gene.gotimer@commandinformation.com
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    1A:CD:47:CE:D9:8A:84:02:50:87:F6:E0:07:6C:2C:12:26:3F:20:A1
                X509v3 Authority Key Identifier:
                    keyid:1A:CD:47:CE:D9:8A:84:02:50:87:F6:E0:07:6C:2C:12:26:3F:20:A1
                    DirName:/C=US/ST=Virginia/O=My Company, Inc./OU=Development Division/CN=Development Root Certificate/emailAddress=gene.gotimer@commandinformation.com
                    serial:B4:1E:6B:6D:5F:D5:B5:62
    
                X509v3 Basic Constraints:
                    CA:TRUE
    Certificate is to be certified until Sep 17 19:13:04 2011 GMT (1095 days)
    
    Write out database with 1 new entries
    Data Base Updated
    This creates a demoCA directory containing the CA's new self-signed root certificate at demoCA/cacert.pem and the CA private key at demoCA/private/cakey.pem, encrypted with the pass phrase entered above. Anyone holding that key and pass phrase can issue certificates every machine trusting this root will accept, so keep it off the Tomcat box.
    At this point, the CA is set up, but the Windows box(es) that will be using the certificates signed by the CA are not going to recognize them.
  5. Make a copy of the new self-signed root certificate for editing, and change the file extension to .cer so that Windows will recognize it as a certificate file. cacert.pem begins with a human-readable dump of the certificate, which older versions of Java's keytool cannot skip, so edit the copy to remove everything before the -----BEGIN CERTIFICATE----- line.
    cd demoCA
    copy cacert.pem cacert.cer
    vim cacert.cer

    -----BEGIN CERTIFICATE-----
    MIIECjCCA3OgAwIBAgIJALQea21f1bViMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
    VQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExGTAXBgNVBAoTEE15IENvbXBhbnks
    IEluYy4xHTAbBgNVBAsTFERldmVsb3BtZW50IERpdmlzaW9uMSUwIwYDVQQDExxE
    ZXZlbG9wbWVudCBSb290IENlcnRpZmljYXRlMTIwMAYJKoZIhvcNAQkBFiNnZW5l
    LmdvdGltZXJAY29tbWFuZGluZm9ybWF0aW9uLmNvbTAeFw0wODA5MTcxOTEzMDRa
    Fw0xMTA5MTcxOTEzMDRaMIG1MQswCQYDVQQGEwJVUzERMA8GA1UECBMIVmlyZ2lu
    aWExGTAXBgNVBAoTEE15IENvbXBhbnksIEluYy4xHTAbBgNVBAsTFERldmVsb3Bt
    ZW50IERpdmlzaW9uMSUwIwYDVQQDExxEZXZlbG9wbWVudCBSb290IENlcnRpZmlj
    YXRlMTIwMAYJKoZIhvcNAQkBFiNnZW5lLmdvdGltZXJAY29tbWFuZGluZm9ybWF0
    aW9uLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1j8p9aLAnia+jAJa
    8a3f809Q/vgvszOfDM763NAPhgsEYANBS8/07NI6YAFTzovQ/vWN4Zt3sJ0UA3ht
    qnmQk8Mc/5cpuqeK6RorirbnmBl2cGSw+GfcTX3pBuJNBcpngFSVkxFQHVx3Kqg5
    5EbHWaqAB1G5IYSI2jWfzOqxvPkCAwEAAaOCAR4wggEaMB0GA1UdDgQWBBQazUfO
    2YqEAlCH9uAHbCwSJj8goTCB6gYDVR0jBIHiMIHfgBQazUfO2YqEAlCH9uAHbCwS
    Jj8goaGBu6SBuDCBtTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRkw
    FwYDVQQKExBNeSBDb21wYW55LCBJbmMuMR0wGwYDVQQLExREZXZlbG9wbWVudCBE
    aXZpc2lvbjElMCMGA1UEAxMcRGV2ZWxvcG1lbnQgUm9vdCBDZXJ0aWZpY2F0ZTEy
    MDAGCSqGSIb3DQEJARYjZ2VuZS5nb3RpbWVyQGNvbW1hbmRpbmZvcm1hdGlvbi5j
    b22CCQC0HmttX9W1YjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAMEG
    cSVwOmHgvlq1vhXqsJIofA4Cy6UHFoQIDSQRzJxiy3MGwlajymLNm/bTYY0I0w1j
    RjQc86qwarduQCxBmqxfX7NwJsAkV5uyysQvZKynOAekC0TAeqezyIAalv/H3XWY
    cRV9JeyBGWMAsS03G6bLjLpCHnLv5XRU/QMVibC/
    -----END CERTIFICATE-----
    
  6. Import the new root certificate into Windows. Repeat this on each computer that will use the InfoCards or connect to the Tomcat instance. Because the root goes into the Local Computer store, every user and process on that machine will trust anything this CA signs; remove it from the store when development is finished.
    1. Open the Start menu
    2. Choose Run...
    3. Type mmc, press OK
    4. Open the File menu, choose Add/Remove Snap-in...
    5. At the bottom of the dialog, choose Add...
    6. Choose Certificates, press Add
    7. Select Computer account, press Next>
    8. Select Local computer, press Finish
    9. Press Close
    10. Press OK
    11. Expand the Certificates (Local Computer) folder
    12. Expand the Trusted Root Certificate Authorities subfolder
    13. Right-click on the Certificates subfolder, and choose All Tasks > Import...
    14. Press Next>
    15. Browse to demo\demoCA\cacert.cer, press Next>
    16. Select Place all certificates in the following store: Certificate Store: Trusted Root Certification Authorities, press Next>
    17. Press Finish and OK
    18. Open the File menu, choose Exit, and No when asked to save
    The root certificate should now be available to both Internet Explorer and to Windows CardSpace.

Generate the Signed Server Certificate for Tomcat

  1. Make sure Java is installed and is on your PATH.
  2. Generate the keystore and private key for Tomcat. This needs to be available for Tomcat when it starts, so a convenient place is the Tomcat conf directory.
    When certificate tools speak of a name (or common name, or first/last name) for a computer, they mean the fully-qualified domain name (FQDN) of the computer. Clients match the host name they connected to against the certificate, so it is absolutely critical that the FQDN be correct; if the domain name or the computer name changes, you'll need a new certificate. Note that current browsers match the host name only against a Subject Alternative Name extension and ignore the CN, and neither this keytool command nor CA.pl -sign adds one (openssl ca discards extensions from the request unless copy_extensions is set in openssl.cfg), so a certificate produced exactly as shown here satisfies 2008-era clients but not modern ones.
    cd C:\apache-tomcat-5.5.25\conf
    keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

    Enter keystore password: changeit
    Re-enter new password: changeit
    What is your first and last name?
      [Unknown]:  laptop225.corp.cmdinfo.com
    What is the name of your organizational unit?
      [Unknown]:  Development Division
    What is the name of your organization?
      [Unknown]:  My Company, Inc.
    What is the name of your City or Locality?
      [Unknown]:  Herndon
    What is the name of your State or Province?
      [Unknown]:  Virginia
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=laptop225.corp.cmdinfo.com, OU=Development Division, O="My Company, Inc.", L=Herndon, ST=Virginia, C=US correct?
      [no]:  yes
    
    Enter key password for <tomcat>
            (RETURN if same as keystore password): <enter>
    
  3. Generate the Certificate Signing Request (CSR)
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore
    Enter keystore password: changeit
    
    The CSR is now in a file called certreq.csr. It could be sent to a commercial Certificate Authority, or signed by the CA that you created earlier.
  4. The CA.pl utility can sign the CSR, but it expects the CSR to be named newreq.pem and writes the result to newcert.pem, with the validity period (365 days) and extensions taken from openssl.cfg. Copy the CSR into place and rename it before using the utility to sign it.
    copy certreq.csr C:\demo\newreq.pem
    cd \demo
    perl CA.pl -sign

    Using configuration from C:\OpenSSL\bin\openssl.cfg
    Enter pass phrase for ./demoCA/private/cakey.pem: abracadabra
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                b4:1e:6b:6d:5f:d5:b5:63
            Validity
                Not Before: Sep 19 15:39:59 2008 GMT
                Not After : Sep 19 15:39:59 2009 GMT
            Subject:
                countryName               = US
                stateOrProvinceName       = Virginia
                localityName              = Herndon
                organizationName          = My Company, Inc.
                organizationalUnitName    = Development Division
                commonName                = laptop225.corp.cmdinfo.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    9D:60:D6:4D:43:E0:CE:6B:48:5B:F3:2C:E4:25:D1:93:38:C5:B5:0B
                X509v3 Authority Key Identifier:
                    keyid:1A:CD:47:CE:D9:8A:84:02:50:87:F6:E0:07:6C:2C:12:26:3F:20:A1
    
    Certificate is to be certified until Sep 19 15:39:59 2009 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem
    
  5. As with the root certificate, newcert.pem starts with a human-readable dump. Copy it into the Tomcat conf directory and edit the copy to remove all the text before the -----BEGIN CERTIFICATE----- line, so that Java's keytool can import it.
    copy newcert.pem C:\apache-tomcat-5.5.25\conf\tomcat.cer
    cd C:\apache-tomcat-5.5.25\conf
    vim tomcat.cer

    -----BEGIN CERTIFICATE-----
    MIIDQTCCAqqgAwIBAgIJALQea21f1bVjMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
    VQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExGTAXBgNVBAoTEE15IENvbXBhbnks
    IEluYy4xHTAbBgNVBAsTFERldmVsb3BtZW50IERpdmlzaW9uMSUwIwYDVQQDExxE
    ZXZlbG9wbWVudCBSb290IENlcnRpZmljYXRlMTIwMAYJKoZIhvcNAQkBFiNnZW5l
    LmdvdGltZXJAY29tbWFuZGluZm9ybWF0aW9uLmNvbTAeFw0wODA5MTkxNTM5NTla
    Fw0wOTA5MTkxNTM5NTlaMIGRMQswCQYDVQQGEwJVUzERMA8GA1UECBMIVmlyZ2lu
    aWExEDAOBgNVBAcTB0hlcm5kb24xGTAXBgNVBAoTEE15IENvbXBhbnksIEluYy4x
    HTAbBgNVBAsTFERldmVsb3BtZW50IERpdmlzaW9uMSMwIQYDVQQDExpsYXB0b3Ay
    MjUuY29ycC5jbWRpbmZvLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
    iXxVWnKZio5r7zZiCYoHDxWElMxCDSWMOiGL4rJYndPkPDekCDxSAZi2Hi9rxWWD
    mp4j0d7EquYun0H9TyaEAusDxOh4dYyarb9pMprLxdrHSH5GmhCPIlotZwwaldDV
    SO7kFBCb/PIsWUgiJFBI4iv4zf1kKdBSt9yDZXsAnlMCAwEAAaN7MHkwCQYDVR0T
    BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
    dGUwHQYDVR0OBBYEFJ1g1k1D4M5rSFvzLOQl0ZM4xbULMB8GA1UdIwQYMBaAFBrN
    R87ZioQCUIf24AdsLBImPyChMA0GCSqGSIb3DQEBBQUAA4GBAH43a+NMOFKvlAE9
    cLXzne9QzA9wa249g+UvpgRdUM2NsgK2AHHZqu1yV7K2sUGeJbmyZp0xXMH1d+kZ
    TNAFDppt9yNYa6l3vpmhw1jD5JerTBk14A6+6ig1oQZSHgDE396rYjFUQvg053tc
    pfDACIDHTrwCk5OefMwArfEkSBo/
    -----END CERTIFICATE-----
    
  6. Import the root certificate into Tomcat's keystore. keytool will only accept the signed server certificate in the next step if it can build a chain to a trusted issuer, and with -trustcacerts it looks in this keystore and in the JRE's cacerts file.
    copy \demo\demoCA\cacert.cer cacert.cer
    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file cacert.cer
    Enter keystore password: changeit
    Owner: EMAILADDRESS=gene.gotimer@commandinformation.com, CN=Development Root Certificate, OU=Development Division, O="My Company, Inc.", ST=Virginia, C=US
    Issuer: EMAILADDRESS=gene.gotimer@commandinformation.com, CN=Development Root Certificate, OU=Development Division, O="My Company, Inc.", ST=Virginia, C=US
    Serial number: b41e6b6d5fd5b562
    Valid from: Wed Sep 17 15:13:04 EDT 2008 until: Sat Sep 17 15:13:04 EDT 2011
    Certificate fingerprints:
             MD5:  66:27:21:B3:E6:DC:88:CC:71:15:E7:AA:2F:D0:38:C2
             SHA1: DD:1D:4E:A0:F8:40:14:22:EA:D0:DF:B8:22:E5:82:01:DC:E0:E2:5C
             Signature algorithm name: SHA1withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 1A CD 47 CE D9 8A 84 02   50 87 F6 E0 07 6C 2C 12  ..G.....P....l,.
    0010: 26 3F 20 A1                                        &? .
    ]
    ]
    
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    
    #3: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 1A CD 47 CE D9 8A 84 02   50 87 F6 E0 07 6C 2C 12  ..G.....P....l,.
    0010: 26 3F 20 A1                                        &? .
    ]
    
    [EMAILADDRESS=gene.gotimer@commandinformation.com, CN=Development Root Certificate, OU=Development Division, O="My Company, Inc.", ST=Virginia, C=US]
    SerialNumber: [    b41e6b6d 5fd5b562]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    
  7. Now, import the signed server certificate into Tomcat's keystore.
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file tomcat.cer
    Enter keystore password: changeit
    Certificate reply was installed in keystore
    
    The keystore should be backed up; it holds the server's private key, so the backup needs the same protection as the original. This is especially true if the certificate was signed by a commercial CA, since losing the key means going back to the CA for a new certificate.
  8. Finally, configure Tomcat to use the keystore for SSL/HTTPS. The relevant section of server.xml is shown below. keyAlias must match the alias given to keytool (tomcat), the relative keystoreFile path is resolved against the Tomcat base directory, and since keystorePass is stored in clear text here, server.xml should be readable only by the account Tomcat runs as.
        <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
        <Connector port="443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="conf/tomcat.keystore" keystorePass="changeit" keyAlias="tomcat" />
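
The script below is an added example, not code from the original post, the Bandit project or the OpenSSL/Tomcat documentation it cites. It runs the same two procedures (create the development root, then issue the Tomcat server certificate) with plain openssl commands instead of CA.pl, and it supplies what the transcripts above leave out: a 2048-bit key and SHA-256 signatures, a root restricted to pathlen:0 and certificate signing only, and a server certificate carrying the Subject Alternative Name and serverAuth extended key usage that current clients check. It finishes with a PKCS#12 bundle that Tomcat can load directly, which replaces the keytool import sequence in steps 5 to 7. It assumes only that openssl is on the PATH; the work directory, file names, DN values and the two pass phrases are assumptions for the demo, not anything the page fixes.

```shell
#!/bin/sh
# Added example: openssl-only version of the CA + Tomcat server cert flow above.
# Assumes openssl on PATH. Directory, file names, DN values and pass phrases
# are demo assumptions. Usage: sh devpki.sh /path/to/demo laptop225.corp.cmdinfo.com
set -eu

make_dev_pki() {            # $1 = work dir, $2 = server FQDN
  dir=$1; fqdn=$2
  mkdir -p "$dir"

  # Root CA. pathlen:0 means it can sign end-entity certs only, and keyUsage
  # limits it to certificate/CRL signing. prompt=no takes the DN from [dn].
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
C  = US
ST = Virginia
O  = My Company, Inc.
OU = Development Division
CN = Development Root Certificate
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Pass phrase on the command line is acceptable for a throwaway demo only;
  # the real CA key stays encrypted and off the web server.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1095 \
      -config "$dir/ca.cnf" -passout pass:abracadabra \
      -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

  # Server key and CSR. [server_ext] is applied at signing time, because
  # openssl ca / CA.pl would discard request extensions without copy_extensions.
  cat > "$dir/server.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
C  = US
ST = Virginia
L  = Herndon
O  = My Company, Inc.
OU = Development Division
CN = $fqdn
[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$fqdn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$dir/server.cnf" \
      -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

  # Sign for one year with the CA key; -CAcreateserial starts cacert.srl.
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
      -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -passin pass:abracadabra \
      -CAcreateserial -extfile "$dir/server.cnf" -extensions server_ext \
      -out "$dir/server.cer" 2>/dev/null

  # Key + leaf + root in one PKCS#12 bundle under alias "tomcat".
  openssl pkcs12 -export -name tomcat -in "$dir/server.cer" -inkey "$dir/server.key" \
      -certfile "$dir/cacert.pem" -passout pass:changeit -out "$dir/tomcat.p12"
}

# Chain check: does the leaf verify against our root?
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/server.cer" >/dev/null 2>&1; }

# Host-name check against the SAN, the way a current TLS client does it.
name_matches() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/server.cer" >/dev/null 2>&1
}

# Signature algorithm actually used on the leaf (expect sha256WithRSAEncryption).
leaf_sig_alg() {
  openssl x509 -in "$1/server.cer" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

if [ $# -eq 2 ]; then
  make_dev_pki "$1" "$2"
  verify_chain "$1" && name_matches "$1" "$2" && echo "OK: $(leaf_sig_alg "$1")"
fi
```

Tomcat loads the bundle with keystoreFile="conf/tomcat.p12" keystoreType="PKCS12" keystorePass="changeit" keyAlias="tomcat" in the Connector element; if a JKS file is preferred, keytool -importkeystore (Java 6 and later) converts it. The cacert.pem produced here is already bare PEM, so it imports on the Windows clients through the MMC steps in the first section (or certutil -addstore Root cacert.pem) without the hand-editing in step 5. The name_matches check with a wrong host name is the failure mode worth trying once: it fails, which is exactly what a browser does with a CN-only certificate issued by the CA.pl flow.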