How-To:UseSslCerts

From Nxt Wiki

It is possible to use certificates other than the one included in the Jetty config of NRS. You can use an officially signed certificate from a CA (RapidSSL, VeriSign, etc.), which costs money, or you can create a self-signed certificate for free and use that. A self-signed certificate will still produce certificate warnings, but since you generated it yourself, you can trust it. It is BAD PRACTICE to trust default self-signed SSL certificates, especially since you don't know who else has the private key to a default self-signed certificate!

1 Self-signed Certificate

1. Generate a self-signed certificate. This 'openssl' command will prompt you for some information; fill it in. Use whatever period in days you would like the certificate to be valid for. Because no -keyout option is given, openssl writes the new private key to privkey.pem in the current directory, which is why that file is locked down next.

openssl req -new -x509 -out mycert.crt -days 1095

chmod 400 privkey.pem

chmod 400 mycert.crt

2. Convert the certificate and private key to PKCS12 format, as required by the Jetty web server. This command will prompt for an export password, which must not be empty.

openssl pkcs12 -export -inkey privkey.pem -in mycert.crt -out mycert.pkcs12

chmod 400 mycert.pkcs12

3. Generate a new Jetty keystore file. NRS's Jetty config is set to use the default password 'storepwd' for the keystore password, so we will use this. (It is a good idea to set a different password of your own and to reconfigure Jetty with it, but that is beyond the scope of this wiki article, so we will use 'storepwd'. See https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty and the file jetty-ssl.xml inside the NRS distribution for using your own password.) The keytool command will prompt for passwords; use 'storepwd' in every case.

keytool -importkeystore -srckeystore mycert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

4a. (only for 0.7.x and earlier releases) Step 3 created a file called keystore in the current directory. Copy it over the default NRS keystore at nxt/etc/keystore, then, as the last step, edit the default NRS nxt/etc/jetty-ssl.xml file to remove these three problem statements:

<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>

<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>

<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>

4b. (only for 0.8.x and later releases) Step 3 created a file called keystore in the current directory. Copy it into the nxt directory, then, as the last step, edit nxt/conf/nxt.properties (create this file if it doesn't exist) and put in the following statements:

nxt.uiSSL=true
nxt.apiSSL=true
nxt.keyStorePassword=storepwd

2 CA-signed Certificate

1. Generate a CSR (certificate signing request). This 'openssl' command will prompt you for some information; fill it in. As in the self-signed case, the private key is written to privkey.pem because no -keyout option is given.

openssl req -new -out mycert.csr

chmod 400 privkey.pem

chmod 400 mycert.csr

2. Send this CSR file, mycert.csr, to whoever you choose to be your certificate authority. They will send you back a certificate that they have signed. They may or may not also send you an intermediate and/or root certificate. Rename the certificate they issue for your server to mycert.crt and make sure you also chmod 400 every file they give you.

2b. IF your CA gave you additional intermediate and/or root certificates to go along with the server certificate they signed for you, use the following cat command, and note that the ORDER OF THE FILES MATTERS. First comes your server certificate that the CA signed for you, then any intermediate certificates (intermediate certificates also have their own order, each one issued by the next), and last the root certificate, if your CA provided one.

cat mycert.crt intermediate1.crt intermediate2.cert rootCA.cert > cert-chain.txt

chmod 400 cert-chain.txt

3. Convert the certificates and private key to PKCS12 format, as required by the Jetty web server. This command will prompt for an export password, which must not be empty. If there are no intermediate/root certificates, you skipped 2b above and do not have a cert-chain.txt file; in that case use mycert.crt as the '-in' option instead of cert-chain.txt.

openssl pkcs12 -export -inkey privkey.pem -in cert-chain.txt -out mycert.pkcs12

chmod 400 mycert.pkcs12
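Steps 2b and 3 depend on getting the bundle order right and on the PKCS12 actually containing the whole chain. The script below, added here and not part of the wiki or the NRS distribution, checks both with openssl alone: it generates a constructed three-level test chain (the names Example Root, Example Intermediate and node.example.test are made up), verifies that each certificate in the bundle is issued by the one that follows it, and counts the certificates inside the resulting PKCS12 (run against the self-signed PKCS12 from the first section, the count should be 1).

```sh
#!/bin/sh
# Added example (not from the wiki): check the chain order step 2b requires and
# confirm the PKCS12 from step 3 carries every certificate. Needs only openssl.
set -e

# check_chain_order FILE: succeed only if certificate i is issued by certificate i+1.
check_chain_order() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1; want=''
  while [ "$i" -le "$n" ]; do
    cert=$(awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k' "$1")   # i-th PEM block
    subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ -z "$want" ] || [ "$want" = "$subj" ] || return 1          # previous issuer must match
    want=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    i=$((i + 1))
  done
}

# count_pkcs12_certs FILE PASSWORD: how many certificates the PKCS12 file holds.
count_pkcs12_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# make_test_chain DIR: constructed root -> intermediate -> server chain (test data only).
make_test_chain() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Example Root' -days 1 \
    -keyout "$d/root.key" -out "$d/rootCA.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/rootCA.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/intermediate1.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=node.example.test' \
    -keyout "$d/privkey.pem" -out "$d/mycert.csr" 2>/dev/null
  openssl x509 -req -in "$d/mycert.csr" -CA "$d/intermediate1.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/mycert.crt" 2>/dev/null
}

# Build the bundle in the right and the wrong order, then the PKCS12 from the right one.
demo() {
  d=$(mktemp -d); make_test_chain "$d"
  cat "$d/mycert.crt" "$d/intermediate1.crt" "$d/rootCA.crt" > "$d/cert-chain.txt"
  cat "$d/rootCA.crt" "$d/intermediate1.crt" "$d/mycert.crt" > "$d/wrong-order.txt"
  check_chain_order "$d/cert-chain.txt" && echo "cert-chain.txt: order ok"
  check_chain_order "$d/wrong-order.txt" || echo "wrong-order.txt: root first, order wrong"
  openssl pkcs12 -export -inkey "$d/privkey.pem" -in "$d/cert-chain.txt" \
    -out "$d/mycert.pkcs12" -passout pass:exportpw
  echo "certificates inside mycert.pkcs12: $(count_pkcs12_certs "$d/mycert.pkcs12" exportpw)"
  rm -rf "$d"
}
demo
```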

4. Generate a new Jetty keystore file. NRS's Jetty config is set to use the default password 'storepwd' for the keystore password, so we will use this. (It is a good idea to set a different password of your own and to reconfigure Jetty with it, but that is beyond the scope of this wiki article, so we will use 'storepwd'. See https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty and the file jetty-ssl.xml inside the NRS distribution for using your own password.) The keytool command will prompt for passwords; use 'storepwd' in every case.

keytool -importkeystore -srckeystore mycert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

5a. (only for 0.7.x and earlier releases) Step 4 created a file called keystore in the current directory. Copy it over the default NRS keystore at nxt/etc/keystore, then, as the last step, edit the default NRS nxt/etc/jetty-ssl.xml file to remove these three problem statements:

<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>

<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>

<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>

5b. (only for 0.8.x and later releases) Step 4 created a file called keystore in the current directory. Copy it into the nxt directory, then, as the last step, edit nxt/conf/nxt.properties (create this file if it doesn't exist) and put in the following statements:

nxt.uiSSL=true
nxt.apiSSL=true
nxt.keyStorePassword=storepwd