How-To: Use SSL Certificates

From Nxt Wiki

It is possible to use certificates other than the one included in the NRS Jetty configuration. You can use a certificate officially signed by a CA (rapidssl/verisign/etc.), which costs money, or you can do it for free with a self-signed certificate. A self-signed certificate will trigger warnings in the browser, but since you generated it yourself, you can trust it. It is BAD PRACTICE to trust self-signed SSL certificates by default, above all because you do not know who holds the private key behind them!

1 Self-signed Certificates

1. Generate a self-signed certificate. This 'openssl' command will prompt you for some information that you must fill in. You can use any number of days you want the certificate to be valid for.

openssl req -new -x509 -keyout privkey.pem -out mycert.crt -days 1095

chmod 400 privkey.pem

chmod 400 mycert.crt

2. Convert the certificate and key to the pkcs12 format required by the Jetty web server. This command will prompt for an export password. The password must not be empty.

openssl pkcs12 -export -inkey privkey.pem -in mycert.crt -out mycert.pkcs12

chmod 400 mycert.pkcs12

3. Generate a new Jetty keystore file. NRS's Jetty config is set to use the default password of 'storepwd' for the keystore password, so we will use this. (It is a good idea for you to set a different password on your own and to reconfigure Jetty with the new password, but this is beyond the scope of this wiki article, so we will use 'storepwd'. See https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty and the file jetty-ssl.xml inside the NRS distribution for using your own password.) The keytool command will prompt for a password. Use 'storepwd' in every case.

keytool -importkeystore -srckeystore mycert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

4a. (only for 0.7.x and earlier releases) Step 3 created a file called keystore in the local directory. Simply copy it over the default NRS keystore at nxt/etc/keystore, then, as the last step, edit the default NRS nxt/etc/jetty-ssl.xml file to remove these three problem statements:

<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>

<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>

<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>

4b. (only for 0.8.x and later releases) Step 3 created a file called keystore in the local directory. Simply copy it over to the nxt directory, then, as the last step, edit nxt/conf/nxt.properties (create this file if it doesn't exist) and put in the following statements:

nxt.uiSSL=true
nxt.apiSSL=true
nxt.keyStorePassword=storepwd
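The self-signed procedure above, run without interactive prompts and with a sanity check before the keystore is copied into nxt/. This is an added example, not from the Nxt wiki; it assumes openssl and keytool (from a JDK) are on PATH, the file names follow the article, and the CN, validity and working directory are arguments.

```shell
#!/bin/sh
# Added example (not from the Nxt wiki): steps 1-4b of the self-signed flow
# as shell functions. Assumes openssl and keytool are on PATH.
set -eu

# Step 1: self-signed certificate and key. -subj replaces the interactive
# questions; -nodes writes the key unencrypted, so chmod 400 is its only guard.
gen_selfsigned() {   # $1 = CN, $2 = validity in days, $3 = working directory
  openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days "$2" \
    -keyout "$3/privkey.pem" -out "$3/mycert.crt" 2>/dev/null
  chmod 400 "$3/privkey.pem" "$3/mycert.crt"
}

# Step 2: PKCS12 bundle for Jetty. $2 is the certificate file (mycert.crt, or
# cert-chain.txt in the CA-signed flow); the export password must not be empty.
to_pkcs12() {        # $1 = working directory, $2 = cert file, $3 = export password
  [ -n "$3" ] || { echo "export password must not be empty" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$2" \
    -out "$1/mycert.pkcs12" -passout "pass:$3"
  chmod 400 "$1/mycert.pkcs12"
}

# Step 3: Jetty keystore. NRS expects the keystore password 'storepwd'.
to_keystore() {      # $1 = working directory, $2 = export password, $3 = keystore password
  keytool -importkeystore -srckeystore "$1/mycert.pkcs12" -srcstoretype PKCS12 \
    -srcstorepass "$2" -destkeystore "$1/keystore" -deststorepass "$3" -noprompt
}

# Sanity checks: the private key really belongs to the certificate, and the
# certificate will still be valid $2 seconds from now (0 = valid right now).
key_matches_cert() { # $1 = working directory
  [ "$(openssl x509 -noout -pubkey -in "$1/mycert.crt")" = \
    "$(openssl pkey -pubout -in "$1/privkey.pem")" ]
}
cert_valid_for() {   # $1 = working directory, $2 = seconds
  openssl x509 -noout -checkend "$2" -in "$1/mycert.crt" >/dev/null
}

# Step 4b: nxt.properties entries for NRS 0.8.x and later.
write_nxt_properties() { # $1 = properties file, $2 = keystore password
  printf 'nxt.uiSSL=true\nnxt.apiSSL=true\nnxt.keyStorePassword=%s\n' "$2" > "$1"
}
```

Call the functions in order on a working directory of your choice; to_keystore produces the keystore file that step 4a or 4b copies into place.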

2 CA-signed Certificate

1. Generate a CSR (certificate signing request). This 'openssl' command will prompt you for some info, fill it in.

openssl req -new -keyout privkey.pem -out mycert.csr

chmod 400 privkey.pem

chmod 400 mycert.csr

2. Send this CSR file, mycert.csr, to whoever you choose to be your certificate authority. They will send you back a certificate that they have signed. They may or may not also send you an intermediate and/or root certificate. Rename the certificate they give you for your server to mycert.crt and make sure you also chmod 400 all files they give you.

2b. IF your CA gave you additional certificates in the form of intermediate/root certificates to go along with the server certificate they signed for you, use the following cat command and notice that the ORDER OF THE FILES MATTERS. First is your server certificate that the CA signed for you, then any intermediate certificates (intermediate certificates also have their own order), then last is the root certificate, if your CA also provided one.

cat mycert.crt intermediate1.crt intermediate2.crt rootCA.crt > cert-chain.txt

chmod 400 cert-chain.txt

3. Convert the certificates to the pkcs12 format required by the Jetty web server. This command will prompt for an export password. This must not be empty. If there are no intermediate/root certificates, then you skipped 2b above and do not have a cert-chain.txt file, so in this case use mycert.crt as the '-in' option instead of cert-chain.txt.

openssl pkcs12 -export -inkey privkey.pem -in cert-chain.txt -out mycert.pkcs12

chmod 400 mycert.pkcs12

4. Generate a new Jetty keystore file. NRS's Jetty config is set to use the default password of 'storepwd' for the keystore password, so we will use this. (It is a good idea for you to set a different password on your own and to reconfigure Jetty with the new password, but this is beyond the scope of this wiki article, so we will use 'storepwd'. See https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty and the file jetty-ssl.xml inside the NRS distribution for using your own password.) The keytool command will prompt for a password. Use 'storepwd' in every case.

keytool -importkeystore -srckeystore mycert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

5a. (only for 0.7.x and earlier releases) Step 4 created a file called keystore in the local directory. Simply copy it over the default NRS keystore at nxt/etc/keystore, then, as the last step, edit the default NRS nxt/etc/jetty-ssl.xml file to remove these three problem statements:

<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>

<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>

<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>

5b. (only for 0.8.x and later releases) Step 4 created a file called keystore in the local directory. Simply copy it over to the nxt directory, then, as the last step, edit nxt/conf/nxt.properties (create this file if it doesn't exist) and put in the following statements:

nxt.uiSSL=true
nxt.apiSSL=true
nxt.keyStorePassword=storepwd