In this article, I am going to show you how to install or renew SSL certificate for Crowd server step by step.
Note: In my example, my hostname is crowd.jackiechen.org
- (skip if you already have your new certificate) Run the following commands to generate a CSR for your certificate. You will get two files: crowd.jackiechen.org.csr (the CSR, which you send to your CA for signing) and crowd.jackiechen.org.key (the private key, which you must keep in a secure place). The process substitution `<(...)` requires bash.

```bash
DOMAIN=crowd.jackiechen.org
# Generate a new 2048-bit RSA key and a CSR that carries the hostname as a DNS SAN,
# by appending a [SAN] section to a copy of the system openssl.cnf.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -out "$DOMAIN.csr" -keyout "$DOMAIN.key" \
  -subj "/C=AU/ST=NSW/L=Sydney/O=Jackie Chen/OU=IT Workshop/CN=$DOMAIN" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:%s\n" "$DOMAIN"))
```
- (skip if your signed certificate is not DER encoded) If your signed certificate is DER encoded, run the following command to convert it to Base64 (PEM) encoding. In the example, crowd.jackiechen.org.cer is the DER-encoded certificate signed by the CA, so I convert it to Base64 and name the result crowd.jackiechen.org.crt.

```bash
DOMAIN=crowd.jackiechen.org
# Re-encode the DER certificate as PEM (Base64); the default output form of x509 is PEM.
openssl x509 -inform DER -in "$DOMAIN.cer" -out "$DOMAIN.crt"
```
- The web application server of Crowd is Apache Tomcat, which uses a Java keystore to store the public and private key pair. So we need to import the key pair into a keystore.

```bash
DOMAIN=crowd.jackiechen.org
# Create a PKCS12 keystore from the key pair. You will be asked to set a password for the
# PKCS12 keystore (let's say it is 111111).
openssl pkcs12 -export -name "$DOMAIN" -in "$DOMAIN.crt" -inkey "$DOMAIN.key" -out "$DOMAIN.p12"
# Convert the PKCS12 keystore to a JKS keystore (keytool comes with the JRE). You will be asked
# to set a password for the JKS keystore (let's say it is 222222), and you also need to enter
# the PKCS12 password 111111 from above.
keytool -importkeystore -destkeystore "$DOMAIN.jks" -srckeystore "$DOMAIN.p12" \
  -srcstoretype pkcs12 -alias "$DOMAIN"
```
- By now, you should have the JKS file ready. In my example, it is crowd.jackiechen.org.jks, the alias is crowd.jackiechen.org, and the password is 222222. It is time to update the Apache Tomcat configuration file <path to Crowd Installation>/apache-tomcat/conf/server.xml to use the new JKS file. It looks like this in my case:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="[path to keystore]/crowd.jackiechen.org.jks"
           keystorePass="222222" keyAlias="crowd.jackiechen.org"/>
```
- Restart the Crowd service, then you should be able to see the new certificate. You can verify it with the following command.

```bash
# Redirecting stdin from /dev/null makes s_client exit after the handshake instead of
# waiting for input; the served certificate is then decoded by x509.
openssl s_client -connect crowd.jackiechen.org:443 </dev/null | openssl x509 -noout -text
```
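As an added example (not part of the original article), here is a small shell script with the checks worth running before the keystore import and after the restart: that the signed certificate really belongs to the private key you are about to import, that the SAN covers the hostname, and that the certificate is not close to expiry. It generates its own constructed key and certificate for crowd.jackiechen.org so it runs offline; in practice you point the functions at your real .crt and .key files.

```bash
#!/usr/bin/env bash
# Post-renewal sanity checks for a Tomcat/Crowd certificate.
# Added example (not from the article); the key, cert and "old.key" below are constructed.
set -eu

# SHA-256 of the DER-encoded public key taken from a certificate ($1=cert) or a private key
# ($1=key), so the two can be compared regardless of PEM/DER packaging.
pubkey_fpr() {
  if [ "$1" = cert ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the certificate was issued for this private key. Pairing the new cert with an
# old key is the usual cause of a keystore that imports fine but fails the TLS handshake.
cert_matches_key() {
  a=$(pubkey_fpr cert "$1"); b=$(pubkey_fpr key "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 when $2 appears as a DNS SAN; modern clients ignore the CN, so the SAN from the CSR matters.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -wF "DNS:$2" >/dev/null
}

# 0 when the certificate stays valid for at least $2 more days (openssl does the date math).
cert_valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); }

# Constructed demo material: a 30-day self-signed cert for the article's hostname, plus an
# unrelated key standing in for last year's private key.
DEMO_HOST=crowd.jackiechen.org
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$DEMO_DIR/$DEMO_HOST.key" -out "$DEMO_DIR/$DEMO_HOST.crt" \
  -subj "/CN=$DEMO_HOST" -addext "subjectAltName=DNS:$DEMO_HOST" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$DEMO_DIR/old.key" 2>/dev/null

cert_matches_key "$DEMO_DIR/$DEMO_HOST.crt" "$DEMO_DIR/$DEMO_HOST.key" && echo "cert/key: match"
cert_matches_key "$DEMO_DIR/$DEMO_HOST.crt" "$DEMO_DIR/old.key" || echo "cert/old.key: mismatch"
cert_has_dns_san "$DEMO_DIR/$DEMO_HOST.crt" "$DEMO_HOST" && echo "SAN: DNS:$DEMO_HOST present"
cert_valid_for_days "$DEMO_DIR/$DEMO_HOST.crt" 7 && echo "expiry: more than 7 days left"
```

The `-addext` option needs OpenSSL 1.1.1 or newer; on older builds, create the demo certificate with the `-reqexts SAN -config <(...)` construction shown in the first step instead.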