Getting an SSL certificate

Acquire and install a Sectigo SSL certificate through Namecheap

How I got my SSL certificate

It has been a while since I last used a secured web page (HTTPS). Last time I used a free solution (Let's Encrypt) on an OpenShift environment. This time, however, I wanted to stop using free solutions, and bought an SSL certificate through Namecheap from a trusted Certificate Authority called Sectigo (formerly Comodo CA). The certificate I got is a PositiveSSL certificate, which costs less than 8 dollars a year, a fair price to pay for a CA that is trusted by most browsers.


Before we start...

Prior to reading the article I expect you to have at least some knowledge of and experience with:

  1. Namecheap

  2. (Apache) Tomcat and Apache (configuration)

  3. the Linux filesystem

Before we start, note that this tutorial is, for the most part, applicable to any other operating system or (type of) web container (e.g. Tomcat), apart from a few details that are (very) specific to the setup of alvanklaveren.com.

Acquiring an SSL certificate

First, we open a Linux terminal, go to a folder where we would like to manage our certificates, and create a keystore. This can be any place you like, but in this example we use the Tomcat configuration folder (tomcat/conf/).
In this folder, run the following commands:

1) Generate a key pair in a new keystore:

  keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore keystore.jks

Mind that we use tomcat as the alias for the certificate in the keystore. If you want to use another alias, make sure to replace it in all further instructions below. keytool will prompt you for the following:

  1. password (by default the password is changeit; in this example we do not change it!)

  2. first and last name: yourdomain.com (do not prefix www!)

  3. organizational unit (e.g. It Department)

  4. name of organization

  5. city

  6. province or state

  7. country code (2-character code, like NL, UK, IT, and so on)

  8. Next you can press Enter to keep using the same keystore password (changeit) for the key, or change it now (and remember it... forever!!)

This will have generated a keystore named "keystore.jks".

2) Immediately convert it to a PKCS12 keystore, if it is not one already:

  1. keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12

  2. Make a backup of the keystore, just in case something goes wrong later on:
    cp keystore.jks keystore.jks.backup

3) Generate the CSR:

  1. keytool -certreq -alias tomcat -file tomcat.csr -keystore keystore.jks

So now we have the CSR file (tomcat.csr in this example), which we are going to use to get our certificate.

4) Go to Namecheap and get a (new) certificate (reissue)

  1. Click on the dropdown arrow and select “reissue”

  2. Now copy the content of the CSR generated in step 3 into the “Enter CSR” box and press “Next”

  3. In the next screen, choose “Any other server”, because we are using apache2 on DigitalOcean.

  4. Next, choose Email as the DCV method (by far the easiest), and follow the instructions in the emails to obtain the certificate and the root/intermediate bundle.

  5. The first (Comodo/Sectigo) email asks you to enter the validation code at the link given in the email. Once you have entered the code, a second email arrives containing a zip file. This zip file contains a bundle and your domain certificate. In my case, these are alvanklaveren_com.crt and alvanklaveren_com.ca-bundle.

The bundle contains both the root and the intermediate certificate(s), so we split it into one root.crt and one intermediate.crt. Important: the bundle starts with the 1 or 2 intermediate certificate(s) and ends with the root certificate, in that order.
Next we copy these to the keystore location, together with alvanklaveren_com.crt. We are now going to import them into the keystore.

5) Import certificates (REMEMBER: we made a copy of the keystore in case something goes wrong). First we import the root, then the intermediate, then the domain:

  1. keytool -import -trustcacerts -alias root -file root.crt -keystore keystore.jks
  2. keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystore.jks
  3. keytool -import -trustcacerts -alias tomcat -file alvanklaveren_com.crt -keystore keystore.jks

The intermediate certificate is important, because without it (older) Android devices may give an “insecure website” warning.
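As an added example (not part of the original article), the script below automates the bundle split described above, relying on the stated order (intermediate(s) first, root last), and then verifies with openssl that the domain certificate really chains to that root through the intermediate(s) before anything is imported; a broken chain at this point is exactly what produces the Android warning just mentioned. It assumes awk and openssl are installed; the sample bundle in demo_split is constructed with placeholder bodies so the split can be exercised without real certificates.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: split the Sectigo
# "<domain>.ca-bundle" (intermediate certificate(s) first, root last) into
# intermediate.crt and root.crt, then check that the domain certificate
# actually chains to that root before anything is imported into the keystore.
set -eu

# count_pem_blocks FILE -> number of "BEGIN CERTIFICATE" blocks in FILE
count_pem_blocks() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_bundle BUNDLE INTERMEDIATE_OUT ROOT_OUT
# All certificates except the last go to INTERMEDIATE_OUT, the last to ROOT_OUT.
split_bundle() {
  local bundle="$1" inter="$2" root="$3" total
  total=$(count_pem_blocks "$bundle")
  if [ "$total" -lt 2 ]; then
    echo "expected at least 2 certificates in $bundle, found $total" >&2
    return 1
  fi
  awk -v total="$total" -v inter="$inter" -v root="$root" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 { if (n < total) print > inter; else print > root }
  ' "$bundle"
}

# verify_chain DOMAIN_CRT INTERMEDIATE_CRT ROOT_CRT
# Fails if the domain certificate does not chain to ROOT via INTERMEDIATE,
# i.e. the situation that makes browsers and Android devices warn.
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Constructed sample bundle (placeholder bodies, not real certificates) so the
# split can be tried offline; real use: split_bundle alvanklaveren_com.ca-bundle ...
demo_split() {
  local dir; dir=$(mktemp -d)
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-2-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-1-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'ROOT-PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$dir/sample.ca-bundle"
  split_bundle "$dir/sample.ca-bundle" "$dir/intermediate.crt" "$dir/root.crt"
  echo "$dir"
}
```

With a real bundle, run split_bundle on the .ca-bundle and then verify_chain alvanklaveren_com.crt intermediate.crt root.crt; only when it prints "OK" should the three keytool imports in step 5 be executed.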

Now for something REALLY important for the Angular side of the website. In /etc/nginx/sites-available/default the certificate and key are set with:

ssl_certificate     /opt/angular/tomcat.crt;
ssl_certificate_key /opt/angular/tomcat.key;

You have to make sure these files are present in your Angular root folder /opt/angular.
Now to extract them from the keystore (store this in a bash file if you want to):

  1. keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass changeit -destkeypass changeit
  2. openssl pkcs12 -in keystore.p12 -nokeys -out tomcat.crt
  3. openssl pkcs12 -in keystore.p12 -nodes -nocerts -out tomcat.key

A detail specific to alvanklaveren.com is that the Wicket web pages need to have the @RequireHttps annotation, and the web.xml has to contain a setup specifying which folders (starting from the webroot folder) are exempt from HTTPS. For alvanklaveren.com, all web pages are secure, except for the gameshopmobile page, which contains a service that sends data to a mobile application. It is pointless to make it secure, as it only takes more time to process (and we want our mobile app to be fast).

Below is the partial web.xml for alvanklaveren.com:

<web-app ...>
	...
	<security-constraint>
	    <web-resource-collection>
	        <web-resource-name>server</web-resource-name>
	        <url-pattern>/*</url-pattern>
	    </web-resource-collection>
	    <user-data-constraint>
	        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
	    </user-data-constraint>
	</security-constraint>
	
	<security-constraint>
	    <web-resource-collection>
	        <web-resource-name>server</web-resource-name>
	        <!-- exclude the call to gameshopmobile. this page is NOT https protected !! -->
	        <url-pattern>/gameshopmobile/*</url-pattern>
	    </web-resource-collection>
	    <user-data-constraint>
	        <transport-guarantee>NONE</transport-guarantee>
	    </user-data-constraint>
	</security-constraint>
	...
</web-app>

Don't forget to restart Tomcat: service tomcat restart.

Final words

In this document I described how to get SSL certificates and install them. In another document I will explain how to set up apache2 to serve Tomcat over 443 using virtual hosts (in ssl-default.conf and apache2.conf).