Friday, April 29, 2011


These are the steps I followed. This was a straightforward task to configure apache to accept HTTPS traffic. Further enhancements such as forcing HTTPS only, or validating client certificates were not required.

This article is quite good

If on linux then install mod_ssl. ( )

yum install mod_ssl ...

Also is handy for checking any old CSRs

Setting up certs etc.

generate a certificate.


To do this you need a Certification Authority, CA, (openssl to DIY, or public CA). See links above

1/ Generate CSR (Certificate Signing Request)

Multiple ways to do this. OpenSSL or Keytool.

For openssl using defaults you can simply do

openssl req -new

2/ Generate certificate (using CA)

3/ Install certificate in Apache (as root)

4/ Edit ssl.conf file (equivalent to httpd.conf). Configure any VirtualHosts you require, and assign them the requisite keys and certs, e.g.

SSLEngine On
SSLCertificateFile /etc/pki/tls/http/apachecert.pem
SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
SSLProtocol All -SSLv2
DocumentRoot /var/www/html/ssl

Create CA private Key (used for generating CSR’s)

openssl genrsa –aes256 -out 1024

In general generate a private key per domain

Create Self Signed CA cert (Also generates private Key for CA)

openssl req -new -x509 -extensions v3_ca -keyout ./private/cakey.pem -out cacert.pem -days 3650

Create Self signed CA using existing private key

openssl req -new -x509 -extensions v3_ca -key privateKey.pem -out cacert.pem -days 3650

This command demonstrates the how commands in openssl combine functionality

Req command allows switch to x509


The default locations of the of the keystore files is %JAVA_HOME%/jre/security/.keystore

To include trusted certs from the keystore in a java client you must add the following


Unsupported OID in the AlgorithmIdentifier
<ms_osb1> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1315908488277> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

I was doing some work with 2-way SSL, and seeing the following error in my weblogic (OSB) logs.

As it happens this is a problem with JDK 1.6_013. They included a non compatible CA cert in the keystore.

keytool -delete -keystore $JAVA_HOME\jre\lib\security\cacerts -alias ttelesecglobalrootclass2ca -keystorepass changeit
keytool -delete -keystore $JAVA_HOME\jre\lib\security\cacerts -alias ttelesecglobalrootclass3ca -keystorepass changeit

How do I remove a passphrase from a key?

Perhaps you’ve grown tired of typing your passphrase every time your secure daemon starts. You can decrypt your key, removing the passphrase requirement, using the rsa or dsa option, depending on the signature algorithm you chose when creating your private key.

If you created an RSA key and it is stored in a standalone file called key.pem, then here’s how to output a decrypted version of the same key to a file called newkey.pem.

# you'll be prompted for your passphrase one last time

openssl rsa -in key.pem -out newkey.pem

Often, you’ll have your private key and public certificate stored in the same file. If they are stored in a file called mycert.pem, you can construct a decrypted version called newcert.pem in two steps.

# you'll need to type your passphrase once more

openssl rsa -in mycert.pem -out newcert.pem

openssl x509 -in mycert.pem >>newcert.pem


No comments: