Are you tired of paying for SSL Certificates? Then consider using Let's Encrypt.
As taken from its Wikipedia Page:
And yes, these certificates are fully compatible with all Banner applications such as (Banner 9, SSB, SSOManager, etc).
However, while it's always nice to have stuff for free, keep in mind a couple things.
This week, let's go over how to install an Let's Encrypt SSL certificate on Redhat/Centos based systems.
It goes without saying that you really should have a grasp of using Linux before continuing onward. In addition you will need to have apache httpd installed as well as root access on the system in question.
Prior to starting, make sure:
1. Install Certbot. The process is documented here for Redhat Centos 7 systems. However it's a bit wordy. if you are lazy like me you just want the commands to type.
For Redhat/Centos 7, run the below commands as root.
# yum install epel-release # yum -y install yum-utils # yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional # yum install certbot python2-certbot-apache
The commands above basically enable the Redthat extended Repository, and then install a utility called CERTBOT, which used to generate the Certificate for Let's Encrypt.
Generating the Certificate
There are numerous was to use certbot, but one of the easier ways is the following (run as root)
# certbot certonly --webroot
You will then be prompted for the hostname that you want a certificate to be generated against, as well as the document root associated with that URL. The Let's Encrypt certificate generation script will attempt to drop a couple files on your server, and then attempt to access those files.
Befow is an example for admin.nyquest.com (user input is outlined in red):
In the example above, the entire certificate bundle (private key, Root CA, certificate) is dropped under /etc/letsencrypt/live/admin.nyquest.com-0001.
You can now use this certificate under apache httpd with a virtual host directive:
<virtualhost:443/> DocumentRoot /blah/moreblah ServerName admin.nyquest.com SSLCertificateFile /etc/letsencrypt/live/admin.nyquest.com-0001/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/admin.nyquest.com-0001/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateChainFile /etc/letsencrypt/live/admin.nyquest.com-0001/fullchain.pem </virtualhost>
You can view this site here.
The screenshot above was run on 2019.05.21. As you can see, the cert generated are valid for 90 days. You can easily automate the procedure with a cron job that runs every month as shown below taking input from standard IO.
#!/bin/bash certbot certonly --webroot << EOF admin.nyquest.com /usr/local/apache2/htdocs/admin EOF
You can then convert it to a JAVA KEYSTORE for use under Tomcat and Banner 9.
There is no way to directly convert a PEM to keystore, you will first need to create a PKCS12 file using openssl. The syntax for this is:
openssl pkcs12 -export -in [full path to RootCA] -inkey [full path to private key] -certfile [full path to certificate] -out [path to out pkcs12 file]
# openssl pkcs12 -export -in /etc/letsencrypt/live/admin.nyquest.com-0001/fullchain.pem -inkey /etc/letsencrypt/live/admin.nyquest.com-0001/privkey.pem -certfile /etc/letsencrypt/live/admin.nyquest.com-0001/cert.pem -out root.pkcs12 Enter Export Password: Verifying - Enter Export Password: [root@admin ~]# ls -l root.pkcs12 -rw-r--r--. 1 root root 5621 May 22 14:14 root.pkcs12
The PKCS12 file can then be directly imported into the keystore using keytool. The syntax for this command is:
keytool -importkeystore -deststorepass [keystore pass] -destkeystore [full path to keystore] -srckeystore [full path to PKCS12 file] -srcstoretype PKCS12
# keytool -importkeystore -deststorepass ********* -destkeystore /root/SSL/key.jks -srckeystore root.pkcs12 -srcstoretype PKCS12