Home / server / Questions / 424333
Accepted
armani
Asked: 2012-09-05 13:55:30 +0800 CST

How to secure an internal website for internal users, using SSL and Server 2008 as a CA?

  • 772

I'm needing an experienced person to guide me on this little project :-)

We have one Domain Controller [Win2k8 R2] with the Active Directory Certificate Services role. Let's call it ServerOne.OurDomain.com.

I've got a second Windows 2008 R2 server, ServerTwo.OurDomain.com, that runs an Apache Tomcat web server. We are setting up an Outlook plug-in for all users that requires an SSL connection to an OAuth server. I fumbled through the instructions to add the OAuth module to Tomcat and enable a connector using SSL on port 8443 [default SSL port for Tomcat].

But now I don't know how to "put 2 and 2 together" -- How can I generate a certificate from our internal CA so there are no SSL certificate errors when connecting to ServerTwo.OurDomain.com? So far I made the "keystore" file on ServerTwo using the JRE "keytool.exe" program, and of course the certificate shows it [like, when you click the lock icon in a browser] as a self-signed cert with no CA chain.

Any help in this area is greatly appreciated.

ssl

2 Answers

  1. Best Answer

    I ended up figuring this out on my own. I documented my steps; Hopefully this helps anybody with the same issue in the future:

    1. Generate CSR on Tomcat

      • Create the keystore and private key: keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
      • "Keytool" is in your Java's JDK or JRE home directory's "bin" folder
      • "keystore" includes the path to your keystore file, such as "C:\store\keystore"
      • Fill out the information it asks, noting that "first and last name" is really asking for the FQDN
      • Create the CSR file: keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore
      • [I then copied to a common share:] copy certreq.csr Z:\

    2. Sign the certificate

      • On the server with Active Directory Certificate Services role, in an elevated command prompt: certreq -submit -attrib "CertificateTemplate: WebServer" Z:\certreq.csr certificate.cer
      • Choose the CA you're working on in the popup
      • [Then I copied back to the share:] copy certificate.cer Z:\

    3. Import the Root CA certificate

      • On the server with Active Directory Certificate Services role:
      • Server Manager --> Roles --> Active Directory Certificate Services --> [Your CA] --> Issued Certificates
      • Open any from the list signed by your CA, go to the Certification Path tab
      • "View Certificate" for the root CA, if it is your server's CA
      • Details tab --> Copy to File... [then I saved to Z:\RootCA.cer]
      • On the Tomcat server:
      • keytool -import -trustcacerts -alias rootca -file Z:\RootCA.cer -keystore keystore
      • Type "yes" to trust the certificate

    4. Import the certificate for Tomcat

      • keytool -import -trustcacerts -alias tomcat -file Z:\certificate.cer -keystore keystore

    References:

    Note, if at this point your browser still doesn't trust that it was signed by a trusted Root CA, you may have to push out the Root CA server through Group Policy . . . It was a quick Google for me. I had already set that up before these steps, so I'm not sure if it matters or not.

    • 1

  2. Well as you have just created a self signed certificate, this is not going to be automatically authenticate as you are not a trusted certificate authority.

    Easiest and quickest thing to do is to just install the certificate into your local trusted certificate store, but you will need to do this on each machine, so this will be quite time consuming and will cause problems when you setup a new machine a year in the future and forget to do this, so a better way to deploy it would be to use GPO. If you have group policy setup, follow the instructions here.

    • 0