Setting up SSL for your Development Environment

Recently I needed to set up SSL in my development environment in order to debug an issue. I needed to make sure that 

  • Tomcat could serve SSL content properly
  • As an HTTP client, the JVM could accept a self-signed (untrusted) certificate. If you've ever come across a website that asked whether you want to accept an untrusted certificate, this is basically the same thing, except that the JVM has no UI for it: it simply fails the handshake, so the certificate has to be imported into its truststore with keytool beforehand.

While this sounds simple to do, the information about it is scattered across the web, and none of it matched the exact use case I had.

  1. Create a self-signed certificate using keytool. The following command generates a keystore named keystore containing one RSA key pair with a self-signed certificate under the alias tomcat (-keysize 2048 is explicit because older JDKs default to 1024 bits). I used the password "changeit", but you can use whatever you want; just make sure the Tomcat configuration uses the same one, and when keytool asks for the key password, press RETURN so it matches the store password. When keytool asks for your "first and last name", enter the hostname you will use in the URL: that value becomes the CN, and the client compares it with the host it connected to.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore keystore
  2. Configure Tomcat to use the keystore we just generated. This tells Tomcat to present the certificate whenever you access the server at https://host:8443. keystorePass must be the password you gave keytool; Tomcat uses the same value for the key password unless you set keyPass separately. The password sits in server.xml in clear text, so don't reuse one that matters. In server.xml look for the SSL connector:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" 
        keystoreFile="/Users/myoung/projects/portal/trunk/tomcat/keystore" 
        keystorePass="changeit" />

  3. Import the certificate into the JVM's truststore. This tells the JVM that the certificate is trusted, so that when Liferay makes https requests to Tomcat the handshake succeeds instead of failing with a "PKIX path building failed" error.
    • Export the certificate from the keystore you generated in step 1. This writes out only the public certificate (the private key stays in the keystore), so the file is safe to copy around. The password you supply is the store password, passed with -storepass:
      keytool -export -alias tomcat -storepass changeit -file server.crt -keystore keystore
    • Import the cert into the JVM. "cacerts" is the filename of the JVM's default truststore, and its password is "changeit" out of the box. The path will be different on Windows (%JAVA_HOME%\jre\lib\security\cacerts on Java 8; from Java 9 on it is %JAVA_HOME%\lib\security\cacerts, and likewise $JAVA_HOME/lib/security/cacerts elsewhere). Keep in mind that editing cacerts makes every program run by that JVM trust your dev certificate, and a JDK upgrade silently replaces the file; a cleaner alternative is a separate truststore selected with -Djavax.net.ssl.trustStore=<file> -Djavax.net.ssl.trustStorePassword=<password> on the JVM that runs Liferay.
      keytool -import -alias tomcat -file server.crt -storepass changeit -keystore /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/cacerts
  4. Check that the certificate was properly imported; the listing should show the tomcat alias with an entry type of trustedCertEntry.
    keytool -list -alias tomcat -storepass changeit -keystore /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/cacerts
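The four steps above as one script. This is an added example, not code from the original post: it differs from the steps in two ways a practitioner would want, putting the hostname in a Subject Alternative Name as well as the CN (Java accepts either, current browsers ignore the CN and require a SAN), and importing the certificate into a dedicated truststore selected with JVM system properties instead of editing the global cacerts. It assumes the hostname localhost, the password changeit for both stores, and a scratch directory from mktemp; change HOST, PASS and WORKDIR for your setup. The server.xml connector then points keystoreFile at the printed keystore path.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed cert for Tomcat,
# exported and imported into a *dedicated* JVM truststore rather than cacerts.
# Assumed values: HOST=localhost, PASS=changeit, WORKDIR from mktemp.
set -eu

HOST="${HOST:-localhost}"
PASS="${PASS:-changeit}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/keystore"          # what Tomcat's connector points at
TRUSTSTORE="$WORKDIR/truststore.jks"  # what the JVM client trusts
CERT="$WORKDIR/server.crt"            # exported public certificate only

# Step 1: key pair plus self-signed cert. The hostname goes into the CN *and*
# a SAN entry: Java matches either against the URL host, browsers need the SAN.
gen_server_cert() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$HOST, OU=dev, O=example" \
        -ext "SAN=dns:$HOST,ip:127.0.0.1" \
        -storetype JKS -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS"
}

# Step 3a: export the certificate in PEM form; the private key stays in the keystore.
export_cert() {
    keytool -exportcert -alias tomcat -file "$CERT" -rfc \
        -keystore "$KEYSTORE" -storepass "$PASS"
}

# Step 3b: import it into a private truststore (created on first import).
# -noprompt answers keytool's "Trust this certificate?" question for a script.
import_cert() {
    keytool -importcert -noprompt -alias tomcat -file "$CERT" \
        -storetype JKS -keystore "$TRUSTSTORE" -storepass "$PASS"
}

# Step 4: verify. keytool -list fails when the alias is absent, and the entry
# type must be trustedCertEntry, so this doubles as a check in scripts.
verify_trusted() {
    keytool -list -alias tomcat -keystore "$TRUSTSTORE" -storepass "$PASS" \
        | grep -q trustedCertEntry
}

# System properties that make a JVM (the one running Liferay) use this
# truststore instead of the cacerts file under JAVA_HOME.
jvm_trust_flags() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" \
                   "-Djavax.net.ssl.trustStorePassword=$2"
}

setup_dev_tls() {
    gen_server_cert && export_cert && import_cert && verify_trusted
}

if command -v keytool >/dev/null 2>&1; then
    setup_dev_tls
    echo "server.xml: keystoreFile=\"$KEYSTORE\" keystorePass=\"$PASS\""
    echo "JVM flags:  $(jvm_trust_flags "$TRUSTSTORE" "$PASS")"
else
    echo "keytool not on PATH; install a JDK first" >&2
fi
```

Because the truststore is a separate file, nothing else on the machine starts trusting the dev certificate, and a JDK upgrade cannot wipe the import; the certificate expires after 365 days, at which point the script is simply re-run against a fresh WORKDIR.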
Also, make sure to enter your hostname for your "first and last name" (the CN) when creating the certificate in step 1.
In Chrome on my local machine I get a red address bar, "identity not verified", although the site is working,

but on my virtual Win7 machine with IE9 I get a page with
"Internet Explorer cannot display the webpage"

Any ideas?