Liferay and SSL

Introduction

So I've got my Liferay site up and running under Tomcat and fronted by Apache HTTPd. The next thing I wanted to do was add an SSL certificate so that I could get it all under HTTPS...

VeriSign, Thawte and Network Solutions are usually the names that come to mind when you want to get an SSL certificate.

A quick Google search, however, yields scores of other companies that provide SSL certificates. After pricing a bunch of them, I finally settled on a certificate from GoDaddy. At $12.99 per certificate per year, it's hard to beat the price, and their certificates are recognized by most browsers.

For the most part the instructions for getting a certificate on the GoDaddy site are straight-forward. There were a few hiccups along the way, mostly due to my use of the Apache Portable Runtime (APR) in conjunction with Apache HTTPd and Tomcat.

So I'm going to lay out all of the steps that I had to take in order to request the certificate, get the certificate, install the certificate in Apache and Tomcat, and finally get it all working.

Create the Certificate Signing Request

Creating the CSR, or Certificate Signing Request, is a fairly simple process. Since we're getting a certificate to install into both Apache and Tomcat, you could follow either of two different sets of instructions, one for each server. Since I think (but do not know for sure) that getting the certificate into Tomcat is going to be the harder of the two, I elected to follow the Tomcat instructions.

To generate the CSR for Tomcat, you have a number of commands to execute in the shell to create the CSR file, and then you have to paste the contents of the CSR file into the GoDaddy form. The GoDaddy instructions for creating the CSR are here.

The first step involves creating the keystore that Tomcat will be referencing. You'll need to know where on the filesystem your keystore will be stored, because you'll eventually be pointing Tomcat to it for usage. On my Gentoo system, certificates are usually in the /etc/ssl directory, so that's where I built mine. I created the /etc/ssl/tomcat directory and then cd'd to that directory. The remainder of the shell script commands were all executed from this directory.

Creating the keystore involves running the following command:

$ keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

When you type this command, you'll be prompted with a series of questions, and the GoDaddy instructions tell you what needs to go into each field.

If you don't want to go through the prompts, a web-based form for building the command to create the keystore can be found at digicert.com. Note that you'll have to edit the script they generate to change the alias specified above, but otherwise the tool works quite well.

Next you need to generate the CSR using the following command:

$ keytool -certreq -keyalg RSA -alias tomcat -file <your file name>.csr -keystore tomcat.keystore

Replace <your file name> with the CSR filename you want to use. The name is not that important because you don't actually send the file anywhere; you only paste its contents into the form. I named mine dnebinger.csr.

The part that is missing from the GoDaddy instructions relates to whether you are using the Apache Portable Runtime (as I am). When using the APR, you will need the private key that is currently stored inside the tomcat.keystore file. I couldn't find a way to extract the private key using keytool, but I did find a tool at https://code.google.com/p/java-exportpriv/ that can do it. Download the tool and run it as instructed at that link to get the key in PKCS#8 format, and redirect the output to a file. Give the file a .pem extension; I used the tool to create my dnebinger.pem file.

$ java ExportPriv /etc/ssl/tomcat/tomcat.keystore tomcat {keystore_password} > /etc/ssl/tomcat/<your file name>.pem

Cat your .csr file and copy it to the clipboard. Go to the GoDaddy form and paste in your CSR. You'll then have to wait for GoDaddy to create your certificate.

Wait for Your SSL Certificate

While waiting, I did get an email from GoDaddy indicating that they could not verify that I was in control of the domain (my whois information is blocked from public consumption, thank you Network Solutions!). One option was to create a specially named html file and serve it from my Apache web server. I followed the instructions to create the html file, naming it correctly and putting the right stuff inside. Since I have Apache fronting my Liferay/Tomcat and do not have html file extensions JkUnmount'd, I had to temporarily add a JkUnmount for html files so that when GoDaddy came looking for the file I'd be able to serve it up quickly and easily. I then went to the GoDaddy site and followed their further instructions for validating using the special file. Domain control was verified immediately, and they created the certificate.

Download Your SSL Certificates

So, next comes downloading the certificate. When downloading, you choose the type of server that you're installing the certificate into. I chose first to download the Tomcat version, then the Apache version. The certificates are downloaded in zip format, so you'll need to expand them. I extracted the Tomcat version to /etc/ssl/tomcat and the Apache one to /etc/ssl/apache.

Setup Tomcat to Use the Certificate

You don't really have to follow the Tomcat instructions for installing the certificate; it is actually quite easy. Since I'm using APR, I don't need to install the certificate into the keystore, but I do need the private key.

Using the certificate in Tomcat is a matter of editing the /opt/liferay/tomcat/conf/server.xml file (use whatever path is appropriate for your local environment). Find the <Connector /> tag for port 8443 and add the following attributes:

SSLCertificateFile="/etc/ssl/tomcat/dnebinger.crt"
SSLCertificateKeyFile="/etc/ssl/tomcat/dnebinger.pem"
SSLPassword="<your keystore password>"

And change the attribute for SSLProtocol so it says "TLSv1".
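Before restarting Tomcat it is worth confirming that the .pem key exported by ExportPriv really belongs to the downloaded .crt, and that the certificate chains through the intermediate bundle: if they don't go together, the APR connector will not start. The POSIX shell helpers below are an added example, not part of the original post; they assume openssl is on the PATH, that ExportPriv wrote an unencrypted PKCS#8 PEM key, and that the Tomcat zip's gd_bundle.crt was extracted to /etc/ssl/tomcat alongside the other files.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity-checks the files that the
# Tomcat APR connector (and the Apache vhost) are about to be pointed at.
# Assumes: openssl on PATH; the key is the unencrypted PKCS#8 PEM written by
# ExportPriv; the bundle is GoDaddy's gd_bundle.crt from the downloaded zip.

# Does the private key belong to the certificate? Compares the public key
# derived from the key with the one embedded in the cert. Prints "match" or
# "mismatch"; returns 0 on match, 1 on mismatch, 2 if a file is unreadable.
check_key_cert() {
  key="$1"; crt="$2"
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "unreadable key: $key"; return 2; }
  crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || { echo "unreadable cert: $crt"; return 2; }
  if [ "$key_pub" = "$crt_pub" ]; then
    echo match; return 0
  fi
  echo mismatch; return 1
}

# Does the leaf certificate chain through the intermediate bundle to a trusted
# root? With no third argument the system trust store is used; pass a root
# file to verify against a specific CA (useful for test certificates).
check_chain() {
  crt="$1"; bundle="$2"; root="${3:-}"
  if [ -n "$root" ]; then
    openssl verify -CAfile "$root" -untrusted "$bundle" "$crt" >/dev/null 2>&1
  else
    openssl verify -untrusted "$bundle" "$crt" >/dev/null 2>&1
  fi
}

# Is the key in the form the APR connector expects (a PEM private key, not a
# JKS keystore)? Returns 0 for a PEM private key header, 1 otherwise.
check_key_is_pem() {
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Usage with the paths from the post; only runs if the files are present.
if [ -r /etc/ssl/tomcat/dnebinger.pem ] && [ -r /etc/ssl/tomcat/dnebinger.crt ]; then
  check_key_is_pem /etc/ssl/tomcat/dnebinger.pem || echo "key is not a PEM private key"
  check_key_cert /etc/ssl/tomcat/dnebinger.pem /etc/ssl/tomcat/dnebinger.crt
  if check_chain /etc/ssl/tomcat/dnebinger.crt /etc/ssl/tomcat/gd_bundle.crt; then
    echo "chain ok"
  else
    echo "chain does not verify"
  fi
fi
```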

Setup Apache to Use the Certificate

Setting up Apache simply requires following GoDaddy's instructions. For my Gentoo system, I had to edit /etc/apache2/vhost.d/00_default_ssl_vhost.conf. For the SSLCertificateChainFile entry, they're referring to the gd_bundle.crt file that was part of the downloaded zip. The SSLCertificateKeyFile entry refers to the private key file that was created, in my case it is dnebinger.pem.

Setup Liferay to Use HTTPS

Since you've got this new certificate, you're going to want Liferay to use it. You need to edit your /opt/liferay/tomcat/webapps/ROOT/WEB-INF/classes/portal-ext.properties file and add the following entries:

  company.security.auth.requires.https=true
  session.enable.phishing.protection=false
  web.server.protocol=https

Conclusion

At this point everything should be configured and ready to go. Restart your Liferay/Tomcat and Apache servers, and then you can hit them using either the HTTP or HTTPS URLs. Since we've configured Liferay to prefer HTTPS, you should see that when you use the HTTP URL you will eventually be redirected to the HTTPS URL.

Enjoy!

Did you know you can get one for no cost?

http://www.startssl.com/

Step-by-step guide available here:
https://konklone.com/post/switch-to-https-now-for-free
Hello David,
Here you are using the same certificate for the Apache as well as the Tomcat side.
Is the same applicable when we deploy the application on the cloud and, instead of Apache HTTPd, there will be an ELB?
I have tried to use this blog and other ones over the net and used a simple self-signed certificate. The 8080 port is getting redirected to the https port and that is all good, but when I log in it loses the https port number, which is 8443, and gives a string like this below.
https://localhost/web/guest/welcome?p_p_id=58&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&_58_struts_action=%2Flogin%2Flogin

and I lose the page.

I am not sure if you folks have got this problem