
Setting up SSL for your Development Environment

Company Blogs December 1, 2010 By Michael Young Staff

Recently I needed to set up SSL in my development environment in order to debug an issue. I needed to make sure that 

  • Tomcat could serve SSL content properly
  • As an HTTP client, the JVM could accept a self-signed (untrusted) certificate. If you've ever come across a website that asked you if you want to accept an untrusted certificate, this is basically the same thing, but there's no UI to import certificates into the JVM.

While this sounds simple to do, there's a lot of scattered information on the web about setting this up and nothing that matched the exact use case that I needed.

  1. Create a self-signed certificate using keytool. The following command creates a keystore file named keystore that contains one self-signed certificate. I used the password "changeit", but you can use whatever you want. Just make sure the Tomcat configuration uses the same password.
    keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
  2. Configure Tomcat to use the certificate / keystore that we just generated. This tells Tomcat to send the certificate whenever you access the server at https://host:8443. In server.xml, look for the SSL connector:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" 
        keystoreFile="/Users/myoung/projects/portal/trunk/tomcat/keystore" 
        keystorePass="changeit" />
     
  3. Import the certificate into the JVM's keystore. This tells the JVM that this is a "trusted" certificate, so that when Liferay makes HTTPS requests to Tomcat it will proceed without errors.
    • Export the certificate from the keystore you generated in step 1. This extracts only the certificate, not the private key, so that you can import it into the JVM's store.
      keytool -export -alias tomcat -storepass changeit -file server.crt -keystore keystore
    • Import the cert into the JVM. "cacerts" is the filename of the JVM keystore. The path will be different on Windows (should be in %JAVA_HOME%/jre/lib/security/cacerts).
      keytool -import -alias tomcat -file server.crt -storepass changeit -keystore /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/cacerts
  4. Check that the certificate was properly imported.
    keytool -list -storepass changeit -keystore /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/cacerts
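
Steps 1, 3 and 4 as non-interactive shell functions, added here as an example and not part of the original post. Assumptions: the CN is passed in as the hostname, the certificate goes into a separate truststore file (called dev-truststore here, a hypothetical name) instead of the JVM-wide cacerts, and step 4 compares SHA-256 fingerprints rather than reading the whole -list output.

```shell
#!/bin/sh
# Added example, not from the original post. Requires keytool from a JDK.
PASS=changeit   # development-only password, as used in the post

# Step 1: self-signed key pair. -dname sets the CN, so nothing is prompted.
make_keystore() {   # $1 = keystore path, $2 = hostname to use as the CN
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2" -keystore "$1" -storepass "$PASS" -keypass "$PASS"
}

# Step 3: export the public certificate only, then import it as trusted.
# The truststore file is created if it does not exist yet.
trust_cert() {      # $1 = keystore, $2 = truststore, $3 = scratch .crt file
    keytool -exportcert -alias tomcat -file "$3" \
        -keystore "$1" -storepass "$PASS" &&
    keytool -importcert -noprompt -alias tomcat -file "$3" \
        -keystore "$2" -storepass "$PASS"
}

# SHA-256 fingerprint line of the "tomcat" entry; empty if store or alias is missing.
fingerprint() {     # $1 = store path
    keytool -list -v -alias tomcat -keystore "$1" -storepass "$PASS" 2>/dev/null |
        grep 'SHA256:' | head -n 1 | tr -d ' \t'
}

# Step 4: the import worked if both stores hold the same certificate.
same_cert() {       # $1 = keystore, $2 = truststore
    a=$(fingerprint "$1")
    b=$(fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

To use the separate truststore, start the client JVM with -Djavax.net.ssl.trustStore pointing at it. That setting replaces cacerts for that JVM, so create dev-truststore as a copy of cacerts first if the application also calls public HTTPS endpoints.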
Threaded Replies Author Date
Nice Post, Michael. It's very helpful... Pravin Pawar December 2, 2010 4:49 AM
Thanks Michael .. I have achieved the SSL with... Navin Agarwal November 2, 2011 9:58 PM
Also, make sure to enter your hostname for your... Dennis Ju December 9, 2011 2:43 PM
In chrome on my local machine i get a red... Nico Bijl October 30, 2013 8:41 AM
Ignore that, i just forgot to change the hosts... Nico Bijl October 31, 2013 1:19 AM

Nice Post, Michael. It's very helpful...
Posted on 12/2/10 4:49 AM.
Thanks Michael .. I have achieved the SSL with HTTPS configuration .. thanks a lot
Posted on 11/2/11 9:58 PM.
Also, make sure to enter your hostname for your "first and last name" (the CN) when creating the certificate in step 1.
Posted on 12/9/11 2:43 PM.
In Chrome on my local machine I get a red address bar "identity not verified" although the site is working,

but on my virtual Win7 machine with IE9 I get a page with
"Internet Explorer cannot display the webpage"

Any ideas?
Posted on 10/30/13 8:41 AM.
Ignore that, I just forgot to change the hosts file.. now it works
Posted on 10/31/13 1:19 AM in reply to Nico Bijl.