[Mifos-developer] SSL Certificate Installation on EC2 Instance Ubuntu


Ippez Robert

May 11, 2016, 11:33:53 AM
to Mifos software development
Hi Devs,
Please help me install a secure SSL certificate on an EC2 Amazon Instance.
I tried the following and it has now blocked access to the community-app

Certificate Installation: Java Based Web Servers (Tomcat) using keytool


Installing SSL Certificate Chain (Root, Intermediate(s) and the End Entity)

1. Import Root Certificate
      -> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore

2. Import Intermediate(s)
      -> keytool -import -trustcacerts -alias intermediate_filename -file intermediate_filename.crt -keystore domain.keystore

Note:

Depending on the type of certificate that was purchased, there may be more than one Intermediate certificate in the chain of trust. Please install all intermediates in numerical order until you get to the domain/end entity certificate.

In order to determine which chain of trust you have, please follow the article titled Which is Root? Which is Intermediate?

Example: UTNAddTrustSGCCA.crt would become UTNAddTrustSGCCA.

For more information on

3. Import Entity/Domain certificate
      -> keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore

You should receive a message: Certificate reply was installed in keystore if successful. It should NOT match the output of Step 1 or 2 above.

Note: If an alias was specified upon creation of the CSR then please use that alias instead of mykey.

4. Restart the Web Server Service.

Thanks Regards

Zayyad A. Said

May 11, 2016, 3:01:22 PM
to mifos-d...@lists.sourceforge.net
Ippez,

I assume you first generated a CSR and copied the text to request your certificate from your CA. I am also assuming that when generating the keystore you specified the common name as *.yourdomain.com

If my 2 assumptions above are correct and you have already received the certificate files from your SSL provider, then simply copy all those files into the same folder where your keystore file is placed.

Once that is done, restart the server and you should be good. This is a shortcut which I have personally tried.

Please note that the path where your keystore is must be specified in the server.xml file and also the password you used when generating the keystore. Confirm this is done before restarting the server.

Regards,

Zayyad A. Said


Ippez Robert

May 12, 2016, 6:09:29 AM
to Mifos Developer, mifos-d...@lists.sourceforge.net

Hi Zayyad,
I didn't specify the common name as *.yourdomain.com but rather yourdomain.com without "*.", so does it matter? I assume "*." will be for the tenants' protection.

I will try just that and get back.
Thanks
Regards
Ippez Robert

Zayyad A. Said

May 12, 2016, 8:25:43 AM
to ippez...@gmail.com, mifosde...@googlegroups.com, mifos-d...@lists.sourceforge.net
For a wildcard certificate, where you want security of all subdomains, you need to specify the common name as *.yourdomain.com. Looks like you will need to be reissued with a new certificate.

Let us know if we can be of further help.

Regards,

Zayyad A. Said
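
As an added example (not part of the original thread and not code from Mifos or the certificate provider): a shell helper that reads `keytool -list -v` output and reports whether the alias used in step 3 ended up as a `PrivateKeyEntry` carrying the full chain, and which common name its certificate has. The function names and the embedded listing are constructed for illustration.

```shell
#!/bin/sh
# Real use: keytool -list -v -keystore domain.keystore | check_keystore_entry mykey
# Prints "<entry type> <chain length> <leaf CN>". Returns 0 only when the alias
# is a PrivateKeyEntry with at least MIN_CHAIN certificates, 2 if it is absent.
check_keystore_entry() {
    alias_name=$1
    min_chain=${2:-3}   # end entity + intermediate + root, as in steps 1-3
    awk -v want="$alias_name" -v min="$min_chain" '
        /^Alias name: /  { cur = substr($0, 13); next }
        cur != want      { next }
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { len = $NF + 0 }
        # The first Owner line under an alias belongs to its leaf certificate.
        /^Owner: / && cn == "" {
            cn = $0
            sub(/^Owner: .*CN=/, "", cn)
            sub(/,.*/, "", cn)
        }
        END {
            if (type == "") { print "missing 0 -"; exit 2 }
            print type, len + 0, (cn == "" ? "-" : cn)
            exit !(type == "PrivateKeyEntry" && len >= min)
        }'
}

# Constructed sample of `keytool -list -v` output (abbreviated, not real data).
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: addtrustexternalcaroot
Creation date: May 11, 2016
Entry type: trustedCertEntry

Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

Alias name: mykey
Creation date: May 11, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=yourdomain.com, OU=Constructed Sample
Certificate[2]:
Owner: CN=Constructed Intermediate CA
EOF
}
```

A domain certificate that shows up as `trustedCertEntry`, or with a chain length of 1, was not attached to the private key generated with the CSR, and a reported CN of `yourdomain.com` rather than `*.yourdomain.com` shows at a glance that the certificate is not a wildcard one.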
