SSL
Configuring HTTPS (Server Side Only)
To configure PaperTrail to use HTTPS:
- Create a Java key store (JKS) with the name keystore and place it in the conf directory
- Specify the keystore password via http.ssl.password
- Check Properties -> HTTPS -> Enable (http.ssl) to true
- Set the HTTPS port (http.ssl.port) to 443 or 8443
- Check Force SSL (http.ssl.force) to always redirect from HTTP to HTTPS
Tip: Try KeyStore Explorer or portecle for importing and converting certificates from a variety of formats.
Converting PKCS#7 to PKCS#12
openssl pkcs12 -export -in server.crt -inkey server.key -out keystore.p12 -name www
Converting PKCS#12 to JKS
keytool -importkeystore -destkeystore keystore -deststoretype JKS -srckeystore keystore.p12 -srcstoretype PKCS12
Import Root and Intermediate CAs
For browsers to fully validate the server certificate, all intermediate and root certificates should be bundled into the JKS certificate chain.
keytool -import -trustcacerts -alias root -file root.crt -keystore keystore
Verifying
To verify that the keystore is configured correctly:
keytool -list -keystore keystore
Which should produce something like:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

*.papertrail.co.za, Oct 29, 2015, PrivateKeyEntry,
The last line has the syntax {CN} {Expiry} {Key Type}:
- {CN} should match the hostname you access PaperTrail by
- {Key Type} must be PrivateKeyEntry
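The two conditions above can be checked automatically instead of by eye. The following POSIX shell script is an added example and is not part of PaperTrail's documentation: it parses a keytool -list listing (constructed sample output is embedded; in real use pass the output of keytool -list -keystore keystore) and checks that the keystore holds a PrivateKeyEntry whose name matches the host, with wildcard names handled the way browsers match them. It also flags the common mistake of importing the server certificate with keytool -import, which yields a trustedCertEntry with no private key. Note that keytool prints the entry alias first; the page expects that alias to equal the certificate CN, and the script follows that convention.

```shell
#!/bin/sh
# Added example, not part of PaperTrail's documentation: check the output of
#   keytool -list -keystore keystore
# for a PrivateKeyEntry whose alias matches the host PaperTrail is reached by.
# Real use:  check_listing "$(keytool -list -keystore keystore)" www.example.com
set -u

# Constructed listing of a correctly built keystore (server key + root CA).
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

*.papertrail.co.za, Oct 29, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
root, Oct 29, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Constructed listing of a common mistake: the server certificate was added with
# "keytool -import" instead of "keytool -importkeystore", so the keystore holds
# the certificate but no private key and the server cannot terminate TLS with it.
BAD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

www.papertrail.co.za, Oct 29, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# cn_matches_host CN HOST: true when CN equals HOST, or CN is a wildcard
# "*.suffix" covering exactly one extra label (how browsers match wildcards).
cn_matches_host() {
  cn=$1; host=$2
  case "$cn" in
    \*.*)
      suffix=${cn#\*.}
      label=${host%%.*}
      [ -n "$label" ] && [ "$host" = "$label.$suffix" ]
      ;;
    *)
      [ "$cn" = "$host" ]
      ;;
  esac
}

# check_listing LISTING HOST: returns 0 if LISTING contains a PrivateKeyEntry
# whose alias matches HOST; explains the failure on stderr otherwise.
check_listing() {
  listing=$1; host=$2
  found=0
  while IFS= read -r line; do
    case "$line" in
      *Entry,)                                 # "alias, Mon DD, YYYY, Type,"
        entry_alias=${line%%,*}                # text before the first comma
        entry_type=${line%,}                   # drop the trailing comma ...
        entry_type=${entry_type##*", "}        # ... and keep the last field
        if [ "$entry_type" = PrivateKeyEntry ] && cn_matches_host "$entry_alias" "$host"; then
          found=1
        elif [ "$entry_type" = trustedCertEntry ] && cn_matches_host "$entry_alias" "$host"; then
          echo "warning: '$entry_alias' is a trustedCertEntry: certificate imported without its private key" >&2
        fi
        ;;
    esac
  done <<EOF
$listing
EOF
  if [ "$found" -eq 1 ]; then
    return 0
  fi
  echo "no PrivateKeyEntry in the keystore matches $host" >&2
  return 1
}

# Demonstration on the constructed listings.
for h in www.papertrail.co.za papertrail.co.za; do
  if check_listing "$GOOD_LISTING" "$h"; then echo "$h: OK"; else echo "$h: FAIL"; fi
done
check_listing "$BAD_LISTING" www.papertrail.co.za || echo "certificate-only keystore: FAIL"
```

The wildcard check deliberately rejects the bare domain (papertrail.co.za) and multi-label names for a *.papertrail.co.za entry, since a browser would reject those too; if the listing only shows a trustedCertEntry under the server's name, rebuild the keystore with keytool -importkeystore from the PKCS#12 file so the private key is included.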
Configuring Client Authentication (Mutual SSL)
- Configure server-side SSL as above
- Create a new JKS file called truststore containing the trusted CAs
- Check Require Client Certificates (http.ssl.client.require)
Requiring client certificates means every client must present a certificate issued by one of the CAs in the truststore.
The certificate's Common Name (CN) is matched against the login field to map the certificate to a user.