Enable HTTPS on WebSphere Liberty

Thing you want to do

It seems that it is essential to convert my own web application to HTTPS when I try to run it on Google's Lighthouse, so Liberty I tried the method of using HTTPS in.

SAN required

I thought that it would not be difficult to use HTTPS communication using a self-signed certificate, but in the past it was OK if the Common Name (CN) was set, but since Chrome 58, the certificate is Subject Alternative. Since it requires that the Name (SAN) be registered, it is necessary to create a certificate that includes the SAN. スクリーンショット 2019-05-01 17.56.12.png

Tried environment

What happens to the certificate generated by default?

Launching WebSphere Liberty with the ssl-1.0 feature enabled will generate a file called key.p12 in ʻuser / servers / (server-name) / resources / security. This file is a PKCS12 format file that contains the private key and public key certificate. The file has a password, and specify the password in the element ofserver.xml`.

The method of checking the contents is as follows (password is specified by <keyStore>). You can see that the certificate is registered with an alias called default.

keytool -v -list -keystore key.p12

Procedure for creating a certificate with SAN

Obtain the private key and create a certificate with SAN from it. It seems that the private key can be extracted from the p12 file generated by default (described later), but here I will create it from scratch. With iTerm.app, I used Terminal.app because keyboard input does not work when the password is requested when executing the openssl command.

#Create a private key
openssl genrsa 2048 > default.key

# Certificate Signing Request(CSR,Certificate signing request)To create
#You will be asked for Country Name etc. At least Common Name(CN)Must be localhost
openssl req -new -key default.key > default.csr

#Create an input file so that the SAN is localhost
echo subjectAltName=DNS:localhost > default-san.ext

#Create a certificate
openssl x509 -days 3650 -sha256 -req -signkey default.key < default.csr > default.crt -extfile default-san.ext

#Create a PKCS12 format keystore
openssl pkcs12 -export -in default.crt -inkey default.key -out default.p12 -name default

#Confirm that the Subject Alternative Name is included in the certificate in the created p12 file.
keytool -v -list -keystore default.p12 -storetype pkcs12

Register the certificate in your Mac keychain

Start Keychain Access.app and open "Login" and "Certificate" from the left pane. A list of certificates is displayed in the right pane. Add the default.crt created in the above procedure by dragging and dropping. After adding, change the SSL part to "always trust".

スクリーンショット 2019-05-01 17.58.00.png

If you access it again with Chrome, you can access it without a warning message when using a self-signed certificate. スクリーンショット 2019-05-01 19.36.31.png

reference

How to retrieve private key and certificate from p12 file

You can retrieve it with the following command. As mentioned above, I used Terminal.app because password input does not work with iTerm.app.

#Take out the private key
openssl pkcs12 -in key.p12 -nocerts -nodes -out privatekey
#Take out the certificate
openssl pkcs12 -in key.p12 -clcerts -nokeys -out default2.crt

p12 or jks

I thought that it was jks format instead of p12 in the past, so when I looked at the Issue of Open Liberty, it may have changed from 19.0.0.3. It seems that p12 is generally recommended.

Recommended Posts

Enable HTTPS on WebSphere Liberty
Enable Openjdk10 and maven on CentOS
Enable Java 8 and Java 11 SDKs on Ubuntu