I was exploring SSL and wanted to know what steps are involved in making my browser trust the certificate that the server sends.
First of all, you need to generate a keystore (this is done on the server side).
    C:\localhostCerts>keytool -genkey -alias server-alias -keyalg RSA -keypass welcome -storepass welcome -keystore localhost.jks
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  NSEL
    What is the name of your organization?
      [Unknown]:  NSEL
    What is the name of your City or Locality?
      [Unknown]:  NOIDA
    What is the name of your State or Province?
      [Unknown]:  UP
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=localhost, OU=NSEL, O=NSEL, L=NOIDA, ST=UP, C=IN correct?
      [no]:  yes

    C:\localhostCerts>dir
     Volume in drive C has no label.
     Volume Serial Number is CE67-DC0D

     Directory of C:\localhostCerts

    15-Apr-2012  01:10 PM    <DIR>          .
    15-Apr-2012  01:10 PM    <DIR>          ..
    15-Apr-2012  01:10 PM             1,338 localhost.jks
                   1 File(s)          1,338 bytes
                   2 Dir(s)  343,529,140,224 bytes free
The above command has generated a keystore (on the server side).
Now export the server certificate from that keystore (and send it to the client side):
    C:\localhostCerts>keytool -export -alias server-alias -storepass welcome -file server.cer -keystore localhost.jks
    Certificate stored in file <server.cer>

    C:\localhostCerts>dir
     Volume in drive C has no label.
     Volume Serial Number is CE67-DC0D

     Directory of C:\localhostCerts

    15-Apr-2012  01:11 PM    <DIR>          .
    15-Apr-2012  01:11 PM    <DIR>          ..
    15-Apr-2012  01:10 PM             1,338 localhost.jks
    15-Apr-2012  01:11 PM               563 server.cer
                   2 File(s)          1,901 bytes
                   2 Dir(s)  343,560,626,176 bytes free
Make the changes in server.xml (take care of the file name).
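The server.xml change itself is not shown on the page, so here is an added example (not from the original post) that writes the HTTPS Connector into Tomcat's server.xml from PowerShell. It assumes the classic Tomcat connector attributes (SSLEnabled, keystoreFile, keystorePass, clientAuth, sslProtocol), a Tomcat install at C:\tomcat, and the localhost.jks path and "welcome" store password from the keytool commands above; the keystoreFile attribute is the "file name" to take care of.

```powershell
# Added example, not part of the original post.
# Adds or updates the HTTPS Connector in Tomcat's server.xml so Tomcat serves
# the self-signed certificate in localhost.jks on port 8443.
# Assumptions: Tomcat 7-style connector attributes, Tomcat installed under
# C:\tomcat, keystore and store password as produced by the keytool step above.
param(
    [string]$ServerXml = 'C:\tomcat\conf\server.xml',          # assumed Tomcat location
    [string]$Keystore  = 'C:\localhostCerts\localhost.jks',   # keystore from keytool -genkey
    [string]$StorePass = 'welcome',                           # -storepass used above
    [int]   $Port      = 8443
)

# Keep a copy first: a malformed server.xml stops Tomcat from starting at all.
Copy-Item -Path $ServerXml -Destination "$ServerXml.bak" -Force

[xml]$doc = Get-Content -Path $ServerXml -Raw
$service = $doc.SelectSingleNode('/Server/Service[@name="Catalina"]')
if (-not $service) { throw "No <Service name='Catalina'> element found in $ServerXml" }

# Reuse a Connector already bound to this port instead of adding a duplicate
# (Tomcat refuses to start when two connectors claim the same port).
$connector = $service.SelectSingleNode("Connector[@port='$Port']")
if (-not $connector) {
    $connector = $doc.CreateElement('Connector')
    # Connectors precede the Engine element in server.xml; keep that order.
    $engine = $service.SelectSingleNode('Engine')
    if ($engine) { [void]$service.InsertBefore($connector, $engine) }
    else         { [void]$service.AppendChild($connector) }
}

# keystoreFile must be the full path of the .jks that keytool created; a wrong
# path is the usual reason the 8443 connector fails to come up after a restart.
$attrs = [ordered]@{
    port         = "$Port"
    protocol     = 'org.apache.coyote.http11.Http11NioProtocol'
    SSLEnabled   = 'true'
    scheme       = 'https'
    secure       = 'true'
    clientAuth   = 'false'        # server authentication only, no client certificates
    sslProtocol  = 'TLS'
    keystoreFile = $Keystore
    keystorePass = $StorePass     # stored in clear text, so restrict read access to server.xml
}
foreach ($kv in $attrs.GetEnumerator()) { $connector.SetAttribute($kv.Key, $kv.Value) }

$doc.Save($ServerXml)
Write-Host "HTTPS connector written to $ServerXml; restart Tomcat and open https://localhost:$Port/"
```

Run it once with the paths adjusted to your machine, then restart Tomcat as the post says. If the connector does not come up, catalina.log will name the keystore it could not open, which is the quickest way to spot a wrong keystoreFile or keystorePass.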
Save server.xml on the server, restart Tomcat, and open https://localhost:8443/.
You'll see a page like the one below.
As you can see, Google Chrome doesn't trust the certificate provided by the server: it is self-signed, so no CA in the browser's trust store vouches for it.
Check the untrusted certificate on the client side:
This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities Store
How do you add this certificate to the Trusted Root Certification Authorities store for Google Chrome?
- Tools -> Settings
- Click on Show advanced settings at the bottom of the page
- Click on Manage Certificates
- Click on Trusted Root Certification Authorities tab
- Click on Import
- Select server.cer from your machine
- Next, Next, and Finish
- You should get an "import successful" message
Open server.cer again, and now you should see the certificate as follows.
If you open https://localhost:8443/ in IE or Google Chrome, you will NOT see the warning, and in the address bar you'll notice the lock.
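The Chrome dialog steps above write into the Windows certificate store that both Chrome and IE consult. As an added example (not from the original post), the same import done from PowerShell with the .NET X509Store API, together with a check that shows why the browser warned before the import and whether the certificate's name matches the URL. It assumes server.cer is the DER file exported by keytool above and sits in C:\localhostCerts, and that the target is the current user's Trusted Root Certification Authorities store ("Root").

```powershell
# Added example, not part of the original post.
# Imports server.cer into the current user's Trusted Root store (the same
# thing the Chrome "Manage Certificates -> Import" dialog does) and prints
# the properties that decide whether the browser will trust it.
# Assumption: server.cer is the DER certificate exported by keytool above.
param([string]$CerPath = 'C:\localhostCerts\server.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Why the browser complained: a self-signed certificate is its own issuer, so
# no certificate already in the Trusted Root store can complete the chain.
$selfSigned = ($cert.Subject -eq $cert.Issuer)
Write-Host "Subject     : $($cert.Subject)"
Write-Host "Issuer      : $($cert.Issuer)"
Write-Host "Valid until : $($cert.NotAfter)"
Write-Host "Self-signed : $selfSigned"
Write-Host "Chains to a trusted root before import: $($cert.Verify())"

# Equivalent of Settings -> Manage Certificates -> Trusted Root -> Import.
# Windows shows the same "install this root certificate?" confirmation it shows
# for the GUI import; nothing is written to the store until it is accepted.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
$store.Open('ReadWrite')
try {
    $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($present.Count -eq 0) {
        $store.Add($cert)
        Write-Host "Imported $($cert.Thumbprint) into CurrentUser\Root"
    } else {
        Write-Host "Thumbprint $($cert.Thumbprint) is already in CurrentUser\Root"
    }
}
finally { $store.Close() }

# Trust alone is not enough: the host name in the URL must match the name in the
# certificate, which is why the keytool prompt above was answered with "localhost".
Write-Host "Chains to a trusted root after import : $($cert.Verify())"
Write-Host "Certificate host name                 : $($cert.GetNameInfo('DnsName', $false))"
```

Two things worth knowing when you repeat this today rather than in 2012: current Chrome ignores the CN and requires the host name in a subjectAltName extension (keytool can add one with `-ext SAN=dns:localhost` at `-genkey` time), and anything placed in the Trusted Root store is trusted for every site, so a development certificate like this one should be removed from the store again (or kept with a short validity) once it is no longer needed.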