resin.xml - Configuring Resin to use your private key and certificate

The OpenSSL configuration has two tags, certificate-file and certificate-key-file. These correspond exactly to mod_ssl's SSLCertificateFile and SSLCertificateKeyFile, so you can use the same certificates (and the same documentation) from mod_ssl for Resin.

The full set of parameters is in the port configuration.

resin.xml
<resin xmlns="http://caucho.com/ns/resin">
  <cluster id="http-tier">

    <server id="a" address="192.168.1.12">
      <http port="443">
        <openssl>
          <certificate-file>keys/gryffindor.crt</certificate-file>
          <certificate-key-file>keys/gryffindor.key</certificate-key-file>
          <password>my-password</password>
        </openssl>
      </http>
    </server>

    ...
  </cluster>
</resin>

The default Resin configuration lets you set up OpenSSL in resin.properties instead.

Setting up OpenSSL in resin.properties
# OpenSSL certificate configuration
openssl_file : keys/gryffindor.crt
openssl_key : keys/gryffindor.key
openssl_password : my-password

Testing SSL with the browser

A quick test is the following JSP.

Secure? <%= request.isSecure() %>

Testing the server with openssl

The openssl tool can be used as a client, showing some interesting information about the conversation between the client and the server:

unix$ openssl s_client -connect www.some.host:443 -prexit

Certificate Chains

A certificate chain is used when the signing authority is not an authority trusted by the browser. In this case, the signing authority uses a certificate which is in turn signed by a trusted authority, giving a chain of [your certificate] <-- signed by -- [untrusted signer] <-- signed by -- [trusted signer].

The Resin config parameter certificate-chain-file is used to specify a certificate chain. It is used to reference a file that is a concatenation of:

  1. your certificate file
  2. the intermediate (untrusted) certificate
  3. the root (trusted) certificate.

The certificates must be in that order, and must be in PEM format.

Example certificate chain for Instant SSL

Comodo (http://instantssl.com) is a signing authority that is untrusted by most browsers. Comodo has their certificate signed by GTECyberTrust.

Comodo gives you three certificates:

  1. your_domain.crt (signed by Comodo)
  2. ComodoSecurityServicesCA.crt (signed by GTE CyberTrust)
  3. GTECyberTrustRoot.crt (universally known root)

In addition to these, you have your key, your_domain.key. The contents of the file referred to by certificate-chain-file are a concatenation of the three certificates, in the order given above.

Creating a certificate chain file
$ cat your_domain.crt ComodoSecurityServicesCA.crt GTECyberTrustRoot.crt > chain.txt
resin.xml using a certificate chain file
<http port="443">
  <openssl>
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
    <certificate-file>keys/your_domain.crt</certificate-file>
    <certificate-chain-file>keys/chain.txt</certificate-chain-file>
    <password>test123</password>
  </openssl>
</http>

JSSE

We recommend avoiding JSSE if possible. It is slower than Resin's OpenSSL support and does not appear to be as stable as Apache or IIS (or Netscape/Zeus) for SSL. In addition, JSSE is far more complicated to configure. While we've never received problem reports for Resin using OpenSSL, or for SSL from Apache or IIS, JSSE issues are fairly frequent.

Install JSSE from Sun

This section gives a quick guide to installing a test SSL configuration using Sun's JSSE. It avoids as many complications as possible and uses Sun's keytool to create a server certificate.

In this configuration, Resin's SSL support is provided by Sun's JSSE. Because of export restrictions, patents, etc., you'll need to download the JSSE distribution from Sun or get a commercial JSSE implementation.

More complete JSSE installation instructions are at http://java.sun.com/products/jsse/install.html.

  1. First download Sun's JSSE.
  2. Uncompress and extract the downloaded file.
  3. Install the JSSE jar files: jsse.jar, jnet.jar, and jcert.jar. You can either put them into the CLASSPATH or you can put them into $JAVA_HOME/jre/lib/ext. Since you will use "keytool" with the new jars, you need to make them visible to keytool. Just adding them to resin/lib is not enough.
  4. Register the JSSE provider (com.sun.net.ssl.internal.ssl.Provider). Modify $JAVA_HOME/jre/lib/security/java.security so it contains something like:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider

    Adding the JSSE provider allows "keytool" to create a key using the RSA algorithm.

Create a test server certificate

The server certificate is the core of SSL. It identifies your server and holds the secret key that makes encryption work. You can obtain one in several ways:

  • Sun's keytool
  • A self-signed certificate using openssl
  • A test certificate from Thawte
  • A production certificate from one of the certificate authorities (Verisign, Thawte, etc.)

In this case, we're using Sun's keytool to generate the server certificate. Here's how:

resin1.2.b2> mkdir keys
resin1.2.b2> keytool -genkey -keyalg RSA -keystore keys/server.keystore
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  www.caucho.com
What is the name of your organizational unit?
  [Unknown]:  Resin Engineering
What is the name of your organization?
  [Unknown]:  Caucho Technology, Inc.
What is the name of your City or Locality?
  [Unknown]:  San Francisco
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is <CN=www.caucho.com, OU=Resin Engineering,
  O="Caucho Technology, Inc.", L=San Francisco, ST=California, C=US> correct?
  [no]:  yes

Enter key password for <mykey>
        (RETURN if same as keystore password):  changeit

Currently, the key password and the keystore password must be the same.

resin.xml

The Resin SSL configuration extends the http configuration with a few new elements.

<resin xmlns="http://caucho.com/ns/resin">
  <cluster id="">

    <server-default>

      <http port="8443">
        <jsse-ssl>
          <key-store-type>jks</key-store-type>
          <key-store-file>keys/server.keystore</key-store-file>
          <password>changeit</password>
        </jsse-ssl>
      </http>

    </server-default>
    ...

  </cluster>
</resin>

Testing JSSE

With the above configuration, you can test SSL with https://localhost:8443. A quick test is the following JSP.

Secure? <%= request.isSecure() %>