Wednesday, October 07, 2009

Requesting, buying and importing an SSL certificate

So here it is: I am embarrassed after a two-day-long journey to buy and import an SSL certificate from Thawte. It was not their fault, only mine, and I thought it might help people if I share:

First I want to say that I bought an SSL123 certificate. What I am saying here may not apply to other types of certificates, but it may still give you a hint. I used Java's keytool for all the command lines appearing below.

So here are the correct steps:

1.) Generate an RSA key pair. Important: as of the date of this post, they only support RSA.

keytool -keystore path_to_keystore -genkeypair -keyalg RSA -alias jetty

You cannot secure an IP address with a certificate, only a domain name, e.g. yourdomain.com. The common name of your certificate (keytool will prompt you for it as your "first and last name") must be yourdomain.com.

2.) Generate the certificate signing request (CSR):

keytool -keystore path_to_keystore -certreq -keyalg RSA -alias jetty

VITAL: keep the keystore file somewhere you can find it later, and don't change, tamper with or delete anything in it. Just keep it safe as it is!

The CSR looks something like this:

-----BEGIN CERTIFICATE REQUEST-----
AAAAERERRRTERTDASDASYDASDMAN312312312DASDASd etc etc
blablalonger stuff here
-----END CERTIFICATE REQUEST-----

3.) Go to their site, choose the certificate you want to buy and make sure you get at least the following options right:

When you paste your CSR, press the "test your CSR" button to make sure all the information contained in it is valid.

Choose Tomcat as the server software if you will deploy on Tomcat or Jetty. Otherwise choose the server you are using; if it's not listed, ASK support what to put there. At the bottom of the support page you'll see a live chat button; use it, as they are very responsive. If you use Tomcat/Jetty and don't choose Tomcat as the server software, they will not issue a PKCS7 but a generic certificate, and you won't be able to import it later!

The tax number is the VAT number, in case you're buying for a company registered in the European Union.

4.) They'll take you through the verification process and send you back the certificate, which looks just like the CSR string but with a PKCS7 header and footer:

-----BEGIN PKCS7-----
blablatons of things here
-----END PKCS7-----

5.) Save that string to a file named certificate.txt using Notepad (on Windows), not WordPad or anything else that would mess with the formatting, insert spaces or the like.

6.) Run this:

keytool -import -trustcacerts -file certificate.txt -keystore path_to_keystore -alias jetty

VITAL: it needs to be the same keystore from which you generated the CSR, untampered and unchanged, at least as far as the alias you used to generate the CSR is concerned. So the alias you generated the CSR from must still be there!

If you see something like 'Certificate reply was installed in keystore', you're done.

If you get something like

"keytool error: java.lang.Exception: Input not an X.509 certificate"

then it may be that you didn't save the certificate correctly, or that you tampered with the keystore. However, this error can appear for a thousand reasons other than the type of your certificate.
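A pre-import sanity check for certificate.txt, added here as an example (not code from the original post, from Thawte or from keytool): it catches the formatting problems described above, such as the CSR pasted back instead of the reply, whitespace added by an editor, or broken base64, before keytool produces its generic "Input not an X.509 certificate" error. The sample file contents are constructed placeholders, not a real certificate.

```python
import base64
import binascii
import re

# Labels keytool -import accepts as a certificate reply: the PKCS7 bundle Thawte
# sends when "Tomcat" is chosen as server software, or a plain X.509 certificate.
ACCEPTED_LABELS = ("PKCS7", "CERTIFICATE")


def check_certificate_reply(text):
    """Return (ok, problems) for the text of a saved certificate.txt."""
    problems = []
    # Drop a BOM and blank lines; both are harmless here, the rest is not.
    lines = [l for l in text.lstrip("\ufeff").splitlines() if l.strip()]
    if len(lines) < 3:
        return False, ["file does not contain a PEM block"]
    head = re.fullmatch(r"-----BEGIN ([A-Z0-9 ]+)-----", lines[0].strip())
    foot = re.fullmatch(r"-----END ([A-Z0-9 ]+)-----", lines[-1].strip())
    if not head or not foot:
        return False, ["missing or malformed BEGIN/END lines"]
    if head.group(1) != foot.group(1):
        problems.append("BEGIN and END labels differ")
    if head.group(1) not in ACCEPTED_LABELS:
        problems.append(f"label {head.group(1)!r} is not a certificate reply")
    body = lines[1:-1]
    for n, line in enumerate(body, start=2):  # damage an editor such as WordPad does
        if line != line.strip():
            problems.append(f"line {n} has leading/trailing whitespace")
        elif " " in line:
            problems.append(f"line {n} has spaces inside the base64 data")
    try:
        der = base64.b64decode("".join(l.strip() for l in body), validate=True)
    except binascii.Error:
        return False, problems + ["body is not valid base64"]
    # Both a PKCS#7 ContentInfo and an X.509 Certificate are a DER SEQUENCE (0x30).
    if not der or der[0] != 0x30:
        problems.append("decoded data is not a DER SEQUENCE")
    return not problems, problems


# Constructed stand-in for the base64 body (a tiny DER SEQUENCE, not a real cert).
_FAKE_DER = base64.b64encode(bytes.fromhex("3003020105")).decode()
GOOD_REPLY = f"-----BEGIN PKCS7-----\n{_FAKE_DER}\n-----END PKCS7-----\n"
# Two mistakes from the post: the CSR pasted back and trailing spaces added by an editor.
BAD_REPLY = f"-----BEGIN CERTIFICATE REQUEST-----\n{_FAKE_DER}  \n-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    for name, content in (("good", GOOD_REPLY), ("bad", BAD_REPLY)):
        ok, problems = check_certificate_reply(content)
        print(name, "ok" if ok else problems)
```

Run it against the real certificate.txt by reading the file and passing its contents to check_certificate_reply; an empty problem list means the file is at least well-formed before you hand it to keytool.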

Take this information more as a guide than as "religion", use it without any guarantees, and whatever you do not understand or are not sure of, contact their support; otherwise you may find yourself buying something totally different from what you actually need or want.
