Sunday, April 15, 2012

How to make my browser trust my server certificate?

Hi Guys,

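I was exploring the SSL thing, and wanted to know what steps are involved in making my browser trust the certificate that the server is sending.

First of all, you need to generate a keystore (this needs to be done on the server side). The answer to the "first and last name" prompt becomes the CN of the certificate, so enter the host name used in the URL (here, localhost).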

C:\localhostCerts>keytool -genkey -alias server-alias -keyalg RSA -keypass welcome -storepass welcome -keystore localhost.jks
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  NSEL
What is the name of your organization?
  [Unknown]:  NSEL
What is the name of your City or Locality?
  [Unknown]:  NOIDA
What is the name of your State or Province?
  [Unknown]:  UP
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=localhost, OU=NSEL, O=NSEL, L=NOIDA, ST=UP, C=IN correct?
  [no]:  yes


C:\localhostCerts>dir
 Volume in drive C has no label.
 Volume Serial Number is CE67-DC0D

 Directory of C:\localhostCerts

15-Apr-2012  01:10 PM    <DIR>          .
15-Apr-2012  01:10 PM    <DIR>          ..
15-Apr-2012  01:10 PM             1,338 localhost.jks
               1 File(s)          1,338 bytes
               2 Dir(s)  343,529,140,224 bytes free

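The above command has generated a keystore (on the server side).

Now export the server certificate from the keystore (and send it to the client side). The exported file contains only the certificate; the private key stays in localhost.jks.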

C:\localhostCerts>keytool -export -alias server-alias -storepass welcome -file server.cer -keystore localhost.jks
Certificate stored in file <server.cer>

C:\localhostCerts>dir
 Volume in drive C has no label.
 Volume Serial Number is CE67-DC0D

 Directory of C:\localhostCerts

15-Apr-2012  01:11 PM    <DIR>          .
15-Apr-2012  01:11 PM    <DIR>          ..
15-Apr-2012  01:10 PM             1,338 localhost.jks
15-Apr-2012  01:11 PM               563 server.cer
               2 File(s)          1,901 bytes
               2 Dir(s)  343,560,626,176 bytes free

Make the changes in server.xml

Make the changes as given in step 2 of http://javakafunda.blogspot.in/2012/04/how-to-configure-tomcat-to-support-ssl.html.
(Take care of the file name.)

Save server.xml on the server, restart Tomcat, and access https://localhost:8443/

You'll see a warning page, because Google Chrome doesn't trust the certificate that was provided by the server.

Check untrusted certificate on client side

If you open server.cer (provided by the server) by double-clicking it, you can see the message given below:

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities Store

How to add this certificate to Trusted Root Certification Authorities in Google Chrome?

  1. Tools -> Settings
  2. Click on Show advanced settings at the bottom of the page
  3. Click on Manage Certificates
  4. Click on Trusted Root Certification Authorities tab
  5. Click on Import
  6. Select server.cer from your machine
  7. Next, Next, and Finish
  8. You should get an import successful message

Open server.cer again; it should now be shown as trusted.


If you open https://localhost:8443/ in IE or Google Chrome, you will NOT see the warning, and you'll notice the lock in the address bar.
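
The same import done from PowerShell, with a check that server.cer is really the certificate generated on the server before it is trusted. This is an added example, not part of the original post. It assumes Windows with the PKI module (Import-Certificate), and that $ExpectedSha1 is the SHA1 fingerprint printed on the server by keytool -list -v for localhost.jks.

```powershell
# Added example (not from the original post). Run on the client machine.
param(
    [string]$CertPath = 'C:\localhostCerts\server.cer',   # file name used in the post
    [Parameter(Mandatory)]
    [string]$ExpectedSha1   # SHA1 line from: keytool -list -v -alias server-alias -keystore localhost.jks
)

$ErrorActionPreference = 'Stop'

# Load the exported certificate (keytool -export writes DER unless -rfc is given).
$full = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

# keytool prints AA:BB:...; Windows shows the thumbprint without separators.
$expected = ($ExpectedSha1 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# A keystore created with -genkey holds a self-signed certificate:
# subject and issuer are the same name.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed: issuer is '$($cert.Issuer)'"
}

"Subject   : $($cert.Subject)"
"Valid     : $($cert.NotBefore) to $($cert.NotAfter)"
"Thumbprint: $($cert.Thumbprint)"

# The store shown on the 'Trusted Root Certification Authorities' tab,
# for the current user only. Windows asks for confirmation before adding a root.
$store = 'Cert:\CurrentUser\Root'
Import-Certificate -FilePath $full -CertStoreLocation $store | Out-Null

# Confirm the certificate is now in the store.
if (-not (Test-Path -LiteralPath (Join-Path $store $cert.Thumbprint))) {
    throw 'Certificate was not added to the store'
}
"Imported into $store"

# To remove the trust again once testing is finished:
#   Remove-Item -LiteralPath "Cert:\CurrentUser\Root\<thumbprint>"
```

Comparing the thumbprint first means that only the certificate that came out of localhost.jks ends up in the root store, not a file that was swapped on the way to the client.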




