
Using my certificate CA

Question asked by julienvincendeau on Jun 8, 2015
Hello,
I want to use a non-self signed certificate.
I've got a CA Certificate from GeoTrust.
Following <a href="https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/configuration/alfresco-and-https-solved">this topic</a>, I'm generating a self-signed certificate on 8843 and I want to use my certificate on 443.
This is my certificate integration script:

@rem Site-specific settings: adjust the values below before running.
@rem For an installation created by the Alfresco installer, ALFRESCO_HOME is the only one that normally needs editing.

@rem Root of the Alfresco installation
set "ALFRESCO_HOME=E:\Alfresco"
@rem Directory holding the live Alfresco keystores (the keystoreFile and truststoreFile attributes in tomcat\conf\server.xml point here)
set "ALFRESCO_KEYSTORE_HOME=%ALFRESCO_HOME%\alf_data\keystore"
@rem Root of the SOLR installation
set "SOLR_HOME=%ALFRESCO_HOME%\solr4"
@rem Java installation whose keytool is used for every step
set "JAVA_HOME=%ALFRESCO_HOME%\java"
@rem Staging directory where new keystores are written before being installed.
@rem NOTE(review): the generated keystores contain private keys, and this is the profile directory of whoever runs the script.
set "CERTIFICATE_HOME=%USERPROFILE%"
@rem Subject name of the repository server certificate; must match the tomcat\conf\tomcat-users.xml entry with roles="repository"
set "REPO_CERT_DNAME=CN=sv01.h.dom, OU=Unknown, O=H I S, L=A, ST=M, C=FR"
@rem Subject name of the SOLR client certificate; must match the tomcat\conf\tomcat-users.xml entry with roles="repoclient"
set "SOLR_CLIENT_CERT_DNAME=CN=Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
@rem Lifetime of the self-signed certificates in days (36525 days is roughly 100 years)
set "CERTIFICATE_VALIDITY=36525"
@rem CA-issued certificate files imported into tomcat.keystore further down.
@rem NOTE(review): presumably the cross root, the intermediate and the server certificate from the CA; all three are certificate files, none is a private key.
set "HISM_CERT_ROOT=E:\_hism_cert\crossRootCA.cer"
set "HISM_CERT_Inter=E:\_hism_cert\IntermediateCA.cer"
set "HISM_CERT=E:\_hism_cert\ssl_certificate.cer"


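@rem Make sure the staging directory for newly generated keystores exists
@if not exist "%CERTIFICATE_HOME%" mkdir "%CERTIFICATE_HOME%"

@rem Delete the staging copies left by a previous run. The live copies are backed up
@rem as NAME.old later in this script. This cleanup used to be written out twice;
@rem the second pass had nothing left to delete, so one pass is kept.
@for %%F in (ssl.keystore ssl.truststore browser.p12 ssl.repo.client.keystore ssl.repo.client.truststore) do @if exist "%CERTIFICATE_HOME%\%%F" del "%CERTIFICATE_HOME%\%%F"

@rem Import the CA chain and the CA-issued server certificate into tomcat.keystore.
@rem No -storepass is given, so keytool asks for the keystore password interactively.
@rem Without -noprompt keytool also shows each certificate and asks for confirmation:
@rem compare the displayed fingerprints with the ones published by the CA before accepting.
@rem
@rem NOTE(review): these three commands only add certificates. Tomcat can serve the
@rem CA-issued certificate only if tomcat.keystore already holds the private key from
@rem which the certificate request was made, under the same alias (tomcat) used for the
@rem last import. If the keystore is created here from scratch, the server certificate is
@rem stored as a trusted certificate entry with no key and the connector has nothing to
@rem present. Check with keytool -list -v that alias tomcat is a private key entry.
@rem NOTE(review): tomcat.keystore is not removed by the cleanup above, so on a second
@rem run the aliases already exist and keytool refuses the import.
@rem NOTE(review): the file is written to CERTIFICATE_HOME and is never copied anywhere;
@rem confirm that this is the path the Tomcat connector for this certificate really reads.
"%JAVA_HOME%\bin\keytool" -import -alias root -file "%HISM_CERT_ROOT%" -keystore "%CERTIFICATE_HOME%\tomcat.keystore" -trustcacerts
"%JAVA_HOME%\bin\keytool" -import -alias intermed -file "%HISM_CERT_Inter%" -keystore "%CERTIFICATE_HOME%\tomcat.keystore" -trustcacerts
"%JAVA_HOME%\bin\keytool" -import -alias tomcat -file "%HISM_CERT%" -keystore "%CERTIFICATE_HOME%\tomcat.keystore" -trustcacerts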


@rem Create fresh self-signed key pairs for the repository and for the SOLR client,
@rem and export the public certificate of each so the trust stores can be built.
@rem NOTE(review): the store and key password is passed on the command line in clear
@rem text. It appears to be the stock Alfresco default and is published on this page,
@rem so it should be replaced before these keystores protect anything.
@rem NOTE(review): no -keysize is given, so the RSA key size is whatever this JDK's
@rem keytool uses by default; confirm it meets your policy.

@rem Repository: key pair under alias ssl.repo, then its certificate
"%JAVA_HOME%\bin\keytool" -genkeypair -alias ssl.repo -keyalg RSA ^
    -dname "%REPO_CERT_DNAME%" -validity %CERTIFICATE_VALIDITY% ^
    -keystore "%CERTIFICATE_HOME%\ssl.keystore" -storetype JCEKS ^
    -storepass kT9X6oe68t -keypass kT9X6oe68t
"%JAVA_HOME%\bin\keytool" -exportcert -alias ssl.repo ^
    -keystore "%CERTIFICATE_HOME%\ssl.keystore" -storetype JCEKS -storepass kT9X6oe68t ^
    -file "%CERTIFICATE_HOME%\ssl.repo.crt"

@rem SOLR client: key pair under alias ssl.repo.client, then its certificate
"%JAVA_HOME%\bin\keytool" -genkeypair -alias ssl.repo.client -keyalg RSA ^
    -dname "%SOLR_CLIENT_CERT_DNAME%" -validity %CERTIFICATE_VALIDITY% ^
    -keystore "%CERTIFICATE_HOME%\ssl.repo.client.keystore" -storetype JCEKS ^
    -storepass kT9X6oe68t -keypass kT9X6oe68t
"%JAVA_HOME%\bin\keytool" -exportcert -alias ssl.repo.client ^
    -keystore "%CERTIFICATE_HOME%\ssl.repo.client.keystore" -storetype JCEKS -storepass kT9X6oe68t ^
    -file "%CERTIFICATE_HOME%\ssl.repo.client.crt"

@rem Build the trust stores from the two exported certificates.
@rem -noprompt means keytool does not ask for confirmation; that is acceptable here
@rem only because both certificates were generated by this script a moment ago.

@rem Repository trusts the SOLR client
"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo.client ^
    -file "%CERTIFICATE_HOME%\ssl.repo.client.crt" ^
    -keystore "%CERTIFICATE_HOME%\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
@rem Repository trusts itself (used for searches)
"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo ^
    -file "%CERTIFICATE_HOME%\ssl.repo.crt" ^
    -keystore "%CERTIFICATE_HOME%\ssl.truststore" -storetype JCEKS -storepass kT9X6oe68t
@rem SOLR trusts the repository
"%JAVA_HOME%\bin\keytool" -importcert -noprompt -alias ssl.repo ^
    -file "%CERTIFICATE_HOME%\ssl.repo.crt" ^
    -keystore "%CERTIFICATE_HOME%\ssl.repo.client.truststore" -storetype JCEKS -storepass kT9X6oe68t

@rem Copy the ssl.repo entry into a PKCS12 file that browsers can import.
@rem NOTE(review): browser.p12 carries the repository private key and is protected
@rem only by the password alfresco; handle the file as a secret and choose a
@rem stronger password before handing it to anyone.
"%JAVA_HOME%\bin\keytool" -importkeystore ^
    -srckeystore "%CERTIFICATE_HOME%\ssl.keystore" -srcstoretype JCEKS ^
    -srcstorepass kT9X6oe68t -srcalias ssl.repo -srckeypass kT9X6oe68t ^
    -destkeystore "%CERTIFICATE_HOME%\browser.p12" -deststoretype pkcs12 ^
    -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco

@rem The live keystore directory must exist before anything is copied into it
@if not exist "%ALFRESCO_KEYSTORE_HOME%" mkdir "%ALFRESCO_KEYSTORE_HOME%"

@rem Keep the current live files as NAME.old: first the repository files, then the
@rem SOLR client stores in each of the four core and template conf directories.
@rem NOTE(review): copy /Y overwrites an existing .old file, so running the script a
@rem second time replaces the original backup with the files from the first run.
for %%F in (ssl.keystore ssl.truststore browser.p12) do copy /Y "%ALFRESCO_KEYSTORE_HOME%\%%F" "%ALFRESCO_KEYSTORE_HOME%\%%F.old"
for %%D in (workspace-SpacesStore archive-SpacesStore templates\test templates\store) do for %%F in (ssl.repo.client.keystore ssl.repo.client.truststore) do copy /Y "%SOLR_HOME%\%%D\conf\%%F" "%SOLR_HOME%\%%D\conf\%%F.old"

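@rem Install the newly generated files over the live ones: repository files first,
@rem then the SOLR client stores into each core and template conf directory.
@rem NOTE(review): nothing checks that keytool succeeded. If one generation step failed,
@rem its copy fails as well and the old live file stays in place next to new ones.
for %%F in (ssl.keystore ssl.truststore browser.p12) do copy /Y "%CERTIFICATE_HOME%\%%F" "%ALFRESCO_KEYSTORE_HOME%\%%F"
for %%D in (workspace-SpacesStore archive-SpacesStore templates\test templates\store) do for %%F in (ssl.repo.client.keystore ssl.repo.client.truststore) do copy /Y "%CERTIFICATE_HOME%\%%F" "%SOLR_HOME%\%%D\conf\%%F"

@echo Certificate update complete
@echo Please ensure that you set dir.keystore=%ALFRESCO_KEYSTORE_HOME% in alfresco-global.properties

@rem Replace the ssl.repo entry in the trust store of the bundled Java runtime.
@rem The cacerts path is now derived from JAVA_HOME instead of being hard-coded, so it
@rem follows ALFRESCO_HOME like every other path in this script.
@rem The -delete reports an error when the alias is not there yet; the import still runs.
@rem The import has no -noprompt, so keytool asks for confirmation before trusting.
@rem NOTE(review): every Java program using this runtime will trust the self-signed
@rem repository certificate, and changeit is the well-known default cacerts password.
"%JAVA_HOME%\bin\keytool" -delete -alias ssl.repo -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit
"%JAVA_HOME%\bin\keytool" -import -v -alias ssl.repo -file "%CERTIFICATE_HOME%\ssl.repo.crt" -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit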



And my server.xml is:

    <!-- Port 8443: HTTPS connector backed by the script-generated self-signed key (keyAlias ssl.repo)
         from the Alfresco keystore directory. clientAuth="want" asks for a client certificate
         but does not require one.
         NOTE(review): keystorePass and truststorePass are stored here in clear text and the value
         is published on this page; restrict read access to server.xml and replace the password.
         NOTE(review): allowUnsafeLegacyRenegotiation="true" re-enables insecure TLS renegotiation;
         confirm that a client still needs it before keeping it. -->
    <Connector port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="E:\Alfresco/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
            secure="true" connectionTimeout="240000" truststoreFile="E:\Alfresco/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
              clientAuth="want"  keyAlias="ssl.repo"   sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" /> 

    <Connector port="443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="E:\_hism_cert/tomcat.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
secure="true" connectionTimeout="240000" truststoreFile="E:\_hism_cert/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" />


The problem is: when I try to access my website on port 443, the website can't be displayed.

I'm using a W2008R2 Server.

Thanks a lot for your help
