How to resolve the "Not secure" warning on the browser to make your application secure.

You need to configure the SSL in your application to avoid the - connection not secure - warning. Based on your application deployed in Weblogic or Tomcat, below are high level steps to configure that:

Create a Java Keystore in the application installed server
Generate CSR
Send the CSR to your CA (IT Team)
Get the signed intermediate and root certs from CA
Import these certs to keystore with same alias
Adjust Tomcat / WebLogic settings

Steps for making the connection secure in Tomcat.

Below two commands generate the Keystore and CSR with Subject Alternative Names.

keytool -alias server -keystore "D:\server.keystore" -storepass changeit -deststoretype pkcs12 -genkeypair -keyalg RSA -validity 1000 -keysize 2048 -sigalg SHA256withRSA -dname "CN=ddd.ddd.dd,O=DN,OU=DN=Ddd,ST=Ddd,C=DN" -ext "SAN=IP:ip,DNS:host,EMAIL:mailid"

keytool -keystore "D:\server.keystore" -certreq -alias server -keyalg RSA -file "D:\server.csr" -ext "SAN=IP:ip,DNS:host,mailid"

Once we receive the CA signed Root certificate, Intermediate certificate and server certificateà need to import the certificates in the keystore already created with same alias server for server certificate.

keytool -import -alias root -keystore "D:\server.keystore" -file "D:\rootca.cer"

keytool -import -alias intermediate -keystore "D:\server.keystore" -file "D:\intermediateca.cer"

keytool -import -alias server -keystore "D:\server.keystore" -file "D:\serverprd.cer"

change the server.xml with this keystore and restart the Tomcat.

Tomcat example

Simple way to generate a Subject Alternate Name (SAN) certificate

28 Jul 2020, 11:15

security / certificate / SAN / CSR / keytool / openssl

What will I cover in this post?

We will learn how to generate the Subject Alternate Name (or SAN) certificate in a simple way.

In this post, I plan on:

Explaining what is the SAN certificate
Explaining how to create the SAN certificate using the Java keytool
Explaining how to export the certificate private and public keys using OpenSSL
Explaining how to create the Certificate Signing Request (CSR) for the SAN certificate using the Java keytool

Do not forget to follow me on Twitter

What is the SAN certificate?

The Subject Alternative Name (SAN) is an extension the X.509 specification. The specification allows to specify additional values for a SSL certificate. These values added to a SSL certificate via the subjectAltName field. A SSL certificate with SAN values usually called the SAN certificate.

Why to use the SAN certificate?

RFC 2818 recommends to use the SAN certificate instead of a regular SSL certificate :

Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

What are the supported values?

The full list of supported values listed in RFC 5280.

Recommended to configure the following values (where applicable):

a DNS name
an IP address
an Internet mail address

How to create the SAN certificate?

The command below will create a pkcs12 Java keystore server.jks with a self-signed SSL certificate:

keytool \

 -keystore server.jks  -storepass protected  -deststoretype pkcs12 \

 -genkeypair -keyalg RSA -validity 365 \

 -dname "CN=10.100.0.1," \

 -ext "SAN=IP:10.100.0.1"

The command below will list certificates in the keystore:

keytool -list -v -keystore server.jks -storepass protected

The snippet below shows the partial output only with the Subject (Owner below) and SubjectAltName (SubjectAlternativeName below) fields:

...

Owner: CN=10.100.0.1

...

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

  IPAddress: 10.100.0.1

The certificate in a browser

Configure your webserver to use the certificate and you will be able to check the certificate in a browser.

The Subject field:

Java Learning

Wednesday, January 5, 2022

How to resolve the "Not secure" warning on the browser to make your application secure.