Use Let's Encrypt - Free SSL/TLS Certificates with CoCCA
From CoCCA Registry Services (NZ) Limited
In this section we explain how to generate a Java keystore from Let's Encrypt certificates; more precisely, how to obtain a free SSL certificate from Let's Encrypt and then import it into a Java keystore so that it is trusted by all modern browsers.
Please note: this Java keystore is valid only for HTTPS; it is not valid for the EPP connection.
Let's Encrypt - Free SSL/TLS Certificates
Let's Encrypt is a certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption. It is a free, automated, and open certificate authority created by the Internet Security Research Group (ISRG).
Note: all Let's Encrypt certificates will have a lifetime of exactly 90 days.
Generate a Java keystore based on Let's Encrypt certificates for use in CoCCA
The steps required to generate a Java keystore are listed at this [1] link. We repeat a few of them here, but the goal is to have Let's Encrypt sign our SSL certificate, as follows:
Step 1: Install letsencrypt on CentOS 6 or 7
----------
Install the letsencrypt command line utility. You can get it from GitHub, as explained in their installation instructions:

# Install the EPEL repository
yum install epel-release
# Install git and some required packages
yum install gcc libffi-devel python-devel openssl-devel
yum install git
# Now clone the Let's Encrypt GitHub repository
cd /root/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
# Run the auto installer
./letsencrypt-auto

After all the previous commands have run, you will get this message:

No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

Now you should stop any software listening on port 443; for this we stop CoCCA:

/etc/init.d/cocca stop

then run the following command:

./letsencrypt-auto certonly

After this command the installer asks you for a valid email address. This email is used to regain the certificates if you lose them. After that, accept the terms of service and press Enter. Next, it asks for the domain name; this is the domain we are installing the SSL certificate for. You will then get the following message:

Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/<your-domain>/fullchain.pem. Your cert will
Step 2: Use letsencrypt to generate the Java keystore required by Resin in the CoCCA platform
----------
In this step we use the generated private key and certificate (located in /etc/letsencrypt/live/<your-domain>/) to generate the Java keystore. This takes two commands.

First, to be able to import the certificate generated by the letsencrypt command line utility into a Java keystore, we convert the .PEM certificate file and the private key to PKCS#12 (.pfx/.p12) with the following command:

# openssl pkcs12 -export -name sslcertificate -in /etc/letsencrypt/live/<your-domain>/cert.pem -inkey /etc/letsencrypt/live/<your-domain>/privkey.pem -out sslkeystore.p12

It will ask you to set a password for the PKCS#12 file. The output of this command is a PKCS#12 (PFX) file, a binary format that stores the server certificate, any intermediate certificates, and the private key in one encryptable file.

Now we import the PKCS#12 file into a Java keystore with the following command:

# keytool -importkeystore -destkeystore SSLkeystore.jks -srckeystore sslkeystore.p12 -srcstoretype pkcs12 -alias sslcertificate

It will ask for the PKCS#12 password as the source password, and then ask you to set the destination password.
Step 3: Use the generated keystore in the Resin config on the CoCCA platform:
---------
To use the generated Java keystore file (SSLkeystore.jks in our example) in the Resin config file on the CoCCA platform, copy the SSLkeystore.jks
file to the keys directory, then edit the resin.xml file as follows:
# cp SSLkeystore.jks /opt/cocca-8/keys/
# nano /opt/cocca-8/resin/config/resin.xml
and change the SSL Java keystore to the new SSLkeystore.jks:
<http address="your_IP_" port="443">
  <jsse-ssl>
    <key-store-type>jks</key-store-type>
    <key-store-file>/opt/cocca-8/keys/SSLkeystore.jks</key-store-file>
    <password>Your_New_KeysStore_pass</password>
  </jsse-ssl>
</http>
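Steps 2 and 3 chained into one re-runnable script, as an added example that is not part of this page or of CoCCA's tooling. It assumes openssl and keytool are on the PATH and the keystore password is in the KEYSTORE_PASS environment variable; unlike Step 2 it exports fullchain.pem so the intermediate certificate reaches the browser, forces the JKS type that resin.xml declares, and adds a renewal check for the 90-day lifetime.

```shell
#!/bin/sh
# Added example, not CoCCA's or Let's Encrypt's own tooling.
# Assumes: openssl and keytool on PATH; keystore password in $KEYSTORE_PASS.
set -eu

# build_jks LIVE_DIR OUT_JKS [ALIAS]
# LIVE_DIR is the Let's Encrypt directory, e.g. /etc/letsencrypt/live/<your-domain>.
# Succeeds only if OUT_JKS ends up holding a PrivateKeyEntry under ALIAS.
build_jks() {
    live_dir=$1; out_jks=$2; alias=${3:-sslcertificate}
    tmp_p12=$(mktemp)

    # fullchain.pem = leaf + intermediates. Exporting it (instead of cert.pem
    # alone, as in Step 2) puts the whole chain into the PKCS#12, so Resin can
    # send the intermediate to browsers that do not already have it.
    openssl pkcs12 -export -name "$alias" \
        -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
        -out "$tmp_p12" -passout "pass:$KEYSTORE_PASS"

    # Non-interactive form of the keytool command from Step 2. The destination
    # type is forced to JKS because JDK 9+ defaults to PKCS12, while resin.xml
    # declares <key-store-type>jks</key-store-type>. A keystore left over from
    # the previous 90-day cycle is replaced, not merged into.
    rm -f "$out_jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp_p12" -srcstoretype pkcs12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore "$out_jks" -deststoretype jks -deststorepass "$KEYSTORE_PASS" \
        -srcalias "$alias" -destalias "$alias"
    rm -f "$tmp_p12"

    # Check that the private key really landed in the keystore under the alias.
    keytool -list -keystore "$out_jks" -storepass "$KEYSTORE_PASS" -alias "$alias" \
        | grep -q PrivateKeyEntry
}

# needs_renewal CERT_PEM [DAYS]: returns 0 if the certificate expires within
# DAYS (default 30). Let's Encrypt certs live 90 days, so run this from cron and
# rebuild the keystore (then restart CoCCA) when it fires.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Typical run on the CoCCA host (paths from Step 3):
#   KEYSTORE_PASS=... build_jks /etc/letsencrypt/live/<your-domain> \
#       /opt/cocca-8/keys/SSLkeystore.jks
```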
