This project includes utility tools to generate trusted SSL certificates and keystores to be used by ProActive, in order to establish secure SSL communications with client hosts. In particular, this project includes two tools, namely: (1) a shell script to generate SSL certificates for localhost (when running ProActive locally), and (2) a Java client to generate SSL certificates for a specific domain.
To generate a trusted SSL certificate for localhost, we create a shell script called generate_trusted_cert_and_keystore_for_localhost.sh, which is located under the folder ssl-certificate-for-localhost. The script proceed through the following steps:
- First, it considers a local Certification Authority (CA) called ActiveeonCA.
- It generates a private key (
ActiveeonCA.key) a local root certificate (ActiveeonRootCA.crt) for ActiveeonCA. - After that, the script generates a private key (
localhost.key) and a certificate (localhost.crt) for localhost. The localhost certificate is signed by the local root certificateActiveeonRootCA.crt. - Then, the script stores
localhost.keyandlocalhost.crtin a key store calledkeystore. - The generated
keystoreis to be used by ProActive for SSL communication and must be placed under${ProActive_Home}/config/web. - To make the certificate used by ProActive trusted by the client host:
- Either add
ActiveeonRootCA.crtto the OS trust store (as explained here) - Or add
ActiveeonRootCA.crtto the client web browser (for instance, In Mozilla Firefox, click Tools > Options > Advanced. Scroll down, click Manage Certificates, click Authorities and then import ActiveeonRootCA.crt).
- Either add
The script generate_trusted_cert_and_keystore_for_localhost.sh uses two files: (i) v3.ext, used to create localhost.crt, and (ii) secret, which contains a single password used to secure all private keys and keystores.
We extend an existing Java client to generate SSL certificates for a specific domain. The java client uses the ACME (Automatic Certificate Management Environment) protocol to connect to an ACME server, notably Let's Encrypt server. It performs all necessary steps to generate SSL certificates. Our Java client mainly contains three classes:
- SSLCertificateGenerator: Its role is twofold: (i) it creates a domain challenge, i.e., a specific static web resource that sould be accessible under the considered domain, and (ii) generate SSL certificate for the considered domain one the ACME challenge is met.
- WebResource: It creates the static web resource needed to meet the ACME challenge.
- EmbeddedJetty: It runs an embedded web application server (Jetty) that serves the created static web resource.
As an example of ACME challenge (required to generate the SSL certificate for a given domain)
- The following resource must be created: https://domain/.well-know/acme-challenge/kJmvx69CEVe5uEPMwNqRiHXyni__7t4sp-aJaBTaFIE
- It must contain the following content: kJmvx69CEVe5uEPMwNqRiHXyni__7t4sp-aJaBTaFIE.XMOaXhDazt2A3R42GzSEFIOFs7jsiUgY6xc1N2iL0MY
Execute the following command to produce a jar file called ssl-certificate-generator-all-xxxxVersion.jar
./gradlew shadowJar
java -jar ssl-certificate-generator-all-xxxxVersion.jar -d domain_hostname
e.g., java -jar ssl-certificate-generator-all-xxxxVersion.jar -d try.activeeon.com -p 8080
The jar takes further arguments as input. To get more help about these arguments run, e.g.,: java -jar ssl-certificate-generator-all-xxxxVersion.jar -d try.activeeon.com -h
When the domain (concerned by the SSL certificate) is accessible via a web server like Apache or Nginx, the static resources created to meet the ACME challenge cannot be served by the web server in a straightforward manner. To cope with this issue, two solutions are proposed:
- Place and run
ssl-certificate-generator-all-xxxxVersion.jarunder the resources directory of the web server, e.g., under/var/www/htmlwhen usingnginx. - Or add the location (where
ssl-certificate-generator-all-xxxxVersion.jaris placed) to the configuration of the web server. For instance, when usingnginxadd the following block:
location ^~ /.well-known/acme-challenge/ {
allow all;
root path_to_where_to_run_ssl-certificate-generator-all-xxxxVersion.jar;
}
This is particularly useful when generating SSL certificates for try.activeeon.com, tryqa.activeeon.com and trydev.activeeon.com.