Site SSL certificates

I am setting up a mirror site. Currently we are just using self-signed certificates for testing. For production, we would like to use official certificates so users don't get warnings when browsing the site, not to mention that it gives real security.

As I understand, two certificates are required. One is on nginx server which serves the main portal site, the other one is on download server. I am trying to understand what formats are the certificates and how to use them.

For nginx, I checked the nginx config; below is what I got:

nginx01:/etc/nginx/sites-enabled$ cat dcc_portal
# Copyright 2014(c) The Ontario Institute for Cancer Research. All rights reserved.
# HTTPS
server {
        listen  443;
        server_name dcc.icgc.org;
        ssl                 on;
        ssl_certificate     /etc/ssl/dcc/portal.crt;
        ssl_certificate_key /etc/ssl/dcc/portal.key;
        location / {
                proxy_pass http://web-cluster;
        }
}

lxv-icgc-nginx01:/etc/ssl/dcc$ file *
portal.crt: PEM certificate
portal.key: PEM RSA private key

It appears nginx uses a PEM certificate and key. So we should get a similar certificate and replace /etc/ssl/dcc/portal.crt and /etc/ssl/dcc/portal.key.

For the download server, it is a little unclear what is required. In the /srv/dcc-download-server/conf directory, there is a file keystore.p12. So I assume the PKCS12 format is accepted. In our testing, we generated a Java keystore file with the command:

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass <pass word> -validity 3600 -keysize 2048

and we are using it.

My questions (not really DCC portal specific) are:

  1. What kind of formats should be used with download server? Does it matter?
  2. I don't know much about how a certificate is used with a Java application. How do we request a certificate to be used with the download server?

Hi Brady,

Our portal-server readme has an example where it uses certs provided by letsencrypt to generate a p12 file and then imports it into a Java keystore:

# Create new letsencrypt.jks keystore
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root
keytool -importkeystore -deststorepass password -destkeypass password -destkeystore letsencrypt.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass password -alias tomcat
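The same two steps as an added shell script (not from the portal-server project), with the checks worth running before the keystore goes on the download server: the certificate that ends up in the .p12 and in the .jks must carry the same SHA-256 fingerprint as cert.pem, and the intermediates from chain.pem must actually be inside the file. It differs from the readme commands in two assumed details: chain.pem is passed with -certfile, because openssl's -CAfile only takes effect together with -chain, and the store password comes from a KS_PASS environment variable rather than the command line. It assumes openssl and keytool are on PATH.

```shell
#!/bin/sh
# Added example, not the project's own scripts: build the PKCS12 file and the
# Java keystore from Let's Encrypt-style PEM files, then verify the result.
# Assumes openssl and keytool on PATH and the store password in KS_PASS
# (openssl's env: and keytool's :env forms keep it out of the process list).
set -eu

# SHA-256 fingerprint of the first PEM certificate on stdin, e.g. "AB:CD:..".
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# PEM cert + key -> PKCS12. The intermediate(s) in chain.pem are bundled with
# -certfile so the server can send the full chain to browsers.
make_p12() {  # $1 cert.pem  $2 privkey.pem  $3 chain.pem  $4 out.p12  $5 alias
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$5" \
        -out "$4" -passout env:KS_PASS
}

# Number of certificates inside a PKCS12 file (leaf + intermediates).
p12_cert_count() {  # $1 in.p12
    openssl pkcs12 -in "$1" -nokeys -passin env:KS_PASS | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds when the leaf certificate inside the PKCS12 file matches cert.pem.
verify_p12() {  # $1 in.p12  $2 cert.pem
    p12_fp=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KS_PASS | fingerprint)
    [ "$p12_fp" = "$(fingerprint < "$2")" ]
}

# PKCS12 -> JKS with keytool, as in the readme. -deststoretype JKS is explicit
# because Java 9+ would otherwise write a PKCS12 file under the .jks name.
import_jks() {  # $1 in.p12  $2 out.jks  $3 alias
    keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass:env KS_PASS -destkeystore "$2" -deststoretype JKS \
        -deststorepass:env KS_PASS -destkeypass:env KS_PASS -alias "$3"
}

# Succeeds when the entry stored under the alias in the JKS matches cert.pem.
verify_jks() {  # $1 keystore.jks  $2 alias  $3 cert.pem
    jks_fp=$(keytool -exportcert -rfc -keystore "$1" -storepass:env KS_PASS \
        -alias "$2" | fingerprint)
    [ "$jks_fp" = "$(fingerprint < "$3")" ]
}
```

Older Java 8 builds may not be able to read the AES-based PKCS12 that OpenSSL 3 writes by default, so run verify_jks with the same JDK the download server uses.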

Hi Dusan,

Basically we can take the certificate and private key, convert them to a Java keystore, and use it with the download server. Thanks!

Brady