Free SSL Certificate for Play Framework by Ravinder Payal
Author: @Ravinder Payal
Tweet Follow @RAVINDERPAYAL
I understand that this is a simple thing, but it is frustrating when you don't have the recipe to make it work, so worry not: here are the complete steps. Just follow them in the given sequence with a coffee in hand. By the time you finish the coffee, your Play Framework based server will be running with SSL/TLS security.
Generating the TLS/SSL certificate using the DNS challenge:
sudo certbot certonly --manual -m email@example.com --agree-tos -d subdomain.example.com --preferred-challenges dns
On pressing Enter it'll show something like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for subdomain.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Please enter `Y` if you are OK with it and want to continue. `N` will close the request, as you must agree to IP logging to proceed. On proceeding further it'll ask you to add a TXT record under the given domain name prefixed with `_acme-challenge.`:

Please deploy a DNS TXT record under the name
_acme-challenge.subdomain.example.com with the following value:

ROBJ8UCDCMV_Uc5m9oid1heU52wsgcYF1OK0-PbgQV4

Before continuing, verify the record is deployed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Before pressing Enter at the TXT record prompt, confirm that the TXT record is actually visible in DNS using `nslookup`:
nslookup -q=TXT _acme-challenge.subdomain.example.com
If it shows the same TXT value as the one asked for by Let's Encrypt, you are good to go ahead.
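The check above, as an added example that is not part of the original post: a small shell helper that extracts the TXT values from `nslookup` output and confirms that the exact token certbot asked for is among them before you press Enter. It also covers the case the post does not mention, a stale token from an earlier issuance sitting on the same name next to the current one. The record name and token are the ones shown in the certbot prompt above; the `nslookup` output embedded below is constructed for the demo, and `check_live` is the hypothetical wrapper you would run against real DNS.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that the
# _acme-challenge TXT record carries the token certbot asked for.
# Assumptions (hypothetical): record name and token as in the certbot prompt;
# SAMPLE_OUTPUT is constructed nslookup output used for the offline demo.
set -eu

# Extract the quoted TXT values from nslookup output, one per line.
# nslookup prints lines such as:  _acme-challenge.host	text = "VALUE"
# Several TXT records on one name (e.g. a stale token from a previous run)
# each yield their own line.
txt_values() {
  sed -n 's/.*text = "\(.*\)"$/\1/p'
}

# Return 0 if EXPECTED is exactly one of the TXT values read from stdin.
# -F: fixed string (tokens contain '-' and '_'), -x: whole-line match.
txt_contains() {
  expected="$1"
  txt_values | grep -Fxq -- "$expected"
}

# Live check (hypothetical wrapper): query with nslookup as the post does and
# compare. Exit 0 when the token is visible, 1 when it is not (yet) propagated.
check_live() {
  name="$1"; expected="$2"
  nslookup -q=TXT "$name" 2>/dev/null | txt_contains "$expected"
}

# Constructed sample of nslookup output standing in for a real query; note the
# stale token left over from an earlier issuance next to the current one.
SAMPLE_OUTPUT='Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
_acme-challenge.subdomain.example.com	text = "old-token-from-previous-run"
_acme-challenge.subdomain.example.com	text = "ROBJ8UCDCMV_Uc5m9oid1heU52wsgcYF1OK0-PbgQV4"'

# Offline variant of check_live: match a token against the constructed output.
sample_matches() {
  printf '%s\n' "$SAMPLE_OUTPUT" | txt_contains "$1"
}

if sample_matches "ROBJ8UCDCMV_Uc5m9oid1heU52wsgcYF1OK0-PbgQV4"; then
  echo "token found in TXT records; safe to press Enter"
else
  echo "token not found yet; wait for DNS propagation" >&2
fi
```

Against real DNS you would call `check_live _acme-challenge.subdomain.example.com "<token from the prompt>"` in a loop until it exits 0; because the comparison is an exact match on one value, an old record on the same name neither causes a false positive nor hides the new one.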
On completion you will find the certificate in:
Note: you might need super user (`sudo su`) access to read this directory and the files in it.
Now we use openssl to export the certificate and key to Public-Key Cryptography Standards (PKCS) #12 (.p12) format, and then use keytool to import the .p12 file into a JKS file.
openssl pkcs12 -export -in fullchain1.pem -inkey privkey1.pem -out keystore.p12 -CAfile cert.pem -caname root
It'll ask for a password; enter any password of your choice, but do remember it, as it'll be needed when importing the keystore into the Java Key Store (JKS). For reference I will call it the source keystore password.
Now that the .p12 file has been generated with openssl from the SSL certificates issued by Let's Encrypt, we use keytool to export it as a JKS (Java Key Store):
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore cert.jks -deststoretype jks
It'll give something like this:
Importing keystore keystore.p12 to cert.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore cert.jks -destkeystore cert.jks -deststoretype pkcs12".
On pressing Enter it'll ask you for the destination keystore password; enter any password, but do remember it, as we need to provide it to Play Framework. After that you will need to provide the source keystore password which you entered while running the openssl command. Once all the commands have run successfully in the right sequence you will get the Java Key Store (`JKS`) file as `cert.jks`. Put `cert.jks` in the `conf` directory at the root of the Play project, and when running Play provide the SSL certificate like this:
-Dhttps.port=443 -Dplay.server.https.keyStore.path=cert.jks -Dplay.server.https.keyStore.password=your_destination_keystore_password
Note: use the same password for the .p12 and the JKS. By default keytool keeps the imported private-key entry protected with the source (PKCS12) password, while Play opens both the keystore and the key with the single configured password, so if the two differ Play can read the certificate but not the private key.
Converting .crt to .jks
At times, the certificate issued to us may come in .crt format instead. The same commands apply, using the domain's .crt file, the root Certificate Authority's .crt file and the private key (stored in a .pem or .key file).
openssl pkcs12 -export -in sslcert/domain_ext.crt -inkey sslcert/privkey.key -CAfile sslcert/ROOT_CERT_AUTHORITY.crt -out intermediate.p12
keytool -importkeystore -srckeystore intermediate.p12 -srcstoretype pkcs12 -destkeystore cert.jks -deststoretype jks
And you will have the certificate in Java Key Store (JKS) format. Look for cert.jks in the present working directory (pwd) of the terminal.
Command to check whether the exported Java Key Store is valid:
keytool -v -list -keystore cert.jks
It will ask for the password; enter the same password you used when exporting the Public-Key Cryptography Standards (PKCS) #12 (.p12) file into the Java Key Store (JKS). If you enter the wrong password, keytool will report that the keystore was tampered with or the password was incorrect. With the correct password you will see the content of the certificate. Look for the subject keyword and the mention of your domain name, and also check whether the certificate authority is mentioned.
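The whole openssl-to-keytool procedure above (the Let's Encrypt .pem case, the .crt case, and the final `keytool -list` check) as one non-interactive script, added here as an example and not code from the original post. Instead of typing passwords at three prompts it passes a single password through `-passout env:` and `-srcstorepass`/`-deststorepass`, the same value on both sides as the note requires, and then verifies that the .p12 opens only with that password. Assumptions: the input files are a throwaway self-signed key and certificate generated by `make_fake_cert`, standing in for Let's Encrypt's `privkey1.pem` and `fullchain1.pem`; `keytool` may be absent from the machine, in which case the JKS step says so and is skipped; `WORKDIR` and the password value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: openssl -> PKCS#12 ->
# keytool -> JKS, run without interactive prompts and with one password for
# both stores, then verified with keytool -list.
# Assumptions (hypothetical): a self-signed key/cert from make_fake_cert stands
# in for privkey1.pem/fullchain1.pem; keytool is optional.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Constructed password; in real use read it from a secrets store, not a script.
KEYSTORE_PASS="${KEYSTORE_PASS:-example-keystore-pass}"

# Stand-in for the Let's Encrypt files: a 1-day self-signed certificate.
make_fake_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=subdomain.example.com" \
    -keyout "$WORKDIR/privkey1.pem" -out "$WORKDIR/fullchain1.pem" \
    >/dev/null 2>&1
}

# Step 1: bundle key + chain into keystore.p12. The export password is passed
# via an environment variable (-passout env:) instead of the prompt.
to_pkcs12() {
  P12PASS="$1" openssl pkcs12 -export \
    -in "$WORKDIR/fullchain1.pem" -inkey "$WORKDIR/privkey1.pem" \
    -name play -out "$WORKDIR/keystore.p12" -passout env:P12PASS
}

# Returns 0 only if the .p12 opens with the given password; a wrong password
# makes openssl fail with "Mac verify error" and a non-zero exit status.
check_pkcs12() {
  P12PASS="$1" openssl pkcs12 -in "$WORKDIR/keystore.p12" -noout \
    -passin env:P12PASS >/dev/null 2>&1
}

# Step 2: import the .p12 into cert.jks. -srcstorepass/-deststorepass replace
# the interactive prompts; -noprompt skips the overwrite question. The same
# password is used on both sides, per the post's note.
to_jks() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found (no JDK on PATH); skipping JKS import" >&2
    return 0
  fi
  keytool -importkeystore -noprompt \
    -srckeystore "$WORKDIR/keystore.p12" -srcstoretype pkcs12 -srcstorepass "$1" \
    -destkeystore "$WORKDIR/cert.jks" -deststoretype jks -deststorepass "$1" \
    >/dev/null 2>&1
  # Step 3: the validity check from the post; fails on a wrong password.
  keytool -list -keystore "$WORKDIR/cert.jks" -storepass "$1" >/dev/null 2>&1
}

main() {
  make_fake_cert
  to_pkcs12 "$KEYSTORE_PASS"
  check_pkcs12 "$KEYSTORE_PASS"
  to_jks "$KEYSTORE_PASS"
  echo "keystore.p12 (and cert.jks when keytool is present) written to $WORKDIR"
  echo "start Play with: -Dhttps.port=443 -Dplay.server.https.keyStore.path=$WORKDIR/cert.jks -Dplay.server.https.keyStore.password=<the password>"
}

main "$@"
```

For the .crt case, point `-in` at the domain's .crt, `-inkey` at the .key file and add `-CAfile` with the root CA's .crt, exactly as in the commands above; the keytool steps are unchanged. Passing passwords as command-line arguments exposes them in the process list on a shared host, so for `openssl` the `env:` form is used here and for `keytool` the script is meant to be run on a machine where only the operator has a shell.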
Cheers, enjoy the additional security layer provided by TLS/SSL.
Please do comment if you have any doubts, I will revert back within a day.