HTTPS SSL configuration

June Chung
2 min read · Sep 22, 2020


Overall steps:
Java Key Store (JKS): where you store all your keys (it's a vault)
Overall process:
1. Create private key → 2. Create CSR → 3. Get it signed by a CA → 4. Cert chain (server, intermediate, root CA) generated → 5. Configure the web server with the private key & cert chain (3)

→ Java application (e.g. Jira): create the key store (JKS, Java key store); keytool usually lives in the java_home/bin directory
create the CSR (certificate signing request)
submit the CSR to a CA for signing

<JAVA_HOME>/bin/keytool -genkey -alias jira -keyalg RSA -keystore <Jira_HOME>/jira.jks

Inside Java_home/bin there are a lot of tools, including keytool
Where is Java_home?
echo $JAVA_HOME
which java
sudo find /usr/ -name '*jdk'
/usr/lib/jvm/java-1.8.0-openjdk <- find this!! (don't confuse it with other dirs)
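As an added example (not from the original post), here is a small POSIX sh script that locates keytool the way the notes above describe (JAVA_HOME, then the real `java` on PATH, then /usr/lib/jvm) and then runs steps 1 and 2 of the process: the private key into a fresh JKS and the CSR to send to the CA. The alias `jira` and the domain digifac.online come from the post; the keystore path, the store password and the `-dname` subject are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: find keytool, then create the
# private key (step 1) and the CSR (step 2) in a JKS. Keystore path, password
# and subject values are placeholders.

# Print the path of keytool, trying in order:
#   1. $JAVA_HOME/bin/keytool
#   2. the directory of the real `java` binary on PATH (symlinks resolved)
#   3. the first keytool found under /usr/lib/jvm
find_keytool() {
    if [ -n "${JAVA_HOME:-}" ] && [ -x "$JAVA_HOME/bin/keytool" ]; then
        printf '%s\n' "$JAVA_HOME/bin/keytool"
        return 0
    fi
    java_bin=$(command -v java 2>/dev/null || true)
    if [ -n "$java_bin" ]; then
        real_java=$(readlink -f "$java_bin" 2>/dev/null || printf '%s' "$java_bin")
        candidate="$(dirname "$real_java")/keytool"
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    fi
    candidate=$(find /usr/lib/jvm -type f -name keytool 2>/dev/null | head -n 1)
    if [ -n "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    echo "keytool not found; set JAVA_HOME" >&2
    return 1
}

# Step 1: -genkeypair creates the private key (plus a self-signed placeholder
# cert) inside a new JKS. Step 2: -certreq writes the CSR for that alias.
# -dname avoids the interactive prompts; the SAN extension carries the hostname.
# Usage: make_key_and_csr <keystore.jks> <alias> <store-password> [dname]
make_key_and_csr() {
    keystore=$1
    alias=$2
    storepass=$3
    dname=${4:-"CN=digifac.online, O=Placeholder Org, C=US"}   # placeholder subject
    keytool=$(find_keytool) || return 1

    "$keytool" -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
        -keystore "$keystore" -storepass "$storepass" -keypass "$storepass" \
        -dname "$dname" -ext "SAN=dns:digifac.online" -validity 365
    "$keytool" -certreq -alias "$alias" -keystore "$keystore" \
        -storepass "$storepass" -file "${keystore%.jks}.csr"
    printf 'CSR written to %s\n' "${keystore%.jks}.csr"
}
```

Run it as `make_key_and_csr /path/to/jira.jks jira 'your-store-password'`; the resulting `jira.csr` is what goes to the CA in step 3, and the private key never leaves the JKS.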

Openssl vs Java Keytool

CACERT vs Letsencrypt (&certbot)

Certificate Chain vs Signed Certificate (server), Intermediate CA, Root CA
- The certificate chain (chain.pem) is all 3 of these together in one file
- If you send the CSR → CA for signing, the CA will generate ALL 3, i.e. the CHAIN

How CACERT WORKS???
$ sudo certbot certonly --standalone -d digifac.online # Ubuntu
$ sudo ./certbot-auto certonly --standalone -d digifac.online # CentOS/RHEL

This will generate two things:
1. Certificate chain: /etc/letsencrypt/live/digifac.online/fullchain.pem
2. Server's private key: /etc/letsencrypt/live/digifac.online/privkey.pem

How to configure in Jira
>> https://confluence.atlassian.com/adminjiraserver/running-jira-applications-over-ssl-or-https-938847764.html : using CAcert (create an individual private key + key chain + CSR)
>> https://gist.github.com/dborin/dd501b28967d3784fa646534dbea6ffa : letsencrypt does it all for you (and converts to JKS at the end)

[Objective] After you get your CA-signed certificate, you need to …
: PRIVATE KEY (server) + CERT CHAIN (3) ==> PKCS12 keystore

openssl pkcs12 -export -out /tmp/digifac.online_fullchain_and_key.p12 -in /etc/letsencrypt/live/digifac.online/fullchain.pem -inkey /etc/letsencrypt/live/digifac.online/privkey.pem -name jira

>>Convert PKCS12 into JKS (Java Key Store); -srcstorepass must be the export password you entered in the openssl step above

keytool -importkeystore -deststorepass 1234 -destkeypass 1234 -destkeystore jira.jks -srckeystore /tmp/digifac.online_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass 1234 -alias jira

>>Configure the server settings (server.xml)
>>EDIT the HTTPS connector

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           clientAuth="false" useBodyEncodingForURI="true"
           keyAlias="jira" keystoreFile="/usr/lib/jvm/java-8-openjdk-amd64/jre/jira.jks"
           keystorePass="1234" keystoreType="JKS"/>

>>EDIT the HTTP connector to redirect 8080 -> 8443 (redirectPort)
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8080" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"/>

>>Redirect all (underlying) URLs to HTTPS
(insert in the web.xml file)

<security-constraint>
  <web-resource-collection>
    <web-resource-name>all-except-attachments</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspa</url-pattern>
    <url-pattern>/browse/*</url-pattern>
    <url-pattern>/issues/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

>>RESTART Jira
>>Open port 8443 (https) in the security group
>>Configure auto-renewal of the certbot certificate (cron job); note that renewal only refreshes the files under /etc/letsencrypt, so the PKCS12 → JKS conversion above has to be repeated after every renewal
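As an added example (not from the original post, Atlassian or certbot), here is a certbot deploy hook that repeats the PKCS12 → JKS conversion from the steps above after each renewal and restarts Jira, with two checks a practitioner wants before touching the keystore: that privkey.pem really belongs to the leaf certificate in fullchain.pem, and that the imported JKS entry holds as many certificates as fullchain.pem. The domain, file names and alias `jira` are from the post; `KEYSTORE`, `STOREPASS`, `JIRA_SERVICE` and the `KEYTOOL`/`OPENSSL` overrides are placeholders. `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example, not from the original post: certbot deploy hook that rebuilds
# the PKCS12 and the JKS from the renewed Let's Encrypt files and restarts Jira.
# "certbot renew" alone updates /etc/letsencrypt only; without this step Tomcat
# keeps serving the old certificate from jira.jks.
set -e

DOMAIN=${DOMAIN:-digifac.online}
LIVE=${RENEWED_LINEAGE:-/etc/letsencrypt/live/$DOMAIN}   # certbot sets RENEWED_LINEAGE
ALIAS=${ALIAS:-jira}
KEYSTORE=${KEYSTORE:-/opt/atlassian/jira/jira.jks}       # placeholder path
STOREPASS=${STOREPASS:-}                                  # supply via environment, not in the file
KEYTOOL=${KEYTOOL:-keytool}
OPENSSL=${OPENSSL:-openssl}
JIRA_SERVICE=${JIRA_SERVICE:-jira}                        # placeholder systemd unit

# 0 if the private key and the leaf certificate carry the same public key.
# fullchain.pem works as the cert argument: openssl x509 reads the first PEM block.
key_matches_cert() {
    k=$("$OPENSSL" pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$("$OPENSSL" x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Number of certificates in a PEM bundle (server + intermediates for fullchain.pem).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# PEM -> PKCS12 -> JKS. The existing alias is deleted first so -importkeystore
# replaces it instead of failing with "alias already exists". Afterwards the JKS
# entry is checked to hold as many certificates as fullchain.pem.
rebuild_keystore() {
    [ -n "$STOREPASS" ] || { echo "STOREPASS is not set" >&2; return 1; }
    key_matches_cert "$LIVE/privkey.pem" "$LIVE/fullchain.pem" \
        || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    p12=$(mktemp "/tmp/$DOMAIN.XXXXXX")   # mktemp creates the file mode 0600
    trap 'rm -f "$p12"' EXIT
    "$OPENSSL" pkcs12 -export -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" \
        -name "$ALIAS" -out "$p12" -passout "pass:$STOREPASS"
    if [ -f "$KEYSTORE" ] && "$KEYTOOL" -list -keystore "$KEYSTORE" \
            -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1; then
        "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"
    fi
    "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -alias "$ALIAS" -destkeystore "$KEYSTORE" -deststoretype JKS \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    chmod 600 "$KEYSTORE"
    expected=$(count_certs "$LIVE/fullchain.pem")
    "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        | grep -q "Certificate chain length: $expected" \
        || { echo "JKS chain length is not $expected" >&2; return 1; }
}

restart_jira() {
    systemctl restart "$JIRA_SERVICE"   # or <Jira_HOME>/bin/stop-jira.sh && start-jira.sh
}

# Only act when certbot invoked us for a renewed lineage (or when run by hand
# with RENEWED_LINEAGE exported); sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rebuild_keystore && restart_jira
fi
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with `certbot renew --deploy-hook`), and put the store password in the environment of the renewal cron job rather than in the script; a manual dry run is `RENEWED_LINEAGE=/etc/letsencrypt/live/digifac.online STOREPASS=... sh renew-jks.sh`. The same chain-length check is also a quick way to confirm the one-off conversion above imported all three certificates and not just the server one.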
