
What can I do once I have purchased a domain name?

Obtain a valid TLS certificate for free, for security and credibility.

Hello, my name is Christopher Tate. I am a Red Hat consultant and I love open source software. First, congratulations on obtaining your own domain name to launch your site. Along with a domain name, you will also want to obtain a TLS certificate. The good news is that it is completely free, thanks to open source technology. With a certificate you can secure communications to your site. You can sign your code and ensure that it is valid when deployed on the cloud. You can also set up secure OAuth2/OpenID Connect Single Sign On to all of your applications. I will show you how to obtain these certificates and generate the keystores to use in your applications the open source way.


How do I install the dependencies for certbot?

Build the dependencies with yum.

sudo yum install -y epel-release
  1. sudo
    : The command to install yum repositories begins with sudo. sudo runs the rest of the line with root privileges after you enter your password, and by default remembers that password for a few minutes so the sudo commands that follow do not ask again. Installing yum repositories always requires root privileges.
  2. yum
    : Stands for "Yellowdog Updater, Modified", but nobody knows it as Yellowdog, just yum. CentOS manages software packages and RPM application files with yum.
  3. install
    : For installing new yum packages.
  4. -y
    : Suppress messages asking to confirm if you want to install the software.
  5. epel-release
    : The package name of the Extra Packages for Enterprise Linux repository.
sudo yum install -y certbot
  1. sudo
  2. yum
  3. install
  4. -y
  5. certbot
    : The free, open source client for Let's Encrypt, an automated certificate authority that aims to lower the barriers to entry for encrypting all HTTP traffic on the Internet.

Where do I put the certificates, keys and keystores for my site?

Create a certbot directory in /srv.

sudo install -d -o $USER -g $USER -m 700 /srv/certbot
  1. sudo
  2. install
    : Creates directories and sets attributes on the new directory.
  3. -d
    : Create directories.
  4. -o
    : Set ownership on the directory (super-user only).
  5. $USER
    : The current user to make the owner of the directory.
  6. -g
    : Set group ownership on the directory (super-user only).
  7. $USER
    : The current user to make the group owner of the directory.
  8. -m
    : Set permissions on the directory, instead of the default rwxr-xr-x.
  9. 700
    : Give read, write and execute permissions to only the user of the directory.
  10. /srv/certbot
    : /srv is a good place to install open source software servers and your certificates, keys and keystores.

How do I obtain my certificate?

Use the certbot command.

sudo certbot --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory certonly -d example.com -d '*.example.com' -d '*.apps.example.com'
  1. sudo
  2. certbot
    : The free, open source client for Let's Encrypt, an automated certificate authority that aims to lower the barriers to entry for encrypting all HTTP traffic on the Internet.
  3. --manual
    : Obtain certificates interactively, or using shell script.
  4. --preferred-challenges dns
    : Use DNS record challenges to prove ownership of your domain.
  5. --server https://acme-v02.api.letsencrypt.org/directory
    : Specify the ACME v2 endpoint of Let's Encrypt, the more recent server version that allows wildcard names in certificates.
  6. certonly
    : Obtain or renew a certificate, but do not install it.
  7. -d example.com
    : Specify your root domain name to include it as a route secured by the certificate.
  8. -d '*.example.com'
    : Include wildcard names under your root domain, which covers www.example.com for example. The quotes keep your shell from expanding the asterisk as a file glob.
  9. -d '*.apps.example.com'
    : A wildcard matches only one label, so *.example.com does not cover names such as foo.apps.example.com; include a second wildcard for that level as well. You can optionally include more than one domain name in the same certificate, up to the generous limit Let's Encrypt allows.

certbot will ask you questions, like if you're okay having your IP address logged as having requested this certificate. You can answer Yes, because it is your certificate. It will probably ask you for your email, which is nice, because they will send you an email when your certificate is a few weeks from expiring. The certificates expire every 3 months, which is often, but they are free, so you can't complain too much. Much more expensive certificates might last for 3 years.

Also, certbot will ask you to create several TXT DNS records with random values for the domain names you specified, to prove that you own the domain. This will take some time to do every 3 months, so I recommend a service that lets you manage the DNS of your own domain names. Fastmail (https://www.fastmail.com/) is the service that I use for both personal email and DNS. Fastmail is Australia based, and they protect your email privacy, unlike some other email providers. With Fastmail, I can log in, even from my Fastmail phone app, and manage my DNS. I can manage as many domain names as I want with Fastmail. I just tell the support team of the domain registrar where I purchased the domain the name servers of fastmail.com (ns1.messagingengine.com, ns2.messagingengine.com) and add the domain in Fastmail. Then, once the changes are made, I can manage the DNS records for all my domains. So I add a TXT record and value for each certbot challenge and save the changes. As far as I can tell, the TXT records are recorded immediately.

How do I use the certificate and key that certbot generated?

Copy the certbot files with the install command.

sudo install -o $USER -g $USER -m 700 /etc/letsencrypt/live/example.com/privkey.pem /srv/certbot/server.key
  1. sudo
  2. install
  3. -o
  4. $USER
  5. -g
  6. $USER
  7. -m
  8. 700
  9. /etc/letsencrypt/live/example.com/privkey.pem
    : After the certbot command completes, it will tell you the complete path to the newly generated private key, which may not be exactly what I wrote here.
  10. /srv/certbot/server.key
    : The new path to where the private key will be copied.
sudo install -o $USER -g $USER -m 700 /etc/letsencrypt/live/example.com/fullchain.pem /srv/certbot/server.crt
  1. sudo
  2. install
  3. -o
  4. $USER
  5. -g
  6. $USER
  7. -m
  8. 700
  9. /etc/letsencrypt/live/example.com/fullchain.pem
    : After the certbot command completes, it will tell you the complete path to the newly generated certificate, which may not be exactly what I wrote here.
  10. /srv/certbot/server.crt
    : The new path to where the certificate will be copied.
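The install commands above make the current user the owner of the copied key and certificate and give them mode 700. As an added example (my own code, not from Christopher Tate's post), the following POSIX shell script audits a directory such as /srv/certbot and flags any .key, .p12, .jks or .jceks file that group or other users can read or write, which is the check worth running after copying keys or before handing the directory to a deployment. The directory path and file name patterns are assumptions that match this article's layout; make_fixture builds a constructed sample directory with placeholder files so the audit can be tried without real keys.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits private key material
# under a directory with POSIX tools only (ls, cut), so it runs wherever the
# article's commands do. Assumes the /srv/certbot layout described above.

# Return 0 when the file's group and other permission bits are all clear
# (mode 600 or 700), 1 otherwise. In `ls -ld` output column 1 is the file
# type, columns 2-4 the owner bits, columns 5-10 the group and other bits.
# Run it on the copies under /srv/certbot, not on the symlinks certbot keeps
# under /etc/letsencrypt/live, whose listed mode is the link's, not the file's.
owner_only() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every file in DIR whose extension marks it as private material
# (patterns are an assumption matching this article). Prints one WARN line
# per problem and returns 1 if any file is too permissive, 0 when clean.
audit_private_files() {
    dir=$1
    bad=0
    for f in "$dir"/*.key "$dir"/*.p12 "$dir"/*.jks "$dir"/*.jceks; do
        [ -e "$f" ] || continue            # unmatched glob pattern, skip it
        if ! owner_only "$f"; then
            echo "WARN: $f is accessible to group/other: $(ls -ld "$f" | cut -c1-10)"
            bad=1
        fi
    done
    if [ "$bad" -eq 0 ]; then
        echo "OK: all private files in $dir are owner-only"
    fi
    return "$bad"
}

# Constructed fixture for trying the audit: a temporary directory holding one
# correctly protected and one too-permissive placeholder file. The contents
# are sample text, not key material. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'placeholder, not a real key\n' > "$dir/good.key"
    printf 'placeholder, not a real key\n' > "$dir/bad.key"
    chmod 600 "$dir/good.key"
    chmod 644 "$dir/bad.key"
    echo "$dir"
}

# Usage: sh audit_keys.sh /srv/certbot      (or --demo to run on the fixture)
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    audit_private_files "$fx"
    rm -rf "$fx"
elif [ -d "${1:-}" ]; then
    audit_private_files "$1"
fi
```

The audit intentionally looks at the permission string rather than at ownership: a file owned by you but readable by others is the case that leaks a key to every other account on the host, and `ls -ld` is portable across GNU and BSD userlands where `stat` flags differ.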

How do I obtain the letsencrypt root and CA certificates?

Download the root and CA certificates with the curl command.

curl https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /srv/certbot/root.crt
  1. curl
    : A tool to transfer data from or to a server, using supported protocols.
  2. https://letsencrypt.org/certs/isrgrootx1.pem.txt
    : The URL to the letsencrypt root certificate.
  3. -o /srv/certbot/root.crt
    : Write output to the root.crt file instead of stdout.
curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /srv/certbot/ca1.crt
  1. curl
  2. https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
    : The URL to the first letsencrypt certificate authority.
  3. -o /srv/certbot/ca1.crt
    : Write output to the ca1.crt file instead of stdout.
curl https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt -o /srv/certbot/ca2.crt
  1. curl
  2. https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
    : The URL to the second letsencrypt certificate authority.
  3. -o /srv/certbot/ca2.crt
    : Write output to the ca2.crt file instead of stdout.

How do I create a merged version of site certificates, certificate authority and root certificate?

Create a merged certificate with the cat command.

cat /srv/certbot/root.crt /srv/certbot/ca2.crt /srv/certbot/server.crt > /srv/certbot/merged.crt
  1. cat
    : Concatenate files and print on the standard output.
  2. /srv/certbot/root.crt
    : The path to the letsencrypt root certificate.
  3. /srv/certbot/ca2.crt
    : The path to the second letsencrypt certificate authority.
  4. /srv/certbot/server.crt
    : The path to your new site certificate; fullchain.pem already contains the first letsencrypt certificate authority after your site certificate, so ca1.crt is not added again.
  5. >
    : Write the contents of the previous command to the file.
  6. /srv/certbot/merged.crt
    : The path to the merged certificate file.
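Before feeding merged.crt to openssl pkcs12, or copying it anywhere, it is worth confirming what cat actually produced: the expected number of certificate blocks, no truncated block, and no private key accidentally concatenated in (a file named like a certificate tends to travel further than server.key ever should). The following POSIX shell script is an added example of mine, not code from the post, and relies only on grep and awk. The function names and the write_sample_bundle fixture, which writes placeholder PEM text rather than real certificates, are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Sanity-checks a concatenated
# PEM bundle such as /srv/certbot/merged.crt using only grep and awk.

# Print the number of CERTIFICATE blocks in FILE (grep -c prints 0 but exits
# 1 when nothing matches, so `|| true` keeps the count usable under set -e).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Print BEGIN count minus END count; 0 means every block is closed, anything
# else points at a truncated or half-pasted file.
pem_unbalanced() {
    b=$(grep -c '^-----BEGIN ' "$1" || true)
    e=$(grep -c '^-----END ' "$1" || true)
    echo $((b - e))
}

# Return 0 if FILE contains any private key block (RSA, EC or PKCS#8 headers
# all end in "PRIVATE KEY").
pem_has_private_key() {
    grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$1"
}

# Validate FILE as a certificate-only bundle holding EXPECTED certificates.
# Prints a verdict and returns 0 only when every check passes.
pem_check_bundle() {
    f=$1
    expected=$2
    ok=0
    if pem_has_private_key "$f"; then
        echo "FAIL: $f contains a private key; never distribute this file"
        ok=1
    fi
    if [ "$(pem_unbalanced "$f")" -ne 0 ]; then
        echo "FAIL: $f has unbalanced BEGIN/END lines (truncated copy?)"
        ok=1
    fi
    n=$(pem_cert_count "$f")
    if [ "$n" -ne "$expected" ]; then
        echo "FAIL: $f has $n certificate(s), expected $expected"
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "OK: $f holds $n certificate(s) and no private key"
    fi
    return "$ok"
}

# Split FILE into DIR/cert-1.pem, DIR/cert-2.pem, ... one certificate each,
# so individual members can be inspected (for example with openssl x509).
pem_split() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                        { print > out }
        /^-----END CERTIFICATE-----$/    { close(out); out = "" }
    ' "$1"
}

# Constructed fixture: write COUNT placeholder certificate blocks to FILE.
# The body line is filler, not base64 of a real certificate.
write_sample_bundle() {
    i=1
    : > "$1"
    while [ "$i" -le "$2" ]; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
            'PLACEHOLDERPLACEHOLDERPLACEHOLDER==' \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

# Usage: sh check_bundle.sh /srv/certbot/merged.crt 4
if [ "$#" -eq 2 ] && [ -f "$1" ]; then
    pem_check_bundle "$1" "$2"
fi
```

For the merged.crt built above the expected count is four: root.crt, ca2.crt, and the two certificates (site certificate plus intermediate) that fullchain.pem carries inside server.crt. If the count comes out higher, look for a stray paste; if pem_has_private_key fires, delete the file and rebuild it from the three inputs rather than editing it by hand.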

How do I create a pkcs12 certificate chain of trust?

Use the openssl command to create a .p12 file.

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

openssl pkcs12 -export -name example.com -in /srv/certbot/merged.crt -inkey /srv/certbot/server.key -out /srv/certbot/server.p12
  1. openssl
    : OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols.
  2. pkcs12
    : The pkcs12 command allows PKCS#12 files to be created and parsed.
  3. -export
    : This option specifies that a PKCS#12 file will be created rather than parsed.
  4. -name example.com
    : This specifies the alias, or friendly name, for the certificate and private key.
  5. -in /srv/certbot/merged.crt
    : The path to the merged certificate file.
  6. -inkey /srv/certbot/server.key
    : The path to the private key.
  7. -out /srv/certbot/server.p12
    : The path to the new .p12 chain of trust file.

How do I create a Java keystore for certificate chains in Java applications?

Use the keytool command to create a .jks file.

keytool -importkeystore -srcstoretype pkcs12 -srckeystore /srv/certbot/server.p12 -destkeystore /srv/certbot/server.jks
  1. keytool
    : A Java application that manages a keystore of cryptographic keys, certificate chains, and trusted certificates.
  2. -importkeystore
    : Imports entries from a source keystore to a destination keystore.
  3. -srcstoretype pkcs12
    : The type of source keystore, which is pkcs12.
  4. -srckeystore /srv/certbot/server.p12
    : The path to the .p12 chain of trust file.
  5. -destkeystore /srv/certbot/server.jks
    : The path to the new .jks Java keystore.

How do I create a Java keystore for my secret key in Java applications?

Use the keytool command to create a .jceks file.

keytool -genseckey -storetype JCEKS -alias example.com -keystore /srv/certbot/server.jceks
  1. keytool
  2. -genseckey
    : Generates a secret key and stores it in the keystore as a new secret key entry identified by the alias.
  3. -storetype JCEKS
    : The keystore type. JCEKS can hold symmetric secret keys, which the default JKS type cannot, and keeps them encrypted so they are not exposed on disk.
  4. -alias example.com
    : This specifies the alias, or friendly name, for the secret key entry.
  5. -keystore /srv/certbot/server.jceks
    : The path to the new .jceks Java keystore.

Congratulations, now you are all set to use your new certificate, keys and keystores in your applications. You will be able to secure your applications with https and TLS locally and on the OpenShift cloud. You can sign your Java code to deploy it confidently. You can install a Single Sign On server to manage user authentication and authorization in your applications.

To review:

Friday, May 24 2019. What can I do once I have purchased a domain name? Obtain a valid TLS certificate for free, for security and credibility. By Christopher Tate.

Questions and answers:
  1. How do I install the dependencies for certbot?
    : Build the dependencies with yum.
  2. Where do I put the certificates, keys and keystores for my site?
    : Create a certbot directory in /srv.
  3. How do I obtain my certificate?
    : Use the certbot command.
  4. How do I use the certificate and key that certbot generated?
    : Copy the certbot files with the install command.
  5. How do I obtain the letsencrypt root and CA certificates?
    : Download the root and CA certificates with the curl command.
  6. How do I create a merged version of site certificates, certificate authority and root certificate?
    : Create a merged certificate with the cat command.
  7. How do I create a pkcs12 certificate chain of trust?
    : Use the openssl command to create a .p12 file.
  8. How do I create a Java keystore for certificate chains in Java applications?
    : Use the keytool command to create a .jks file.
  9. How do I create a Java keystore for my secret key in Java applications?
    : Use the keytool command to create a .jceks file.
