Using SSL (Secure Sockets Layer) will encrypt transmissions between web browsers and PageSeeder to provide extra security. To do this you need to create a private key, create a certificate by having your public key signed by yourself or a certificate authority and then install both on your proxy server or in Tomcat.
The instructions below are for Linux CentOS.
Create private key
If not done already install OpenSSL by entering:
yum install openssl
Create a private key be entering the command below. Make sure you can remember the passphrase you are asked for as you will need it later.
openssl genrsa -des3 -out mydomain.key 2048
Create SSL certificate
Creating a certificate signing request as follows:
sudo openssl req -new -key mydomain.key -out mydomain.csr
This command will prompt for fields that need to be filled in.
The most important field is "Common Name" which should be the domain name of your server. If you want the certificate to cover multiple sub-domains you can use
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:NSW Locality Name (eg, city) :Sydney Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Inc Organizational Unit Name (eg, section) :My Department Common Name (e.g. server FQDN or YOUR name) :myserver.mycompany.com Email Address :email@example.com
Certificate authority signs your certificate
To ensure web browsers accept your certificate without warning messages you need to send your .csr file to a Certificate Authority to have it signed. They will typically return to you an individual .crt file for your domain and a bundle .crt file containing their own certificates. These need to be concatenated in the correct order, for example:
cat mydomain_individual.crt ca_bundle.crt > mydomain.crt
Self-sign your SSL certificate
Alternatively for testing you could sign the certificate yourself but it will only be accepted by web browsers after warning the user. You can specify how long the certificate should remain valid by changing the 365 to the number of days you prefer. To create a self-signed certificate you could enter:
openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt
If you are using Nginx as a reverse proxy for PageSeeder you will need to install your certificate there.
Remove the Key Passphrase
To install an SSL certificate on Nginx it is easier to first remove the passphrase. Thought the passphrase does provide extra protection removing it saves you from having to re-enter the passphrase every time Nginx is restarted. To do this use the following commands:
mv mydomain.key mydomain.key.orig openssl rsa -in mydomain.key.org -out mydomain.key
Copy the key and certificate to Nginx as follows:
mkdir -p /etc/nginx/ssl/pageseeder cp mydomain.key /etc/nginx/ssl/pageseeder/ cp mydomain.crt /etc/nginx/ssl/pageseeder/
nginx.conf file as described in Configuring a proxy and restart the nginx service.
If you are not using a proxy like Nginx and your website port is larger than 1024 (e.g. 8443) you can configure Tomcat to use SSL is as follows:
- Create a .keystore or .jks file using the Java keytool utility. PageSeeder includes a self-signed certificate for localhost under pageseeder/webapp/WEB-INF/config/pslocalhost.keystore (password pslocalxyz) which can be used for testing.
- Obtain an SSL certificate for your server's domain name from a certificate provider or self-sign it and add it to your keystore file. Then copy it to your server and make sure you know your keystore password.
- Stop your PageSeeder service if it is running and start the pageseeder-x.exe for Windows or enter
pageseeder service configfor Linux.
- Follow the installer prompts and select "Enable SSL".
- When prompted enter the path to your SSL certificate keystore file and its password.
- For "List of ports to redirect from" (Windows only) you may wish to add other ports that your PageSeeder was previously using so that users are automatically redirected to use SSL (e.g. 80,8080).
- Finish the installation.
Converting existing .keystore or .jks to .key
If you have existing .keystore or .jks files that you need to use with Nginx they can be converted using the Java keytool and openssl as follows:
keytool -importkeystore -srckeystore mydomain.jks -destkeystore mydomain.p12 -srcstoretype jks -deststoretype pkcs12 openssl pkcs12 -in mydomain.p12 -nocerts -out mydomain.pem openssl rsa -in mydomain.pem -out mydomain.key
Created on , last edited on