This article covers how to set up both client and server for SSL authentication.
Assume we have a Java server; the keytool utility ships with the Java SDK.
To create a server certificate follow these steps:
1. Create the keystore.
2. Export the certificate from the keystore.
3. Sign the certificate.
4. Import the certificate into a trust-store: a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate.
From the directory in which you want to create the keystore, run keytool with the following parameters.
1. Generate the server certificate.
<JAVA_HOME>/bin/keytool -genkey -alias <server-alias> -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
When you press Enter, keytool prompts you for the server name, organizational unit, organization, locality, state, and country code. Note that you must enter the server name in response to keytool's first prompt, which asks for first and last names. For testing purposes this can be localhost. The host specified in the keystore must match the host identified in the host variable specified in /etc/hosts. The keystore file can have a .jks or .p12 extension. Here we specify two pass phrases, one for the key (-keypass) and one for the keystore (-storepass).
2. Export the generated server certificate in keystore.jks into the file server.cer.
<JAVA_HOME>/bin/keytool -export -alias <server-alias> -storepass changeit -file server.cer -keystore keystore.jks
If you want the certificate signed by a CA, you need to generate a CSR.
2.1 Generate a Certificate Signing Request (CSR)
<JAVA_HOME>/bin/keytool -certreq -sigalg SHA256withRSA -alias <server-alias> -file <csr-filename> -keystore keystore.jks -storepass changeit
Send the contents of <csr-filename> to the CA for signing. The CA then returns another server.cer file, this time CA-signed.
2.2 Generate trust-store for server
To create the trust-store file cacerts.jks and add the server certificate to the trust-store, run keytool from the directory where you created the keystore and server certificate. Use the following parameters:
<JAVA_HOME>/bin/keytool -import -v -trustcacerts -alias <server-alias> -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit
Information on the certificate, such as that shown next, is displayed:
Owner: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
Issuer: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
Serial number: 3e932169
Valid from: Tue Apr 08
Certificate fingerprints:
MD5: 52:9F:49:68:ED:78:6F:39:87:F3:98:B3:6A:6B:0F:90
SHA1: EE:2E:2A:A6:9E:03:9A:3A:1C:17:4A:28:5E:97:20:78:3F:
Trust this certificate? [no]:
Enter yes, and then press the Enter or Return key. The following information is displayed:
Certificate was added to keystore
[Saving cacerts.jks]
With this we have created a server certificate and configured the trust store. Depending on the application you host, you need to point it at the server certificate (server.cer, held with its private key in keystore.jks) together with its pass phrase, and at cacerts.jks as the trust store.
Creating a Client Certificate for Mutual Authentication:
To create a keystore named client-keystore.jks that contains a client certificate named client.cer, follow these steps:
1. Generate the client certificate.
<JAVA_HOME>/bin/keytool -genkey -alias <client-alias> -keyalg RSA -keypass changeit -storepass changeit -keystore client-keystore.jks
2. Export the generated client certificate into the file client.cer.
<JAVA_HOME>/bin/keytool -export -alias <client-alias> -storepass changeit -file client.cer -keystore client-keystore.jks
Add the client certificate to the trust-store file cacerts.jks on the server. Run keytool from the directory where you created the keystore and client certificate. Use the following parameters:
<JAVA_HOME>/bin/keytool -import -v -trustcacerts -alias <client-alias> -file client.cer -keystore cacerts.jks -keypass changeit -storepass changeit
The keytool utility returns this message:
Owner: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
Issuer: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
Serial number: 3e39e66a
Valid from: Thu Jan 30 18:58:50 PST 2003 until: Wed Apr 30 19:58:50 PDT 2003
Certificate fingerprints:
MD5: 5A:B0:4C:88:4E:F8:EF:E9:E5:8B:53:BD:D0:AA:8E:5A
SHA1: 90:00:36:5B:E0:A7:A2:BD:67:DB:EA:37:B9:61:3E:26:B3:89:46:32
Trust this certificate? [no]: yes
Certificate was added to keystore
With this we have created the client certificate and imported it into the server's trust-store, which completes the client setup. Now back to the server.
To check the contents of a keystore that contains a certificate with the alias <server-alias>, use this command:
keytool -list -keystore keystore.jks -alias <server-alias> -v
To check the contents of the cacerts file, use this command:
keytool -list -keystore cacerts.jks
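To show how a Java server actually consumes the two stores built above, here is an added example (not code from the original article): it loads keystore.jks as the key material and cacerts.jks as the trust store, and requires a client certificate so that only a client whose certificate was imported into cacerts.jks can complete the handshake. The file names, the pass phrase changeit and port 8443 are assumptions taken from the commands above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** TLS server requiring mutual authentication with the stores created by keytool above. */
public class MutualTlsServer {
    // Pass phrase used for -keypass and -storepass in the article's commands (assumption)
    static final char[] PASS = "changeit".toCharArray();

    static KeyStore loadJks(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // both files were created as .jks
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    static SSLContext buildContext(String keystorePath, String truststorePath) throws Exception {
        // keystore.jks: the server's private key and certificate (identity)
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath, PASS), PASS);
        // cacerts.jks: certificates we trust, including the imported client.cer
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath, PASS));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("keystore.jks", "cacerts.jks");
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            // Two-way auth: the handshake fails unless the client presents a trusted certificate
            server.setNeedClientAuth(true);
            System.out.println("Listening on 8443, client certificate required");
            while (true) {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    String peer = s.getSession().getPeerPrincipal().getName();
                    System.out.println("Authenticated client: " + peer);
                    s.getOutputStream().write("hello\n".getBytes());
                }
            }
        }
    }
}
```

A client connecting to this server must present the key from client-keystore.jks and must itself trust server.cer; with setNeedClientAuth(false) the same code would perform one-way authentication only.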
With this, we have covered server and client setup for SSL certificates for both one way & two way authentication.
In the next section, we will see how to use libcurl as an HTTP client for HTTP(S) authentication, with both the libcurl API and the curl command.