Skip to main content

SSL certificates guide

In this article I'm going to explain how to create keys, SSL certificates and key stores. This can be required to simply migrate your website to HTTPS or to enable single sign-on authentication or in other cases. SSL certificates can be used for digital signing/verification and for encryption/decryption.
In case of digital signatures, the sender signs the message using a private key certificate, while the receiver verifies the signature of the message using the public key certificate.
In case of encryption, the sender encrypts the message using the public key certificate, while the receiver decrypts the message using the private key.
  1. Generating keys.
  2. Generating certificates.
  3. Working with keystores.
Generating keys
The first step is generating a private/public key pair. This can be done in different ways. We'll use openssl utility as it will be used for certificates later as well. The important point is the key length - bigger length makes the key harder to crack. It's considered safe to have the length of at least 2048 bits for RSA keys nowadays.
  1. Generate RSA private key of 2048 bits in PEM format
  2. openssl genrsa -out rsaprivkey.pem 2048
    
  3. Generate the public key in DER format
  4. openssl rsa -in rsaprivkey.pem -pubout -outform DER -out rsapubkey.der
    
  5. Generate the unencrypted private key in PKCS #8 and DER format
  6. openssl pkcs8 -topk8 -inform PEM -outform DER -in rsaprivkey.pem -out rsaprivkey.der -nocrypt
    

Generating certificates
You have two options - generating a self signed certificate or requesting a trusted certificate from a certificate authority. While self signed certificates can be acceptable during development, any production system will require a trusted certificate. Both options are mentioned here.
  1. Generate certificate signing request (CSR), in the "Common Name" set the hostname of your website
  2. openssl req -new -key rsaprivkey.pem -out server.csr
    
  3. Print CSR details
  4. openssl req -in server.csr -noout -text
    
    Example output:
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d2:02:4a:83:b1:07:4c:9f:b3:40:11:88:73:16:
                        ... more HEX data ...
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
             28:f6:2e:1b:f7:4b:d9:fd:96:58:e5:ca:86:87:07:a2:a7:21:
             ... more HEX data ...
    
  5. Generate self signed certificate
  6. openssl x509 -req -days 365 -in server.csr -signkey rsaprivkey.pem -out server.crt
    
    Example output:
    Signature ok
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
    Getting Private key
    
  7. Request a trusted certificate (e.g. Let's Encrypt or COMODO)
There are two main encoding formats that a certificate can be stored in - a binary DER format (can also have file extensions CER or CRT) and a Base64 encoded PEM format which syntax is defined by X.509 standards (can also have file extension CRT). You can convert between the encoding formats using the following commands:
  1. Convert certificate from DER to PEM format
  2. openssl x509 -inform der -in certificate.crt -out certificate.pem
    
  3. Convert certificate from PEM to DER format
  4. openssl x509 -outform der -in certificate.pem -out certificate.crt
    

Working with keystores
There are different types of keystores. The most common types are PKCS #12 (using extensions .p12 or .pfx) and JKS (Java KeyStore, specific to Java language). We'll use keytool Java utility to work with JKS files.
  1. Generate a PKCS12 keystore with our certificate (note - set non-empty password)
  2. openssl pkcs12 -export -in server.crt -inkey rsaprivkey.pem -name server -out server.p12
    
    Next you can either convert PKCS12 keystore type into JKS or generate an empty JKS keystore and import a certificate there. Both options are explained below.
  3. Convert PKCS12 keystore to JKS keystore
  4. keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcalias server -destkeystore server.jks -deststoretype jks -deststorepass password -destalias server
    
  5. Generate an empty JKS keystore (note - set non-empty password)
  6. keytool -genkey -alias server -keystore server.jks
    keytool -delete -alias server -keystore server.jks
    
  7. Import certificate from PKCS12 to JKS keystore
  8. keytool -importkeystore -deststorepass password -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12
    
    Now when you have a JKS keystore with your private certificate, you might need to import a public trusted certificate there as well. For example, this can be needed to enable SAML SSO authentication.
  9. Import a trusted DER certificate into JKS keystore
  10. keytool -import -trustcacerts -alias trustedCert -file trustedCert.crt -keystore server.jks 
    
  11. Check certificates in JKS keystore
  12. keytool -list -keystore server.jks -storepass password
    
    Example output:
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    server, 27-Jul-2017, PrivateKeyEntry,
    Certificate fingerprint (SHA1): A3:11:78:7C:D7:C6:30:F9:57:DF:3C:B1:B4:C9:1F:06:83:E5:ED:39
    trustedCert, 24-Jul-2017, trustedCertEntry,
    Certificate fingerprint (SHA1): B8:4D:C8:5F:1C:98:A3:0B:F2:BC:04:E0:A3:22:26:66:64:F7:60:C8
    

Comments

Popular posts from this blog

DynamicReports and Spring MVC integration

This is a tutorial on how to exploit DynamicReports reporting library in an existing Spring MVC based web application. It's a continuation to the previous post where DynamicReports has been chosen as the most appropriate solution to implement an export feature in a web application (for my specific use case). The complete code won't be provided here but only the essential code snippets together with usage remarks. Also I've widely used this tutorial that describes a similar problem for an alternative reporting library.
So let's turn to the implementation description and start with a short plan of this how-to:
Adding project dependencies.Implementing the Controller part of the MVC pattern.Modifying the View part of the MVC pattern.Modifying web.xml.Adding project dependencies
I used to apply Maven Project Builder throughout my Java applications, thus the dependencies will be provided in the Maven format.

Maven project pom.xml file:
net.sourceforge.dynamicreportsdynamicrepo…

Choosing Java reporting tool - part 2

I've provided a general overview of possible solutions to get a reporting/exporting functionality in the previous post. This is the second overview of alternatives based on JasperReports reporting engine.

Since the previous part I've done the following:
Implemented a simple report using both DynamicJasper and DynamicReports to compare them from technical side.Investigated JasperServer features and tried to implement a simple report for JasperServer instance (it appeared we already have a ready licensed installation of JasperServer that makes it unreasonable to install a fresh one).
First, the comparison results of Java libraries (DynamicJasper and DynamicReports):
Both libraries suffer from poor-quality or missing Java docs but they look a bit better in DynamicJasper.Taking into account the point 1, a developer has to use online documentation and to review the code. Here the code looks definitely nicer and more readable for DynamicReports. With respect t…

Do It Yourself Java Profiling

This article is a free translation of the Russian one that is a transcript of the Russian video lecture done by Roman Elizarov at the Application Developer Days 2011 conference.
The lecturer talked about profiling of Java applications without any standalone tools. Instead, it's suggested to use internal JVM features (i.e. threaddumps, java agents, bytecode manipulation) to implement profiling quickly and efficiently. Moreover, it can be applied on Production environments with minimal overhead. This concept is called DIY or "Do It Yourself". Below the lecture's text and slides begin.
Today I'm giving a lecture "Do It Yourself Java Profiling". It's based on the real life experience that was gained during more than 10 years of developing high-loaded finance applications that work with huge amounts of data, millions currency rate changes per second and thousands of online users. As a result, we have to deal with profiling. Application profiling is an i…