Skip to main content

SSL certificates guide

In this article I'm going to explain how to create keys, SSL certificates and key stores. This can be required to simply migrate your website to HTTPS or to enable single sign-on authentication or in other cases. SSL certificates can be used for digital signing/verification and for encryption/decryption.
In case of digital signatures, the sender signs the message using a private key certificate, while the receiver verifies the signature of the message using the public key certificate.
In case of encryption, the sender encrypts the message using the public key certificate, while the receiver decrypts the message using the private key.
  1. Generating keys.
  2. Generating certificates.
  3. Working with keystores.
Generating keys
The first step is generating a private/public key pair. This can be done in different ways. We'll use openssl utility as it will be used for certificates later as well. The important point is the key length - bigger length makes the key harder to crack. It's considered safe to have the length of at least 2048 bits for RSA keys nowadays.
  1. Generate RSA private key of 2048 bits in PEM format
    2. openssl genrsa -out rsaprivkey.pem 2048
  2. Generate the public key in DER format
    3. openssl rsa -in rsaprivkey.pem -pubout -outform DER -out rsapubkey.der
  3. Generate the unencrypted private key in PKCS #8 and DER format
    4. openssl pkcs8 -topk8 -inform PEM -outform DER -in rsaprivkey.pem -out rsaprivkey.der -nocrypt

Generating certificates
You have two options - generating a self signed certificate or requesting a trusted certificate from a certificate authority. While self signed certificates can be acceptable during development, any production system will require a trusted certificate. Both options are mentioned here.
  1. Generate certificate signing request (CSR), in the "Common Name" set the hostname of your website
    2. openssl req -new -key rsaprivkey.pem -out server.csr
  2. Print CSR details
    3. openssl req -in server.csr -noout -text
    Example output: 
    Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d2:02:4a:83:b1:07:4c:9f:b3:40:11:88:73:16:
                    ... more HEX data ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         28:f6:2e:1b:f7:4b:d9:fd:96:58:e5:ca:86:87:07:a2:a7:21:
         ... more HEX data ...
  3. Generate self signed certificate
    4. openssl x509 -req -days 365 -in server.csr -signkey rsaprivkey.pem -out server.crt
    Example output: 
    Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting Private key
  4. Request a trusted certificate (e.g. Let's Encrypt or COMODO)
There are two main encoding formats that a certificate can be stored in - a binary DER format (can also have file extensions CER or CRT) and a Base64 encoded PEM format which syntax is defined by X.509 standards (can also have file extension CRT). You can convert between the encoding formats using the following commands:
  1. Convert certificate from DER to PEM format
    2. openssl x509 -inform der -in certificate.crt -out certificate.pem
  2. Convert certificate from PEM to DER format
    3. openssl x509 -outform der -in certificate.pem -out certificate.crt

Working with keystores
There are different types of keystores. The most common types are PKCS #12 (using extensions .p12 or .pfx) and JKS (Java KeyStore, specific to Java language). We'll use keytool Java utility to work with JKS files.
  1. Generate a PKCS12 keystore with our certificate (note - set non-empty password)
    2. openssl pkcs12 -export -in server.crt -inkey rsaprivkey.pem -name server -out server.p12
    Next you can either convert PKCS12 keystore type into JKS or generate an empty JKS keystore and import a certificate there. Both options are explained below.
  2. Convert PKCS12 keystore to JKS keystore
    3. keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcalias server -destkeystore server.jks -deststoretype jks -deststorepass password -destalias server
  3. Generate an empty JKS keystore (note - set non-empty password)
    4. keytool -genkey -alias server -keystore server.jks
keytool -delete -alias server -keystore server.jks
  4. Import certificate from PKCS12 to JKS keystore
    5. keytool -importkeystore -deststorepass password -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12
    Now when you have a JKS keystore with your private certificate, you might need to import a public trusted certificate there as well. For example, this can be needed to enable SAML SSO authentication.
  5. Import a trusted DER certificate into JKS keystore
    6. keytool -import -trustcacerts -alias trustedCert -file trustedCert.crt -keystore server.jks
  6. Check certificates in JKS keystore
    7. keytool -list -keystore server.jks -storepass password
    Example output: 
    Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

server, 27-Jul-2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): A3:11:78:7C:D7:C6:30:F9:57:DF:3C:B1:B4:C9:1F:06:83:E5:ED:39
trustedCert, 24-Jul-2017, trustedCertEntry,
Certificate fingerprint (SHA1): B8:4D:C8:5F:1C:98:A3:0B:F2:BC:04:E0:A3:22:26:66:64:F7:60:C8
Labels:

Comments

Post a Comment

Popular posts from this blog

Connection to Amazon Neptune endpoint from EKS during development

This small article will describe how to connect to Amazon Neptune database endpoint from your PC during development. Amazon Neptune is a fully managed graph database service from Amazon. Due to security reasons direct connections to Neptune are not allowed, so it's impossible to attach a public IP address or load balancer to that service. Instead access is restricted to the same VPC where Neptune is set up, so applications should be deployed in the same VPC to be able to access the database. That's a great idea for Production however it makes it very difficult to develop, debug and test applications locally. The instructions below will help you to create a tunnel towards Neptune endpoint considering you use Amazon EKS - a managed Kubernetes service from Amazon. As a side note, if you don't use EKS, the same idea of creating a tunnel can be implemented using a Bastion server . In Kubernetes we'll create a dedicated proxying pod. Prerequisites. Setting up a tunnel. ...
Post a Comment
Read more

Notes on upgrade to JSF 2.1, Servlet 3.0, Spring 4.0, RichFaces 4.3

This article is devoted to an upgrade of a common JSF Spring application. Time flies and there is already Java EE 7 platform out and widely used. It's sometimes said that Spring framework has become legacy with appearance of Java EE 6. But it's out of scope of this post. Here I'm going to provide notes about the minimal changes that I found required for the upgrade of the application from JSF 1.2 to 2.1, from JSTL 1.1.2 to 1.2, from Servlet 2.4 to 3.0, from Spring 3.1.3 to 4.0.5, from RichFaces 3.3.3 to 4.3.7. It must be mentioned that the latest final RichFaces release 4.3.7 depends on JSF 2.1, JSTL 1.2 and Servlet 3.0.1 that dictated those versions. This post should not be considered as comprehensive but rather showing how I did the upgrade. See the links for more details. Jetty & Tomcat. JSTL. JSF & Facelets. Servlet. Spring framework. RichFaces. Jetty & Tomcat First, I upgraded the application to run with the latest servlet container versio...
1 comment
Read more

Managing Content Security Policy (CSP) in IBM MAS Manage

This article explores a new system property introduced in IBM MAS 8.11.0 and Manage 8.7.0+ that enhances security but can inadvertently break Google Maps functionality within Manage. We'll delve into the root cause, provide a step-by-step solution, and offer best practices for managing Content Security Policy (CSP) effectively. Understanding the issue IBM MAS 8.11.0 and Manage 8.7.0 introduced the mxe.sec.header.Content_Security_Policy   property, implementing CSP to safeguard against injection attacks. While beneficial, its default configuration restricts external resources, causing Google Maps and fonts to malfunction. CSP dictates which domains can serve various content types (scripts, images, fonts) to a web page. The default value in this property blocks Google-related domains by default. Original value font-src 'self' data: https://1.www.s81c.com *.walkme.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' ...
Post a Comment
Read more