Skip to main content

SSL certificates guide

In this article I'm going to explain how to create keys, SSL certificates and key stores. This can be required to simply migrate your website to HTTPS or to enable single sign-on authentication or in other cases. SSL certificates can be used for digital signing/verification and for encryption/decryption.
In case of digital signatures, the sender signs the message using a private key certificate, while the receiver verifies the signature of the message using the public key certificate.
In case of encryption, the sender encrypts the message using the public key certificate, while the receiver decrypts the message using the private key.
  1. Generating keys.
  2. Generating certificates.
  3. Working with keystores.
Generating keys
The first step is generating a private/public key pair. This can be done in different ways. We'll use openssl utility as it will be used for certificates later as well. The important point is the key length - bigger length makes the key harder to crack. It's considered safe to have the length of at least 2048 bits for RSA keys nowadays.
  1. Generate RSA private key of 2048 bits in PEM format
  2. openssl genrsa -out rsaprivkey.pem 2048
  3. Generate the public key in DER format
  4. openssl rsa -in rsaprivkey.pem -pubout -outform DER -out rsapubkey.der
  5. Generate the unencrypted private key in PKCS #8 and DER format
  6. openssl pkcs8 -topk8 -inform PEM -outform DER -in rsaprivkey.pem -out rsaprivkey.der -nocrypt

Generating certificates
You have two options - generating a self signed certificate or requesting a trusted certificate from a certificate authority. While self signed certificates can be acceptable during development, any production system will require a trusted certificate. Both options are mentioned here.
  1. Generate certificate signing request (CSR), in the "Common Name" set the hostname of your website
  2. openssl req -new -key rsaprivkey.pem -out server.csr
  3. Print CSR details
  4. openssl req -in server.csr -noout -text
    Example output:
    Certificate Request:
            Version: 0 (0x0)
            Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                        ... more HEX data ...
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
             ... more HEX data ...
  5. Generate self signed certificate
  6. openssl x509 -req -days 365 -in server.csr -signkey rsaprivkey.pem -out server.crt
    Example output:
    Signature ok
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
    Getting Private key
  7. Request a trusted certificate (e.g. Let's Encrypt or COMODO)
There are two main encoding formats that a certificate can be stored in - a binary DER format (can also have file extensions CER or CRT) and a Base64 encoded PEM format which syntax is defined by X.509 standards (can also have file extension CRT). You can convert between the encoding formats using the following commands:
  1. Convert certificate from DER to PEM format
  2. openssl x509 -inform der -in certificate.crt -out certificate.pem
  3. Convert certificate from PEM to DER format
  4. openssl x509 -outform der -in certificate.pem -out certificate.crt

Working with keystores
There are different types of keystores. The most common types are PKCS #12 (using extensions .p12 or .pfx) and JKS (Java KeyStore, specific to Java language). We'll use keytool Java utility to work with JKS files.
  1. Generate a PKCS12 keystore with our certificate (note - set non-empty password)
  2. openssl pkcs12 -export -in server.crt -inkey rsaprivkey.pem -name server -out server.p12
    Next you can either convert PKCS12 keystore type into JKS or generate an empty JKS keystore and import a certificate there. Both options are explained below.
  3. Convert PKCS12 keystore to JKS keystore
  4. keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcalias server -destkeystore server.jks -deststoretype jks -deststorepass password -destalias server
  5. Generate an empty JKS keystore (note - set non-empty password)
  6. keytool -genkey -alias server -keystore server.jks
    keytool -delete -alias server -keystore server.jks
  7. Import certificate from PKCS12 to JKS keystore
  8. keytool -importkeystore -deststorepass password -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12
    Now when you have a JKS keystore with your private certificate, you might need to import a public trusted certificate there as well. For example, this can be needed to enable SAML SSO authentication.
  9. Import a trusted DER certificate into JKS keystore
  10. keytool -import -trustcacerts -alias trustedCert -file trustedCert.crt -keystore server.jks 
  11. Check certificates in JKS keystore
  12. keytool -list -keystore server.jks -storepass password
    Example output:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    server, 27-Jul-2017, PrivateKeyEntry,
    Certificate fingerprint (SHA1): A3:11:78:7C:D7:C6:30:F9:57:DF:3C:B1:B4:C9:1F:06:83:E5:ED:39
    trustedCert, 24-Jul-2017, trustedCertEntry,
    Certificate fingerprint (SHA1): B8:4D:C8:5F:1C:98:A3:0B:F2:BC:04:E0:A3:22:26:66:64:F7:60:C8


Popular posts from this blog

DynamicReports and Spring MVC integration

This is a tutorial on how to exploit DynamicReports reporting library in an existing  Spring MVC based web application. It's a continuation to the previous post where DynamicReports has been chosen as the most appropriate solution to implement an export feature in a web application (for my specific use case). The complete code won't be provided here but only the essential code snippets together with usage remarks. Also I've widely used this tutorial that describes a similar problem for an alternative reporting library. So let's turn to the implementation description and start with a short plan of this how-to: Adding project dependencies. Implementing the Controller part of the MVC pattern. Modifying the View part of the MVC pattern. Modifying web.xml. Adding project dependencies I used to apply Maven Project Builder throughout my Java applications, thus the dependencies will be provided in the Maven format. Maven project pom.xml file: net.sourcefo

Do It Yourself Java Profiling

This article is a free translation of the Russian one that is a transcript of the Russian video lecture done by Roman Elizarov at the Application Developer Days 2011 conference. The lecturer talked about profiling of Java applications without any standalone tools. Instead, it's suggested to use internal JVM features (i.e. threaddumps, java agents, bytecode manipulation) to implement profiling quickly and efficiently. Moreover, it can be applied on Production environments with minimal overhead. This concept is called DIY or "Do It Yourself". Below the lecture's text and slides begin. Today I'm giving a lecture "Do It Yourself Java Profiling". It's based on the real life experience that was gained during more than 10 years of developing high-loaded finance applications that work with huge amounts of data, millions currency rate changes per second and thousands of online users. As a result, we have to deal with profiling. Application pro

Using Oracle impdp utility to reload database

Here I'll show an example of using Oracle Data Pump Import (impdp) utility. It allows importing Oracle data dumps. Specifically, below is the list of steps I used on an existing Oracle schema to reload the data from a dump. Steps to reload the data from an Oracle dump We start with logging into SQL Plus as sysdba to be able to manage users. sqlplus sys/password@test as sysdba Dropping the existing user. CASCADE clause will ensure that all schema objects are removed before the user. SQL> DROP USER test CASCADE; Creating a fresh user will automatically create an empty schema with the same name. SQL> CREATE USER test IDENTIFIED BY "testpassword"; Granting DBA role to the user to load the dump later. Actually, it's an overkill and loading the dump can be permitted using a more granular role IMP_FULL_DATABASE . SQL> GRANT DBA TO test; Registering the directory where the dump is located. SQL> CREATE DIRECTORY dump_dir AS '/home/test/dumpd