Skip to main content

SSL certificates guide

In this article I'm going to explain how to create keys, SSL certificates and key stores. This can be required to simply migrate your website to HTTPS or to enable single sign-on authentication or in other cases. SSL certificates can be used for digital signing/verification and for encryption/decryption.
In case of digital signatures, the sender signs the message using a private key certificate, while the receiver verifies the signature of the message using the public key certificate.
In case of encryption, the sender encrypts the message using the public key certificate, while the receiver decrypts the message using the private key.
  1. Generating keys.
  2. Generating certificates.
  3. Working with keystores.
Generating keys
The first step is generating a private/public key pair. This can be done in different ways. We'll use openssl utility as it will be used for certificates later as well. The important point is the key length - bigger length makes the key harder to crack. It's considered safe to have the length of at least 2048 bits for RSA keys nowadays.
  1. Generate RSA private key of 2048 bits in PEM format
  2. openssl genrsa -out rsaprivkey.pem 2048
    
  3. Generate the public key in DER format
  4. openssl rsa -in rsaprivkey.pem -pubout -outform DER -out rsapubkey.der
    
  5. Generate the unencrypted private key in PKCS #8 and DER format
  6. openssl pkcs8 -topk8 -inform PEM -outform DER -in rsaprivkey.pem -out rsaprivkey.der -nocrypt
    

Generating certificates
You have two options - generating a self signed certificate or requesting a trusted certificate from a certificate authority. While self signed certificates can be acceptable during development, any production system will require a trusted certificate. Both options are mentioned here.
  1. Generate certificate signing request (CSR), in the "Common Name" set the hostname of your website
  2. openssl req -new -key rsaprivkey.pem -out server.csr
    
  3. Print CSR details
  4. openssl req -in server.csr -noout -text
    
    Example output:
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d2:02:4a:83:b1:07:4c:9f:b3:40:11:88:73:16:
                        ... more HEX data ...
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
             28:f6:2e:1b:f7:4b:d9:fd:96:58:e5:ca:86:87:07:a2:a7:21:
             ... more HEX data ...
    
  5. Generate self signed certificate
  6. openssl x509 -req -days 365 -in server.csr -signkey rsaprivkey.pem -out server.crt
    
    Example output:
    Signature ok
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
    Getting Private key
    
  7. Request a trusted certificate (e.g. Let's Encrypt or COMODO)
There are two main encoding formats that a certificate can be stored in - a binary DER format (can also have file extensions CER or CRT) and a Base64 encoded PEM format which syntax is defined by X.509 standards (can also have file extension CRT). You can convert between the encoding formats using the following commands:
  1. Convert certificate from DER to PEM format
  2. openssl x509 -inform der -in certificate.crt -out certificate.pem
    
  3. Convert certificate from PEM to DER format
  4. openssl x509 -outform der -in certificate.pem -out certificate.crt
    

Working with keystores
There are different types of keystores. The most common types are PKCS #12 (using extensions .p12 or .pfx) and JKS (Java KeyStore, specific to Java language). We'll use keytool Java utility to work with JKS files.
  1. Generate a PKCS12 keystore with our certificate (note - set non-empty password)
  2. openssl pkcs12 -export -in server.crt -inkey rsaprivkey.pem -name server -out server.p12
    
    Next you can either convert PKCS12 keystore type into JKS or generate an empty JKS keystore and import a certificate there. Both options are explained below.
  3. Convert PKCS12 keystore to JKS keystore
  4. keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcalias server -destkeystore server.jks -deststoretype jks -deststorepass password -destalias server
    
  5. Generate an empty JKS keystore (note - set non-empty password)
  6. keytool -genkey -alias server -keystore server.jks
    keytool -delete -alias server -keystore server.jks
    
  7. Import certificate from PKCS12 to JKS keystore
  8. keytool -importkeystore -deststorepass password -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12
    
    Now when you have a JKS keystore with your private certificate, you might need to import a public trusted certificate there as well. For example, this can be needed to enable SAML SSO authentication.
  9. Import a trusted DER certificate into JKS keystore
  10. keytool -import -trustcacerts -alias trustedCert -file trustedCert.crt -keystore server.jks 
    
  11. Check certificates in JKS keystore
  12. keytool -list -keystore server.jks -storepass password
    
    Example output:
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    server, 27-Jul-2017, PrivateKeyEntry,
    Certificate fingerprint (SHA1): A3:11:78:7C:D7:C6:30:F9:57:DF:3C:B1:B4:C9:1F:06:83:E5:ED:39
    trustedCert, 24-Jul-2017, trustedCertEntry,
    Certificate fingerprint (SHA1): B8:4D:C8:5F:1C:98:A3:0B:F2:BC:04:E0:A3:22:26:66:64:F7:60:C8
    

Comments

Popular posts from this blog

DynamicReports and Spring MVC integration

This is a tutorial on how to exploit DynamicReports reporting library in an existing  Spring MVC based web application. It's a continuation to the previous post where DynamicReports has been chosen as the most appropriate solution to implement an export feature in a web application (for my specific use case). The complete code won't be provided here but only the essential code snippets together with usage remarks. Also I've widely used this tutorial that describes a similar problem for an alternative reporting library. So let's turn to the implementation description and start with a short plan of this how-to: Adding project dependencies. Implementing the Controller part of the MVC pattern. Modifying the View part of the MVC pattern. Modifying web.xml. Adding project dependencies I used to apply Maven Project Builder throughout my Java applications, thus the dependencies will be provided in the Maven format. Maven project pom.xml file: net.sourcefo

Connection to Amazon Neptune endpoint from EKS during development

This small article will describe how to connect to Amazon Neptune database endpoint from your PC during development. Amazon Neptune is a fully managed graph database service from Amazon. Due to security reasons direct connections to Neptune are not allowed, so it's impossible to attach a public IP address or load balancer to that service. Instead access is restricted to the same VPC where Neptune is set up, so applications should be deployed in the same VPC to be able to access the database. That's a great idea for Production however it makes it very difficult to develop, debug and test applications locally. The instructions below will help you to create a tunnel towards Neptune endpoint considering you use Amazon EKS - a managed Kubernetes service from Amazon. As a side note, if you don't use EKS, the same idea of creating a tunnel can be implemented using a Bastion server . In Kubernetes we'll create a dedicated proxying pod. Prerequisites. Setting up a tunnel.

Elasticsearch CORS with basic authentication setup

This is a short "recipe" article explaining how to configure remote ElasticSearch instance to support CORS requests and basic authentication using Apache HTTP Server 2.4. Proxy To start with, we need to configure Apache to proxy requests to the Elasticsearch instance. By default, Elasticsearch is running on the port 9200: ProxyPass /elastic http://localhost:9200/ ProxyPassReverse /elastic http://localhost:9200/ Basic authentication Enabling basic authentication is easy. By default, Apache checks the user credentials against the local file which you can create using the following command: /path/to/htpasswd -c /usr/local/apache/password/.htpasswd_elasticsearch elasticsearchuser Then you'll need to use the following directives to allow only authenticated users to access your content: AuthType Basic AuthName "Elastic Server" AuthUserFile /usr/local/apache/password/.htpasswd_elasticsearch Require valid-user For more complex setups such as LDAP-based