Following is information on setting up keystores for a client and a service using the openssl suite and the Java keytool utility available with the JDK.
Step 1. Create Certificate Authority Keys
A certificate authority (CA) is an entity trusted by all parties participating in a secure communication. The CA certifies the participants' public keys by signing certificates for them. Because every party trusts the CA, each party accepts a public key certificate signed by that CA as trusted.
First, we will create a new self-signed key pair for the certificate authority. We will use openssl to create this key pair.
Note
Download the following three files (the openssl ca configuration and the certificate database and serial-number files it expects) and copy them to the directory that will be used to create the keys: serial.htm_.txt, openssl.cnf and index.txt.
1. Try the following from the same directory where you have saved the above files:
openssl req -x509 -newkey rsa:2048 -days 3650 -keyout cakey.pem -out cacert.pem -config openssl.cnf
Use at least a 2048-bit key; 1024-bit RSA keys are no longer considered secure. Without -days, openssl req -x509 issues a certificate that is valid for only 30 days.
2. You will be asked for a pass phrase to protect the CA's private key and for the distinguished name of the CA (country, state, organisation, common name and so on).
The result of the above will create two files:
cakey.pem - Contains the encrypted private key.
cacert.pem - Contains the self-signed public key certificate of the CA, signed using that private key.
Step 2. Create Client and Service Keys
1. Create the two sets of keys for the service and the client using the keytool that comes with the JDK. You can use keytool -genkey (called -genkeypair in current JDKs; the old name still works) to create a key pair and store it in a keystore using the following command. The -keysize option is given explicitly because older JDKs default to 1024-bit RSA keys:
keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore client.jks
2. Once again you will be asked a series of questions: the keystore password, the distinguished name of the key's owner, and the key password.
3. The created keys are stored in the client.jks file, which is a Java KeyStore, under the alias client. To verify this, we can list the contents of the keystore as shown below.
Note
We will use "18091980" (without quotes) as the password of both keys and keystores. It is only an example value; a real deployment needs a strong password, since it protects the private keys.
keytool -list -v -keystore client.jks -storepass 18091980
4. Similar to the way we created the client's keys, create the service's keys using the following command:
keytool -genkey -alias service -keyalg RSA -keysize 2048 -keystore service.jks
Step 3. Produce Signed X509 Certificates
We can create signed X509 (version 3) certificates using openssl from certificate requests.
1. Create the certificate requests using the generated keys for the client and the service (the keystore password is the one chosen above).
For client:
keytool -certreq -keystore client.jks -storepass 18091980 -alias client -file client.cert.req
For service:
keytool -certreq -keystore service.jks -storepass 18091980 -alias service -file service.cert.req
2. The above commands create the client.cert.req and service.cert.req files, which we use in the next step to produce X509 certificates signed by the private key of the CA using the "openssl ca" command. If openssl ca rejects a request because a field such as countryName differs from the CA certificate, the policy section of openssl.cnf requires those fields to match; generate the keys with the same values you entered in Step 1.
For client:
openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req
For service:
openssl ca -config openssl.cnf -out service.pem -infiles service.cert.req
Note
The CA's configuration file (openssl.cnf) is configured to point to the cakey.pem file as the private key to use. openssl ca will ask for the pass phrase of that key.
The client.pem and service.pem files written by openssl ca are text: a human-readable dump of each certificate followed by the PEM-encoded certificate itself. To import these signed certificates into the keystores, convert them into the binary (DER) format using the openssl x509 command.
For client:
openssl x509 -outform DER -in client.pem -out client.cert
For service:
openssl x509 -outform DER -in service.pem -out service.cert
3. Convert the CA's certificate to the binary form to be imported to both keystores.
openssl x509 -outform DER -in cacert.pem -out cacert.cert
Step 4. Import the Certificates
1. Import the CA's self-signed certificate into both the client and the service keystores. Use the alias ca to identify the CA's certificate. keytool will display the information in the certificate (including its fingerprint) and ask for confirmation to import.
For service:
keytool -import -file cacert.cert -keystore service.jks -storepass 18091980 -alias ca
For client:
keytool -import -file cacert.cert -keystore client.jks -storepass 18091980 -alias ca
Note
When we type in "yes" and confirm the import, the CA's certificate is imported as a trusted certificate entry.
2. keytool confirms this with "Certificate was added to keystore".
3. Import the signed certificates into the keystores.
4. Since the certificate being imported matches the public key of the given alias and is signed by the trusted CA certificate (which is now in the keystore), keytool simply installs it as the certificate reply for that alias and responds with "Certificate reply was installed in keystore".
For client:
keytool -import -file client.cert -keystore client.jks -storepass 18091980 -alias client
For service:
keytool -import -file service.cert -keystore service.jks -storepass 18091980 -alias service
Note
We must import the CA's certificate before importing the other certificates; otherwise keytool cannot establish the certificate chain of the reply and rejects it.
5. In order to allow secure communication between the client and the service, make sure that each party has the other's certificate (and therefore the other's public key).
6. Import client.cert into the service's keystore and service.cert into the client's keystore.
7. Since the certificates being added are signed by a trusted CA certificate that is already in the keystore, keytool imports them without asking for confirmation and responds with "Certificate was added to keystore".
keytool -import -file client.cert -keystore service.jks -storepass 18091980 -alias client
keytool -import -file service.cert -keystore client.jks -storepass 18091980 -alias service
8. We now have two keystores, one for the client and one for the service, each holding that party's own key pair with its CA-signed certificate, the CA's certificate and the other party's certificate. Both files contain private keys and must be protected accordingly.
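The whole procedure, Steps 1 to 4, as one non-interactive script. This is an added example, not code from the original page or from any project. It assumes openssl and the JDK's keytool on PATH, the password 18091980 from the text, an output directory named pki, 2048-bit keys, a one-year certificate lifetime and made-up distinguished names. It signs the requests with openssl x509 -req instead of openssl ca, so it needs no openssl.cnf, index.txt or serial files, and it writes JKS keystores explicitly (-storetype JKS) because JDK 9 and later default to PKCS12 regardless of the .jks file name. It ends with a check that each signed certificate verifies against the CA and that each keystore holds the party's own PrivateKeyEntry, the ca entry and the peer's certificate.

```shell
#!/bin/sh
# Added example (not from the original page): Steps 1-4 above, non-interactive.
# Assumed: openssl and keytool on PATH, password 18091980, output directory ./pki,
# openssl x509 -req used for signing instead of openssl ca (no config files needed).
set -eu

STOREPASS=18091980          # as in the text; use a strong password for real deployments
DAYS=365
SUBJ_BASE="/C=LK/O=Example Org"   # made-up DN values

# Step 1: self-signed CA key pair, plus the DER copy that keytool imports.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    rm -f "$dir"/*.jks "$dir"/*.pem "$dir"/*.cert "$dir"/*.req "$dir"/*.srl "$dir"/*.ext
    openssl req -x509 -newkey rsa:2048 -sha256 -days "$DAYS" \
        -passout "pass:$STOREPASS" -subj "$SUBJ_BASE/CN=Example Root CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem"
    openssl x509 -outform DER -in "$dir/cacert.pem" -out "$dir/cacert.cert"
    # end-entity extensions for the certificates issued below (makes them v3 certificates)
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$dir/ee.ext"
}

# Steps 2-4 for one party: key pair, certificate request, CA-signed certificate, imports.
make_party() {
    dir=$1; name=$2
    ks="$dir/$name.jks"
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -storetype JKS \
        -dname "CN=$name, O=Example Org, C=LK" \
        -keystore "$ks" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias "$name" -keystore "$ks" -storepass "$STOREPASS" \
        -file "$dir/$name.cert.req"
    # sign the request with the CA key; keytool's "NEW CERTIFICATE REQUEST" PEM is accepted
    openssl x509 -req -sha256 -days "$DAYS" -in "$dir/$name.cert.req" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -passin "pass:$STOREPASS" \
        -CAcreateserial -extfile "$dir/ee.ext" -out "$dir/$name.pem"
    openssl x509 -outform DER -in "$dir/$name.pem" -out "$dir/$name.cert"
    # the CA certificate must go in first, or the chain for the reply cannot be established
    keytool -importcert -noprompt -alias ca -file "$dir/cacert.cert" \
        -keystore "$ks" -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias "$name" -file "$dir/$name.cert" \
        -keystore "$ks" -storepass "$STOREPASS"
}

# Step 4, items 5-7: each party gets the other's certificate as a trusted entry.
exchange() {
    dir=$1
    keytool -importcert -noprompt -alias client -file "$dir/client.cert" \
        -keystore "$dir/service.jks" -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias service -file "$dir/service.cert" \
        -keystore "$dir/client.jks" -storepass "$STOREPASS"
}

# Returns 0 when NAME's certificate verifies against the CA and NAME's keystore
# holds NAME's own PrivateKeyEntry, the "ca" entry and PEER's certificate.
check() {
    dir=$1; name=$2; peer=$3
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.pem" >/dev/null || return 1
    listing=$(keytool -list -keystore "$dir/$name.jks" -storepass "$STOREPASS") || return 1
    echo "$listing" | grep -q "^$name, .*PrivateKeyEntry" || return 1
    echo "$listing" | grep -q "^ca, .*trustedCertEntry" || return 1
    echo "$listing" | grep -q "^$peer, .*trustedCertEntry"
}

build_all() {
    dir=$1
    make_ca "$dir"
    make_party "$dir" client
    make_party "$dir" service
    exchange "$dir"
    check "$dir" client service && check "$dir" service client
}

# usage: sh setup-keystores.sh [dir]    (default dir: pki)
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
    build_all "${1:-pki}"
else
    echo "skipped: openssl and keytool (JDK) must be on PATH" >&2
fi
```

The -noprompt on the CA import is safe here only because cacert.cert was produced in the same run. When the CA certificate comes from somewhere else, leave -noprompt out and compare the fingerprint keytool prints with one obtained out of band before answering yes; importing an unverified CA certificate as a trusted entry makes every certificate it signs trusted.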