The following describes how to set up keystores for a client and a service using the openssl suite and the Java keytool utility that ships with the JDK.
Step 1. Create Certificate Authority Keys
A certificate authority (CA) is an entity trusted by all parties participating in a secure communication. The CA certifies the public keys of the trusted parties by signing them. Because every party trusts the CA, each party accepts public key certificates signed by that CA as trusted.
First, we create a new self-signed key pair for the certificate authority, using openssl.
1. Try the following from the same directory where you have saved the above files:
2. You will then be asked a series of questions while the key pair is created, as shown below:
The above creates two files:
cakey.pem - contains the encrypted private key.
cacert.pem - contains the public key certificate, signed with the private key.
Step 2. Create Client and Service Keys
1. Create the two sets of keys for the service and the client using the keytool that comes with the JDK. You can use keytool -genkey to create a key pair and store it in a keystore with the following command:
2. Once again you will be asked a series of questions as shown below:
3. The created keys are stored in the client.jks file, a Java KeyStore, under the alias client. To verify this, we can list the contents of the keystore as shown below.
We will use "18091980" (without quotes) as the password for both the keys and the keystores.
4. Similar to the way we created the client's keys, create the service's keys using the following command:
Step 3. Produce Signed X509 Certificates
We can create signed X.509 (version 3) certificates with openssl from certificate requests.
1. Create the certificate requests using the generated keys for the client and the service.
2. The above commands create the service.cert.req files, which we will use in the next step to produce X.509 certificates signed by the CA's private key using the "openssl ca" command.
The CA's configuration file (openssl.cnf) is set up to point to cakey.pem as the private key to use.
The service.pem files produced as output are plain text. To import these signed certificates into the keystores, convert them to the binary (DER) format using the openssl x509 command.
3. Convert the CA's certificate to binary form so that it can be imported into both keystores.
Step 4. Import the Certificates
1. Import the CA's self-signed certificate into both the client and the service keystores. Use the alias ca to identify the CA's certificate. keytool will display the information in the certificate and ask for confirmation before importing.
When we type "yes" to confirm the import, the CA's certificate is imported as a trusted certificate entry.
2. The certificate is added to the keystores.
3. Import the signed certificates into the keystores.
4. Since the certificate being imported matches the existing certificate under the given alias and is signed by the trusted CA certificate (which is now in the keystore), keytool simply imports the signed certificate and responds with the following.
We must import the CA's certificate before importing the other certificates.
5. To allow secure communication between the client and the service, make sure that each party has the other's public key.
6. Import client.cert into the service's keystore and service.cert into the client's keystore.
7. Since the certificates being added are signed by a trusted certificate, they are simply imported into the keystore, and keytool confirms this with the following output.
8. We now have two keystores, one for the client and one for the service, each containing its own key pair, the other party's certificate and the certificate authority's certificate.
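The whole procedure above, run end to end without prompts, as an added example that is not from the original page or its project: it assumes openssl and the JDK keytool are on PATH, writes its own minimal openssl.cnf because the page's CA configuration is not shown, and uses constructed subject names (Demo CA, CN=client, CN=service).

```shell
# Added example (not from the original page): the whole procedure, run non-interactively in ./demo-pki.
# Assumes openssl and a JDK keytool on PATH; "Demo CA", CN=client and CN=service are constructed names.
set -eu; PASS=18091980   # password for every key and keystore, as on the page
setup_ca() {   # Step 1: a minimal openssl.cnf for "openssl ca" (pointing at cakey.pem) plus the self-signed CA
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
private_key = ./cakey.pem
certificate = ./cacert.pem
default_md = sha256
policy = demo_policy
x509_extensions = v3_ee
[ demo_policy ]
commonName = supplied
[ v3_ee ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  mkdir -p newcerts; : > index.txt; echo 01 > serial
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -subj "/CN=Demo CA" -passout "pass:$PASS" \
    -keyout cakey.pem -out cacert.pem -config openssl.cnf -extensions v3_ca   # cakey.pem stays encrypted
  openssl x509 -in cacert.pem -outform DER -out ca.cert   # DER copy for keytool (step 3.3)
}
make_party() {   # Steps 2-4 for alias $1: key pair, CSR, CA signature, DER conversion, imports
  keytool -genkey -alias "$1" -keyalg RSA -keysize 2048 -dname "CN=$1" \
    -keystore "$1.jks" -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias "$1" -keystore "$1.jks" -storepass "$PASS" -file "$1.cert.req"
  openssl ca -batch -config openssl.cnf -days 365 -passin "pass:$PASS" -in "$1.cert.req" -out "$1.pem"
  openssl x509 -in "$1.pem" -outform DER -out "$1.cert"
  # the CA certificate must be imported first so the signed reply chains to a trusted entry
  keytool -import -noprompt -alias ca -file ca.cert -keystore "$1.jks" -storepass "$PASS"
  keytool -import -noprompt -alias "$1" -file "$1.cert" -keystore "$1.jks" -storepass "$PASS"
}
entry_count() { keytool -list -keystore "$1" -storepass "$PASS" | grep -c 'Entry'; }   # entries in keystore $1
run_all() {   # build both keystores, then give each side the other's certificate (step 4.6)
  mkdir -p "$1" && cd "$1"
  setup_ca; make_party client; make_party service
  keytool -import -noprompt -alias service -file service.cert -keystore client.jks -storepass "$PASS"
  keytool -import -noprompt -alias client -file client.cert -keystore service.jks -storepass "$PASS"
}
if command -v openssl >/dev/null && command -v keytool >/dev/null; then (run_all demo-pki); else echo "openssl and keytool (JDK) required" >&2; fi
```

After it runs, each keystore lists three entries: the party's own PrivateKeyEntry (now carrying the CA-signed certificate) plus trustedCertEntry entries for ca and for the other party.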