Author Topic: openssl gen keystore for JAVA server  (Read 8136 times)

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
openssl gen keystore for JAVA server
« on: กุมภาพันธ์ 26, 2019, 04:55:11 PM »
We have JAVA server and client communicate over a network using SSL. The server and client mutually authenticate each other using certificates. The keystore type used by the server and client is JKS. The server and client loads their keystore and truststore files. The keystore and truststore file names are: server.keystore, server.truststore, client.keystore, and client.truststore. I am using Self-Signed certificates for testing only.

Questions:

Q1. I would like to know why I need to add server’s and client’s own certificates into their respective truststores, in step 6.

Q2. Can I reduce the number steps to achieve the same thing? If yes, then how?

=== Steps to create RSA key, self-signed certificates, keystore, and truststore for a server ===

1.Generate a private RSA key
$openssl genrsa -out diagserverCA.key 2048

2.Create a x509 certificate
$openssl req -x509 -new -nodes -key diagserverCA.key \
            -sha256 -days 1024 -out diagserverCA.pem

3.Create a PKCS12 keystore from private key and public certificate.
$openssl pkcs12 -export -name server-cert \
               -in diagserverCA.pem -inkey diagserverCA.key \
               -out serverkeystore.p12

4.Convert PKCS12 keystore into a JKS keystore
$keytool -importkeystore -destkeystore server.keystore \
        -srckeystore serverkeystore.p12 -srcstoretype pkcs12
        -alias server-cert

5.Import a client's certificate to the server's trust store.
$keytool -import -alias client-cert \
        -file diagclientCA.pem -keystore server.truststore

6.Import a server's certificate to the server's trust store.
$keytool -import -alias server-cert \
        -file diagserverCA.pem -keystore server.truststore

=== Steps to create RSA private key, self-signed certificate, keystore, and truststore for a client ===

1.Generate a private key
$openssl genrsa -out diagclientCA.key 2048

2.Create a x509 certificate
$openssl req -x509 -new -nodes -key diagclientCA.key \
            -sha256 -days 1024 -out diagclientCA.pem

3.Create PKCS12 keystore from private key and public certificate.
$openssl pkcs12 -export -name client-cert \
               -in diagclientCA.pem -inkey diagclientCA.key \
               -out clientkeystore.p12

4.Convert a PKCS12 keystore into a JKS keystore
$keytool -importkeystore -destkeystore client.keystore \
        -srckeystore clientkeystore.p12 -srcstoretype pkcs12 \
        -alias client-cert

5.Import a server's certificate to the client's trust store.
$keytool -import -alias server-cert -file diagserverCA.pem \
        -keystore client.truststore

6.Import a client's certificate to the client's trust store.
$keytool -import -alias client-cert -file diagclientCA.pem \
        -keystore client.truststore
« Last Edit: กุมภาพันธ์ 27, 2019, 08:48:01 AM by golfreeze »

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: openssl gen keystore for JAVA server
« Reply #1 on: กุมภาพันธ์ 27, 2019, 08:55:43 AM »
Certificates and Encodings
At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.

In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions
The first thing we have to understand is what each type of file extension is.   There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulat

Encodings (also used as extensions)
.DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
.PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions
.CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems
CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.

.KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
The only time CRT and CER can safely be interchanged is when the encoding type can be identical.  (ie  PEM encoded CRT = PEM encoded CER)
« Last Edit: กุมภาพันธ์ 27, 2019, 09:05:00 AM by golfreeze »

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: openssl gen keystore for JAVA server
« Reply #2 on: กุมภาพันธ์ 27, 2019, 09:04:08 AM »
CONVERT PEM
PEM TO DER
openssl x509 -outform der -in certificate.pem -out certificate.der

PEM TO P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

PEM TO PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
CONVERT DER
DER(.CRT .CER .DER) TO PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem

DER TO CER
openssl x509 -inform der -in certificat-ssl.der -out certificat-ssl.cer
CONVERT P7B
P7B TO PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

P7B TO PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

P7B TO CER
openssl pkcs7 -print_certs -in certificat-ssl.p7b -out certificat-ssl.cer
CONVERT PFX
PFX TO PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
CONVERT CER
CER TO P7B
openssl crl2pkcs7 -nocrl -certfile certificat-ssl.cer -certfile cert-intermediaire.cer -certfile cert-racine.cer -out certificat-ssl.p7b

CER TO PFX
openssl pkcs12 -in certificat-ssl.cer -certfile cert-intermediaire.cer -certfile cert-racine.cer -inkey cle-privee.key -export -out certificat-ssl.pfx

CER TO DER
openssl x509 -in certificat-ssl.cer -outform der -out certificat-ssl.der