We will demonstrate how to create certificates and add them to the trust store of the browsers.
This covers how to generate a key pair and a certificate signing request (CSR) using Java keytool, how to set up your own CA using the OpenSSL tool, and how to sign a certificate with it. At the end we will show how to use the generated certificates to implement secure communication.
We require the following items installed and present in the Maven configuration of the project to run the programs.
The above tools need to be downloaded in order to create the key stores and certificates.
- Java Cryptography Libraries
We need to add the above dependencies to the Maven project to access the Java Cryptography APIs.
Steps to create a key store and add it to the class path of the Java project.
####### The password is always "Password" ######################
- Generate a Key Pair
keytool -genkey -alias Aritra -keystore AritraKeyStore.jks -keyalg RSA -sigalg SHA1withRSA
# Key store password: think of it this way: keytool appends this password to the content of the key store, generates a hash/digest and stores it in the key store. If someone modifies the key store without this password, they will not be able to update the digest. The next time you run keytool on this keystore, it will notice the mismatch and warn you not to use this key store anymore.
# Alias password or private key password: you need to provide an entry password to protect the entry for the alias, here Aritra. Think of it as keytool using this password to encrypt Aritra's private key, so that other people cannot read Aritra's private key.
- Create a Self-Signed Certificate
Use the following command to export the public key as a certificate.
keytool -export -alias Aritra -file Aritra.cer -keystore AritraKeyStore.jks
Aritra.cer is a self-signed certificate: its Owner and Issuer have the same DN, and it is signed by Aritra's own private key. You can also open the certificate with the Windows certificate viewer: double-click the certificate in the C:\Keys folder and the certificate viewer will open.
This is an untrusted certificate, so we need to add it to the trust store.
- Generate a Certificate Signing Request
To be trusted, we need our certificate to be signed by a well-known CA. To do that we first need to generate a Certificate Signing Request (CSR) and send it to the CA. Keytool generates a CSR with the following command
keytool -certreq -alias Aritra -keystore AritraKeyStore.jks -file Aritra.csr
The above command extracts the required information, such as the public key and the DN, and puts it in standard CSR format in the file Aritra.csr. A commercial CA verifies all of this information before issuing a certificate carrying its signature. In the next section we are going to create our own test CA, register it as trusted in the browser, and use it to sign our public key.
- Set up a Certificate Authority
Next, to start the Test CA, we need a private key. This is the top secret of the CA. If it is compromised, the CA is doomed: every certificate issued by this CA will have to be revoked. This is why the root private key is so important and is often kept off-line, which necessitates a multi-tier hierarchy. For our test CA we need to create the key pair and a certificate signing request for the root CA's public key. Please note that this CSR is for the CA itself. These two steps can be done in a single command using OpenSSL as follows
openssl req -new -keyout cakey.pem -out careq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg
- Generate a certificate out of Test CA’s CSR
- Trusting Test CA’s Root Certificate
Every browser keeps the root certificates of well-known CAs in its trust store. Browsers manage (add/delete) these certificates in security patches from time to time.
Open IE and click Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities
Click Yes to install the certificate.
The Java environment also keeps root CA certificates in the file C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts. It is a keystore and you can open it using the following command.
You can add the Test CA's root certificate to your JRE using the keytool command. The initial password of the "cacerts" keystore file is "changeit". You can also add the Test CA's root certificate to DebKeyStore.jks or your own key store and point to that key store at runtime when you need to use any certificate signed by this Test CA. If you cannot convince the JRE that the Test CA's root is trusted, no certificate signed by the Test CA will work at runtime! You will see shortly how the Test CA's certificate can be added to AritraKeyStore.jks.
- Own Certificate Signed by CA
- echo 1234 > serial.txt
- openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Aritra.csr -out AritraTestCA.cer -days 365
- Keep the Certificates in Key Store
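The whole procedure above, from the Test CA's key pair to the signed certificate sitting in a key store, as an added example that is not part of the original page. It uses openssl only: the keytool -genkey, -certreq and -import steps are replaced by their openssl equivalents so that the script also runs on a host without a JDK, the signatures use SHA-256 rather than the SHA1withRSA of the keytool command above, and the result is packed into a PKCS12 file that Java opens as a KeyStore of type "PKCS12". The DNs, file names and the "Password" passphrase are constructed values.

```shell
#!/bin/sh
# Added example (not the page's own commands): the Test CA flow with openssl only.
# keytool -genkey / -certreq / -import are replaced by their openssl equivalents so
# the script also runs without a JDK. Passphrase and DNs are constructed values.
set -eu

PASS=Password   # constructed, mirrors the page's "the password is always Password"

# build_test_pki DIR: creates in DIR
#   cakey.pem / caroot.cer         Test CA private key and self-signed root certificate
#   Aritra.csr / AritraTestCA.cer  end-entity CSR and the certificate the Test CA issued
#   AritraKeyStore.p12             key store with Aritra's key, its certificate, CA root
build_test_pki() (
    cd "$1"
    # 1. CA key pair + self-signed root. "-x509" merges "CSR for the CA itself" and
    #    "certificate out of the Test CA's CSR" into one command. SHA-256, not SHA-1.
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/CN=Test CA/O=Example" -keyout cakey.pem -out caroot.cer
    # 2. End-entity key pair and CSR (what keytool -genkey and -certreq do for the JKS).
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=Aritra/O=Example" -keyout aritra-key.pem -out Aritra.csr
    # 3. Sign the CSR with the Test CA. The serial file holds a hex number and
    #    openssl writes the incremented value back after each issuance.
    printf '1234\n' > serial.txt
    # Extensions the CA imposes on the leaf: not a CA, and a subjectAltName, which
    # browsers require for host name matching (the DN in the CSR is not enough).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' > leaf.ext
    openssl x509 -req -sha256 -days 365 -in Aritra.csr -CA caroot.cer -CAkey cakey.pem \
        -CAserial serial.txt -extfile leaf.ext -out AritraTestCA.cer
    # 4. Keep the certificates in a key store: private key + issued certificate + CA
    #    root in one PKCS12 file, which Java opens with KeyStore.getInstance("PKCS12").
    openssl pkcs12 -export -inkey aritra-key.pem -in AritraTestCA.cer -certfile caroot.cer \
        -name Aritra -passout "pass:$PASS" -out AritraKeyStore.p12
)

# verify_chain DIR: succeeds only if AritraTestCA.cer chains to caroot.cer, the same
# check a browser or the JRE performs once the Test CA root is in its trust store.
verify_chain() {
    openssl verify -CAfile "$1/caroot.cer" "$1/AritraTestCA.cer"
}

# issuer_of FILE: prints the issuer DN; for the leaf it is now the Test CA, not Aritra.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}
```

Run build_test_pki on an empty directory, then verify_chain on the same directory; if verify_chain fails, the signing step did not use the root that the trust store holds.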