Integration of Java Cryptography API’s with Certificates and Creating Trust Chains – Part 1

We will demonstrate the creation of Certificates and Adding the same in the Trust Store of the Browsers.

How to generate a key pair, a certificate signing request (CSR) using Java Keytool and set up your own CA using OpenSSL tool and sign a certificate. At the end we will show how to use the generated certificates to implement secure communication.

Technical Specs.

We would require the following items installed/ present in the maven of the Project to run the programs

The Above tools needs to be downloaded in order to create the Key stores and Certificates.

  • Java Crytography Libraries
    • commons-codec
    • commons-io
    • base64
    • rt.jar

We need to add the above dependencies in the maven project to access the Java Crytography API’s.

Steps to Create a Key store and add it to the class path of the Java Project.

#######Password Always is Password######################

  • Generate a Key Pair

keytool -genkey -alias Aritra -keystore AritraKeyStore.jks -keyalg RSA -sigalg SHA1withRSA

#Key Store Password: You can consider that keytool will append this password to the content of the key store and then generate a hash/digest and store it into the key store. If someone modifies the key store without this password, he won’t be able to update the digest message. The next time you run keytool on this keystore, it will note the mismatch and warn you not to use this key store anymore.

#Alias Password or Private Key Password: You need to provide an entry password to protect the entry for the alias, here Aritra. You can consider that keytool will use this password to encrypt Aritra’s private key. This way other people won’t be able to read Aritra private key.

  • Create a Self Signed Certificate

Use the following command to export the public key as a certificate.

keytool -export -alias Aritra -file Aritra.cer -keystore AritraKeyStore.jks

Aritra.cer is a self signed certificate. Its Owner and Issuer have the same DN. This certificate is signed by the private key of Aritra. You can also open the certificate using Windows certification viewer tool. Double click the certificate in C:\>Keys folder and the certificate viewer will open.

Capture1.PNG    Capture2

These are untrusted Certificates which we need to add in the trust store.

  • Generate a Certificate Signing Request

To be trusted We need our certificate to be signed by a well known CA. To do that first we need to generate a Certificate Signing Request (CSR) and send it to CA. Keytool helps to generate a CSR using the following command

keytool -certreq -alias Aritra -keystore AritraKeyStore.jks -file Aritra.csr

The above command extracts required information such as public key, DN and put it in a standard CSR format in file Aritra.csr. A commercial CA should verify all information before they can issue a certificate with their signature. In the next section we are going to create our own test CA and register it as trusted to the browser and use it to sign our public key.

  • Set up a Certificate Authority

Next, to start Test CA, we need a private key. This is the top secret of the CA. If this is compromised then the CA is doomed!!! All certificates issued by this CA will be revoked. This is why the root private key is so important and often kept off-line necessitating a multi-tier hierarchy. For our test CA we need to create the key-pair and create a certificate signing request for the root CA’s public key. Please note this CSR is for the CA itself. These two steps can be done in a single command using SSL as follows

openssl req -new -keyout cakey.pem -out careq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg

Command Explanation:
req: work on certificate signing request
new: create a new private key and add a certificate request
keyout: keep the private key in file cakey.pem. Top secret file!!
out: write the CSR in file careq.pem
config: provides the config file. This is needed for the first time only.


  • Generate a certificate out of Test CA’s CSR
Now we need to generate a certificate out of Test CA’s CSR. Obviously this would be self signed. The following OpenSSL command is used to generate a self signed certificate form the CSR.
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca

Command Explanation:

x509: Work on an X.509 certificate
signkey: self sign the certificate using private in as stored in file cakey.pem
req: tells that input is a CSR
days: specify days of validity of the generated certificate
in: the input, i.e. CSR careq.pem
out: write the output certificate on caroot.cer
extensions: apply x.509 v3 extensions
  • Trusting Test CA’s Root Certificate

Every browser keeps well know CA’s root certificates in their trust store. Browsers manage (add/delete) these certificates during security patches time to time.

Open IE and click on Internet Options->Content->Certificates->Trusted Root Certification Authorities



We need to click on Yes to install the certificate

Java Environment also keeps root CA certificates in C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts file. It is a keystore and you can open it using the following command.

You can add Test CA’s root certificate to your JRE using keytool command. The initial password of the “cacerts” keystore file is “changeit”. You can also add the Test CA’s root certificate in DebKeyStore.jks or your own key store and point to that key store at runtime when you need to use any certificate signed by this Test CA. If you cannot convince JRE that Test CA’s root is trusted all certificates signed by Test CA will not work at runtime! You will see shortly how Test CA’s cert can be added to AritraKeyStore.jks.

  • Own Certificate Signed by CA
Test CA is ready, we have added it to the browser’s truststore. Now it the time to get your own certificate signed by the Test CA. However, before that, you need to note that when a CA issues a new certificate, it will put a unique serial number into that certificate. So you need to tell OpenSSL what is the next serial number to use. To do that drop a serial.txt file containing a serial number in the directory.
  1. echo 1234>serial.txt
  2. openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Aritra.csr -out AritraTestCA.cer -days 365
Command Explanation:
x509: again working with X.509 certificates.
CA: sign the certificate using caroot.cer. For exapmle it can find the DN of the CA here
CAkey: take the private key from cakey.pem file
CAserial: point to serial number file
req: says that input is a CSR and not a certificate itself
in: provides the input CSR as ../Keys/Aritra.csr
out: write the output certificate in ../Keys/AritraTestCA.cer file
days: validity of the certificate
You can see that there are no red-cross mark with the certificate now. The AritraTestCA is trusted as it is signed by Test CA which is trusted to the Windows/IE. Now whoever trust Test CA, will be able to trust the public key writtin in AritraTestCA.cer and be able to send encrypted message to Aritra. And Aritracan decrypt the message using the private key stored in AritraKeyStore.jks.
  • Keep the Certificates in Key Store
We can separately keep the AritraTestCA.cer and send it to clients or import AritraTestCA.cer to the key store. Because that’s the way to use the certificate in a Java application. But before that we need to import the signer certificate, i.e. root certificate of Test CA otherwise keytool will not import AritraTestCA.cer. Because it would not be able to trust the signer.
While importing Test CA’s root certificate keytool will ask for a confirmation that we really trust Test CA. If you say YES keytool will take all certificates signed by the root certificate.
keytool -import -alias TestCA -file ../CA/caroot.cer -keystore AritraKeyStore.jks
Import AritraTestCA.cer which is now signed by Test CA. One point to note here is that while importing this certificate you have to specify the same alias name that was used to generate the key pair. Only then keytool will replace default self signed Deb’s certificate with the certificate signed by Test CA.
keytool -import -alias Aritra -file AritraTestCA.cer -keystore AritraKeyStore.jks
We started with a empty key store and added several certificates in it while working on this tutorial. Let us see what all is there in the Key Store.
The key store has two entries. One PrivateKeyEntry  entry, it is basically a certificate chain now containing two certificates. The other trustedCertEntry entry, which is just a trusted self signed Test CA’s root certificate. Here we learnt how to create a certificate, get it signed by a CA, import it back to keystore to create the whole certificate chain and all trust issues.
In the next post, We will look into the usage of Java Crytography API’s to use these certificates in the JAVA Projects.
Digiprove sealCopyright secured by Digiprove © 2019 Geeks 18

Be the first to comment

Leave a Reply

Your email address will not be published.