Essential security tools: OpenSSL and keytool

Source: Internet
Author: User
Tags: dname, modulus, openssl rsa, openssl x509, pkcs12, openssl commands, ssl connection

 

See also: <essential security: PKI, SSL and XML security>

 

1. OpenSSL practices

At work I needed to configure an FTP server that uses SSL with two-way (mutual) authentication for its connections. The certificates are created with OpenSSL and the Java keytool, as follows:

D:/OpenSSL/mkcerts> openssl genrsa -out ca.key 1024

Create the CA private key.
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
........................................++
...
e is 65537 (0x10001)

D:/OpenSSL/mkcerts> openssl req -new -days 3650 -x509 -key ca.key -out cacert.pem -config openssl.cnf

Create the self-signed CA certificate (signed with the CA private key created in the previous step).
Using configuration from openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:chelseafc
Organizational Unit Name (eg, section) []:ftptest
Common Name (eg, YOUR name) []:Chelsea
Email Address []:chelsea@chelseafc.com

D:/OpenSSL/mkcerts> openssl genrsa -des3 -out server.key 1024

Create the server private key (protected with a DES3 pass phrase).
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...
.++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

D:/OpenSSL/mkcerts> openssl rsa -in server.key -out serverkey.pem

Convert the server private key to plain PEM. Note that openssl rsa without a cipher option writes serverkey.pem without the pass phrase, so the resulting file must be protected (restrict its permissions and keep it off shared storage).
read RSA key
Enter PEM pass phrase:
writing RSA key

D:/OpenSSL/mkcerts> openssl req -new -days 3650 -key server.key -out server.csr -config openssl.cnf

Create the certificate signing request (CSR) for the server certificate.
Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:chelseafc
Organizational Unit Name (eg, section) []:ftptest
Common Name (eg, YOUR name) []:Chelsea
Email Address []:chelsea@chelseafc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D:/OpenSSL/mkcerts> openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in server.csr -out server.pem -config openssl.cnf

The CA signs the server certificate (this requires the CA private key and the CA database files demoCA/serial and demoCA/index.txt).
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Beijing'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'chelseafc'
organizationalUnitName:PRINTABLE:'ftptest'
commonName            :PRINTABLE:'Chelsea'
emailAddress          :IA5STRING:'chelsea@chelseafc.com'
Certificate is to be certified until Oct 26 03:01:33 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

D:/OpenSSL/mkcerts> openssl x509 -in server.pem -out server.crt

Convert the format: rewrite the certificate as plain PEM (openssl ca prefixes its output with a text dump of the certificate, which openssl x509 strips).

D:/OpenSSL/mkcerts> openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt

Convert the format of the CA certificate in the same way.

D:/OpenSSL/mkcerts> keytool -genkey -keyalg RSA -alias ftpsconnector -keystore ftps.jks -storepass changeit -storetype jks

Generate the Java client private key in a keystore file.
What is your first and last name?
  [Unknown]:  Chelsea
What is the name of your organizational unit?
  [Unknown]:  ftptest
What is the name of your organization?
  [Unknown]:  chelseafc
What is the name of your City or Locality?
  [Unknown]:  Beijing
What is the name of your State or Province?
  [Unknown]:  Beijing
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=Chelsea, OU=ftptest, O=chelseafc, L=Beijing, ST=Beijing, C=CN correct?
  [no]:  y

Enter key password for <ftpsconnector>
        (RETURN if same as keystore password):

D:/OpenSSL/mkcerts> keytool -certreq -alias ftpsconnector -keyalg RSA -file ftpsconnector.csr -keystore ftps.jks

Generate a certificate request for the Java client key.
Enter keystore password:  changeit

D:/OpenSSL/mkcerts> openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in ftpsconnector.csr -out ftpsconnector.pem -config openssl.cnf

The CA signs the Java client certificate.
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Beijing'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'chelseafc'
organizationalUnitName:PRINTABLE:'ftptest'
commonName            :PRINTABLE:'Chelsea'
Certificate is to be certified until Oct 26 03:05:08 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

D:/OpenSSL/mkcerts> openssl x509 -in ftpsconnector.pem -out ftpsconnector.cer

Convert the format (plain PEM, as for the server certificate above).

D:/OpenSSL/mkcerts> keytool -import -alias root -trustcacerts -file demoCA/cacert.crt -keystore ftps.jks

Import the CA certificate into the jks file as a trusted certificate (every certificate signed by this CA is therefore trusted by the client).

Enter keystore password:  changeit
Owner: EMAILADDRESS=chelsea@chelseafc.com, CN=Chelsea, OU=ftptest, O=chelseafc, L=Beijing, ST=Beijing, C=CN
Issuer: EMAILADDRESS=chelsea@chelseafc.com, CN=Chelsea, OU=ftptest, O=chelseafc, L=Beijing, ST=Beijing, C=CN
Serial number: 0
Valid from: Wed Oct 26 10:55:43 CST 2005 until: Sat Oct 24 10:55:43 CST 2015
Certificate fingerprints:
         MD5:  85:21:11:10:26:4A:CD:01:55:B7:47:DF:0D:58:AA:A3
         SHA1: 91:74:88:03:B7:5C:E4:BD:27:1F:27:BF:10:23:0A:BA:2C:42:13:2B
Trust this certificate? [no]:  y
Certificate was added to keystore

D:/OpenSSL/mkcerts> keytool -import -alias ftpsconnector -trustcacerts -file ftpsconnector.cer -keystore ftps.jks

Import the client's own signed certificate into the jks file (the jks file now holds everything needed to establish an SSL connection: the client key and certificate plus the trusted CA certificate).
Enter keystore password:  changeit
Certificate reply was installed in keystore

Examples of other OpenSSL commands

openssl pkcs12 -export -clcerts -in client.pem -inkey clientkey.pem -out client.p12

openssl pkcs8 -inform PEM -nocrypt -in abcwebnet-pkcs8.key -out abcwebnet.key

openssl pkcs12 -export -out abcwebnet.pfx -inkey abcwebnet.key -in abcwebnet-pem.crt

......
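The procedure above is interactive and leaves out the one step a practitioner wants at the end: checking that the issued certificate really chains to the CA. The script below is an added example and not code from the original post. It runs the same steps unattended with OpenSSL only, deliberately differing from the post in three ways: 2048-bit keys instead of 1024-bit, -subj instead of the interactive DN prompts, and openssl x509 -req in place of openssl ca so that no demoCA/index.txt and demoCA/serial database has to exist. The hostname ftp.example.test and the pass phrase are constructed placeholders; the subjectAltName extension is added because current TLS clients match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not code from the original post: the section-1 certificate
# procedure as an unattended script, plus the verification step the post omits.
# Differences from the post: 2048-bit keys, -subj instead of prompts, and
# "openssl x509 -req" instead of "openssl ca" (no demoCA database needed).
# ftp.example.test and the pass phrase below are constructed placeholders.
set -eu

DN='/C=CN/ST=Beijing/L=Beijing/O=chelseafc/OU=ftptest'

# CA private key plus self-signed CA certificate in one step
# (equivalent to the post's "genrsa" followed by "req -new -x509").
make_ca() {            # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$DN/CN=chelseafc test CA" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# Pass-phrase-protected server key (the post's "genrsa -des3") and a CSR for it.
make_server_csr() {    # $1 = dir, $2 = hostname, $3 = pass phrase
    openssl genrsa -aes256 -passout "pass:$3" -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -passin "pass:$3" \
        -subj "$DN/CN=$2" -out "$1/server.csr" 2>/dev/null
}

# What the post's "openssl rsa -in server.key -out serverkey.pem" does: write
# the key without its pass phrase so a daemon can load it unattended. The
# plaintext key is created with owner-only permissions.
strip_passphrase() {   # $1 = dir, $2 = pass phrase
    ( umask 077
      openssl rsa -in "$1/server.key" -passin "pass:$2" \
          -out "$1/serverkey.pem" 2>/dev/null )
}

# CA signs the server CSR. A subjectAltName and serverAuth EKU are added
# because current TLS clients match the hostname against the SAN, not the CN.
sign_server_cert() {   # $1 = dir, $2 = hostname
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$2" > "$1/server.ext"
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/server.ext" \
        -out "$1/server.crt" 2>/dev/null
}

# The check the post never runs: does the certificate chain to this CA?
# Exit status 0 = issued by this CA and currently valid, non-zero otherwise.
verify_cert() {        # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the issued certificate carry the expected DNS name in its SAN? (0 = yes)
has_san() {            # $1 = certificate, $2 = hostname
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Run the whole procedure in one directory.
build_pki() {          # $1 = working directory
    make_ca "$1"
    make_server_csr "$1" ftp.example.test 'constructed-pass-phrase'
    strip_passphrase "$1" 'constructed-pass-phrase'
    sign_server_cert "$1" ftp.example.test
}

# Stand-alone demonstration.
WORK=$(mktemp -d)
build_pki "$WORK"
if verify_cert "$WORK/cacert.pem" "$WORK/server.crt"; then
    echo "server.crt chains to cacert.pem"
fi
```

verify_cert is the useful part to keep around: run it against the CA certificate the clients actually trust before deploying a certificate, and again whenever the CA file is replaced, because a certificate signed by a different or stale CA fails the check even though every other step succeeds.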

 

2. keytool practices

The name "keystore" is actually a bit misleading; "certstore" would fit better. It can contain two types of entries: your own key entries (your private key together with its certificate) and trusted certificate entries (other parties' public keys). Sometimes the two are kept apart, with the trusted certificates stored in a separate file.

A keystore can have two kinds of passwords: storepass (for the store as a whole) and keypass (for an individual key entry).

You can give each key an alias and then use that alias to reference or access the corresponding key.

Example:

REM create the client keystore

keytool -genkey -keyalg RSA -keystore client.jks -storetype jks -storepass client -alias client_rsa -keypass client_rsa -dname "CN=client, OU=IBM, C=US" -keysize 1024 -validity 1460

REM create the server keystore

keytool -genkey -keyalg RSA -keystore server.jks -storetype jks -storepass server -alias server_rsa -keypass server_rsa -dname "CN=server, OU=IBM, C=US" -keysize 1024 -validity 1460

REM export a standard-format certificate from the client keystore, for import into the server keystore

keytool -export -keystore client.jks -storetype jks -storepass client -alias client_rsa -file client_rsa.cer

REM export a standard-format certificate from the server keystore, for import into the client keystore

keytool -export -keystore server.jks -storetype jks -storepass server -alias server_rsa -file server_rsa.cer

REM import the client certificate into the server keystore (the effect is that the server trusts the client)

keytool -import -noprompt -keystore server.jks -storetype jks -storepass server -alias client_rsa -file client_rsa.cer

REM import the server certificate into the client keystore (the effect is that the client trusts the server)

keytool -import -noprompt -keystore client.jks -storetype jks -storepass client -alias server_rsa -file server_rsa.cer

REM list the contents of the client keystore for inspection

keytool -list -keystore client.jks -storepass client -v

REM list the contents of the server keystore for inspection

keytool -list -keystore server.jks -storepass server -v

 

3. Java client

A client usually has a file containing all the trusted certificates (including the SSL server's), like ftps.jks above. You can tell the client's socket runtime the location, password and format of this file programmatically, so that when it establishes an SSL connection and receives the certificate sent by the server it can check that the certificate is trusted.

This can be set in the java.security file in the JDK folder, or with -Djavax.net.ssl.keyStore=xxx -Djavax.net.ssl.keyStorePassword=yyy on the command line.

See http://www-128.ibm.com/developerworks/cn/websphere/techjournal/0502_benantar/0502_benantar.html
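The following script is an added example, not code from the original post, covering both the section-2 keystore exchange and the section-3 configuration. It wraps the eight keytool commands of section 2 in functions, adds a check that the trusted entry in each store has the same fingerprint as the key entry in the other store (which catches importing a stale or wrong .cer file), and ends with the JSSE system properties from section 3. One point section 3 leaves implicit: javax.net.ssl.keyStore names the store holding the client's own key, while trusted certificates are read from javax.net.ssl.trustStore; the two may be the same file, as ftps.jks is in section 1. Store names, passwords and DNs are constructed placeholders, keys are 2048-bit instead of the post's 1024-bit, and keytool must be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: the section-2 mutual-trust
# setup as functions, a fingerprint check on what was imported, and the JSSE
# properties from section 3. Passwords and DNs are constructed placeholders.
set -eu

# One keystore holding one RSA key entry (the post's "keytool -genkey").
# Passing -storepass/-keypass on the command line exposes them in the
# process list; keytool prompts for them when the options are omitted.
make_store() {         # $1 = keystore, $2 = alias, $3 = password, $4 = CN
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1460 \
        -keystore "$1" -storetype jks -storepass "$3" -keypass "$3" \
        -alias "$2" -dname "CN=$4, OU=IBM, C=US" 2>/dev/null
}

# Export only the certificate (public key) of an entry.
export_cert() {        # $1 = keystore, $2 = alias, $3 = password, $4 = output file
    keytool -exportcert -keystore "$1" -storepass "$3" -alias "$2" -file "$4" 2>/dev/null
}

# Import a certificate as a trusted entry: this is what makes the other
# side's certificate acceptable during the SSL handshake.
import_trusted() {     # $1 = keystore, $2 = alias, $3 = password, $4 = certificate
    keytool -importcert -noprompt -keystore "$1" -storepass "$3" \
        -alias "$2" -file "$4" 2>/dev/null
}

# "trustedCertEntry" or "PrivateKeyEntry" for an alias.
entry_type() {         # $1 = keystore, $2 = alias, $3 = password
    keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | sed -n 's/^Entry type: *//p'
}

# Certificate fingerprint of an alias (SHA-256 on current JDKs, SHA1 on JDK 8).
fingerprint() {        # $1 = keystore, $2 = alias, $3 = password
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | sed -n 's/.*fingerprint (SHA[-0-9]*): *//p'
}

# The post's eight commands: create both stores, then swap certificates.
setup_mutual_trust() { # $1 = working directory
    make_store "$1/client.jks" client_rsa client-pass client
    make_store "$1/server.jks" server_rsa server-pass server
    export_cert "$1/client.jks" client_rsa client-pass "$1/client_rsa.cer"
    export_cert "$1/server.jks" server_rsa server-pass "$1/server_rsa.cer"
    import_trusted "$1/server.jks" client_rsa server-pass "$1/client_rsa.cer"
    import_trusted "$1/client.jks" server_rsa client-pass "$1/server_rsa.cer"
}

# Check: the trusted entry in one store must be the key entry of the other
# (catches importing a stale or wrong .cer file). Exit 0 when they match.
trust_matches() {      # $1 = trusting store, $2 = its pass, $3 = alias, $4 = owning store, $5 = its pass
    [ "$(entry_type "$1" "$3" "$2")" = "trustedCertEntry" ] &&
    [ -n "$(fingerprint "$1" "$3" "$2")" ] &&
    [ "$(fingerprint "$1" "$3" "$2")" = "$(fingerprint "$4" "$3" "$5")" ]
}

# Section 3: the JSSE system properties. The store with the client's own key
# goes in keyStore; the store with trusted certificates goes in trustStore.
# Here one file plays both roles, as ftps.jks does in section 1.
jvm_ssl_flags() {      # $1 = keystore, $2 = password
    printf '%s %s %s %s\n' \
        "-Djavax.net.ssl.keyStore=$1" "-Djavax.net.ssl.keyStorePassword=$2" \
        "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Stand-alone demonstration (skipped when no JDK is installed).
if command -v keytool >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    setup_mutual_trust "$WORK"
    trust_matches "$WORK/client.jks" client-pass server_rsa "$WORK/server.jks" server-pass \
        && echo "client.jks trusts exactly the server's key"
    jvm_ssl_flags "$WORK/client.jks" client-pass
fi
```

The fingerprint comparison is the detection step to keep: after any re-keying of one side, rerun trust_matches in both directions, because a store that still holds the previous certificate under the same alias lists cleanly with keytool -list yet fails the handshake.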
