1. Introduction to Digital certificates
A digital certificate carries the information needed for encryption and decryption, including the signature algorithm. It can be used to encrypt and decrypt data exchanged over a network and to identify a network user (computer). A digital certificate provides a simple way to publish a public key, so the certificate becomes the carrier of the encryption algorithm and the public key. Relying on digital certificates, we can build a simple encrypted network application platform.
A digital certificate is similar to a personal ID and is issued by a certificate authority (CA). Only CA-issued certificates are available for authentication on the network. The certificate that a CA issues to itself is called the root certificate.
VeriSign, GeoTrust and Thawte are the three giants among international digital certificate authorities. The most widely used are the VeriSign-issued digital certificates for e-commerce.
The most commonly used asymmetric encryption algorithm is RSA, with SHA1withRSA as the matching signature algorithm; the most commonly used message digest algorithm is SHA1.
In addition to RSA, you can also use the DSA algorithm. DSA alone cannot perform encryption and decryption, so such a certificate does not include encryption and decryption capabilities.
Digital certificates have several file encoding formats, including CER encoding and DER encoding.
CER (Canonical Encoding Rules) and DER (Distinguished Encoding Rules) differ in that the former uses a variable-length mode and the latter a fixed-length mode.
All certificates conform to the ITU-T X.509 international standard established for Public Key Infrastructure (PKI).
2. Model Analysis
In practice, many digital certificates are self-signed, that is, the certificate requester signs its own certificate. Such certificates are typically used in products a software vendor issues internally, or between parties that use the certificate for data exchange. The digital certificate acts as the carrier of the encryption algorithm and is used to encrypt and decrypt data and to sign and verify it. In our development work, digital certificates are mostly used for encryption and decryption.
1) Certificate Issuance
2) Encrypted interaction
Once the client has obtained the digital certificate issued by the server, the two sides can exchange encrypted data. The specific approach is:
The client encrypts the data with the public key and sends it to the server, and the server decrypts and authenticates it with the private key.
The server uses the private key for encryption and digital signing.
3. Managing Certificates with keytool
keytool works with a local keystore: the private key is stored in the keystore, and the public key is exported as a digital certificate. keytool is located in the bin directory under the JDK directory and is run from the command line.
1) Build a self-signed certificate
Before applying for a digital certificate, you need to generate a local digital certificate in the keystore under an alias, which sets the encryption algorithm, key, validity period and other information.
keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 3600 -alias mycertificate -keystore myKeystore.keystore
Each parameter has the following meanings:
-genkeypair indicates that a key pair is generated
-keyalg specifies the key algorithm, here RSA
-keysize specifies the key length, default 1024; 2048 is specified here
-sigalg specifies the signature algorithm, here SHA1withRSA
-validity specifies the period of validity, in days
-alias specifies the alias
-keystore specifies the keystore storage location
Here I entered Changeme123 as the keystore password when prompted; you can also specify the password with the -storepass parameter. You can avoid further prompts by using the -dname "CN=xxx ..." form.
Note: A keystore can store multiple <private key, digital certificate> entries, distinguished by alias. In practice, running the above command twice with different aliases against the same keystore, and then using the different aliases for encryption, decryption, signing and verification, works without problems.
For more commands, refer to: http://blog.chinaunix.net/uid-17102734-id-2830223.html
After the above operation, a digital certificate has been created in the KeyStore. Although the digital certificate is not CA certified, it does not affect our use. We can still export the certificate and send it to the partner for encrypted interaction.
keytool -exportcert -alias mycertificate -keystore myKeystore.keystore -file mycer.cer -rfc
Each parameter has the following meanings:
-exportcert indicates a certificate export operation
-alias Specifying aliases
-keystore Specifying a KeyStore file
-file specifying the file path for the exported certificate
-rfc specifying output in BASE64 encoded format
Print Certificate
keytool -printcert -file mycer.cer
2) Build CA-Issued certificate
To obtain a digital certificate issued by a CA, you need to export a certificate signing request (CSR), have it certified and issued by the CA, and then import the certificate into the local keystore and trust store.
keytool -certreq -alias mycertificate -keystore myKeystore.keystore -file mycsr.csr -v
Each parameter has the following meanings:
-certreq indicates a digital certificate request operation
-alias Specifying aliases
-keystore specifying the KeyStore file path
-file specifying the path of the exported signing request
-v shows detailed information
Once the digital certificate has been issued, you need to import it into the trust store.
keytool -importcert -trustcacerts -alias mycertificate -file mycer.cer -keystore myKeystore.keystore
The parameters are not explained in detail here. If the file is the original certificate file, an error is reported:
View certificates
keytool -list -alias mycertificate -keystore myKeystore.keystore
After all of the above actions, you can get the following files
4. Certificate use
Finally, the exciting moment: you can now use code to perform encryption and decryption through the KeyStore!
Java 6 provides a complete digital certificate management implementation whose details we hardly need to care about; working with the KeyStore and the digital certificate is enough to complete the corresponding encryption, decryption, signing and verification.
The KeyStore manages the private key and the digital certificate manages the public key; the public key and the private key belong to the two parties of the exchange, which use them to pass encrypted messages.
Consider a scenario.
A module on machine A needs to export data to a file and send the file to machine B, where B imports the data.
In this scenario, A is equivalent to the server: it needs to give the certificate to B, encrypt the data with the private key, generate the signature, and export everything to the file.
B corresponds to the client and uses the received digital certificate for decryption and verification.
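The signing half of this scenario, as an added example (not the original article's code): A signs with the private key held in the keystore, and B verifies with the exported certificate. It assumes the files created by the keytool commands above (myKeystore.keystore, alias mycertificate, mycer.cer, password Changeme123) are in the working directory; the class name CertificateExchange and the choice of SHA256withRSA for the data signature are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CertificateExchange {
    // Assumption: chosen by this example; independent of the -sigalg used for the certificate.
    static final String SIG_ALG = "SHA256withRSA";

    // Machine A: load the private key stored under the alias and sign the data.
    static byte[] sign(String keystorePath, char[] password, String alias, byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        // Assumption: the key password equals the keystore password (the keytool default).
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        if (key == null) throw new IllegalArgumentException("no private key under alias " + alias);
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Machine B: load the exported certificate (PEM or DER), check its validity period, verify.
    static boolean verify(String certPath, byte[] data, byte[] signature) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        Signature s = Signature.getInstance(SIG_ALG);
        s.initVerify(cert);
        s.update(data);
        return s.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        byte[] data = "exported data".getBytes(StandardCharsets.UTF_8); // constructed sample input
        byte[] sig = sign("myKeystore.keystore", "Changeme123".toCharArray(), "mycertificate", data);
        System.out.println("valid signature: " + verify("mycer.cer", data, sig));
        data[0] ^= 1; // simulate modification of the file in transit
        System.out.println("after tampering: " + verify("mycer.cer", data, sig));
    }
}
```

Because the certificate is self-signed, B has no CA chain to check it against, so B should compare the fingerprint shown by keytool -printcert with A over a separate channel before trusting mycer.cer.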