Introduction to SSL Communication and Java KeyStore Tools


Source: http://www.javacodegeeks.com/2014/07/java-keystore-tutorial.html

Table of Contents
1. Introduction
2. SSL and how it works
3. Private Keys
4. Public certificates
5. Root Certificates
6. Certificate authorities
7. Certificate Chain
8. Keystore using Java Keytool
9. Keystore Commands
10. Configure SSL using Keystores and self-signed certificates on Apache Tomcat

1. Introduction

Who among us has not visited eBay or Amazon to buy something, or logged in to a personal bank account to check it? Do you think those sites are secure enough to hold your personal data (credit card number, bank account number, etc.)?

Most of those sites use the Secure Sockets Layer (SSL) protocol to secure their Internet applications. SSL allows the data from a client, such as a Web browser, to be encrypted prior to transmission, so that someone trying to sniff the traffic is unable to decipher it.

Many Java application servers and Web servers support the use of keystores for SSL configuration. If you're building secure Java programs, learning to build a keystore is the first step.

2. SSL and how it works

An HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session. A simplified overview of how the SSL handshake proceeds is shown in the diagram below.

In short, this is how it works:

    1. A browser requests a secure page (usually https://).
    2. The Web server sends its public key with its certificate.
    3. The browser checks that the certificate is issued by a trusted party (usually a trusted root CA), that the certificate is still valid, and that the certificate is related to the site contacted.
    4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, together with the encrypted URL required as well as other encrypted HTTP data.
    5. The Web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
    6. The Web server sends the requested HTML document and HTTP data encrypted with the symmetric key.
    7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.

The world of SSL has, essentially, three types of certificates: private keys, public keys (also called public certificates or site certificates), and root certificates.

3. Private Keys

The private key contains the identity information of the server, along with a key value. You should keep this key safe and protected by a password, because it is used to complete the handshake: anyone who obtains it can decrypt the traffic and read your personal information. It is like leaving your house key in the door lock.

4. Public certificates

The public certificate (public key) is the portion that is presented to a client; it is like the passport you show at the airport. The public certificate is tightly associated with the private key: it is created from the private key using a Certificate Signing Request (CSR). After you create a private key, you create a CSR, which is sent to your Certificate Authority (CA). The CA returns a signed certificate, which contains information about the server identity and about the CA.

5. Root Certificates

A root CA certificate is a CA certificate that is simply self-signed. This certificate represents an entity that issues certificates and is known as a Certificate Authority, or CA, such as VeriSign, Thawte, etc.

6. Certificate authorities

Companies that will sign certificates for you, such as VeriSign, Thawte, Comodo and GetTrust. Also, many companies and institutions act as their own CA, either by building a full implementation from scratch or by using an open source option such as OpenSSL.

7. Certificate Chain

When a server and client establish an SSL connection, a certificate is presented to the client; the client must then determine whether to trust this certificate, a process called validating the certificate chain. The client examines the issuer of the presented certificate, searches its list of trusted root certificates, and compares the issuer name on the presented certificate to the subjects of the trusted certificates.

If a match is found, the connection proceeds. If not, the Web browser may pop up a dialog box warning that it cannot trust the certificate and offering the option to trust it anyway.

8. Keystore using Java Keytool

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. Java Keytool stores the keys and certificates in what is called a keystore, and protects the private keys with a password.

Each certificate in a Java KeyStore is associated with a unique alias. When creating a Java KeyStore you first create the .jks file, which initially contains only the private key, and then generate a CSR. Then you import the signed certificate into the KeyStore, including any root and intermediate certificates.
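The chain-validation steps described in sections 5, 7 and 8 can be carried out programmatically against a keystore built with keytool. The program below is an added example written for this page, not code from the original tutorial or from the JDK: it loads a keystore and, for every private-key entry, walks the stored chain, checks each certificate's validity period, verifies that each certificate is signed by the next one (issuer name equals subject name and the signature verifies), and reports whether the chain ends in a self-signed root that the JDK's own trust store (`lib/security/cacerts`, default password `changeit`) contains. The keystore path and password are assumed to come from the command line; with no arguments it inspects the JDK cacerts file itself, which holds only trusted-certificate entries.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Usage: java KeyStoreChainCheck <keystore.jks> <storepass>   (no args: inspect the JDK cacerts) */
public class KeyStoreChainCheck {

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path path = args.length >= 2 ? Paths.get(args[0]) : cacerts;
        char[] password = (args.length >= 2 ? args[1] : "changeit").toCharArray();

        KeyStore ks = load(path, password);
        KeyStore trusted = load(cacerts, "changeit".toCharArray()); // the client's list of trusted roots

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("%s: private-key entry, chain length %d%n", alias, chain.length);
                System.out.print(describeChain(chain, trusted));
            } else {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%s: trusted-certificate entry, subject=%s, self-signed=%b%n",
                        alias, c.getSubjectX500Principal(), isSelfSigned(c));
            }
        }
    }

    /** Opens a JKS or PKCS12 file; the default type ("pkcs12" on Java 9+) also reads legacy JKS files. */
    static KeyStore load(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Walks the chain leaf -> root and reports the checks a client performs at each link. */
    static String describeChain(Certificate[] chain, KeyStore trusted) throws GeneralSecurityException {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            sb.append("  [").append(i).append("] subject=").append(cert.getSubjectX500Principal())
              .append(" issuer=").append(cert.getIssuerX500Principal()).append('\n');
            // Handshake step 3: is the certificate still within its validity period?
            try {
                cert.checkValidity();
                sb.append("      validity: ok (expires ").append(cert.getNotAfter()).append(")\n");
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                sb.append("      validity: FAILED (").append(e.getMessage()).append(")\n");
            }
            if (i + 1 < chain.length) {
                // Link to the issuer: names must chain and the signature must verify with the issuer's key.
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                sb.append("      signed by next cert: ").append(signedBy(cert, issuer) ? "ok" : "FAILED").append('\n');
            } else {
                // Section 5: a root certificate is one that is self-signed.
                sb.append("      end of chain: ")
                  .append(isSelfSigned(cert) ? "self-signed root" : "NOT self-signed (chain incomplete)").append('\n');
                // Section 7: search the list of trusted root certificates for this exact certificate.
                String anchor = trusted.getCertificateAlias(cert);
                sb.append("      in JDK trust store: ")
                  .append(anchor != null ? anchor : "no (a client would show an untrusted warning)").append('\n');
            }
        }
        return sb.toString();
    }

    /** True when the names chain and the issuer's public key verifies the certificate's signature. */
    static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return false;
        }
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    static boolean isSelfSigned(X509Certificate cert) {
        return signedBy(cert, cert);
    }
}
```

Run against the keystore produced by the `-genkey` command in section 9 and the report shows a chain of length 1 whose single certificate is a self-signed root that is not in the JDK trust store; that is exactly the situation that makes a browser display the untrusted-certificate warning described in section 7. After importing the CA reply and the root certificate with the `-import` commands, the chain should verify link by link and end in a root that the trust store recognises.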

9. Keystore Commands

Create Keystore, Keys and Certificate requests

    • Generate a Java keystore and key pair
      keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -storepass password
    • Generate a Certificate Signing Request (CSR) for an existing Java KeyStore
      keytool -certreq -alias mydomain -keystore keystore.jks -storepass password -file mydomain.csr
    • Generate a KeyStore and self-signed certificate
      keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360

Import certificates

    • Import a root or intermediate CA certificate to an existing Java KeyStore
      keytool -import -trustcacerts -alias root -file thawte.crt -keystore keystore.jks -storepass password
    • Import a signed primary certificate to an existing Java KeyStore
      keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password

Export certificates

    • Export a certificate from a KeyStore
      keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password

Check/list/view certificates

    • Check a stand-alone certificate
      keytool -printcert -v -file mydomain.crt
    • Check which certificates are in a Java keystore
      keytool -list -v -keystore keystore.jks -storepass password
    • Check a particular KeyStore entry using an alias
      keytool -list -v -keystore keystore.jks -storepass password -alias mydomain

Delete certificates

    • Delete a certificate from a Java Keytool KeyStore
      keytool -delete -alias mydomain -keystore keystore.jks -storepass password

Change passwords

    • Change a Java keystore password
      keytool -storepasswd -new new_storepass -keystore keystore.jks -storepass password
    • Change a private key password
      keytool -keypasswd -alias client -keypass old_password -new new_password -keystore client.jks -storepass password

10. Configure SSL using Keystores and self-signed certificates on Apache Tomcat

  1. Generate a new KeyStore and self-signed certificate using this command. You will be prompted to enter specific information such as your name, organizational unit, company and location, and for the keystore and key passwords; answer the "first and last name" prompt with the host name clients will use (here localhost), because that value becomes the certificate's CN.
    keytool -genkey -alias tomcat -keyalg RSA -keystore /home/ashraf/desktop/javacodegeek/keystore.jks -validity 360

  2. You can list the details of the certificate you just created using this command:
    keytool -list -keystore /home/ashraf/desktop/javacodegeek/keystore.jks

  3. Download Tomcat 7.
  4. Configure Tomcat's server to support SSL (HTTPS) connections by adding a Connector element in Tomcat\conf\server.xml. keystoreFile must point to the file created in step 1 and keystorePass must be the keystore password you entered there; if you gave the private key a different password at the prompt, add keyPass="..." as well.
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/home/ashraf/desktop/javacodegeek/keystore.jks" keystorePass="password" clientAuth="false" keyAlias="tomcat" sslProtocol="TLS" />
  5. Start Tomcat and go to https://localhost:8443/. You will find that the browser presents an "untrusted certificate" error. In the case of e-commerce, such error messages result in an immediate lack of confidence in the website, and organizations risk losing the confidence and business of the majority of consumers. For this tutorial the warning is normal, because your certificate is not yet signed by a CA such as Thawte or VeriSign, who would verify the identity of the requester and issue a signed certificate.

  6. You can click "Proceed anyway" until you receive your signed certificate.
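Clicking past the warning is a workaround for a browser, but a Java client talking to this Tomcat instance will simply fail its handshake, and disabling certificate checking in the client would throw away the protection the handshake provides. The defensible fix is to make the client trust exactly this one certificate: export it with the `-export` command from section 9 and import it into a separate truststore, then build the client's SSLContext from that truststore. The program below is an added example written for this page, not code from the tutorial or from Tomcat. It assumes the truststore was created with `keytool -export -alias tomcat -file tomcat.crt -keystore keystore.jks` followed by `keytool -import -trustcacerts -alias tomcat -file tomcat.crt -keystore truststore.jks -storepass password` (constructed file names), and that Tomcat from step 5 is listening on https://localhost:8443/.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Usage: java TrustedTomcatClient [truststore.jks] [https://localhost:8443/] */
public class TrustedTomcatClient {

    /**
     * Builds an SSLContext whose only trust anchors are the certificates in the given truststore.
     * Nothing from the JDK's default cacerts is trusted, so the client accepts this Tomcat's
     * self-signed certificate and nothing else.
     */
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material: clientAuth="false" on the server
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String truststore = args.length > 0 ? args[0] : "truststore.jks";   // constructed default
        String url = args.length > 1 ? args[1] : "https://localhost:8443/";
        SSLContext ctx = contextFor(truststore, "password".toCharArray()); // -storepass used at import

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is deliberately left in place: the certificate's CN must
        // match "localhost", which is why the genkey prompt was answered with the host name.
        int status = conn.getResponseCode(); // performs the handshake; throws SSLHandshakeException if untrusted
        System.out.println("HTTP status: " + status);
        for (Certificate c : conn.getServerCertificates()) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("server presented: " + x.getSubjectX500Principal()
                    + " (expires " + x.getNotAfter() + ")");
        }
        conn.disconnect();
    }
}
```

If the handshake fails with a "PKIX path building failed" message, the truststore does not contain the certificate Tomcat is actually serving; re-export it from the keystore named in the Connector's keystoreFile and check the import with `keytool -list -v -keystore truststore.jks`. Once a CA-signed certificate replaces the self-signed one, this dedicated truststore is no longer needed and the client can fall back to the JDK defaults.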
