Java SSL self-signed certificate generation

Source: Internet
Author: User
What is HTTPS?
When an HTTP request is sent to a site over SSL/TLS (usually with an https:// URL), the server sends a certificate to the client. The client uses its installed public certificates to verify the identity of the server through this certificate, and then checks that the name in the certificate (IP or machine name) matches the machine the client is connected to. The client generates random information that can be used to derive a private key for the conversation (called the session key), encrypts it with the public key of the server, and sends it to the server. The server decrypts the message with its own private key, and then uses the random information to derive the same private session key as the client. The RSA public-key algorithm is usually used in this phase. The client and server then communicate using the private session key and a private-key (symmetric) algorithm, usually RC4. A message authentication code computed with another key ensures message integrity.

What is a digital signature?
A digital signature means that the sender of a message uses its private key to perform an RSA operation on the feature data (the digital fingerprint) extracted from the message. This ensures that the sender cannot deny having sent the message (non-repudiation) and that the message has not been tampered with after it was signed (integrity). After receiving the message, the receiver can use the sender's public key to verify the digital signature.
Overview of SSL
SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server and the browser encrypt all traffic before sending out data.
Another important aspect of the SSL protocol is authentication. This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a "Certificate", as proof the site is who and what it claims to be. In certain cases, the server may also request a certificate from your web browser, asking for proof that you are who you claim to be. This is known as "client authentication," although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request client authentication.
HTTPS and Tomcat
The Apache Jakarta Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO
Quick Configuration:
1. Use keytool from the JDK to generate a Tomcat keystore
On the command line, enter:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
You will be prompted to enter the key password, the keystore password, and other related information. Confirm as prompted.
2. Add the following to conf/server.xml:

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" keystorePass="password" sslProtocol="TLS"/>
3. Start Tomcat and enter https://localhost:8443 in the browser.
Note: The keystore file generated using this method is placed under C:/Documents and Settings/user.
Note:

Attribute: Description
clientAuth: Set this value to true if you want Tomcat to require all SSL clients to present a client certificate in order to use this socket. Set this value to want if you want Tomcat to request a client certificate, but not fail if one isn't presented.
keystoreFile: Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
keystorePass: Add this element if you used a different keystore (and certificate) password than the one Tomcat expects (changeit).
keystoreType: Add this element if using a PKCS12 keystore. The valid values are JKS and PKCS12.
sslProtocol: The encryption/decryption protocol to be used on this socket. It is not recommended to change this value if you are using Sun's JVM. It is reported that IBM's 1.4.1 implementation of the TLS protocol is not compatible with some popular browsers. In this case, use the value SSL.
ciphers: The comma-separated list of encryption ciphers that this socket is allowed to use. By default, any available cipher is allowed.
algorithm: The X509 algorithm to use. This defaults to the Sun implementation (SunX509). For IBM JVMs you should use the value IbmX509. For other vendors, consult the JVM documentation for the correct value.
truststoreFile: The truststore file to use to validate client certificates.
truststorePass: The password to access the truststore. This defaults to the value of keystorePass.
truststoreType: Add this element if you are using a different format for the truststore than you are using for the keystore. The valid values are JKS and PKCS12.

What is the function and usage of the Java keytool?
Keytool is a key and certificate management tool. It manages a keystore (equivalent to a database) that stores private keys and the certificates that verify the public keys associated with them.
It enables users to manage their own private/public key pairs and the certificates used for self-identification, and to use data integrity and authentication services based on digital signatures. It also enables users to cache the public keys of the parties they communicate with.
A certificate is a digitally signed statement from one entity (individual, company, etc.), saying that the public key (and some other information) of another entity has a particular value. After data is signed, the signature can be used to verify the integrity and authenticity of the data. Integrity means that the data has not been modified or tampered with, and authenticity means that the data really comes from the party that claims to have created and signed it.
Keytool stores keys and certificates in a keystore. The keystore is a file, and it uses a password to protect the keys. Another tool, jarsigner, uses the information in the keystore to generate or verify the digital signatures of Java archives (JAR files).
The keystore has two different kinds of entries:
1. Key entry: holds very sensitive cryptographic key information, stored in a protected format to prevent unauthorized access. The key stored in this form is a secret key, or a private key corresponding to the public key in the certificate chain.
2. Trusted certificate entry: contains a single public key certificate belonging to another party. It is called a "trusted certificate" because the keystore owner trusts that the public key in the certificate truly belongs to the identity of the certificate owner.
 
Keystore alias:
All keystore entries (key entries and trusted certificate entries) are accessed through a unique alias. Aliases are case insensitive. For example, the aliases Hugo and hugo point to the same keystore entry.
When adding an entry to the keystore, you can use the -genkey option to generate a key pair (public key and private key) and specify its alias. You can also use the -import option to add a certificate or certificate chain to the trusted certificates.

For example:
keytool -genkey -alias duke -keypass dukekeypasswd

This command generates a new public/private key pair. duke is the alias, and dukekeypasswd is the password of the duke alias.
If you want to change the password, you can use:
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
This changes the old password dukekeypasswd to newpass.
 
Keystore generation:
1. When the -genkey, -import, or -identitydb command is used to add data to a keystore and the keystore does not exist, a keystore is generated. The default name is .keystore, and it is stored in the user's home directory.
2. When the -keystore option is used, the keystore with the specified name is generated.
 
Keystore implementation:
The KeyStore class is located in the java.security package and provides a well-defined interface for reading and modifying the information in a keystore. Currently, two command-line tools (keytool and jarsigner) and a GUI tool (policytool) make use of keystore implementations. Because the KeyStore class is public, you can use it to write additional security applications.
There is also a built-in keystore implementation provided by Sun. It implements the keystore as a file, using a keystore type (format) named "JKS". It protects every private key with its own password. A different password may also be used to protect the integrity of the entire keystore.
 
Supported algorithms and key sizes:
Keytool allows you to specify any key pair generation algorithm and signature algorithm supplied by a cryptographic service provider. The default key pair generation algorithm is "DSA". If the private key is of the "DSA" type, the default signature algorithm is "SHA1withDSA". If the private key is of the "RSA" type, the default signature algorithm is "MD5withRSA".
When a DSA key pair is generated, the key size must be between 512 and 1024 bits. The default key size for any algorithm is 1024 bits.
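The defaults described above (MD5withRSA or SHA1withDSA signatures, 1024-bit keys) are weak by current standards, so it is worth checking what an existing keystore really contains. The following Java program is an added example, not part of the original article or of the JDK tools: it lists every entry, reports whether it is a key entry or a trusted certificate entry, and flags MD5 or SHA-1 signatures, RSA or DSA keys below 2048 bits, and expired certificates. The class name KeystoreAudit and the 2048-bit threshold are assumptions of this example, and KeyStore.getInstance(File, char[]) requires Java 9 or later.

```java
import java.io.Console;
import java.io.File;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

// Added example: audit a keystore for the weak defaults discussed above.
public class KeystoreAudit {
    static final int MIN_BITS = 2048; // assumed minimum size for RSA and DSA keys
    // Size of the public key in bits, or -1 for key types not sized here.
    static int keyBits(PublicKey k) {
        if (k instanceof RSAPublicKey) return ((RSAPublicKey) k).getModulus().bitLength();
        if (k instanceof DSAPublicKey && ((DSAPublicKey) k).getParams() != null)
            return ((DSAPublicKey) k).getParams().getP().bitLength();
        return -1;
    }
    // Collect the problems found in one certificate.
    static List<String> findings(X509Certificate x, Date now) {
        List<String> out = new ArrayList<>();
        String sig = x.getSigAlgName().toUpperCase(Locale.ROOT);
        if (sig.contains("MD5") || sig.contains("SHA1")) out.add("weak signature " + x.getSigAlgName());
        int bits = keyBits(x.getPublicKey());
        if (bits != -1 && bits < MIN_BITS) out.add(bits + "-bit key");
        if (x.getNotAfter().before(now)) out.add("expired on " + x.getNotAfter());
        return out;
    }

    public static void main(String[] args) throws Exception {
        Console con = System.console(); // prompt for the password instead of passing it as an argument
        if (args.length != 1 || con == null) {
            System.err.println("usage (from an interactive terminal): java KeystoreAudit <keystore>");
            System.exit(2);
        }
        char[] pass = con.readPassword("Enter keystore password: ");
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pass); // detects JKS or PKCS12
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted certificate entry";
            Certificate c = ks.getCertificate(alias);
            List<String> f = c instanceof X509Certificate
                    ? findings((X509Certificate) c, new Date()) : List.of("no X.509 certificate");
            System.out.println(alias + " (" + kind + "): " + (f.isEmpty() ? "ok" : String.join("; ", f)));
        }
    }
}
```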
 
1. Certificate: a digitally signed statement from one entity, saying that the public key of another entity has a particular value.
2. Public key: a number associated with a particular entity and intended to be known to every other entity that wants to have a trust relationship with it. The public key is used to verify signatures.
3. Digital signature: if data is digitally signed, it is stored with the identity of an entity and a signature that proves the entity knows about the data. The data is signed using the entity's private key.
4. Identity: a known way of addressing an entity. In some systems the identity is the public key. In other systems it can be anything from a Unix UID to an e-mail address to an X.509 name.
5. Signature: a value computed over some data using the entity's private key.
6. Private key: a number that is supposed to be known only to the particular entity that owns it. Private and public keys exist in pairs in all public-key cryptography systems. In a public-key system (such as DSA), a private key corresponds to exactly one public key. The private key is used to compute signatures.
7. Entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or something else you want to trust.
 
Keytool application example:

1. Generate a keystore:

keytool -genkey -alias user -keyalg RSA -validity 7 -keystore keystore
(user is the keystore alias; keystore is the name of the keystore file to create.)

When you run this command, the system prompts:
Enter keystore password: yourpassword (enter the password)

What is your first and last name?
[Unknown]: Your name (enter your name)

What is the name of your organizational unit?
[Unknown]: Your organizational unit (enter the name of your organizational unit)

What is the name of your organization?
[Unknown]: Your organization name (enter the name of your organization)

What is the name of your city or locality?
[Unknown]: Your city name (enter the name of the city)

What is the name of your state or province?
[Unknown]: Your province name (enter the name of the province)

What is the two-letter country code for this unit?
[Unknown]: CN (enter the country code)
Is CN=your name, OU=your organization, O="your organization name", L=your city name, ST=your province name, C=CN correct?
[no]: yes
 
2. Check a keystore:
keytool -list -v -keystore keystore
Enter keystore password: your password (enter the password)

The keystore content is displayed as follows:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry
Alias name: yourname
Creation date: Dec 20, 2001
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yourname, OU=your organization, O="your organization name", L=your city name, ST=your province name, C=CN
Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
Serial number: 3c22adc1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
 
3. Export the certificate from the keystore to a file named testkey:
keytool -export -alias user -keystore keystore -rfc -file testkey
System output:
Enter keystore password: your password (enter the password)
Certificate stored in file <testkey>

4. Import the certificate into a new truststore:
keytool -import -alias dukecert -file testkey -keystore truststore
Enter keystore password: your new password (enter the new truststore password)

5. Check the truststore:
keytool -list -v -keystore truststore
The system displays the truststore information.

Now you can run your application with the appropriate keystore. For example:
java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=PASSWORD Server

And:
java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword Client
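
The two commands above assume classes named Server and Client, which the article does not show. A minimal pair follows as an added example (not code from the original article): the server picks up its key from the keystore system properties, and the client trusts only the exported certificate in the truststore and also checks the host name. The file name TlsEcho.java and port 9443 are assumptions, and the host name check succeeds only if localhost was given as the answer to the "first and last name" prompt when the key was generated.

```java
// TlsEcho.java (added example). Compile with: javac TlsEcho.java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

class Server {
    public static void main(String[] args) throws IOException {
        // The default factory takes its key from -Djavax.net.ssl.keyStore / keyStorePassword.
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket listener = (SSLServerSocket) f.createServerSocket(9443)) {
            while (true) {
                try (SSLSocket s = (SSLSocket) listener.accept();
                     BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                     PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
                    out.println("echo: " + in.readLine());
                } catch (IOException e) {
                    // Reached when a client rejects the certificate and aborts the handshake.
                    System.err.println("connection failed: " + e.getMessage());
                }
            }
        }
    }
}

class Client {
    public static void main(String[] args) throws IOException {
        // With -Djavax.net.ssl.trustStore set, only certificates in that file are trusted.
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket("localhost", 9443)) {
            // A raw SSLSocket validates the chain but not the host name unless told to.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // throws SSLHandshakeException if the certificate is not trusted
            PrintWriter out = new PrintWriter(s.getOutputStream(), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
            out.println("hello over TLS");
            System.out.println(in.readLine() + " [" + s.getSession().getProtocol() + ", "
                    + s.getSession().getCipherSuite() + "]");
        }
    }
}
```

Running Client without the trustStore properties makes the handshake fail, because the self-signed certificate is not in the JDK's default trust store.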
