Java Keystore

1. Introduction

Who among us has not visited eBay or Amazon to buy something, or logged in to a personal bank account to check it? Do you think those sites are secure enough to be trusted with personal data such as a credit card number or a bank account number?

Most of those sites use the Secure Sockets Layer (SSL) protocol to secure their Internet applications. SSL allows the data from a client, such as a Web browser, to be encrypted prior to transmission so that someone trying to sniff the data is unable to decipher it.

Many Java application servers and Web servers support the use of keystores for SSL configuration. If you are building secure Java programs, learning to build a keystore is the first step.


2. SSL and how it works

An HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session. A simplified overview of how the SSL handshake proceeds is shown in the diagram below.


In short, this is how it works:

1.   A browser requests a secure page (usually https://).

2.   The web server sends its public key with its certificate.

3.   The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.

4.   The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, together with the encrypted URL required as well as other encrypted HTTP data.

5.   The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.

6.   The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.

7.   The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.

The world of SSL has, essentially, three types of certificates: private keys, public keys (also called public certificates or site certificates), and root certificates.


3. Private keys

The private key contains the identity information of the server, along with a key value. You should keep this key safe and protected by a password, because it is used to negotiate the session keys during the handshake. Anyone who obtains it can decrypt the traffic and get your personal information. Leaving it unprotected is like leaving your house key in the door lock.


4. Public Certificates

The public certificate (public key) is the portion that is presented to a client; it is like the passport you show at the airport. The public certificate, tightly associated with the private key, is created from the private key using a Certificate Signing Request (CSR). After you create a private key, you create a CSR, which is sent to your Certificate Authority (CA). The CA returns a signed certificate, which has information about the server identity and about the CA.


5. Root Certificates

A root CA certificate is a CA certificate which is simply a self-signed certificate. This certificate represents an entity which issues certificates and is known as a Certificate Authority (CA), such as VeriSign, Thawte, etc.


6. Certificate Authorities

Companies who will sign certificates for you, such as VeriSign, Thawte, Comodo and GetTrust. Also, many companies and institutions act as their own CA, either by building a complete implementation from scratch or by using an open source option such as OpenSSL.


7. Certificate Chain

When a server and client establish an SSL connection, a certificate is presented to the client; the client should determine whether to trust this certificate, a process that walks the certificate chain. The client examines the issuer of the certificate, searches its list of trusted root certificates, and compares the issuer on the presented certificate to the subjects of the trusted certificates.

If a match is found, the connection proceeds. If not, the Web browser may pop up a dialog box warning you that it cannot trust the certificate and offering the option to trust it anyway.
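The trust decision just described, done by hand in Java, as an added example that is not part of the original article: it reads the chain a server would present (for instance the mydomain.crt exported with keytool later on this page), looks for a trusted root whose subject matches the issuer of the chain, and then runs the JDK's PKIX validator, which also checks signatures, validity dates and basic constraints. File names, the truststore argument and the "changeit" default password of the JDK's cacerts file are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Usage: java ChainCheck mydomain.crt [truststore.jks [storepass]]
 * With no truststore argument the JDK's own cacerts file is used, which is
 * the same root list a Java HTTPS client consults.
 */
public class ChainCheck {

    /** Read every X.509 certificate (DER or PEM, leaf first) from a file. */
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + path);
        }
        return chain;
    }

    /** Every trusted-certificate entry of a keystore becomes a trust anchor. */
    static Set<TrustAnchor> loadAnchors(String truststore, char[] storepass) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststore)) {
            ts.load(in, storepass); // a null password reads a JKS without its integrity check
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ts.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /** The issuer/subject comparison described in the text: which anchor issued the top of the chain? */
    static X509Certificate findIssuer(List<X509Certificate> chain, Set<TrustAnchor> anchors) {
        X509Certificate top = chain.get(chain.size() - 1);
        for (TrustAnchor a : anchors) {
            X509Certificate root = a.getTrustedCert();
            if (root.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                return root;
            }
        }
        return null;
    }

    static boolean isAnchor(X509Certificate cert, Set<TrustAnchor> anchors) {
        for (TrustAnchor a : anchors) {
            if (a.getTrustedCert().equals(cert)) { // Certificate.equals compares the encoded form
                return true;
            }
        }
        return false;
    }

    /** Full PKIX validation. Revocation checking is disabled so the check runs offline. */
    static boolean validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        // A certificate that is itself an anchor (a root shipped in the file, or a
        // self-signed certificate the operator imported explicitly) is trusted
        // directly and is dropped from the end of the path before validation.
        while (!path.isEmpty() && isAnchor(path.get(path.size() - 1), anchors)) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            return true;
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException ex) {
            System.out.println("rejected: " + ex.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java ChainCheck <chain.crt> [truststore.jks [storepass]]");
            System.exit(2);
        }
        String truststore = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        // "changeit" is the JDK's documented default for cacerts (assumed here);
        // for your own truststore pass its password, or none to skip the integrity check.
        char[] storepass = args.length > 2 ? args[2].toCharArray()
                : (args.length > 1 ? null : "changeit".toCharArray());

        List<X509Certificate> chain = loadChain(args[0]);
        Set<TrustAnchor> anchors = loadAnchors(truststore, storepass);
        for (X509Certificate c : chain) {
            System.out.println("subject=" + c.getSubjectX500Principal()
                    + "\n  issuer=" + c.getIssuerX500Principal()
                    + "\n  valid until " + c.getNotAfter());
        }
        X509Certificate root = findIssuer(chain, anchors);
        System.out.println(root == null
                ? "no trusted root has a subject matching the issuer"
                : "issuer matches trusted root " + root.getSubjectX500Principal());
        boolean ok = validate(chain, anchors);
        System.out.println(ok ? "chain validates" : "chain rejected; a browser would show its warning dialog");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it against the self-signed certificate from the Tomcat section and it reports that no root matches the issuer and the PKIX validator rejects the path, which is exactly the situation behind the browser warning; import the same certificate into a truststore with keytool -import and pass that truststore as the second argument, and the certificate is accepted directly. A chain that omits its intermediate CA certificate fails the same way unless the intermediate is in the truststore, which is why the import commands on this page include the root or intermediate certificates.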


8. Keystore using Java Keytool

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. Java Keytool stores the keys and certificates in what is called a keystore. It protects private keys with a password.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file, which will initially contain only the private key, then generate a CSR. Then you will import the certificate into the keystore, including any root certificates.


9. Keystore Commands

Create Keystore, Keys and Certificate Requests

  • Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -storepass password

  • Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -storepass password -file mydomain.csr

  • Generate a keystore and self-signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360

Import Certificates

  • Import a root or intermediate CA certificate into an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks -storepass password

  • Import a signed primary certificate into an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password

Export Certificates

  • Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password

Check/List/View Certificates

  • Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt

  • Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks -storepass password

  • Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -storepass password -alias mydomain

Delete Certificates

  • Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks -storepass password

Change Passwords

  • Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks -storepass password

  • Change a private key password
keytool -keypasswd -alias client -keypass old_password -new new_password -keystore client.jks -storepass password

10. Configure SSL using Keystores and Self-Signed Certificates on Apache Tomcat

1.   Generate a new keystore and self-signed certificate using this command; you will be prompted to enter information such as your name, organizational unit, company and location.

keytool -genkey -alias tomcat -keyalg RSA -keystore /home/ashraf/Desktop/JavaCodeGeek/keystore.jks -validity 360

Note: the key password for <tomcat> here must be the same as the keystore password; otherwise Tomcat will not start and reports the following error:

严重: Error initializing endpoint

java.io.IOException: Keystore was tampered with, or password was incorrect

        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)


2.   You can list the details of the certificate you just created using this command

keytool -list -keystore /home/ashraf/Desktop/JavaCodeGeek/keystore.jks

3.   Download Tomcat 7


4.   Configure Tomcat's server to support SSL (https) connections by adding a Connector element to Tomcat\conf\server.xml. The keystoreFile must point at the keystore.jks created in step 1:

<Connector port="8443" maxThreads="150" scheme="https" secure="true"
SSLEnabled="true" keystoreFile="/home/ashraf/Desktop/JavaCodeGeek/keystore.jks" keystorePass="password" clientAuth="false" keyAlias="tomcat" sslProtocol="TLS" />

5.   Start Tomcat and go to https://localhost:8443/. You will run into the following security issue: the browser presents an untrusted-certificate error message. In the case of e-commerce, such error messages result in an immediate lack of confidence in the website, and organizations risk losing the confidence and business of the majority of consumers. This is normal, as your certificate is not yet signed by a CA such as Thawte or VeriSign, which verifies the identity of the requester and issues a signed certificate.


6.   You can click Proceed anyway until you receive your signed certificate.
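A pre-flight check for the keystore created in steps 1 and 2 before starting Tomcat in step 5, as an added example that is not part of the original article: it opens the file with the value that goes into keystorePass, confirms that the keyAlias entry exists and is a private-key entry, checks the certificate's validity window, and then recovers the private key with that same password, which is what Tomcat does when no separate keyPass is configured. It separates the two failures behind the note above: a wrong store password fails at load time with "Keystore was tampered with, or password was incorrect", while a key password that differs from the store password fails later with an UnrecoverableKeyException. The file name, password and alias are assumptions taken from the commands on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Usage: java KeystoreCheck keystore.jks password [tomcat]
 * Exit code 0 means the Connector should be able to use the keystore.
 */
public class KeystoreCheck {

    /** Loads the keystore; a wrong store password fails here with
     *  "Keystore was tampered with, or password was incorrect". */
    static KeyStore load(String path, char[] storepass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storepass);
        }
        return ks;
    }

    /** Returns the problems found; an empty list means the entry is usable. */
    static List<String> check(KeyStore ks, String alias, char[] keypass)
            throws KeyStoreException, NoSuchAlgorithmException {
        List<String> problems = new ArrayList<>();
        if (!ks.containsAlias(alias)) {
            problems.add("alias '" + alias + "' not found; aliases present: " + Collections.list(ks.aliases()));
            return problems;
        }
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is a trusted-certificate entry, not a private-key entry");
            return problems;
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            try {
                x.checkValidity(); // the -validity 360 window from keytool -genkey
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                problems.add("certificate for '" + alias + "' is outside its validity period (notAfter="
                        + x.getNotAfter() + ")");
            }
        } else {
            problems.add("entry '" + alias + "' has no X.509 certificate");
        }
        try {
            // Tomcat opens the key with keystorePass unless keyPass is set, so the
            // same password must unlock both the store and the key.
            Key key = ks.getKey(alias, keypass);
            if (key == null) {
                problems.add("no private key stored under '" + alias + "'");
            }
        } catch (UnrecoverableKeyException e) {
            // The key was protected with a different password: either set keyPass on
            // the Connector or align the two with keytool -keypasswd.
            problems.add("private key for '" + alias + "' cannot be recovered with the keystore password: "
                    + e.getMessage());
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystore.jks> <storepass> [alias]");
            System.exit(2);
        }
        char[] storepass = args[1].toCharArray();
        String alias = args.length > 2 ? args[2] : "tomcat"; // keyAlias from the Connector above
        KeyStore ks = load(args[0], storepass);
        List<String> problems = check(ks, alias, storepass);
        if (problems.isEmpty()) {
            System.out.println("OK: entry '" + alias + "' is usable with the keystore password");
        } else {
            for (String p : problems) {
                System.out.println("PROBLEM: " + p);
            }
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

When keytool -genkey asks for the key password, pressing Enter makes it the same as the keystore password, which is the configuration this check expects; if you chose a different one, the check reports the UnrecoverableKeyException case rather than leaving you to discover it from the Tomcat startup log.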


Reposted from www.javacodegeeks.com