Saturday, August 17, 2013

SSL Certificates or SSL Certs



In this article I will answer the following questions.
How to create a SSL cert?
How to obtain SSL cert ?
How do I get my cert signed ?
How  to get a signed cert?
How to install a signed ssl certificate to keystore ?
How to convert jks to pfx ?
what is jks keystore?
what is pfx  keystore?
what is a keystore ?

I was working on some security related project and wanted  to get a signed cert installed.So I did read few articles and the outcome of that is what I have explained below.

Keystore is a file (a database) to store your public/private keys.
Keystore can be in different formats - Most populare ones are JKS, PKCS12.
JKS is a Java-specific file format to store keys in key store. your keystore can be .keystore or abc.jks or any other name.

.p12 or .pfx for type "PKCS12" - (Personal Information Exchange)  - Is another format to store public/private keys.PKCS just means Public-Key Cryptography Standards)
The .pfx file extension most often indicates a Personal Information Exchange file, most frequently used on a Windows operating system or .NET framework.


To get a signed cert we need the following

Step1. Generate a Key pair using Keytool
Step2. Generate a CSR (Cert Signing Request) for the Keys you generated in step1.
(Read more for to find what CSR contains http://en.wikipedia.org/wiki/Certificate_signing_request)
Step3: Send the CSR file to CA (Certifying Authority) like Verisign or Digicert or Thwart.
Step4: Import the signed.Once you receive the signed cert from CA which may be a .p7b (PKCS #7 Certificate) it will have 3 certs within it
                - your cert generated in step1 which is signed
                - CA root cert
                - CA intermediate cert

Step5: Now you need to add back the signed cert sent by CA.This process involves updating your keystore with new signed public key. Your private key will still be the same. Since you are adding the signed public key we also need to add CA root cert and CA intermediate cert. I will explain below.



STEP1: Generate a key pair
===========================
keytool -genkeypair -alias testcertforsigning -storepass
secret -keypass secret -validity 1825 -keystore my_java_keystore.jks -keyalg RSA
 -keysize 2048 -storetype JKS -dname "CN=*.xyz.com, OU=Development,
 O=xyz.com, L=Bangalore, S=Karanataka, C=IN"
where   testcertforsigninng - is the cert name
                secret - I used this as both store password and cert password. you can use different strings                       
                validity - 1825 days  - 5 years
                Rest is all obvious which tells what algorithm, key size (use 2048 or higher for better security) and what your company name is.
                CN=*.xyz.com ==> Tells that this cert is applicable for all url’s that end with *.xyz.com assuming in your company you have url’s like app1.xyz.com, app2.xyz.com, app3.xyz.com to access your application.

Now if you list the contents of Key store
keytool -list -v -keystore my_java_keystore.jks
-storepass secret

NOTE: If you have both public/private key entry after running key tool you will see
Your key store contains 2 entries

Alias name: testcertforsigning
Creation date: Apr 18, 2013
Entry type: keyEntry
Certificate chain length: 1 ===>
Certificate[1]:
{The actual cert information will be printed here. Excluded that intentionally.}

The Entry type: keyEntry ==> indicates that you have both public/private key pair else the type:
Certificate chain length: 1 ===> Tells you have one cert (This is cert doesn’t not have root cert and intermediate cert yet so the length is one.)

Step2 and 3: Generate a CSR (Cert Signing Request) for the Keys you generated in step1.
===============================================================================
keytool -certreq -keystore my_java_keystore.jks
-storepass secret -alias testcertforsigning 
-file xyz_cert_signing_req.csr

More info on csr file contents: http://en.wikipedia.org/wiki/Certificate_signing_request
Remember this file will only have your public key and some info about your organization. You never  will or should share private key.
Now send this xyz_cert_signing_req.csr to CA (certifying authority) like verisign or digicert. (Yes you need to pay to get a signed cert :) )


Step4: This is very important step. Here if you try to import just your signed cert you will get error.
Follow these steps:
-          Once you receive your signed cert from CA, let’s call this as xyz_cert_signing_req.p7b.
-          Double click the file and you should see something similar (your  CA name could be different )





Now click on each cert (i.e. *.xyz.com, Digicert High Assurance CA-3, Digicert High Assurance EV Root CA) and a popup launches as shown below and now you should be able to save each cert public key separately, Choose Base-64 encoded X.509 (.CER) format when saving.



 
 Certificate export Wizard



Let’s call these exported cert’s as
RootCA.cer
HighAssuranceIntermediateCA3.cer
xyz_cert_signing.cer

If you open them in text editor you will see something like

-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
…..
….
-----END CERTIFICATE-----

Now combine the three * .cer files in to one file (You can manually copy or use a script)
Let’s call this as xyz_cert_signing_combine.txt
This combined file will have all 3 certs (root,intermediate and your xyz_cert_signing.cer) contents
-----BEGIN CERTIFICATE-----
Contents of RootCA.cer  here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of HighAssuranceIntermediateCA3.cer  here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of xyz_cert_signing.cer here
-----END CERTIFICATE-----


STEP5:  Now import this signed public key along with its root, intermediate cert too your key store.
So you  need to use the combined file xyz_cert_signing_combine.txt
(I am using keytool which is part of java jdk)
   
keytool -import -trustcacerts -file xyz_cert_signing_combine.txt -keystore my_java_keystore.jks  -alias testcertforsigning  -storepass secret  -keypass secret

 Now if you list your keystore you will see root cert, intermediate cert and your signed public key sitting along with your private key.

If some other app asks your signed public key you can send them xyz_cert_signing_req.p7b  in which case they will extract root cert, intermediate cert and your signed public key. However if they want to install to the keystore , they may have to combine all 3 keys like I explained and install it differently

keytool -import  -file
 xyz_cert_signing_combine.txt
  -keystore my_java_keystore.jks  -alias testcertforsigning  -storepass secret  

(NOTE: The keypass and –trustcacerts is not required as we are not updating existing public-private key instead just adding a public key. It makes sense as without the root ca cert and intermediate cert there is no way the other app can trust if your public key is signed by the right authority.)

To convert JKS to PFX
keytool -importkeystore 
 -srckeypass secret –destkeypass meow123 
 -srcstorepass secret -deststorepass meow123 -srcalias testcertforsigning  -destalias testcertforsigning  -srckeystore  my_java_keystore.jks  -destkeystore  not_java_keystore.pfx  -deststoretype PKCS12
If you are adding more than one cert repeat the
-srcalias   -destalias  options more than once.


In case you want to export the public key only

TO LIST KEYSTORE:
=================
--Java Key store
 keytool -list -v -keystore my_java_keystore.jks -storepass secret

--PFX (Personal Information Exchange)  key store.
 keytool -list -v -keystore not_java_keystore.pfx -storepass secret -storetype PKCS12


NOTE: If you have both public/private key entry after running key tool you will see
Your keystore contains 2 entries
Alias name: testcertforsigning
Creation date: Apr 18, 2013
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]: {The actual cert information will be printed here. Excluded that intentionally.}


The Entry type: keyEntry indicates that you have both public/private key pair else the type:

More info:


1 comment:

  1. This article do covers all the main thing about ssl certificates. Its a short but complete guide to gain knowledge about this security option. Thank you for writing and sharing this useful information.
    digital certificates

    ReplyDelete