In this article I will answer the following questions.
How to create an SSL cert?
How to obtain an SSL cert?
How do I get my cert signed?
How to get a signed cert?
How to install a signed SSL certificate into a keystore?
How to convert JKS to PFX?
What is a JKS keystore?
What is a PFX keystore?
What is a keystore?
I was working on a security-related project and wanted to get a signed cert installed. So I read a few articles, and the outcome of that is what I have explained below.
A keystore is a file (a database) that stores your public/private keys and certificates.
Keystores come in different formats. The most popular ones are JKS and PKCS12.
JKS is a Java-specific file format for storing keys in a keystore. Your keystore file can be named .keystore, abc.jks or anything else; the file name does not decide the type.
.p12 or .pfx files are of type "PKCS12" (Personal Information Exchange), another format for storing public/private keys. PKCS just means Public-Key Cryptography Standards.
The .pfx file extension most often indicates a Personal Information Exchange file, most frequently used on a Windows operating system or with the .NET framework.
To get a signed cert we need the following:
Step1. Generate a key pair using keytool.
Step2. Generate a CSR (Certificate Signing Request) for the key pair you generated in step1. (Read more about what a CSR contains at http://en.wikipedia.org/wiki/Certificate_signing_request)
Step3. Send the CSR file to a CA (Certificate Authority) like Verisign, DigiCert or Thawte.
Step4. Receive the signed cert. What the CA sends back may be a .p7b (PKCS #7 certificate) file, and it will have 3 certs within it:
- your cert generated in step1, now signed by the CA
- the CA root cert
- the CA intermediate cert
Step5. Now you need to add the signed cert sent by the CA back into your keystore. This process updates your keystore entry with the newly signed public key; your private key stays the same. Since you are adding the signed public key, you also need to add the CA root cert and CA intermediate cert. I will explain below.
STEP1: Generate a key pair
===========================
keytool -genkeypair -alias testcertforsigning -storepass secret -keypass secret -validity 1825 -keystore my_java_keystore.jks -keyalg RSA -keysize 2048 -storetype JKS -dname "CN=*.xyz.com, OU=Development, O=xyz.com, L=Bangalore, S=Karnataka, C=IN"
where
testcertforsigning - is the alias, the name of the key entry in the keystore
secret - I used this as both the store password and the key password. You can use different strings.
validity - 1825 days, i.e. 5 years
The rest is self-explanatory: the algorithm, the key size (use 2048 or higher for better security) and your company details.
CN=*.xyz.com ==> tells that this cert is applicable for all hostnames that end with .xyz.com, assuming in your company you have URLs like app1.xyz.com, app2.xyz.com, app3.xyz.com to access your application. (A wildcard matches one label only: app1.xyz.com matches, a.app1.xyz.com does not.)
Now if you list the contents of the keystore
keytool -list -v -keystore my_java_keystore.jks -storepass secret
NOTE: If you have a public/private key entry, after running keytool you will see
Your key store contains 2 entries
Alias name: testcertforsigning
Creation date: Apr 18, 2013
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
{The actual cert information will be printed here. Excluded that intentionally.}
Entry type: keyEntry ==> indicates that you have both the public and private key of the pair.
Certificate chain length: 1 ==> tells you there is one cert. This entry does not have the root cert and intermediate cert yet, so the length is one.
Step2 and 3: Generate a CSR (Cert Signing Request) for the keys you generated in step1 and send it to the CA
===============================================================================
keytool -certreq -keystore my_java_keystore.jks -storepass secret -alias testcertforsigning -file xyz_cert_signing_req.csr
More info on CSR file contents: http://en.wikipedia.org/wiki/Certificate_signing_request
Remember this file will only contain your public key and some information about your organization. You should never share the private key.
Now send this xyz_cert_signing_req.csr to a CA (certificate authority) like Verisign or DigiCert. (Yes, you need to pay to get a signed cert :) )
Step4: This is a very important step. If you try to import just your signed cert here you will get an error.
Follow these steps:
- Once you receive your signed cert from the CA, let's call it xyz_cert_signing_req.p7b.
- Double-click the file and Windows opens it in the certificate viewer, listing the certificates it contains (your CA's names could be different).
- Now click on each cert (i.e. *.xyz.com, DigiCert High Assurance CA-3, DigiCert High Assurance EV Root CA). A popup launches for each, and from there the Certificate Export Wizard lets you save each cert's public key separately. Choose the Base-64 encoded X.509 (.CER) format when saving.
Let's call these exported certs
RootCA.cer
HighAssuranceIntermediateCA3.cer
xyz_cert_signing.cer
If you open them in a text editor you will see something like
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
.....
-----END CERTIFICATE-----
Now combine the three .cer files into one file (you can copy them manually or use a script).
Let's call this xyz_cert_signing_combine.txt
This combined file will have the contents of all 3 certs (root, intermediate and your xyz_cert_signing.cer):
-----BEGIN CERTIFICATE-----
Contents of RootCA.cer here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of HighAssuranceIntermediateCA3.cer here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of xyz_cert_signing.cer here
-----END CERTIFICATE-----
STEP5: Now import this signed public key along with its root and intermediate cert into your keystore.
So you need to use the combined file xyz_cert_signing_combine.txt (I am using keytool, which is part of the Java JDK).
keytool -import -trustcacerts -file xyz_cert_signing_combine.txt -keystore my_java_keystore.jks -alias testcertforsigning -storepass secret -keypass secret
Now if you list your keystore you will see the root cert, the intermediate cert and your signed public key sitting along with your private key.
If some other app asks for your signed public key you can send them xyz_cert_signing_req.p7b, in which case they will extract the root cert, the intermediate cert and your signed public key. However, if they want to install it into their keystore, they may have to combine all 3 certs like I explained and install it differently:
keytool -import -file xyz_cert_signing_combine.txt -keystore my_java_keystore.jks -alias testcertforsigning -storepass secret
(NOTE: The -keypass and -trustcacerts options are not required here, as we are not updating an existing public/private key entry but just adding a public key. It makes sense to include the root CA cert and intermediate cert, as without them there is no way the other app can verify that your public key is signed by the right authority.)
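The combine-and-import steps above can also be done in plain Java, which makes it clear what keytool is actually doing in STEP5: the private key stays where it is and only the certificate chain of the entry is replaced. The program below is an added example, not code from the original post. It uses the file names, alias and passwords from the post (my_java_keystore.jks, testcertforsigning, secret, xyz_cert_signing_combine.txt); the class name and helper names are mine. It goes a little beyond the text: CertificateFactory reads the .p7b directly as well as the combined PEM file, so the Windows export step can be skipped, and the chain is ordered by following issuer/subject links and verifying each signature, so the order of the certs in the file does not matter. It also refuses a reply whose certs do not belong to the key pair in the keystore, the case keytool reports as "Certificate reply does not contain public key".

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: replaces the self-signed cert of an existing key entry with the
// CA-signed chain, which is what "keytool -import -trustcacerts" does in STEP5.
// File names, alias and passwords are the ones from the post; the class name is mine.
public class InstallSignedChain {

    public static void main(String[] args) throws Exception {
        String keystorePath = "my_java_keystore.jks";
        String alias = "testcertforsigning";
        char[] storePass = "secret".toCharArray();
        char[] keyPass = "secret".toCharArray();
        // CertificateFactory reads both the combined PEM file and the raw .p7b, so
        // either "xyz_cert_signing_combine.txt" or "xyz_cert_signing_req.p7b" works here.
        String reply = args.length > 0 ? args[0] : "xyz_cert_signing_combine.txt";

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        Key key = ks.getKey(alias, keyPass);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private key entry");
        }
        // Public key of the pair from STEP1, taken from the self-signed cert stored with it.
        PublicKey ourKey = ks.getCertificate(alias).getPublicKey();

        X509Certificate[] chain = buildChain(readCertificates(reply), ourKey);

        // The private key is untouched; only the certificate chain of the entry changes.
        ks.setKeyEntry(alias, key, keyPass, chain);
        try (FileOutputStream out = new FileOutputStream(keystorePath)) {
            ks.store(out, storePass);
        }
        System.out.println("Installed chain of length " + chain.length + " for alias " + alias);
    }

    // Parses every certificate in a PEM bundle or a PKCS#7 (.p7b) file.
    static List<X509Certificate> readCertificates(String path)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // Orders the reply as leaf, intermediate(s), root by following issuer -> subject
    // links and checking each signature, so the order of the input file does not matter.
    static X509Certificate[] buildChain(List<X509Certificate> certs, PublicKey ourKey)
            throws GeneralSecurityException {
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            if (Arrays.equals(c.getPublicKey().getEncoded(), ourKey.getEncoded())) {
                leaf = c;
            }
        }
        if (leaf == null) {
            // keytool reports this as "Certificate reply does not contain public key for <alias>":
            // none of the certs in the reply was issued for the key pair in this keystore.
            throw new GeneralSecurityException("reply contains no certificate for the keystore's public key");
        }
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
            chain.add(current);
            X509Certificate issuer = null;
            for (X509Certificate c : certs) {
                if (!chain.contains(c)
                        && c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    issuer = c;
                    break;
                }
            }
            if (issuer == null) {
                // keytool reports this as "Failed to establish chain from reply".
                throw new GeneralSecurityException("issuer of " + current.getSubjectX500Principal()
                        + " is missing from the reply; add the intermediate/root cert");
            }
            // A matching name is not enough: verify that the issuer really signed this cert.
            current.verify(issuer.getPublicKey());
            current = issuer;
        }
        chain.add(current); // the self-signed root
        return chain.toArray(new X509Certificate[0]);
    }
}
```

Run it as `java InstallSignedChain xyz_cert_signing_combine.txt` (or with the .p7b) from the directory holding the keystore; like keytool, it writes the keystore back in place, so keep a copy of my_java_keystore.jks first. Afterwards `keytool -list -v` shows the same entry with a chain length of 3 instead of 1.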
To convert JKS to PFX
keytool -importkeystore -srckeypass secret -destkeypass meow123 -srcstorepass secret -deststorepass meow123 -srcalias testcertforsigning -destalias testcertforsigning -srckeystore my_java_keystore.jks -destkeystore not_java_keystore.pfx -deststoretype PKCS12
If you are adding more than one cert, repeat the -srcalias and -destalias options for each one.
In case you want to export the public key only
TO LIST KEYSTORE:
=================
--Java keystore
keytool -list -v -keystore my_java_keystore.jks -storepass secret
--PFX (Personal Information Exchange) keystore (the store password is the -deststorepass used in the conversion above)
keytool -list -v -keystore not_java_keystore.pfx -storepass meow123 -storetype PKCS12
NOTE: If you have a public/private key entry, after running keytool you will see
Your keystore contains 2 entries
Alias name: testcertforsigning
Creation date: Feb 1, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]: {The actual cert information will be printed here. Excluded that intentionally.}
Entry type: PrivateKeyEntry indicates that you have both the public and private key of the pair.
In case someone sends you a ".pfx" file, in Java you can use the ".pfx" file as the keystore and a JKS file as the truststore, built by importing the ".cer" files into a Java keystore.
In Java code you can set these as system properties, or pass the same values on the command line with -D options.
import java.util.Properties;

public class TlsSystemProperties {
    public static void main(String[] args) {
        // These must be set before the first TLS connection in the JVM: the default
        // SSLContext reads them once when it is initialized, so later changes have no effect.
        Properties props = System.getProperties();
        // to enable debugging (very verbose; turn it off in production)
        props.setProperty("javax.net.debug", "all");
        // Trust store: mostly will have CA certs
        props.setProperty("javax.net.ssl.trustStore", "C:\\Program Files\\Java\\openjdk-11\\lib\\security\\cacerts");
        props.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        // Key store: holds our own private key and the signed certificate chain
        props.setProperty("javax.net.ssl.keyStore", "C:\\Rama\\Project\\RamaFinancialTest2022.pfx");
        props.setProperty("javax.net.ssl.keyStorePassword", "abcd");
        props.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        // In case you want to control cipher suites based on what the server supports
        //props.setProperty("jdk.tls.client.cipherSuites", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        //props.setProperty("jdk.tls.server.cipherSuites", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
    }
}
Though in Java it is common to use the same JKS (the cacerts file mentioned above) as both keystore and truststore. In our case an external client sent a ".pfx" file, which Java can read anyway, so we used that as the keystore, since it has a privateKeyEntry (the private key plus the public cert chain), and extracted the remaining root and intermediate certs and added them to the truststore.
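The system properties above apply to every TLS connection in the JVM. When only one client needs the .pfx identity, the same two stores can be wired into an SSLContext explicitly. The program below is an added example, not code from the original post or from any project mentioned in it; the file names client_identity.pfx and my_truststore.jks, the passwords, the hostname app1.xyz.com and the class and method names are assumptions. It shows the two roles the post describes (PKCS12 keystore for who we are, JKS truststore for which CAs we accept) and adds the check that is easy to forget with a raw SSLSocket: endpoint identification, without which any certificate chaining to the truststore is accepted for any hostname. The cipher suite list is the per-connection equivalent of the jdk.tls.client.cipherSuites property.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example: builds a TLS context from a .pfx keystore and a JKS truststore
// explicitly, instead of through JVM-wide javax.net.ssl.* system properties.
// File names, passwords and hostname are assumptions, not values from a real project.
public class TlsContextFromStores {

    static KeyStore loadStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Key store (PKCS12) = who we are; trust store (JKS) = which CAs we accept.
    static SSLContext build(String keyStorePath, char[] keyStorePass,
                            String trustStorePath, char[] trustStorePass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(keyStorePath, "PKCS12", keyStorePass), keyStorePass);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, "JKS", trustStorePass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens a client connection that checks the server's hostname as well as its chain.
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Without this a raw SSLSocket accepts any certificate that chains to the trust
        // store, regardless of which hostname it was issued for.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Per-connection equivalent of the jdk.tls.client.cipherSuites property from the post.
        params.setCipherSuites(new String[] {
            "TLS_AES_256_GCM_SHA384",                // TLS 1.3
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"  // TLS 1.2
        });
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setSSLParameters(params);
        socket.startHandshake(); // fails here if the chain or the hostname does not check out
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build("client_identity.pfx", "abcd".toCharArray(),
                               "my_truststore.jks", "changeit".toCharArray());
        try (SSLSocket s = connect(ctx, "app1.xyz.com", 443)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getCipherSuite());
        }
    }
}
```

The passwords are literals only so the example is self-contained; in a deployment they come from configuration or a secrets store. Because the context is built per client, the JDK's own cacerts stays untouched and the javax.net.debug property is not needed to see which store was used: a failing handshake names the missing trust anchor or the hostname mismatch in its exception.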