Integrating Java Cryptography API’s With Certificates to Create Trust Chains (Part 1)
Learn how to create a certificate that implements secure communication via the Java cryptography API.
Join the DZone community and get the full member experience.Join For Free
Today, we will demonstrate the creation of certificates by adding the same in the Trust Store of the browsers.
Let's take a look at how to generate a key pair, a certificate signing request (CSR) using Java Keytool and set up your own CA using OpenSSL tool and sign a certificate. At the end of this tutorial, we will have demonstrated how to use the generated certificates to implement secure communication.
We will require the following items installed in the Maven file to run the following programs:
The above tools need to be downloaded in order to create the keyStores and certificates.
- Java Cryptography Libraries:
We need to add the above dependencies in the Maven project to access the Java cryptography API’s.
Steps to create a keyStore and add it to the class path of the Java Project.
#######Password Always is Password######################
- Generate a Key Pair
keytool -genkey -alias Aritra -keystore AritraKeyStore.jks -keyalg RSA -sigalg SHA1withRSA
Key Store Password: You can consider that the
keytoolwill append this password to the content of the key store and then generate a hash/digest and store it into the key store. If someone modifies the key store without this password, they won’t be able to update the digest message. The next time you run the
keystore, it will note the mismatch and warn you not to use this key store anymore.
Alias Password or Private Key Password: You need to provide an entry password to protect the entry for the alias, here Aritra. That
keytoolwill use this password to encrypt Aritra’s private key. This way, other people won’t be able to read the Aritra private key.
2. Create a Self-Signed Certificate
Use the following command to export the public key as a certificate.
keytool -export -alias Aritra -file Aritra.cer -keystore AritraKeyStore.jks
Aritra.cer is a self-signed certificate. Its Owner and Issuer have the same DN. This certificate is signed by the private key of Aritra. You can also open the certificate using Windows certification viewer tool. Double click the certificate in C:\>Keys folder and the certificate viewer will open.
These are untrusted certificates, which we need to add in the trust store.
3. Generate a Certificate Signing Request
To be trusted, we need our certificate to be signed by a well known CA. To do that, first, we need to generate a Certificate Signing Request (CSR) and send it to CA. Keytool helps to generate a CSR using the following command:
keytool -certreq -alias Aritra -keystore AritraKeyStore.jks -file Aritra.csr
The above command extracts required information, such as the public key, DN, and put it in a standard CSR format in file Aritra.csr. A commercial CA should verify all information before they can issue a certificate with their signature. In the next section, we are going to create our own test CA and register it as trusted to the browser and use it to sign our public key.
4. Set Up a Certificate Authority
Next, to start Test CA, we need a private key. This is the top secret of the CA. If this is compromised, then the CA is doomed! All certificates issued by this CA will be revoked. This is why the root private key is so important and often kept off-line necessitating a multi-tier hierarchy. For our test CA, we need to create the key-pair and create a certificate signing request for the root CA’s public key. Please note this CSR is for the CA itself. These two steps can be done in a single command using SSL as follows:
openssl req -new -keyout cakey.pem -out careq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg
req: work on a certificate signing request
new: create a new private key and add a certificate request
keyout: keep the private key in the file cakey.pem. This is a top secret file!
out: write the CSR in the file careq.pem
config: provide the config file. This is needed for the first time only.
5. Generate a Certificate Out of Test CA’s CSR
Now, we need to generate a certificate out of Test CA’s CSR. Obviously, this would be self signed. The following OpenSSL command is used to generate a self signed certificate form the CSR.
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
x509: Work on an X.509 certificate
signkey: self sign the certificate using private in as stored in file cakey.pem
req: tells that input is a CSR
days: specify days of validity of the generated certificate
in: the input, i.e. CSR careq.pem
out: write the output certificate on caroot.cer
extensions: apply x.509 v3 extensions
6. Trusting Test CA’s Root Certificate
Every browser keeps well know CA’s root certificates in their trust store. Browsers manage (add/delete) these certificates during security patches time to time.
Open IE and click on Internet Options->Content->Certificates->Trusted Root Certification Authorities
You can add Test CA’s root certificate to your JRE using the
keytool command. The initial password of the “cacerts” keystore file is “changeit.” You can also add the Test CA’s root certificate in AritraKeyStore.jks or your own key store and point to that key store at runtime when you need to use any certificate signed by this Test CA. If you cannot convince JRE that Test CA’s root is trusted, all certificates signed by Test CA will not work at runtime! You will see shortly how Test CA’s cert can be added to AritraKeyStore.jks.
7. Own Certificate Signed by CA
Test CA is ready; we have added it to the browser’s truststore. Now, it the time to get your own certificate signed by the Test CA. However, before that, you need to note that when a CA issues a new certificate, it will put a unique serial number into that certificate. So you need to tell OpenSSL what is the next serial number to use. To do that, drop a serial.txt file containing a serial number in the directory.
echo 1234>serial.txt openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Aritra.csr -out AritraTestCA.cer -days 365
x509: again working with X.509 certificates.
CA: sign the certificate using caroot.cer. For example, it can find the DN of the CA here
CAkey: take the private key from cakey.pem file
CAserial: point to serial number file
req: says that input is a CSR and not a certificate itself
in: provides the input CSR as ../Keys/Aritra.csr
out: write the output certificate in ../Keys/AritraTestCA.cer file
days: validity of the certificate
You can see that there are no red-cross mark with the certificate now. The AritraTestCA is trusted as it is signed by Test CA, which is trusted to the Windows/IE. Now, whoever trusts Test CA will be able to trust the public key writtin in AritraTestCA.cer and be able to send an encrypted message to Aritra. And, Aritracan decrypts the message using the private key stored in AritraKeyStore.jks.
8. Keep the Certificates in Key Store
We can separately keep the AritraTestCA.cer and send it to clients or import AritraTestCA.cer to the key store. That’s the way to use the certificate in a Java application. But before that, we need to import the signer certificate, i.e. root certificate of Test CA. Otherwise,
keytool will not import AritraTestCA.cer because it would not be able to trust the signer.
While importing Test CA’s root certificate,
keytool will ask for a confirmation that we really trust Test CA. If you say YES,
keytool will take all certificates signed by the root certificate.
keytool -import -alias TestCA -file ../CA/caroot.cer -keystore AritraKeyStore.jks
Import AritraTestCA.cer, which is now signed by Test CA. One point to note here is that while importing this certificate, you have to specify the same alias name that was used to generate the key pair. Only then,
keytool will replace the default self-signed Deb’s certificate with the certificate signed by Test CA.
keytool -import -alias Aritra -file AritraTestCA.cer -keystore AritraKeyStore.jks
We started with a empty key store and added several certificates in it while working on this tutorial. Let us see what all is there in the
The key store has two entries — one
PrivateKeyEntry entry. This is basically a certificate chain now containing two certificates. The other is the
trustedCertEntry entry, which is just a trusted, self-signed Test CA’s root certificate. Here, we learned how to create a certificate, get it signed by a CA, import it back to the
keyStoreto create the whole certificate chain and all trust issues.
In the next post, we will look into the usage of the Java cryptography APIs and how to use these certificates in your Java projects.
Opinions expressed by DZone contributors are their own.