We will use the openssl suite and the Java keytool utility that ships with the JDK to create the keystores.
Step 1: Creating Certificate Authority Keys
A certificate authority (CA) is an entity trusted by all parties participating in a secure communication. It certifies the public keys of those parties by signing them, and because the CA is trusted, each party accepts public key certificates signed by that CA as trusted. First we will create a new self-signed key pair for the certificate authority, using openssl.
IMPORTANT: Download the following three files and copy them to the directory that will be used to create the keys: index.txt, openssl.cnf, serial.
Run the following from the same directory that you saved the above files in:
$ openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -config openssl.cnf
You will now be asked a series of questions while the key pair is created, as shown below:
Generating a 1024 bit RSA private key
...++++++
..............++++++
writing new private key to 'CAKey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank. For some fields
there will be a default value,If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:Western
Locality Name (eg, city) []:Colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WSO2
Organizational Unit Name (eg, section) []:Axis2
Common Name (eg, YOUR name) []:Ruchith Fernando
Email Address []:ruchith@axis2.com
The result of the above will be two files: cakey.pem contains the encrypted private key, and cacert.pem contains the public key certificate signed using that private key (Figure 1).
Figure 1: CA's private key and the self-signed certificate
Step 2: Client and Service Keys
Now let's create the two sets of keys for the service and the client using the 'keytool' that comes with the JDK. Use 'keytool -genkey' to create a key pair and store it in a keystore with the following command:
$ keytool -genkey -alias client -keyalg RSA -keystore client.jks
Once again you will be asked a series of questions, as shown below:
Enter keystore password: changeme
What is your first and last name?
[Unknown]: Client
What is the name of your organizational unit?
[Unknown]: Axis2
What is the name of your organization?
[Unknown]: WSO2
What is the name of your City or Locality?
[Unknown]: Colombo
What is the name of your State or Province?
[Unknown]: Western
What is the two-letter country code for this unit?
[Unknown]: LK
Is CN=Client, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password):
The created keys are stored under the alias client in the client.jks file, which is a Java keystore (Figure 2).
Figure 2: Contents of a keystore with a single key entry
To verify this we can list the contents of the keystore as shown below.
$ keytool -list -v -keystore client.jks -storepass changeme
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: client
Creation date: Apr 12, 2006
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Client, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Issuer: CN=Client, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Serial number: 443d2226
Valid from: Wed Apr 12 21:52:06 LKT 2006 until: Tue Jul 11 21:52:06 LKT 2006
Certificate fingerprints:
MD5: EB:25:BA:E1:A9:7F:FB:41:2D:B9:B4:75:D4:47:88:D8
SHA1: F2:6F:93:3F:51:FA:CC:48:AE:E1:BE:20:04:C7:0E:90:C4:2C:D2:DB
*******************************************
*******************************************
Similar to the way we created the client's keys, we can create the service's keys using the following command:
$ keytool -genkey -alias service -keyalg RSA -keystore service.jks
Note that we will be using 'changeme' (without quotes) as the password of both keys and keystores.
Step 3: Producing Signed X509 Certificates
We can create signed X509 (version 3) certificates with openssl from certificate requests. First we have to create the certificate requests using the generated keys of the client and the service.
$ keytool -certreq -keystore client.jks -storepass changeme -alias client -file client.cert.req
$ keytool -certreq -keystore service.jks -storepass changeme -alias service -file service.cert.req
The above commands create the client.cert.req and service.cert.req files, which we use in the next step to produce X509 certificates signed by the private key of the CA using the 'openssl ca' command.
$ openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req
$ openssl ca -config openssl.cnf -out service.pem -infiles service.cert.req
Note that the CA's configuration file (openssl.cnf) is configured to point to the cakey.pem file as the private key to use. The output written to client.pem and service.pem is plain text. To import these signed certificates into the keystores we have to convert them into the binary (DER) format using the 'openssl x509' command.
$ openssl x509 -outform DER -in client.pem -out client.cert
$ openssl x509 -outform DER -in service.pem -out service.cert
We also have to convert the CA's certificate to the binary form so that it can be imported into both keystores.
$ openssl x509 -outform DER -in cacert.pem -out cacert.cert
Step 4: Importing the certificates
First we must import the CA's self-signed certificate into both the client and the service keystores. We use the alias 'ca' to identify the CA's certificate.
$ keytool -import -file cacert.cert -keystore service.jks -storepass changeme -alias ca
$ keytool -import -file cacert.cert -keystore client.jks -storepass changeme -alias ca
The 'keytool' will display the information in the certificate and ask for confirmation before importing it.
Owner: CN=Ruchith Fernando, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Issuer: CN=Ruchith Fernando, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Serial number: c2889b1153b983b6
Valid from: Wed Apr 12 23:10:23 LKT 2006 until: Fri May 12 23:10:23 LKT 2006
Certificate fingerprints:
MD5: 0C:D8:14:DA:B2:32:3A:DA:F3:9B:2F:C8:B8:4E:C8:A0
SHA1: 20:77:05:EA:50:E6:64:EE:81:05:57:EE:8B:E4:C8:7C:76:98:C0:06
Trust this certificate? [no]: yes
When we type 'yes' and confirm the import, the CA's certificate is imported as a trusted certificate entry.
Certificate was added to keystore
Now we import the signed certificates into the keystores.
$ keytool -import -file client.cert -keystore client.jks -storepass changeme -alias client
$ keytool -import -file service.cert -keystore service.jks -storepass changeme -alias service
Since the certificate being imported matches the key pair stored under the given alias and is signed by the trusted CA certificate (which is now in the keystore), keytool simply installs the signed certificate and responds with the following.
Certificate reply was installed in keystore
It is important to note that the CA's certificate must be imported before the other certificates. Otherwise, when we try to import a certificate, keytool gives the following error:
keytool error: java.lang.Exception: Failed to establish chain from reply
To allow secure communication between the client and the service, we have to make sure that each party has the other's public key. Now let's import client.cert into the service's keystore and service.cert into the client's keystore.
$ keytool -import -file client.cert -keystore service.jks -storepass changeme -alias client
$ keytool -import -file service.cert -keystore client.jks -storepass changeme -alias service
Once again, since the certificates being added are signed by a trusted certificate, they are simply imported into the keystores and keytool confirms this with the following output.
Certificate was added to keystore
Now we have two keystores, one each for the client and the service, containing their own key pairs together with the certificates of the other party and of the certificate authority.
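The four steps above, collected into one non-interactive script as an added example. It is not the article's code, and the author's index.txt, openssl.cnf and serial files are not on the page, so the script writes its own minimal openssl.cnf and CA database. It assumes openssl and the JDK keytool are on PATH; the passwords, DNs and file names are constructed for the demo. Where it departs from the article: 2048-bit RSA keys and SHA-256 signatures instead of rsa:1024 and the 2006-era defaults, -subj, -batch, -dname and -noprompt in place of the interactive prompts, the CA key passphrase read from an environment variable rather than typed, and a check at the end that reads a keystore back and confirms the stored chain length is 2 (own certificate plus CA) and that the CA entry is a trusted certificate entry.

```shell
#!/bin/sh
# Added example, not the article's code: the four steps above as one
# non-interactive script. Assumes openssl and the JDK keytool are on PATH.
# Passwords, DNs and file names are constructed for the demo.
set -eu

PASS="${PASS:-changeme}"                  # keystore and key password, as in the article
export CA_PASS="${CA_PASS:-ca-changeme}"  # CA key passphrase; passed via env: so it stays out of `ps`
STORETYPE="${STORETYPE:-JKS}"             # JKS to match the article; PKCS12 works unchanged

# keytool wrapper: fixed store type, password and English messages (parsed below)
kt() { keytool -J-Duser.language=en "$@" -storetype "$STORETYPE" -storepass "$PASS"; }

# Minimal openssl.cnf plus the CA database files 'openssl ca' expects; the article's
# downloaded index.txt/serial/openssl.cnf are not on the page, so this stands in for them.
write_ca_config() {
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  : > index.txt; echo 01 > serial; mkdir -p newcerts
}

# Step 1: self-signed CA key pair (2048-bit RSA/SHA-256 instead of the article's rsa:1024)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -days 365 -config openssl.cnf -passout env:CA_PASS \
    -keyout cakey.pem -out cacert.pem -subj "/O=WSO2/OU=Axis2/CN=Demo CA"
  openssl x509 -outform DER -in cacert.pem -out cacert.cert   # binary form for keytool
}

# Steps 2 and 3 for one party: key pair in a keystore, CSR, CA-signed cert, DER conversion
make_party() {  # $1 = alias (client|service), $2 = CN
  kt -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 -keystore "$1.jks" \
     -keypass "$PASS" -dname "CN=$2, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK"
  kt -certreq -alias "$1" -keystore "$1.jks" -file "$1.cert.req"
  openssl ca -batch -config openssl.cnf -passin env:CA_PASS -in "$1.cert.req" -out "$1.pem"
  openssl x509 -outform DER -in "$1.pem" -out "$1.cert"
}

# Step 4: the CA certificate must go in first, or the reply import fails with
# "Failed to establish chain from reply"; then the own signed reply, then the peer's cert
import_certs() {  # $1 = own alias, $2 = peer alias
  kt -importcert -noprompt -alias ca -file cacert.cert -keystore "$1.jks"
  kt -importcert -noprompt -alias "$1" -file "$1.cert" -keystore "$1.jks" -keypass "$PASS"
  kt -importcert -noprompt -alias "$2" -file "$2.cert" -keystore "$1.jks"
}

# Checks to run afterwards: how long the stored chain is, and what kind of entry an alias holds
chain_length() { kt -list -v -keystore "$1" -alias "$2" 2>/dev/null | sed -n 's/^Certificate chain length: *//p'; }
entry_type()   { kt -list -v -keystore "$1" -alias "$2" 2>/dev/null | sed -n 's/^Entry type: *//p'; }

build_all() {  # $1 = empty working directory; leaves client.jks and service.jks there
  ( cd "$1" && write_ca_config && make_ca && make_party client Client && \
    make_party service Service && import_certs client service && import_certs service client )
}

have_tools() { command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; }

if have_tools; then
  OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
  build_all "$OUT_DIR"
  echo "client.jks: chain length $(chain_length "$OUT_DIR/client.jks" client), ca is $(entry_type "$OUT_DIR/client.jks" ca)"
  echo "keystores written to $OUT_DIR"
else
  echo "openssl and keytool are both required" >&2
fi
```

Run it as `sh make_keystores.sh` (the file name is the example's own); it prints the temporary directory holding client.jks and service.jks, and the chain length it reports for the client alias should be 2. The order inside import_certs is the point the article makes: the CA certificate has to be in the keystore before the certificate reply is imported, otherwise keytool cannot build the chain and fails with 'Failed to establish chain from reply'.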
Author
Ruchith Fernando, Senior Software Engineer, WSO2 Inc. ruchith @ wso2