Tips on SSL certificates from the Java point of view

Tip #1 : How to add a server's SSL certificate to your Java keystore

Following these instructions you will be able to install into your local keystore the SSL certificates that your application needs in order to connect to a remote server over SSL. First download and unzip the InstallCert archive from http://opentox.ntua.gr/files/InstallCert.zip. Open a terminal and type:

mkdir InstallCert
cd InstallCert
wget http://opentox.ntua.gr/files/InstallCert.zip
unzip InstallCert

Then export your JAVA_HOME variable (customize the following line according to your Java installation directory):

export JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.24/

Now assume you need to download the SSL certificate of the server at https://server.com and add it to your local keystore. Run:

java InstallCert server.com:443

Repeat this for every additional certificate you need. For example, run:

java InstallCert ambit.uni-plovdiv.bg:8443

The first of these commands creates a file called jssecacerts in the current directory, and every later run adds one more certificate to that same file. Copy this file to your Java security folder (usually $JAVA_HOME/jre/lib/security):

sudo cp jssecacerts $JAVA_HOME/jre/lib/security

Your Java applications will now be able to connect over SSL to the servers whose certificates you added.

OpenTox lists the following SSL certificates:

  1. The AMBIT certificate for ambit.uni-plovdiv.bg:8443
  2. The OpenSSO server certificate at opensso.in-silico.ch

Tip: to create a jssecacerts file covering both servers, run the following in sequence:

java InstallCert opensso.in-silico.ch
java InstallCert ambit.uni-plovdiv.bg:8443

Then, as already explained, move the file to your Java security folder (yes, a single file is created, not two). That should be enough for any Java-based client to access protected resources in OpenTox (e.g. Q-edit).
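InstallCert trusts whatever certificate the server presents at the moment you run it, so whatever sits between you and the server on that first connection ends up in your keystore. The program below is an added example, not the InstallCert code and not part of the original post: it fetches the chain the same way (a trust manager that only records what the peer sends), prints the SHA-256 fingerprint of every certificate in the chain, and writes the chosen one into ./jssecacerts only when that fingerprint matches the value given on the command line, which you obtain from the server operator through another channel. The class name VerifiedInstallCert, the default port 443, and the keystore password changeit (keytool's conventional default) are assumptions, and the code needs Java 7 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (hypothetical class, not the InstallCert code): fetch the chain a server
 * presents, print SHA-256 fingerprints, and add the chosen certificate to ./jssecacerts
 * only if its fingerprint matches the one given on the command line (obtained out of band).
 * Usage: java VerifiedInstallCert host[:port] <expected-sha256-fingerprint> [chain-index]
 */
public class VerifiedInstallCert {

    /* Records the chain the peer sends; the connection is never used for application data. */
    static final class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] c, String auth) {
            throw new UnsupportedOperationException("client certificates are not handled here");
        }
        public void checkServerTrusted(X509Certificate[] c, String auth) {
            chain = c;  // record only; no trust decision is made here
        }
    }

    /* SHA-256 fingerprint as colon-separated upper-case hex, the form keytool and openssl print. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /* Opens a TLS connection whose only purpose is to capture the server's certificate chain. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        RecordingTrustManager recorder = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10000);
            socket.startHandshake();
        } catch (Exception e) {
            // the handshake may still fail for other reasons; the chain was recorded before that
        }
        if (recorder.chain == null) {
            throw new IllegalStateException("no certificate chain received from " + host + ":" + port);
        }
        return recorder.chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java VerifiedInstallCert host[:port] <sha256-fingerprint> [chain-index]");
            System.exit(2);
        }
        String[] hostPort = args[0].split(":");
        String host = hostPort[0];
        int port = hostPort.length > 1 ? Integer.parseInt(hostPort[1]) : 443;  // assumed default
        String expected = args[1].replace(":", "").toUpperCase();
        int index = args.length > 2 ? Integer.parseInt(args[2]) : 0;

        X509Certificate[] chain = fetchChain(host, port);
        for (int i = 0; i < chain.length; i++) {
            System.out.println(i + ": " + chain[i].getSubjectX500Principal());
            System.out.println("   SHA-256: " + sha256Fingerprint(chain[i]));
        }
        if (index < 0 || index >= chain.length) {
            System.err.println("chain index out of range");
            System.exit(2);
        }
        X509Certificate chosen = chain[index];
        if (!sha256Fingerprint(chosen).replace(":", "").equals(expected)) {
            System.err.println("fingerprint of certificate " + index + " does not match; nothing was added");
            System.exit(1);
        }

        // Load the existing jssecacerts if there is one, otherwise start from an empty keystore.
        File file = new File("jssecacerts");
        char[] password = "changeit".toCharArray();  // assumed: keytool's conventional default
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (file.exists()) {
            try (InputStream in = new FileInputStream(file)) { ks.load(in, password); }
        } else {
            ks.load(null, password);
        }
        String alias = host + "-" + index;
        ks.setCertificateEntry(alias, chosen);
        try (OutputStream out = new FileOutputStream(file)) { ks.store(out, password); }
        System.out.println("added alias '" + alias + "' to " + file.getAbsolutePath());
    }
}
```

Run it as `java VerifiedInstallCert ambit.uni-plovdiv.bg:8443 <fingerprint>`. A run with a non-matching fingerprint still prints the whole chain, so you can compare what the server showed you with the value you were given before anything is written. For a server behind a private CA you will usually want to add the CA certificate (a higher index in the chain) rather than the leaf, because the leaf stops matching as soon as the server renews its certificate.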

Tip #2 : List the contents of your keystore

In order to list the contents of your Java keystore (the jssecacerts file you created in the previous section) run:

keytool -list -keystore ./jssecacerts

Tip #3 : Export a certificate from your keystore as PEM

If you need a certificate from your keystore in PEM format, you can export it by alias with the following command:

keytool -exportcert -keystore ./jssecacerts \
-alias digicertassuredidrootca -file ./digicertassuredidrootca.pem \
-rfc -v

This will create the file digicertassuredidrootca.pem. Your PEM file looks like this:

-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAeIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuFGlnaWNlcnQuY29tMSQw
...
8b5QZ7dsvfPxH2sMNgcWfz08qVttevESRmCD1zcEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----

Not much to understand from that, huh? The next section explains how to convert it to a more human-readable format.

Tip #4 : Inspect a PEM certificate

If you need a human-readable variant of the above PEM certificate, then run:

openssl x509 -in digicertassuredidrootca.pem -text -noout > mycert.txt

Now the certificate looks like this:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
Validity
Not Before: Nov 10 00:00:00 2006 GMT
Not After : Nov 10 00:00:00 2031 GMT
Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:ad:0e:15:ce:e4:43:80:5c:b1:87:f3:b7:60:f9:
71:12:a5:ae:dc:26:94:88:aa:f4:ce:f5:20:39:28:
58:60:0c:f8:80:da:a9:15:95:32:61:3c:b5:b1:28:
84:8a:8a:dc:9f:0a:0c:83:17:7a:8f:90:ac:8a:e7:
79:53:5c:31:84:2a:f6:0f:98:32:36:76:cc:de:dd:
3c:a8:a2:ef:6a:fb:21:f2:52:61:df:9f:20:d7:1f:
e2:b1:d9:fe:18:64:d2:12:5b:5f:f9:58:18:35:bc:
47:cd:a1:36:f9:6b:7f:d4:b0:38:3e:c1:1b:c3:8c:
33:d9:d8:2f:18:fe:28:0f:b3:a7:83:d6:c3:6e:44:
c0:61:35:96:16:fe:59:9c:8b:76:6d:d7:f1:a2:4b:
0d:2b:ff:0b:72:da:9e:60:d0:8e:90:35:c6:78:55:
87:20:a1:cf:e5:6d:0a:c8:49:7c:31:98:33:6c:22:
e9:87:d0:32:5a:a2:ba:13:82:11:ed:39:17:9d:99:
3a:72:a1:e6:fa:a4:d9:d5:17:31:75:ae:85:7d:22:
ae:3f:01:46:86:f6:28:79:c8:b1:da:e4:57:17:c4:
7e:1c:0e:b0:b4:92:a6:56:b3:bd:b2:97:ed:aa:a7:
f0:b7:c5:a8:3f:95:16:d0:ff:a1:96:eb:08:5f:18:
77:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F
X509v3 Authority Key Identifier:
keyid:45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F

Signature Algorithm: sha1WithRSAEncryption
a2:0e:bc:df:e2:ed:f0:e3:72:73:7a:64:94:bf:f7:72:66:d8:
32:e4:42:75:62:ae:87:eb:f2:d5:d9:de:56:b3:9f:cc:ce:14:
28:b9:0d:97:60:5c:12:4c:58:e4:d3:3d:83:49:45:58:97:35:
69:1a:a8:47:ea:56:c6:79:ab:12:d8:67:81:84:df:7f:09:3c:
94:e6:b8:26:2c:20:bd:3d:b3:28:89:f7:5f:ff:22:e2:97:84:
1f:e9:65:ef:87:e0:df:c1:67:49:b3:5d:eb:b2:09:2a:eb:26:
ed:78:be:7d:3f:2b:f3:b7:26:35:6d:5f:89:01:b6:49:5b:9f:
01:05:9b:ab:3d:25:c1:cc:b6:7f:c2:f1:6f:86:c6:fa:64:68:
eb:81:2d:94:eb:42:b7:fa:8c:1e:dd:62:f1:be:50:67:b7:6c:
bd:f3:f1:1f:6b:0c:36:07:16:7f:37:7c:a9:5b:6d:7a:f1:12:
46:60:83:d7:27:04:be:4b:ce:97:be:c3:67:2a:68:11:df:80:
e7:0c:33:66:bf:13:0d:14:6e:f3:7f:1f:63:10:1e:fa:8d:1b:
25:6d:6c:8f:a5:b7:61:01:b1:d2:a3:26:a1:10:71:9d:ad:e2:
c3:f9:c3:99:51:b7:2b:07:08:ce:2e:e6:50:b2:a7:fa:0a:45:
2f:a2:f0:f2
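keytool -list shows the aliases and fingerprints, and openssl x509 -text dumps one certificate in full; what neither gives you at a glance is whether an entry in jssecacerts is still valid, or whether it is an end-entity certificate that will stop matching on the server's next renewal. The program below is an added example and not part of the original post: it reads either a keystore (as in Tip #2) or a PEM file such as the one exported in Tip #3, and prints the subject, issuer, serial number, CA or end-entity kind, validity window with a status, and signature algorithm of every certificate it finds. The class name InspectCerts, the .pem/.crt file-name test used to tell the two inputs apart, and the default password changeit are assumptions; it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.TimeUnit;

/*
 * Added example (hypothetical class, not from the original post): print the fields that
 * matter for trust decisions for every certificate in a keystore or a PEM file.
 * Usage: java InspectCerts jssecacerts [keystore-password]
 *        java InspectCerts digicertassuredidrootca.pem
 */
public class InspectCerts {

    /* Loads certificates from a PEM/CRT file or, for any other name, from a keystore. */
    static List<X509Certificate> loadCertificates(String path, char[] password) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        if (path.endsWith(".pem") || path.endsWith(".crt")) {  // assumed naming convention
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(path)) {
                for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
            }
        } else {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                Certificate c = ks.getCertificate(e.nextElement());
                if (c instanceof X509Certificate) certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /* Validity status relative to now; a truststore should only contain "ok" entries. */
    static String validityStatus(X509Certificate cert, Date now) {
        if (now.after(cert.getNotAfter())) return "EXPIRED";
        if (now.before(cert.getNotBefore())) return "NOT YET VALID";
        long daysLeft = TimeUnit.MILLISECONDS.toDays(cert.getNotAfter().getTime() - now.getTime());
        return daysLeft < 30 ? "EXPIRES IN " + daysLeft + " DAYS" : "ok";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java InspectCerts <jssecacerts|file.pem> [keystore-password]");
            System.exit(2);
        }
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();  // assumed default
        Date now = new Date();
        for (X509Certificate cert : loadCertificates(args[0], password)) {
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            // getBasicConstraints() is -1 for end-entity certificates and >= 0 for CA certificates
            boolean isCa = cert.getBasicConstraints() >= 0;
            System.out.println("Subject:   " + cert.getSubjectX500Principal());
            System.out.println("Issuer:    " + cert.getIssuerX500Principal()
                    + (selfSigned ? " (self-signed)" : ""));
            System.out.println("Serial:    " + cert.getSerialNumber().toString(16));
            System.out.println("Kind:      " + (isCa ? "CA certificate"
                    : "end-entity certificate (stops matching when the server renews it)"));
            System.out.println("Valid:     " + cert.getNotBefore() + " to " + cert.getNotAfter()
                    + " [" + validityStatus(cert, now) + "]");
            System.out.println("Signature: " + cert.getSigAlgName());
            System.out.println();
        }
    }
}
```

Run on the PEM file from Tip #3 it reports the same issuer, subject, serial (0ce7e0e517d846fe8fe560fc1bf03039) and validity dates that the openssl output above shows, and marks the entry as a self-signed CA certificate; run on jssecacerts it does the same for every alias, so expired entries and pinned server certificates are easy to spot.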

That's all folks! Stay tuned for more!

Ah, one more thing, a kind of comment on computer security systems. I think the following cartoon best summarizes my point :) [retrieved from http://xkcd.com/538/]
