SSL is a commonly-used protocol for managing the security of message transmission on the Internet.
SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key encryption, a public key and a private key are generated for a server. Data encrypted with the public key can only be decrypted using the corresponding private key and data encrypted with the private key can only be decrypted using the corresponding public key. The private key is carefully protected so that only the owner can decrypt messages that were encrypted using the public key.
The public key is embedded in a digital certificate with additional information describing the owner of the public key, such as name, street address, and e-mail address. A private key and digital certificate provide identity for the server.
The data embedded in a digital certificate is verified by a certificate authority (CA) and digitally signed with the CA’s digital certificate. Well-known certificate authorities include Entrust and VeriSign. The trusted CA certificate establishes trust for a certificate.
An application participating in an SSL connection is authenticated when the other party evaluates and accepts the application’s digital certificate. Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted CA and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the digital certificate of the CA used to sign it expired. A server certificate can be invalidated if the host name in the digital certificate of the server does not match the URL specified by the client.
Open Source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. OpenSSl Command Line Tool Document
- A command line application to perform a wide variety of cryptography tasks, such as creating and handling certificates and related files. OpenSSL commands
- A comprehensive and extensive cryptographic library libcrypto.
- A library for enabling SSL/TLS communications libssl.
Generate self signed SSL certificate using OpenSSL toolkit
These are keys that are intended to be known to everyone who needs to have trusted interactions with the entity. Public keys are used to verify signatures.
These are keys, each of which is supposed to be known only to the particular entity who owns it (it’s supposed to be kept secret). Private and public keys exist in pairs in all public key cryptography systems. Private keys are used to compute signatures.
A signature is computed over some data using the private key of an entity (the signer).
A certificate is a digitally signed statement from Certificate Authority that certifies the ownership of a public key by the named subject of the certificate.
Certificate Authority(CA) is a trusted third party that agrees to vouch for the identity of a site, usually for a fee. Most web browsers automatically trust Commercial CAs. Aside from commercial CAs, some organizations entities may have their own CAs for internal signing.
keytool is a Java Key and Certificate Management Tool comes with JDK. It is an utility to manage the keystore of public/private keys, trusted certificates and certificates chains. JDK keytool
A keystore is a storage facility for cryptographic keys and certificates. In Java, you may encounter these two types of keystores:
- Identity KeyStore: contains private key and accompanied by the certificate chain for the corresponding public key.
For example, if application server itself needs to provide SSL connections, the private key and SSL certificate should be saved in this keystore.
- Trust KeyStore: contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties. If the application needs to connect to remote SSL server, the certificate from the remote server should be saved in this keystore.
Although one keystore can be used for both identity and trust, it is recommended using separate keystores for identity and trust because the identity keystore (private key/digital certificate pairs) and the trust keystore (trusted CA certificates) may have different security requirements. For example:
- For trust, you only need the certificates (non-sensitive data) in the keystore. However, for identity, you add the certificate and the private key (sensitive data) in the keystore.
- The identity keystore may be prohibited by company policy from ever being put on the corporate network, while the trust keystore can be distributed over the network.
- The identity keystore may be protected by the operating system for both reading and writing by non-authorized users, while the trust keystore only needs to be write protected.
- The identity keystore password is generally known to fewer people than the password for the trust keystore.
In general, systems within a domain have the same trust rules — they use the same set of trusted CAs — but they tend to have per-server identity. Identity requires a private key, and private keys should not be copied from one system to another. Therefore, you should maintain separate identity keystores for each system, each keystore containing only the server identity needed for that system. However, trust keystores can be copied from system to system, thus making it easier to standardize trust conventions.
Common keytool Commands
#generate keystore and public/private keys
keytool -genkeypair -alias *.manvirbasra.com -keyalg RSA -keysize 2048 -dname “CN=Manvir Singh, OU=Singh, O=Khalsa, L=Toronto, S=Ontario, C=CA” -keystore server.keystore -storepass password123 -keypass password123
#create csr for certificate signing
keytool -certreq -alias *.manvirbasra.com -file cert.csr -keystore server.keystore -ext san=dns:manvirbasra.com
#import root cert to keystore
keytool -importcert -alias root_cert -trustcacerts -file cacert.cer -keystore server.keystore
#import signed cert to keystore
keytool -importcert -alias *.manvirbasra.com -file cert.cer -keystore server.keystore