Saturday, March 11, 2017

How to add a certificate as a trusted certificate to a Java KeyStore (JKS file)?

1. What is Asymmetric Cryptography?


Asymmetric cryptography is used for secure communication. Its main parts are a public key and a private key, generated together as a key pair: the public key can be shared freely, while the private key must never leave its owner.

2. How does it work?


For example, say server A wants to securely send a message to server B. Server B first generates a public/private key pair and shares the public key with server A. Server A then encrypts the message using server B's public key. The special property of encrypting with server B's public key is that the ciphertext can only be decrypted with server B's private key. When server B receives the message, it uses its private key to decrypt it. The same key pair works the other way round for signatures: server B signs with its private key, and anyone holding its public key (for example through its certificate) can verify the signature, which is what the trust relationship set up in the steps below relies on.

Refer to [1] to learn more about how asymmetric (public key) encryption works.

3. What is a Java KeyStore?


As the above example shows, the private key must be stored very securely. You can think of the KeyStore as a safe in which you store your keys and certificates. The keystore as a whole is protected by a keystore password (for a JKS file this password protects the integrity of the file, not the secrecy of the certificates in it), and each private key entry is additionally protected by its own key password. JKS is Java's legacy proprietary format; since Java 9, keytool creates PKCS12 keystores by default and warns whenever it reads or writes a JKS file. The steps below work the same way for either type.

4. How to add a certificate as a trusted certificate to a Java KeyStore?


Let's take the above example:

Step 01


Server B generates a key pair under the alias 'serverb' and stores it in a new keystore named 'serverbkeystore.jks'.

keytool command [2]

keytool -genkey -alias serverb -keystore serverbkeystore.jks 

Because no -keyalg, -keysize or -validity is given, keytool falls back to its defaults: here a DSA key with a SHA1withDSA self-signature and a 90-day validity, which is exactly what the listing in Step 02 shows. For anything beyond a quick test, pass -keyalg RSA -keysize 2048 (or -keyalg EC) and an explicit -validity in days. -genkey is the old name of -genkeypair; both work.

Output


Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  serverb.com
What is the name of your organizational unit?
  [Unknown]:  qa
What is the name of your organization?
  [Unknown]:  wso2
What is the name of your City or Locality?
  [Unknown]:  colombo
What is the name of your State or Province?
  [Unknown]:  western
What is the two-letter country code for this unit?
  [Unknown]:  lk
Is CN=serverb.com, OU=qa, O=wso2, L=colombo, ST=western, C=lk correct?
  [no]:  yes

Enter key password for <serverb>
	(RETURN if same as keystore password):

Step 02


List the entries in the keystore.
Notice that the 'Entry type' of the key pair, which includes the private key, is 'PrivateKeyEntry', whereas an entry holding only a public certificate is 'trustedCertEntry'. Take note of the SHA256 fingerprint of the 'serverb' certificate; you will compare it against the fingerprint keytool shows when importing in Step 04.

keytool command


keytool -list -v -keystore serverbkeystore.jks


Output

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: verisignclass3g3ca
Creation date: Mar 11, 2017
Entry type: trustedCertEntry

Owner: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 9b7e0649a33e62b9d5ee90487129ef57
Valid from: Fri Oct 01 06:00:00 IST 1999 until: Thu Jul 17 05:29:59 IST 2036
Certificate fingerprints:
MD5:  CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
SHA1: 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
SHA256: EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44
Signature algorithm name: SHA1withRSA
Version: 1


*******************************************
*******************************************


Alias name: serverb
Creation date: Mar 11, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=serverb.com, OU=qa, O=wso2, L=colombo, ST=western, C=lk
Issuer: CN=serverb.com, OU=qa, O=wso2, L=colombo, ST=western, C=lk
Serial number: 3f06ea7a
Valid from: Sat Mar 11 20:59:07 IST 2017 until: Fri Jun 09 20:59:07 IST 2017
Certificate fingerprints:
MD5:  29:63:1F:2F:83:19:5B:D3:CF:65:45:15:63:3E:26:B6
SHA1: 94:C8:F2:28:AB:71:D7:2E:9F:7A:9C:90:9E:51:B2:C9:19:FC:C9:AE
SHA256: 3A:0E:F5:C0:A7:10:0F:19:47:95:29:C3:0A:9B:A8:39:56:74:9C:26:0B:A6:F6:63:74:CA:CB:FE:D4:32:3E:D8
Signature algorithm name: SHA1withDSA
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2C F1 24 27 05 A5 AB 16   3A 33 CC 3F E4 CF EC 1E  ,.$'....:3.?....
0010: 63 35 74 CF                                        c5t.
]
]


*******************************************
*******************************************

Step 03


Export server B's certificate to a file so that it can be imported into the keystore of server A. Only the certificate (the public key plus the identity it was issued to, self-signed here) is written to the file; the private key never leaves serverbkeystore.jks.
Note: when exporting, use the alias of the private key entry whose certificate you want. When importing, you can use any alias of your choice. By default the file is written in binary DER form; add -rfc if you want printable PEM (Base64) output instead.

keytool command

keytool -export -keystore serverbkeystore.jks -alias serverb -file serverb.cert

Output

A file named 'serverb.cert' containing the certificate should be created.

Step 04


Import the certificate into the keystore of server A as a trusted certificate entry. If serverakeystore.jks does not exist yet, keytool creates it and prompts for a new keystore password.

keytool command

keytool -import -keystore serverakeystore.jks -alias serverb.com -file serverb.cert


Output


keytool prints the certificate's owner, issuer, validity period and fingerprints and asks "Trust this certificate? [no]:". Before answering yes, compare the SHA256 fingerprint it shows with the one from keytool -list on server B (Step 02), obtained over a channel the certificate file itself did not travel through; that comparison is the only thing that establishes that the certificate you are about to trust really belongs to server B. "Certificate was added to keystore" is printed if the certificate was added successfully. You can also list the entries in server A's keystore to verify: the new entry appears as a trustedCertEntry under the alias serverb.com.
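The file-level view of Steps 01 to 04, as an added example that is not part of the original post: a minimal reader and writer for the version-2 JKS container, in Python, so you can see what keytool -list is reporting and what the keystore password from section 3 actually protects. It builds server B's keystore with a PrivateKeyEntry, exports the certificate bytes, stores them in server A's keystore as a trustedCertEntry, and compares the SHA-256 fingerprints the way you should before trusting an imported certificate. It also verifies the keyed SHA-1 integrity digest that a JKS file ends with, rejecting a wrong password or a modified file. The certificate and key bytes, the password 'changeit' and the write_jks/read_jks/demo names are constructed for this example; real keytool stores DER-encoded X.509 certificates and a PKCS#8 EncryptedPrivateKeyInfo, which this code neither parses nor encrypts.

```python
"""Minimal reader/writer for the legacy (version-2) JKS container keytool uses.
Added example, not code from the original post. Certificate and key bytes are
CONSTRUCTED placeholders, not real DER; private keys are carried as opaque bytes."""
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_ENTRY = 1    # listed by keytool as 'PrivateKeyEntry'
TRUSTED_CERT_ENTRY = 2   # listed by keytool as 'trustedCertEntry'
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its digest


def _utf(s: str) -> bytes:
    """DataOutputStream.writeUTF: 2-byte big-endian length, then (modified) UTF-8."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (as UTF-16BE) || 'Mighty Aphrodite' || every byte of the body.
    This is all the keystore password protects in a JKS file: integrity, not secrecy."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def write_jks(entries, password: str, created_ms=None) -> bytes:
    """entries: dicts with alias, type, cert (and key for PRIVATE_KEY_ENTRY)."""
    created_ms = int(time.time() * 1000) if created_ms is None else created_ms
    body = struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(entries))
    for e in entries:
        body += struct.pack(">i", e["type"]) + _utf(e["alias"]) + struct.pack(">q", created_ms)
        if e["type"] == PRIVATE_KEY_ENTRY:
            # keytool writes the key encrypted under the *key* password; here: opaque bytes.
            body += struct.pack(">i", len(e["key"])) + e["key"]
            body += struct.pack(">i", 1)  # chain length 1: self-signed, as in the post
        body += _utf("X.509") + struct.pack(">i", len(e["cert"])) + e["cert"]
    return body + _integrity_digest(password, body)


def read_jks(data: bytes, password: str):
    """Verify the integrity digest, then parse the entries. Raises ValueError on failure."""
    body, digest = data[:-20], data[-20:]
    if _integrity_digest(password, body) != digest:
        raise ValueError("Keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">IIi", body, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    pos, entries = 12, []
    for _ in range(count):
        tag = struct.unpack_from(">i", body, pos)[0]; pos += 4
        n = struct.unpack_from(">H", body, pos)[0]; pos += 2
        alias = body[pos:pos + n].decode("utf-8"); pos += n
        pos += 8  # creation date (ms since epoch), not needed here
        entry = {"alias": alias, "type": tag}
        if tag == PRIVATE_KEY_ENTRY:
            klen = struct.unpack_from(">i", body, pos)[0]; pos += 4
            entry["key"] = body[pos:pos + klen]; pos += klen
            chain_len = struct.unpack_from(">i", body, pos)[0]; pos += 4
        else:
            chain_len = 1  # a trusted certificate entry holds exactly one certificate
        certs = []
        for _ in range(chain_len):
            n = struct.unpack_from(">H", body, pos)[0]; pos += 2 + n  # skip type "X.509"
            clen = struct.unpack_from(">i", body, pos)[0]; pos += 4
            certs.append(body[pos:pos + clen]); pos += clen
        entry["cert"] = certs[0]
        entries.append(entry)
    return entries


def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:... form keytool -list -v prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert).digest())


def demo():
    """Steps 01-04 of the post, on constructed data."""
    serverb_cert = b"CONSTRUCTED-CERT-CN=serverb.com"   # stands in for a DER certificate
    serverb_key = b"CONSTRUCTED-ENCRYPTED-PRIVATE-KEY"  # stands in for EncryptedPrivateKeyInfo
    # Step 01: server B's keystore holds its key pair as a PrivateKeyEntry.
    serverb_ks = write_jks([{"alias": "serverb", "type": PRIVATE_KEY_ENTRY,
                             "key": serverb_key, "cert": serverb_cert}], "changeit")
    # Step 03: export only the certificate; the private key never leaves serverb_ks.
    exported = next(e["cert"] for e in read_jks(serverb_ks, "changeit") if e["alias"] == "serverb")
    # Step 04: server A stores it as a trustedCertEntry under an alias of its own choosing.
    servera_ks = write_jks([{"alias": "serverb.com", "type": TRUSTED_CERT_ENTRY,
                             "cert": exported}], "changeit")
    a_entry = read_jks(servera_ks, "changeit")[0]
    # The check from Step 04: A's stored fingerprint must equal the one B's keystore shows.
    return {"a_alias": a_entry["alias"], "a_type": a_entry["type"],
            "fingerprints_match": fingerprint(a_entry["cert"]) == fingerprint(serverb_cert)}


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the result of demo(). The point to take from the integrity check is that the keystore password of a JKS file gives tamper detection for the whole file but no confidentiality for the certificates in it; only the private key entries are encrypted, under their own key password.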

References
