How to create and work with certificates using openssl and keytool.
11-Feb-2001 | Product & Version: iPortal Application Server | Article ID: 3579.874

How to run a PK infrastructure

The whole PKI starts with a CA, so if you don't have a CA you have to create one.

How to create a CA:

For a simple test lab I suggest creating a self-signed CA using openSSL. The -x509 option indicates that you are about to create a new, self-signed CA certificate rather than a request:

openssl req -config openssl.cnf -x509 -new -days 365 -out cacert.pem -keyout private\cakey.pem

Don't install your key anywhere other than private\cakey.pem (the location openssl.cnf expects), otherwise you will have to struggle afterwards. The data that you use for "Organization Name" and "Country Code" will have to be the same for all certificates created with this CA.

How to generate a web server certificate (for Apache, Netscape or others):

First generate a Certificate Signing Request (CSR). This has to be done with the server's own tool, mostly right in the server console itself (using an underlying tool).

Example using Sun's keytool:

The best thing is to create a new keystore, e.g. "ServerKeyStore":

C:\ssl\openssl>keytool -genkey -keystore ServerKeyStore -alias WebServer

This creates a new private key for the web server. keytool will ask you for some descriptive data. Be sure to give the same Organization Name and country code as above. Now create the CSR:

C:\ssl\openssl>keytool -certReq -keystore ServerKeyStore -file webServerCSR.pem -alias WebServer

You'll get a webServerCSR.pem, which is your request for a certificate. Create a signed certificate to satisfy this CSR using your CA:

C:\ssl\openssl>openssl ca -config openssl.cnf -in webServerCSR.pem -out webServerCert.pem

You now have a signed server certificate: webServerCert.pem. Go back to the server and install this certificate. The web server needs to know the CA as well, therefore you have to install cacert.pem (the certificate of your CA) into the server's keystore.
Example using Sun's keytool:

keytool only accepts plain X.509 certificates. Therefore you have to edit webServerCert.pem and remove the additional information that openssl ca writes before the certificate (see the keytool summary below). Then you can import the certificate:

C:\ssl\openssl>keytool -import -keystore ServerKeyStore -file webServerCert.pem -alias WebServer

Import the CA (keytool needs the CA certificate in the keystore to establish the trust chain of the certificate reply, so if the previous import is rejected with a chain error, import the CA first and repeat it):

C:\ssl\openssl>keytool -import -keystore ServerKeyStore -file cacert.pem -alias CA

Your web server is now secured and ready for SSL.

How to generate a client certificate:

You start by generating a CSR and a key using openssl:

C:\ssl\openssl>openssl req -config openssl.cnf -new -days 365 -out myUser1CSR.pem -keyout myUser1Key.pem

Now you have to sign that CSR with your CA and you'll get a certificate. Remember you already have a private key from the step before.

C:\ssl\openssl>openssl ca -config openssl.cnf -in myUser1CSR.pem -out myUser1Cert.pem

By now you have everything you need. However, a lot of tools, browsers, etc. prefer to import PKCS12 files instead of .pem and .der files.

How to create a PKCS12:

Your first step is to bring the cacert, usercert and userkey together.

On NT:

type cacert.pem myUser1Cert.pem myUser1Key.pem > myUser1CertPKCS12.pem

On UNIX:

cat cacert.pem myUser1Cert.pem myUser1Key.pem > myUser1CertPKCS12.pem

Now myUser1CertPKCS12.pem contains the CA, the key and the certificate. Your next and last step is to bring this myUser1CertPKCS12.pem into the PKCS12 format:

C:\ssl\openssl>openssl pkcs12 -export -in myUser1CertPKCS12.pem -out myUser1Cert.p12 -name "User1 Client Certificate"

The browser will show this name when choosing one of the installed certificates.

How to use Sun's keytool and keystore (Java 1.2, summary):

1. KeyStore

First generate the keystore used by the server to authenticate itself:

keytool -genkey -keystore C:\mystores\IonaStage\iPAS -keyalg RSA

This will be your server certificate, shown to the browser when invoking a page or application.
It can be set when starting the server as follows:

java -Djavax.net.ssl.keyStore=C:\mystores\IonaStage\iPAS -Djavax.net.ssl.keyStorePassword=keypassword

Further certificates can be created by issuing:

keytool -genkey -keystore C:\mystores\IonaStage\iPAS -keyalg RSA -alias Certificate2

2. TrustStore

To enable your server for client authentication you also need a trustStore where you'll be storing all the trusted certificates or CAs. Create your trustStore by importing the CA certificate:

C:\ssl\openssl>keytool -import -trustcacerts -file cacert.pem -keystore C:\mystores\IonaStage\TrustStore

Add the following to your start-up command line (the trust store has its own properties, separate from the keyStore properties above):

-Djavax.net.ssl.trustStore=C:\mystores\IonaStage\TrustStore -Djavax.net.ssl.trustStorePassword=trustpassword

Further certificates can be created or added by issuing the following command:

C:\ssl\openssl>keytool -import -trustcacerts -file anotherca.pem -alias anotherca -keystore C:\mystores\IonaStage\TrustStore

Generate a Certificate Signing Request (CSR) using Sun's keytool

To generate a CSR enter:

C:\ssl\openssl>keytool -certreq -keystore C:\mystores\IonaStage\iPAS -alias Server2 -file myServer2CertCSR.pem

Now you have a key and an unsigned certificate in the keytool directory (e.g. C:\jdk1.3\bin). Take the CSR to your openssl directory and sign it with your openssl CA:

C:\ssl\openssl>openssl ca -config openssl.cnf -in myServer2CertCSR.pem -out myServer2Cert.pem

What you get is a certificate signed with your CA: myServer2Cert.pem.

Import a signed certificate into a keystore

To re-import the signed certificate, you have to modify the myServer2Cert.pem file, otherwise keytool will have a problem importing it. Copy just the body of the certificate (including the BEGIN and END tags) to the modified file myServer2CertModified.pem.
The certificate has to look like this (the base64 body is omitted here):

-----BEGIN CERTIFICATE-----
(base64-encoded certificate body)
-----END CERTIFICATE-----

Import the file with the following command:

C:\ssl\openssl>keytool -import -alias Server2 -file myServer2CertModified.pem -keystore C:\mystores\IonaStage\iPAS

You should see something like "Certificate reply was installed in keystore".
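Stripping the text dump that openssl ca writes in front of the certificate, so that keytool accepts the file (the step described above under "keytool only accepts plain X.509 certificates" and again under "Copy just the body of the certificate"), as an added example that is not part of the original article. It assumes POSIX sh with sed, grep, awk and mktemp; the function names and the sample input are constructed for this example, and openssl is only needed for the optional verify step.

```shell
# Added example, not from the original article: keep only the PEM block of a
# certificate signed by "openssl ca" (the text dump it prepends is what keytool
# rejects) and check the result against the CA. File names follow the article;
# the functions and the sample below are constructed, not a real certificate.
set -eu

# Print only the lines from the BEGIN to the END marker of the file in $1.
# CR characters are dropped first so files written on NT are handled too.
pem_cert_block() {
    tr -d '\r' < "$1" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Number of certificate blocks in $1; keytool -import wants exactly one.
pem_cert_count() {
    tr -d '\r' < "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Write the cleaned certificate from $1 to $2, refusing zero or several blocks.
clean_cert_for_keytool() {
    pem_cert_block "$1" > "$2"
    [ "$(pem_cert_count "$2")" -eq 1 ] ||
        { echo "expected exactly one certificate in $1" >&2; return 1; }
}

# Before installing a server certificate, confirm it was signed by our CA
# ($1 = cacert.pem, $2 = cleaned certificate). Skipped if openssl is absent.
verify_against_ca() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    openssl verify -CAfile "$1" "$2"
}

# Constructed stand-in for "openssl ca" output: text dump, then the PEM block
# (placeholder base64 body, not a real certificate).
make_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Issuer: C=IE, O=Example CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlRJRklDQVRF
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed sample. For real files:
#   clean_cert_for_keytool webServerCert.pem webServerCertModified.pem
#   verify_against_ca cacert.pem webServerCertModified.pem
work=$(mktemp -d)
make_sample "$work/webServerCert.pem"
clean_cert_for_keytool "$work/webServerCert.pem" "$work/webServerCertModified.pem"
echo "cleaned: $(wc -l < "$work/webServerCertModified.pem" | tr -d ' ') lines"
```

The cleaned file can then be passed to keytool -import as shown above; the same extraction applies to myServer2Cert.pem in the keytool summary.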