The importance of secure Web transactions is increasing, not only for online commerce but also for the maintenance of private corporate intranets. However, most users rely on their browsers and Web servers to take care of Web transaction security. Unfortunately, that is not good enough for developers who implement clients and servers themselves.
Comprehensive security protocols and implementations have been added to Java in recent years, but they haven't gained widespread use; most data still travels around networks unencrypted. Programmers may have valid reasons for not encrypting their data, but the main reason is probably too embarrassing for them to admit: encryption is hard. Even though many available systems and libraries are supposed to be relatively easy to use, the terminology is confusing and the systems are very general. Sometimes it seems only an expert could really find this stuff useful.
This article describes how to create a certification authority for Java-based systems. A certification authority is an entity that issues authenticating certificates, enabling an organization to create a system of trust without pre-built software or commercial services. A custom certification authority is ideal for a corporate intranet, especially one built with custom clients and/or servers. You'll learn how to create a certification authority and then use it to sign certificates for a secure Web server. You'll also see how to install trusted certificates into a user's browser, making integration with your secure Web server seamless.
Custom certificates created from scratch are an attractive alternative to certificates from a provider such as VeriSign or Thawte. Creating your own authorization infrastructure is not only more cost-effective than purchasing third-party certificates in many cases, but you also might put more trust in security that you set up and control yourself. You could even consider selling your certification authority services.
You can install certificates in any Web server that supports the HTTPS protocol. If you don't have access to a server you can configure, you can use a simple test server written in Java (see the accompanying instructions). This test server will be easier to work with because the certificates you'll be generating are in the right format for Java software to read. The same might not be true for another secure Web server.