Set Up a Certification Authority for Java-based Systems : Page 3

A certification authority can provide authenticating certificates, which enable secure Web transactions in a system of trust that doesn't require any pre-built software or commercial services.


Alice needs to get herself a signed certificate. The first thing she needs to do is generate a public/private key pair for herself—the first step when using public-key cryptography. If she already has these keys, she can skip this step. Otherwise, she runs this command, using keytool from the JDK:

keytool -genkey -alias userkey -keystore user.keystore -keyalg rsa \
    -dname "CN=localhost, OU=Online Division, O=Alice Inc, L=Los Angeles, S=California, C=US" \
    -storepass userpass -keypass userpass

This command generates a key pair and stores it in the file user.keystore, which is locked with the password userpass. It also records information about Alice (her organization, city, and state). Note also that it specifies localhost as the hostname. In a real situation, the hostname would be something like alice.com, but since you're going to run your server locally, you need to use your local hostname. For the value of CN, use the name of the machine on which the Web server is running; a client checks this name against the hostname it connected to.

Now that Alice has a key pair, she needs to get her key signed by Celie. To do this, she must generate a Certificate Signing Request (CSR). A CSR is a file that is sent to the certification authority for signing; it contains the public key that needs to be signed, together with Alice's identifying information, in a standard format. The private key never leaves user.keystore.

The following command generates the CSR in a file called user.csr:

keytool -certreq -alias userkey -keystore user.keystore -storepass userpass \
    -keypass userpass -file user.csr

After generating the CSR, Alice must send it to Celie. In addition, Celie is likely to require that Alice verify her identity in a more traditional way. She might require that Alice fill out forms, provide photocopies of identification, or even call her on the phone and answer identifying questions. The exact details of this process are up to Celie.

Celie Signs Alice's Certificate
Celie has just received a CSR from Alice. She has reviewed the forms that Alice sent by snail mail and even talked with her over the phone. She's convinced Alice is who she says she is, so she decides to sign Alice's certificate. She does this with the following command:

openssl ca -in user.csr -out user.crt -notext -passin pass:capass

This command places the signed certificate in the file user.crt. Before signing, the command prints out information about the request and asks Celie if she wants to go ahead and sign it. Actually, it asks twice to be safe:

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Celie sends this certificate to Alice. She also sends Alice her self-signed certificate (in the file cacert.pem), because Alice is going to need it. Note that Celie's private key is password-protected. Again, you can specify the password on the command line (as -passin does above), or you can have the program prompt for it.

Alice Imports the Certificates
Alice now has the signed certificate (in the file user.crt) and Celie's self-signed certificate (in cacert.pem). She first must import Celie's self-signed certificate into her keystore user.keystore:

keytool -import -alias cacert -file cacert.crt \
    -keystore user.keystore -storepass userpass

First, keytool prints the certificate's details, including its fingerprints, and asks for confirmation before trusting it:

keytool -import -alias cacert -file cacert.crt -keystore user.keystore -storepass userpass
Owner: EMAILADDRESS=celie@celie.com, CN=Celie, OU=Authentication Department, O=Celies Security Services, L=New York City, ST=New York, C=US
Issuer: EMAILADDRESS=celie@celie.com, CN=Celie, OU=Authentication Department, O=Celies Security Services, L=New York City, ST=New York, C=US
Serial number: 0
Valid from: Wed Oct 30 17:23:08 EST 2002 until: Fri Nov 29 17:23:08 EST 2002
Certificate fingerprints:
    MD5:  55:FA:3A:DC:1C:32:53:28:A2:A5:5A:96:C3:77:02:E4
    SHA1: B6:E2:0E:7B:A6:AC:9E:49:E5:1B:78:41:BC:C3:2D:FC:8E:36:8B:4A
Trust this certificate? [no]: yes
Certificate was added to keystore

Then, she can import her own certificate (the one Celie signed for her):

keytool -import -file user.crt -keystore user.keystore \
    -storepass userpass -alias userkey

Alice is now equipped with the required certificates. She should configure her Web server to use user.keystore as its certificate repository. If the server requires the keys in a different format, she should convert user.keystore to that format.
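The import steps above only tell Alice that "Certificate was added to keystore"; they do not show her whether the userkey entry now carries a certificate chain that actually validates up to Celie. The following program is an added example (not code from the article or from THTTPSD) that loads user.keystore, takes Celie's certificate from the cacert entry as the only trust anchor, and runs a PKIX validation of Alice's chain. It assumes the file names, aliases (userkey, cacert) and password (userpass) used on this page; the class name CheckAliceChain is my own. It uses only the JDK's java.security classes.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Added example (hypothetical class name): checks that Alice's keystore entry
// chains to Celie's CA certificate. Usage: java CheckAliceChain [user.keystore]
public class CheckAliceChain {

    public static void main(String[] args) throws Exception {
        String keystoreFile = args.length > 0 ? args[0] : "user.keystore";
        char[] storePass = "userpass".toCharArray();   // password from the keytool -genkey step

        // "JKS" is the format keytool wrote for this article; newer JDKs also
        // open a PKCS12 file under this type in compatibility mode.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, storePass);
        }

        // Celie's self-signed certificate, imported under alias "cacert",
        // is the only certificate Alice trusts as a root.
        X509Certificate caCert = (X509Certificate) ks.getCertificate("cacert");
        if (caCert == null) {
            fail("no 'cacert' entry: import Celie's certificate first");
        }
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(caCert, null));

        // After 'keytool -import ... -alias userkey', keytool replaces Alice's
        // self-signed certificate with the chain [Alice, Celie]. If the import
        // was skipped, the chain still holds only the self-signed certificate.
        Certificate[] chain = ks.getCertificateChain("userkey");
        if (chain == null) {
            fail("no 'userkey' key entry in " + keystoreFile);
        }
        System.out.println("Certificate chain length for userkey: " + chain.length);

        // PKIX validation takes the path *below* the trust anchor, so drop
        // Celie's own certificate if keytool appended it to the chain.
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            if (!x.equals(caCert)) {
                path.add(x);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);  // Celie publishes no CRL in this setup

        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(certPath, params);
            System.out.println("Leaf subject : " + path.get(0).getSubjectX500Principal());
            System.out.println("Validates to : "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Typical causes: user.crt was never imported (chain is still Alice's
            // self-signed certificate, which does not chain to Celie), or either
            // certificate is outside its validity period.
            fail("chain does not validate against cacert: " + e.getMessage());
        }
    }

    private static void fail(String message) {
        System.err.println("FAIL: " + message);
        System.exit(1);
    }
}
```

Compile and run it in the directory holding user.keystore with javac CheckAliceChain.java && java CheckAliceChain. A chain length of 2 and a "Validates to" line naming Celie means the two imports worked in the right order; a chain length of 1 means the signed user.crt was never imported over the self-signed entry. Note that this validates the chain only; the CN=localhost hostname check is done separately by the TLS client when it connects.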

If you are using THTTPSD (see the instructions for installing and running THTTPSD), you can configure it to use user.keystore by editing the thttpsd.cfg file. Set the keyfile parameter to point to user.keystore. The thttpsd.cfg file also holds the keystore password (userpass), which should be given as the passphrase configuration variable. (Listing 1 includes the source code for THTTPSD, and Listing 2 shows the sample configuration file.)

Alice is now ready to start her server. If you're using THTTPSD, you can start it like this:
