11

We have JAVA server and client communicate over network using SSL. The server and client mutually authenticate each other using certificates. The keystore type used by server and client is JKS. The keystore and truststore file names for the server and client are: server.keystore, server.truststore, client.keystore, and client.truststore.

I am using Self-Signed certificates for testing only.

Questions:

Q1. I would like to know why I need to add server’s and client’s own certificates into their respective truststores, in step 6.

Q2. Can I reduce the number steps to achieve the same thing? If yes, then how?

Steps to create RSA key, self-signed certificates, keystore, and truststore for a server

1. Generate a private RSA key

openssl genrsa -out diagserverCA.key 2048

2. Create a x509 certificate

openssl req -x509 -new -nodes -key diagserverCA.key -sha256 -days 1024 -out diagserverCA.pem

3. Create a PKCS12 keystore from private key and public certificate.

openssl pkcs12 -export -name server-cert -in diagserverCA.pem -inkey diagserverCA.key -out serverkeystore.p12

4. Convert PKCS12 keystore into a JKS keystore

keytool -importkeystore -destkeystore server.keystore -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert

5. Import a client's certificate to the server's trust store.

keytool -import -alias client-cert -file diagclientCA.pem -keystore server.truststore

6. Import a server's certificate to the server's trust store.

keytool -import -alias server-cert -file diagserverCA.pem -keystore server.truststore

Steps to create RSA private key, self-signed certificate, keystore, and truststore for a client

1. Generate a private key

openssl genrsa -out diagclientCA.key 2048

2. Create a x509 certificate

openssl req -x509 -new -nodes -key diagclientCA.key -sha256 -days 1024 -out diagclientCA.pem

3. Create PKCS12 keystore from private key and public certificate.

openssl pkcs12 -export -name client-cert -in diagclientCA.pem -inkey diagclientCA.key -out clientkeystore.p12

4. Convert a PKCS12 keystore into a JKS keystore

keytool -importkeystore -destkeystore client.keystore -srckeystore clientkeystore.p12 -srcstoretype pkcs12 -alias client-cert

5. Import a server's certificate to the client's trust store.

keytool -import -alias server-cert -file diagserverCA.pem -keystore client.truststore

6. Import a client's certificate to the client's trust store.

keytool -import -alias client-cert -file diagclientCA.pem -keystore client.truststore

Community
  • 1
  • 1
vic99
  • 131
  • 1
  • 1
  • 4
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Feb 22 '17 at 19:41
  • 2
    Also see [Keytool create a trusted self signed certificate](http://stackoverflow.com/q/2200176/608639). – jww Feb 23 '17 at 17:31

2 Answers2

3

Q1. I would like to know why I need to add server’s and client’s own certificates into their respective truststores, in step 6.

You don't. You add the server and client certificates into each other's truststores. The server and client have no need to trust their own certicifates, but they do need to trust each other's.

Q2. Can I reduce the number steps to achieve the same thing? If yes, then how?

You can do the entire thing with the keytool. Plenty of documented examples. You don't need to use openssl at all.

Critique:

  • In the first part, steps 5 and 6 are both wrong. There should be one step: exporting the server's certificate to the client's truststore.
  • Similarly, in the second part, steps 5 and 6 are again wrong, and again there should be only step: exporting the client's certificate to the server's keystore.
  • In other words, the two step 5s should be interchanged, and the two step 6s deleted.

You will find correct instructions for doing the lot in the JSSE Reference Guide in the JDK documentation. About three steps each. But all it really goes to show is that self-signed certificates really aren't worth the paper they're printed on. Get CA-signed certificates. Much more value and much easier to deploy (no export step).

Where did you get this rubbish?

user207421
  • 305,947
  • 44
  • 307
  • 483
  • I am using self-signed because it is used in test env. This rubbish I cane up with after searching the internet. I am new to this and still confused about the subject. I will look into keytool solution. I believe that none of listed steps ever signed the certificates. – vic99 Feb 26 '17 at 04:50
  • @vic99 I asked you where you came up with it, and 'the Internet' is not a sufficient answer. Please provide a proper citation. Step 2 creates a self-signed certificate. However the subsequent steps don't deal with it correctly. – user207421 Feb 26 '17 at 09:22
  • Please explain to me what part of step 2 is taking care of signing a certificate. – vic99 Feb 26 '17 at 16:38
  • The [`-x509`](https://www.openssl.org/docs/manmaster/man1/req.html) part does that. – user207421 Feb 26 '17 at 23:09
  • FWIW OP could save another step by replacing `openssl genrsa -out keyfile 2048; openssl req -new -x509 -key keyfile ...` with `openssl req -new -x509 -newkey rsa:2048 -keyout keyfile -nodes ...` which does both parts. Also it may not really be necessary to convert OpenSSL's P12 to JKS, because Java crypto since at least 2004 can handle P12 fine. That said, I concur using keytool and an actual CA is miles better. – dave_thompson_085 Apr 05 '18 at 11:23
  • This post contains the basics of why security is so f***ed up right now. RSA is a really simple concept. making it this hard to use makes so much harm in securing the world. why do you have to be a security expert to add simple RSA encryption to your communication. – Sobvan May 08 '18 at 08:49
  • @Szobi That may be so but it certainly isn't my fault. Was this your downvote? If so it is difficult to understand. – user207421 May 08 '18 at 09:43
  • Sure, sorry. It is not your fault indeed. The downvote went for not providing a link, just quoting the "JSSE Reference Guide in the JDK" vaguely. But it actually had a lot more to do with my frustration on trying to get a simple gRPC example with self-signed certificates and TLS to work. So sorry for this again. If you edit your answer (in any way) I can remove the downvote. Right now I cannot. And thanks for being so nice in asking the why. I appreciate your much higher level of empathy than mine :) – Sobvan May 08 '18 at 11:41
  • I would also add, that letsencrypt allows you to have free CA signed certificates. I am using that lately. – Sobvan May 24 '18 at 14:22
-1

Q1. I would like to know why I need to add server’s and client’s own certificates into their respective truststores, in step 6.

A1. If you're not using a common Certificate Authority to sign your client and server certificates... adding each to the trust store is the only way. However... even in a test environment, you can create your own certificate authority and use it to sign the Client and Server certificates that you create. Your trust store then would only need to contain the public key for your Certificate Authority.

Q2. Can I reduce the number steps to achieve the same thing? If yes, then how?

A2. Yes, use a common certificate to sign your client and server certificates.

Check out the script in this post for a step-by-step on how to create your own CA and use it to sign Server and Client certs. It also creates your trust store...

Hope this helps.

Best, Ace

AceFunk
  • 684
  • 1
  • 8
  • 14
  • The answer to Q1 is that you don't, and that this betrays a fundamental misunderstanding on the part of the OP, and your own answer to it appears to exhibit the same misunderstanding. – user207421 May 24 '18 at 10:31