I am new to certificates and keystores.

What are the importance and workings of keystores and certificates for SAML SSO (in the context of Spring Boot SAML SSO)?

I see .jks, .pem, .cer, .der, etc. in use. What are these?

Peter Mortensen
Guru

1 Answer

What are the importance and workings of KeyStore and certificates for SAML SSO (in the context of Spring Boot SAML SSO)?

  • These are used, for security reasons, to sign SAML assertions and SAML protocol requests and responses.
  • Certificates in SAML SSO are used to digitally sign the SAML assertion/request/response, and the KeyStore is the persistent storage for the keys/certificates.
  • An assertion signed by the asserting party supports assertion integrity, authentication of the asserting party to a SAML relying party, and, if the signature is based on the SAML authority's public-private key pair, non-repudiation of origin.
  • A SAML protocol request or response message signed by the message originator supports message integrity, authentication of message origin to a destination, and, if the signature is based on the originator's public-private key pair, non-repudiation of origin.
  • Certificates are also used for secure channel establishment (SSL/TLS).

What are the .jks, .pem, .cer, .der, etc.?

  • .jks is the extension for Java's proprietary KeyStore (JKS) format. JKS is the database format for both the private key and the associated certificate or certificate chain. Up to Java 8, by default, as specified in the java.security file, keytool uses JKS as the format of the key and certificate databases (KeyStore and TrustStore). Since Java 9 the default KeyStore format has been changed to PKCS12 (extension .pkcs).

.pem, .cer, .der are the certificate/key types/extensions:

  • .PEM : The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “-----BEGIN …” line.
  • .DER : The DER extension is used for binary DER-encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER-encoded certificate”, not “I have a DER certificate”.
  • .CRT : The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
  • .CER : Alternate form of .crt (Microsoft convention). You can use MS tools to convert .crt to .cer (both DER-encoded .cer and Base64 [PEM] encoded .cer). The .cer file extension is also recognized by IE as a command to run a MS CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY : The KEY extension is used for both public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
Kishor Jadhav
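As an added example (not part of the answer above), the following Python shows the relationship the answer describes between .pem and .der/.cer files: PEM is Base64 text armor around the very same DER bytes, so a loader should sniff the content rather than trust the extension. SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE standing in for a real certificate body; it is not a real certificate.

```python
import base64
import re
# One PEM block: "-----BEGIN <label>-----", Base64 body, matching END line.
PEM_RE = re.compile(rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
                    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")

def der_length(buf: bytes, offset: int) -> tuple:
    """Decode the DER length field at offset; return (length, size of the field)."""
    first = buf[offset]
    if first < 0x80:                      # short form: one byte
        return first, 1
    n = first & 0x7F                      # long form: n following big-endian bytes
    if n == 0 or n > 4 or offset + 1 + n > len(buf):
        raise ValueError("invalid or indefinite DER length")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), 1 + n

def looks_like_der(buf: bytes) -> bool:
    """Certs, PKCS#8 keys and PKCS#12 files start with a SEQUENCE (0x30) spanning the whole file."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    try:
        length, consumed = der_length(buf, 1)
    except ValueError:
        return False
    return 1 + consumed + length == len(buf)

def sniff(buf: bytes) -> str:
    """Classify file content as PEM, DER or unknown, regardless of its extension."""
    if buf.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    return "DER" if looks_like_der(buf) else "unknown"

def pem_to_der(pem: bytes) -> tuple:
    """Strip the armor: the PEM body Base64-decodes to the same DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    body = b"".join(m.group("body").split())
    return m.group("label").decode(), base64.b64decode(body, validate=True)

def der_to_pem(der: bytes, label: str) -> bytes:
    """Add the armor: Base64 in 64-column lines between BEGIN/END markers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head, tail = f"-----BEGIN {label}-----".encode(), f"-----END {label}-----".encode()
    return b"\n".join([head, *lines, tail]) + b"\n"

# Constructed stand-in for a certificate body: SEQUENCE { INTEGER 1, OCTET STRING ab }.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x04, 0x01, 0xAB])
```

keytool -importcert accepts either encoding for this reason; a JKS or PKCS12 keystore is a separate container format that this example does not cover.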