SSL Cheatsheet.md

SSL

1. 1-way SSL (a.k.a. Server Authentication)
   1. Client confirms the server’s identity via the server’s provided certificate by verifying it with a CA (Certificate Authority).
   2. Then the Public Key contained in the received certificate is used along the Session Key to encrypt all sent/received messages.
2. 2-way SSL (a.k.a. Client Authentication, Mutual Authentication)
   1. Server and Client confirm the other’s identity after each share their own public certificate by verifying it with a CA.
   2. Then the Public Key contained in the received certificate is used along the Session Key to encrypt all sent messages.

Keystore

• An encrypted (using the keystore password) file where its private key and identity certificates are stored.
• A keystore is a set of entries. Each entry is identified by an alias and composed of a key and a certificate that form a trust chain.
• Contains own public and private keys and signed identity certificates.
• Keystore file: keystore.jks, contains the Application Server’s certificate, including its private key.
• Keystore is needed when you are setting up the server side on SSL.
• javax.net.ssl.keyStore is used to specify Keystore.

Truststore

• A file where trusted foreign entities’ CA Certificates (which include their public keys) are stored.
• Contains Public Certificates of trusted CAs (Intermediate and Root).
• Truststore file: cacerts.jks, contains the Application Server’s trusted certificates, including public keys for other entities.
• Server will authenticate the client against the certificate stored on the server’s Truststore.
• Truststore setup is required for the successful connection at the client side.
• javax.net.ssl.trustStore is used to specify Truststore.

SSL Components

1. My own SSL Certificates
   1. Domain Certificate: the certificate of the local application
   2. DigiCert Intermediate (Issuer, Signer) Certificate
   3. Root CA (Certificate Authority) Certificate
2. SSL CA Certificates: public certificates of client applications whose messages we need to decrypt.
3. Private Key: my RSA private key to unencrypt messages decrypted using my public key.

Note:

• A Digital Certificate usually contains:
  • Encrypted information using owner’s Private Key
    • Certificate owner’s identity (name, etc.)
    • Certificate owner’s Public Key and expiration date
    • Certificate Issuer’s name (Certificate Authority)
  • Certificate Issuer’s Digital Signature
• CA Certificates (which includes public keys, received certificates by those who want us to understand their messages) are certificates issued by Certificate Authorities (CAs), like Verisign, GoDaddy, or may be even self-signed.
• The Session Key is passed to the other machine after being encrypted with the public key of the received and verified certificate.
• Java Keytool is a key and certificate management tool that is used to manipulate Java Keystores.
• If you would like to obtain a CA-signed (or self-signed) SSL certificate, you must generate a Certificate Signing Request (CSR) to then send it to a CA (or self-sign it). A CSR consists mainly of the Public Key of a key pair, and some additional information you fill out. Both of these components are inserted into the certificate when it is signed.
• The default SSL port is 443

When a client’s browser connects to an HTTPS (Http Secure Socket Layer) page:

1. Client’s browser sends a request to https://www.google.com
2. Google server sends its Public Key with its SSL Certificate (which is digitally signed by a CA) to client.
3. Client’s browser will check that the issuer’s Digital Signature in the SSL Certificate is valid.
4. Client’s browser creates a Symmetric Key (shared secret), keeps a copy and then, to send the Symmetric Key to the web server, it does the following:
   1. Uses the web server’s Public Key to encrypt the secret.
   2. Sends the encrypted secret to the web server.
5. The web server, after receiving the encrypted Symmetric Key, uses its Private Key to decrypt it.
6. All following traffic will be encrypted and decrypted using the shared Symmetric Key.

Trust Models The higher layers issue lower layers’ Digital Certificates and also verify them.

1. Hierarchical Trust Model
   • There is only a few Root CAs, which sign Digital Certificates.
   • The Root CAs sign Digital Certificates with their own single Private Key.
   • The Root CAs publish a self-signed certificate signed by themselves.
   • If CA’s Private Key is compromised, all Digital Certificates signed by it become worthless.
2. Distributed Trust Model (Chain of Trust, the basis of most internet certificates)
   • There is only a few Root CAs, but multiple Intermediate (issuer, Signer) CAs, which get their Digital Certificates signed by the Root CAs.
   • The workload of signing and verifying Digital Certificates is distributed.

Keystore and Truststore file types

• JKS (usually with extensions .jks or .keystore)
  • Java’s default until Java 8
  • Most common for Java, since it’s Java-specific.
  • It can store private keys and certificates, but it cannot be used to store secret keys.
• PKCS12 (usually with extension .p12 or .pfx)
  • It isn't Java-specific, but it’s the default since Java 9.
  • It can store private keys, secret keys and certificates.
  • Particularly convenient to use certificates (with private keys) backed up from a browser or coming from OpenSSL-based tools.
• PKCS11
  • This is a hardware keystore type.
  • It servers an interface for the Java library to connect with hardware keystore devices such as Luna, nCipher. 
• JCEKS, JCE (extension .jceks)
  • The entries which can be put in the JCEKS keystore are private keys, secret keys and certificates.

Check a private key

• openssl rsa -check -in private.key Check a Certificate Signing Request (CSR)
• openssl req -text -noout -verify -in my_request.csr Check a certificate (to check multiple simultaneously, use keytool)
• openssl x509 -text -noout -in new_postman.crt

Generate a CSR and a Private Key

• openssl req -sha256 -newkey rsa:2048 -nodes -keyout private.key -out new_postman.csr Generate a CSR from an Existing Private Key
• openssl req -sha256 -key private.key -new -out new_postman.csr Generate a CSR from an Existing Certificate and Private Key
• openssl x509 -sha256 -in bak/postman.crt -signkey private.key -x509toreq -out new_postman.csr

Generate a Self-Signed SSL Certificate

• openssl req -sha256 -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out new_postman.crt Generate a Self-Signed SSL Certificate from an existing Private Key
• openssl req -sha256 -key domain.key -new -x509 -days 365 -out new_postman.crt Generate a Self-Signed SSL Certificate from an existing Private Key and CSR
• openssl req -sha256 -x509 -key private.key -in new_postman.csr -days 365 -out new_postman.crt

Generate a Public Key from a Private Key

• openssl rsa -in private.key -pubout -out public.key

Decrypt a Private Key

• openssl rsa -in private.key > decrypted.key Reencrypt with a password a decrypted Private Key
• openssl rsa -des3 -in decrypted.key -out reencrypted.key

JKS (Java Keystore/Truststore) Management Check the store

• keytool -list -v -keystore keystore.jks
• keytool -list -v -alias postman -keystore keystore.jks Delete an entry from the store
• keytool -delete -alias postman -keystore postman.jks Check one or more certificates
• keytool -printcert -file new_postman.crt
• keytool -printcert -file e1_rt-inquiry.cacerts | grep -A 2 'Certificate[' Add a trustedCertEntry to the store
• keytool -import -trustcacerts -alias postman -file new_postman.crt -keystore postman.jks Add a PrivateKeyEntry to the store
  1. openssl pkcs12 -export -name postman -inkey private.key -in new_e1_e2/new_postman.crt -out new-PKCS-12.p12
  2. openssl pkcs12 -info -in new-PKCS-12.p12
  3. keytool -importkeystore -srckeystore new-PKCS-12.p12 -srcstoretype PKCS12 -destkeystore postman.jks