@pvlasov
Last active January 24, 2017 20:07
Key points for working with SSL

Certificate generation with the OpenSSL shipped with Apache

Root CA generation

openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Importing certificates

%JAVA_HOME%\bin\keytool -import -alias <my-node> -file <my-node>.cer -keystore <key-store> -storepass <password>
"%JAVA_HOME%\bin\keytool" -import -alias ... -file ....cer -keystore ...
"%JAVA_HOME%\bin\keytool" -import -alias ... -file ....crt -keystore ...
"%JAVA_HOME%\bin\keytool" -import -alias root-ca -file Root-CA.pem -keystore ....jks

Key generation, export, certificate request, import

%JAVA_HOME%\bin\keytool -genkey -alias <alias> -keyalg RSA -keypass changeit -storepass changeit -keystore my_keystore.jks
"%java_home%\bin\keytool.exe" -export -alias <alias> -storepass changeit -file my.cer -keystore my_keystore.jks
"%java_home%\bin\keytool.exe" -alias <my_alias> -storepass changeit -keystore my_keystore.jks -certreq -keyalg rsa -file my.csr
createCertificate.bat my
"%JAVA_HOME%\bin\keytool" -import -keystore my_keystore.jks -file Root-CA.pem -alias Root-CA
"%JAVA_HOME%\bin\keytool" -import -keystore my_keystore.jks -file my.crt -alias <my_alias>

signCertificate.bat

cd %APACHE2_HOME%\bin
openssl x509 -req -in %CA_LOCATION%\%1.csr -CA %CA_LOCATION%\%CA%.pem -CAkey %CA_LOCATION%\%CA%.key -CAcreateserial -out %CA_LOCATION%\%1.cer -days 1024 -sha256
cd %CA_LOCATION%

createAndSign.bat

REM Creates a key pair in a new .jks file, generates a certificate request, signs it with the CA,
REM and imports the CA certificate and the signed certificate into the keystore.
REM The first argument is the base name for the .jks file and the certificate.
cls
echo === Generating a key and a keystore ===
"%JAVA_HOME%\bin\keytool" -keystore %1.jks -genkey -alias %1
pause

cls
echo === Generating a certificate request ===
"%JAVA_HOME%\bin\keytool" -keystore %1.jks -certreq -alias %1 -keyalg rsa -file %1.csr
pause

cls
echo === Signing the certificate request ===
call signCertificate.bat %1
pause

cls
echo === Import the CA certificate into the keystore ===
"%JAVA_HOME%\bin\keytool" -import -keystore %1.jks -file Innovation-CA.pem -alias InnovationCA 
pause

cls
echo === Import the signed certificate into the keystore ===
"%JAVA_HOME%\bin\keytool" -import -keystore %1.jks -file %1.cer -alias %1

Setting the trust store

The trust store holds the certificates (CA chains) that the JVM trusts when it validates a peer's certificate; it is configured with these system properties:

  • javax.net.ssl.trustStore -> Trust store location
  • javax.net.ssl.trustStorePassword -> Trust store password

Setting the certificate/key store

The key store holds this JVM's own private key and certificate chain, which it presents to the peer during a 2-way (mutual) SSL handshake; it is configured with:

  • javax.net.ssl.keyStore -> Key store
  • javax.net.ssl.keyStorePassword -> Key store password
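The complete flow from the sections above, as an added Go example that is not part of this gist: a root CA is created in memory (the two openssl commands), a key pair and CSR are produced (keytool -genkey / -certreq), the CA validates and signs the request (signCertificate.bat), and a 2-way TLS handshake then runs in-process with each side configured the way javax.net.ssl.keyStore and javax.net.ssl.trustStore configure a JVM: its own certificate and key on one side, the trusted root on the other. Only the Go standard library is used, nothing touches disk, and the names "Example Root CA", "server.example.test" and "client.example.test" are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl under parent with caKey (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRootCA is the in-memory "openssl genrsa" + "openssl req -x509" pair (rootCA.key, rootCA.pem).
func newRootCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(1024 * 24 * time.Hour), // -days 1024
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newCSR is "keytool -genkey" followed by "keytool -certreq": a key pair plus a signing request.
func newCSR(cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return der, key, err
}

// signCSR is signCertificate.bat ("openssl x509 -req -CA ... -CAkey ..."): the CA checks the CSR's
// self-signature (proof the requester holds the key) before issuing; serial stands in for -CAcreateserial.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		DNSNames:  []string{csr.Subject.CommonName}, // peers match SANs, not the CN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(1024 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}, ca, csr.PublicKey, caKey)
}

// mutualTLS runs a 2-way handshake in-process: on each side Certificates is the key store (what it
// presents) and the CA pool is the trust store (what it accepts). Returns the server CN the client saw.
func mutualTLS(root, srv, cli *x509.Certificate, srvKey, cliKey *ecdsa.PrivateKey) (string, error) {
	pool := x509.NewCertPool() // the one root both sides trust; nothing else is accepted
	pool.AddCert(root)
	srvConn, cliConn := net.Pipe()
	defer cliConn.Close() // closing one end also unblocks the server goroutine
	srvErr := make(chan error, 1)
	go func() {
		srvErr <- tls.Server(srvConn, &tls.Config{
			Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
			ClientCAs:    pool, ClientAuth: tls.RequireAndVerifyClientCert,
			SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe
		}).Handshake()
	}()
	c := tls.Client(cliConn, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}},
		RootCAs:      pool, ServerName: srv.DNSNames[0],
	})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, <-srvErr
}

func main() { // all names are placeholders
	root, rootKey, _ := newRootCA("Example Root CA")
	srvCSR, srvKey, _ := newCSR("server.example.test")
	cliCSR, cliKey, _ := newCSR("client.example.test")
	srv, _ := signCSR(srvCSR, root, rootKey, 2, x509.ExtKeyUsageServerAuth)
	cli, _ := signCSR(cliCSR, root, rootKey, 3, x509.ExtKeyUsageClientAuth)
	fmt.Println(mutualTLS(root, srv, cli, srvKey, cliKey))
}
```

Run it with go run. The CheckSignature call in signCSR is the step openssl x509 -req performs on the request before signing; the handshake fails as soon as either side's certificate does not chain to the root in the pool, which is the same failure a JVM produces when its trust store is missing the CA certificate that the import commands above add.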