Hi Kevin

Here is the part of a document I created where I describe the creation
of the CA, server and client certificates.


Creation of Certificates

I first started by using Openssl (and Perl) to create my own
Certificate Authority (CA) from the Linux Box. Below are the steps
used for that:
1.      Create a directory to keep all CA work in one clearly defined place:
        mkdir /CA
2.      Copy /openssl-0.9.6g/apps/CA.pl and /openssl-0.9.6g/apps/openssl.cnf into /CA.
3.      Create the new CA:
        perl CA.pl -newca

Fill in the CA certificate details (all of them), something like:
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:WP
Locality Name (eg, city) []:Cape Town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:telkom
Organizational Unit Name (eg, section) []:Isis
Common Name (eg, YOUR name) []:Root
Email Address []:[EMAIL PROTECTED]

Now /CA/demoCA/cacert.pem contains the certificate for the new
personal certificate authority.
Then create the server certificate:
1.      Generate a certificate request:
        perl CA.pl -newreq

Fill in the server certificate details (all of them), something like:
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:WP
Locality Name (eg, city) []:Cape Town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:telkom
Organizational Unit Name (eg, section) []:server unit
Common Name (eg, YOUR name) []:111.111.11.11
Email Address []:[EMAIL PROTECTED]

2.      Sign that request. This is what a Trusted Authority does for you:
        perl CA.pl -sign

Had we wanted a third party to sign our certificate, we would send the
certificate request to them, they would sign it, and send it back to
us. We would then use that certificate.

3.      Then extract the private key into a separate file:
        openssl rsa < newreq.pem > newkey.pem
4.      For ease of use, rename these to more meaningful file names:
        mv newcert.pem server.crt
        mv newreq.pem server.req
        mv newkey.pem server.key

Place these in the apache httpd.conf accordingly.

To create a client certificate, we have two choices:

1.      If the certificate is going to be used in a B2B manner using
SUN's JSSE implementation then the client certificate gets created by
first generating a public key using Java's keytool command and then
signing using our CA above. Here are the steps:

·       Create our new public key in a new keystore:
        keytool -keystore jsseclientcerts -genkey -alias client1

        When prompted, enter the passphrase to use as the password for this
        keystore with the Java B2B application.

·       Export the client's public key:
        keytool -keystore jsseclientcerts -certreq -alias client1 -file client1.crs

·       Copy it through to the Linux box's /CA directory mentioned above.
·       Sign the client's key with our CA key:
        openssl ca -config openssl.cnf -in client1.crs -out client1.crs.pem -keyfile demoCA/private/ca.key

        At this point, you should have a file called "client1.crs.pem", which is
        the signed public key. It needs to be converted to a format suitable for
        the JDK's keytool command, and then imported into the jsseclientcerts
        keystore.

·       Convert to DER format:
        openssl x509 -in client1.crs.pem -out client1.crs.der -outform DER

·       Now copy the CA certificate (/CA/demoCA/cacert.pem) and this client
        certificate back into the Windows machine.

·       First import the CA certificate into the client's key store:
        keytool -keystore jsseclientcerts -alias root -import -file cacert.pem

·       Import the signed key into the client's key store:
        keytool -keystore jsseclientcerts -alias client1 -import -file client1.crs.der

        The second last step must be completed so that the keytool command
        agrees to import the signed key.

        We also have to create our truststore, which will simply contain our CA
        certificate (unless you want all the Verisign, etc. certificates before
        it - then include -trustcacerts in the command below):

·       keytool -keystore jssecacerts -alias root -import -file cacert.pem

        The above truststore has to be placed under "C:\Program
        Files\JavaSoft\JRE\1.3.1\lib\security". I also place our client
        keystore there for convenience.

        These two keystores (jsseclientcerts and jssecacerts) are then used as
        needed inside the Java program. The initial steps could be something
        like:

// Register the JSSE provider and its https protocol handler
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

// Passwords for the two keystores created above
System.setProperty("javax.net.ssl.keyStorePassword", "testte");
System.setProperty("javax.net.ssl.trustStorePassword", "testte");

// Truststore holds our CA certificate; keystore holds the client key and certificate
System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files\\Javasoft\\jre\\1.3.1\\lib\\security\\jssecacerts");
System.setProperty("javax.net.ssl.keyStore", "C:\\Program Files\\Javasoft\\jre\\1.3.1\\lib\\security\\jsseclientcerts");

I used Innovate's HTTPClient after this, in which I set the SSL Socket
factory after I initialized the SSLContext.

2.      If the client certificate and the CA certificate are meant for
browser use, then the client certificate has to be first generated
using openssl (just like we did our server certificate), signed and
then converted to pkcs12 format. So something like this would work:
·       Generate a certificate request:
        perl CA.pl -newreq

        Fill in the client certificate details (all of them), something like:
        Country Name (2 letter code) [AU]:ZA
        State or Province Name (full name) [Some-State]:WP
        Locality Name (eg, city) []:Cape Town
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:telkom
        Organizational Unit Name (eg, section) []:users
        Common Name (eg, YOUR name) []:Jose
        Email Address []:[EMAIL PROTECTED]

·       Sign the request:
        perl CA.pl -sign

·       Extract the key into a separate file:
        openssl rsa < newreq.pem > newkey.pem
·       Rename the three files for convenience:
        mv newcert.pem client2.crt
        mv newreq.pem client2.req
        mv newkey.pem client2.key

·       Now convert it to PKCS12 format:
        openssl pkcs12 -export -in client2.crt -inkey client2.key -out client2.p12

·       Convert the CA certificate into PKCS12 format as well:
        openssl pkcs12 -export -in demoCA/cacert.pem -inkey demoCA/private/ca.key -out cacert.p12

·       Now import these on to the client's browser (first import the
CA one).

And that's about it. Btw I used jdk 1.3.1 with JSSE 1.0.3

Cheers
Jose
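The same procedure as an added example (not Jose's own script): a non-interactive shell version that creates the CA, server and client certificates with the openssl CLI alone, checks each certificate against the CA the way a truststore would, and refuses to build a PKCS12 bundle when the private key does not belong to the certificate. The subject fields are the constructed values from the mail; the WORK directory, file names and validity period are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): non-interactive version of the
# CA / server / client procedure above, using only the openssl CLI.
# Subject values are the constructed ones from the mail; WORK dir is assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DAYS=365

# Create the CA: self-signed certificate plus private key
# (what CA.pl -newca does interactively).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=ZA/ST=WP/L=Cape Town/O=telkom/OU=Isis/CN=Root" 2>/dev/null
}

# Request and sign in one go: $1 = file base name, $2 = subject
# (CA.pl -newreq followed by CA.pl -sign).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.req" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.req" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$DAYS" -out "$WORK/$1.crt" 2>/dev/null
}

# Does private key $2 belong to certificate $1? Compare the public keys.
# This catches the mix-up of exporting a client cert with the server key.
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)
  k=$(openssl pkey -in "$WORK/$2.key" -pubout)
  [ "$c" = "$k" ]
}

# Does certificate $1 chain to our CA? (The check a truststore performs.)
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Bundle certificate $1 with key $2 for browser import; $3 = export password.
export_p12() {
  key_matches_cert "$1" "$2" || return 1
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$2.key" \
    -out "$WORK/$1.p12" -passout "pass:$3" 2>/dev/null
}

make_ca
issue_cert server "/C=ZA/ST=WP/L=Cape Town/O=telkom/OU=server unit/CN=111.111.11.11"
issue_cert client2 "/C=ZA/ST=WP/L=Cape Town/O=telkom/OU=users/CN=Jose"
```

Run it with WORK set to a directory of your choice; afterwards `export_p12 client2 client2 <password>` produces the client2.p12 that the browser imports, while `export_p12 client2 server <password>` fails because the server key does not match the client certificate.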



-----Original Message-----
From: Fisk, Kevin [mailto:[EMAIL PROTECTED]]
Sent: 15 October 2002 17:55
To: [EMAIL PROTECTED]
Cc: Moffet, Scott
Subject: RE: CSR / CA Issued Certificate


Please ... how did you do it?

-----Original Message-----
From: Jose Correia (J) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 12:26 AM
To: [EMAIL PROTECTED]
Subject: RE: CSR / CA Issued Certificate


Hi Kevin

I have successfully used a client certificate signed by my own CA using
JSSE... let me know if you are interested in knowing how...

Cheers
Jose

-----Original Message-----
From: Fisk, Kevin [mailto:[EMAIL PROTECTED]]
Sent: 15 October 2002 02:01
To: [EMAIL PROTECTED]
Subject: CSR / CA Issued Certificate


I've been using OpenSSL a great deal, though this is going to come out
sounding a lot like a newbie question.

I need to generate a CSR so I can order a Verisign certificate.  Our
server currently uses a self signed cert and key pair for the server.
If I order a Verisign certificate, it is the digital cert only.  Is
the server's key the key I generate for the CSR?

The self-signed cert would be fine, however, JSSE refuses to connect
with the server because it is not a trusted certificate.  Am I on the
right track?

Kevin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]