http://www.javacodegeeks.com/2014/07/java-keystore-tutorial.html

Table Of Contents

1. Introduction
2. SSL and how it works
3. Private Keys
4. Public Certificates
5. Root Certificates
6. Certificate Authorities
7. Certificate Chain
8. Keystore using Java keytool
9. Keystore Commands
10. Configure SSL using Keystores and Self Signed Certificates on Apache Tomcat

1. Introduction

Who of us didn’t visit ebay, amazon to buy anything or his personal bank account to check it. Do you think that those sites are secure enough to put your personal data like (credit card number or bank account number, etc.,)?

Most of those sites use the Socket Layer (SSL) protocol to secure their Internet applications. SSL allows the data from a client, such as a Web browser, to be encrypted prior to transmission so that someone trying to sniff the data is unable to decipher it.

Many Java application servers and Web servers support the use of keystores for SSL configuration. If you’re building secure Java programs, learning to build a keystore is the first step.

2. SSL and how it works

A HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of with http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session. A simplified overview of how the SSL handshake is processed is shown in the diagram below.

This is in short how it works:

  1. A browser requests a secure page (usually https://).
  2. The web server sends its public key with its certificate.
  3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
  4. The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
  5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
  6. The web server sends back the requested html document and http data encrypted with the symmetric key.
  7. The browser decrypts the http data and html document using the symmetric key and displays the information.

The world of SSL has, essentially, three types of certificates: private keys, public keys (also called public certificates or site certificates), and root certificates.

3. Private Keys

The private key contains the identity information of the server, along with a key value. It should keep this key safe and protected by password because it’s used to negotiate the hash during the handshake. It can be used by someone to decrypt the traffic and get your personal information. It like leaving your house key in the door lock.

4. Public Certificates

The public certificate (public key) is the portion that is presented to a client, it likes your personal passport when you show in the Airport. The public certificate, tightly associated to the private key, is created from the private key using a Certificate Signing Request (CSR). After you create a private key, you create a CSR, which is sent to your Certificate Authority (CA). The CA returns a signed certificate, which has information about the server identity and about the CA.

5. Root Certificates

Root CA Certificate is a CA Certificate which is simply a Self-signed Certificate. This certificate represents a entity which issues certificate and is known as Certificate Authority or the CA such as VeriSign, Thawte, etc.

6. Certificate Authorities

Companies who will sign certificates for you such as VeriSign, Thawte, Commodo, GetTrust. Also, many companies and institutions act as their own CA, either by building a complete implementation from scratch, or by using an open source option, such as OpenSSL.

7. Certificate Chain

When a server and client establish an SSL connection, a certificate is presented to the client; the client should determine whether to trust this certificate, a process called the certificate chain. The client examines the issuer of a certificate, searches its list of trusted root certificates, and compares the issuer on the presented certificate to the subjects of the trusted certificates.

If a match is found, the connection proceeds. If not, the Web browsers may pop up a dialog box, warning you that it cannot trust the certificate and offering the option to trust the certificate.

8. Keystore using Java keytool

Java Keytool is a key and certificate management utility. It allows users to manage their own public/private key pairs and certificates. Java Keytool stores the keys and certificates in what is called a keystore. It protects private keys with a password.

Each certificate in a Java keystore is associated with a unique alias. When creating a Java keystore you will first create the .jks file that will initially only contain the private key, then generate a CSR. Then you will import the certificate to the keystore including any root certificates.

9. Keystore Commands

Create Keystore, Keys and Certificate Requests

  • Generate a Java keystore and key pair

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -storepass password
  • Generate a certificate signing request (CSR) for an existing Java keystore 
    keytool -certreq -alias mydomain -keystore keystore.jks -storepass password -file mydomain.csr
  • Generate a keystore and self-signed certificate 
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360

Import Certificates

    • Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks -storepass password
  • Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password

Export Certificates

  • Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password

Check/List/View Certificates

  • Check a stand-alone certificate

    keytool -printcert -v -file mydomain.crt
  • Check which certificates are in a Java keystore 
    keytool -list -v -keystore keystore.jks -storepass password
  • Check a particular keystore entry using an alias 
    keytool -list -v -keystore keystore.jks -storepass password -alias mydomain

Delete Certificates

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias mydomain -keystore keystore.jks -storepass password

Change Passwords

  • Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks -storepass password
  • Change a private key password 
    keytool -keypasswd -alias client -keypass old_password -new new_password -keystore client.jks -storepass password

10. Configure SSL using Keystores and Self Signed Certificates on Apache Tomcat

  1. Generate new keystore and self-signed certificateusing this command, you will prompt to enter specific information such as user name, organization unit, company and location.

    keytool -genkey -alias tomcat -keyalg RSA -keystore /home/ashraf/Desktop/JavaCodeGeek/keystore.jks -validity 360

  2. You can list the certificate details you just created using this command 
    keytool -list -keystore /home/ashraf/Desktop/JavaCodeGeek/keystore.jks

  3. Download Tomcat 7
  4. Configure Tomcat’s server to support for SSL or https connection. Adding a connector element in Tomcat\conf\server.xml 
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
    
SSLEnabled="true" keystoreFile="/home/ashraf/Desktop/JavaCodeGeek/.keystore" keystorePass="password" clientAuth="false" keyAlias="tomcat" sslProtocol="TLS" />
  5. Start Tomcat and go tohttps://localhost:8443/, you will find the following security issue where the browser will present untrusted error messages. In the case of e-commerce, such error messages result in immediate lack of confidence in the website and organizations risk losing confidence and business from the majority of consumers, that's normal as your certificate isn't signed yet by CA such as Thawte or Verisign who will verify the identity of the requester and issue a signed certificate.

  6. You can click Proceed anyway till you receive you signed certificate.

SSL 通信及 java keystore 工具介绍的更多相关文章

  1. 编程入门-Java开发工具介绍及Eclipse安装

    编程入门-Java开发工具介绍及Eclipse安装 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.Java开发工具介绍 "源代码"一般是文字,所以可以使用记 ...

  2. ssl证书与java keytool工具

    ssl协议 SSL(Secure Sockets Layer 安全套接字协议),及其继任者传输层安全(Transport Layer Security,TLS)是为网络通信提供安全及数据完整性的一种安 ...

  3. Java Metrics工具介绍

    目录 简介 快速入门 Maven配置 MetricRegistry Gauge Meter Counter Histgram Timer Reporter 更多用法 参考资料 简介 Metric是一个 ...

  4. JAVA代码覆盖率工具JaCoCo-原理篇

    JAVA代码覆盖率工具JaCoCo-原理篇 1.2 JAVA覆盖率工具介绍 1.3.3 Apache Maven方式 1.3.4 Eclipse EclDmma Plugin方式 JAVA代码覆盖率工 ...

  5. Java 下 SSL 通信原理及实例

    有关SSL的原理和介绍在网上已经有不少,对于Java下使用keytool生成证书,配置SSL通信的教程也非常多.但如果我们不能够亲自动手做一个SSL Sever和SSL Client,可能就永远也不能 ...

  6. [原创]Java静态代码检查工具介绍

    [原创]Java静态代码检查工具介绍 一  什么是静态代码检查? 静态代码分析是指无需运行被测代码,仅通过分析或检查源程序的语法.结构.过程.接口等来检查程序的正确性,找出代码隐藏的错误和缺陷,如参数 ...

  7. Java基础-考察JVM内部结构的常用工具介绍

    Java基础-考察JVM内部结构的常用工具介绍 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 我们可以通过jvisualvm.exe考察jvm内部结构.而jvisualvm.exe ...

  8. java基础-Eclipse开发工具介绍

    java基础-Eclipse开发工具介绍 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 所谓工欲善其事必先利其器,即将身为一名Java开发工程师怎么能没有一款好使的IDE呢?今天就 ...

  9. java基础-Idea开发工具介绍

    java基础-Idea开发工具介绍 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 之前给大家介绍过一款Java的IDE叫eclipse,有些功能用起来不是很得心应手,尤其是在导报的 ...

随机推荐

  1. variable-precision SWAR算法:计算Hamming Weight

    variable-precision SWAR算法:计算Hamming Weight 转自我的Github 最近看书看到了一个计算Hamming Weight的算法,觉得挺巧妙的,纪录一下. Hamm ...

  2. Jquery操作单选按钮(Radio)的取值赋值实现代码

    1.获取选中值,三种方法都可以: $('input:radio:checked').val(); $("input[type='radio']:checked").val(); $ ...

  3. sonar-maven-plugin问题

    问题: jenkins本地构建时sonar报错 StackOverflow问题 [ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven ...

  4. Spring Cloud Eureka Server例子程序

    Spring-Cloud-Eureka-Server 及Client 例子程序 参考源代码:https://github.com/spring-cloud-samples/eureka 可以启动成功, ...

  5. svn命令操作

    非超级用户:sudo 命令 svn info 查看svn地址 svn co 地址 检出仓库

  6. Mysql修改设置root密码的命令及方法

    方法一:使用SQL语句命令UPDATE 需用到Mysql自带的加密函数PASSWORD(string),该函数对一个明文密码进行加密,但不能解密.专门用于mysql.user(用户权限表)中设置密码, ...

  7. python 数据类型(元组(不可变列表),字符串

    元组(不可变列表) 创建元组: ages = (11, 22, 33, 44, 55) 或 ages = tuple((11, 22, 33, 44, 55)) 一般情况下是不需要被人该的数值才使用元 ...

  8. python 三分钟入门

    1.Python环境配置(2.7版本): Python官网:https://www.python.org/ Pycharm官网 http://www.jetbrains.com/pycharm/dow ...

  9. Mac双系统切换

    苹果系统和WIN7系统  切换和使用说明 先按住“alt(opfion)”不放手,然后在按开机键,会进入选择页面,选择win8 会进入 windos页面 ,选择MACintos h HD(Mac)会进 ...

  10. NOIP 2011 提高组 计算系数

    有二项式定理 `\left( a+b\right) ^{n}=\sum _{r=0}^{n}\left( \begin{matrix} n\\ r\end{matrix} \right) a^{n-r ...