What is a digital certificate
- An electronic document that uses a digital signature to bind a public key to identity information such as the name of a person or an organization, their address, and so forth
- The certificate can be used to verify that a public key belongs to an individual
Contents of a typical digital certificate
- Serial Number: Used to uniquely identify the certificate.
- Subject: The person or entity identified.
- Signature Algorithm: The algorithm used to create the signature.
- Issuer: The entity that verified the information and issued the certificate.
- Valid-From: The date the certificate is first valid from.
- Valid-To: The expiration date.
- Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...).
- Public Key: The public key to encrypt a message to the named subject or to verify a signature from the named subject.
- Thumbprint Algorithm: The algorithm used to hash the certificate.
- Thumbprint: The hash itself, used to check that the certificate has not been tampered with.
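As an added example (not from the original notes), the Java program below reads a certificate file with the JDK's own java.security classes and prints the fields listed above. It also recomputes the thumbprint as a hash over the whole DER encoding, verifies a self-signed certificate's signature with its embedded public key, and checks the validity period. The file name server.cer is an assumption taken from the keytool export step later in these notes; any DER- or PEM-encoded certificate works.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;

// Added example: inspects the fields of an X.509 certificate file.
// The default file name "server.cer" is an assumption from these notes.
public class CertificateInspector {

    // Bit positions of the KeyUsage extension as returned by getKeyUsage()
    static final String[] KEY_USAGE_NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "server.cer";
        X509Certificate cert;
        try (InputStream in = new FileInputStream(file)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        System.out.println("Serial Number       : " + cert.getSerialNumber().toString(16));
        System.out.println("Subject             : " + cert.getSubjectX500Principal());
        System.out.println("Issuer              : " + cert.getIssuerX500Principal());
        System.out.println("Signature Algorithm : " + cert.getSigAlgName());
        System.out.println("Valid-From          : " + cert.getNotBefore());
        System.out.println("Valid-To            : " + cert.getNotAfter());
        System.out.println("Public Key          : " + cert.getPublicKey().getAlgorithm());

        // Key-Usage is a bit string; getKeyUsage() returns null when the extension is absent
        boolean[] usage = cert.getKeyUsage();
        if (usage == null) {
            System.out.println("Key-Usage           : (extension absent)");
        } else {
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < usage.length && i < KEY_USAGE_NAMES.length; i++) {
                if (usage[i]) sb.append(KEY_USAGE_NAMES[i]).append(' ');
            }
            System.out.println("Key-Usage           : " + sb.toString().trim());
        }

        // The thumbprint is not a field stored inside the certificate: it is the hash of
        // the whole DER encoding, so a change to any field changes the thumbprint.
        System.out.println("Thumbprint (SHA-256): " + thumbprint(cert, "SHA-256"));

        // A self-signed certificate is verified with its own public key; a CA-issued
        // certificate must be verified with the issuer's public key instead.
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            cert.verify(cert.getPublicKey());   // throws SignatureException if tampered with
            System.out.println("Self-signed signature verifies with the embedded public key");
        }

        try {
            cert.checkValidity(new Date());
            System.out.println("Certificate is within its validity period");
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            System.out.println("Certificate is NOT currently valid: " + e.getMessage());
        }
    }

    // Hex, colon-separated digest of the DER encoding, the form keytool -printcert shows
    static String thumbprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X:", b & 0xff));
        return hex.substring(0, hex.length() - 1);
    }
}
```

Compile with javac CertificateInspector.java and run with java CertificateInspector server.cer; the thumbprint it prints should match the fingerprint shown by keytool -printcert -file server.cer.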
Public and private key - Asymmetric encryption
- These keys protect the authenticity of a message: a digital signature is created over the message with the private key and can be verified by anyone holding the public key.
- They also protect the confidentiality and integrity of a message through public key encryption: the message is encrypted with the public key and can only be decrypted with the matching private key.
Figure: Asymmetric key encryption / Protection of the authenticity (source: http://cxf.apache.org)
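Added example, not part of the original notes: a Java program that uses one freshly generated RSA key pair for both purposes above. It signs with the private key and verifies with the public key, shows that a tampered message fails verification, then encrypts with the public key and decrypts with the private key. The key pair and the message are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added example: one RSA key pair, used first for authenticity (sign/verify)
// and then for confidentiality (encrypt/decrypt). All inputs are constructed.
public class AsymmetricDemo {

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair alice = gen.generateKeyPair();   // constructed key pair for the demo

        byte[] message = "transfer 100 EUR to account 42".getBytes(StandardCharsets.UTF_8);

        // Authenticity: sign with the private key, verify with the public key
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(alice.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();
        System.out.println("signature verifies on original: " + verify(alice, message, sig));

        // Any change to the signed bytes invalidates the signature
        byte[] tampered = message.clone();
        tampered[9] = '9';   // "100" -> "900"
        System.out.println("signature verifies on tampered: " + verify(alice, tampered, sig));

        // Confidentiality: encrypt with the public key, decrypt with the private key.
        // Plain RSA only handles short inputs (190 bytes with OAEP/SHA-256 and a 2048-bit
        // key); protocols such as TLS use it only to protect a symmetric session key.
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, alice.getPublic());
        byte[] ciphertext = enc.doFinal(message);

        Cipher dec = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        dec.init(Cipher.DECRYPT_MODE, alice.getPrivate());
        byte[] plaintext = dec.doFinal(ciphertext);

        System.out.println("ciphertext length : " + ciphertext.length + " bytes");
        System.out.println("decrypted matches : " + Arrays.equals(message, plaintext));
    }

    // Verification needs only the public half of the key pair
    static boolean verify(KeyPair kp, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kp.getPublic());
        v.update(data);
        return v.verify(sig);
    }
}
```

Run with java AsymmetricDemo; the first verification prints true, the one on the tampered message prints false, and the decrypted bytes equal the original message.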
SSL
- the most common use of digital certificates
- allows communicating over a secure connection
- it is a layer between the transport layer (TCP/IP) and the presentation layer (HTTP)
- data is encrypted by the sender and decrypted by the receiver
SSL addresses the following security considerations:
- Authentication – the server presents its certificate, which is used to verify that the server (site) is who and what it claims to be. The server may request the client's certificate too.
- Confidentiality – data may be observed by a third party but cannot be deciphered
- Integrity – SSL helps guarantee that data will not be modified
Figure: SSL sub-protocols (source: http://beefchunk.com)
Figure: Establishing a connection (source: http://beefchunk.com)
SSL, PCT, TLS and WTLS (not SSH)
- SSL v2.0 Released by Netscape Communications in 1994. The main goal of this protocol was to provide security for transactions over the World Wide Web. Unfortunately, a number of security weaknesses were found very quickly in this initial version of the SSL protocol, making it less reliable for commercial use:
- weak MAC construction, the possibility of forcing parties to use weaker encryption, no protection for handshakes, and the possibility of an attacker performing truncation attacks
- PCT v1.0 Developed in 1995 by Microsoft. Private Communication Technology (PCT) v1.0 addressed some weaknesses of SSL v2.0 and was intended to replace SSL.
- SSL v3.0 Released in 1996 by Netscape Communications. SSL v3.0 solved most of the SSL v2.0 problems and incorporated many of the features of PCT. It quickly became the most popular protocol for securing communication over the WWW.
- TLS v1.0 (also known as SSL v3.1) Published by the IETF in 1999 (RFC 2246). This protocol is based on SSL v3.0 and PCT and harmonizes Netscape's and Microsoft's approaches. It is important to note that although TLS is based on SSL, it is not 100% backward compatible with its predecessor. The IETF made some security improvements, and the end result is that the two protocols do not fully interoperate. TLS does, however, have a mode to fall back to SSL v3.0.
- WTLS The "mobile and wireless" version of the TLS protocol, which uses the UDP protocol as a carrier. It is designed and optimized for the lower bandwidth and smaller processing capabilities of WAP-enabled mobile devices. However, after the introduction of the WAP 2.0 protocol, WTLS was replaced by a profiled version of the TLS protocol, which is much more secure, mainly because there is no need to decrypt and re-encrypt the traffic at the WAP gateway.
SSL installation
Before we can use SSL with Tomcat, for example, we need to install the following:
- A server certificate keystore
- An HTTPS connector
Creating the server certificate
To create a server certificate follow these steps:
- Create the keystore.
- Export the certificate from the keystore.
- Sign the certificate.
- Import the certificate into a trust-store.
Generating the server certificate
keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
- Generates the server keystore keystore.jks
- Generates a key pair (a public key and associated private key)
- Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain
Importing the Certificate
Now that you have your certificate you can import it into your local keystore. First of all you have to import the so-called Chain Certificate or Root Certificate into your keystore.
keytool -import -alias root -keystore keystore-file.abc -trustcacerts -file received-file.abc
After that you can proceed with importing your own certificate.
keytool -import -alias tomcat -keystore keystore-file.abc -trustcacerts -file received-file.abc
Displaying certificates
To print out the content of a keystore entry, use the following command:
keytool -list -keystore keystore.jks
To display the contents of a certificate stored in a file, use the following command:
keytool -printcert -file server.cer
Install HTTPS connector
Add the following lines to the $CATALINA_HOME/conf/server.xml configuration file:
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true"
           clientAuth="false" protocol="TLS">
</Connector>
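Added example (not from these notes or from Tomcat): a Java client that checks the connector after installation and, at the same time, exercises the trust-store from the import steps above. It trusts only the certificates in keystore.jks, so the handshake fails unless the server's chain ends at one of them, and it enables hostname verification, which chain validation alone does not perform. Host localhost, port 8443, file keystore.jks and password changeit are assumptions taken from these notes; adjust them to the deployment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example: TLS handshake check against the HTTPS connector.
// Host, port, trust-store file and password are assumptions from these notes.
public class TlsConnectionCheck {

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        String trustStoreFile = "keystore.jks";
        char[] trustStorePassword = "changeit".toCharArray();

        // Load the trust-store. The trust manager accepts the server only if its chain
        // ends at a certificate in this store: that is the "Authentication" guarantee.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStoreFile)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key: clientAuth="false"
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Chain validation does not check that the certificate was issued for this
            // host name; on a raw SSLSocket that check must be switched on explicitly.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();   // SSLHandshakeException if untrusted or name mismatch
            SSLSession session = socket.getSession();

            System.out.println("Protocol     : " + session.getProtocol());
            System.out.println("Cipher suite : " + session.getCipherSuite());
            Certificate[] chain = session.getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("Chain[" + i + "] subject: " + c.getSubjectX500Principal());
                System.out.println("         issuer : " + c.getIssuerX500Principal());
            }
        }
    }
}
```

Run with java TlsConnectionCheck localhost 8443 after Tomcat is started. A successful run prints the negotiated protocol version, the cipher suite and the server's chain; an untrusted certificate or a CN that does not match the host name ends in an SSLHandshakeException, which is the behaviour a client should show.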
Export the certificate from the keystore
keytool -export -alias server-alias -storepass changeit -file server.cer -keystore keystore.jks
Certificate Signing Request (CSR)
keytool -certreq -keyalg RSA -alias server-alias -file certreq.csr -keystore keystore.jks