3
votes

I want to establish a client server communication over SSL/TLS in java. The server is multithreaded. With openssl I acted as my own CA (created private key and self-signed certificate for the authority). Now I want to create keys and certs for my server and clients which are signed from the CA I created.

1) Do I have to create certs and keys from the prompt for every single client? Or is it another "automated" way e.g. with a script?

2) I have seen that this code for setting up keystores

 private void setupClientKeyStore() throws GeneralSecurityException, IOException 
    {
    clientKeyStore = KeyStore.getInstance( "JKS" );
    clientKeyStore.load( new FileInputStream( "client1publickey.jks" ),
                       "password".toCharArray() );
    }

    private void setupServerKeystore() throws GeneralSecurityException, IOException
    {
    InputStream keyStoreResource = new FileInputStream("serverprivatekey.jks");
    char[] keyStorePassphrase = "password".toCharArray();
    serverKeyStore = KeyStore.getInstance("JKS");
    serverKeyStore.load(keyStoreResource, keyStorePassphrase);
}

I have run the command to see what type of entries are these and client1publickey is a TrustedCert entry while serverprivatekey is a PrivateKey entry. This code is on my server class. I have this code on my client class

private void setupServerKeystore() throws GeneralSecurityException, IOException {
    serverKeyStore = KeyStore.getInstance( "JKS" );
    serverKeyStore.load( new FileInputStream("serverpublickwy.jks"), 
                        "university".toCharArray() );
  } 
   private void setupClientKeyStore() throws GeneralSecurityException, IOException {
    clientKeyStore = KeyStore.getInstance( "JKS" );
    clientKeyStore.load( new FileInputStream( "client1privatekey.jks" ),
                       "university".toCharArray() );} 

The question is that how can I create these jks files separately? The publickey.jks file is cert, right? How can I have it in another file from the private key and be signed from CA? Or is it another way I can establish connections between client/server? Firstly I had created the CA with openssl and then the two jks files for server and client included the certs and the key.

1
Possible duplicate of Private and public key seperatelyvlp
I'm confused as to what you're asking. Are you looking for an automated means to generate unique keystores for each of your clients to implement mutual authentication and have them honored by your service?David J. Liszewski
exactly what i am looking for!elenaa

1 Answers

1
votes

What you are setting up here looks fairly primitive and brittle. JKS stores are actually a real pain to work with, but they are all that some Java libraries will accept, so if you are stuck, you are stuck.

http://www.javacodegeeks.com/2014/07/java-keystore-tutorial.html

Is a rather nice tutorial on the basics of keytool, the standard way to manipulate key stores. A JKS file can have the key pair & CSR, or the key pair & signed cert or any number of certificates w. no key pairs affiliated with them.

Scripting

Usually I script these as command line driven cases that are part of whatever start up scripts I need to do. My basic premise is that the key pair is most secure if it does not leave the box it was created for. So the key pair creation, password setup, and CSR generation is something I take care of when I'm setting up the box. It is possible with either open SSL or keytool to script not only the key pair and CSR setup but sending the CSR to a CA. If you want to go the whole way, you may even script querying the CA for the signed cert.

I tend to do this outside of Java or a JEE framework. I use whatever scripting mechanism is appropos to my OS of choice.

With that said, I believe this code:

http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html

Provides the example of how to set up a JKS in Java.

Of particular interest, it looks like at least in Java 7, you can use a PKCS 12 instead of the JKS file. PKCS12s are the default outside of Java, so it's rather nice to see them joining the standard.

Trust Stores

Either a JKS file or a PKCS12 can also hold a bundle of all the trusted certificates. In most cases, this the CA or the set of CAs in the hiearachy. This trust store can be massively distributed, and for simplicity, you may put it on the build of every server you plan to configure this way. You may also want a package hosted in a place where you can easily fetch a clean copy from any server.

The question is that how can I create these jks files separately? The publickey.jks file is cert, right? How can I have it in another file from the private key and be signed from CA? Or is it another way I can establish connections between client/server?

OK, I think you are loosing me here.

The basic premise of Java Key Stores is that the cert that describes and signs the public key of you key pair is colocated with the key pair. Whatever entity (server or client) will need exactly 1 JKS file that holds all the information connected to it's identity, both the key pair and the certificate.

Trying to separate them for long term storage in this particular situation doesn't make much sense to me.

However, if what you are asking is "how do I get the stuff I need to get signed at the CA separated from my private key, so I don't have to tote around my private key?" - that's a wonderful question. The answer is the CSR (Certificate Signing Request) which is a self-signed chunk of info that includes the public key only and a bunch of information that you would like the CA to make use of when signing your cert. The way to do it in key tools is:

keytool -certreq -alias mydomain -keystore keystore.jks -storepass password -file mydomain.csr

And in the end you'll have it in "mydomain.csr"

You'll use that to get a signed cert back from the CA, and then upload it with:

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks -storepass password