SSL Cheatsheet
SSL Cheatsheet for Java
It almost certainly has some errors, so please let me know if you spot anything.
Concepts
Term | Description |
---|---|
Private key | A cryptographic key, kept secret, that uniquely identifies an individual or system. |
Certificate | Binds a cryptographic (public) key to an organisation's details. |
Truststore | A store of certificates of trusted Certificate Authorities. Provided with a JRE, but often amended to include corporation-specific CAs. These are the CAs for the sites you are going to trust. |
Keystore | Contains a private key and certificate for use in client-certificate authentication (sometimes called two-way SSL). |
Formats
PEM - ASCII (Base64) format for certificates and/or private keys. Can contain more than one per file. See doc
P12 - A binary container format (PKCS#12) for multiple cryptographic artifacts. It is often used to hold a user's private key and their user certificate.
CRT - A file extension for a digital certificate file, typically as used by a web browser. The contents may be PEM (ASCII) or DER (binary) encoded.
JKS - A Java KeyStore (JKS) is a repository of security certificates, either authorization certificates or public key certificates, plus corresponding private keys, used for instance in SSL encryption.
Tools
openssl
openssl is the essential tool for generating and converting the many SSL-related formats. Here are a few examples related to key management:
To inspect the contents of a P12 file (its keys, certificates and MAC details; you will be prompted for the file's password):
openssl pkcs12 -in dmcert.p12 -info
To generate a PEM private key from a P12 with no password challenge (-nodes writes the key unencrypted, so protect the output file):
openssl pkcs12 -out dmcert.pem -in dmcert.p12 -nodes
To generate a P12 from a PEM do:
openssl pkcs12 -export -in dmcert.pem -out dmcertgen.p12
And some examples to do with certificates. To parse and view the contents of a certificate (this displays the certificate; it does not verify a trust chain):
openssl x509 -in my-org.pem -text
To convert a PEM certificate to CRT format (the output is still PEM encoded; add -outform DER if a binary DER file is required):
openssl x509 -in my-org.pem -out my-org.crt
To generate a list of PEM CA certificates from a P12 file:
openssl pkcs12 -in cacerts.p12 -nokeys -out cacerts.pem
To extract only the key from a P12 file (-nocerts drops the certificates) and convert it to RSA format:
openssl pkcs12 -in dmcert.p12 -clcerts -nodes -nocerts | openssl rsa -out dmcert.key
To create a p12 from a separate key and certificate file:
openssl pkcs12 -export -out dmcert.p12 -inkey dmcert.key -in dmcert.crt
keytool
keytool is a JRE-provided tool for creating and managing keystores, whether truststores or private key stores.
To list the contents of a keystore:
keytool -list -v -keystore truststore.jks
To list trusted CAs:
keytool -storepass changeit -list -v -keystore truststore.jks | egrep Owner
To add a CA's PEM to your existing truststore:
keytool -noprompt -trustcacerts -importcert -storepass changeit -file newca.pem -alias newca -keystore truststore.
To convert a JKS file (of trusted CA certs) to a P12 file:
keytool -importkeystore -srckeystore cacerts -destkeystore cacerts.p12 -deststoretype PKCS12
SSL with Java
Java reads the following system properties (set with -D on the command line) to configure SSL:
Property | Description |
---|---|
javax.net.ssl.trustStore | The location of your trust store (defaults to jre/lib/certs) |
javax.net.ssl.trustStorePassword | The password for the truststore (often changeit) |
javax.net.ssl.keyStore | The location of your private key store in JKS or P12 format. |
javax.net.ssl.keyStorePassword | The keystore password |
javax.net.ssl.keyStoreType | Format of the keystore, set to PKCS12 if providing a raw p12 file |
The keystore properties are required if making an SSL connection to a server that expects to authenticate clients using their SSL certificates. This document is very useful if debugging SSL connections:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
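The same truststore/keystore configuration can be built in code instead of through the javax.net.ssl properties, which is useful when one JVM must talk to several servers with different client certificates. The following is an added example, not part of the original cheatsheet; it assumes the truststore.jks and dmcert.p12 files produced by the commands above, takes the P12 password as a command-line argument, and uses a placeholder server URL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Equivalent command-line configuration using the system properties from the table:
//   java -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=changeit \
//        -Djavax.net.ssl.keyStore=dmcert.p12 -Djavax.net.ssl.keyStoreType=PKCS12 \
//        -Djavax.net.ssl.keyStorePassword=<p12 password> MutualTlsClient
public class MutualTlsClient {

    // Loads a keystore of the given type ("JKS" or "PKCS12") from disk.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // for JKS this also checks the store's integrity MAC
        }
        return ks;
    }

    // Builds an SSLContext scoped to this client: the truststore decides which server
    // CAs are accepted, the keystore supplies the client certificate for two-way SSL.
    static SSLContext build(String trustPath, char[] trustPw,
                            String keyPath, String keyType, char[] keyPw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustPath, "JKS", trustPw));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyPath, keyType, keyPw), keyPw);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: password of dmcert.p12 (assumption: passed on the command line)
        SSLContext ctx = build("truststore.jks", "changeit".toCharArray(),
                               "dmcert.p12", "PKCS12", args[0].toCharArray());
        // Placeholder host; replace with the server that requires client authentication.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.internal/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at the HttpsURLConnection default; do not override it.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run with -Djavax.net.debug=ssl (see the linked document) to see which truststore entries and client certificate the handshake actually used.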