SSL Cheatsheet

SSL Cheatsheet for Java

Posted: Mon 08 Jan, 2018, 12:07
Every time I have an SSL certificate issue, I find myself having to re-learn all the terminology and concepts. It's an area of development that is reasonably complicated and yet infrequently used - the worst possible combination, because it takes ages to get back up to speed again. So this is my cheatsheet to help me get back up the learning curve a bit quicker next time, and it may be of use to others as well.

It almost certainly has some errors, so please let me know if you spot anything.

Concepts

Private key - A cryptographic key that uniquely identifies an individual; it must be kept secret.

Certificate - Binds a cryptographic (public) key to an organisation's details.

Truststore - A store of certificates of trusted Certificate Authorities. One is provided with the JRE, but it is often amended to include corporation-specific CAs. These are the CAs of the sites you are going to trust.

Keystore - Contains a private key and certificate for use when doing client-certificate authentication (sometimes called two-way SSL).

Formats

PEM - ASCII (Base64) format for certificates and/or private keys, each wrapped in BEGIN/END lines. A file can contain more than one item.

P12 - A binary container format (PKCS#12) for multiple cryptographic artifacts. It is often used to hold a user's private key and their user certificate, protected by a password.

CRT - A file extension for a digital certificate file, commonly used with web browsers. The extension says nothing about the encoding: the contents may be PEM (text) or DER (binary).

JKS - A Java KeyStore (JKS) is a repository of security certificates (authorization certificates or public key certificates) plus corresponding private keys, used for instance in SSL encryption.

Tools

openssl

openssl is an essential tool for generating and converting all manner of SSL-related formats, of which there are many. Here are a few examples related to key management.

To inspect the contents of a P12 file (its certificates and private key; you will be prompted for the import password):

openssl pkcs12 -in dmcert.p12 -info

To generate a PEM private key from a P12 with no password challenge (-nodes writes the key unencrypted, so protect the resulting file):

openssl pkcs12 -out dmcert.pem -in dmcert.p12 -nodes

To generate a P12 from a PEM (containing both the key and the certificate) do:

openssl pkcs12 -export -in dmcert.pem -out dmcertgen.p12

And some examples to do with certificates. To validate and view the contents of a certificate do:

openssl x509 -in my-org.pem -text

To convert a PEM certificate to CRT format do (note that CRT is only a file extension, so this writes the same PEM text under a new name; add -outform DER if a binary certificate file is wanted):

openssl x509 -in my-org.pem -out my-org.crt

To extract the CA certificates from a P12 file as a PEM list (no keys):

openssl pkcs12 -in cacerts.p12 -nokeys -out cacerts.pem

To extract the private key from a P12 file and write it as an (unencrypted) RSA key do:

openssl pkcs12 -in dmcert.p12 -clcerts -nodes -nocerts | openssl rsa -out dmcert.key

To create a P12 from separate key and certificate files:

openssl pkcs12 -export -out dmcert.p12 -inkey dmcert.key -in dmcert.crt
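The following script is an added example (not from the original post) that ties the openssl conversions above together: it creates a throw-away key and self-signed certificate, bundles them into a P12, unpacks certificate and key again, and then checks with fingerprints and public-key comparison that nothing was lost. The file names, the subject "example-user" and the password are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: round-trips a private key and its
# certificate through the PEM / P12 conversions in the cheatsheet and checks that
# nothing was lost on the way. File names, the subject and the export password
# are all made up for this example.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; this example needs it" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=pass:example-secret   # assumed P12 password (never hard-code a real one)

# 1. A throw-away RSA key and self-signed certificate stand in for a real
#    user key and certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-user" \
    -keyout "$WORK/dmcert.key" -out "$WORK/dmcert.crt" >/dev/null 2>&1

# 2. Bundle key and certificate into a P12 ("create a p12" above).
openssl pkcs12 -export -out "$WORK/dmcert.p12" \
    -inkey "$WORK/dmcert.key" -in "$WORK/dmcert.crt" -passout "$PASS"

# 3. Unpack again: certificate only (-nokeys) and key only (-nocerts); -nodes
#    leaves the extracted key unencrypted, so it needs the same care as the P12.
openssl pkcs12 -in "$WORK/dmcert.p12" -passin "$PASS" -nokeys -clcerts \
    -out "$WORK/from-p12.crt"
openssl pkcs12 -in "$WORK/dmcert.p12" -passin "$PASS" -nocerts -nodes \
    | openssl rsa -out "$WORK/from-p12.key" 2>/dev/null

# 4. "Convert to CRT" as in the cheatsheet only copies the PEM text under a
#    new name; -outform DER is what produces a binary certificate file.
openssl x509 -in "$WORK/dmcert.crt" -out "$WORK/renamed.crt"
openssl x509 -in "$WORK/dmcert.crt" -outform DER -out "$WORK/dmcert.der"

# SHA-256 fingerprint of a PEM certificate: a stable identity for comparisons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when the private key and the certificate carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeeds when the file is a PEM (text) certificate rather than DER.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

echo "original cert : $(cert_fingerprint "$WORK/dmcert.crt")"
echo "cert from p12 : $(cert_fingerprint "$WORK/from-p12.crt")"
key_matches_cert "$WORK/from-p12.key" "$WORK/from-p12.crt" && echo "extracted key matches extracted cert"
is_pem_cert "$WORK/renamed.crt" && echo "renamed.crt is still PEM"
is_pem_cert "$WORK/dmcert.der" || echo "dmcert.der is binary DER"
```

The fingerprint comparison is the quick way to confirm that a certificate pulled out of a P12 is the one you put in, and the public-key comparison catches the common mistake of pairing a key with the wrong certificate before it is handed to a server or a keystore.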

keytool

keytool ships with the JRE/JDK and manages keystores, whether they hold trusted CA certificates (truststores) or private keys.

To list the contents of a keystore:

keytool -list -v -keystore truststore.jks

To list trusted CAs:

keytool -storepass changeit -list -v -keystore truststore.jks | egrep Owner

To add a CA's PEM certificate to your existing truststore:

keytool -noprompt -trustcacerts -importcert -storepass changeit -file newca.pem -alias newca -keystore truststore.

To convert a JKS file (of trusted CA certs) to a P12 file:

keytool -importkeystore -srckeystore cacerts -destkeystore cacerts.p12 -deststoretype PKCS12

SSL with Java

Java reads the following system properties (usually passed to the JVM as -D flags) when making SSL connections:

javax.net.ssl.trustStore - The location of your truststore (defaults to jre/lib/certs)

javax.net.ssl.trustStorePassword - The password for the truststore (often changeit)

javax.net.ssl.keyStore - The location of your private key store, in JKS or P12 format

javax.net.ssl.keyStorePassword - The keystore password

javax.net.ssl.keyStoreType - Format of the keystore; set to PKCS12 if providing a raw P12 file

The keystore properties are only required when making an SSL connection to a server that expects to authenticate the client using its SSL certificate (client-certificate authentication); the truststore properties are needed whenever the server's CA is not in the default truststore. This document is very useful when debugging SSL connections:

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
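The script below is an added example (not from the original post) covering the keytool commands and the Java properties above in one run: it imports a throw-away CA certificate into a JKS truststore, converts the store to P12, reads the aliases and the certificate fingerprint back with keytool, cross-checks that fingerprint against openssl's view of the PEM file, and assembles the javax.net.ssl.* flags a Java client would be launched with. The CA subject "Example Corp CA", the alias "newca", the paths and the "changeit" password are assumptions made up for the example; the trailing -Djavax.net.debug=ssl is the JSSE debug property described in the linked document.

```shell
#!/bin/sh
# Added example, not from the original post: builds a truststore with keytool
# from a CA certificate in PEM form, converts it JKS -> P12, cross-checks the
# stored certificate with openssl, and assembles the javax.net.ssl.* system
# properties from the table above. The CA subject, alias, paths and the
# "changeit" password are made up for this example.
set -eu

for tool in openssl keytool; do
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "$tool not found; this example needs it" >&2
        exit 0
    fi
done

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STOREPASS=changeit   # the usual default noted in the table; change it in real deployments

# A throw-away "corporate CA" certificate stands in for a real one.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Corp CA" \
    -keyout "$WORK/ca.key" -out "$WORK/newca.pem" >/dev/null 2>&1

# Import the CA into a new JKS truststore (the "add a CA's PEM" command above;
# -storetype JKS because newer JDKs create PKCS12 stores by default).
keytool -noprompt -trustcacerts -importcert -storepass "$STOREPASS" -storetype JKS \
    -file "$WORK/newca.pem" -alias newca -keystore "$WORK/truststore.jks" >/dev/null 2>&1

# Convert the JKS truststore to P12 (the "convert a JKS file" command above).
keytool -importkeystore -srckeystore "$WORK/truststore.jks" -srcstorepass "$STOREPASS" \
    -destkeystore "$WORK/truststore.p12" -deststoretype PKCS12 \
    -deststorepass "$STOREPASS" >/dev/null 2>&1

# Aliases held in a keystore, one per line, taken from "keytool -list -v".
store_aliases() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Alias name: //p'
}

# SHA-256 fingerprint keytool reports for one alias in a keystore.
store_cert_sha256() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: //p'
}

# The same fingerprint computed by openssl from the PEM file, for cross-checking.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The -D properties a Java client needs: truststore always, keystore only when
# the server asks for a client certificate (second argument, a P12 file).
jvm_ssl_flags() {
    flags="-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$STOREPASS"
    if [ $# -ge 2 ]; then
        flags="$flags -Djavax.net.ssl.keyStore=$2 -Djavax.net.ssl.keyStorePassword=$STOREPASS -Djavax.net.ssl.keyStoreType=PKCS12"
    fi
    printf '%s\n' "$flags"
}

echo "aliases in JKS : $(store_aliases "$WORK/truststore.jks")"
echo "aliases in P12 : $(store_aliases "$WORK/truststore.p12")"
echo "keytool SHA256 : $(store_cert_sha256 "$WORK/truststore.p12" newca)"
echo "openssl SHA256 : $(cert_fingerprint "$WORK/newca.pem")"
echo "java $(jvm_ssl_flags "$WORK/truststore.jks") -Djavax.net.debug=ssl ..."
```

Comparing keytool's fingerprint with openssl's is a cheap way to be sure the certificate that ended up in the truststore is the one you meant to trust, which matters more than it sounds once a store has accumulated a few corporate CAs with similar names.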