SSL Cheatsheet

SSL Cheatsheet for Java
Posted: Mon 08 Jan, 2018, 12:07

Every time I have an SSL certificate issue, I find myself having to re-learn all the terminology
and concepts. It's an area of development that is reasonably complicated and yet infrequently
used - the worst possible combination, because it takes ages to get back up to speed again. So
this is my cheatsheet to help me get back up the learning curve a bit quicker next time, and
it may be of use to others as well.

It almost certainly has some errors, so please let me know if you spot anything.

Concepts

Private key - A cryptographic key, kept secret by its owner, that uniquely identifies an individual.
Certificate - Binds a cryptographic (public) key to an organisation's details.
Truststore - A store of certificates of trusted Certificate Authorities. Provided with a JRE, but often amended to include corporation-specific CAs. These are the CAs for the sites you are going to trust.
Keystore - Contains a private key and certificate for use when doing client-certificate authentication (sometimes called two-way SSL).

Formats

PEM - ASCII (Base64-encoded) format for certificates and/or private keys. A single file can contain more than one item. See doc

P12 - A binary container format (PKCS#12) for multiple cryptographic artifacts. It is often used to hold a user's private key together with their user certificate.

CRT - A common file extension for a digital certificate file, as used with a web browser.

JKS - A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.

Tools

openssl

openssl is the essential tool for generating and converting the many SSL-related
formats. Here are a few examples related to key management:

To inspect the contents of a P12 (private key and certificates):

openssl pkcs12 -in dmcert.p12 -info

To extract a PEM private key (and certificates) from a P12, leaving the key unencrypted so that no password is asked for later (-nodes):

openssl pkcs12 -out dmcert.pem -in dmcert.p12 -nodes

To generate a P12 from a PEM do:

openssl pkcs12 -export -in dmcert.pem -out dmcertgen.p12

And some examples to do with certificates. To validate and view the contents of a certificate:

openssl x509 -in my-org.pem -text

To write a PEM certificate out as a .crt file (note that without -outform DER the output is still PEM-encoded, just renamed):

openssl x509 -in my-org.pem -out my-org.crt

To extract the CA certificates from a P12 file as a PEM bundle, without any keys:

openssl pkcs12 -in cacerts.p12 -nokeys -out cacerts.pem

To extract the private key from a P12 file and write it in traditional RSA PEM format:

openssl pkcs12 -in dmcert.p12 -clcerts -nodes -nocerts | openssl rsa -out dmcert.key

To create a P12 from separate key and certificate files:

openssl pkcs12 -export -out dmcert.p12 -inkey dmcert.key -in dmcert.crt

keytool

keytool is a tool shipped with the JRE for creating and managing keystores, whether truststores or private key stores.

To list the contents of a keystore:

keytool -list -v -keystore truststore.jks

To list just the owners (subjects) of the trusted CAs:

keytool -storepass changeit -list -v -keystore truststore.jks | egrep Owner

To add a CA’s PEM to your existing truststore:

keytool -noprompt -trustcacerts -importcert -storepass changeit -file newca.pem -alias newca -keystore truststore.

To convert a JKS file (of trusted CA certs) to a P12 file:

keytool -importkeystore -srckeystore cacerts -destkeystore cacerts.p12 -deststoretype PKCS12

SSL with Java

Java reads the following system properties for SSL:

javax.net.ssl.trustStore - The location of your truststore (defaults to jre/lib/certs)
javax.net.ssl.trustStorePassword - The password for the truststore (often changeit)
javax.net.ssl.keyStore - The location of your private key store, in JKS or P12 format.
javax.net.ssl.keyStorePassword - The keystore password
javax.net.ssl.keyStoreType - Format of the keystore; set to PKCS12 if providing a raw P12 file

The keystore properties are only required when making an SSL connection to a server that expects to authenticate
the client using its SSL certificate. This document is very useful when debugging SSL connections:

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
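As an added example that is not part of the original post, here is the same configuration done in code rather than through the javax.net.ssl.* system properties: the P12 client keystore and the JKS truststore are loaded explicitly and an SSLContext is built from them. The file names, passwords and URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Two-way SSL client that builds its SSLContext from explicit stores
 *  instead of relying on the javax.net.ssl.* system properties. */
public class TwoWaySslClient {
    // Assumed file names and passwords for this example; "changeit" is the
    // conventional default truststore password mentioned in the cheatsheet.
    static final String KEYSTORE_PATH = "dmcert.p12";        // e.g. from "openssl pkcs12 -export ..."
    static final char[] KEYSTORE_PASSWORD = "keystore-password".toCharArray();
    static final String TRUSTSTORE_PATH = "truststore.jks";  // e.g. amended with "keytool -importcert ..."
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    static SSLContext buildSslContext() throws Exception {
        // Client identity (private key + certificate): the equivalent of javax.net.ssl.keyStore*
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE_PATH)) {
            keyStore.load(in, KEYSTORE_PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // A P12 exported by openssl protects its key entries with the same export password
        kmf.init(keyStore, KEYSTORE_PASSWORD);

        // Trust anchors (the CAs we accept): the equivalent of javax.net.ssl.trustStore*
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            trustStore.load(in, TRUSTSTORE_PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; the server's certificate must chain to a CA present in truststore.jks
        URL url = new URL("https://server.example/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(buildSslContext().getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " using " + conn.getCipherSuite());
    }
}
```

Running with -Djavax.net.debug=ssl (see the Oracle page above) shows the client certificate being sent and the chosen trust anchor, which is the quickest way to find out which of the two stores is misconfigured.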