Table of Contents
- Step 1: Server Certificate.
- Step 2: Importing the certificate and installing it at client side.
As the owner of the server, you have to create a certificate that uniquely identifies it. To create the certificate you can use the command line utility 'keytool', which ships with the Java JDK and JRE. The command we'll use is:
keytool -genkey -alias server-alias -keyalg RSA -keypass yourpassword -storepass yourpassword -keystore keystore.jks
Short summary of the keytool options used:
  -alias      Name given to your key; it should be unique for its purpose.
  -keyalg     Key-pair algorithm (RSA here).
  -keypass    Password protecting the private key of this entry.
  -storepass  Password protecting keystore.jks as a whole.
  -keystore   Name of the file that acts as the key repository.
After typing this command you will be prompted for the distinguished-name details of the certificate; answer accordingly. In the end, your key, called server-alias, is stored in the repository file keystore.jks. This entry in keystore.jks holds both the public and the private key. You now need to publish the public key to the world. Use the following command to extract the public key from the entry you created earlier.
keytool -export -alias server-alias -storepass yourpassword -file server.cer -keystore keystore.jks
The public key, packaged as a certificate, is stored in the file named server.cer. You can give this file to anyone who wants to connect to your server; it contains no private material.
You now have your public/private key pair.
Create an Identity in your TIBCO ActiveMatrix BusinessWorks project.
Choose the type Identity File. Provide the URL as the path to your keystore.jks.
On Windows the path "file://X:..." is not valid; you need to add an extra slash to make it "file:///X:...".
Give the filetype 'JKS' and password.
Save the identity.
1.2.2 HTTP Connection.
Create an HTTP Connection and use SSL.
Configure SSL with the identity you have created above.
These steps do not enable client authentication (mutual SSL); for one-way SSL this is all the server side needs.
Obtain server.cer, which the server owner makes publicly available.
Import the public certificate into your trust store.
The trust store is the repository of all certificates the client side trusts.
Use the command:
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass yourkeypass -storepass yourstorepass
Here all the values (-alias, -keypass, -storepass) are local to your trust store.
You need not worry about which values the server owner used when creating the key pair.
Before confirming the import, compare the certificate fingerprint keytool prints against one obtained from the server owner over a separate channel; that comparison is what stops a substituted certificate from being trusted.
Once this command succeeds, the public certificate is imported into the local keystore cacerts.jks.
Create an identity using the file cacerts.jks.
2.2.2 Certificate in PEM format
In the BusinessWorks project, import the public certificate using the menu option:
Tools>Trusted Certificates>Import into PEM format.
It is advisable to keep this certificate in a separate folder so that no unrelated files are processed.
Create an 'HTTP Send Request' activity and use SSL.
In its configuration, provide the client identity from 2.2.1 and the folder where you saved the PEM certificate from 2.2.2.
Hope this helps
Refer to this link for more details on keytool.
In addition to 'keytool', we can use openssl commands. The openssl program is available for both Windows and Linux platforms.
To create identities using openssl you can refer to the commands below.
Create a private key and a certificate signing request attached to that private key.
openssl req -new -newkey rsa:1024 -keyout (hostkey).pem -out (hostcsr).pem
This creates the private key file (hostkey).pem and its corresponding certificate request file (hostcsr).pem. By default openssl req encrypts the private key with a pass phrase it prompts you for (older releases use 3DES for this); note that 1024-bit RSA is considered weak today, and 2048 bits or more is the usual minimum.
To export the private key to PKCS#8 format, the following command will do:
openssl pkcs8 -topk8 -inform PEM -outform DER -in (private.key) -out (private).p8
To create the certificate chain, you need to get the file, (hostcsr).pem, signed by a certification authority. Here we will create our own certification authority and get (hostcsr).pem signed by it. To get an idea of how to create your own Certificate Authority, please refer to the steps at the end of this document. Assuming that we have created our own certification authority, the following command will sign (hostcsr).pem with ca certificate.
openssl ca -in (hostcsr).pem -out (host_signed.x509).pem
There are various formats available for the publication of certificates. We will use PKCS#12 and PKCS#7.
- PKCS#12 contains information about certificate chains as well as private keys.
- PKCS#7 contains information only about public certificate chains.
To convert (host_signed.x509).pem to PKCS#12 format, use the command:
openssl pkcs12 -export -in (host_signed.x509).pem -inkey (hostkey).pem -out cred.p12
To convert (host_signed.x509).pem to PKCS#7 format, the following command will do:
openssl crl2pkcs7 -nocrl -certfile (host_signed.x509).pem -out (host_signed.x509).p7b
The files obtained with the commands above can be used to set up SSL on both the client and the server side.
My own certification authority
The CA settings come from the openssl configuration file (/usr/lib/ssl/openssl.cnf on Debian-based systems; 'openssl version -d' prints the directory on any platform). The directory and file names below must match the [ CA_default ] section of that file; the stock file sets dir = ./demoCA, so either edit dir there or pass your own file with -config.
Assume that we want to set up our own CA in the directory /home/me/workspace/myca.
Create this directory structure:
go to myca - cd /home/me/workspace/myca
create the following files and directories in myca:
mkdir private (the CA private key resides here)
echo 00 > serial (this file keeps the sequence number of certificates signed by your CA; the number is incremented every time your CA signs a new certificate)
touch index.txt (database of signing activity, containing information about certificates previously signed by your CA)
The stock configuration also expects a newcerts directory (new_certs_dir) under the CA directory, where openssl ca stores a copy of each certificate it issues, so create it as well.
Create a self-signed private key and certificate:
openssl req -x509 -days 999 -newkey rsa:1024 -keyout private/cakey.pem -out cacert.pem
Use this CA to sign other certificates. cacert.pem is the CA's public certificate; it is the file clients need to import into their trust stores, while private/cakey.pem must never leave this directory.
Every time you want to sign a new certificate you need to come to this directory and issue the ca command:
openssl ca -in (path to hostcsr.pem) -out (path to host_signed.x509.pem)
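The CA procedure above written out as a non-interactive script (an added example, not code from the original page): it builds the myca layout with a minimal ca.cnf, creates the self-signed CA, issues a host certificate from a CSR, and then runs the check a client should make before importing a certificate into its trust store (the same check that applies before keytool -import in step 2): the chain verifies against cacert.pem and the SHA-256 fingerprint can be compared with the value published out of band. The host name demo.example, the config contents and the unencrypted (-nodes) keys are assumptions for the demo.

```shell
# Added example, not from the original page: the openssl CA procedure above run
# end to end without prompts. Names follow the text (myca, private/cakey.pem,
# cacert.pem, hostcsr.pem, host_signed.pem); the minimal ca.cnf, the host name
# demo.example and the unencrypted (-nodes) keys are assumptions for the demo.
set -e
# CA layout ($1 = work dir); paths must match [ CA_default ] or 'openssl ca' fails.
setup_ca() {
  mkdir -p "$1/myca/private" "$1/myca/newcerts"
  cd "$1/myca"
  echo 00 > serial   # serial number of the next certificate the CA signs
  touch index.txt    # database of certificates already signed
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed CA key and certificate (the text's cacert.pem)
  openssl req -x509 -days 999 -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=My Demo CA" -keyout private/cakey.pem -out cacert.pem
}
# Host key and CSR, then have the CA sign the CSR (run inside myca).
issue_host_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=demo.example" -keyout hostkey.pem -out hostcsr.pem
  openssl ca -batch -days 365 -config ca.cnf -in hostcsr.pem -out host_signed.pem
}
# Client-side check before importing: chains to our CA, and the printed SHA-256
# fingerprint must match the value the server owner published out of band.
verify_host_cert() {
  openssl verify -CAfile cacert.pem host_signed.pem
  openssl x509 -in host_signed.pem -noout -fingerprint -sha256
}
```

Run it as `WORK=$(mktemp -d); (setup_ca "$WORK" && issue_host_cert && verify_host_cert)`; the issued certificate also appears under newcerts/ and as a new 'V' line in index.txt.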