Keystore management - Part II

In Part I we discussed how you can create a signed certificate for your web server; there we got the certificate signed by the VeriSign trial CA. This post discusses how you can create your own CA and sign the certificate yourself. In other words, this post simply replaces steps 4, 5 & 6 of Part I.

Here we use OpenSSL to build the required CA infrastructure. For Windows you can download Win32 OpenSSL v0.9.8g from here. Once installed, make sure you add C:\OpenSSL\bin [i.e. [INSTALLED_LOCATION]\bin] to the PATH env variable. The commands below are the same on Linux or macOS with a stock OpenSSL.

1. First we need to create a private key for our CA

openssl genrsa -des3 -out CA_key.pem 2048

This creates a 2,048-bit RSA private key. With the -des3 switch we ask for the key file to be encrypted with a pass phrase, so during key generation you'll be prompted to enter one. Anyone holding this file and its pass phrase can issue certificates in your CA's name, so keep it off the web server and out of your source tree.

2. Now we need to create a public-key certificate for our CA with the private key generated in step 1

openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.pem

With the -x509 switch we ask for a self-signed X.509 certificate instead of a certificate request, and the -days switch sets its expiration date. During certificate generation you'll be asked a few questions that populate the subject name of the certificate. With the stock openssl.cnf, a certificate created this way carries the basicConstraints CA:TRUE extension, which is what lets clients accept it as a trust anchor; you can confirm that by printing the certificate in text form.

3. All set..! Now you can sign your certificate which you created for your web server in Part I.

If you followed the steps up to 3 in Part I, you'll have the Certificate Signing Request with you --> csr-for-mycert.pem

You may recall that this is the file we submitted to the VeriSign Trial CA in Part I. Now we use the same CSR to create a certificate signed by our own CA:

openssl x509 -req -days 365 -in csr-for-mycert.pem -CA CA_cert.pem -CAkey CA_key.pem -CAcreateserial -out SignedCert.pem

This outputs SignedCert.pem, your signed certificate: its subject is the one from the CSR and its issuer is now the subject of CA_cert.pem.

With the -CAcreateserial switch we enable unique assignment of serial numbers to the certificates our CA issues. Since this is the first certificate issued by our CA, a new file (CA_cert.srl) is created holding the next serial number to use. With the 0.9.8 release used here, the first certificate gets serial number "01" and the file is written containing "02"; later OpenSSL releases instead start from a random serial number, which is the recommended practice, since a serial number must be unique per CA and should not be predictable. When issuing subsequent certificates we point at that file with -CAserial:

openssl x509 -req -days 365 -in csr-for-mycert2.pem -CA CA_cert.pem -CAkey CA_key.pem -CAserial CA_cert.srl -out new_SignedCert.pem

4. Import root CA certificate to the keystore

This replaces steps 5 & 6 of Part I. There is no counterpart to step 6, since our CA has no intermediate certificate: the root signs the server certificate directly.

So, let's add our CA root certificate to the keystore as a trusted certificate entry [remember - we created a keystore in Part I]. Pick an alias that is not already in the keystore; if you completed Part I, verisigndemocert is taken, so we use myca here:

keytool -import -v -noprompt -trustcacerts -alias myca -file CA_cert.pem -keystore mykeystore.jks -storepass mystorepassword

5. Now, let's add the signed certificate to our keystore.

It must be imported under the same alias as the key pair we generated in Part I (mycert). keytool then treats the file as a certificate reply, checks that it chains to a certificate the keystore already trusts (our CA, from step 4) and replaces the self-signed certificate in the key entry with the chain SignedCert -> CA_cert. Importing it under a new alias would only add another trusted-certificate entry and leave the server's key entry with its self-signed certificate.

keytool -import -v -alias mycert -file SignedCert.pem -keystore mykeystore.jks -keypass mypkpassword -storepass mystorepassword

Listing the keystore as in step 2 of Part I should now show "Certificate chain length: 2" for the mycert entry; if it still says 1, the reply was not matched to the key.

Keystore management - Part I

A keystore is a file that holds your keys and certificates, protected by passwords: each private key is encrypted with its own key password, and the store password protects the integrity of the file as a whole. In other words, a keystore is like a hashtable: an alias identifies each entry, and the entry is either a private key together with its certificate chain or a trusted certificate.

Make sure you have installed Java and added C:\Program Files\Java\jdk1.5.0_06\bin [i.e. JAVA_HOME\bin] to your PATH env variable.

This post covers all you need to create a keystore. Let's move step by step.

1. Create a private key

This is the first thing you need to do. keytool -genkey creates an RSA key pair and a self-signed certificate for it in one go.

keytool -genkey -alias mycert -keyalg RSA -keysize 1024 -dname "CN=localhost,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass mypkpassword -keystore mykeystore.jks -storepass mystorepassword

CN --> Common Name
OU --> Organizational Unit
O --> Organization
L --> Locality
S --> State or province (keytool also accepts ST, and prints it back as ST)
C --> Country

This generates an RSA key pair plus a self-signed certificate and stores them as a single key entry in the given keystore [mykeystore.jks]. If you don't have a keystore yet, the above will create a new one for you. The command uses a 1024-bit key; 1024-bit RSA is no longer accepted by browsers or public CAs, so use -keysize 2048 for anything beyond a throwaway test.

Also note the two parameters -keypass and -storepass: -keypass is the password used for your private key and -storepass is the password used for the keystore.

Once you execute the above command a new file named mykeystore.jks is created at your current location - that is your keystore.

2. View what is in your keystore

In step 1 we created a keystore and added our key entry to it. Let's see what it actually holds.

keytool -list -v -keystore mykeystore.jks -storepass mystorepassword

You'll get something like this as the output.

==================================================================================
Your keystore contains 1 entry

Alias name: mycert
Creation date: Mar 27, 2008
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Issuer: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Serial number: 47eb5684
Valid from: Thu Mar 27 14:10:44 LKT 2008 until: Wed Jun 25 14:10:44 LKT 2008
Certificate fingerprints:
MD5: 4E:32:22:91:F5:64:FF:4D:C5:A9:F4:29:C5:5C:11:AB
SHA1: E0:E1:33:D3:1E:62:30:5B:29:E7:76:A0:B6:45:AF:D4:7E:39:8D:23
===================================================================================

3. Create Certificate Signing Request (CSR)

Now we need to get our certificate signed by a Certificate Authority (CA). To do that we need to create a CSR.

keytool -certreq -v -alias mycert -file csr-for-mycert.pem -keypass mypkpassword -storepass mystorepassword -keystore mykeystore.jks

This writes csr-for-mycert.pem to your current location; this is the CSR you hand to the CA for signing. It carries the public key and the subject name, signed with your private key, but not the private key itself, so it is safe to send.

4. Get signed by a CA

You can get this done at the VeriSign Trial CA, which signs your certificate with a validity of only 14 days.

Follow the wizard there and, when asked for the CSR, open csr-for-mycert.pem in Notepad, copy the text and paste it into the appropriate field on the wizard page.

==================================================================================
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmTCCAQICAQAwWTELMAkGA1UEBhMCTEsxCzAJBgNVBAgTAldTMQswCQYDVQQHEwJTTDENMAsG
A1UEChMESG9tZTENMAsGA1UECxMESG9tZTESMBAGA1UEAxMJbG9jYWxob3N0MIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQCmLlMusTGJ65RKKCRfR2RfLqtQb/o9G03n5Q32hFwi0pP5cherYxyQ
TYA4NK0CcaE3cJ4UC8GsjcNTFV4AfrOtGiC185CyY6FjHkjyrkYCi7FmAQIHoDfaUCCG1gx/jnv+
jWfopsgVU954mxoykP4zS/xdxb4u0fOZ27tn6xEZ+QIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA
VHQ63R83Q1ylODuXGrPHrlOM7EhzZLJTPLKsa3JOmFp5y+WILqujPYfqH7J8Rc2pH6M1+EFlVHE6
tP1vksj+rXssksXVjyUyHTsHsnz4FqtVxA0oXKEa3zBrB+qxHLLuwYycTWHXyZ4YPZtrv8oGaFYX
GdWiMlITQ9qM+OW7ulc=
-----END NEW CERTIFICATE REQUEST-----
==================================================================================

5. Importing CA root certificate.

Once you complete the wizard in step 4, within a few minutes you'll receive an email from VeriSign with the signed certificate.

Before adding it to the keystore we need to add the CA root certificate, because keytool accepts a certificate reply only if it chains to a certificate the keystore already trusts.

You can get the VeriSign's root certificate from here.

Copy all the text from there to a new file and name it as verisign-demo-root-cert.pem.

Now, let's add it to our keystore.

keytool -import -v -noprompt -trustcacerts -alias verisigndemocert -file verisign-demo-root-cert.pem -keystore mykeystore.jks -storepass mystorepassword

6. Importing Intermediate CA Certificate.

You can get the VeriSign's intermediate CA certificate from here.

As in step 5, copy the text from there to a new file and name it verisign-demo-root-im-cert.pem.

Let's add it to our keystore, as well.

keytool -import -v -noprompt -trustcacerts -alias verisigndemoimcert -file verisign-demo-root-im-cert.pem -keystore mykeystore.jks -storepass mystorepassword

7. Import signed certificate

All set now, let's import our signed certificate into the keystore.

You can find the certificate at the bottom of the email you received from VeriSign.

==================================================================================
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
==================================================================================

Copy the text from there to a new file and name it mysignedcert.pem.

Now, let's add the signed certificate to our keystore. Note the alias: it is mycert, the same alias as the key pair from step 1, which is what makes keytool treat the file as a certificate reply for that key rather than as yet another trusted certificate.

keytool -import -v -alias mycert -file mysignedcert.pem -keystore mykeystore.jks -keypass mypkpassword -storepass mystorepassword

All done - now you have a keystore with your own certificate signed by a CA. Listing it as in step 2 should show the mycert entry with "Certificate chain length: 3" (your certificate, the intermediate and the root).
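The whole flow of both posts end to end, as an added example that is not part of either post: keytool creates the keystore and the CSR (Part I, steps 1 and 3), a private OpenSSL CA built as in Part II steps 1-3 signs it, and the root and the reply are imported back (Part II steps 4-5, i.e. Part I steps 5 and 7). It assumes a POSIX shell with openssl on the PATH and, for the keytool part only, a JDK; if keytool is missing, an openssl-made CSR stands in and the keystore part is skipped. The CA subject "Home Test CA", the alias myca, the two config files and the extension settings are assumptions. It goes beyond the posts in two ways: the certificates get explicit basicConstraints/keyUsage/subjectAltName extensions, and the result is checked with openssl verify and with the chain length keytool reports.

```shell
#!/bin/sh
# Added example (not from the posts): private CA + keytool keystore round trip.
# Assumed: openssl on PATH; keytool (JDK) for the keystore part. File names,
# aliases and passwords are the posts' own except myca, the CA subject and
# the two config files written below.
set -eu

KS=mykeystore.jks
STOREPASS=mystorepassword
KEYPASS=mypkpassword
SUBJ="/CN=localhost/OU=Home/O=Home/L=SL/ST=WS/C=LK"

# Part II steps 1-2: CA key and self-signed CA certificate. -des3 is left out
# so the script runs unattended; a real CA key stays pass-phrase protected.
# The config marks the certificate as a CA explicitly instead of relying on
# whatever v3_ca section the local openssl.cnf happens to provide.
build_ca() {
    openssl genrsa -out CA_key.pem 2048
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Home Test CA
O = Home
C = LK
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -key CA_key.pem -x509 -days 365 -config ca.cnf -out CA_cert.pem
}

# Part II step 3: sign CSR $1 into certificate $2. -CAcreateserial writes
# CA_cert.srl on first use. The extension file adds what the post's command
# omits: the leaf is not a CA, is for server auth, and names the host in
# subjectAltName, which is what browsers match against (not CN).
sign_csr() {
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:localhost' > leaf_ext.cnf
    openssl x509 -req -days 365 -in "$1" -CA CA_cert.pem -CAkey CA_key.pem \
        -CAcreateserial -extfile leaf_ext.cnf -out "$2"
}

# The check neither post runs: does certificate $1 chain to our CA?
# The exit status is the answer, so callers can use it in a condition.
verify_cert() {
    openssl verify -CAfile CA_cert.pem "$1" >/dev/null
}

# Part I steps 1 and 3, then Part II steps 4 and 5, with keytool. The reply
# MUST go in under the key entry's alias (mycert): a different alias creates
# a separate trusted-cert entry and leaves the key entry self-signed.
keystore_round_trip() {
    rm -f "$KS"
    keytool -genkey -storetype JKS -alias mycert -keyalg RSA -keysize 2048 \
        -dname "CN=localhost,OU=Home,O=Home,L=SL,ST=WS,C=LK" \
        -keypass "$KEYPASS" -keystore "$KS" -storepass "$STOREPASS"
    keytool -certreq -alias mycert -file csr-for-mycert.pem \
        -keypass "$KEYPASS" -keystore "$KS" -storepass "$STOREPASS"
    sign_csr csr-for-mycert.pem SignedCert.pem
    keytool -import -noprompt -trustcacerts -alias myca -file CA_cert.pem \
        -keystore "$KS" -storepass "$STOREPASS"
    keytool -import -noprompt -alias mycert -file SignedCert.pem \
        -keypass "$KEYPASS" -keystore "$KS" -storepass "$STOREPASS"
}

# Chain length keytool reports for the key entry: 1 means it is still
# self-signed, 2 means the CA-signed reply replaced it.
chain_length() {
    keytool -list -v -alias mycert -keystore "$KS" -storepass "$STOREPASS" \
        | sed -n 's/^Certificate chain length: *//p'
}

cd "$(mktemp -d)"
build_ca
# An openssl-made CSR stands in for keytool's where no JDK is installed.
openssl genrsa -out server_key.pem 2048
openssl req -new -key server_key.pem -config ca.cnf -subj "$SUBJ" -out csr-for-mycert.pem
sign_csr csr-for-mycert.pem SignedCert.pem
verify_cert SignedCert.pem
echo "SignedCert.pem chains to CA_cert.pem"
if command -v keytool >/dev/null 2>&1; then
    keystore_round_trip
    echo "chain length after import: $(chain_length)"
fi
```

Everything runs in a fresh temporary directory, so it never touches a real keystore. The two things worth carrying back to the posts' own commands are the extension file passed with -extfile (without it the server certificate has no subjectAltName and modern browsers reject it for the host name) and the final chain-length check, which is the quickest way to tell a correctly installed reply from a stray trusted-certificate entry.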

Identity Interop begins....!

Most of the participants of RSA 2008 have hosted their end points by now.

We have hosted our WSO2 Identity Solution at https://is.test.wso2.org.

WSO2 acts as both an Information Card provider with SAML 2.0 support and an OpenID Provider.

Once you visit the above URL you can register yourself either with a self-issued Information Card [password-less login] or by providing a user name/password. Once you are a registered user, you are automatically assigned an OpenID, which can be used at any OpenID RP. Also, once you have logged in you can download an OpenID Information Card corresponding to your default profile.

WSO2 relying party end point is available at https://is.test.wso2.org/javarp.