
Friday, March 28, 2008

Keystore management - Part II

In Part I we discussed how to create a signed certificate for your web server; there we got the certificate signed by the VeriSign trial CA. This post discusses how to create your own CA, so that you can sign your certificate yourself. In other words, this post simply replaces steps 4, 5 & 6 of Part I.

Here we use OpenSSL to build the required CA infrastructure. For Windows you can download Win32 OpenSSL v0.9.8g from here. Once installed, make sure you add C:\OpenSSL\bin [i.e. [INSTALLED_LOCATION]\bin] to the PATH env variable.

1. First we need to create a private key for our CA

openssl genrsa -des3 -out CA_key.pem 2048

This creates a 2,048-bit RSA private key. The -des3 switch tells OpenSSL to encrypt the private key with a pass phrase, so during key generation you'll be prompted to enter one.

2. Now we need to create a public-key certificate for our CA with the private key generated in step 1

openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.pem

The -x509 switch asks for a self-signed X.509 certificate instead of a certificate request, and the -days switch sets how long the generated certificate is valid. During certificate generation you'll be asked a few questions to populate the certificate's subject information.

3. All set..! Now you can sign the certificate you created for your web server in Part I.

If you followed the steps up to step 3 of Part I you'll have the Certificate Signing Request with you --> csr-for-mycert.pem

You may recall this is the file we submitted to the VeriSign Trial CA to get our certificate signed in Part I. Now we use the same CSR to create a signed certificate with our own CA:

openssl x509 -req -days 365 -in csr-for-mycert.pem -CA CA_cert.pem -CAkey CA_key.pem -CAcreateserial -out SignedCert.pem

This will output SignedCert.pem, which is your signed certificate.

With the -CAcreateserial switch we ask OpenSSL to assign a unique serial number to each certificate our CA issues. Since this is the first certificate issued by our CA, a new serial-number file is created next to the CA certificate (OpenSSL names it after the CA certificate with an .srl extension, so CA_cert.srl here), containing the number "02", which is the next serial number to be used when the next certificate is issued (serial number "01" was used by the first certificate). So when issuing subsequent certificates we should use the following command, which points -CAserial at that file so the counter keeps incrementing:

openssl x509 -req -days 365 -in csr-for-mycert2.pem -CA CA_cert.pem -CAkey CA_key.pem -CAserial CA_cert.srl -out new_SignedCert.pem

4. Import root CA certificate to the keystore

This replaces steps 5 & 6 of Part I. Here there is no counterpart to step 6, because our CA has no intermediate certificate: the root certificate signs the server certificate directly.

So, let's add our CA root certificate to the keystore [remember - we created a keystore in Part I]

keytool -import -v -noprompt -trustcacerts -alias verisigndemocert -file CA_cert.pem -keystore mykeystore.jks -storepass mystorepassword

5. Now, let's add the signed certificate to our keystore. The alias must be the one the private key was generated under in Part I (mycert): that is what makes keytool treat the file as a CA reply and attach it to your private key. With any other alias, keytool stores the file as a separate trusted-certificate entry and your key entry keeps its self-signed certificate.

keytool -import -v -alias mycert -file SignedCert.pem -keystore mykeystore.jks -keypass mypkpassword -storepass mystorepassword

Thursday, March 27, 2008

Keystore management - Part I

A keystore is a file that holds your keys and certificates, protected by a password. You can think of it as a hashtable: each entry is identified by an alias and holds a certificate, or a private key together with its certificate chain.

Make sure you have installed Java and added C:\Program Files\Java\jdk1.5.0_06\bin [i.e. JAVA_HOME\bin] to your PATH env variable.

This post covers all what you need to create a keystore. Let's move step by step.

1. Create a private key

This is the first thing you need to do.

keytool -genkey -alias mycert -keyalg RSA -keysize 1024 -dname "CN=localhost,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass mypkpassword -keystore mykeystore.jks -storepass mystorepassword

CN --> Common Name
OU --> Organizational Unit
O --> Organization
L --> Locality
S --> State
C --> Country

This generates an RSA key pair together with a self-signed certificate and stores them under the alias mycert in the given keystore [mykeystore.jks]. If the keystore does not exist yet, the command creates it for you. (1,024-bit RSA keys were common in 2008; today 2,048 bits is the minimum you should use.)

Also note the two parameters -keypass and -storepass. -keypass is the password used for your private key and -storepass is the password used for the keystore.

Once you have executed the above command, a new file named mykeystore.jks will be created in your current directory - that is your keystore.

2. View what is in your keystore

In step 1, we created a keystore and added our private key to the keystore. Let's see what it actually has.

keytool -list -v -keystore mykeystore.jks -storepass mystorepassword

You'll get something like this as the output.

Your keystore contains 1 entry

Alias name: mycert
Creation date: Mar 27, 2008
Entry type: keyEntry
Certificate chain length: 1
Owner: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Issuer: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Serial number: 47eb5684
Valid from: Thu Mar 27 14:10:44 LKT 2008 until: Wed Jun 25 14:10:44 LKT 2008
Certificate fingerprints:
MD5: 4E:32:22:91:F5:64:FF:4D:C5:A9:F4:29:C5:5C:11:AB
SHA1: E0:E1:33:D3:1E:62:30:5B:29:E7:76:A0:B6:45:AF:D4:7E:39:8D:23

3. Create Certificate Signing Request (CSR)

Now we need to get our certificate signed by a Certificate Authority (CA). To do that we need to create a CSR.

keytool -certreq -v -alias mycert -file csr-for-mycert.pem -keypass mypkpassword -storepass mystorepassword -keystore mykeystore.jks

This writes csr-for-mycert.pem to your current directory - this is the CSR you need to provide to the CA for signing.

4. Get signed by a CA

You can get this done through the VeriSign Trial CA, which signs your certificate with a validity of only 14 days.

Follow the wizard there and when asked for the CSR, open the file csr-for-mycert.pem in Notepad, copy the text and paste it into the appropriate field on the wizard page.


5. Importing CA root certificate.

Once you have completed the wizard in step 4, within a few minutes you'll receive an email from VeriSign with the signed certificate.

Before adding it to the keystore, in this case, we need to add the CA root certificate to the keystore first, so that keytool can validate the chain of the CA reply when it is imported.

You can get the VeriSign's root certificate from here.

Copy all the text from there into a new file and name it verisign-demo-root-cert.pem.

Now, let's add it to our keystore.

keytool -import -v -noprompt -trustcacerts -alias verisigndemocert -file verisign-demo-root-cert.pem -keystore mykeystore.jks -storepass mystorepassword

6. Importing Intermediate CA Certificate.

You can get the VeriSign's intermediate CA certificate from here.

As in step 5, copy the text from there into a new file and name it verisign-demo-root-im-cert.pem.

Let's add it to our keystore, as well.

keytool -import -v -noprompt -trustcacerts -alias verisigndemoimcert -file verisign-demo-root-im-cert.pem -keystore mykeystore.jks -storepass mystorepassword

7. Import signed certificate

All set now, let's import our signed certificate into the keystore.

You can find the certificate at the bottom of the email you received from VeriSign.


Copy the text from there into a new file and name it mysignedcert.pem

Now, let's add the signed certificate to our keystore. Note that the alias is mycert, the same alias the private key was generated under in step 1; that is what makes keytool treat the file as a CA reply and attach it to your private key instead of storing it as a separate trusted certificate.

keytool -import -v -alias mycert -file mysignedcert.pem -keystore mykeystore.jks -keypass mypkpassword -storepass mystorepassword

All done - now you have a keystore with your own certificate signed by a CA.
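A check for the final step of both posts (step 7 of Part I, step 5 of Part II), as an added example that is not code from the original posts: after importing the CA reply, the key entry's certificate should no longer be self-signed. If the signed certificate was imported under a different alias, keytool adds it as a separate trusted entry and the key entry keeps the self-signed certificate from step 1. The script below parses the output format of keytool -list -v (as shown in step 2) and reports private-key entries whose leaf certificate still has Owner equal to Issuer. The listing embedded in it is constructed from that format, not real keytool output, and the CA name in it is made up.

```shell
#!/bin/sh
# Added example: flag key entries that are still self-signed in a keytool
# listing. Assumes only POSIX sh and awk; keytool is needed only by
# check_keystore. The sample listing is constructed for the demo.
set -e

# Constructed listing: 'mycert' had its CA reply imported under the wrong
# alias (so it is still self-signed and the reply became a trusted entry),
# while 'othercert' was imported correctly and now carries a 2-cert chain.
SAMPLE_LISTING='Your keystore contains 3 entries

Alias name: mycert
Creation date: Mar 27, 2008
Entry type: keyEntry
Certificate chain length: 1
Owner: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Issuer: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Serial number: 47eb5684

*******************************************

Alias name: mysignedcert
Creation date: Mar 28, 2008
Entry type: trustedCertEntry
Owner: CN=localhost, OU=Home, O=Home, L=SL, ST=WS, C=LK
Issuer: CN=Home Demo CA, O=Home, C=LK
Serial number: 01

*******************************************

Alias name: othercert
Creation date: Mar 28, 2008
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=other, OU=Home, O=Home, L=SL, ST=WS, C=LK
Issuer: CN=Home Demo CA, O=Home, C=LK
Certificate[2]:
Owner: CN=Home Demo CA, O=Home, C=LK
Issuer: CN=Home Demo CA, O=Home, C=LK
'

# Reads a keytool -list -v listing on stdin and prints "<alias> <chain length>"
# for every private-key entry whose leaf certificate is self-signed.
# Only the first Owner/Issuer pair after an alias is used, so entries with
# multi-certificate chains (Certificate[1], Certificate[2], ...) are judged
# by their leaf, not by the self-signed root at the end of the chain.
# Both the old "keyEntry" and the newer "PrivateKeyEntry" labels are handled.
find_self_signed_key_entries() {
    awk '
        function flush() {
            if (alias != "" && (type == "keyEntry" || type == "PrivateKeyEntry") && owner == issuer)
                print alias, chainlen
            alias = ""; type = ""; owner = ""; issuer = ""; chainlen = "?"
        }
        BEGIN                         { chainlen = "?" }
        /^Alias name: /               { flush(); alias = substr($0, 13) }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { chainlen = substr($0, 27) }
        /^Owner: /                    { if (owner == "")  owner  = substr($0, 8) }
        /^Issuer: /                   { if (issuer == "") issuer = substr($0, 9) }
        END                           { flush() }
    '
}

# Run the check over the constructed listing (what the test exercises).
check_sample_listing() {
    printf '%s\n' "$SAMPLE_LISTING" | find_self_signed_key_entries
}

# Run the check over a real keystore (needs keytool on the PATH).
check_keystore() {   # $1 = keystore file, $2 = store password
    keytool -list -v -keystore "$1" -storepass "$2" | find_self_signed_key_entries
}
```

For the constructed listing, check_sample_listing prints "mycert 1": the entry whose CA reply never reached the private key. An empty result after step 7 means every key entry now chains to a CA.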

Friday, March 14, 2008

Identity Interop begins....!

Most of the participants of RSA 2008 have hosted their end points by now.

We have hosted our WSO2 Identity Solution at

WSO2 acts as both an Information Card provider with SAML 2.0 support and an OpenID Provider.

Once you visit the above URL you can register yourself either with a self-issued Information Card [password-less login] or by providing a username/password. Once you are a registered user, you are automatically assigned an OpenID - which can be used at any OpenID RP. Also, once you have logged in you can download an OpenID Information Card corresponding to your default profile.

WSO2 relying party end point is available at