Generating Self-signed Certificates for Mutual Authentication in Java
This post is a follow up to my previous post on Generating Self-Signed Certificate for use in Java. This post will follow many of the same steps, but will show you how to generate both server and client certificates for use with mutual authentication (Two-Way SSL). Once again we will be using OpenSSL and Java Keytool.
1) Create private keys using OpenSSL
openssl genrsa -out server-private.pem 2048
openssl genrsa -out client-private.pem 20482) Create self-signed X509 certificates
openssl req -new -x509 -key server-private.pem -out server-certificate.pem -days 365
openssl req -new -x509 -key client-private.pem -out client-certificate.pem -days 365Country Name (2 letter code) []: US
State or Province Name (full name) []: South Carolina
Locality Name (eg, city) []: Charleston
Organization Name (eg, company) []: Red Hat
Organizational Unit Name (eg, section) []: Consulting
Common Name (eg, YOUR name) []: HOSTNAME
Email Address []:.If you want to avoid having to manually enter all of this information each time, you can use the subj argument and pass all of the relevant information in to OpenSSL. If you use the subj argument, the command will look like this:
openssl req -new -x509 -key server-private.pem -out server-certificate.pem -days 365 -subj "/C=US/ST=South Carolina/L=Charleston/O=Red Hat/OU=Consulting/CN=localhost"
3) Create JKS trust stores
In order to use our keys and certificates in Java applications we need to import them into keystores.
keytool -importcert -trustcacerts -keystore server_truststore.jks -storetype jks -storepass <server_truststore_password> -file client-certificate.pem
keytool -importcert -trustcacerts -keystore client_truststore.jks -storetype jks -storepass <client_truststore_password> -file server-certificate.pem
4) Create PKCS12 keystores and import the certificates
Java's keytool application will not let us import an existing private key into a keystore. The workaround to this problem is to combine the private key with the certificate into a pkcs12 file and then import this pkcs12 keystore into a regular keystore.
openssl pkcs12 -export -inkey server_private.pem -in server-certificate.pem -out server.p12
openssl pkcs12 -export -inkey client_private.pem -in client-certificate.pem -out client.p12
5) Convert the PKCS12 keystores to Java keystores using Java keytool
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks –deststoretype jks
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks –deststoretype jksEnter destination keystore password:<br />
Re-enter new password:<br />
Enter source keystore password:<br />
Entry for alias 1 successfully imported.<br />
Import command completed: 1 entries successfully imported, 0 entries failed or cancelledIf nothing went wrong, you should have 2 new keystore files: server.jks & client.jks.
6) Configure server
Depending on how you are using your keys, you will now need to configure your server. The file server.jks contains your servers self signed certificate, and the file server_truststore.jks contains your servers trust store that trusts your client certificate.
For an example of how to configure SSL using an Embedded Jetty server, see Using SSL with Embedded Jetty
7) Configure client
Depending on how you are using your keys, you will now need to configure the client. The file client.jks contains your servers self signed certificate, and the file client_truststore.jks contains your clients trust store that trusts your server certificate.
If your are going to be using a browser as the client, then you will want to import the client.p12 file into your browser.
References
- http://www.openssl.org/docs/HOWTO/
- http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html