How to install SSL certificates
Instructions on how to install SSL certificates and other SSL tips.
Tip #1 : How to create an SSL certificate for Java
Following these instructions you will be able to install, in your local keystore, the SSL certificates that your application needs in order to connect to a remote server over SSL. First download and unzip the archive InstallCert from http://opentox.ntua.gr/files/InstallCert.zip. Open a terminal and type:
mkdir InstallCert
cd InstallCert
wget http://opentox.ntua.gr/files/InstallCert.zip
unzip InstallCert.zip
Then export your JAVA_HOME variable (customize the following line according to your Java installation directory):
export JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.24/
Now assume you need to download the SSL certificate of the server at https://server.com and add it to your local repository. Run:
java InstallCert server.com:443
Repeat the same to add more SSL certificates. For example run:
java InstallCert ambit.uni-plovdiv.bg:8443
These commands create a file called jssecacerts in the current directory and update it every time you add another certificate. Copy this file to your Java security folder (usually $JAVA_HOME/jre/lib/security). Do:
sudo cp jssecacerts $JAVA_HOME/jre/lib/security
And now your Java applications will be able to connect over SSL to the servers whose certificates you added.
OpenTox lists the following SSL certificates:
- The AMBIT certificate for ambit.uni-plovdiv.bg:8443
- The OpenSSO server certificate at opensso.in-silico.ch
Tip: In order to create a jssecacerts file for these servers run sequentially:
java InstallCert opensso.in-silico.ch
java InstallCert ambit.uni-plovdiv.bg:8443
And, as already explained, move the file to your Java security folder (yes, a single file is created, not two). That should be enough for any Java-based client to access protected resources in OpenTox (e.g. Q-edit).
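InstallCert trusts whatever certificate the server presents on that first connection, so anyone able to intercept that one connection could plant their own certificate in jssecacerts. The following is an added example, not part of the original post or of InstallCert: it fetches the server's certificate the same way, but only imports it into ./jssecacerts after its SHA-256 fingerprint matches a value you obtained out of band (EXPECTED_SHA256 is a placeholder you must fill in; "changeit" is assumed as the keystore password, the JSSE default; Java 7 or later is assumed for try-with-resources). Usage mirrors InstallCert: java VerifiedInstallCert host[:port].

```java
import java.io.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class VerifiedInstallCert {
    // Placeholder (hypothetical): the SHA-256 fingerprint the server's operator gave you out of band.
    static final String EXPECTED_SHA256 = "PLACEHOLDER:FINGERPRINT:OBTAINED:OUT:OF:BAND";
    // Colon-separated uppercase hex, the same form keytool -list -v prints.
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) sb.append(i > 0 ? ":" : "").append(String.format("%02X", d[i]));
        return sb.toString();
    }
    // Capture the chain the server presents without trusting it; trust is decided in main, by fingerprint.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return seen[0];
    }
    public static void main(String[] args) throws Exception {
        String[] hp = args[0].split(":");
        String host = hp[0]; int port = hp.length > 1 ? Integer.parseInt(hp[1]) : 443;
        X509Certificate leaf = fetchChain(host, port)[0];
        leaf.checkValidity();  // refuse a certificate that is expired or not yet valid
        String fp = sha256Fingerprint(leaf);
        System.out.println("Subject: " + leaf.getSubjectX500Principal() + "\nSHA-256: " + fp);
        if (!fp.equalsIgnoreCase(EXPECTED_SHA256)) {
            System.err.println("Fingerprint mismatch: not importing. Check the value out of band first.");
            System.exit(1);
        }
        // Add to ./jssecacerts, creating it if absent; "changeit" is the JSSE default, change it if yours differs.
        File f = new File("jssecacerts");
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (f.exists()) { try (InputStream in = new FileInputStream(f)) { ks.load(in, pw); } } else { ks.load(null, pw); }
        ks.setCertificateEntry(host + ":" + port, leaf);
        try (OutputStream out = new FileOutputStream(f)) { ks.store(out, pw); }
    }
}
```

Run it once with the placeholder to see the fingerprint the server actually presents, confirm that value with the server's operator, then put it in EXPECTED_SHA256 and run again to import.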
Tip #2 : List the contents of your keystore
In order to list the contents of your Java keystore (the file jssecacerts you created in the previous section) run:
keytool -list -keystore ./jssecacerts
Tip #3 : Export your keystore as PEM
If you need a certificate from your keystore in PEM format, you can export it (selected by its alias) using the following command:
keytool -exportcert -keystore ./jssecacerts \
    -alias digicertassuredidrootca -file ./digicertassuredidrootca.pem \
    -rfc -v
This will create the file digicertassuredidrootca.pem. Your PEM file looks like this:
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAeIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuFGlnaWNlcnQuY29tMSQw
...
8b5QZ7dsvfPxH2sMNgcWfz08qVttevESRmCD1zcEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----
You don't understand much from that, huh? In the next paragraph we explain how you can convert it to a more human-readable format.
Tip #4 : Inspect a PEM certificate
If you need a human-readable variant of the above PEM certificate, then run:
openssl x509 -in digicertassuredidrootca.pem -text -noout > mycert.txt
Now the certificate looks like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
        Validity
            Not Before: Nov 10 00:00:00 2006 GMT
            Not After : Nov 10 00:00:00 2031 GMT
        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ad:0e:15:ce:e4:43:80:5c:b1:87:f3:b7:60:f9:
                    71:12:a5:ae:dc:26:94:88:aa:f4:ce:f5:20:39:28:
                    58:60:0c:f8:80:da:a9:15:95:32:61:3c:b5:b1:28:
                    84:8a:8a:dc:9f:0a:0c:83:17:7a:8f:90:ac:8a:e7:
                    79:53:5c:31:84:2a:f6:0f:98:32:36:76:cc:de:dd:
                    3c:a8:a2:ef:6a:fb:21:f2:52:61:df:9f:20:d7:1f:
                    e2:b1:d9:fe:18:64:d2:12:5b:5f:f9:58:18:35:bc:
                    47:cd:a1:36:f9:6b:7f:d4:b0:38:3e:c1:1b:c3:8c:
                    33:d9:d8:2f:18:fe:28:0f:b3:a7:83:d6:c3:6e:44:
                    c0:61:35:96:16:fe:59:9c:8b:76:6d:d7:f1:a2:4b:
                    0d:2b:ff:0b:72:da:9e:60:d0:8e:90:35:c6:78:55:
                    87:20:a1:cf:e5:6d:0a:c8:49:7c:31:98:33:6c:22:
                    e9:87:d0:32:5a:a2:ba:13:82:11:ed:39:17:9d:99:
                    3a:72:a1:e6:fa:a4:d9:d5:17:31:75:ae:85:7d:22:
                    ae:3f:01:46:86:f6:28:79:c8:b1:da:e4:57:17:c4:
                    7e:1c:0e:b0:b4:92:a6:56:b3:bd:b2:97:ed:aa:a7:
                    f0:b7:c5:a8:3f:95:16:d0:ff:a1:96:eb:08:5f:18:
                    77:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F
            X509v3 Authority Key Identifier:
                keyid:45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F
    Signature Algorithm: sha1WithRSAEncryption
        a2:0e:bc:df:e2:ed:f0:e3:72:73:7a:64:94:bf:f7:72:66:d8:
        32:e4:42:75:62:ae:87:eb:f2:d5:d9:de:56:b3:9f:cc:ce:14:
        28:b9:0d:97:60:5c:12:4c:58:e4:d3:3d:83:49:45:58:97:35:
        69:1a:a8:47:ea:56:c6:79:ab:12:d8:67:81:84:df:7f:09:3c:
        94:e6:b8:26:2c:20:bd:3d:b3:28:89:f7:5f:ff:22:e2:97:84:
        1f:e9:65:ef:87:e0:df:c1:67:49:b3:5d:eb:b2:09:2a:eb:26:
        ed:78:be:7d:3f:2b:f3:b7:26:35:6d:5f:89:01:b6:49:5b:9f:
        01:05:9b:ab:3d:25:c1:cc:b6:7f:c2:f1:6f:86:c6:fa:64:68:
        eb:81:2d:94:eb:42:b7:fa:8c:1e:dd:62:f1:be:50:67:b7:6c:
        bd:f3:f1:1f:6b:0c:36:07:16:7f:37:7c:a9:5b:6d:7a:f1:12:
        46:60:83:d7:27:04:be:4b:ce:97:be:c3:67:2a:68:11:df:80:
        e7:0c:33:66:bf:13:0d:14:6e:f3:7f:1f:63:10:1e:fa:8d:1b:
        25:6d:6c:8f:a5:b7:61:01:b1:d2:a3:26:a1:10:71:9d:ad:e2:
        c3:f9:c3:99:51:b7:2b:07:08:ce:2e:e6:50:b2:a7:fa:0a:45:
        2f:a2:f0:f2
That's all folks! Stay tuned for more!
Ah, one more thing, kind of a comment on computer security systems. I think the following cartoon best summarizes my point :) [retrieved from http://xkcd.com/538/]:
References
- The original article was posted in the opentox.ntua.gr blog.
- Introductory wikipedia article on secure HTTP (HTTPS).
- SSL certificates how-to by Franck Martin
- A tutorial for openSSL by the Ubuntu community documentation.
- Keytool documentation can be found here.
- Community documentation on certificates can be found here.