Certificates and JKS

jks

  • https://en.wikipedia.org/wiki/Java_KeyStore

  • https://www.moreofless.co.uk/java-keystore-truststore-difference-certificate/

  • https://dzone.com/articles/extracting-a-private-key-from-java-keystore-jks

truststore jks

  • public cert - trusted server to talk to

  • use intermediate/root

  • Have a only one cert in there

    • when used it will take the first cert it finds

  • truststore passwords can be very simple, as contents is public

keystore jks

  • client certs

  • contain private and public cert

  • the keystore password

    • is the same for both private key and public cert

    • It is used in app to extract out key and cert to do tls/ssl

    • if wrong one used (not correctly set) then tls/ssl will fail

    • in production this should only be set and known within prod env, and only privileged users should be able to access

keytool

  • Can use to view cacerts (part of jvm) at $JAVA_HOME/jre/lib/security/cacerts

  • A way to look at jks contents

    • keytool -list -keystore <name of jks> or keytool -list -v -keystore <name of jks>

      • this will ask for password, but can press enter and will list out with less details

  • Export private key from key store

    • keytool -importkeystore -srckeystore <source keystore>.jks -srcstorepass <source keystore password> -srckeypass <source key password> -srcalias <source alias> -destalias <destination alias> -destkeystore <destination keystore>.p12 -deststoretype PKCS12 -deststorepass <destination keystore password> -destkeypass <destination key password>

    • then use openssl to view contents of cert

  • Other commands

    • https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores

openssl

  • A tool to look at certs

csr - certificate signing request

  • https://en.wikipedia.org/wiki/Certificate_signing_request

crt/cer

  • multiple crts

  • openssl

  • multiple domains

  • https://en.wikipedia.org/wiki/Public_key_certificate

  • cer - generated by windows

  • Add the chain to the certificate, app specific cert followed by issuing intermediate cert

ca/signing authority

cert chain

root ca

intermediate ca

end entity or leaf or site specific ca

self signed cert

  • https://devcenter.heroku.com/articles/ssl-certificate-self

  • https://www.akadia.com/services/ssh_test_certificate.html

  • https://developer.okta.com/blog/2019/10/23/dangers-of-self-signed-certs

pem format

der format

public key and cert

private key

tls/ssl

  • https://www.youtube.com/watch?v=yJrJEvvW_HA

  • https://www.cloudflare.com/en-gb/learning/ssl/what-happens-in-a-tls-handshake/

  • SSL TLS for Mortals by Maarten Mulders https://youtu.be/ft7fbbPXlq0

    • https://www.slideshare.net/MaartenMulders2/ssltls-for-mortals-devoxx

Mutual tls

  • Where the server authenticates the client during the ssl handshake

  • The client must have a signed public certificate which is trusted by the server

    • The client sends a csr to a Trusted Certificate Issuing Authorities that the server trusts (This can be themselves) who will create the public client cert

  • When the client communicates with the server, the server will check the public client cert, follow the signing chain and if it matches any that it trusts (some truststore in the server) it will allow communication

  • Client certificates don’t encrypt any data; they’re installed for validation purposes only.

  • Issues

    • If someone gets hold of this client cert, then the server will allow them to access the server

  • https://youtu.be/KwpV-ICpkc4 Mutual TLS | The Backend Engineering Show

https communication

jetty https server

-https://newfivefour.com/jetty-9-ssl-https.html

PreviousAPI KeysNextCluster Secruity

Last updated