Setting up Certificates for the example programs

Here is an example of how I created certificates for use with the example programs. These are the simplest examples I could come up with; for more information on exactly what's happening here see the documentation for openssl(1) and keytool.

Creating a certificate for JSSE server

  1. First create a self-signed certificate in "j.keystore", which will be created as a result of the following command. Note that you should use the same password for the keystore and the key:
    > keytool -genkey -keystore j.keystore -alias j_cert -dname "cn=j_cert"
    Enter keystore password: jpassword
    Enter key password for [j_cert]
            (RETURN if same as keystore password):
    
  2. Now export that certificate to a PEM file, which you can copy to your OpenSSL system:
    > keytool -export -keystore j.keystore -rfc -file j_cert.pem
    Enter keystore password: {won't be echoed}
    
  3. Now we can run the JSSE server using (the keystore file is the "j.keystore" created in step 1; its name is case-sensitive on most systems):
    > java -Djavax.net.ssl.keyStore="j.keystore" -Djavax.net.ssl.keyStorePassword="jpassword" ExampleSSLServer 6000 c
    
  4. and get the clients to talk to it using JSSE:
    > java -Djavax.net.ssl.trustStore="j.keystore" ExampleSSLClient server 6000 c 1
    
    or OpenSSL (shown here on VMS):
    $ truststore="j_cert.pem"
    $ ExampleSSLClient server 6000 c 1
    

Creating a certificate for OpenSSL server

Note that the example shown here creates an RSA key, which means that the server using it won't ever negotiate DSS cipher suites. See OpenSSL Gotcha #4 for more info.

  1. First create a self-signed certificate and private key:
    $ openssl req -x509 -new -out o_cert.pem -config o_conf.cnf -keyout o_key.pem
    Using configuration from o_conf.cnf
    Generating a 512 bit RSA private key
    ....++++++++++++
    ...++++++++++++
    writing new private key to 'o_key.pem'
    Enter PEM pass phrase: {"opassword" - won't be echoed}
    Verifying password - Enter PEM pass phrase: {"opassword" - won't be echoed}
    
    where a valid (but minimal) "o_conf.cnf" would be:
    
    [ req ]
    prompt=no
    RANDFILE = rubbish.rubbish  # this file must exist but may get overwritten
    distinguished_name = req_distinguished_name
    
    [ req_distinguished_name ]
    commonName                      = o_cert
  2. Now copy the resultant "o_cert.pem" to your JSSE system, and import it into a keystore as a trusted certificate:
    > keytool -import -keystore o.keystore -file o_cert.pem
    Enter keystore password:  okeystore
    Owner: CN=o_cert
    Issuer: CN=o_cert
    Serial number: 0
    Valid from: Fri May 31 13:34:53 BST 2002 until: Sun Jun 30 13:34:53 BST 2002
    Certificate fingerprints:
    	 MD5:  38:72:29:A3:29:4D:64:74:BD:EA:68:FB:68:AD:92:EE
    	 SHA1: F5:93:43:2E:F8:0F:25:AB:12:47:77:F8:7E:25:04:C9:31:C6:A0:B7
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  3. Now run the OpenSSL server using (UNIX):
      % setenv servercert o_cert.pem
      % setenv privatekey o_key.pem
      % setenv serverpwd opassword
      % ExampleSSLServer 6000 c 4
    
  4. and get the clients to talk to it using JSSE (the truststore is the "o.keystore" created in step 2):
    > java -Djavax.net.ssl.trustStore="o.keystore" ExampleSSLClient server 6000 c 1
    or OpenSSL (shown here on UNIX; csh's setenv takes the name and value as two words, with no "="):
    csh> setenv truststore o_cert.pem
    csh> ExampleSSLClient server 6000 c 1
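
As an added example (not part of these notes or of the example programs), here is a small POSIX shell script that performs step 1 of the OpenSSL section end to end and then runs the checks you would want before copying the files around: that the private key really belongs to the certificate, and that the certificate verifies against itself, which is exactly what a client given truststore=o_cert.pem is relying on. The same two read-only checks (cert_cn and cert_verifies_as_own_anchor) can be run on the j_cert.pem exported by keytool in the JSSE section before it is copied to the OpenSSL machine. It assumes a current OpenSSL (1.1.1 or 3.x) on the PATH; the file names o_conf.cnf, o_cert.pem, o_key.pem and the passphrase "opassword" are the ones the notes use. Two deliberate departures from the 2002 transcript above: the RANDFILE line is omitted because modern OpenSSL seeds itself, and the key is 2048-bit RSA rather than the 512-bit default shown, since 512-bit RSA is factorable and refused by current TLS stacks.

```shell
#!/bin/sh
# Added example, not code from the original notes. Scripts "Creating a
# certificate for OpenSSL server", step 1, and checks the result.
# Assumes openssl (1.1.1 or 3.x) is on the PATH. All files go under $1.

# Write the minimal req configuration from the notes (RANDFILE omitted;
# modern OpenSSL does not need it).
write_req_config() {
    conf="$1"; cn="$2"
    cat > "$conf" <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = $cn
EOF
}

# Self-signed certificate plus passphrase-protected private key, as in the
# notes, but 2048-bit RSA instead of the 512-bit key the transcript shows.
# -passout replaces the interactive "Enter PEM pass phrase" prompt.
make_selfsigned() {
    dir="$1"; cn="$2"; pass="$3"
    write_req_config "$dir/o_conf.cnf" "$cn"
    openssl req -x509 -new -newkey rsa:2048 -days 30 \
        -config "$dir/o_conf.cnf" \
        -keyout "$dir/o_key.pem" -out "$dir/o_cert.pem" \
        -passout "pass:$pass" >/dev/null 2>&1
}

# Subject as keytool will display it on import ("Owner: CN=o_cert").
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The key must belong to the certificate, or the server starts with a
# mismatched pair. Compare the public key carried in each file; a wrong
# passphrase leaves $from_key empty and the comparison fails.
key_matches_cert() {
    cert="$1"; key="$2"; pass="$3"
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    from_key=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null || true)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# What a client configured with truststore=o_cert.pem does: the self-signed
# certificate is its own trust anchor, so it has to verify against itself.
cert_verifies_as_own_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Whole procedure; returns non-zero if any step or check fails.
setup_openssl_server_cert() {
    dir="$1"
    mkdir -p "$dir" || return 1
    make_selfsigned "$dir" o_cert opassword || return 1
    key_matches_cert "$dir/o_cert.pem" "$dir/o_key.pem" opassword || return 1
    cert_verifies_as_own_anchor "$dir/o_cert.pem" || return 1
    echo "server certificate ready: $(cert_cn "$dir/o_cert.pem")"
}

# Usage: sh setup_cert.sh /tmp/o_pki
if [ -n "${1:-}" ]; then
    setup_openssl_server_cert "$1"
fi
```

After it runs, o_cert.pem is what you copy to the JSSE machine for the keytool -import step, and o_key.pem plus "opassword" are what the servercert/privatekey/serverpwd environment variables point at.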
