Here is an example of how I created certificates for use with the example programs. These are the simplest examples I could come up with; for more information on exactly what is happening here, see the documentation for openssl(1) and keytool.
> keytool -genkey -keystore j.keystore -alias j_cert -dname "cn=j_cert"
Enter keystore password:  jpassword
Enter key password for [j_cert]
        (RETURN if same as keystore password):
> keytool -export -keystore j.keystore -rfc -file j_cert.pem
Enter keystore password:  {won't be echoed}
> java -Djavax.net.ssl.keyStore="j.keystore" -Djavax.net.ssl.keyStorePassword="jpassword" ExampleSSLServer 6000 c
> java -Djavax.net.ssl.trustStore="j.keystore" ExampleSSLClient server 6000 c 1

or OpenSSL (shown here on VMS):
$ truststore="j_cert.pem"
$ ExampleSSLClient server 6000 c 1
Note that the example shown here creates an RSA key, which means that a server using it will never negotiate DSS cipher suites. See OpenSSL Gotcha #4 for more information.
$ openssl req -x509 -new -out o_cert.pem -config o_conf.cnf -keyout o_key.pem
Using configuration from o_conf.cnf
Generating a 512 bit RSA private key
....++++++++++++
...++++++++++++
writing new private key to 'o_key.pem'
Enter PEM pass phrase: {"opassword" - won't be echoed}
Verifying password - Enter PEM pass phrase: {"opassword" - won't be echoed}

where a valid (but minimal) "o_conf.cnf" would be:
[ req ]
prompt=no
RANDFILE = rubbish.rubbish    # this file must exist but may get overwritten
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = o_cert
> keytool -import -keystore o.keystore -file o_cert.pem
Enter keystore password:  okeystore
Owner: CN=o_cert
Issuer: CN=o_cert
Serial number: 0
Valid from: Fri May 31 13:34:53 BST 2002 until: Sun Jun 30 13:34:53 BST 2002
Certificate fingerprints:
         MD5:  38:72:29:A3:29:4D:64:74:BD:EA:68:FB:68:AD:92:EE
         SHA1: F5:93:43:2E:F8:0F:25:AB:12:47:77:F8:7E:25:04:C9:31:C6:A0:B7
Trust this certificate? [no]:  yes
Certificate was added to keystore
% setenv servercert o_cert.pem
% setenv privatekey o_key.pem
% setenv serverpwd opassword
% ExampleSSLServer 6000 c 4
> java -Djavax.net.ssl.trustStore="o.keystore" ExampleSSLClient server 6000 c 1

or OpenSSL (shown here on UNIX):
csh> setenv truststore o_cert.pem
csh> ExampleSSLClient server 6000 c 1
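As an added example (not part of the original page, and not code from the ExampleSSLServer/ExampleSSLClient programs), here is a POSIX shell script that reproduces the OpenSSL half of the procedure above non-interactively and then checks what was produced: the public-key algorithm (the point of the RSA/DSS note), the subject that keytool will later display as Owner, the SHA1 fingerprint to compare against keytool's -import prompt, that the self-signed certificate verifies against itself when used as a trust store, and that the pass phrase actually unlocks the encrypted key. It assumes openssl(1) is on PATH, keeps the page's file names and the "opassword" pass phrase, and generates a 2048-bit RSA key instead of the 512-bit key in the 2002 session, which is far too small to use today.

```shell
#!/bin/sh
# Added example, not from the original page. Reproduces the openssl req step
# with the minimal o_conf.cnf and inspects the result. Assumes openssl(1) is
# on PATH; file names and the pass phrase "opassword" follow the page.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The minimal request configuration from the page.
cat > o_conf.cnf <<'EOF'
[ req ]
prompt = no
# RANDFILE must exist but may get overwritten
RANDFILE = rubbish.rubbish
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = o_cert
EOF
touch rubbish.rubbish

# Self-signed certificate plus pass-phrase-encrypted private key.
# -passout replaces the two interactive "Enter PEM pass phrase" prompts.
make_cert() {
    openssl req -x509 -new -newkey rsa:2048 -days 30 \
        -config o_conf.cnf -keyout o_key.pem -out o_cert.pem \
        -passout pass:opassword 2>/dev/null
}

# Public key algorithm: with rsaEncryption the server can never negotiate
# DSS cipher suites, as the note above says.
key_algorithm() {
    openssl x509 -in o_cert.pem -noout -text | awk '/Public Key Algorithm/ {print $4}'
}

# Subject DN in the same form keytool prints after import ("Owner: CN=o_cert").
subject_dn() {
    openssl x509 -in o_cert.pem -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# SHA1 fingerprint to compare with the one keytool shows at "Trust this certificate?".
fingerprint() {
    openssl x509 -in o_cert.pem -noout -fingerprint -sha1 | cut -d= -f2
}

# The certificate is its own trust anchor, so it must verify against itself.
verify_self_signed() {
    openssl verify -CAfile o_cert.pem o_cert.pem >/dev/null 2>&1
}

# The key file is encrypted; confirm the pass phrase decrypts it.
key_unlocks() {
    openssl pkey -in o_key.pem -passin pass:opassword -noout 2>/dev/null
}

make_cert
echo "algorithm:  $(key_algorithm)"
echo "subject:    $(subject_dn)"
echo "SHA1:       $(fingerprint)"
verify_self_signed && echo "verify:     OK"
key_unlocks && echo "key:        pass phrase accepted"
```

Run it as-is; it works in a temporary directory and removes it on exit. The fingerprint it prints is the value to check against keytool's prompt before answering "yes", which is the only point in this flow where the client's trust in the server certificate is actually decided.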