Tuesday, June 27, 2017

Java and SSL: How to Create a Certificate in Java

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

How to Create a Certificate in Java

  • A brief digression: what is a certificate?
  • How to create a certificate signing request
  • How to sign a CSR
  • How to import the certificate to a keystore
As the bullet points indicate, there are 3 steps to creating a certificate: creating the certificate signing request (CSR), signing the CSR, and importing the resulting certificate to the keystore.

A certificate is merely a public key that has been "signed" by another party.  The signature takes the form of a one-way hash of the public key to be signed, encrypted with the private key of the signer. The signer signs the public key so that anyone receiving it can tell that the public key is genuine.

Others can verify the certificate by computing the hash of the public key, and decrypting the value from the certificate with the signer's public key.  If the computed hash matches the decrypted value, then the certificate is considered good.

For this scheme to work, the public key of the signer must be widely available, and the hashing algorithm and the signature must be readily available, which is why file formats are so important with SSL.
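The sign-and-verify scheme described above, as an added Java example that is not code from the original post: a generated signer key pair stands in for the signing party, the subject's encoded public key is the data being signed, and `SHA256withRSA` performs the hash-then-encrypt-with-private-key step. The key sizes and the tampering of one byte are constructed for the demonstration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class PublicKeySigningDemo {
    // "Sign": hash the data (SHA-256) and encrypt the hash with the signer's private key.
    static byte[] sign(byte[] data, PrivateKey signerKey) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(signerKey);
        sig.update(data);
        return sig.sign();
    }

    // "Verify": recompute the hash, decrypt the signature with the signer's public key, compare.
    static boolean verify(byte[] data, byte[] signature, PublicKey signerPub) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(signerPub);
        sig.update(data);
        try {
            return sig.verify(signature);
        } catch (SignatureException e) {
            return false; // malformed signature counts as "not good"
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();   // the "other party" doing the signing
        KeyPair subject = kpg.generateKeyPair();  // owner of the public key being certified
        KeyPair rogue = kpg.generateKeyPair();    // an unrelated key, to show a wrong signer key fails

        byte[] subjectPub = subject.getPublic().getEncoded(); // DER-encoded public key
        byte[] signature = sign(subjectPub, signer.getPrivate());

        byte[] tampered = subjectPub.clone();
        tampered[tampered.length - 1] ^= 0x01;   // flip one bit of the certified key

        System.out.println("genuine key, right signer: " + verify(subjectPub, signature, signer.getPublic()));
        System.out.println("tampered key:              " + verify(tampered, signature, signer.getPublic()));
        System.out.println("wrong signer public key:   " + verify(subjectPub, signature, rogue.getPublic()));
    }
}
```

A real X.509 certificate is signed over its whole to-be-signed body (subject, validity, public key and more), not the public key alone, and `X509Certificate.verify(PublicKey)` performs exactly this check against the issuer's public key.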
