Securing your Java application with an SSL certificate can be extremely important. Fortunately, it is (usually) quite simple to do using Java Keytool. Most situations require that you buy a trusted certificate, but there are many cases when you can generate and use a self signed certificate for free.

When to Use a Keytool Self Signed Certificate

An SSL certificate serves two essential purposes: distributing the public key and verifying the identity of the server so users know they aren't sending their information to the wrong server. It can only properly verify the identity of the server when it is signed by a trusted third party. A self signed certificate is a certificate that is signed by itself rather than a trusted authority. Since any attacker can create a self signed certificate and launch a man-in-the-middle attack, a user can't know whether they are sending their encrypted information to the server or an attacker. Because of this, you will almost never want to use a self signed certificate on a public Java server that requires anonymous visitors to connect to your site. However, self signed certificates have their place:

  • An Intranet. When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
  • A Java development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
  • Personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.

Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information like credit cards, social security numbers, etc.

Just keep in mind that visitors will see a warning in their browsers (like the one below) when connecting to a server that uses a self signed certificate until it is permanently stored in their certificate store.

Generate a Self Signed Certificate using Java Keytool

Now that you know when to use a Keytool self signed certificate, let's create one using a simple Java Keytool command:

  1. Open the command console on whatever operating system you are using and navigate to the directory where keytool.exe is located (usually where the JRE is located, e.g. C:\Program Files\Java\jre6\bin on Windows machines).
  2. Run the following command (where validity is the number of days before the certificate will expire):
    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
  3. Fill in the prompts for your organization information. When it asks for your first and last name, enter the domain name of the server that users will be entering to connect to your application (e.g. www.google.com)

This will create a keystore.jks file containing a private key and your sparklingly fresh self signed certificate. Now you just need to configure your Java application to use the .jks file. If you are using Tomcat, you can follow our Tomcat SSL Installation Instructions.
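To put the keystore.jks from the steps above to use, here is an added example (my code, not the post's): it builds a server SSLContext from that keystore, and a client SSLContext that trusts exactly that one self-signed certificate, the way a browser does once the certificate is stored, instead of disabling verification. It assumes the certificate has been exported to selfsigned.pem with keytool -exportcert; the keystore name, alias and password are the ones from the command above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

/** Wires the keystore.jks produced by the keytool command above into a Java TLS server and client. */
public class SelfSignedTls {
    /** Server side: present the key and self-signed certificate stored under alias "selfsigned". */
    public static SSLContext serverContext(String keystorePath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        // keytool -genkey used the store password for the key too, since no -keypass was given
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, storePass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Client side: trust exactly this one certificate instead of turning verification off. */
    public static SSLContext clientContext(String certPath) throws Exception {
        Certificate cert;
        try (FileInputStream in = new FileInputStream(certPath)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType()); // in-memory trust store
        trust.load(null, null);
        trust.setCertificateEntry("selfsigned", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext server = serverContext("keystore.jks", "password".toCharArray());
        System.out.println("Server context ready: " + server.getProtocol());
        // Assumed file: the certificate exported with
        //   keytool -exportcert -alias selfsigned -keystore keystore.jks -storepass password -rfc -file selfsigned.pem
        SSLSocket client = (SSLSocket) clientContext("selfsigned.pem").getSocketFactory().createSocket();
        SSLParameters params = client.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // also check the name entered as "first and last name"
        client.setSSLParameters(params);
        System.out.println("Client socket ready; connect it to the server's host and port to handshake");
    }
}
```

The client side matters as much as the server side: a trust store holding only this certificate, with hostname checking left on, is what stops the man-in-the-middle scenario described above, whereas a trust-all manager would accept any attacker's self-signed certificate.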

For more information on creating a Java Keytool Self Signed Certificate, see the following links:

Originally posted on Sat Oct 30, 2010

In One Sentence: What is a Certificate?
What Applications use Certificates?
How do I get a Certificate?
What is Inside an X.509 Certificate?
What Java API Can Be Used to Access and Manage Certificates?
What Java Tool Can Generate, Display, Import, and Export X.509 Certificates?

In One Sentence: What is a Certificate?

A public-key certificate is a digitally signed statement from one entity, saying that the public key (and some other information) of another entity has some specific value.

Let us expand on some of the key terms used in this sentence:

Public Keys
These are numbers associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity. Public keys are used to verify signatures.
Digitally Signed
If some data is digitally signed it has been stored with the 'identity' of an entity, and a signature that proves that entity knows about the data. The data is rendered unforgeable by signing with the entity's private key.
Identity
A known way of addressing an entity. In some systems the identity is the public key, in others it can be anything from a UNIX UID to an Email address to an X.509 Distinguished Name.
Signature
A signature is computed over some data using the private key of an entity (the signer).
Private Keys
These are numbers, each of which is supposed to be known only to the particular entity whose private key it is (that is, it's supposed to be kept secret). Private and public keys exist in pairs in all public key cryptography systems (also referred to as 'public key crypto systems'). In a typical public key crypto system, such as DSA, a private key corresponds to exactly one public key. Private keys are used to compute signatures.
Entity
An entity is a person, organization, program, computer, business, bank, or something else you are trusting to some degree.

Basically, public key cryptography requires access to users' public keys. In a large-scale networked environment it is impossible to guarantee that prior relationships between communicating entities have been established or that a trusted repository exists with all used public keys. Certificates were invented as a solution to this public key distribution problem. Now a Certification Authority (CA) can act as a Trusted Third Party. CAs are entities (e.g., businesses) that are trusted to sign (issue) certificates for other entities. It is assumed that CAs will only create valid and reliable certificates as they are bound by legal agreements. There are many public Certification Authorities, such as VeriSign, Thawte, Entrust, and so on. You can also run your own Certification Authority using products such as the Netscape/Microsoft Certificate Servers or the Entrust CA product for your organization.

What Applications use Certificates?

Probably the most widely visible application of X.509 certificates today is in web browsers (such as Mozilla Firefox and Microsoft Internet Explorer) that support the TLS protocol. TLS (Transport Layer Security) is a security protocol that provides privacy and authentication for your network traffic. These browsers can only use this protocol with web servers that support TLS.

Other technologies that rely on X.509 certificates include:

  • Various code-signing schemes, such as signed Java ARchives, and Microsoft Authenticode.
  • Various secure E-Mail standards, such as PEM and S/MIME.
  • E-Commerce protocols, such as SET.

How do I Get a Certificate?

There are two basic techniques used to get certificates:

  1. you can create one yourself (using the right tools, such as keytool), or
  2. you can ask a Certification Authority to issue you one (either directly or using a tool such as keytool to generate the request).

The main inputs to the certificate creation process are:

  • Matched public and private keys, generated using some special tools (such as keytool), or a browser. Only the public key is ever shown to anyone else. The private key is used to sign data; if someone knows your private key, they can masquerade as you, perhaps forging legal documents attributed to you!
  • You need to provide information about the entity being certified (e.g., you). This normally includes information such as your name and organizational address. If you ask a CA to issue a certificate for you, you will normally need to provide proof to show correctness of the information.

If you are asking a CA to issue you a certificate, you provide your public key and some information about you. You'll use a tool (such as keytool or a browser that supports Certificate Signing Request generation) to digitally sign this information, and send it to the CA. The CA will then generate the certificate and return it.

If you're generating the certificate yourself, you'll take that same information, add a little more (dates during which the certificate is valid, a serial number), and just create the certificate using some tool (such as keytool). Not everyone will accept self-signed certificates; one part of the value provided by a CA is to serve as a neutral and trusted introduction service, based in part on their verification requirements, which are openly published in their Certification Service Practices (CSP).

What's Inside an X.509 Certificate?

The X.509 standard defines what information can go into a certificate, and describes how to write it down (the data format). All X.509 certificates have the following data, in addition to the signature:

Version
This identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. Thus far, three versions are defined.
Serial Number
The entity that created the certificate is responsible for assigning it a serial number to distinguish it from other certificates it issues. This information is used in numerous ways, for example when a certificate is revoked its serial number is placed in a Certificate Revocation List (CRL).
Signature Algorithm Identifier
This identifies the algorithm used by the CA to sign the certificate.
Issuer Name
The X.500 name of the entity that signed the certificate. This is normally a CA. Using this certificate implies trusting the entity that signed this certificate. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)
Validity Period
Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time, and can be as short as a few seconds or almost as long as a century. The validity period chosen depends on a number of factors, such as the strength of the private key used to sign the certificate or the amount one is willing to pay for a certificate. This is the expected period that entities can rely on the public value, if the associated private key has not been compromised.
Subject Name
The name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. This is the Distinguished Name (DN) of the entity, for example, (These refer to the subject's Common Name, Organizational Unit, Organization, and Country.)
Subject Public Key Information
This is the public key of the entity being named, together with an algorithm identifier which specifies which public key crypto system this key belongs to and any associated key parameters.

X.509 Version 1 has been available since 1988, is widely deployed, and is the most generic.

X.509 Version 2 introduced the concept of subject and issuer unique identifiers to handle the possibility of reuse of subject and/or issuer names over time. Most certificate profile documents strongly recommend that names not be reused, and that certificates should not make use of unique identifiers. Version 2 certificates are not widely used.

X.509 Version 3 is the most recent (1996) and supports the notion of extensions, whereby anyone can define an extension and include it in the certificate. Some common extensions in use today are: KeyUsage (limits the use of the keys to particular purposes such as 'signing-only') and AlternativeNames (allows other identities to also be associated with this public key, e.g. DNS names, Email addresses, IP addresses). Extensions can be marked critical to indicate that the extension should be checked and enforced/used. For example, if a certificate has the KeyUsage extension marked critical and set to 'keyCertSign' then if this certificate is presented during SSL communication, it should be rejected, as the certificate extension indicates that the associated private key should only be used for signing certificates and not for SSL use.

All the data in a certificate is encoded using two related standards called ASN.1/DER. Abstract Syntax Notation 1 describes data. The Definite Encoding Rules describe a single way to store and transfer that data. People have been known to describe this combination simultaneously as 'powerful and flexible' and as 'cryptic and awkward'.

The IETF PKIX working group is in the process of defining standards for the Internet Public Key Infrastructure. We are closely following their work, and support the X.509 Certificate and CRL Profile, which is specified in RFC 3280.

What Java API Can Be Used to Access and Manage Certificates?

The Certificate API, found in the java.security.cert package, includes the following:
  • the CertificateFactory class defines the functionality of a certificate factory, which is used to generate certificate, certificate revocation list (CRL), and certification path objects from their encoding.
  • the Certificate class is an abstract class for managing a variety of certificates. It is an abstraction for certificates that have different formats but important common uses. For example, different types of certificates, such as X.509 and PGP, share general certificate functionality (like encoding and verifying) and some types of information like public key.
  • the CRL class is an abstract class for managing a variety of Certificate Revocation Lists (CRLs).
  • the X509Certificate class is an abstract class for X.509 Certificates. It provides a standard way to access all the attributes of an X.509 certificate.
  • the X509Extension interface is an interface for an X.509 extension. The extensions defined for X.509 v3 certificates and v2 CRLs (Certificate Revocation Lists) provide mechanisms for associating additional attributes with users or public keys, such as for managing the certification hierarchy, and for managing CRL distribution.
  • the X509CRL class is an abstract class for an X.509 Certificate Revocation List (CRL). A CRL is a time-stamped list identifying revoked certificates. It is signed by a Certification Authority (CA) and made freely available in a public repository.
  • the X509CRLEntry class is an abstract class for a CRL entry.

In JDK 1.4, new classes were added to support building and validating chains of certificates, or certification paths. These classes are described in further detail in the PKI Programmer's Guide.
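As an added example (not Oracle's code) serving both the field list under "What's Inside an X.509 Certificate?" and the API classes just listed, this program parses a certificate with CertificateFactory, reads those fields through X509Certificate, and applies the KeyUsage rule described earlier: a critical KeyUsage that permits only keyCertSign marks the certificate as unfit for TLS server use. The input file name selfsigned.pem is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

/** Reads one X.509 certificate and reports the fields listed above through the java.security.cert API. */
public class CertInspector {
    // Bit positions in the boolean[] from getKeyUsage(): digitalSignature, keyEncipherment, keyCertSign
    private static final int DIGITAL_SIGNATURE = 0, KEY_ENCIPHERMENT = 2, KEY_CERT_SIGN = 5;
    private static final String KEY_USAGE_OID = "2.5.29.15";
    public static X509Certificate load(InputStream in) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
    /** True when the signature verifies with the certificate's own public key, i.e. it is self-signed. */
    public static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }
    /** The rule from the text: a critical KeyUsage allowing only keyCertSign is not a TLS server certificate. */
    public static boolean usableForTlsServer(X509Certificate cert) {
        boolean[] usage = cert.getKeyUsage(); // null when the extension is absent
        Set<String> critical = cert.getCriticalExtensionOIDs();
        if (usage == null || critical == null || !critical.contains(KEY_USAGE_OID)) {
            return true; // no critical KeyUsage to enforce
        }
        return !(usage[KEY_CERT_SIGN] && !usage[DIGITAL_SIGNATURE] && !usage[KEY_ENCIPHERMENT]);
    }
    public static void main(String[] args) throws Exception {
        // Assumed input: a PEM or DER file, e.g. the certificate exported from keystore.jks with keytool -exportcert
        try (FileInputStream in = new FileInputStream(args.length > 0 ? args[0] : "selfsigned.pem")) {
            X509Certificate cert = load(in);
            System.out.println("Version:       v" + cert.getVersion());
            System.out.println("Serial number: " + cert.getSerialNumber().toString(16));
            System.out.println("Issuer:        " + cert.getIssuerX500Principal());
            System.out.println("Validity:      " + cert.getNotBefore() + " to " + cert.getNotAfter());
            System.out.println("Subject:       " + cert.getSubjectX500Principal());
            System.out.println("Public key:    " + cert.getPublicKey().getAlgorithm());
            System.out.println("Critical exts: " + cert.getCriticalExtensionOIDs());
            cert.checkValidity(); // throws if the current time is outside the validity period
            System.out.println("Self-signed:   " + isSelfSigned(cert));
            System.out.println("TLS server OK: " + usableForTlsServer(cert));
        }
    }
}
```

For a keytool-generated self-signed certificate, Issuer and Subject print the same DN and isSelfSigned returns true, which is exactly why nothing but explicit trust in that one certificate can distinguish it from an attacker's copy.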

What Java Tool Can Generate, Display, Import, and Export X.509 Certificates?

There is a tool named keytool (for Solaris, Linux, or Mac OS X) (for Windows) that can be used to create public/private key pairs and self-signed X.509 v3 certificates, and to manage keystores. Keys and certificates are used to digitally sign your Java applications and applets (see the jarsigner (for Solaris, Linux, or Mac OS X) (for Windows) tool).

A keystore is a protected database that holds keys and certificates. Access to a keystore is guarded by a password (defined at the time the keystore is created, by the person who creates the keystore, and changeable only when providing the current password). In addition, each private key in a keystore can be guarded by its own password.

Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v3 certificates. For examples, see the 'EXAMPLES' section of the keytool documentation (for Solaris, Linux, or Mac OS X) (for Windows).

Copyright © 1993, 2020, Oracle and/or its affiliates. All rights reserved.