Versions Compared

Old Version 12

changes.mady.by.user jim mason

Saved on

compared with

New Version 13

changes.mady.by.user jim mason

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Reference_description_with_linked_URLs_______________________Notes______________________________________________________________








https://www.openssl.org/

https://www.openssl.org/docs/

https://www.openssl.org/docs/man1.1.1/


https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html
Openssl Cookbook - 2016 - gdrive
https://slproweb.com/products/Win32OpenSSL.htmlOpenssl Windows binaries

Linux includes openssl  ...   openssl version -a   ( shows details )
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrsTutorial creating ssl certificates with openssl


https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----OverviewJava Keystore types
https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549Java keytool for CA administration


https://www.geotrust.com/resources/csr/apache_mod_ssl.htm

openssl-create-server-cert-process-geotrust.com-Generate a Certificate Signing Request CSR.pdf

common openssl process to create a server certificate for ssl - geotrust


https://www.thewindowsclub.com/manage-trusted-root-certificates-windows

windows10-certificate-trust-mgt-mmc-thewindowsclub.com-How to manage Trusted Root Certificates in Windows 10.pdf

Using Windows 10 Trust store with MMC - add certificates to Windows Trust Store

Mozilla keeps the trust store in the source code repository:

This file contains the object definitions for the certs and other
# information "built into" NSS.


Key Concepts


Certificate and PKI concepts



https://support.code42.com/Administrator/6/Configuring/Install_a_CA-signed_SSL_certificate_for_HTTPS_console_access

These instructions use the following terms:

  • Key: A unique string of characters that seeds a mathematical algorithm for encryption and decryption. Keys come in pairs. A public key encrypts data to be decrypted with the corresponding private key.
  • Certificate: A file that contains a public key and identifies who owns that key and its corresponding private key. In a signed certificate, a trusted certificate authority (CA) affirms that a public key does indeed belong to the owner named in the certificate. A certificate chain links a public key to a widely trusted root certificate.
  • Keystore: A file that holds a combination of keys and certificates.
  • PKCS, PFX: A binary format for key, certificate, and keystore files. Typical file names are *.pkcs, *.p12, *.p7b, *.pfx
  • Java keystore: The binary format for keystores used by Code42 servers. Typical file names are .keystore and *.jks
  • PEM: An ASCII text format for keys and certificates. Typical file extensions are *.pem, *.key, *.csr, *.cert. The binary counterpart is DER-format file. An X.509 certificate may or may not be in PEM format.

To identify a PEM file, read it with a console or text editor. If you see ASCII text, it's a PEM file.


Java Keytool Management

https://support.code42.com/Administrator/6/Configuring/Install_a_CA-signed_SSL_certificate_for_HTTPS_console_access

The Java keytool installs as part of a system's Java runtime engine (JRE) and runs at the Windows or Linux command line. To use keytool, install it on your system and configure its use as described below.

Windows keytool install

  1. Download and install a recent version of the JRE from Oracle.
  2. Locate the keytool with two commands.
    The second command returns the location of keytool.exe.
    cd \
    dir /b/s keytool.exe
  3. Add the directory where keytool.exe resides to the PATH variable.
    PATH=%PATH%;<directoryWhereKeytool.exeResides>
    For example:
    PATH=%PATH%;C:\Program Files\Java\jre1.8.0_111\bin
  4. Return to a directory that belongs to your user name:
    cd \Users\<yourusername>
  5. Repeat steps 2 and 3 for any terminal window in which you want to use the keytool command.

KeytoolImage Added

Linux keytool install

Install a recent version of the JRE with commands like the following:
sudo apt-get update
sudo apt-get install default-jre

Create a keystore

Create a keystore using one of the following options:

  • Option 1: Create a new key and Java keystore; import a CA's signature.
  • Option 2: Package existing PEM-format keys and certificates in a new Java keystore.
  • Option 3: Convert an existing PKCS or PFX keystore to a Java keystore.

Option 1: Create a new key and Java keystore; import a CA's signature

Step 1: Create a keystore and a signing request

Create a Java keystore and a request for a CA to sign your public key.

Help writing commands
For help writing these commands, see DigiCert's Java Keytool CSR Wizard.
  1. Create the keystore with the command below, after substituting your value for one variable:
Enter the same password twice
The command will prompt you for two passwords. Supply the same value for both of them:
Enter keystore password:
Enter key password:
keytool -genkeypair -alias <your.domain.com> -storetype jks -keystore <your.domain.com>.jks -validity 366 -keyalg RSA -keysize 4096
  1. The command prompts you for identifying data.
    At "What is your first and last name" you must supply the domain name of the Code42 server you want to secure.
    Most CAs require values for the other fields as well.
What is your first and last name? <your.domain.com>
What is the name of your organizational unit? yourunit
What is the name of your organization? yourorg
What is the name of your City or Locality? yourcity
What is the name of your State or Province? yourstate
What is the two-letter country code for this unit? US
  1. Create the certificate signing request (CSR) with the command below, after substituting your value for all four occurrences of one variable:
keytool -certreq -alias <your.domain.com> -file <your.domain.com>.csr 
        -keystore <your.domain.com>.jks -ext san=dns:<your.domain.com>

Step 2: Request a CA-signed certificate

  1. In the directory where you ran Step 1 above, find the file <your.domain.com>.csr
  2. Submit the file <your.domain.com>.csr to your CA.
    • Details vary from one CA to another. Typically, you submit your request via a website, then the CA contacts you to verify your identity.
    • CAs can send signed reply files in a variety of formats, and CAs use a variety of names for those formats. You want the CA's reply in PEM or PKCS#7 format.
  3. Wait (usually days or a week) for the CA's reply.

Step 3: Import the CA's reply

The CA's reply will provide one PKCS file or multiple PEM files. Import them into your keystore as follows:

  1. Copy the CA's files into the directory where you created the keystore in Step 1 above.
  2. Windows only: Configure the Keytool Command as described above.
  3. Use keytool  to import the CA reply files to your keystore
    (The commands will prompt you for your keystore password):
  • If the CA sent a PKCS file, use the command below, after substituting your values for two variables:
    • <your.domain.com> : The complete domain name of your Code42 server.
    • <CAreply.pkcs> : The name of the PKCS file provided by the CA.
keytool -importcert -alias <your.domain.com> -file <CAreply.pkcs> -keystore <your.domain.com>.jks -trustcacerts
  • If the CA sent PEM files, there may be one file, but most often there are two or three. Import the files to your keystore with commands in the order shown below, after substituting your values for four variables:
    • <root.cert.pem> : The name of the root certificate file
    • <intermediate.cert.pem> : The name of the intermediate certificate file
      The root and intermediate files link the CA's signature to a widely trusted root certificate that is known to web browsers. Most, but not all, CA replies include roots and intermediates.
    • <your.domain.com> : The complete domain name of your Code42 server
    • <server.cert.pem> : The name of the server certificate file
      The file links your domain name with your public key and the CA's signature.
keytool -importcert -alias root -file <root.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias intermediat2 -file <intermediat2.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias <your.domain.com> -file <server.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
Troubleshoot
If you import certificates in the wrong order, the above commands return an error message. To resolve the error, you can:
  • Consult your CA.
  • Re-arrange the order of certificates and try again.
  • Read each certificate with the following command:
    keytool -printcert -file <filename.cert.pem>
    In the output, note the Owner and Issuer (signer) of each certificate. Order your import commands so that the Issuer of each certificate matches the Owner in the previous command.
  1. Proceed to configuring your Code42 server below.

Option 2: Package existing PEM-format key and certificates in a new Java keystore

If you have an existing private key and certificates for your Code42 server's domain, in PEM format, importing them into a Java keystore requires the OpenSSL tool. OpenSSL can package the PEM files in a PKCS keystore. Java keytool can then convert the PKCS keystore to a Java keystore.

  1. Install OpenSSL:
    • Windows: Download and install OpenSSL.
    • Linux: Verify that OpenSSL is installed by issuing the command openssl version
      If that returns an error, install OpenSSL with a command like sudo apt-get install openssl
  2. Gather your private key, server certificate, and intermediate certificate into one directory.
  3. Package the key and certificates into a PKCS keystore with the command below, after substituting your values for four variables
    (The command will prompt you for your keystore password):
    • <server.cert.pem>: The name of the server certificate file
      The file links your domain name with your public key and CA's signature.
    • <private.key.pem>: The private counterpart to the public key in <server.cert.pem>
    • <intermediate.cert.pem>: The name of the intermediate certificate file
      The file links the CA's signature to a widely trusted root certificate that is known to web browsers.
    • <your.domain.com> : The complete domain name of your Code42 server
openssl pkcs12 -export -in <server.cert.pem> -inkey <private.key.pem> -certfile <intermediate.cert.pem> -name "<your.domain.com>" -out <your.domain.com>.p12
  1. Convert the resulting PKCS keystore file, <your.domain.com>.p12 into a Java keystore. See Option 3, below.

Option 3: Convert an existing PKCS or PFX keystore to a Java keystore

If you have an existing PKCS or PFX keystore for your Code42 server's domain, convert it to a Java keystore.

  1. Windows only: Configure the keytool command as described above.
  2. Issue the command below, after substituting your values for two variables
    (The command will prompt you for keystore passwords):
keytool -importkeystore -srckeystore <your.domain.com.p12> -srcstoretype PKCS12 -destkeystore <your.domain.com>.jks -deststoretype jks
  1. Proceed to configuring your Code42 server below.

Configure your server to use your keystore

Step 1: Back up your Code42 server's database

As a best practice, back up your Code42 server's database:

  1. Open the administration console.
  2. Navigate to Settings > Server.
  3. From the action menu, select Dump Database.

Step 2: Import your keystore to your Code42 server

  1. In the administration console, select Settings > Security > Keys.
  2. At SSL, check Require SSL to access console.
  3. Click Import Keystore.
  4. Select your Java keytore file, <your.domain.com>.jks, and provide <yourpassword>.
  5. Return to the system command line and stop and restart the Code42 server:





Certificate Use Cases


Client and Server SSL encryption of messages using PKI concept

...