Key Points
- Java supports full security management - stores, certificates, keys in different key stores ( see m Java Security Certificate Mgt )
- Openssl provides CLI interface to fully manage certificates, stores, signing requests, key management etc
References
Reference_description_with_linked_URLs_______________________ | Notes______________________________________________________________ |
---|---|
https://www.openssl.org/ | |
https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html | |
Openssl Cookbook - reasonably thorough | |
https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/ | Common Openssl commands from freecodecamp |
https://slproweb.com/products/Win32OpenSSL.html | Openssl Windows binaries |
Linux includes openssl ... openssl version -a ( shows details ) | |
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs | Tutorial creating ssl certificates with openssl |
https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview | Java Keystore types |
https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549 | Java keytool for CA administration |
https://www.geotrust.com/resources/csr/apache_mod_ssl.htm openssl-create-server-cert-process-geotrust.com-Generate a Certificate Signing Request CSR.pdf | common openssl process to create a server certificate for ssl - geotrust |
https://www.thewindowsclub.com/manage-trusted-root-certificates-windows | Using Windows 10 Trust store with MMC |
Mozilla keeps the trust store in the source code repository: This file contains the object definitions for the certs and other # information "built into" NSS. | |
https://support.google.com/a/answer/6342198?hl=en | Generate Keys and Certificates for SSO for a GSuite account how to create keys, certificates and link them to a GSuite account |
Let's encrypt or other root CAs - provides certs, CAAS - certificate admin as a service using a client agent on your server Let's Encrypt has short key rotation ( 90 days or less to expiration ) | |
https://upcloud.com/community/tutorials/use-ssh-keys-authentication/ | Using ssh with Openssl or Puttygen ** |
https://security.stackexchange.com/questions/146360/ssh-keypair-works-in-putty-but-not-in-openssh-inside-the-puttys-session | Puttygen keys are not compatible with OpenSSH or OpenSSL Puttygen's private key format (PPK) can by converted OpenSSL format |
https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file | Common certificate and key file formats |
https://www.https.in/ssl-security/renew-ssl-certificate-steps/ ssl-How to Renew SSL Certificate for my Website.pdf | Renew SSL certificates ** |
https://docs.aws.amazon.com/acm/index.html | AWS ACM certificate management ** |
Simple ssh - Using ssh with Openssl or Puttygen on Linux or Windows
https://upcloud.com/community/tutorials/use-ssh-keys-authentication/
_ssh-keys-How to use SSH keys for authentication.pdf
Login to server w private key
after public key stored on server,
then
run ssh with the private key for the user at the server address
ssh -i id_rsa jimmason@jim-macbook.local
https://docs.rackspace.com/support/how-to/logging-in-with-an-ssh-private-key-on-linuxmac
Key Concepts
Certificate Use Cases
Manage Client and Server SSL certificates for SSL encryption of messages
- Client and server each have their own private key and matching public key pairs
- Client and server can self-sign their private keys or create a CSR ( certificate signing request ) to have a root CA sign them for higher trust level
- Client and server exchange public keys as certificates
- For each message sent, the source system encrypts the message with the private key
- For each message received, the receiver uses the public key to decrypt the message
Can use a variety of tools to generate an RSA 2048 key pair for SSL: Openssl, Java keytool, Puttygen
After generating the key pair file, copy the pair to the secure local key store ( PKCS12 format or ? )
Send the public key to the other end of the SSL connection to use to decrypt messages
Gopher blog on Key management for SSL setup
Full CA keystore setup, generate of RSA certificates and management for SSL server
- Typically a server is setup by a Certificate Authority administrator in a very secure environment.
- The CA is often an intermediate CA with a trust chain back to a root CA ( Verisign, Thawte or other root CA )
- Certificate files will often use a user, domain name or server name depending on planned usage
- Private keys are generated and usually well protected in a secure key store.
- A CSR ( Certificate Signing Request ) is generated for root CA authentication ( vs self signed certs )
- the server CA reviews and approves the CSR providing a complete trust chain to a root CA
- The public key is generated from the private key as a certificate PEM file normally. ( validate )
- If needed, a PKCS12 file can be generated from the private key as a format to send the certificate to the client
Client setup for PKI certificates
Key management and distribution concepts
private keys can have a pass phrase to protect access
better use an encrypted wrapper with a password for key distribution via sftp or secure email
store in a secure location documented for trusted users only
send keys as encrypted messages ( PGP, zip or ? )
Document signing with the Private key
Create personal certificate for shared SSL
use a personal name or identity or a proxy name
Setup a Web Server with SSL
Common certificate and key file formats
Java Certificate Administration
Java Keystore Types
https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview
Keystore is a storage facility to store cryptographic keys and certificates. They are most frequently used in SSL communications to prove the identity of servers and clients. A keystore can be a file or a hardware device. Three are three kinds of entries can be stored in a keystore depending on the types of keystores.
The three types of entries are:
PrivateKey : This is a type of keys which are used in asymmetric cryptography. It is usually protected with password because of its sensitivity. It can also be used to sign a digital signature.
Certificate : A certificate contains a public key which can identify the subject claimed in the certificate. It is usually used to verify the identity of a server. Sometimes it is also used to identify a client when requested.
SecretKey : A key entry which is sued in symmetric cryptography.
Depending on what entries the keystore can store and how the keystore can store the entries, there are a few different types of keystores in Java: JKS, JCEKS, PKCS12, PKCS11 and DKS. You can find the introduction of these keystore on Oracle's Java Cryptography Architecture description.
Next, we will have an overview of these keystore types.
JKS, Java Key Store. You can find this file at sun.security.provider.JavaKeyStore. This keystore is Java specific, it usually has an extension of jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys. Since it's a Java specific keystore, so it cannot be used in other programming languages. The private keys stored in JKS cannot be extracted in Java.
JCEKS, JCE key store(Java Cryptography Extension KeyStore). It is a super set of JKS with more algorithms supported. It is an enhanced standard added later by Sun. You can find this file at com.sun.crypto.provider.JceKeyStore. This keystore has an extension of jceks. The entries which can be put in the JCEKS keystore are private keys, secret keys and certificates. This keystore provides much stronger protection for stored private keys by using Triple DES encryption.
The provider of JCEKS is SunJCE, it was introduced in Java 1.4. Hence prior to Java 1.4, only JKS can be used.
PKCS12, this is a standard keystore type which can be used in Java and other languages. You can find this keystore implementation at sun.security.pkcs12.PKCS12KeyStore. It usually has an extension of p12 or pfx. You can store private keys, secret keys and certificates on this type. Unlike JKS, the private keys on PKCS12 keystore can be extracted in Java. This type is portable and can be operated with other libraries written in other languages such as C, C++ or C#.
The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.
Currently the default keystore type in Java is JKS, i.e the keystore format will be JKS if you don't specify the -storetype while creating keystore with keytool. However, the default keystore type will be changed to PKCS12 in Java 9 because its enhanced compatibility compared to JKS. You can check the default keystore type at $JRE/lib/security/java.security file:
PKCS11, this is a hardware keystore type. It provides an interface for the Java library to connect with hardware keystore devices such as SafeNet's Luna, nCipher or Smart cards. You can find this implementation at sun.security.pkcs11.P11KeyStore. When you load the keystore, you no need to create a specific provider with specific configuration. This keystore can store private keys, secret keys and certificates. When loading the keystore, the entries will be retrieved from the keystore and then converted into software entries.
DKS, Domain KeyStore is a keystore of keystore. It abstracts a collection of keystores that are presented as a single logical keystore. Itself is actually not a keystore. This new keystore type is introduced in Java 8. There is a new class DomainLoadStoreParameter which closely relates to DKS.
This keystore is located at sun.security.provider.DomainKeyStore.java.
Windows-MY, this is a type of keystore on Windows which is managed by the Windows operating system. It stores the user private keys and certificates which can be used to perform cryptographic operations such as signature verification, data encryption etc. Since it's a kind of native keystore, Java doesn't have a general API to access it. Oracle provides a separate API to access the Windows-MY keystore -- SunMSCAPI. The provider class for this API is sun.security.mscapi.SunMSCAPI.
BKS, BoucyCastle keystore, is a keystore format provided the popular third party Java cryptographic library provider -- BouncyCastle. It is a keystore similar to the JKS provided by Oracle JDK. But it supports storing secret key, private key and certificate. It is frequently used in mobile application developments.
In Java, there are a few choices on how a keystore can be processed. Writing the Java code is apparently a choice. Apart from this, a tool comes along with the JDK can also be used, it is called keytool.
keytool is a command line tool. It can be used to create keystore, generate keys, import and export certificates etc. For a full list of commands keytool supports, you can refer to Oracle keytool guideline.
If you are using IBM JDK, there is one more tool which can be used, it is ikeyman. ikeyman is a GUI tool which can provide a straightforward view of the keystore. The entries in the keystore. Keys and certificates can be created using ikeyman as well. It is a tool used frequently by system administrators.
Below are the details of each keystore supported in Java.
- Different types of keystore in Java -- JKS
- Different types of keystore in Java -- JCEKS
- Different types of keystore in Java -- PKCS12
- Different types of keystore in Java -- PKCS11
- Different types of keystore in Java -- DKS
- Different types of keystore in Java -- Windows-MY
- Different types of keystore in Java -- BKS
Certificate administration options
Java keytool
https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549
Openssl command line on any platform
Free CA admin tools including Fabric
Openssl certficate adminisration
Use Linux default openssl if possible
includes default trust store for certificates
To create CA, keystore and manage certificates see these detail use cases then read the references below
Use case - Manage Client and Server SSL certificates for SSL encryption of messages
Use case - Full CA keystore setup, generate of RSA certificates and management for SSL server
see References :
Sample Openssl CA certificate management commands
Openssl on Windows
install a valid Openssl binary from
Compile Openssl for Windows or get a binary package
only if needed ( usually on Windows if a binary not available )
add a trust store
Use or Create a Trust Store
either use system trust store or get Mozilla trust store
Windows Certificates Trust Store via mmc
Mozilla Root Certificate trust store text file
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Download & Install Windows Openssl binary
https://slproweb.com/products/Win32OpenSSL.html
For Windows, create openssl_start.bat
sets up openssl environment in Windows
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
This can be solved as following:
- Close OpenSSL.
- Open a Command Prompt (CMD) as Administrator
- Run the following command:
SET OPENSSL_CONF=<<my openssl bin path>>\openssl.cnf
Create Keystore, Admin key, User key & cert
use pkcs12 keystore
all key types and portable to any language
Generate a private key for the admin
if using a protected passfile, store in protected zip w option name + dddd
D:\dsfw\files\keyhome>
openssl genrsa -aes256 -passout file:passfile.txt -out jemason1.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++++
.........................................................................................................+++++
e is 65537 (0x010001)
The password file ideally is in UTF-8 encoding for openssl
type or cat the key file to see the encrypted text for the private key generated
type jemason1-pub.pem | more
-----BEGIN PUBLIC KEY-----
.... << more >> ...
-----END PUBLIC KEY-----
create the public key from the private key file
openssl rsa -in jemason1.key -out jemason1-pub.key -pubout
key files output:
jemason1-pub.key jemason1.key passfile.txt
OpenSSL on Linux
error - unknown option on openssl command - can't copy dashes
Search Results
Web results
openssl keeps giving me "unknown option" errors - Server Fault
https://serverfault.com › questions › openssl-keeps-giving-me-unknown-o...
2 answers
Aug 13, 2011 - Delete all of your dashes and re-type them on the command line. when you wish to copy and paste! the - in the out so use arrows to get there and remove - and then type - and press enter, the - near the out is the only - you need to delete and type then it works :D.
CSR - Certificate Signing Request
Get details from the site admin for OU, Cname, email, challenge password etc first
openssl req -new -key fd.key -out fd.cs
Create a pkcs12 file store for certificates
PKCS 12. In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. ... The filename extension for PKCS #12 files is .p12 or .pfx .
The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys
https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs12.html
For PKCS#12 file parsing only -in and -out need to be used for PKCS#12 file creation -export and -name are also used.
Controlling order of keys in pkcs12 file
If none of the -clcerts, -cacerts or -nocerts options are present then all certificates will be output in the order they appear in the input PKCS#12 files. There is no guarantee that the first certificate present is the one corresponding to the private key. Certain software which requires a private key and certificate and assumes the first certificate in the file is the one corresponding to the private key: this may not always be the case. Using the -clcerts option will solve this problem by only outputting the certificate corresponding to the private key. If the CA certificates are required then they can be output to a separate file using the -nokeys -cacerts options to just output CA certificates.
creates a pkcs12 file from a public key
openssl pkcs12 -export -in jemason1-pub.key -out jemason1.p12 -name "jmason Certificate"
jemfebapr
Tutorial - Create SSL certificates with OpenSSL
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs
On Ubuntu
ssl folder /usr/lib/ssl is a link to
/etc/ssl
which contains /certs openssl.cnf /private
openssl.cnf has default values for a CSR otherwise they must be entered on CLI
openssl req –out certificatesigningrequest.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key
create the new key and csr request
openssl req –out jmason1.csr -new -newkey rsa:2048 -nodes -keyout jmason1.key
read the key
openssl req -in jmason1
.csr -noout -text
Create a public key as a PEM file from private key
openssl rsa -in jmason1.key -outform PEM -pubout -out jmason1-pub.PEM
Create a PKCS12 format file that can be imported into a Windows keystore
Create self-signed certificate with openssl req
openssl-req, req - PKCS#10 certificate request and certificate generating utility
The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.
openssl-x509, x509 - Certificate display and signing utility
https://www.openssl.org/docs/man1.1.1/
example 1 - create new self-signed root CA certificate, private and public key files and a password file
openssl req -x509 -sha256 -outform PEM -days 1000 -out jmason2-crt.pem -new -newkey rsa:2048 -nodes
-keyout jmason2-key.pem -passin file:passfile.txt
Generating a RSA private key
...........................................................+++++
.....................................................................................+++++
writing new private key to 'jmason2-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [MA]:MA
Locality Name (eg, city) []:North Attleboro
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paramount Software Solutions
Organizational Unit Name (eg, section) []:software
Common Name (e.g. server FQDN or YOUR name) []:Jim Mason
Email Address []:.
openssl req options
-outform DER|PEM
This specifies the output format, the options have the same meaning and default as the -inform option.
-in filename
This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (-new and -newkey) are not specified.
-x509
This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.
If existing request is specified with the -in option, it is converted to the self signed certificate otherwise new request is created.
Openssl simple CA app to sign requests
https://www.openssl.org/docs/man1.1.0/man1/ca.html
Potential Value Opportunities
Potential Challenges
Puttygen key formats not compatible with OpenSSH and OpenSSL
Puttygen uses a new proprietary key format that OpenSSH and OpenSSL do not.
Puttygen has a conversion tool that can convert the Puttygen key format back to the older OpenSSL format
testing a converted Puttygen to OpenSSL format worked:
openssl rsa -in jmason-prv-ssh3b.key -noout -text
Enter pass phrase for jmason-prv-ssh3b.key:
Private-Key: (2048 bit)
modulus:
00:92:db:ff:65:08:32:42:c8:04:3d:43:65:52:23:
65:2a:a5:d8:18:55:20:47:ef:61:a2:e9:c4:77:84:
Tip to convert OpenSSL key format to new Puttygen format
https://gist.github.com/twelve17/0449491d86158960fdb630160799ff23
It looks like as of this writing, the PuTTY Gen conversion code only accepts keys that use the AES-128-CBC
or DES-EDE3-CBC
ciphers. Otherwise, it will complain with a "unsupported cipher" error. (The latest release version at the moment is beta 0.67.)
For example, one of my private keys was using AES-256-CBC:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,xxxxxxx
Note that if your key is encrypted with a passphrase or has a MAC(?), you might only see a header like:
-----BEGIN RSA PRIVATE KEY-----
xx252xljbl.....
The "openssl" tool can be used to convert an existing private key to one of the acceptable formats above. Which of the two is another discussion, but hey, here is some insight.
openssl.exe rsa -in /path/to/your/private_key -out /path/to/your/new_private_key -outform PEM -des-ede3-cbc
openssl supported cipher formats include:
Cipher commands (see the `enc' command for more details)
openssl help
aes-128-cbc | aes-128-ecb | aes-192-cbc | aes-192-ecb |
aes-256-cbc | aes-256-ecb | base64 | bf |
bf-cbc | bf-cfb | bf-ecb | bf-ofb |
camellia-128-cbc | camellia-128-ecb | camellia-192-cbc | camellia-192-ecb |
camellia-256-cbc | camellia-256-ecb | cast | cast-cbc |
cast5-cbc | cast5-cfb | cast5-ecb | cast5-ofb |
des | des-cbc | des-cfb | des-ecb |
des-ede | des-ede-cbc | des-ede-cfb | des-ede-ofb |
des-ede3 | des-ede3-cbc | des-ede3-cfb | des-ede3-ofb |
des-ofb | des3 | desx | idea |
idea-cbc | idea-cfb | idea-ecb | idea-ofb |
rc2 | rc2-40-cbc | rc2-64-cbc | rc2-cbc |
rc2-cfb | rc2-ecb | rc2-ofb | rc4 |
rc4-40 | seed | seed-cbc | seed-cfb |
seed-ecb | seed-ofb |
des-ede3-cbc is the Puttygen format for keys
Candidate Solutions
Step-by-step guide for Example
sample code block