Hi I'm working on a java project with a client and a server that use SSL sockets with client authentication set to true. I got everything working, but I would like to be sure what each side should contain in their jks.
Client:
1. client private key(key.pem) & public key(cert.pem).
2. Intermediate CA public key(cert.pem).
Server:
1. server private key(key.pem) & public key(cert.pem).
2. Intermediate CA public key(cert.pem).
I have been reading a lot about certificates, but I can't really understand what certificates are really necesary.
Questions:
1. I read the client should only contain the rootCA and his certificates, and the server all the chain and his certificate. Is this the correct way of handling this?
2. I also read that the server should have two jks, one with the certificates and another with the trustchain. I don't really know what each should contain then.
3. The code only works if the server and the client have javax.net.ssl.keyStore and javax.net.ssl.trustStore. If i remove one of them they stop working, why? From what I read the client should be able to work only with the trustStore.
I know there is lot of information in the internet, I have spend a week reading about it, but I still can't really get this points strait. Even if the code works I really want to know why it works and what is the correct way to do it.
I created a batch from the tutorila in the following website: https://jamielinux.com/docs/openssl-certificate-authority/.
I'm using a secondary project to test the ssl socket connection. This is what I'm using:
Client (MWE):
package com.test.ssl;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
public class Client {
private static final String IP = "127.0.0.1";
private static final int PORT = 15000;
private static DataOutputStream os;
private static DataInputStream is;
private static final byte messageEnd = 0;
public static void main(String[] args) {
System.setProperty("javax.net.ssl.keyStore", "D:\\workspace\\Client_Server_SSL\\clientKeyStore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "CertPass");
System.setProperty("javax.net.ssl.trustStore", "D:\\workspace\\Client_Server_SSL\\clientKeyStore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "CertPass");
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
try {
SSLSocket sslsocket = (SSLSocket) factory.createSocket(IP, PORT);
sslsocket.setNeedClientAuth(true);
is = new DataInputStream(sslsocket.getInputStream());
System.out.println("Loading output streams");
os = new DataOutputStream(sslsocket.getOutputStream());
System.out.println("Streams loaded");
os.write("Hi\0".getBytes());
byte character;
List<Byte> message = new ArrayList<>();
while ((character = is.readByte()) != messageEnd) {
message.add(character);
}
byte[] messageBytes = byteListToByteArray(message);
String response = new String(messageBytes);
System.out.println("Server response: " + response);
} catch (IOException e) {
e.printStackTrace();
}
}
public static byte[] byteListToByteArray(List<Byte> bytes) {
byte[] result = new byte[bytes.size()];
for (int i = 0; i < bytes.size(); i++) {
result[i] = bytes.get(i).byteValue();
}
return result;
}
}
Server (MWE):
package com.test.ssl;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
public class Server {
private static boolean serverListening = true;
private static SSLServerSocket sslserversocket;
private static final int PORT = 15000;
private static DataInputStream is;
private static DataOutputStream os;
public static void main(String[] args) {
System.setProperty("javax.net.ssl.keyStore", "D:\\workspace\\Client_Server_SSL\\serverKeyStore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "CertPass");
System.setProperty("javax.net.ssl.trustStore", "D:\\workspace\\Client_Server_SSL\\serverKeyStore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "CertPass");
SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
try {
sslserversocket = (SSLServerSocket) factory.createServerSocket(PORT);
sslserversocket.setNeedClientAuth(true);
while (serverListening) {
System.out.println("Waiting for client");
// Accept return a new socket to handle the client.
SSLSocket sslsocket = (SSLSocket) sslserversocket.accept();
is = new DataInputStream(sslsocket.getInputStream());
os = new DataOutputStream(sslsocket.getOutputStream());
System.out.println("Client connected");
List<Byte> message = new ArrayList<>();
byte character;
while ((character = is.readByte()) != 0) {
message.add(character);
}
byte[] messageBytes = byteListToByteArray(message);
String response = new String(messageBytes);
System.out.println("Client sad: " + response);
os.write("Welcome\0".getBytes());
}
} catch (IOException e) {
System.err.println("Exception: " + e);
}
}
public static byte[] byteListToByteArray(List<Byte> bytes) {
byte[] result = new byte[bytes.size()];
for (int i = 0; i < bytes.size(); i++) {
result[i] = bytes.get(i).byteValue();
}
return result;
}
}
Batch script:
Downloaded openSSL from : https://slproweb.com/products/Win32OpenSSL.html
Copied the bin folder in a separate folder, and added the batch file there.
The openssl.cnf is a copy of the one in the guide from the first link.
@echo on
cd /D %~dp0
REM could not create all subfolder at onces, I got a syntax error when trying root\ca\{certs,crl,newcerts,private}
mkdir root\ca\certs
mkdir root\ca\crl
mkdir root\ca\newcerts
mkdir root\ca\private
type NUL > root\ca\index.txt
echo 1000 > root\ca\serial
REM tried to use type but it was not working.
copy "%~dp0ConfigurationFiles\openssl_ca_test.cnf" root\ca\openssl.cnf
@echo ______________Creating CA
openssl genrsa -aes256 -out root/ca/private/ca.key.pem -passout pass:CAPassword 4096
openssl req -config root/ca/openssl.cnf -key root/ca/private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out root/ca/certs/ca.cert.pem -passin pass:CAPassword
openssl x509 -noout -text -in root/ca/certs/ca.cert.pem
@echo ______________INTERMEDIATE CERTIFICATES
mkdir root\ca\intermediate\certs
mkdir root\ca\intermediate\crl
mkdir root\ca\intermediate\newcerts
mkdir root\ca\intermediate\private
mkdir root\ca\intermediate\csr
type NUL > root\ca\intermediate\index.txt
echo 1000 > root\ca\intermediate\serial
echo 1000 > root\ca\intermediate\crlnumber
copy "%~dp0ConfigurationFiles\openss_intermediate_test.cnf" root\ca\intermediate\openssl.cnf
openssl genrsa -aes256 -out root/ca/intermediate/private/intermediate.key.pem -passout pass:InterMPassword 4096
openssl req -config root/ca/intermediate/openssl.cnf -new -sha256 -key root/ca/intermediate/private/intermediate.key.pem -out root/ca/intermediate/csr/intermediate.csr.pem -passin pass:InterMPassword
openssl ca -config root/ca/openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in root/ca/intermediate/csr/intermediate.csr.pem -out root/ca/intermediate/certs/intermediate.cert.pem -passin pass:CAPassword
type root\ca\intermediate\certs\intermediate.cert.pem root\ca\certs\ca.cert.pem > root\ca\intermediate\certs\ca-chain.cert.pem
@echo ______________GENERATING CERTIFICATES
openssl genrsa -aes256 -out root/ca/intermediate/private/www.client.com.key.pem -passout pass:CertPass 2048
openssl genrsa -aes256 -out root/ca/intermediate/private/www.server.com.key.pem -passout pass:CertPass 2048
openssl req -config root/ca/intermediate/openssl.cnf -key root/ca/intermediate/private/www.client.com.key.pem -new -sha256 -out root/ca/intermediate/csr/www.client.com.csr.pem -passin pass:CertPass
openssl req -config root/ca/intermediate/openssl.cnf -key root/ca/intermediate/private/www.server.com.key.pem -new -sha256 -out root/ca/intermediate/csr/www.server.com.csr.pem -passin pass:CertPass
@echo ______________SIGNING CERTIFICATES
openssl ca -config root/ca/intermediate/openssl.cnf -extensions usr_cert -days 7000 -notext -md sha256 -in root/ca/intermediate/csr/www.client.com.csr.pem -out root/ca/intermediate/certs/www.client.com.cert.pem -passin pass:InterMPassword
openssl ca -config root/ca/intermediate/openssl.cnf -extensions server_cert -days 7000 -notext -md sha256 -in root/ca/intermediate/csr/www.server.com.csr.pem -out root/ca/intermediate/certs/www.server.com.cert.pem -passin pass:InterMPassword
@echo ______________DONE
PAUSE
I would like to be sure what each side should contain in their jks.
First, for mutually-authenticated SSL, each side needs two JKS files: a keystore and a truststore. Do not confuse these files, or conflate their purposes, or use a single file for both.
The keystore in each case contains that side's own private key and certificate, and the signed certificate chain up to whatever root CA is trusted by the peer.
The truststore in each case contains the root CA that this side trusts. If the peer is for some unfortunate reason using a self-signed certificate, this amounts to requiring an exported copy of that certificate in this side's truststore.