SSL Basic Concepts

Sudhanshu Mishra
Ranch Hand

Joined: May 28, 2011
Posts: 215

Hi all,
I have just started to learn SSL, and after going through many documents on the internet, I want to conclude a few points and want your suggestions (mainly regarding SSL certificates).

1: The SSL certificate contains the public key of the server.
2: The SSL certificate is created by the CA after the requester submits the CSR (Certificate Signing Request) to the CA.
3: The keystore stores the private key and the certificate(s).
4: In order to create a self-signed certificate, we will have to create our own CA and CSR and then use keytool to generate the certificate by submitting the CSR to the CA.
5: When the CA creates the certificate, in order to sign it, it uses the private key generated before.
6: There is no other way to create a certificate other than creating a CSR and getting it signed by a CA (maybe self-created).

These are the few points about which I need assurance.
Please guide me.

Thanks.
Tim McGuire
Ranch Hand

Joined: Apr 30, 2003
Posts: 820

Sudhanshu Mishra wrote:Hi all,
I have just started to learn SSL, and after going through many documents on the internet, I want to conclude a few points and want your suggestions (mainly regarding SSL certificates).

4: In order to create a self-signed certificate, we will have to create our own CA and CSR and then use keytool to generate the certificate by submitting the CSR to the CA.

For a self-signed certificate, you do not have to submit anything to a CA. Yes, it is possible to create your own internal CA and then submit your CSR to that, but it is not required in using a self-signed CA.
Read this page:
https://help.ubuntu.com/10.04/serverguide/C/certificates-and-security.html

It has good information, including setting up your own internal CA with a root certificate.
Dave Trower
Ranch Hand

Joined: Feb 12, 2003
Posts: 86
There are two steps involved with using SSL.
1) The first step is you create the private and public key and the certificate. You can do this with the Java keytool command. This will store the private key, public key and certificate in the keystore. You can then tell your web server to use this keystore and you can start using SSL. This is known as a self-signed certificate. If someone connects to your web site with a self-signed certificate they will get a warning message that will say something like "This site is untrusted, do you wish to continue?"
Maybe this is OK if you want to use SSL internally. At my work, most internal servers with SSL are set up this way. We just ignore the warning messages.

2) Now if you want users to be able to go to your web site without a warning message, you must get a CA to sign your certificate. You can use the Java keytool command to create a CSR (Certificate Signing Request). This creates a small file that you send to the CA. The CSR only contains the public part of the certificate. Remember, you never want anyone to have access to your private key. After the CA signs the request, they will send you back a file. You can then use the keytool command again to import that file into the keystore. After you do this, your certificate will contain a signature of the CA. Now when users connect to your web site, they will not get the warning message.

There is a good book about this. I have it sitting on my desk at work and I am at home now, so I cannot give you the title until Monday morning. In the book, it shows how to do each step with the keytool command.
gurpeet singh
Ranch Hand

Joined: Apr 04, 2012
Posts: 924
Dave Trower wrote:There are two steps involved with using SSL.
1) The first step is you create the private and public key and the certificate. You can do this with the Java keytool command. This will store the private key, public key and certificate in the keystore. You can then tell your web server to use this keystore and you can start using SSL. This is known as a self-signed certificate. If someone connects to your web site with a self-signed certificate they will get a warning message that will say something like "This site is untrusted, do you wish to continue?"
Maybe this is OK if you want to use SSL internally. At my work, most internal servers with SSL are set up this way. We just ignore the warning messages.

2) Now if you want users to be able to go to your web site without a warning message, you must get a CA to sign your certificate. You can use the Java keytool command to create a CSR (Certificate Signing Request). This creates a small file that you send to the CA. The CSR only contains the public part of the certificate. Remember, you never want anyone to have access to your private key. After the CA signs the request, they will send you back a file. You can then use the keytool command again to import that file into the keystore. After you do this, your certificate will contain a signature of the CA. Now when users connect to your web site, they will not get the warning message.

There is a good book about this. I have it sitting on my desk at work and I am at home now, so I cannot give you the title until Monday morning. In the book, it shows how to do each step with the keytool command.

I would like to know the title of the book. I shall wait for your reply.
Dave Trower
Ranch Hand

Joined: Feb 12, 2003
Posts: 86
The name of the book is "Developing Web Services with Apache Axis" by Tung Ka Iok, Kent.

The book is a tutorial on how to create web services using all free open source products such as Tomcat, Apache Axis, etc.
Chapter 9 is "Signing and encrypting SOAP messages". This chapter talks about how to use the Java keytool command to create certificates, get them signed, etc.
bhavit pant
Greenhorn

Joined: May 22, 2012
Posts: 21

Hello ranchers,

Tim McGuire wrote:For a self-signed certificate, you do not have to submit anything to a CA. Yes, it is possible to create your own internal CA and then submit your CSR to that, but it is not required in using a self-signed CA.
Read this page:

Just want to know: can I use/create my own certificate, to be used as demo/practice work on an SSL implementation? Is there any specific tool for that, and how do I configure Tomcat 7.0 for that?

Thank you