SSL Certificates

Ranch Hand
I am going through the article https://docs.oracle.com/cd/E19798-01/821-1841/bnbyb/index.html to learn more about SSL certificates. I have a few queries:


1. Do we generate the certificates on our own, or are they given by a CA?

2. If your server certificate is self-signed, you must install it in the GlassFish Server keystore file (keystore.jks). If your client certificate is self-signed, you should install it in the GlassFish Server truststore file (cacerts.jks).
Query - What is a client certificate here? Where do we have keystore.jks and cacerts.jks on Tomcat/WebSphere/JBoss, etc.?

3. What is a self-signed certificate? And what is a digital signature? What is the meaning of signing a certificate?

4. I observed that we pass all algorithmic information in the certificate, which is visible to the user, but won't it be a security threat if a user can try to decrypt the info?

5. Do we store keys or certificates on our server?

Any other good read about SSL certificates would really help.
Bartender
This is a fairly broad topic and it's really too big to discuss on the Ranch. There are plenty of books out there for that. A few highlights, though:

1. Client certs are very rare, since they're attached to the client computer, have to be installed on each client computer, and if the client computer should be stolen or hacked, the usurper has free access to the server (until the client cert is revoked).

2. The keystore is an encrypted database and it holds both public certs and private keys. For server certs, the keystore is located on the server's filesystem.

3. All certs are based on a "chain of trust". Client applications are given a set of root certs that they can trust and all other certs encountered must either reference one of those certs or reference a cert that has been approved ("signed") by one of those certs. You create a Certificate Signing Request and forward it with your domain details to one of the signing agents and they'll return a signed cert which can then be installed with the CSR private key in your keystore. Or you can "self sign" the cert, but then the clients will be prompted to accept or reject the cert depending on whether they can trust you are who you say you are.

4. The only "decryptable" information in a cert is public data. So there's no security issue there.

Finally, you might want to look at the Tomcat server documentation on how Tomcat certificate management is done. It's not going to be the same as Glassfish, but many of the steps it describes are, since cert management is a generic process. And the Tomcat docs are fairly well-written.
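The CSR and chain-of-trust flow described above, worked through as an added example that is not from this thread or from the GlassFish or Tomcat documentation. It is written in Go rather than Java because Go's standard library can create a CA, a CSR and a signed certificate offline; an x509.CertPool stands in for the client's truststore (cacerts.jks), and the server's private key plus its certificate stand in for the keystore entry. The CA name, host name and validity period are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverHost = "www.example.com" // constructed example host name

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// baseTemplate fills the fields every certificate in this example shares.
func baseTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue signs tmpl with the signer's private key; parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// The CA's root certificate: self-signed, and shipped to clients as a trust anchor.
func newRootCA(caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := baseTemplate(1, "Example Root CA") // constructed CA name
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return issue(tmpl, tmpl, &caKey.PublicKey, caKey)
}

// The operator's step: the CSR carries the public key and host name and is signed with
// the server's private key, which proves to the CA that the requester holds that key.
func newCSR(serverKey *ecdsa.PrivateKey) *x509.CertificateRequest {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serverHost}, DNSNames: []string{serverHost}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, serverKey)
	must(err)
	csr, err := x509.ParseCertificateRequest(der)
	must(err)
	return csr
}

// The CA's step: check the CSR, then sign a certificate over the requester's public key
// with the CA's private key. The server's private key never leaves the server.
func caIssue(csr *x509.CertificateRequest, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	must(csr.CheckSignature())
	tmpl := baseTemplate(2, csr.Subject.CommonName)
	tmpl.DNSNames = csr.DNSNames
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return issue(tmpl, caCert, csr.PublicKey, caKey)
}

// The client's step: build a chain from the presented certificate to a root in its trust store.
func trusted(cert *x509.Certificate, trustStore *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: serverHost})
	return err == nil
}

// RunChainOfTrust reports whether a client accepts (1) a CA-signed server cert, (2) a self-signed
// one when only the CA is trusted, (3) the same self-signed cert after importing it into the trust store.
func RunChainOfTrust() (caSignedOK, selfSignedOK, selfSignedImportedOK bool) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caCert := newRootCA(caKey)
	caSigned := caIssue(newCSR(serverKey), caCert, caKey)
	selfTmpl := baseTemplate(3, serverHost) // the server vouches for itself instead
	selfTmpl.DNSNames = []string{serverHost}
	selfSigned := issue(selfTmpl, selfTmpl, &serverKey.PublicKey, serverKey)

	trustStore := x509.NewCertPool() // plays the part of the client's cacerts.jks
	trustStore.AddCert(caCert)
	caSignedOK = trusted(caSigned, trustStore)
	selfSignedOK = trusted(selfSigned, trustStore)
	trustStore.AddCert(selfSigned) // what "accepting" the self-signed cert amounts to
	selfSignedImportedOK = trusted(selfSigned, trustStore)
	return
}

func main() {
	fmt.Println(RunChainOfTrust())
}
```

The third result is what clicking "accept" on a self-signed certificate, or importing it into cacerts.jks, amounts to: the certificate itself becomes a trust anchor, so nothing vouches for it except the person who imported it, which is why the browser prompt Tim mentions exists at all.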
Vaibhav Gargs
Thank you Tim. Here is my understanding regarding SSL Certificates:

1. We generate the public and private keys and certificates using the keystore.
2. We raise a CSR request to get the certs signed by some CA.
3. The CA signs the certificate and gives it to us.
4. We embed the certificate in the application server.

Please let me know if this understanding is correct.

Queries:

1. Do we generate these certificates ourselves and get them signed by a CA, or does the CA generate the certificates?

2. App server passes the certificate along with public key to the browser which is used to encrypt/decrypt the information. Is it correct?

3. App server uses the private key to encrypt/decrypt the request/response. Is it correct?

4. What is the difference between keystore and truststore?

5. What is the meaning of signing a certificate?

6. What security checks does the CA carry out for providing certificate approvals?
Saloon Keeper

Vaibhav Gargs wrote: We generate the public and private keys and certificates using the keystore.


No. Key stores store keys. They don't generate them.

1. Do we generate these certificates ourselves and get them signed by a CA, or does the CA generate the certificates?


A certificate authority creates a certificate based on the data from a CSR. The CSR is created by you.

2. App server passes the certificate along with public key to the browser which is used to encrypt/decrypt the information. Is it correct?


No. Certificates contain the public key, and the public key is used to verify signatures and encrypt symmetric keys.

3. App server uses the private key to encrypt/decrypt the request/response. Is it correct?


No. The private key is used to create signatures and decrypt symmetric keys.

4. What is the difference between keystore and truststore?


A key store stores private keys held by the owner of the store. A trust store stores certificates of trusted third parties.

5. What is the meaning of signing a certificate?


A CA signs a certificate to indicate that they trust the owner of the key that the certificate is based on. Other people can verify that the certificate is trusted by verifying the signature of the CA.

6. What security checks does the CA carry out for providing certificate approvals?


They may phone your company to find out if you really requested the certificate, and in more sensitive cases might send someone over to verify what you requested.
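The division of labour given in the answers to points 2 and 3 above, as an added example that is not from this thread: the private key signs and decrypts, the public key verifies and encrypts, and the public key's encryption job is limited to a short symmetric key that then protects the actual request and response. Written in Go for the same reason as the earlier example (self-contained standard library); the handshake message, the HTTP line and the OAEP label are constructed values.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var oaepLabel = []byte("session-key") // constructed label; both sides must use the same one

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Private key signs: what a CA does to a certificate and what a server does in its handshake.
func signWithPrivate(priv *rsa.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	must(err)
	return sig
}

// Public key verifies: anyone holding the certificate can check the signature, nobody can forge one.
func verifyWithPublic(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Public key encrypts a short symmetric key (RSA key transport, as in the pre-TLS 1.3 RSA key exchange).
func wrapSessionKey(pub *rsa.PublicKey, sessionKey []byte) []byte {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, oaepLabel)
	must(err)
	return wrapped
}

// Private key decrypts it: only the holder of the private key recovers the session key.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// Bulk request/response bytes are protected with the symmetric key (AES-GCM), not with RSA.
func sealRecord(sessionKey, plaintext []byte) (nonce, ciphertext []byte) {
	block, err := aes.NewCipher(sessionKey)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	nonce = make([]byte, gcm.NonceSize())
	_, err = rand.Read(nonce)
	must(err)
	return nonce, gcm.Seal(nil, nonce, plaintext, nil)
}

func openRecord(sessionKey, nonce, ciphertext []byte) []byte {
	block, err := aes.NewCipher(sessionKey)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	plain, err := gcm.Open(nil, nonce, ciphertext, nil)
	must(err) // a wrong key or a modified record fails here
	return plain
}

// RunKeyRoles exercises the four roles and returns what each check observed.
func RunKeyRoles() (sigValid, tamperedSigValid, wrongKeyUnwraps bool, recovered string) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // stays in the server's keystore
	must(err)
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated party's key
	must(err)
	pub := &serverKey.PublicKey // the half that travels inside the certificate

	msg := []byte("constructed handshake transcript")
	sig := signWithPrivate(serverKey, msg)
	sigValid = verifyWithPublic(pub, msg, sig)
	tampered := append([]byte("X"), msg[1:]...) // one byte changed: the signature no longer verifies
	tamperedSigValid = verifyWithPublic(pub, tampered, sig)

	sessionKey := make([]byte, 32) // fresh AES-256 key chosen by the client
	_, err = rand.Read(sessionKey)
	must(err)
	wrapped := wrapSessionKey(pub, sessionKey)
	_, err = unwrapSessionKey(otherKey, wrapped)
	wrongKeyUnwraps = err == nil
	serverCopy, err := unwrapSessionKey(serverKey, wrapped)
	must(err)
	nonce, ct := sealRecord(sessionKey, []byte("GET /index.html"))
	plain := openRecord(serverCopy, nonce, ct) // the server reads the request with the unwrapped key
	return sigValid, tamperedSigValid, wrongKeyUnwraps, string(plain)
}

func main() {
	fmt.Println(RunKeyRoles())
}
```

Note that nothing in the certificate needs to be secret for this to work: the public key and the algorithm identifiers are meant to be read by every client, and the only secrets are the server's private key in the keystore and the per-connection session key.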