This section provides a tutorial example on how to prepare keys and certificates for the server and the client for an SSL client authentication test.
JDK "keytool" seems to be a good tool to generate and manage certificates.
So I will use "keytool" to generate and manage "full" and "public" certificates
for both server and client sides. Let's see what I did on the server side first:
>keytool -genkey -alias server_full -keypass ServerKey
-keystore server.jks -storepass ServerJKS
What is your first and last name?
[Unknown]: my.server.com
What is the name of your organizational unit?
[Unknown]: My Unit
What is the name of your organization?
[Unknown]: My Home
What is the name of your City or Locality?
[Unknown]: My City
What is the name of your State or Province?
[Unknown]: My State
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My State...
[no]: yes
>keytool -export -alias server_full -file server_pub.crt
-keystore server.jks -storepass ServerJKS
Certificate stored in file <server_pub.crt>
>"send server_pub.crt to the client side..."
At this moment, the server's "full" certificate is ready and stored in server.jks.
The server's "public" certificate is also ready and stored in server_pub.crt.
Next, let's see what I did on the client side:
>keytool -genkey -alias client_full -keypass ClientKey
-keystore client.jks -storepass ClientJKS
What is your first and last name?
[Unknown]: my.client.com
What is the name of your organizational unit?
[Unknown]: My Unit
What is the name of your organization?
[Unknown]: My Home
What is the name of your City or Locality?
[Unknown]: My City
What is the name of your State or Province?
[Unknown]: My State
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My State...
[no]: yes
>keytool -export -alias client_full -file client_pub.crt
-keystore client.jks -storepass ClientJKS
Certificate stored in file <client_pub.crt>
>"send client_pub.crt to the server side..."
>"receive server_pub.crt from the server side..."
>keytool -import -alias cerver_pub -file server_pub.crt
-keystore client.jks -storepass ClientJKS
Owner: CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My S...
Issuer: CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My ...
......
Trust this certificate? [no]: yes
Certificate was added to keystore
>keytool -list -keystore client.jks -storepass ClientJKS
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
client_full, Mar 29, 2005, keyEntry,
Certificate fingerprint (MD5): 53:5F:62:00:4A:5F:0E:DC:1A:8F:4B:8E...
cerver_pub, Mar 29, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 34:71:CD:2F:E8:D9:32:57:34:61:46:4C...
At this moment, the client's "full" certificate is ready and stored in client.jks.
The client's "public" certificate is also ready and stored in client_pub.crt.
The server's "public" certificate is also added to client.jks as a trusted certificate.
Next, I have to go to the server side and add the client's "public" certificate:
>keytool -import -alias client_pub -file client_pub.crt
-keystore server.jks -storepass ServerJKS
Owner: CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My S...
Issuer: CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My ...
......
Trust this certificate? [no]: yes
Certificate was added to keystore
>keytool -list -keystore server.jks -storepass ServerJKS
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
server_full, Mar 29, 2005, keyEntry,
Certificate fingerprint (MD5): 34:71:CD:2F:E8:D9:32:57:34:61:46:4C...
client_pub, Mar 29, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 53:5F:62:00:4A:5F:0E:DC:1A:8F:4B:8E...
I think I am ready to perform an SSL communication with both server and client
authentications. What do you think?
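Once each keystore holds its own keyEntry and the peer's trustedCertEntry, the two files can drive a mutually authenticated handshake. The Java program below is an added example, not part of the original tutorial; it assumes server.jks and client.jks are in the working directory with the passwords used above, and it connects over loopback, so no hostname check is made against the CN in the certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualAuthContext {

    // Builds an SSLContext from one of the keystores prepared above. The same JKS
    // file supplies both the private key ("full" certificate, keyEntry) and the
    // peer's "public" certificate (trustedCertEntry), so no separate truststore is needed.
    static SSLContext fromKeystore(String path, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);   // presents server_full / client_full to the peer
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);            // trusts only client_pub / cerver_pub, nothing else
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext serverCtx = fromKeystore("server.jks", "ServerJKS".toCharArray(), "ServerKey".toCharArray());
        SSLContext clientCtx = fromKeystore("client.jks", "ClientJKS".toCharArray(), "ClientKey".toCharArray());

        SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        listener.setNeedClientAuth(true);   // without this the client certificate is never requested
        int port = listener.getLocalPort();

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                s.startHandshake();
                System.out.println("server authenticated client: " + s.getSession().getPeerPrincipal());
            } catch (Exception e) { e.printStackTrace(); }
        });
        server.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port)) {
            c.startHandshake();
            System.out.println("client authenticated server: " + c.getSession().getPeerPrincipal());
        }
        server.join();
    }
}
```

With a current JDK, generate the two key pairs with "-keyalg RSA", since the DSA keys that older keytool versions produce by default are not usable in TLS 1.3 and the handshake will fail.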