Preparing Certificates for Client Authentication

This section provides a tutorial example on how to prepare keys and certificates for the server and the client for an SSL client authentication test.

JDK "keytool" seems to be a good tool to generate and manage certificates. So I will use "keytool" to generate and manage "full" and "public" certificates for both server and client sides. A "full" certificate here means a keystore entry holding a private key together with its self-signed certificate; a "public" certificate means the certificate alone, exported to a file, which is all the other side needs in order to trust this side. Let's see what I did on the server side first:

>keytool -genkey -alias server_full -keypass ServerKey
   -keystore server.jks -storepass ServerJKS 

What is your first and last name?
  [Unknown]:  my.server.com
What is the name of your organizational unit?
  [Unknown]:  My Unit
What is the name of your organization?
  [Unknown]:  My Home
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My State...
  [no]:  yes

>keytool -export -alias server_full -file server_pub.crt 
   -keystore server.jks -storepass ServerJKS

Certificate stored in file <server_pub.crt>

>"send server_pub.crt to the client side..."

At this moment, the server's "full" certificate is ready and stored in server.jks. The server's "public" certificate is also ready and stored in server_pub.crt. Next, let's see what I did on the client side:

>keytool -genkey -alias client_full -keypass ClientKey
   -keystore client.jks -storepass ClientJKS
   
What is your first and last name?
  [Unknown]:  my.client.com
What is the name of your organizational unit?
  [Unknown]:  My Unit
What is the name of your organization?
  [Unknown]:  My Home
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My State...
  [no]:  yes

>keytool -export -alias client_full -file client_pub.crt 
   -keystore client.jks -storepass ClientJKS
   
Certificate stored in file <client_pub.crt>
       
>"send client_pub.crt to the server side..."

>"receive server_pub.crt from the server side..."

>keytool -import -alias cerver_pub -file server_pub.crt 
   -keystore client.jks -storepass ClientJKS

Owner: CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My S...
Issuer: CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My ...
......
Trust this certificate? [no]:  yes
Certificate was added to keystore

>keytool -list -keystore client.jks -storepass ClientJKS

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

client_full, Jul 1, 2014, keyEntry,
Certificate fingerprint (MD5): 53:5F:62:00:4A:5F:0E:DC:1A:8F:4B:8E...
cerver_pub, Jul 1, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 34:71:CD:2F:E8:D9:32:57:34:61:46:4C...

At this moment, the client's "full" certificate is ready and stored in client.jks. The client's "public" certificate is also ready and stored in client_pub.crt. The server's "public" certificate is also added to client.jks as a trusted certificate. Note that the "Owner" and "Issuer" lines printed above are identical: the certificate is self-signed, so the client is trusting this one specific certificate, not a CA that vouches for it. Next, I have to go to the server side and add the client's "public" certificate:

>keytool -import -alias client_pub -file client_pub.crt 
   -keystore server.jks -storepass ServerJKS
   
Owner: CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My S...
Issuer: CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My ...
......
Trust this certificate? [no]:  yes
Certificate was added to keystore

>keytool -list -keystore server.jks -storepass ServerJKS

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

server_full, Jul 1, 2014, keyEntry,
Certificate fingerprint (MD5): 34:71:CD:2F:E8:D9:32:57:34:61:46:4C...
client_pub, Jul 1, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 53:5F:62:00:4A:5F:0E:DC:1A:8F:4B:8E...

I think I am ready to perform an SSL communication with both server and client authentications. What do you think?
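The whole procedure above, scripted so it runs without prompts, as an added example that is not part of the original tutorial. It assumes a JDK "keytool" on PATH, uses PKCS12 stores instead of the tutorial's JKS files, and uses one password per store; the store and file names, passwords and the $WORK scratch directory are made up for this example. Beyond what the tutorial shows, it pins the key algorithm, key size, signature algorithm and validity explicitly instead of relying on keytool's defaults, and it checks the SHA-256 fingerprint of each received certificate against the value obtained out of band before importing it as a trust anchor, then shows that a certificate substituted in transit is refused.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the keytool procedure above,
# scripted so it runs without prompts and with the checks a practitioner would add.
# Assumptions: a JDK "keytool" on PATH; PKCS12 stores instead of the tutorial's JKS;
# one password per store; the store/file names, passwords and the $WORK scratch
# directory are made up for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_DN="CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My State, C=US"
CLIENT_DN="CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My State, C=US"

# "Full" certificate in the tutorial's terms: a private key plus its self-signed
# certificate, stored as one key entry. Algorithm, size, signature algorithm and
# validity are given explicitly instead of relying on keytool's defaults.
gen_keypair() { # alias dname keystore storepass
  keytool -genkeypair -alias "$1" -dname "$2" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -keystore "$3" -storetype PKCS12 -storepass "$4" -keypass "$4" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file, as keytool prints it (AB:CD:...).
cert_fingerprint() { # certfile
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# "Public" certificate: the certificate alone, PEM encoded, nothing secret in it.
# Prints its fingerprint so the sender can read it out over a trusted channel.
export_cert() { # alias keystore storepass outfile
  keytool -exportcert -rfc -alias "$1" -keystore "$2" -storepass "$3" -file "$4" >/dev/null 2>&1
  cert_fingerprint "$4"
}

# Import a received certificate as a trust anchor only if it is the certificate the
# other side actually exported. The tutorial's "send ... to the other side" step is
# exactly where a substituted certificate would slip in; comparing the fingerprint
# against the value obtained out of band closes that hole.
import_trusted() { # alias certfile expected_fingerprint keystore storepass
  actual=$(cert_fingerprint "$2")
  if [ -z "$actual" ] || [ "$actual" != "$3" ]; then
    echo "refusing to trust $2: fingerprint '$actual' != expected '$3'" >&2
    return 1
  fi
  keytool -importcert -noprompt -alias "$1" -file "$2" \
    -keystore "$4" -storepass "$5" >/dev/null 2>&1
}

# Number of entries keytool reports for a store ("Your keystore contains N entries").
count_entries() { # keystore storepass
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/.*contains \([0-9][0-9]*\) entr.*/\1/p'
}

prepare_both_sides() {
  # Server side: key entry, then the public certificate to hand to the client.
  gen_keypair server_full "$SERVER_DN" "$WORK/server.p12" ServerP12
  SERVER_FP=$(export_cert server_full "$WORK/server.p12" ServerP12 "$WORK/server_pub.crt")
  # Client side: the same, mirrored.
  gen_keypair client_full "$CLIENT_DN" "$WORK/client.p12" ClientP12
  CLIENT_FP=$(export_cert client_full "$WORK/client.p12" ClientP12 "$WORK/client_pub.crt")
  # Exchange: each side trusts exactly the other side's certificate (no CA involved).
  import_trusted server_pub "$WORK/server_pub.crt" "$SERVER_FP" "$WORK/client.p12" ClientP12
  import_trusted client_pub "$WORK/client_pub.crt" "$CLIENT_FP" "$WORK/server.p12" ServerP12
}

# What an attacker on the transfer path could do: replace server_pub.crt with a
# self-signed certificate carrying the same CN. The fingerprint check must reject it.
prepare_substituted_cert() {
  gen_keypair rogue "CN=my.server.com, O=Not My Home, C=US" "$WORK/rogue.p12" RoguePw
  export_cert rogue "$WORK/rogue.p12" RoguePw "$WORK/rogue.crt" >/dev/null
}

if command -v keytool >/dev/null 2>&1; then
  prepare_both_sides
  prepare_substituted_cert
  echo "server store entries: $(count_entries "$WORK/server.p12" ServerP12)"
  echo "client store entries: $(count_entries "$WORK/client.p12" ClientP12)"
  if import_trusted server_pub "$WORK/rogue.crt" "$SERVER_FP" "$WORK/client.p12" ClientP12; then
    echo "BUG: substituted certificate was accepted" >&2; exit 1
  fi
  echo "substituted certificate rejected, stores are in $WORK"
else
  echo "keytool not found on PATH; install a JDK first" >&2
fi
```

Two caveats that the interactive transcript above hides. First, the listings show MD5 fingerprints because that is what that keytool version printed; when you compare fingerprints over the phone or in a ticket, use the SHA-256 value from "keytool -printcert" or "keytool -list -v". Second, passing "-storepass" and "-keypass" on the command line leaves the passwords in shell history and in the process list; keytool can read them from an environment variable or a file instead with the "-storepass:env" and "-storepass:file" forms. Keeping the private key entry and the trusted certificate in one store, as both the tutorial and this script do, is fine for a test, but for a real deployment keep the trust anchors in a separate truststore so they can be distributed without the private key.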

Last update: 2014.
