Research and study Notes on HTTPS, SSL, Certificates and Around it
SNI – Server Name Indication – Enables multiple certs on the one IP address
PKP – Public Key Pinning – Ensures a client will only accept predefined certs
SAN – Subject Alternative Name : combine multiple domain names on the one cert
PFS : Perfect Forward Secrecy : Protects past sessions against future key compromise
DNSSEC : Domain Name System Security Extensions – Protects against forged DNS records
DANE : DNS-Based Authentication of Named Entities – Specifies the cert or key a service must use, at the DNS level
CAA : Certificate Authority Authorization – Specifies which CAs are allowed to issue certs for the domain, at the DNS level
CRL : Certificate Revocation List – List of revoked certificates maintained by the CA
OCSP : Online Certificate Status Protocol : Online check with the CA of whether a given certificate has been revoked
PKP – Public Key Pinning : Ensures a client will only accept predefined certs. PKP:
- Defines which public keys are allowed
- Specifies the max age
- Defines whether it applies to subdomains
- Facilitates reporting of violations
SSL Labs
Extended validation certificates
HTTPS
Code :
https://github.com/zephyrdeveloper
Used this one : apache-tomcat-9.0.1.tar.gz
Finally this one worked : https://dzone.com/articles/setting-ssl-tomcat-5-minutes
All Concepts of Certificate :
Posted my doubt here :
Keytool Command to See the Certificate Contents : keytool -list -keystore sumitcert
Keytool Available Directory : /apache-tomcat-9.0.1/bin
Certificate Generation :
eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$ keytool -genkey -alias sumit -keyalg RSA -keystore sumitcert
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Sumit Arora
What is the name of your organizational unit?
  [Unknown]:  Japan
What is the name of your organization?
  [Unknown]:  Russia
What is the name of your City or Locality?
  [Unknown]:  Delhi
What is the name of your State or Province?
  [Unknown]:  Rohita
What is the two-letter country code for this unit?
  [Unknown]:  RA
Is CN=Sumit Arora, OU=Japan, O=Russia, L=Delhi, ST=Rohita, C=RA correct?
  [no]:  yes
Enter key password for <sumit>
	(RETURN if same as keystore password):
Re-enter new password:
eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$ ls
eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$ keytool -list -keystore sumitcert
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

sumit, 6 Oct, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 17:F4:0A:C2:2A:AA:B4:52:9C:0F:B1:FA:3C:6E:F9:4E:FC:87:B7:C5
eSumit@Sumits-MacBook-Pro:~/Documents/ApacheTomcat/Apache9-0/apache-tomcat-9.0.1/bin$
Configuration :
// See the Path of File
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true" enableLookups="false" maxThreads="25"
           port="8443" keystoreFile="/Users/eSumit/Documents/ApacheTomcat/Apache9-0/certdir/sumitcert.jks" keystorePass="sumit123"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLS" />
Or
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true" enableLookups="false" maxThreads="25"
           port="8443" keystoreFile="../certdir/sumitcert.jks" keystorePass="sumit123"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Remember the two different connector implementations in server.xml :
1. NIO implementation
2. APR/native implementation, which always uses OpenSSL for TLS
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation. The default
     SSLImplementation will depend on the presence of the APR/native
     library and the useOpenSSL attribute of the
     AprLifecycleListener.
     Either JSSE or OpenSSL style configuration may be used regardless of
     the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
Tomcat HTTPS :
http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
We only created a certificate file, not a private key?
Difference between KeyStore and TrustStore
http://javarevisited.blogspot.in/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html
How to make sure the Tomcat server works only over HTTPS, not over HTTP? A configuration change is required for that.
Keytool Commands Executions :
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l keyttol
ls: keyttol: No such file or directory
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l keytool
-rwxrwxr-x  1 root  wheel   101K Apr 10  2015 keytool*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l /usr/bin/keytool
lrwxr-xr-x  1 root  wheel    77B Dec 19  2016 /usr/bin/keytool@ -> /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls -l /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool
-rwxr-xr-x  1 root  wheel    57K Dec 13  2016 /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/keytool*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls
java*  jjs*  keytool*  orbd*  pack200*  policytool*  rmid*  rmiregistry*  servertool*  tnameserv*  unpack200*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ keytool -genkey -alias sumit -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/serverkey.jks
Enter keystore password:
keytool error: java.lang.Exception: Key pair not generated, alias already exists
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ keytool -genkey -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Sumit Arora
What is the name of your organizational unit?
  [Unknown]:  Sumit
What is the name of your organization?
  [Unknown]:  Sumit
What is the name of your City or Locality?
  [Unknown]:  Sumit
What is the name of your State or Province?
  [Unknown]:  Sumit
What is the two-letter country code for this unit?
  [Unknown]:  Su
Is CN=Sumit Arora, OU=Sumit, O=Sumit, L=Sumit, ST=Sumit, C=Su correct?
  [no]:  yes
Enter key password for <london>
	(RETURN if same as keystore password):
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ keytool -certreq -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks -file londonkey.csr
Enter keystore password:
keytool error: java.io.FileNotFoundException: londonkey.csr (Permission denied)
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ sudo keytool -certreq -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks -file londonkey.csr
Password:
Enter keystore password:
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ sudo keytool -export -alias london -file londonkey.crt -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks
Password:
Enter keystore password:
Certificate stored in file
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ ls
java*  keytool*       londonkey.csr  pack200*     rmid*         servertool*  unpack200*
jjs*   londonkey.crt  orbd*          policytool*  rmiregistry*  tnameserv*
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ sudo keytool -import -alias london -keystore ../lib/security/cacert -trustcacerts -file londonkey.crt
Password:
Enter keystore password:
Re-enter new password:
Owner: CN=Sumit Arora, OU=Sumit, O=Sumit, L=Sumit, ST=Sumit, C=Su
Issuer: CN=Sumit Arora, OU=Sumit, O=Sumit, L=Sumit, ST=Sumit, C=Su
Serial number: 7b5df08c
Valid from: Sat Oct 07 21:55:51 IST 2017 until: Fri Jan 05 21:55:51 IST 2018
Certificate fingerprints:
	 MD5:  EC:31:D2:27:57:73:90:9A:C7:EC:C7:B0:E1:2C:5F:5C
	 SHA1: 93:82:A0:7F:D6:8C:8B:56:DB:FE:F8:9B:8A:FA:DD:FF:3F:70:3F:9A
	 SHA256: 5C:08:A1:AC:A0:CD:10:68:57:CC:DF:80:02:EB:B2:1D:89:FB:5D:5B:92:C4:46:EA:79:BE:F4:D4:7C:28:E1:1B
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0D EE A4 E6 BC C3 B1 6A 52 B4 59 7B 7E C9 51 BD  .......jR.Y...Q.
0010: B1 D1 E1 1D                                      ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
eSumit@Sumits-MacBook-Pro:/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/bin$ where openssl
-bash: where: command not found
Basics:
Difference between HTTPS and SSL
https://stackoverflow.com/questions/6093430/difference-between-https-and-ssl?rq=1
Apache Web-Server SSL Authentication
https://linuxconfig.org/apache-web-server-ssl-authentication
Disable Certificate Validation in Java SSL Connections
http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/
KeyTool Commands :
keytool -genkey -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks
keytool -certreq -alias london -keyalg RSA -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks -file londonkey.csr
keytool -export -alias london -file londonkey.crt -keystore /Users/eSumit/Documents/KeyToolKeys/NewKeys/londonkey.jks
CSR means Certificate Signing Request
http://hc.apache.org/httpclient-3.x/sslguide.html
Important : Java client certificates over HTTPS/SSL
https://stackoverflow.com/questions/875467/java-client-certificates-over-https-ssl
https://alvinalexander.com/blog/post/java/simple-https-example
http://www.java-samples.com/showtutorial.php?tutorialid=1343
https://dzone.com/articles/mutual-problems
https://github.com/AndrewStoliarov/HttpsClient/blob/master/src/module/HttpsClient.java
https://github.com/zmacdonald/HttpsClient/blob/master/src/HttpsClient.java
http://www.herongyang.com/JDK/HTTPS-Client-Test-Program-HttpsClient.html
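The Java client those links describe, as an added example (not code from these notes or from any of the linked projects): it trusts the server's self-signed cert by loading the exported .crt from its own JKS truststore instead of disabling certificate validation, and can also present a client cert from a keystore when the Tomcat connector has clientAuth="true". The file name clienttrust.jks and the password changeit are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: HTTPS client whose trust is limited to the certs in one JKS truststore
// (who we trust). The keystore (who we are) is optional and only needed for mutual TLS.
public class TrustStoreHttpsClient {

    static KeyStore loadJks(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // keystore may be null: then no client certificate is presented.
    static SSLContext buildContext(String truststore, String keystore, char[] pass) throws Exception {
        // TrustManager: accept only chains ending in a cert from our truststore, so the
        // self-signed server cert is trusted without turning validation off globally.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststore, pass));
        // KeyManager: our own cert + private key, sent only if the server asks for it.
        KeyManagerFactory kmf = null;
        if (keystore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(keystore, pass), pass);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file: clienttrust.jks holds the exported londonkey.crt, created with
        // keytool -import -alias london -file londonkey.crt -keystore clienttrust.jks
        SSLContext ctx = buildContext("clienttrust.jks", null, "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default hostname verifier stays on: the server cert's CN/SAN must match "localhost".
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
    }
}
```

Hostname verification is deliberately left on, so the londonkey cert above (CN=Sumit Arora) will be rejected for https://localhost:8443 until the server key pair is regenerated with a matching name, e.g. keytool -genkey ... -ext SAN=dns:localhost.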
More important material on Apache CXF (Java)
https://radu.cotescu.com/java-https-rest-services-apache-cxf/