Wednesday, January 12, 2011

OPENSSL

OpenSSL basics
  •  OpenSSL is an open source implementation of the SSL and TLS protocols.
  •  OpenSSL includes a command line utility that can be used to perform a variety of cryptographic functions, such as creating digital certificates and digital signatures.
  •  OpenSSL is available from the OpenSSL Project at http://www.openssl.org/

Installation and configuration
  •  Download and install the latest version of OpenSSL.
     http://www.brothersoft.com/openssl-27429.html
  •  Add the bin directory to the PATH environment variable, or run ‘openssl.exe’ directly from the bin directory.
  •  Then go to the bin directory and create a folder, here named “mycerts”, to store all the created certificates.
  •  Copy ‘bin/openssl.cfg’ into the ‘mycerts’ directory and rename it, here to openssl.myca.cfg.

Steps to create digital certificates with openssl:

  1. Create the Certificate Authority’s (CA) certificate
We will use this to sign other certificate signing requests.

openssl req -config mycerts/openssl.myca.cfg -new -x509 -extensions v3_ca -keyout mycerts/myca.key -out mycerts/myca.crt -days 365

This creates a self-signed certificate with the default CA extensions (the v3_ca section of the config) which is valid for 1 year. You will be prompted for a passphrase for your CA’s private key, and then for some information about the CA (its subject name fields).

  2. Now create the user certificate request and private key
openssl req -config mycerts/openssl.myca.cfg -new -nodes -keyout mycerts/usercert1.key -out mycerts/usercert1.csr -days 365

The -nodes option is needed so that the private key is written without passphrase protection.
You will then be prompted for some information about the user.
  3. Sign the user certificate request with the CA certificate
 A) Configuration required in OpenSSL to sign a certificate request

Create the following files in the ‘bin/mycerts’ directory:
    •  index.txt
    •  ca.srl: edit this file and write the serial number as ‘01’
    •  Some modifications to ‘mycerts/openssl.myca.cfg’ are mandatory. [Screenshots in the original post show the default openssl.myca.cfg and the modified openssl.myca.cfg, with the changed part underlined in red; they are not reproduced here.]
           
Then sign the user certificate request using the modified openssl.myca.cfg with the following command.

openssl ca -config mycerts/openssl.myca.cfg -policy policy_anything -out mycerts/usercert1.crt -infiles mycerts/usercert1.csr

  4. Convert the .crt format to PKCS12 (.p12) format
To include the entire certificate chain in the output, add the -chain option and provide the path to the CA certificate file with -CAfile.

openssl pkcs12 -export -chain -in mycerts/usercert1.crt -inkey mycerts/usercert1.key -out mycerts/usercert1.p12 -CAfile mycerts/myca.crt

  5. Add certificate chaining to a Java keystore (.jks)
JKS conversion using Jetty
A)  Download jetty.jar from

B)  Save it on a drive, for example in C:\conversion

C)  Place your PKCS12 format file in the same folder

D)  Now open a command prompt in that directory

E)  Run the following command to import the certificate chain into the JKS.
Enter the password of the .p12 file and a password for the output keystore when prompted.

java -classpath .;org.mortbay.jetty.jar org.mortbay.util.PKCS12Import usercert1.p12 mynewjks.jks

  6. Revoke a user certificate
 A.  Configuration required in OpenSSL to revoke a user certificate
       Create the file crl.srl under the mycerts directory, edit it and write the serial number as ‘01’.
       Some modifications in openssl.myca.cfg are mandatory. [Shown as a screenshot in the original post, not reproduced here.]

 B.  Revoke the user certificate
       openssl ca -config mycerts/openssl.myca.cfg -revoke mycerts/usercert1.crt

 C.  Then generate the CRL
       openssl ca -config mycerts/openssl.myca.cfg -gencrl -out mycerts/myca.crl
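As an added example (not code from the original post), the following script runs the whole procedure above non-interactively in a scratch directory and checks the outcome with openssl verify: the signed user certificate must validate against the CA, and must be rejected once it appears on the CRL. The config it writes is an assumption standing in for the post's screenshots of openssl.myca.cfg; the CA passphrase, subject names and directory are constructed.

```shell
# Added example (not the post's own): the CA flow above, run non-interactively
# in a scratch directory and checked with 'openssl verify'. The config below is
# an assumption standing in for the post's openssl.myca.cfg screenshots.
set -eu
write_myca_cfg() {   # $1 = the mycerts directory holding index.txt, ca.srl, crl.srl
  cat <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
serial = \$dir/ca.srl
crlnumber = \$dir/crl.srl
new_certs_dir = \$dir
certificate = \$dir/myca.crt
private_key = \$dir/myca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
[ policy_anything ]
commonName = supplied
EOF
}
# Runs the whole flow in $1 and prints "before=OK after=REVOKED" when the signed
# certificate verifies against the CA and is rejected once it appears on the CRL.
ca_flow() {
  d=$1; cfg=$d/openssl.myca.cfg; pw=pass:changeit   # constructed CA passphrase
  mkdir -p "$d"; : > "$d/index.txt"; echo 01 > "$d/ca.srl"; echo 01 > "$d/crl.srl"
  write_myca_cfg "$d" > "$cfg"
  openssl req -config "$cfg" -new -x509 -extensions v3_ca -subj /CN=myca -days 365 \
    -passout "$pw" -keyout "$d/myca.key" -out "$d/myca.crt" 2>/dev/null
  openssl req -config "$cfg" -new -nodes -subj /CN=usercert1 \
    -keyout "$d/usercert1.key" -out "$d/usercert1.csr" 2>/dev/null
  openssl ca -config "$cfg" -batch -passin "$pw" -policy policy_anything \
    -out "$d/usercert1.crt" -infiles "$d/usercert1.csr" 2>/dev/null
  openssl verify -CAfile "$d/myca.crt" "$d/usercert1.crt" >/dev/null 2>&1 && b=OK || b=FAIL
  openssl ca -config "$cfg" -passin "$pw" -revoke "$d/usercert1.crt" 2>/dev/null
  openssl ca -config "$cfg" -passin "$pw" -gencrl -out "$d/myca.crl" 2>/dev/null
  openssl verify -crl_check -CAfile "$d/myca.crt" -CRLfile "$d/myca.crl" \
    "$d/usercert1.crt" >/dev/null 2>&1 && a=OK || a=REVOKED
  echo "before=$b after=$a"
}
```

Run it as `ca_flow "$(mktemp -d)"`; the second verify fails only because of -crl_check, which is the check a relying party must enable for the CRL from step 6 to have any effect.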
   
Reference : 

1 comment:

  1. This one is really a good blog to understand OpenSSL...nice job
