Signing Certificates


Tim Wong

I'm running a development WebLogic server and have set up both the
server Identity and trust keystores. However... I would like to
configure my WL server to (Request and Enforce Client Certificates).

Does anyone know how to use either the SUN keytool or weblogic
utils.CertGen to use a CSR to generate a certificate that a test client
can import into his/her browser?

Thanks...
 

Roedy Green

Tim Wong said:
I'm running a development WebLogic server and have set up both the
server Identity and trust keystores. However... I would like to
configure my WL server to (Request and Enforce Client Certificates).

This is the first time I have heard of client SSL certs.

What is unusual about your application that requires them?
 

Kenneth P. Turvey

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Roedy said:
This is the first time I have heard of client SSL certs.

What is unusual about your application that requires them?

They are for secure authentication. I'm not the OP so I can't answer the
specific question.

- --
Kenneth P. Turvey <[email protected]>

Currently seeking employment as a Java developer in the St. Louis area.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD4DBQFDC+qK3naBnF2rJNURAvBtAJY6naqvc62PHF6uzSbSl8RdXK4jAKCP97ZH
bOFihF2VUCkg9rMLa8JEyg==
=pXgl
-----END PGP SIGNATURE-----
 

Roedy Green

Kenneth P. Turvey said:
They are for secure authentication. I'm not the OP so I can't answer the
specific question.

If that is so, he has to get the clients to generate private keys and
send him the cert requests containing only the private key. He signs
them and sends them back. He is acting like a miniature CA.

If this is for secure authentication, you don't want to be emailing
certs around complete with private and public key.

My experience is with code signing certs, but principles should be the
same.

There is a little information in the book Digital Certificates:
Applied Internet Security at
http://mindprod.com/jgloss/certificate.html#LEARNINGMORE about client
authorisation SSL, and how you can get Verisign to generate test certs
for you.

I don't see any sign of SSL certificate support in JCE either in Sun's
or BouncyCastle. However, there is Diffie Hellman and DES.

Further I don't see anything about keystore support for something that
holds SSL certs.

However, I found some SSL support in
http://jce.iaik.tugraz.at/products/index.php
which is a commercial suite of JCE providers.

Perhaps this is why CAs can get away with charging such outrageous
prices for SSL certs.
 

Tim Wong

I guess I am using the incorrect terminology.

What I am trying to do is set up Client Authentication via 2-Way SSL on
WebLogic.

E.g., a client hits my web server https://www.123test.com. The server
presents its cert saying who it is. Afterwards it asks the client for
his/her cert (this is what I was referring to when I said client cert)
in order for this person to access the website. If the client's
certificate (I guess this is a personal certificate in IE when you
click on "Internet Options" -> "Content" -> "Certificates...") was
issued by a CA that is in the WebLogic Server's CA trust
keystore... they should be allowed to access the site.

What I am asking for is if SUN's keytool (or another free app) can
generate both a CA cert (self-signed cert, I'm guessing?) and sign
certs based upon the CA cert for a client. I would only be using
these certs for testing...

Thanks
 

Rogan Dawes

Tim said:
I guess I am using the incorrect terminology.

What I am trying to do is set up Client Authentication via 2-Way SSL on
WebLogic.

E.g., a client hits my web server https://www.123test.com. The server
presents its cert saying who it is. Afterwards it asks the client for
his/her cert (this is what I was referring to when I said client cert)
in order for this person to access the website. If the client's
certificate (I guess this is a personal certificate in IE when you
click on "Internet Options" -> "Content" -> "Certificates...") was
issued by a CA that is in the WebLogic Server's CA trust
keystore... they should be allowed to access the site.

What I am asking for is if SUN's keytool (or another free app) can
generate both a CA cert (self-signed cert, I'm guessing?) and sign
certs based upon the CA cert for a client. I would only be using
these certs for testing...

Thanks

Easiest is probably to use OpenSSL, and one of the "easy CA" tools. e.g.
see FreshMeat

http://freshmeat.net/search/?q=certificate&section=projects&Go.x=0&Go.y=0

I would suggest 1,2,5,7,10,11,12,13,17 all offer something . . .

Regards,

Rogan
 

Rogan Dawes

Roedy said:
This is the first time I have heard of client SSL certs.

Client side certs allow for mutual authentication - i.e. the server
identifies itself to the client, and the client identifies itself to the
server. This is significantly stronger than any username and password
could ever be, simply because of the amount of randomness in the private
key (1024/2048/4096 bits)

WebScarab supports using client side certs for authentication to "highly
secure" web servers. See:

<http://cvs.sourceforge.net/viewcvs....tpclient/URLFetcher.java?rev=1.32&view=markup>

and

<http://cvs.sourceforge.net/viewcvs....lient/HTTPClientFactory.java?rev=1.4&view=log>

for references to SSLContext.

Rogan
 

Roedy Green

Tim Wong said:
What I am asking for is if SUN's keytool (or another free app) can
generate both a CA cert (self-signed cert, I'm guessing?) and sign
certs based upon the CA cert for a client. I would only be using
these certs for testing...

If you plan to get real certs for the clients in the end, it is
probably easiest just to go to the Verisign site and get some free test
client certs. They used to have them in 1999. I have not looked
recently.

As I said earlier, I saw no sign of SSL support in free JCE providers,
but there was some in the commercial IAIK provider.
 

Dag Sunde

Roedy Green said:
If you plan to get real certs for the clients in the end, it is
probably easiest just to go to the Verisign site and get some free test
client certs. They used to have them in 1999. I have not looked
recently.

As I said earlier, I saw no sign of SSL support in free JCE providers,
but there was some in the commercial IAIK provider.

Download OpenSSL, the Un*x tool. It can (among other things)
be used to create your CA cert to use for signing your test certs.

If you're on a Un*x box you have it already; if not, download
Cygwin and be sure to check off OpenSSL during the
installation.

See these two pages for step-by-step instructions:
http://eal.us/blog/_archives/2003/6/2/25109.html
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
 

Kenneth P. Turvey

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Roedy said:
If you plan to get real certs for the clients in the end, it is
probably easiest just to go to the Verisign site and get some free test
client certs. They used to have them in 1999. I have not looked
recently.

I know that Thawte deals in them. They would probably be willing to provide
you with one for testing if you emailed them.

- --
Kenneth P. Turvey <[email protected]>

Currently seeking employment as a Java developer in the St. Louis area.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFDDcFn3naBnF2rJNURAozpAJ9CPa3oBSSiTKeISLuzP9KeQIDDnwCdETHj
OWIXeHKZ2ieo1QmY51uAz1Y=
=GyHZ
-----END PGP SIGNATURE-----
 

Kenneth P. Turvey

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dag said:
If you're on a Un*x box you have it already; if not, download
Cygwin and be sure to check off OpenSSL during the
installation.

This isn't technically true. If you have a Un*x box you might have it
already. You might not. If you don't you can download and install OpenSSL
fairly quickly. Do a search for OpenSSL.

- --
Kenneth P. Turvey <[email protected]>

Currently seeking employment as a Java developer in the St. Louis area.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFDDcHj3naBnF2rJNURArGHAJ48uatgj8yvGbD9sbtRytTPxNzW7wCgxniZ
/A3x3kCkIA+CutNKl3TjulE=
=ej+F
-----END PGP SIGNATURE-----
 

Greg Stark

Your terminology was fine.

The JDK (at least JDK 5.0) has full support for 2-way authenticated
SSL using certificates.

It does not appear that keytool can sign CSRs. It can generate
self-signed certificates. These may or may not be adequate for doing
your testing; it depends on the specifics of configuring your SSL
server. I would guess that the answer is yes: have the clients generate
self-signed certificates (with distinct DNs) and then export them from
the clients and import them into the SSL server as trusted certs.

If not, then I would recommend using openssl as a CA.
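As an added example that is not part of the thread (and not WebLogic's, OpenSSL's or the JDK's own tooling), here is the OpenSSL route that Rogan, Dag and Greg point to, carried through end to end: a throw-away test CA, a client key and CSR, the signed client certificate bundled as PKCS#12 for import into a browser, the CA certificate imported into a JKS trust keystore with keytool, and a verification step showing that a certificate issued by a different CA does not chain to the trusted one. Every name (testca, otherca, alice, bob), the 30-day validity and the password changeit are constructed for this example; the only assumption about the environment is an openssl binary (1.1.1 or later) on PATH, with keytool optional.

```shell
#!/bin/sh
# Added example, not code from the thread: a throw-away test CA built with
# OpenSSL that signs a client certificate a browser can import, plus a check
# that only certificates chaining to that CA pass verification.
# Assumptions: openssl 1.1.1+ on PATH; all names and passwords are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Own req config, so nothing depends on the system openssl.cnf, and the
# extension profiles for a CA certificate and a client-auth certificate.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed CA. Only NAME.crt is handed out (to the server's
# trust keystore); NAME.key stays with whoever does the signing.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "/CN=$1 (test only)" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/openssl.cnf" -extensions ca_ext -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA USER: the client makes its own key and a CSR (which carries
# only the public key); the CA signs the CSR and hands back the certificate.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions client_ext \
        -out "$WORK/$2.crt" 2>/dev/null
    # PKCS#12 (key + cert + issuing CA) is the form IE/Firefox import.
    openssl pkcs12 -export -inkey "$WORK/$2.key" -in "$WORK/$2.crt" \
        -certfile "$WORK/$1.crt" -name "$2" -passout pass:changeit -out "$WORK/$2.p12"
}

# verify_client CA USER: does USER's certificate chain to CA? This is the
# decision the server takes against its trust keystore in the handshake.
verify_client() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# client_cert_cn USER: subject of the issued certificate, e.g. "CN=alice".
client_cert_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# is_client_auth_cert USER: was the clientAuth extended key usage applied?
is_client_auth_cert() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "TLS Web Client Authentication"
}

# import_trust_anchor CA KEYSTORE: put the CA certificate (never its key) into
# a JKS trust keystore; optional, skipped when the JDK's keytool is absent.
import_trust_anchor() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping"; return 0; }
    keytool -importcert -noprompt -alias "$1" -file "$WORK/$1.crt" \
        -keystore "$WORK/$2" -storepass changeit >/dev/null 2>&1 \
        || echo "keytool import failed, continuing"
}

build_test_pki() {
    make_ca testca && make_ca otherca
    issue_client testca alice && issue_client otherca bob
    import_trust_anchor testca trust.jks
}

build_test_pki
echo "alice ($(client_cert_cn alice)) chains to testca: $(verify_client testca alice && echo yes || echo no)"
echo "bob ($(client_cert_cn bob)) chains to testca: $(verify_client testca bob && echo yes || echo no)"
```

Run it with sh; everything lands in a temporary directory (override with WORK=...). Only testca.crt goes into the server's trust keystore and testca.key stays with the signer, while the client's private key never leaves the client: the CSR carries the public key, and that is what the CA's signature covers. The negative result for bob is the property 2-way SSL rests on: a client certificate is accepted because it chains to a CA in the trust keystore, not because it is a well-formed certificate. The JKS file produced here is the kind of trust store JSSE (javax.net.ssl, part of the JDK since 1.4) loads through TrustManagerFactory.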
 

Roedy Green

Greg Stark said:
The JDK (at least JDK 5.0) has full support for 2-way authenticated
SSL using certificates.

What packages/classes are involved? I gather this is separate from
JCE.
 
