Signing Certificates

Discussion in 'Java' started by Tim Wong, Aug 23, 2005.

  1. Tim Wong Guest

    I'm running a development weblogic server and have set up both the
    server Identity and trust keystores. However...I would like to
    configure my WL server to (Request and Enforce Client Certificates).

    Does anyone know how to use either the SUN keytool or weblogic
    utils.CertGen to use a CSR to generate a certificate that a test client
    can import into his/her browser?

    Thanks...
    Tim Wong, Aug 23, 2005
    #1

  2. Roedy Green Guest

    On 23 Aug 2005 11:24:44 -0700, "Tim Wong" <>
    wrote or quoted :

    >I'm running a development weblogic server and have set up both the
    >server Identity and trust keystores. However...I would like to
    >configure my WL server to (Request and Enforce Client Certificates).


    this is the first time I have heard of client SSL certs.

    What is unusual about your application that requires them?
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com
    Roedy Green, Aug 23, 2005
    #2

  3. Kenneth P. Turvey

    Roedy Green wrote:

    > this is the first time I have heard of client SSL certs.
    >
    > What is unusual about your application that requires them?


    They are for secure authentication. I'm not the OP so I can't answer the
    specific question.

    --
    Kenneth P. Turvey <>

    Currently seeking employment as a Java developer in the St. Louis area.
    Kenneth P. Turvey, Aug 24, 2005
    #3
  4. Roedy Green Guest

    On Wed, 24 Aug 2005 03:33:19 +0000, "Kenneth P. Turvey"
    <> wrote or quoted :

    >They are for secure authentication. I'm not the OP so I can't answer the
    >specific question.


    If that is so, he has to get the clients to generate private keys and
    send him the cert requests containing only the private key. He signs
    them and sends them back. He is acting like a miniature CA.

    If this is for secure authentication, you don't want to be emailing
    certs around complete with private and public key.

    My experience is with code signing certs, but principles should be the
    same.

    There is a little information in the book Digital Certificates:
    Applied Internet Security at
    http://mindprod.com/jgloss/certificate.html#LEARNINGMORE about client
    authorisation SSL, and how you can get Verisign to generate test certs
    for you.

    I don't see any sign of SSL certificate support in JCE either in Sun's
    or BouncyCastle. However, there is Diffie-Hellman and DES.

    Further I don't see anything about keystore support for something that
    holds SSL certs.

    However, I found some SSL support in
    http://jce.iaik.tugraz.at/products/index.php
    which is a commercial suite of JCE providers.

    Perhaps this is why CAs can get away with charging such outrageous
    prices for SSL certs.

    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com
    Roedy Green, Aug 24, 2005
    #4
  5. Tim Wong Guest

    I guess I am using the incorrect terminology.

    What I am trying to do is set up Client Authentication via 2-Way SSL on
    weblogic.

    E.G. - A client hits my webserver https://www.123test.com. The server
    presents its cert saying who it is. Afterwards it asks the client for
    his/her cert (this is what I was referring to when I said client cert)
    in order for this person to access the website. If the client's
    certificate (I guess this is a personal certificate in IE when you
    click on "Internet Options" -> "Content" -> "Certificates...") was
    issued by a CA that is in the Weblogic Server's CA trust
    keystore....they should be allowed to access the site.

    What I am asking for is if SUN's keytool (or another free app) can
    generate both a CA Cert (self signed cert I'm guessing?) and sign
    certs based upon the CA cert for a client. I would only be using
    these certs for testing.....

    Thanks
    Tim Wong, Aug 24, 2005
    #5
  6. Rogan Dawes Guest

    Tim Wong wrote:
    > I guess I am using the incorrect terminology.
    >
    > What I am trying to do is set up Client Authentication via 2-Way SSL on
    > weblogic.
    >
    > E.G. - A client hits my webserver https://www.123test.com. The server
    > presents its cert saying who it is. Afterwards it asks the client for
    > his/her cert (this is what I was referring to when I said client cert)
    > in order for this person to access the website. If the client's
    > certificate (I guess this is a personal certificate in IE when you
    > click on "Internet Options" -> "Content" -> "Certificates...") was
    > issued by a CA that is in the Weblogic Server's CA trust
    > keystore....they should be allowed to access the site.
    >
    > What I am asking for is if SUN's keytool (or another free app) can
    > generate both a CA Cert (self signed cert I'm guessing?) and sign
    > certs based upon the CA cert for a client. I would only be using
    > these certs for testing.....
    >
    > Thanks
    >


    Easiest is probably to use OpenSSL, and one of the "easy CA" tools. e.g.
    see FreshMeat

    http://freshmeat.net/search/?q=certificate&section=projects&Go.x=0&Go.y=0

    I would suggest 1,2,5,7,10,11,12,13,17 all offer something . . .

    Regards,

    Rogan
    Rogan Dawes, Aug 24, 2005
    #6
  7. Rogan Dawes Guest

    Roedy Green wrote:
    > On 23 Aug 2005 11:24:44 -0700, "Tim Wong" <>
    > wrote or quoted :
    >
    >
    >>I'm running a development weblogic server and have set up both the
    >>server Identity and trust keystores. However...I would like to
    >>configure my WL server to (Request and Enforce Client Certificates).

    >
    >
    > this is the first time I have heard of client SSL certs.


    Client side certs allow for mutual authentication - i.e. the server
    identifies itself to the client, and the client identifies itself to the
    server. This is significantly stronger than any username and password
    could ever be, simply because of the amount of randomness in the private
    key (1024/2048/4096 bits).

    WebScarab supports using client side certs for authentication to "highly
    secure" web servers. See:

    <http://cvs.sourceforge.net/viewcvs.py/owasp/webscarab/src/org/owasp/webscarab/httpclient/URLFetcher.java?rev=1.32&view=markup>

    and

    <http://cvs.sourceforge.net/viewcvs.py/owasp/webscarab/src/org/owasp/webscarab/httpclient/HTTPClientFactory.java?rev=1.4&view=log>

    for references to SSLContext.

    Rogan
    Rogan Dawes, Aug 24, 2005
    #7
  8. Roedy Green Guest

    On 24 Aug 2005 07:02:56 -0700, "Tim Wong" <>
    wrote or quoted :

    >What I am asking for is if SUN's keytool (or another free app) can
    >generate both a CA Cert (self signed cert I'm guessing?) and sign
    >certs based upon the CA cert for a client. I would only be using
    >these certs for testing.....


    If you plan to get real certs for the clients in the end, it is
    probably easiest just to go to the Verisign site and get some free test
    client certs. They used to have them in 1999. I have not looked
    recently.

    As I said earlier I saw no sign of SSL support in free JCE providers,
    but there was some in the commercial IAIK provider.
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com
    Roedy Green, Aug 25, 2005
    #8
  9. Dag Sunde Guest

    "Roedy Green" <> wrote in message
    news:...
    > On 24 Aug 2005 07:02:56 -0700, "Tim Wong" <>
    > wrote or quoted :
    >
    >>What I am asking for is if SUN's keytool (or another free app) can
    >>generate both a CA Cert (self signed cert I'm guessing?) and sign
    >>certs based upon the CA cert for a client. I would only be using
    >>these certs for testing.....

    >
    > If you plan to get real certs for the clients in the end, it is
    > probably easiest just to go to the Verisign site and get some free test
    > client certs. They used to have them in 1999. I have not looked
    > recently.
    >
    > As I said earlier I saw no sign of SSL support in free JCE providers,
    > but there was some in the commercial IAIK provider.


    Download OpenSSL. The Un*x tool. It can (among other things)
    be used to create your CA cert to use for signing your test certs.

    If you're on a Un*x box you have it already, if not, download
    CygWin and be sure to check off OpenSSL during the
    installation.

    See these two pages for step-by-step instructions:
    http://eal.us/blog/_archives/2003/6/2/25109.html
    http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html

    --
    Dag.
    Dag Sunde, Aug 25, 2005
    #9
  10. Kenneth P. Turvey

    Roedy Green wrote:

    > If you plan to get real certs for the clients in the end, it is
    > probably easiest just to go to the Verisign site and get some free test
    > client certs. They used to have them in 1999. I have not looked
    > recently.


    I know that Thawte deals in them. They would probably be willing to provide
    you with one for testing if you emailed them.

    --
    Kenneth P. Turvey <>

    Currently seeking employment as a Java developer in the St. Louis area.
    Kenneth P. Turvey, Aug 25, 2005
    #10
  11. Kenneth P. Turvey

    Dag Sunde wrote:

    > If you're on a Un*x box you have it already, if not, download
    > CygWin and be sure to check off OpenSSL during the
    > installation.


    This isn't technically true. If you have a Un*x box you might have it
    already. You might not. If you don't you can download and install OpenSSL
    fairly quickly. Do a search for OpenSSL.

    --
    Kenneth P. Turvey <>

    Currently seeking employment as a Java developer in the St. Louis area.
    Kenneth P. Turvey, Aug 25, 2005
    #11
  12. Greg Stark Guest

    Your terminology was fine.

    The JDK (at least JDK 5.0) has full support for 2-way authenticated
    SSL using certificates.

    It does not appear that keytool can sign CSRs. It can generate
    self-signed certificates. These may or may not be adequate for doing
    your testing; it depends on the specifics of configuring your SSL
    server. I would guess that the answer is yes, have the clients generate
    self-signed certificates (with distinct DNs) and then export them from
    the clients and import them into the SSL server as trusted certs.

    If not, then I would recommend using openssl as a CA.
    Greg Stark, Aug 28, 2005
    #12
  13. Roedy Green Guest

    On 28 Aug 2005 08:54:01 -0700, "Greg Stark" <> wrote
    or quoted :

    >The JDK (at least JDK 5.0) has full support for 2-way authenticated
    >SSL using certificates.


    what packages/classes are involved? I gather this is separate from
    JCE.
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com Again taking new Java programming contracts.
    Roedy Green, Aug 31, 2005
    #13
  14. Greg Stark Guest

    Greg Stark, Sep 1, 2005
    #14
