JDK Tutorials - Herong's Tutorial Examples - Version 6.02, by Dr. Herong Yang
Preparing Certificates for Client Authentication
This section provides a tutorial example on how to prepare keys and certificates for the server and the client for an SSL client authentication test.
JDK "keytool" is a good tool to generate and manage certificates, so I will use "keytool" to generate and manage "full" and "public" certificates for both server and client sides. A "full" certificate here means a keystore entry holding the private key together with its self-signed certificate (a keyEntry); a "public" certificate means the exported certificate alone, with no private key, which is what gets handed to the other side (and becomes a trustedCertEntry once imported). Let's see what I did on the server side first:
>keytool -genkey -alias server_full -keypass ServerKey
   -keystore server.jks -storepass ServerJKS
What is your first and last name?
  [Unknown]:  my.server.com
What is the name of your organizational unit?
  [Unknown]:  My Unit
What is the name of your organization?
  [Unknown]:  My Home
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My State...
  [no]:  yes

>keytool -export -alias server_full -file server_pub.crt
   -keystore server.jks -storepass ServerJKS
Certificate stored in file <server_pub.crt>

>"send server_pub.crt to the client side..."
At this moment, the server's "full" certificate is ready and stored in server.jks. The server's "public" certificate is also ready and stored in server_pub.crt. Next, let's see what I did on the client side:
>keytool -genkey -alias client_full -keypass ClientKey
   -keystore client.jks -storepass ClientJKS
What is your first and last name?
  [Unknown]:  my.client.com
What is the name of your organizational unit?
  [Unknown]:  My Unit
What is the name of your organization?
  [Unknown]:  My Home
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My State...
  [no]:  yes

>keytool -export -alias client_full -file client_pub.crt
   -keystore client.jks -storepass ClientJKS
Certificate stored in file <client_pub.crt>

>"send client_pub.crt to the server side..."

>"receive server_pub.crt from the server side..."

>keytool -import -alias cerver_pub -file server_pub.crt
   -keystore client.jks -storepass ClientJKS
Owner: CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My S...
Issuer: CN=my.server.com, OU=My Unit, O=My Home, L=My City, ST=My ...
......
Trust this certificate? [no]:  yes
Certificate was added to keystore

>keytool -list -keystore client.jks -storepass ClientJKS
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

client_full, Jul 1, 2014, keyEntry,
Certificate fingerprint (MD5): 53:5F:62:00:4A:5F:0E:DC:1A:8F:4B:8E...
cerver_pub, Jul 1, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 34:71:CD:2F:E8:D9:32:57:34:61:46:4C...
At this moment, the client's "full" certificate is ready and stored in client.jks. The client's "public" certificate is also ready and stored in client_pub.crt. The server's "public" certificate has also been added to client.jks as a trusted certificate (I typed the alias as "cerver_pub"; an alias is only a local label inside the keystore, so the misspelling does not affect the test). Note that the MD5 fingerprint shown in the listing is what lets you confirm that the certificate you imported is the one the other side exported: compare it against the fingerprint of server_pub.crt as listed on the server side. Next, I have to go to the server side and add the client's "public" certificate:
>keytool -import -alias client_pub -file client_pub.crt
   -keystore server.jks -storepass ServerJKS
Owner: CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My S...
Issuer: CN=my.client.com, OU=My Unit, O=My Home, L=My City, ST=My ...
......
Trust this certificate? [no]:  yes
Certificate was added to keystore

>keytool -list -keystore server.jks -storepass ServerJKS
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

server_full, Jul 1, 2014, keyEntry,
Certificate fingerprint (MD5): 34:71:CD:2F:E8:D9:32:57:34:61:46:4C...
client_pub, Jul 1, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 53:5F:62:00:4A:5F:0E:DC:1A:8F:4B:8E...
The MD5 fingerprints match in both directions: server_full in server.jks and cerver_pub in client.jks are the same certificate (34:71:CD:...), and client_full in client.jks and client_pub in server.jks are the same certificate (53:5F:62:...). Each side now holds its own private key plus the other side's certificate as a trust anchor, which is all that mutual (client and server) authentication of two self-signed certificates requires. Two caveats for anything beyond a local test: the commands above accept keytool's defaults for key algorithm, key size and validity (90 days), so specify -keyalg, -keysize and -validity explicitly in real deployments, and compare SHA-256 rather than MD5 fingerprints when verifying an exchanged certificate. I think I am ready to perform an SSL communication with both server and client authentication. What do you think?
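The same preparation, scripted end to end, as an added example that is not part of the original tutorial. It runs the two keytool steps per side non-interactively (-dname instead of the prompts, the current -genkeypair/-exportcert/-importcert spellings), pins the algorithm, key size and validity instead of taking keytool's defaults, uses PKCS12 stores, and keeps each side's trust anchor in a separate trust store rather than next to its private key. It then checks that what each side imported carries the SHA-256 fingerprint of what the other side exported. It assumes a JDK 8 or later keytool on PATH; the WORK directory, store names (server.p12, client_trust.p12 and so on) and the ServerJKS/ClientJKS passwords are placeholders for this example, not the tutorial's files.

```shell
#!/bin/sh
# Added example: non-interactive server/client certificate preparation with keytool.
# Assumption: keytool (JDK 8+) is on PATH; WORK is a writable scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a self-signed RSA key pair for one side and export its public
# certificate. Passwords on the command line are for this test only; in real
# use feed them with -storepass:file or let keytool prompt.
gen_keypair() {
    side="$1"; cn="$2"; pass="$3"
    rm -f "$WORK/${side}.p12" "$WORK/${side}_pub.crt"
    keytool -genkeypair -alias "${side}_full" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
        -dname "CN=${cn}, OU=My Unit, O=My Home, L=My City, ST=My State, C=US" \
        -keystore "$WORK/${side}.p12" -storetype PKCS12 \
        -storepass "$pass" -keypass "$pass"
    # "public" certificate: the certificate alone, no private key
    keytool -exportcert -alias "${side}_full" -file "$WORK/${side}_pub.crt" \
        -keystore "$WORK/${side}.p12" -storepass "$pass"
}

# Import the peer's public certificate as a trusted entry into a separate
# trust store (created on first import), keeping it apart from the key store.
trust_peer() {
    side="$1"; peer="$2"; pass="$3"
    rm -f "$WORK/${side}_trust.p12"
    keytool -importcert -noprompt -alias "${peer}_pub" \
        -file "$WORK/${peer}_pub.crt" \
        -keystore "$WORK/${side}_trust.p12" -storetype PKCS12 -storepass "$pass"
}

# SHA-256 fingerprint of a certificate file, as printed by keytool.
fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p'
}

# Succeeds only if the trust store holds ALIAS with the SHA-256 fingerprint
# of CERTFILE, i.e. the imported trust anchor is exactly what the peer exported.
trust_matches() {
    store="$1"; pass="$2"; alias="$3"; certfile="$4"
    expected="$(fingerprint "$certfile")"
    [ -n "$expected" ] || return 1
    keytool -list -v -keystore "$store" -storepass "$pass" -alias "$alias" \
        | grep -q "SHA256: *${expected}"
}

# Whole procedure: both key pairs, both exports, both cross-imports.
prepare_all() {
    gen_keypair server my.server.com ServerJKS
    gen_keypair client my.client.com ClientJKS
    trust_peer client server ClientJKS   # client trusts server_pub.crt
    trust_peer server client ServerJKS   # server trusts client_pub.crt
}

# Both directions must verify before the stores are used for an SSL test.
verify_all() {
    trust_matches "$WORK/client_trust.p12" ClientJKS server_pub "$WORK/server_pub.crt" &&
    trust_matches "$WORK/server_trust.p12" ServerJKS client_pub "$WORK/client_pub.crt"
}
```

Source the file and call prepare_all followed by verify_all; the server then loads server.p12 as its key store and server_trust.p12 as its trust store, the client the mirror pair. Keeping the trust anchor out of the key store means a compromised or over-broad trust store cannot leak a private key, and the fingerprint check catches a certificate that was swapped in transit between the two sides.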
Last update: 2014.