In this second part of the series, you will see how to use EJBCA to create a certificate for a client-side application that communicates with a Glassfish server on which client certificate authentication (mutual authentication) is enabled, either by changing the HTTPS listener attributes or by declaring it in the application's web.xml.
To create the client certificate we need to perform the following steps, described in 4 sections:
Section 1: Creating the client certificate profile:
- Go to https://localhost:8080/ejbca/ and select Administration.
- Select Edit Certificate Profiles from the left-side menu.
- Enter a name for the profile and press the Add button. I chose Clients as the name.
- From the list select the Clients item and press the Edit button.
- The profile edit page opens; change the attributes as follows:
- For Key Usage you should select at least Digital Signature and Key Encipherment.
- From Extended Key Usage select Client Authentication.
- Press the Save button.
Section 2: Create the end entity profile:
You have now created a certificate profile; in the next sections you will create certificates that comply with it. Next we need an End Entity Profile, so follow these steps to create it:
- From the left-side menu click on Edit End Entity Profiles.
- Enter ClientsProfile as the profile name and press the Add button.
- From the list select ClientsProfile and press the Edit End Entity Profile button.
- Enter a user name and a password for the profile; I chose cAdmin / cAdminAdmin.
- Enter the common name.
- From the list of Available Certificate Profiles select Clients, which we created in the previous section.
- Select JKS as the default token.
- Click Save.
We now reach the step in which we create the real certificate that the client will use to prove its identity and initiate an SSL-enabled session. To create the certificate perform the following steps:
Section 3: Create the client certificate
- From the left-side menu select the Add End Entity link.
- Select ClientsProfile as the End Entity Profile.
- Enter the remaining information as you like.
- Select JKS as the Token.
- Press the Add End Entity button.
Section 4: Use the certificate in the client application.
You are done; the certificate is ready to be downloaded and used.
- Go to https://localhost:8080/ejbca/ and select Certificate Enrollment.
- Select Manually for a Server.
- Enter the user name and password which you entered for the end entity in the previous step.
- Click OK.
After pressing OK a JKS file is downloaded to your computer.
Create two copies of the file and rename them to keystore.jks and cacerts.jks. To create an SSL-enabled client, whether a web service client or any other kind of socket client that needs SSL, you can follow one of the following paths:
- When you run your Java application, pass the following parameters to the JVM. They tell the JVM to use your cacerts.jks and keystore.jks when initializing the SSL connection and authenticating.
-Djavax.net.ssl.trustStore="Truststore_Location" -Djavax.net.ssl.trustStorePassword="Truststore_Password" -Djavax.net.ssl.keyStore="Keystore_Location" -Djavax.net.ssl.keyStorePassword="Keystore_Password"
- The second way is to set the same properties from your application code at run time. This way you are not forced to pass the parameters on the command line and disclose your key store passwords.
// Set the JSSE properties before the first SSL connection is opened.
System.setProperty("javax.net.ssl.trustStore", "Truststore_Location");
System.setProperty("javax.net.ssl.trustStorePassword", "Truststore_Password");
System.setProperty("javax.net.ssl.keyStore", "Keystore_Location");
System.setProperty("javax.net.ssl.keyStorePassword", "Keystore_Password");
Make sure that you use the correct location and password for your files; the passwords are the same as the one you used to download the JKS file.
I should say again that you can explore and learn more about JKS files, keys and certificates by inspecting your stores; you can use the JKS file editor located at http://members.aon.at/bhuber14/nbm.html. You may also find other useful key store editors in the NetBeans Module Portal.
For more information or maybe to find some of your questions answered you may take a look at: