Setting Up Keystores for a Client and a Service

There have been many queries about setting up keys and certificates properly for services and clients when securing Web services. By default Rampart/WSS4J supports Java (JKS) and PKCS12 keystores, from which it extracts the keys and certificates used by services and clients. This tutorial explains how to create key pairs for a client and a service, create a key pair and self-signed certificate for a certificate authority (CA), sign the public key certificates of the client and the service with the CA's private key, and import the resulting certificates into the client and service keystores.

Date: Thu, 29th Jun, 2006
Level:
Reads: 35217 Comments: 17
Ruchith Fernando
Software Engineer
WSO2 Inc.

We will use the openssl suite and the Java keytool utility that ships with the JDK to create the keystores.

Step 1 : Creating Certificate Authority Keys

A certificate authority is an entity trusted by all parties participating in a secure communication. It certifies the other parties' public keys by signing their certificates; because every party trusts the CA, every party accepts a certificate signed by that CA as trusted. First we create a key pair for the CA together with a self-signed certificate, using openssl.

IMPORTANT: Download the following three files and copy them to the directory that will be used to create the keys. index.txt openssl.cnf serial

These are the CA's working files: openssl.cnf configures 'openssl ca' (where the CA key is, where its database lives and which naming policy it enforces), index.txt is the initially empty database of issued certificates, and serial holds the next serial number to issue as an even number of hex digits, such as 01. 'openssl ca' in Step 3 refuses to run if index.txt or serial is missing, so check that both files arrived under exactly those names. Try the following from the same directory that you saved the above files in:


$ openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -config openssl.cnf

This generates a new RSA private key and a self-signed certificate in one step. (A 1024-bit key was the usual choice in 2006 but is no longer adequate; use rsa:2048 or larger, and add -days to extend the 30-day default validity that you can see on the CA certificate printed in Step 4.) You will be asked a set of questions, as shown below:

Generating a 1024 bit RSA private key
...++++++
..............++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:Western
Locality Name (eg, city) []:Colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WSO2
Organizational Unit Name (eg, section) []:Axis2
Common Name (eg, YOUR name) []:Ruchith Fernando
Email Address []:ruchith@axis2.com

The result of the above will be two files:

  • cakey.pem
  • cacert.pem

The cakey.pem file contains the private key, encrypted under the pass phrase you entered, and the cacert.pem file contains the public key certificate, signed with that private key (Figure 1).

Figure 1: CA's private key and the self signed certificate

Step 2 : Client and Service Keys

Now let's create the two sets of keys for the service and the client using 'keytool', which comes with the JDK. 'keytool -genkey' creates a key pair and stores it in a keystore. Without -keysize and -validity, keytool uses its defaults (a small key and a 90-day self-signed certificate in the JDK of the time, as the listing further down shows); pass both explicitly for anything other than a test setup. The command is:


$ keytool -genkey -alias client -keyalg RSA -keystore client.jks

Once again you will be asked a series of questions as shown below:

Enter keystore password:  changeme
What is your first and last name?
[Unknown]: Client
What is the name of your organizational unit?
[Unknown]: Axis2
What is the name of your organization?
[Unknown]: WSO2
What is the name of your City or Locality?
[Unknown]: Colombo
What is the name of your State or Province?
[Unknown]: Western
What is the two-letter country code for this unit?
[Unknown]: LK
Is CN=Client, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK correct?
[no]: yes

Enter key password for <client>
(RETURN if same as keystore password):

The generated key pair and its self-signed certificate are stored as a key entry under the alias 'client' in client.jks, which is a Java keystore (Figure 2).

Figure 2: Contents of a keystore with a single key entry

To verify this we can list the contents of the keystore as shown below.

$ keytool -list -v -keystore client.jks -storepass changeme

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: client
Creation date: Apr 12, 2006
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Client, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Issuer: CN=Client, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Serial number: 443d2226
Valid from: Wed Apr 12 21:52:06 LKT 2006 until: Tue Jul 11 21:52:06 LKT 2006
Certificate fingerprints:
MD5: EB:25:BA:E1:A9:7F:FB:41:2D:B9:B4:75:D4:47:88:D8
SHA1: F2:6F:93:3F:51:FA:CC:48:AE:E1:BE:20:04:C7:0E:90:C4:2C:D2:DB


*******************************************
*******************************************

Similar to the way we created the client's keys we can create the service's keys using the following command:


$ keytool -genkey -alias service -keyalg RSA -keystore service.jks

Note that we use 'changeme' (without quotes) as the password of both keys and both keystores throughout. That is fine for a walkthrough; for anything other than a test setup use strong, distinct passwords, because whoever can read a keystore and its password can sign and decrypt as that party.

Step 3 : Producing Signed X509 Certificates

We can create signed X.509 (version 3) certificates with openssl from certificate signing requests. First we create a request for each of the generated keys, one for the client and one for the service.


$ keytool -certreq -keystore client.jks -storepass changeme -alias client -file client.cert.req
$ keytool -certreq -keystore service.jks -storepass changeme -alias service -file service.cert.req

The above commands create the client.cert.req and service.cert.req files, which we use in the next step to produce X.509 certificates signed by the private key of the CA, using the 'openssl ca' command.


$ openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req
$ openssl ca -config openssl.cnf -out service.pem -infiles service.cert.req

Note that the CA's configuration file (openssl.cnf) points 'openssl ca' at cakey.pem as the private key to sign with; you will be prompted for the pass phrase chosen in Step 1 and asked to confirm signing and committing each certificate. If openssl.cnf uses OpenSSL's standard policy_match naming policy, the country, state and organization in a request must equal the CA's, which is why the same C, ST and O were entered for the CA, the client and the service. The output written to client.pem and service.pem is plain text: a human-readable dump of the certificate followed by its PEM encoding. To import these signed certificates into the keystores we convert them to the binary (DER) format with the 'openssl x509' command.


$ openssl x509 -outform DER -in client.pem -out client.cert
$ openssl x509 -outform DER -in service.pem -out service.cert

We also have to convert the CA's certificate to the binary form so that it can be imported into both keystores.


$ openssl x509 -outform DER -in cacert.pem -out cacert.cert

Step 4 : Importing the certificates

First we must import the CA's self-signed certificate into both the client and the service keystores. Let's use the alias 'ca' to identify the CA's certificate.


$ keytool -import -file cacert.cert -keystore service.jks -storepass changeme -alias ca
$ keytool -import -file cacert.cert -keystore client.jks -storepass changeme -alias ca

The 'keytool' will display the information in the certificate and will ask for confirmation to import.

Owner: CN=Ruchith Fernando, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Issuer: CN=Ruchith Fernando, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK
Serial number: c2889b1153b983b6
Valid from: Wed Apr 12 23:10:23 LKT 2006 until: Fri May 12 23:10:23 LKT 2006
Certificate fingerprints:
MD5: 0C:D8:14:DA:B2:32:3A:DA:F3:9B:2F:C8:B8:4E:C8:A0
SHA1: 20:77:05:EA:50:E6:64:EE:81:05:57:EE:8B:E4:C8:7C:76:98:C0:06
Trust this certificate? [no]: yes

When we type in 'yes' and confirm the import, the CA's certificate will be imported as a trusted certificate entry.

Certificate was added to keystore

Now we will import the signed certificates to the keystores.


$ keytool -import -file client.cert -keystore client.jks -storepass changeme -alias client
$ keytool -import -file service.cert -keystore service.jks -storepass changeme -alias service

Since the certificate reply matches the public key stored under the given alias and chains to the trusted CA certificate now in the keystore, keytool replaces the key entry's self-signed certificate with the chain consisting of the signed certificate and the CA certificate ('keytool -list -v' now reports a certificate chain length of 2) and responds with the following.

Certificate reply was installed in keystore

It's important to import the CA's certificate before the other certificates. Otherwise keytool cannot build a chain from the reply to a trusted certificate and fails with the following error:

keytool error: java.lang.Exception: Failed to establish chain from reply

In order to allow secure communication between the client and the service, each party must hold the other party's certificate, and with it the other's public key: that is what is needed to verify the other party's signatures and to encrypt messages for it. Now let's import client.cert into the service's keystore and service.cert into the client's keystore.


$ keytool -import -file client.cert -keystore service.jks -storepass changeme -alias client
$ keytool -import -file service.cert -keystore client.jks -storepass changeme -alias service

Once again, since the certificates being added are signed by a CA that the keystore already trusts, keytool imports them without asking for confirmation and confirms the import with the following output.

Certificate was added to keystore

Now we have two keystores, one for the client and one for the service, each containing its own key pair with its CA-signed certificate, the other party's certificate and the certificate authority's certificate.
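As an added example (not code from the original article), here are Steps 1 to 4 as one non-interactive shell script, followed by the checks worth running once the keystores exist. It assumes openssl and keytool are on PATH, that the article's openssl.cnf sits in the working directory with its [ ca ] section using the current directory (so the database is ./index.txt, the serial file ./serial and new certificates go to ./newcerts, the last of which is an assumption about that file), that the CA password is also "changeme", and it uses "Example CA" as a placeholder common name. The key sizes and validity periods are deliberately larger than the article's defaults.

```sh
#!/bin/sh
# Added example, not part of the original article: steps 1-4 as one script.
# Assumptions: openssl and keytool on PATH; the article's openssl.cnf in the
# working directory with dir=. in its [ ca ] section (new_certs_dir assumed to
# be ./newcerts); "changeme" as every password; "Example CA" is a placeholder.
set -eu

PASS=changeme
# openssl.cnf's policy_match requires C, ST and O of every request to equal the
# CA's, so all subjects below share them.
CA_SUBJ="/C=LK/ST=Western/L=Colombo/O=WSO2/OU=Axis2/CN=Example CA"

# 'openssl ca' will not run without its text database: index.txt (empty at
# first), 'serial' (the next serial number as an even number of hex digits) and
# the directory new certificates are copied into. A missing or malformed serial
# file is the "error while loading serial number" failure.
ca_db_init() {
    dir=$1
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"
    [ -f "$dir/serial" ] || printf '01\n' > "$dir/serial"
    [ -d "$dir/newcerts" ] || mkdir "$dir/newcerts"
    serial=$(tr -d '[:space:]' < "$dir/serial")
    case $serial in
        '' | *[!0-9A-Fa-f]*)
            echo "ca_db_init: $dir/serial must hold a hexadecimal serial number" >&2
            return 1 ;;
    esac
    if [ $(( ${#serial} % 2 )) -ne 0 ]; then
        echo "ca_db_init: $dir/serial needs an even number of hex digits, e.g. 01" >&2
        return 1
    fi
}

make_ca() {         # step 1: CA key pair and self-signed certificate, plus its DER copy
    ca_db_init .
    openssl req -x509 -newkey rsa:2048 -days 365 -subj "$CA_SUBJ" \
        -passout "pass:$PASS" -keyout cakey.pem -out cacert.pem -config openssl.cnf
    openssl x509 -outform DER -in cacert.pem -out cacert.cert
}

make_keystore() {   # $1 = alias (client or service); step 2, then the CSR of step 3
    keytool -genkey -alias "$1" -keyalg RSA -keysize 2048 -validity 365 -storetype JKS \
        -dname "CN=$1, OU=Axis2, O=WSO2, L=Colombo, ST=Western, C=LK" \
        -keystore "$1.jks" -storepass "$PASS" -keypass "$PASS"
    keytool -certreq -alias "$1" -keystore "$1.jks" -storepass "$PASS" -file "$1.cert.req"
}

sign_request() {    # $1 = alias; step 3: sign the CSR with the CA key, convert to DER
    openssl ca -batch -config openssl.cnf -passin "pass:$PASS" -days 365 \
        -out "$1.pem" -infiles "$1.cert.req"
    openssl x509 -outform DER -in "$1.pem" -out "$1.cert"
}

import_certs() {    # $1 = own alias, $2 = peer alias; step 4, CA certificate first
    keytool -import -noprompt -alias ca -file cacert.cert -keystore "$1.jks" -storepass "$PASS"
    # certificate reply: replaces the self-signed certificate of the key entry
    keytool -import -alias "$1" -file "$1.cert" -keystore "$1.jks" -storepass "$PASS"
    keytool -import -noprompt -alias "$2" -file "$2.cert" -keystore "$1.jks" -storepass "$PASS"
}

check_keystore() {  # $1 = alias: the key entry must now carry a two-certificate chain
    keytool -list -v -alias "$1" -keystore "$1.jks" -storepass "$PASS" |
        grep -q 'Certificate chain length: 2'
    # and the signed certificate must verify against the CA outside the keystore too
    openssl verify -CAfile cacert.pem "$1.pem"
}

# Only run the full procedure where the tools and the article's openssl.cnf exist.
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 && [ -f openssl.cnf ]; then
    make_ca
    for side in client service; do
        make_keystore "$side"
        sign_request "$side"
    done
    import_certs client service
    import_certs service client
    check_keystore client
    check_keystore service
    echo "client.jks and service.jks are ready"
fi
```

Run it in the directory holding openssl.cnf; it leaves client.jks and service.jks behind, each with three entries (the party's own key entry and the 'ca' and peer trusted entries). The two checks at the end are the ones to run by hand after following the steps interactively: the key entry's chain length must be 2 once the reply is installed, and the PEM certificate written by 'openssl ca' must verify against cacert.pem.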

Author

Ruchith Fernando, Senior Software Engineer, WSO2 Inc. ruchith @ wso2

dpelaezmartin.gmail.com wrote:

Mixing Rampart with signing x509v3

Hi Ruchith. First of all, congratulations for your articles and thanks for sharing them. I have to develop a client for a WS. The specifications say that the request should be signed with an X.509 v3 certificate according to the WS-Security specifications. I have been reading the Rampart documentation and I have downloaded rampart-1.5.1 (always using Axis2 1.5.3). There are many available configurations. I thought the one I have to use is policy "sample 2" (only sign). I'd like you to confirm which sample is the one I have to use. I have made an example similar to sample02, but always with the keystores it brings. Do I have to create an X.509 v3 certificate and send it to the Web Service server to add it to their trust keystore? On the other hand, I need to implement a WS in Axis2 with the same security policy. If sample 02 corresponds to the one I need, what do I have to do with certificates? Do I have to create one for my server (signed by a CA)? What do I give to WS clients? Any information you can give me is welcome. Thanks a lot.
siddharthvishwakarma.ymail.com wrote:

./demoCA/serial: Permission denied

I am getting the following error when running "openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req": D:\work\ssl>openssl ca -config openssl.cfg -out client.pem -infiles client.cert.req Using configuration from openssl.cfg Loading 'screen' into random state - done Enter pass phrase for ./demoCA/private/cakey.pem: ./demoCA/serial: Permission denied error while loading serial number 5008:error:02001005:system library:fopen:Input/output error:.\crypto\bio\bss_file.c:392:fopen('./demoCA/serial','rb') 5008:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:394: Could you please help me solve this problem? Also, it would be great if you could send me the openssl.conf file.
lolajopu.gmail.com wrote:

Loading 'screen' into random

Loading 'screen' into random state - done Enter pass phrase for ./cakey.pem: ./serial: No such file or directory error while loading serial number 1432:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:352:fopen('./serial','rb') 1432:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:354: I looked at the output and found that the serial file had been downloaded as serial.htm_.txt.
hbetts3 wrote:

Followed Instructions to the letter, but

When I ran the command "openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req" I got the following output:   C:\workspace\DEVELOPMENT\Application Security\Authorization>openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req Using configuration from openssl.cnf Loading 'screen' into random state - done Enter pass phrase for ./cakey.pem: ./serial: No such file or directory error while loading serial number 1432:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:352:fopen('./serial','rb') 1432:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:354: I looked at the output and found that the serial file had been downloaded as serial.htm_.txt. Once I renamed the file from "serial.htm_.txt" to "serial" everything processed fine.
danysh wrote:

Using openssl ca -config ... generated pem file is empty

Hi, I followed the guide, but at Step 3: Producing Signed X509 Certificates, the following commands $ openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req $ openssl ca -config openssl.cnf -out service.pem -infiles service.cert.req always generate an empty pem file. I downloaded the OpenSSL Windows edition, ran the command on Windows, and changed openssl.cnf to fit it. Would you please tell me what's wrong? Thank you very much. Best regards,
toxx wrote:

ok, now lets go ldap ;-)

What I have been looking for, for about two weeks, is a good explanation of the Axis2/Rampart/WSS4J configuration for use with an LDAP directory where X.509 certificates are stored... so if you know something about that, any hint is welcome ;-)
uraghu wrote:

How to use these keystores with my Web Service?

Hi Ruchith, I've successfully created the certificates and also the keystores according to what you've specified. Now I have two keystores for the client and the service including their key pairs and the certificates of the other party and the certificate authority. How do I use these keystores or certificates in my Web Services? Do I need to send the client keystore to the client of my web service, and do I need to add the service keystore somewhere in my app server? And how does the client send his keystore when invoking my web service, and how do I validate that, etc.? How should I make my client use SSL to access my web service; is there any tutorial I can take a look at regarding this? Thanks, Raghu Upadhyayula
vgillestad wrote:

How to use these keystores with my Web Service?Re

Assuming that you are using Axis2, I would recommend you take a look at the "Rampart module" for implementing Web services security. You can download and find installation instructions for Rampart here: http://ws.apache.org/axis2/modules/index.html I also would recommend you take a look at the IBM guide on how to use Rampart, found here: http://www.ibm.com/developerworks/edu/ws-dw-ws-understand-web-services4.html (You may need to register to be able to use/download this guide.) I hope this helps you get started.
vgillestad wrote:

Error messages

1) I cannot get your guide working on my computer. The problem occurs when I try to run the command: openssl x509 -outform DER -in client.pem -out client.cert I get a printout like this: unable to load certificate 17308:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE I do not know what can be wrong, but it seems like the certificate is not signed? 2) Because of the error message above, I have also tried a workaround, combining this guide with the CA.pl script (http://wso2.org/library/767). Then I got past this error, but I got a new problem when I tried to import the signed client certificate into client.jks: keytool -import -file client.cert -keystore client.jks -storepass changeme -alias client I then get this printout: keytool error: java.security.cert.CertPathValidatorException: Failed to establish chain-of-trust from reply (I have imported the CA certificate into client.jks.) I would really appreciate your help!
vgillestad wrote:

Error messages

Solved. Even though I had installed Sun Java on my Linux system (Ubuntu Feisty) and set the alternatives variables, the global keytool command was using GNU Java. When I use the Sun Java keytool and my "workaround", I can successfully create my keystores and import certificates. When I do exactly as the guide on this page tells me to do, I still get the error message described under 1 above.
cr2007 wrote:

openssl

I cannot run openssl in Step 1 above. Do I need to download OpenSSL from www.openssl.org? If so, which version is best to download? Thanks, CR
marcelcasado wrote:

I can not download the files needed for openssl

Hi, The server to download the files is down. Where can I get the files needed for openssl with this article ? Thanks, Marcel
ruchith wrote:

Re: I can not download the files needed for openssl

The links are fixed now Thanks, Ruchith
krahd wrote:

TXT_DB error number 2

Ruchith, great tutorial, but when I tried to follow it I always bumped into an error. When entering openssl ca -config openssl.cnf -out service.pem -infiles service.cert.req we systematically get the following error: failed to update database TXT_DB error number 2 but the index.txt file has only one entry: V 070817144430Z 01 unknown /C=UY/ST=Montevideo/O=DGR/OU=DGR/CN=tom Any advice would be greatly appreciated :) Thanks a lot, tom
ruchith wrote:

Re: TXT_DB error number 2

This should help: http://saintaardvarkthecarpeted.com/wiki_recovery/TxtDbErrorNumber2.html Thanks, Ruchith