Saturday, April 18, 2015

Certificate Management

Certificate creation

Use XCA (http://sourceforge.net/projects/xca)

Create Certification Authority root certificate

  • Create a new database
  • Create a new key using the CA template (RSA, at least 2048 bits)
  • Create a new certificate for the CA (using the previously created key and at least SHA-256 as the signing algorithm; SHA-1 is being phased out and is expected to no longer be supported starting from 2017)

Create certificates

  • Create a new Template based on the existing HTTPS server template (or another one, depending on your future needs)
  • Create certificates:
    • Go to the Templates tab -> right click -> Create certificate; if you instead create a new certificate from the Certificates tab, do not forget to select a template and click one of the Apply buttons
    • Change the default signing option (-> Use this certificate for signing...; select the CA certificate)
    • Change the default signing algorithm to something stronger than SHA-1
    • On Subject tab:
      • Change the relevant fields (commonName especially)
      • Create a new private key for certificate (Generate new key button)

Misc operations

Apart from exporting certificates to different formats (with or without the private key, with or without the certificate chain), you can obtain the public or private key in PEM format by going to the Private Keys tab -> right click a key -> Export to clipboard, etc.

Managing a JKS Store

Use KeyStore Explorer (http://keystore-explorer.sourceforge.net/). An alternative would be Portecle, but KeyStore Explorer has the advantage (from my point of view) that, being a Windows application, it can be registered as the default handler for JKS files.

Then import the trusted CA certificates (*.cer or *.crt files, for instance) and the key pairs (certificates bundled with their private key, *.p12 files for instance).
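The same procedure (CA root key of at least 2048 bits, a server certificate signed by it with SHA-256, and a PKCS#12 key pair ready for the JKS import) done with the openssl command line instead of the XCA GUI, as an added example that is not part of the original post. It assumes openssl 1.1.1 or newer is installed; the subject names and the "changeit" password are constructed.

```shell
#!/bin/sh
# Added example: CA root + SHA-256-signed server cert + PKCS#12 export with openssl.
# All names and the password are constructed; the layout mirrors the XCA steps above.
set -eu

# make_chain DIR: writes ca.crt, server.crt and server.p12 into DIR; prints "ok" when
# the server certificate verifies against the CA and uses a SHA-256 signature.
make_chain() {
  dir="$1"; mkdir -p "$dir"
  # 1. CA key: RSA, 2048 bits (the minimum the post asks for in the CA template)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  # 2. Self-signed CA root, explicitly SHA-256 (never SHA-1), marked as a CA
  openssl req -new -key "$dir/ca.key" -subj "/CN=Example Internal CA" -out "$dir/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # 3. Server key and request; commonName is the field the post says to change
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=www.example.test" -out "$dir/server.csr"
  # 4. The "HTTPS server" template: end-entity cert with serverAuth EKU and a SAN,
  #    signed by the CA key with SHA-256 (the "Use this certificate for signing" step)
  cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
  # 5. Key pair export as PKCS#12 with the chain, the format KeyStore Explorer imports
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/server.p12"
  # Checks a defender wants before trusting the output: chain builds to the CA,
  # and the signature algorithm really is SHA-256 with RSA
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null \
    || { echo "verify-failed"; return 1; }
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'sha256WithRSAEncryption' \
    || { echo "weak-sigalg"; return 1; }
  echo ok
}
```

ca.crt is the file to import into the JKS as a trusted certificate and server.p12 the one to import as a key pair.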
