Over the last few years we’ve seen a series of high profile SSL fails with names like Heartbleed, BEAST and POODLE which are based on various flaws in SSL and its various algorithm/cipher implementations. SSL (otherwise formerly known as SSLv3) is dead and has now all but been abandoned as essentially “not fixable”.
TLS is now the only show in town with three active versions TLSv1, TLSv1.1 and TLSv1.2 (and TLSv1.3 is on its way in hopefully 2016). Given the age of TLSv1, it probably doesn’t hurt to disable it too, unless you’ve got some semi-ancient clients (Java 6 can only do up to TLSv1).
With an increased focus on security, I thought I’d document some simple steps to getting a new TLS certificate setup.
One can purchase a certificate from a Certificate Authority (CA) such as StartSSL, Comodo or Gandi. Alternatively, one could generate a certificate but that wouldn’t be signed by a trusted CA, a self-signed certificate, which thus wouldn’t be trusted by browsers. Self-signed certificates result in some at times scary looking browser security warnings but it depends on the target audience and your degree of annoyance.
Generate a private key
To get things started you’ll need to generate a private key file:
openssl genrsa -out dash.thecuriousdev.com.key 2048
This will produce a file dash.thecuriousdev.com.key which will contain something like this (truncated):
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAw1Fo5Ay3U/AeO0AVNieFpjcEe63S8bAN8+YPqpIwQzauXzTA ukOOXSYXR+RrN33KFQT+AzusQ1Ska5+VNM0tV+cjgYMB2I0JsUQ6tQ== -----END RSA PRIVATE KEY-----
Generate a CSR
As an input of the certificate creation process you’ll need a Certificate Signing Request (CSR) which you generate from your private key:
openssl req -new -key dash.thecuriousdev.com.key -out thecuriousdev.com.csr -config "C:\Program Files (x86)\Git\ssl\openssl.cnf"
That last bit with the openssl.cnf file is required otherwise OpenSSL has a whinge about not finding the configuration, the OpenSSL on my machine is the one that came with the very helpful Git Bash tools package, so I just tell it where the config is.
The output file dash.thecuriousdev.com.csr will look something like this (truncated):
-----BEGIN CERTIFICATE REQUEST----- MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCQVUxGjAYBgNVBAgMEVdlc3Rlcm4gQXVz CWHCQjHlWoTnuKeRpXuEVhF3Dt5RHiD9G4c3TQ4207V4azsvEt/7HWH1An6F6RRv -----END CERTIFICATE REQUEST-----
When buying a certificate there will typically be a text area to input the contents of this file.
Purchasing the Certificate
Upon purchasing the certificate from your CA, you’ll typically be provided with a certificate file to download or a block of text to select, it’ll have the form similar to this (truncated):
-----BEGIN CERTIFICATE----- MIIGMjCCBRqgAwIBAgIHBjI4n6fkszANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE 9YVDp+AnN/0tLTS0MxVVtJJZHwDCF3lRrcnuNm6tzufSwQlFLnsoqQWEufFLls8a -----END CERTIFICATE-----
In addition to your certificate you’ll likely be provided an “intermediate” CA certificate which links your certificate up to the global certificate used by the CA (which is typically included in the various browsers etc). Depending on the CA, there may be multiple intermediate certificates.
Save the contents of all of these certificates to the same file, i.e. concatenated one after another and name it accordingly, such as dash.thecuriousdev.com.pem.
Note: I’m not sure whether the order of the certificate blocks makes a difference.
This looks something like this truncated example:
-----BEGIN CERTIFICATE----- MIIGMjCCBRqgAwIBAgIHBjI4n6fkszANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE 9YVDp+AnN/0tLTS0MxVVtJJZHwDCF3lRrcnuNm6tzufSwQlFLnsoqQWEufFLls8a -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp -----END CERTIFICATE-----
Create a PKCS12 keystore
Next up we’ll generate a PKCS12 keystore from the certificates (pem file) and private key.
Input files needed:
- pem file - dash.thecuriousdev.com.pem (containing the new certificate and any intermediate certificates)
- private key - dash.thecuriousdev.com.key (from your original steps to generate the CSR)
Using OpenSSL with the required certificates and key it can generate a PKCS12 keystore (typically with a .p12 extension). You’ll be prompted for a password, for this example I’ll stick with the default
changeit that the Java keytool uses.
openssl pkcs12 -export -in dash.thecuriousdev.com.pem -inkey dash.thecuriousdev.com.key -out dash.thecuriousdev.com.p12 -name dash.thecuriousdev.com
Create a JKS keystore
Now that we’ve got a PKCS12 keystore, we can easily produce our JKS keystore from it.
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore dash.thecuriousdev.com.jks -srckeystore dash.thecuriousdev.com.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias dash.thecuriousdev.com
Note: I believe there can be problems if a
srcstorepass is not provided.
You should now have a JKS keystore dash.thecuriousdev.com.jks that will contain one entry,
keytool -list -keystore dash.thecuriousdev.com.jks, will produce something like this:
Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry dash.thecuriousdev.com, 08/07/2015, PrivateKeyEntry, Certificate fingerprint (SHA1): 76:E4:54:8B:71:72:F6:1F:CB:80:47:D5:A9:C6:1C:46:0E:91:96:2E
You can now use this keystore in your web/application server or even for AWS CloudFront, more on this in another post perhaps.