Java Keystore walkthrough

The Java keystore is powerful, yet not very user-friendly. While the Java documentation provides an OK reference on keystore commands, there are not many comprehensive examples out there.

So, here is a simple walkthrough on how to create your keystore containing your private key, your signed certificate, and the certificate of the CA that signed your certificate.

REM "Step 1: Create your store and your private/public key pair"
REM o= is the organisation attribute (c= is the two-letter country code)
REM -keyalg RSA -keysize 2048 avoids the old DSA default; see the note on key length below
keytool -genkey -keyalg RSA -keysize 2048 -dname "cn=myhost,o=mycompany" -alias myhost -keypass z0Ld6#MdeR -validity 365 -keystore mykeystore.jks -storepass kru6+Qb76_

REM "Step 2: Create a Certificate Signing Request (CSR)"
keytool -certreq -alias myhost -file myhost.csr -keypass z0Ld6#MdeR -keystore mykeystore.jks -storepass kru6+Qb76_

REM "Step 3: Import CA certificate into keystore, and make it trusted"
keytool -import -alias myCA -file c:\myca.cer -keystore mykeystore.jks -storepass kru6+Qb76_

REM "Step 4: import my signed personal certificate"
REM the alias must be the key entry from step 1; without it the reply is stored as a separate trusted certificate under the default alias "mykey"
keytool -import -alias myhost -file c:\myhost.cer -keypass z0Ld6#MdeR -keystore mykeystore.jks -storepass kru6+Qb76_

REM "Step 5: list and verify certificates"
keytool -list -keystore mykeystore.jks -storepass kru6+Qb76_

Comments:

  • If you are going to use the certificate for securing browser communication using SSL, make sure the common name (CN) is the fully qualified hostname of your server, e.g. myhost.domain.com.
  • When it comes to choosing key length, use www.keylength.com as a reference.
  • Between steps 2 and 3 above, you have to have the certificate signed by a certificate authority like VeriSign. Alternatively, you can set up your own CA in your company using OpenSSL or Windows Certificate Services.
  • Please do not use the same passwords as shown above. That would not be very wise…
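As an added check that is not part of the original walkthrough: the Java program below loads the keystore produced above and verifies what keytool -list alone does not show, namely that the myhost alias is a private-key entry, that its chain is longer than the self-signed certificate from step 1 (i.e. step 4 actually replaced it), that every certificate in the chain is signed by the next one, that the CN is the expected hostname, and that the chain ends in the CA imported as myCA. It assumes the CA signed the certificate directly (no intermediate), as in the walkthrough; the keystore path and store password are taken from the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class VerifyKeystore {

    // Returns true only when the alias holds a private key whose certificate chain is
    // complete, internally consistent, currently valid, and anchored in the CA entry.
    public static boolean verifyChain(KeyStore ks, String alias, String caAlias, String expectedCn)
            throws Exception {
        if (!ks.isKeyEntry(alias)) return false;             // a trusted-cert entry has no private key
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length < 2) return false; // still the self-signed cert from step 1

        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity();                                // throws if expired or not yet valid

        // Compare the CN attribute itself rather than doing a substring match on the DN
        boolean cnMatches = false;
        LdapName dn = new LdapName(leaf.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN") && expectedCn.equals(rdn.getValue())) cnMatches = true;
        }
        if (!cnMatches) return false;

        // Each certificate must be signed by the key of the certificate that follows it
        for (int i = 0; i < chain.length - 1; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());    // throws on a bad signature
        }

        // The chain must end in the CA certificate that was imported in step 3
        Certificate ca = ks.getCertificate(caAlias);
        return ca != null && ca.equals(chain[chain.length - 1]);
    }

    public static void main(String[] args) throws Exception {
        // usage: java VerifyKeystore mykeystore.jks <storepass>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        boolean ok = verifyChain(ks, "myhost", "myCA", "myhost");
        System.out.println(ok ? "chain OK" : "chain NOT OK");
    }
}
```

If this reports "chain NOT OK" right after step 4, the usual cause is that the reply was imported under a different alias than the key entry, so the keystore now holds two unrelated entries.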

Immune system whitelisting

I read an interesting article called The non-denial of the non-self on the web today. It is an interesting article about how to secure databases. However, I also found it interesting to read about how the human immune system relates to attackers:

“The immune system is interesting, because it protects its owner from pathogens without needing to know what a pathogen will look like. Instead, it relies on a negative database to tell it what to destroy. It learns early on which biological molecules are ‘self’, in the sense that they are routine parts of the body it is protecting. Whenever it meets one that is ‘not self’ and thus likely to be part of a pathogen, it destroys it.”

In security terms, this is actually called whitelisting. It is typically used for input validation. Instead of trying to list all illegal inputs (which is called blacklisting), list all legal inputs. The problem with the former is that you have to make sure you think about all illegal instances, which is often very difficult; using the latter, you only have to focus on the legal cases. Seemingly, this is how nature works…