During the last few months, I have written several blog posts in my company’s blog about how to secure a site with HTTPS. I started off talking about how to encrypt an Azure web site with Let’s encrypt, and then continued on to discuss how to try to prevent the browser being tricked into making non-HTTPS requests to the server. Finally, I talked about how to narrow the range of certificate issuers we want the browser to trust for our site in order to prevent ill-behaving issuers to make our site insecure, using so-called certificate pinning.
Quite recently, there has been discussions on how HTTPS is gaining traction, and that HTTPS is becoming the norm. Your web site should use it, too.
The Java keystore is powerful, yet not very user-friendly. While the Java documentation provides an OK reference on keystore commands, there are not many comprehensive examples out there.
So, here is a simple walkthrough on how to create your keystore containing your private key, your signed certificate, and the certificate of the CA that signed your certificate.
REM “Step 1: Create your store and your private/public key pair”
keytool -genkey -dname “cn=myhost,c=mycompany” -alias myhost -keypass z0Ld6#MdeR -validity 365 -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 2: Create a Certificate Signing Request (CSR)”
keytool -certreq -alias myhost -file myhost.csr -keypass z0Ld6#MdeR -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 3: Import CA certificate into keystore, and make it trusted”
keytool -import -alias myCA -file c:myca.cer -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 4: import my signed personal certificate”
keytool -import -file c:myhost.cer -keystore mykeystore.jks -storepass kru6+Qb76_
REM “Step 5: list and verify certificates”
keytool -list -keystore mykeystore.jks -storepass kru6+Qb76_
- If you shall use the certificate for securing browser communication using SSL, make sure the common name (CN) is the fully qualified hostname of your server, e.g. myhost.domain.com.
- When it comes to choosing key length, use www.keylength.com as reference.
- Between step 2 and 3 above, you have to have the certificate signed by a certificate authority like VeriSign. Alternatively, you can set up your own CA in your company using OpenSSL or Windows Certificate Services
- Please do not use the same passwords as shown above. That would not be very wise…