HTTPS Misc

  1. JCE
    1.1. JDK 7
    1.2. JDK 8
  2. File Formats
    2.1. .pem
    2.2. .csr
    2.3. .key
    2.4. .pkcs12 .pfx .p12
    2.5. .der
    2.6. .cert .cer .crt
  3. Openssl
  4. Keytool

JCE

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

If you need keys longer than 1024 bits, unzip the JCE package into $JAVA_HOME/lib/security/

JDK 7

curl -jkLH "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jce/7/UnlimitedJCEPolicyJDK7.zip -o UnlimitedJCEPolicyJDK7.zip

JDK 8

curl -jkLH "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip -o jce_policy-8.zip

File Formats

.pem

Privacy Enhanced Mail, a way of encoding data.
It may contain:

  • public key (certificate)
  • private key
  • CA certificates (root, chain)
  • CSR pkcs10 encoded (not common)

.csr

PKCS#10 format. You generate the CSR and submit it to the CA, which issues your certificate.

.key

Private key or public key.

.pkcs12 .pfx .p12

A password-protected container format that holds both the certificate (public key) and its private key. Unlike .pem files, this container is fully encrypted.
OpenSSL can turn it into a .pem file containing both the certificate and the private key:

# -nodes writes the private key to the .pem unencrypted
openssl pkcs12 \
-nodes \
-in file-to-convert.p12 \
-out converted-file.pem

.der

The parent format of PEM. It’s useful to think of it as the binary version of the base64-encoded PEM file. Not routinely used much outside of Windows.

.cert .cer .crt

A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
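The .pem and .der descriptions above, illustrated with an added example (not code from the original page): a small Python script that tells PEM from DER by content rather than by file extension, lists the labelled blocks inside a .pem, and converts between the two encodings. The DER blob it uses is a constructed stand-in for a real certificate.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: a tiny DER SEQUENCE { INTEGER 5, OCTET STRING "ab" },
# standing in for a real certificate so the script runs offline.
SAMPLE_DER = bytes.fromhex("30 07 02 01 05 04 02 61 62")
# RFC 7468 envelope; the label (CERTIFICATE, PRIVATE KEY, CERTIFICATE REQUEST, ...) must match on both lines.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def der_total_length(data: bytes) -> Optional[int]:
    """Size (tag + length + content) of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:  # short form: the byte itself is the content length
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the content length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def sniff_format(data: bytes) -> str:
    """Classify by content, not by extension (.crt/.cer may be either)."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    # Certificates, keys, CSRs and PKCS#12 files are all DER SEQUENCEs; the declared
    # length must cover the whole file, otherwise it is truncated or has trailing junk.
    if der_total_length(data) == len(data):
        return "DER"
    return "unknown"


def pem_blocks(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every block; one .pem may hold a key plus a chain."""
    blocks = []
    for label, body in PEM_RE.findall(data):
        der = base64.b64decode(b"".join(body.split()), validate=True)
        blocks.append((label.decode(), der))
    return blocks


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER in a PEM envelope with 64-column base64 lines (like openssl x509 -outform pem)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head, tail = f"-----BEGIN {label}-----".encode(), f"-----END {label}-----".encode()
    return b"\n".join([head, *lines, tail]) + b"\n"
```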


Openssl

Generate a new private key and Certificate Signing Request

openssl req \
-newkey rsa:2048 \
-nodes \
-keyout private.key \
-out domain.csr

Generate a self-signed certificate

openssl req \
-x509 \
-sha256 \
-nodes \
-days 3600 \
-newkey rsa:2048 \
-keyout private.key \
-out certificate.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req \
-new \
-key private.key \
-out domain.csr

Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

Convert DER file (.crt .cer .der) to PEM

openssl x509 \
-inform der \
-in cert.cer \
-out cert.pem

Convert PEM file to DER

openssl x509 \
-outform der \
-in cert.pem \
-out cert.der

Importing an existing certificate into a PKCS12 keystore

openssl pkcs12 -export \
-in domain.crt \
-inkey domain.key \
-out domain.p12 \
-name tomcat \
-CAfile ca.crt \
-caname root \
-chain

Keytool

Create a keystore file to store the server’s private key and self-signed certificate

keytool -genkey \
-alias domain.com \
-keyalg RSA \
-keystore keystore.jks \
-validity 3600

Create a CSR based on the keystore

keytool -certreq \
-keyalg RSA \
-alias tomcat \
-file certreq.csr \
-keystore keystore.jks

Import the self-signed certificate into the JRE’s cacerts keystore, so that your Java program can communicate with remote servers that serve HTTPS with that self-signed certificate

keytool -importcert \
-keystore "$JAVA_HOME/lib/security/cacerts" \
-file corp.cer \
-alias corpcert