Using Application Client Certificates
INDEX:

1.   Acquiring an Application Client Certificate
     a.   Generate an RSA key
     b.   Generate a request for a certificate
          Where to send the certificate request
2.   Creating a Java keystore containing an Application Client Certificate
          Obtaining the mitClient.crt
3.   Creating a server trust store for use with an application
          Obtaining the mitca.crt
          Obtaining the mitClient.crt
4.   Using the keystore in an application

This document addresses only how to acquire an Application Client Certificate and how to create a Java keystore that can be used by an application.  It is not a document on how to use SSL.
*1. Acquiring an Application Client Certificate*
a.  Generate an RSA key
For UNIX or LINUX systems:
On the system you want the certificate for:
1.  Create a directory which will be used for generating the certificate request.
2.  cd to the newly created directory.
3.  Now generate some random data to seed the key generator by running the following command lines:
*ps > foo*
*ps -elf >> foo*
4.  Execute the following command:
*openssl genrsa -rand foo 1024 > [appname]-key.pem*
_where [appname] matches the name the final certificate will apply to, i.e. for "foo.app.mit.edu" you would name this file foo-key.pem_
The file [appname]-key.pem is the application's private key.  It stays on this machine and is never sent to the CA; restrict its permissions so that only the account that will run the application can read it.  The process listing in *foo* only supplements the seed: OpenSSL releases since 1.1.1 seed from the operating system's random source and do not need *-rand*.  A 1024-bit key is the size this page was written for and is below the 2048-bit minimum now generally expected, so confirm the key size the CA currently accepts before generating the key.
For WINDOWS systems:
*Generate an RSA key:*
1.      Create a directory which will be used for generating the certificate request.
2.      cd to the newly created directory.
3.      Execute the following command:
*openssl genrsa 1024 > [appname]-key.pem*

_where [appname] matches the name the final certificate will apply to, i.e. for "foo.app.mit.edu" you would name this file foo-key.pem_
As on UNIX, [appname]-key.pem is the private key: keep it on this machine, readable only by the account that will run the application, and never send it to anyone.

b.  Generate a request for a certificate
To generate a request for a certificate, execute the following command line:
*openssl req -key [appname]-key.pem -new > [appname]-req.pem*
Where [appname] is as in a) above.
When prompted for input, use these answers (or use the default answers for all but Common Name and challenge password):
Country Name (2 letter code): *US*
State or Province Name (full name): *Massachusetts*
Locality Name (eg, city): *Cambridge*
Organization Name (eg, company): *Massachusetts Institute of Technology*
Organizational Unit Name (eg, section): *(e.g. Information Services & Technology)*
Common Name (eg, YOUR name): *[appname].app.mit.edu* (the name of the application certificate)
Email Address:   enter a valid email address.  This email address will receive certificate renewal notices.
A challenge password: *(anything you choose - keep a record)*
An optional company name: *(no entry required)*
The file [appname]-req.pem contains the information for your certificate: the subject name and the public key, signed with your private key.  It does not contain the private key itself, so it is safe to send by email; never send [appname]-key.pem.  Cut and paste the contents of this file into an email and send it to mitcert@mit.edu.  When you paste the contents of the req.pem file into the email, be sure to include the BEGIN and END lines.
The Subject line of the email should read: *Request for an Application Client Certificate.*
Also include in the body of the email a short line stating that you are requesting an *Application Client Certificate*.  Stating that you want an *Application Client Certificate* is important.  If you do not do this, you may be sent a server certificate, which will not work.
*2. Creating a Java keystore containing an Application Client Certificate.*
After a few days, you will receive an email that has your Application Client Certificate as an attachment.  Save the Application Client Certificate to the directory you created in 1a above.  You can change the name of the certificate file to something that is meaningful to you.  In this document, the Application Client Certificate is assumed to be saved as [appname]-Certificate.pem, where [appname] is as in a) above.
View the Application Client Certificate to verify that you have the correct certificate.  To view the certificate, execute the following command line:
*openssl x509 -in [appname]-Certificate.pem -noout -text*
Find the line that says: *Netscape Cert Type*.  The line immediately following this line should say:  *SSL Client, SSL Server, S/MIME, Object Signing*.  If this is not the case, then you have the wrong type of certificate.
Also verify that the issuer of the certificate is the MIT client certificate authority by finding the following line:
*Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA V1*
Also verify that the certificate is for your application by finding your application certificate name in the certificate's *Subject:* line.  It will be the CN entry and will be of the form <applicationName>.app.mit.edu
Finally verify the certificate's activation and expiration dates by looking at the two lines (*Not Before* and *Not After*) following *Validity*.
The Application Client Certificate and its private key must be combined into a PKCS#12 file before they can be imported into a Java keystore.  To do this, obtain the mitClient.crt (this is the certificate of the MIT Client CA V1, the CA that signed your application certificate) and place it in the directory you created in 1a.  You can get the mitClient.crt by going to http://ca.mit.edu/mitClient.crt and saving the certificate to your working directory as mitClient.crt.
To convert the Application Client Certificate to PKCS#12 format, execute the following command line:
*openssl pkcs12 -in [appname]-Certificate.pem -inkey [appname]-key.pem -export -out [appname]-Certificate.p12 -nodes -CAfile mitClient.crt*
openssl prompts for an export password that protects the .p12 file; keep a record of it, since it is needed when the file is imported.  The .p12 file holds your private key, so delete it once the Java keystore has been created.
[appname]-Certificate.p12 now contains the new application client certificate together with its private key.  This file must now be imported into a Java keystore.  To do this, obtain a copy of PKCS12Import.jar and place it in your working directory.  Execute the following command line:
*java -jar PKCS12Import.jar [appname]-Certificate.p12 [appname].jks changeit*
The keystore password will be set to *changeit*.  This is the well-known default password of the JDK's own keystores and offers no protection against anyone who can read the file; the file's permissions are the real control, and for production use choose a password of your own.
For example:  If your certificate name is foo.app.mit.edu, the command line would be:
*java -jar PKCS12Import.jar foo-Certificate.p12 foo.jks changeit*
Verify that the keystore was created successfully by executing the following command line:
*keytool -list -keystore [appname].jks*
If everything is correct, something similar to the following lines should be displayed. (The keystore password is *changeit*.)
*Keystore type: JKS*
*Keystore provider: SUN*
*Your keystore contains 1 entry*
*[appname]-Certificate.p12, Jan 8, 2007, PrivateKeyEntry,*
*Certificate fingerprint (MD5): 66:C1:4E:0D:B1:59:FB:4C:99:E8:1A:49:7D:F6:EF:32*
The entry type must be *PrivateKeyEntry*.  A *trustedCertEntry* means the certificate was imported without its private key, and the application will not be able to authenticate with it.  (Newer JDKs print a SHA-256 fingerprint instead of MD5.)
The [appname].jks keystore can now be used by your application as a Java keystore.
*NOTE*:  the keystore that you have created must contain only 1 certificate.
*3. Creating a server trust store for use with an application.*
You will need to obtain an *mitca* certificate and a *mitClient* certificate.
For the mitca certificate, go to http://ca.mit.edu/mitca.crt , download and save the certificate.
For the mitClient certificate, go to http://ca.mit.edu/mitClient.crt , download and save the certificate.
Both files are fetched over plain HTTP.  keytool prints each certificate's fingerprint before asking whether to trust it; compare that fingerprint with one obtained from the CA operators through an independent channel before answering yes.
To create the server trust store, use the following command lines:
*keytool -import -keystore serverTrustStore.jks -alias mitca -file mitca.crt*
*keytool -import -keystore serverTrustStore.jks -alias mitClient -file mitClient.crt*
When prompted for a password, use *changeit* (the first command creates the file and sets its password; the second must supply the same one).  Answer *yes* when prompted with *Trust this certificate? [no]:*
The serverTrustStore.jks should now contain only the mitca and mitClient certificates, and no private keys.  You can verify this by using the following command line:
*keytool -list -keystore serverTrustStore.jks*
And you should get something similar to:
*Your keystore contains 2 entries*
*mitclient, Sep 20, 2007, trustedCertEntry,*
*Certificate fingerprint (MD5): CF:41:AB:E1:03:6D:F8:21:37:55:62:C1:EF:18:71:96*
*mitca, Sep 20, 2007, trustedCertEntry,*
*Certificate fingerprint (MD5): F6:F0:04:3B:10:F9:5C:CE:0B:9E:0C:A0:DA:36:93:2A*
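The checks that sections 2 and 3 ask you to make by eye (one PrivateKeyEntry, correct issuer, correct CN, current validity, a trust store holding nothing but CA certificates) can be scripted so they run before every deployment.  The program below is an added example, not code from the original page; it assumes the password *changeit* that the procedure above sets on both stores, guesses the store type from the file extension (.p12 is PKCS12, anything else JKS), and takes the expected CN on the command line.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example: sanity checks for the stores built in sections 2 and 3 (not from the original page). */
public final class KeyStoreCheck {
    /** Issuer OU and subject CN suffix the page says to look for in section 2. */
    static final String CLIENT_CA_OU = "Client CA V1";
    static final String APP_CN_SUFFIX = ".app.mit.edu";

    /** Loads a store; assumption: a .p12 file is PKCS12, anything else is JKS. */
    static KeyStore load(String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(path.toLowerCase().endsWith(".p12") ? "PKCS12" : "JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** First attribute of the given type (CN, OU, ...) in an RFC 2253 DN, or null if absent. */
    static String attr(String dn, String type) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (rdn.getType().equalsIgnoreCase(type)) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) { /* unparsable DN: report the attribute as absent */ }
        return null;
    }

    /** True if the certificate is inside its validity window right now. */
    static boolean currentlyValid(Certificate c) {
        try {
            ((X509Certificate) c).checkValidity();
            return true;
        } catch (GeneralSecurityException | ClassCastException e) {
            return false;
        }
    }

    /** Section 2 keystore: exactly one PrivateKeyEntry, readable with the password, holding a current
     *  certificate issued by the MIT Client CA with the expected CN. Empty result means usable. */
    static List<String> checkAppKeyStore(KeyStore ks, char[] keyPassword, String expectedCn)
            throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();
        List<String> aliases = Collections.list(ks.aliases());
        if (aliases.size() != 1) {
            problems.add("keystore must contain exactly 1 entry, found " + aliases.size());
            return problems;
        }
        String alias = aliases.get(0);
        if (!ks.isKeyEntry(alias) || ks.getKey(alias, keyPassword) == null) {
            problems.add("entry '" + alias + "' is not a PrivateKeyEntry readable with this password");
            return problems;
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (!currentlyValid(cert)) problems.add("certificate is outside its validity period");
        String issuerOu = attr(cert.getIssuerX500Principal().getName(), "OU");
        if (!CLIENT_CA_OU.equals(issuerOu)) {
            problems.add("issuer OU is '" + issuerOu + "', expected '" + CLIENT_CA_OU + "'");
        }
        String cn = attr(cert.getSubjectX500Principal().getName(), "CN");
        if (cn == null || !cn.equals(expectedCn) || !cn.endsWith(APP_CN_SUFFIX)) {
            problems.add("subject CN is '" + cn + "', expected '" + expectedCn + "'");
        }
        return problems;
    }

    /** Section 3 trust store: trustedCertEntry entries only, none of them expired. */
    static List<String> checkTrustStore(KeyStore ts) throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.isKeyEntry(alias)) {
                problems.add("'" + alias + "' is a key entry; a trust store must hold CA certificates only");
            } else if (!currentlyValid(ts.getCertificate(alias))) {
                problems.add("trusted certificate '" + alias + "' is outside its validity period");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) { System.err.println("usage: java KeyStoreCheck foo.jks foo.app.mit.edu serverTrustStore.jks"); System.exit(2); }
        char[] pw = "changeit".toCharArray();   // the password the page's procedure sets on both stores
        List<String> problems = new ArrayList<>(checkAppKeyStore(load(args[0], pw), pw, args[1]));
        problems.addAll(checkTrustStore(load(args[2], pw)));
        problems.forEach(p -> System.out.println("PROBLEM: " + p));
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it as *java KeyStoreCheck foo.jks foo.app.mit.edu serverTrustStore.jks*; a zero exit status means both stores look the way sections 2 and 3 describe.  The CN check deliberately demands an exact match against the name you pass in, so a certificate issued for a different application name in the same domain is still reported.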
*4. Using the keystore in an application.*
To use the application certificate keystore (created in section 2) in an application, add the following 4 lines of Java code somewhere prior to making the first call to the web service.
*System.setProperty("javax.net.ssl.keyStore", KeyStoreFile);*
*System.setProperty("javax.net.ssl.keyStorePassword", KeyStorePassword);*
*System.setProperty("javax.net.ssl.trustStore", ServerTrustStoreFile);*
*System.setProperty("javax.net.ssl.trustStorePassword", ServerTrustStorePassword);*
o      The *KeyStoreFile* is a string containing the path to and filename of the application certificate keystore file.
o      The *KeyStorePassword* is a string containing the application certificate keystore's password.
o      The *ServerTrustStoreFile* is a string containing the path to and filename of the server trust store file.
o      The *ServerTrustStorePassword* is a string containing the server trust store password.
These properties are read once, when the JVM builds its default SSLContext, so they must be set before the first SSL connection of any kind, and they then apply to every SSL connection the JVM makes, not only the web service call.  Setting *javax.net.ssl.trustStore* also replaces the JVM's default trust store (cacerts): after these lines the application trusts only servers whose certificates chain to the CAs in serverTrustStore.jks.  Do not hard-code the passwords in source; read them from a protected configuration file or the environment.
If the application certificate is going to be used with an ISDA web service, the application certificate's CN must be entered into the web service access control list.  Contact ISDA operations for further instruction.
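The four System.setProperty() lines change the TLS behaviour of the whole JVM.  When the application also talks to other HTTPS endpoints, or must not present its client certificate to them, the same four inputs can be wired into an explicit SSLContext that is applied only to the connection that needs it.  The class below is an added example, not code from the original page or from ISDA; it assumes both stores are JKS files produced by the procedure above, that the private key's password is the keystore password (which is what the PKCS12Import step sets), and that the passwords are supplied through environment variables named APP_KEYSTORE_PASSWORD and SERVER_TRUSTSTORE_PASSWORD (names chosen for this example).

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original page): the four inputs of the System.setProperty()
 * lines, wired into an explicit SSLContext so that only the connections the application
 * chooses present the client certificate and use the restricted trust store.
 */
public final class ClientCertContext {

    /** Loads a JKS file. Assumption: both stores were built as JKS by the page's procedure. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds an SSLContext that presents the application certificate from the keystore and
     * trusts only the CA certificates in the server trust store (mitca and mitClient).
     * Assumption: the private key is protected by the same password as the keystore.
     */
    static SSLContext build(String keyStoreFile, char[] keyStorePassword,
                            String serverTrustStoreFile, char[] serverTrustStorePassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(keyStoreFile, keyStorePassword), keyStorePassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(serverTrustStoreFile, serverTrustStorePassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);   // null: default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ClientCertContext foo.jks serverTrustStore.jks https://service/endpoint");
            System.exit(2);
        }
        // Passwords come from the environment so they sit neither in source nor in JVM system
        // properties; the two variable names are assumptions made for this example.
        char[] keyStorePassword = System.getenv("APP_KEYSTORE_PASSWORD").toCharArray();
        char[] trustStorePassword = System.getenv("SERVER_TRUSTSTORE_PASSWORD").toCharArray();
        SSLContext ctx = build(args[0], keyStorePassword, args[1], trustStorePassword);

        // Apply the context to this one connection; every other HTTPS connection in the JVM
        // keeps the default trust store and presents no client certificate.
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[2]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[2]);
    }
}
```

HttpsURLConnection still performs hostname verification against the server certificate, so the trust store limits which CAs are accepted without weakening the check that the certificate belongs to the host you connected to.  Hold the SSLContext for the lifetime of the application rather than rebuilding it per request; the keystore file is read only when it is built.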