
Using Application Client Certificates

INDEX:

1.   Acquiring an Application Client Certificate
     a.   Generate an rsa key
     b.   Generate a request for a certificate
          Where to send the certificate request
          Obtaining the mitClient.crt
2.   Creating a java keystore containing an Application Client Certificate
3.   Creating a server trust store for use with an application
     Obtaining the mitca.crt
     Obtaining the mitClient.crt
4.   Using the keystore in an application

This document addresses only how to acquire an application client certificate and how to create a Java keystore that can be used by an application.  This is not a document on how to use SSL.
1.  Acquiring an Application Client Certificate

a.  Generate an rsa key

For UNIX or LINUX systems:
On the system you want the certificate for:
1.  Create a directory which will be used for generating the certificate request.
2.  cd to the newly created directory.
3.  Now generate some random data to seed the key generator with the following command lines:
ps > foo
ps -elf  >>  foo
4.  Execute the following command:
openssl genrsa -rand foo 1024  >  [appname]-key.pem
where [appname] matches the name the final certificate will apply to, e.g. for "foo.app.mit.edu" you would name this file foo-key.pem.

For WINDOWS systems:
Generate an rsa key:
1.  Create a directory which will be used for generating the certificate request.
2.  cd to the newly created directory.
3.  Execute the following command:
openssl genrsa 1024  >  [appname]-key.pem
where [appname] matches the name the final certificate will apply to, e.g. for "foo.app.mit.edu" you would name this file foo-key.pem.

b.  Generate a request for a certificate

To generate a request for a certificate, execute the following command line:
openssl req -key [appname]-key.pem -new  > [appname]-req.pem
where [appname] is as in a) above.
When prompted for input, use these answers (or accept the default answers for everything except Common Name and challenge password):
Country Name (2 letter code): US
State or Province Name (full name): Massachusetts
Locality Name (eg, city): Cambridge
Organization Name (eg, company): Massachusetts Institute of Technology
Organizational Unit Name (eg, section): your department (e.g. Information Services & Technology)
Common Name (eg, YOUR name): [appname].app.mit.edu (the name of the application certificate)
Email Address: a valid email address.  This address will receive certificate renewal notices.
A challenge password: anything you choose (keep a record of it)
An optional company name: (no entry required)

Where to send the certificate request
The file [appname]-req.pem contains the information for your certificate.  Cut and paste the contents of this file into an email and send it to mitcert@mit.edu.  When you paste the contents of the req.pem file into the email, be sure to include the BEGIN and END lines.
The Subject line of the email should read: Request for an Application Client Certificate.
Also include in the body of the email a short line stating that you are requesting an Application Client Certificate.  Stating that you want an Application Client Certificate is important; if you do not, you may be sent a server certificate, which will not work.
2.  Creating a java keystore containing an Application Client Certificate

After a few days, you will receive an email that has your Application Client Certificate as an attachment.  Save the Application Client Certificate to the directory you created in 1a above.  You can change the name of the certificate file to something that is meaningful to you.  In this document, the Application Client Certificate is assumed to be saved as [appname]-Certificate.pem, where [appname] is as in a) above.
View the Application Client Certificate to verify that you have the correct certificate.  To view the certificate, execute the following command line:
openssl x509 -in [appname]-Certificate.pem -text
Find the line that says: Netscape Cert Type.  The line immediately following it should say: SSL Client, SSL Server, S/MIME, Object Signing.  If this is not the case, you have the wrong type of certificate.
Also verify that the issuer of the certificate is the MIT client certificate authority by finding the following line:
Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA V1
Also verify that the certificate is for your application by finding your application certificate name in the certificate's Subject: line.  It will be the CN entry and will be of the form <applicationName>.app.mit.edu.
Finally, verify the certificate's activation and expiration dates by looking at the two lines (Not Before and Not After) following Validity.
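As an added example (not part of the original page), the following POSIX shell function automates the four checks just described on the output of openssl x509 -text; the function name check_cert_text and the sample dump it runs against are ours, and the sample is constructed, not a real MIT certificate.

```shell
#!/bin/sh
# Added example (not from the original page): runs the four manual checks above
# over the text dump of a received certificate.  Usage:
#   openssl x509 -in foo-Certificate.pem -noout -text | check_cert_text foo.app.mit.edu
# Prints one OK line and returns 0, or lists the failures and returns 1.
check_cert_text() {
    expected_cn="$1"
    text=$(cat)                       # the whole -text dump, read from stdin
    failures=""
    # 1. The line after "Netscape Cert Type:" must list SSL Client.
    nstype=$(printf '%s\n' "$text" | awk '/Netscape Cert Type:/ { getline; sub(/^ +/, ""); print; exit }')
    case "$nstype" in
        *"SSL Client"*) ;;
        *) failures="$failures; wrong certificate type (${nstype:-no Netscape Cert Type})" ;;
    esac
    # 2. Issuer must be the MIT client CA; "OU=" and "OU = " spacing both accepted.
    printf '%s\n' "$text" | grep -q 'Issuer:.*OU *= *Client CA V1' \
        || failures="$failures; issuer is not the MIT Client CA V1"
    # 3. Subject CN must be exactly the application name that was requested.
    cn=$(printf '%s\n' "$text" | sed -n 's|^ *Subject:.*CN *= *\([^,/]*\).*|\1|p')
    [ "$cn" = "$expected_cn" ] \
        || failures="$failures; subject CN is '${cn:-missing}', expected '$expected_cn'"
    # 4. Both validity lines must be present so the dates can be reported.
    notbefore=$(printf '%s\n' "$text" | sed -n 's/^ *Not Before: *//p')
    notafter=$(printf '%s\n' "$text" | sed -n 's/^ *Not After *: *//p')
    [ -n "$notbefore" ] && [ -n "$notafter" ] \
        || failures="$failures; validity period missing"
    if [ -n "$failures" ]; then
        printf 'FAIL %s\n' "${failures#; }" >&2
        return 1
    fi
    printf 'OK CN=%s valid from %s until %s\n' "$cn" "$notbefore" "$notafter"
}

# Constructed sample in the shape "openssl x509 -text" prints; not a real MIT certificate.
SAMPLE_GOOD='Certificate:
        Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA V1
        Validity
            Not Before: Jan  8 00:00:00 2007 GMT
            Not After : Jan  8 23:59:59 2008 GMT
        Subject: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, CN=foo.app.mit.edu/emailAddress=foo-admin@example.com
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, SSL Server, S/MIME, Object Signing'
# The same dump altered into a server certificate from another CA: the checks must reject it.
SAMPLE_SERVER=$(printf '%s\n' "$SAMPLE_GOOD" | sed -e 's/SSL Client, //' -e 's/Client CA V1/Server CA V1/')

printf '%s\n' "$SAMPLE_GOOD" | check_cert_text foo.app.mit.edu
```

The function only reports the validity dates; whether the certificate is still within them is left to the operator, exactly as in the manual check.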
Obtaining the mitClient.crt
The Application Client Certificate must be converted from x509v3 format to pkcs12 format.  To do this, obtain mitClient.crt (the MIT Client CA V1 certificate, i.e. the CA's public key) and place it in the directory you created in 1a.  You can get mitClient.crt by going to http://ca.mit.edu/mitClient.crt and saving the certificate to your working directory as mitClient.crt.
To convert the Application Client Certificate to pkcs12 format, execute the following command line:
openssl pkcs12 -in [appname]-Certificate.pem -inkey [appname]-key.pem -export -out [appname]-Certificate.p12 -nodes -CAfile mitClient.crt
[appname]-Certificate.p12 now contains the new application client certificate.  This certificate must now be imported into a java keystore.  To do this, obtain a copy of PKCS12Import.jar and place it in your working directory.  Execute the following command line:
java -jar PKCS12Import.jar [appname]-Certificate.p12 [appname].jks changeit
The keystore password will be set to changeit.
For example, if your certificate name is foo.app.mit.edu, the command line would be:
java -jar PKCS12Import.jar foo-Certificate.p12 foo.jks changeit
Verify that the keystore was created successfully by executing the following command line:
keytool -list -keystore [appname].jks
If everything is correct, something similar to the following lines should be displayed.  (The keystore password is changeit.)
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
[appname]-Certificate.p12, Jan 8, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 66:C1:4E:0D:B1:59:FB:4C:99:E8:1A:49:7D:F6:EF:32
The [appname].jks keystore can now be used by your application as a Java keystore.
NOTE:  the keystore that you have created must contain only 1 certificate.
3.  Creating a server trust store for use with an application

You will need to obtain the mitca certificate and the mitClient certificate.
Obtaining the mitca.crt
For the mitca certificate, go to http://ca.mit.edu/mitca.crt, download and save the certificate.
Obtaining the mitClient.crt
For the mitClient certificate, go to http://ca.mit.edu/mitClient.crt, download and save the certificate.
To create the server trust store, use the following command lines:
keytool -import -keystore serverTrustStore.jks -alias mitca -file mitca.crt
keytool -import -keystore serverTrustStore.jks -alias mitClient -file mitClient.crt
When prompted for a password, use changeit.  Answer yes when prompted with Trust this certificate? [no]:
serverTrustStore.jks should now contain only the mitca and mitClient certificates.  You can verify this by using the following command line:
keytool -list -keystore serverTrustStore.jks
You should get something similar to:
Your keystore contains 2 entries
mitclient, Sep 20, 2007, trustedCertEntry,
Certificate fingerprint (MD5): CF:41:AB:E1:03:6D:F8:21:37:55:62:C1:EF:18:71:96
mitca, Sep 20, 2007, trustedCertEntry,
Certificate fingerprint (MD5): F6:F0:04:3B:10:F9:5C:CE:0B:9E:0C:A0:DA:36:93:2A
4.  Using the keystore in an application

To use the application certificate keystore (created in section 2) in an application, add the following 4 lines of java code somewhere prior to making the first call to the web service:
System.setProperty("javax.net.ssl.keyStore", KeyStoreFile);
System.setProperty("javax.net.ssl.keyStorePassword", KeyStorePassword);
System.setProperty("javax.net.ssl.trustStore", ServerTrustStoreFile);
System.setProperty("javax.net.ssl.trustStorePassword", ServerTrustStorePassword);
o   KeyStoreFile is a string containing the path to and filename of the application certificate keystore file.
o   KeyStorePassword is a string containing the application certificate keystore's password.
o   ServerTrustStoreFile is a string containing the path to and filename of the server trust store file.
o   ServerTrustStorePassword is a string containing the server trust store password.
If the application certificate is going to be used with an ISDA web service, the application certificate's CN must be entered into the web service access control list.  Contact ISDA operations for further instruction.