
Acquiring and Using Application Certificates

INDEX:

1. Acquiring an Application Certificate
   a. Generate an rsa key
   b. Generate a request for a certificate
      Where to send the certificate request
      Obtaining the mitClient.cer
2. Creating a java keystore containing an Application Certificate
3. Creating a server trust store for use with an application
   Obtaining the mitca.cer
4. Using the keystore with an application

This document addresses only how to acquire an application certificate and how to create a Java keystore that can be used by an application. This is not a document on how to use SSL.
1. Acquiring an Application Certificate

a. Generate an rsa key

For UNIX or LINUX systems:

On the system you want the certificate for:

1. Create a directory which will be used for generating the certificate request.
2. cd to the newly created directory.
3. Now generate some random seed data by running the following commands:

   ps > foo
   ps -elf >> foo

4. Execute the following command:

   openssl genrsa -rand foo 1024 > [appname]-key.pem

where [appname] matches the name the final certificate will apply to, i.e. for "foo.app.mit.edu" you would name this file foo-key.pem.
For WINDOWS systems:

Generate an rsa key:

1. Create a directory which will be used for generating the certificate request.
2. cd to the newly created directory.
3. Execute the following command:

   openssl genrsa 1024 > [appname]-key.pem

where [appname] matches the name the final certificate will apply to, i.e. for "foo.app.mit.edu" you would name this file foo-key.pem.

b. Generate a request for a certificate

To generate a request for a certificate, execute the following command line:

   openssl req -key [appname]-key.pem -new > [appname]-req.pem

where [appname] is as in a) above.

When prompted for input, use these answers (or use the default answers for all but Common Name and challenge password):

   Country Name (2 letter code): US
   State or Province Name (full name): Massachusetts
   Locality Name (eg, city): Cambridge
   Organization Name (eg, company): Massachusetts Institute of Technology
   Organizational Unit Name (eg, section): (e.g. Information Services & Technology)
   Common Name (eg, YOUR name): [appname].app.mit.edu (the name of the application certificate)
   Email Address: enter a valid email address. This email address will receive certificate renewal notices.
   A challenge password: (anything you choose - keep a record)
   An optional company name: (no entry required)

The file [appname]-req.pem contains the information for your certificate. Cut and paste the contents of this file into an email and send it to mitcert@mit.edu. When you paste the contents of the req.pem file into the email, be sure to include the BEGIN and END lines.

The Subject line of the email should read: Request for an Application Certificate.

Also include in the body of the email a short line stating that you are requesting an Application Certificate. Stating that you want an Application Certificate is important. If you do not do this, you may be sent a server certificate, which will not work.
2. Creating a java keystore containing an Application Certificate

After a few days, you will receive an email that has your Application Certificate as an attachment. Save the Application Certificate to the directory you created in 1a above. You can change the name of the certificate file to something that is meaningful to you. In this document, the Application Certificate is assumed to be saved as [appname].pem, where [appname] is as in section 1 above.

View the Application Certificate to verify that you have the correct certificate. To view the certificate, execute the following command line:

   openssl x509 -in [appname].pem -text

Find the line that says: Netscape Cert Type. The line immediately following it should say: SSL Client, SSL Server, S/MIME, Object Signing. If this is not the case, then you have the wrong type of certificate.

Also verify that the issuer of the certificate is the MIT client certificate authority by finding the following line:

   Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=Client CA V1

Also verify that the certificate is for your machine by finding your application certificate name in the certificate's Subject: line. It will be the CN entry and will be of the form <applicationName>.app.mit.edu

Finally, verify the certificate's activation and expiration dates by looking at the two lines following Validity.
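The four checks above can be scripted so that a wrong certificate type or a mismatched CN is caught before anything is imported into a keystore. This is an added example, not part of the original page: it assumes openssl is on PATH and that the certificate is a PEM file; the function name check_app_cert and its PASS/FAIL output are my own, and the EXPECTED_* values mirror the Issuer and Netscape Cert Type lines quoted above.

```shell
#!/bin/sh
# Added example (not from the original page): scripts the manual checks from
# section 2 on the certificate returned by mitcert@mit.edu.
# Assumes openssl is on PATH and the certificate is PEM, as on the page.
EXPECTED_ISSUER='C=US,ST=Massachusetts,O=Massachusetts Institute of Technology,OU=Client CA V1'
EXPECTED_NSTYPE='SSL Client, SSL Server, S/MIME, Object Signing'

# usage: check_app_cert [appname].pem [appname]
# Prints one PASS/FAIL line per check. Returns 0 only when every check passes,
# 1 on any failed check, 2 if the file does not parse as an X.509 certificate.
check_app_cert() {
    cert=$1; appname=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # sep_comma_plus prints the DN as C=..,ST=..,O=..,OU=.. in every OpenSSL
    # version, so the comparison does not depend on -text layout.
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt sep_comma_plus | sed 's/^issuer= *//')
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_comma_plus | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    # The value sits on the line after "Netscape Cert Type:" in the -text dump.
    nstype=$(printf '%s\n' "$text" | sed -n '/Netscape Cert Type/{n;s/^ *//;s/ *$//;p;}')

    if [ "$issuer" = "$EXPECTED_ISSUER" ]; then echo "PASS issuer is MIT Client CA V1"
    else echo "FAIL issuer is '$issuer'"; rc=1; fi

    if [ "$cn" = "$appname.app.mit.edu" ]; then echo "PASS subject CN is $cn"
    else echo "FAIL subject CN is '$cn', expected $appname.app.mit.edu"; rc=1; fi

    # A server certificate (the wrong type the page warns about) shows only
    # "SSL Server" here, so it fails this check.
    if [ "$nstype" = "$EXPECTED_NSTYPE" ]; then echo "PASS Netscape Cert Type: $nstype"
    else echo "FAIL Netscape Cert Type is '$nstype'"; rc=1; fi

    # -checkend 0 succeeds only while the certificate is inside its validity period.
    enddate=$(openssl x509 -in "$cert" -noout -enddate)
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then echo "PASS not expired ($enddate)"
    else echo "FAIL expired ($enddate)"; rc=1; fi

    return $rc
}
```

Run it as check_app_cert foo.pem foo and import the certificate only when the exit status is 0.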
a) The Application Certificate must be converted from x509v3 format to pkcs12 format. To do this, obtain the mitClient.cer (this is the MIT client CA V1 public key) and place it in the directory you created in 1a. You can get the mitClient.cer by going to http://ca.mit.edu/mitClient.crt and saving the certificate to your working directory as mitClient.cer.

To convert the Application Certificate to pkcs12 format, execute the following command line:

   openssl pkcs12 -in [appname].pem -inkey [appname]-key.pem -export -out [appname].p12 -nodes -CAfile mitClient.cer

When prompted for a password, use a password that is well known to you. Don't forget this password because you will need it when configuring an application to use this keystore.

b) [appname].p12 now contains the new application certificate. This certificate must now be imported into a java keystore. To do this, execute the following command line:

   keytool -importkeystore -srckeystore [appname].p12 -destkeystore [appname].jks -srcstoretype pkcs12 -deststoretype jks

When prompted for a password, use a password that is well known to you. Don't forget this password because you will need it when configuring an application to use this keystore.

For example: if your application certificate name is foo.app.mit.edu, the command line would be:

   keytool -importkeystore -srckeystore foo.app.mit.edu.p12 -destkeystore foo.app.mit.edu.jks -srcstoretype pkcs12 -deststoretype jks

c) Change the alias of the certificate stored in the jks by executing the following command line:

   keytool -changealias -keystore [appname].jks -alias 1 -destalias [appname]

For example: if your application certificate name is foo.app.mit.edu, the command line would be:

   keytool -changealias -keystore foo.app.mit.edu.jks -alias 1 -destalias foo.app.mit.edu

d) Verify that the keystore was created successfully by executing the following command line:

   keytool -list -keystore [appname].jks

If everything is correct, something similar to the following should be displayed:

   Keystore type: JKS
   Keystore provider: SUN

   Your keystore contains 1 entry

   [appname].p12, Jan 8, 2007, PrivateKeyEntry,
   Certificate fingerprint (MD5): 66:C1:4E:0D:B1:59:FB:4C:99:E8:1A:49:7D:F6:EF:32

The [appname].jks keystore can now be used by your application as a Java keystore.

NOTE: the keystore that you have created must contain only 1 certificate.
3. Creating a server trust store for use with an application

You will need to obtain an mitca certificate.

For the mitca.cer certificate, go to http://ca.mit.edu/mitca.crt, download and save the certificate.

To create the server trust store, use the following command line:

   keytool -import -keystore serverTrustStore.jks -alias mitca -file mitca.cer

When prompted for a password, use a password that is well known to you. Don't forget this password because you will need it when configuring an application to use this keystore.

Answer yes when prompted with: Trust this certificate? [no]:

The serverTrustStore.jks should now contain only the mitca certificate. You can verify this by using the following command line:

   keytool -list -keystore serverTrustStore.jks

and you should get something similar to:

   Your keystore contains 1 entry

   mitclient, Sep 20, 2007, trustedCertEntry,
   Certificate fingerprint (MD5): CF:41:AB:E1:03:6D:F8:21:37:55:62:C1:EF:18:71:96
   mitca, Sep 20, 2007, trustedCertEntry,
   Certificate fingerprint (MD5): F6:F0:04:3B:10:F9:5C:CE:0B:9E:0C:A0:DA:36:93:2A
4. Using the keystores with an application

To use the application certificate keystore and the serverTrustStore keystore (created in the above sections) with a web application, add the following 4 lines of Java code somewhere prior to making the first call to the web application:

   // Point the JVM's default SSL context at the application keystore and the server trust store.
   System.setProperty("javax.net.ssl.keyStore", keyStoreFile);
   System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
   System.setProperty("javax.net.ssl.trustStore", serverTrustStoreFile);
   System.setProperty("javax.net.ssl.trustStorePassword", serverTrustStorePassword);

   o  keyStoreFile is a String containing the path to and filename of the application certificate keystore file.
   o  keyStorePassword is a String containing the application certificate keystore's password.
   o  serverTrustStoreFile is a String containing the path to and filename of the server trust store file.
   o  serverTrustStorePassword is a String containing the server trust store password.

If the application certificate is going to be used with an ISDA web service, the application certificate's CN must be entered into the web service access control list. Email the ISDA application administrators at map-support@mit.edu. In the body of your email, give the CN of the application certificate, the web services for which you are requesting activation, and the servers that you want access to (production or staging servers).

