In this post, I would like to document my learnings about what is SSL, how it works and how to create a SSL certificate?
What is SSL/TLS ?
I was recently assigned a task to setup an SSL certificate for our application which was developed using Spring boot and running on an embedded tomcat server. I had no idea how SSL/TLS works before apart from the information that it is a protocol to securely transmit data over the internet between two systems.
SSL ( Secure Sockets Layer) is a technology which makes sure that the internet communication between two systems is secure and it makes sure the information transmitted is not accessible to any other third party. The infromation transmitted is encrypted using different encryption algorithms, hence making it hard for the other users(hackers) to read / modify it.
SSL is actually a pretty old technology, which was developed by Netscape in 1993 and which lasted very long time until the Poodle attack, after that it was succeded by another protocol called TLS ( Transport Layer Security). SSL is actually an old and out-dated protocol which is no longer used, but people usually use the term SSL and TLS interchangebly.
How SSL/TLS works ?
When a client like a web-browser wants to communicate with a web-server over HTTPS, they begin the communication with something called as a TLS handshake. The process is as follows:
- The web-browser first starts the communication with the webserver and asks to identify itself.
- The webserver, recieves the requests and sends a copy of the SSL certificate to the client.
- The client( browser) checks the certificate received from the server and validates whether it is coming from a trusted party or not, and sends a message to the server if it is valid, if the certificate is not valid, then the communication is terminated.
- The server then sends a digitally signed acknowledgement to the browser to start the SSL session and encrypted data is shared between browser and the server.
How to create SSL certificates?
So we looked at how the browser communicates with the server over HTTPS, now lets have a look on how to actually create the SSL certificates.
NOTE: This tutorial creates the SSL certificates which are used as a Java keystore.
To create a SSL certificate we must first generate something called as a CSR( Certificate Signing Request) File and send it to a Certificate Authority (CA) which is a central authoritiy which is responsible for creating the digital certificates, there are multiple vendors who can generate digital certificates.
While generating the CSR we usually also generate a private key, which is used as a key-pair. We need not give the private key to the Certificate Authority(CA) to generate the certificate, but the certificate created with one CSR will only work with private key created with the CSR.
To create the CSR, type the following command:
openssl req -new -days 730 -nodes -newkey rsa:4096 -sha256 -keyout
<key-name>.key -out <csr-name>.csr -subj
The CSR requires information like, the geographical details eg: Country, State, Location.
the details of your organization eg: Organization name, Organizational Unit Name, and lastly your domain name or Comman Name (CN).
In the above command for example ,you can replace the above variables with the following:
C (Country) – Switzerland
ST(State) – Bern
L(Location) – Ittigen
O(Organization) – ABC AG
OU(Organization Unit) – ABC
CN(Common Name) – mydomain.com
Once you enter the above information, it generates a .key file which is our private key and a .csr file which is our CSR. Make sure to not loose your .key file as this is needed to generate the keystore.
If you are inside an organization and want to create a SSL certificate, you will get an internal certificate, without going directly to the CA and getting the certificate from them.
Once you have the certificate, you have to create a keystore using the digital certificate you have ordered (usually in .crt format), the private key and the Root Certificate. A root certificate is a public key certificate which is issued by a Trusted CA, which will make sure that the identity of the certificate is trustworthy. Whenever a browser access the certificate and validates it, it first checks whether its Root CA is actually one of the many trusted CA’s it has or not. This will help in building a Chain of Trust, which makes sure that the certificate is trustworthy. Once you have the Root Certificate, make sure it is in .pem format, if it is anyother format eg: .cer, type the following command to change it to .pem format.
openssl x509 -inform DER -in <your-old-root-certificate-name>.cer -out
So once you have all the three files ( the digital certificate, the private key and the Root Certificate) we can create the keystore by using the following command:
openssl pkcs12 -export -out <keystore-name>.pkcs12 -inkey
<your-private-key>.key -in <your-certificate>.crt -certfile
The above command will create a keystore with .pkcs12 format, if you want you can change it to a jks format keystore by using the following command:
keytool -v -importkeystore -srckeystore <src-keystore>.pkcs12 -srcstoretype
PKCS12 -destkeystore <des-keystore-name>.jks -deststoretype JKS
keytool -importkeystore -srckeystore <keystore-name>.jks -destkeystore
<keystore-name>.jks -deststoretype pkcs12
Now you should have your keystore in the .jks format. If you are using a java web application, specifically a Spring Boot application, you can follow this excellent tutorial on how to install this keystore.
P.S. After you install the certificate and start up the webapplication, if you see Chrome or any of your favourite web browser, complaining that the Certificate is not trustworthy, like the message in the below screenshot:
This usually means that the browser wont trust the host i.e. it donot fulfil the Chain of Trust, it needs to know that the certificate is coming from a trusted Root CA. This usually happens if you create the keystore WITHOUT including the Root Certificate, so be cautious about it.