how to make web application accessible from https in java [closed] - java

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
I want to make a web application accessible over https in Java. I am a newbie in this field. I have read on some blog that it can be done by producing some sort of certificate for identity. Is there any site providing free certificates? Can I have any blog or site to refer to?
thanks

You need an SSL certificate approved by a CA (certificate authority) so your clients will not get a warning in their browsers when they use your webapp. For such a certificate to be obtained, you generally have to pay some money to the CA. However, for testing purposes you can use a self-signed certificate.
You can generate a self-signed certificate and put it on your server. Later you can replace it with a real certificate. If you already have the real certificate, just skip to step 2 of my answer. The methods for generating a self-signed certificate differ, but basically you have to do the following (abstraction):
1. Generate a self-signed certificate:
You can use numerous tools and programs for that, but somehow I find the most popular ways to generate a self-signed certificate are:
a) java's keytool - http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
b) openssl - http://www.sslshopper.com/article-most-common-openssl-commands.html
Both methods are absolutely equivalent, and it is a matter of preference which one you use (I use openssl).
2. Put this certificate in your servlet container/application server.
There are many servlet containers and application servers and the instructions for putting the certificate there vary even between different versions of the servers/containers and chosen configuration. Below I will list the ones I believe are most popular with youth nowadays...
a) tomcat 7 - http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
b) glassfish - http://artur.ejsmont.org/blog/content/how-to-generate-self-signed-ssl-certificate-for-glassfish-v3-and-import-it-into-java-keyring
c) jbossWeb (Servlet Container) - http://docs.jboss.org/jbossweb/3.0.x/ssl-howto.html

You will need an SSL certificate to serve an SSL application. The issue with an SSL certificate is that it needs to be trusted by the browser, so if you are having people use the application you need to get a real SSL certificate from a certificate provider, like GoDaddy or many others. For testing purposes you can make a "self-signed" certificate which can be used, but the client using the browser will get warnings indicating problems with the certificate.
There is no way to get a real SSL certificate for free.
I trust from this answer you can make the appropriate Google queries to get you on your way.

I realise this is a very old thread, but nowadays you can get free certificates from a CA (Certificate Authority) called Let's Encrypt. Obtaining a certificate is quite easy using Certbot, an ACME (Automatic Certificate Management Environment) protocol client: https://certbot.eff.org/. The client requires root access on your server.
1) Install Certbot using the certbot-auto script
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
2) Fetch a license using either the standalone plugin or the webroot plugin. Standalone opens a small server on port 80 or 443, so either port must be free. Webroot uses an existing running server. With standalone, run the command
certbot-auto certonly --standalone --standalone-supported-challenges http-01 -d yourdomain.com
With both the webroot plugin and the standalone plugin, the certonly option makes certbot fetch a certificate and store it in /etc/letsencrypt/live/.
3) Certificates from Let's Encrypt are short-lived (only 90 days), so remember to renew them:
certbot-auto renew
4) After you have your certificate, you need to convert it to PKCS12 format and store it in a Java keystore.
openssl pkcs12 -export -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem -inkey /etc/letsencrypt/live/yourdomain.com/privkey.pem -out /etc/letsencrypt/live/yourdomain.com/pkcs.p12 -name mytlskeyalias -passout pass:mykeypassword
keytool -keystore /path/to/my/keystore -delete -alias mytlskeyalias -storepass mystorepassword
keytool -importkeystore -deststorepass mystorepassword -destkeypass mykeypassword -destkeystore /path/to/my/keystore -srckeystore /etc/letsencrypt/live/yourdomain.com/pkcs.p12 -srcstoretype PKCS12 -srcstorepass mykeypassword -alias mytlskeyalias
All steps are described in more detail at https://vaadin.com/blog/-/blogs/enabling-https-in-your-java-server-using-a-free-certificate
Then follow Nikola Yovchev's links for specific Servlet Containers to enable SSL/TLS.
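Added example (not part of any answer above): once step 4 has produced the PKCS12 file, this Java program loads it, refuses to start if the alias is missing or the certificate is outside its validity period, warns when fewer than 30 days remain (Let's Encrypt certificates live 90 days, so this is the reminder to run the renew step and re-import), and then serves HTTPS with the JDK's built-in HttpsServer. The path, alias and password are the ones used in step 4 and are assumptions; the 30-day threshold and port 8443 are my choices.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class Pkcs12HttpsServer {

    // Assumed values: path, alias and password as produced by the openssl pkcs12 step above.
    static final String KEYSTORE_PATH = "/etc/letsencrypt/live/yourdomain.com/pkcs.p12";
    static final String ALIAS = "mytlskeyalias";
    static final char[] PASSWORD = "mykeypassword".toCharArray();
    static final int RENEW_WARNING_DAYS = 30; // my choice; Let's Encrypt certificates expire after 90 days

    /** Loads the PKCS12 file produced by openssl into a Java KeyStore object. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Days until the leaf certificate under the alias expires; fails fast if the alias or validity is wrong. */
    static long daysUntilExpiry(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private key entry under alias '" + alias + "'");
        }
        X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
        leaf.checkValidity(); // throws if expired or not yet valid
        return Duration.between(Instant.now(), leaf.getNotAfter().toInstant()).toDays();
    }

    /** Server-side SSLContext: the key manager presents the certificate chain from the keystore. */
    static SSLContext buildServerContext(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyStore(KEYSTORE_PATH, PASSWORD);
        long daysLeft = daysUntilExpiry(ks, ALIAS);
        if (daysLeft < RENEW_WARNING_DAYS) {
            System.err.println("WARNING: certificate expires in " + daysLeft
                    + " days; run 'certbot-auto renew' and re-import the PKCS12 file");
        }
        SSLContext ctx = buildServerContext(ks, PASSWORD);
        HttpsServer server = HttpsServer.create(new InetSocketAddress(8443), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx));
        server.createContext("/", exchange -> {
            byte[] body = "hello over TLS\n".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });
        server.start();
        System.out.println("listening on https://localhost:8443/ with " + daysLeft + " days of certificate validity left");
    }
}
```

The same loadKeyStore/buildServerContext pair is what a servlet container does internally when you point it at the keystore; running this check at startup (or from a cron job) is the cheapest way to notice that the 90-day renewal was fetched by certbot but never re-imported into the Java keystore.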

Related

Multiple certificates in keystore for Mysql SSL Client authentication and JMX over SSL setup

My Java application needs to authenticate to a Google Cloud MySQL instance with SSL client authentication. Its client key and certificate are provided by Google. I also need to set up a JMX agent with SSL on the same application, whose certificates are provided by a private CA.
How do I prevent MySQL from presenting the JMX certificate, and vice versa, if I add both private certificates into a single keystore provided to the JVM at startup?
Is there any other way to authenticate SSL certificates with MySQL besides putting them in 'javax.net.ssl.keyStore'? If not, are there any aliases that MySQL or the JMX agent prefer over other names?
You can look at using the Cloud SQL MySQL socket factory which uses temporary SSL certificates to authenticate to Cloud SQL (only supported for Second Generation instances):
https://github.com/GoogleCloudPlatform/cloud-sql-mysql-socket-factory
MySQL Connecting Securely Using SSL
For SSL support to work, you must have the following:
A JDK that includes JSSE (Java Secure Sockets Extension), like JDK-1.4.1 or newer. SSL does not currently work with a JDK that you can add JSSE to, like JDK-1.2.x or JDK-1.3.x due to the following JSSE bug: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=4273544
A MySQL server that supports SSL and has been compiled and configured to do so, which is MySQL 4.0.4 or later. For more information, see Building MySQL with Support for Secure Connections.
A client certificate (covered in this section)
How to work with multiple keystores?
The test certificates reside in keystores named node1.keystore … node100.keystore, which were created following the steps described in Creating Self-Signed Test Certificates.
1. Export the test certificate for node1.example.com:
keytool -exportcert -keystore node1.keystore -alias node1 -storepass changeme -file node1.cer
2. Import the test certificate into the custom truststore:
keytool -importcert -keystore custom.truststore -alias node1 -storepass trustchangeme -file node1.cer -noprompt
Here we specify the -noprompt option to suppress the prompt asking you to confirm that the certificate is trustworthy. Since you created the certificate yourself, this confirmation is unnecessary.
3. Repeat Steps 1 and 2 for node2.keystore … node100.keystore.
Resource Link:
Creating Java Keystores and Truststores
Keystore and truststore details:
A keystore is used in one of two distinct ways:
The keystore contains private keys and certificates used by TLS/SSL servers to authenticate themselves to TLS/SSL clients. By convention, such files are referred to as keystores.
When used as a truststore, the file contains certificates of trusted TLS/SSL servers, or of Certificate Authorities trusted to identify servers. There are no private keys in the truststore.
Because keystores contain private keys, while truststores do not, the security requirements for keystores are more stringent. In particular:
Hadoop TLS/SSL requires that truststores and the truststore password be stored, in plaintext, in a configuration file that is readable by all.
Keystore and key passwords are stored, in plaintext, in a file that is readable only by members of the appropriate group.
These considerations should inform your choice of which keys and certificates to store in the keystores and truststores you will deploy across your cluster.
Keystores should contain a minimal set of keys and certificates. A reasonable strategy would be to create a unique keystore for each host, which would contain only the keys and certificates needed by the Hadoop TLS/SSL services running on the host. In most cases, the keystore would contain a single key/certificate entry.
Modifying Keystores: CDH services and processes must be restarted if changes are made to a keystore. However, this is relatively rare, since keystores do not need to be updated when hosts are added to or deleted from a cluster.
Because truststores do not contain sensitive information, it is reasonable to create a single truststore for an entire cluster. On a production cluster, such a truststore would often contain a single CA certificate (or certificate chain), since you would typically choose to have all certificates issued by a single CA.
Important: Do not use the same password for truststores and keystores/keys.
Since truststore passwords are stored in the clear in files readable by all, doing so would compromise the security of the private keys in the keystore.
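Added example, not from the answer above or from the Cloudera/Hadoop documentation it quotes: the export/import loop for node1.keystore … node100.keystore done with the JDK's KeyStore API instead of keytool, with no intermediate .cer files. It also enforces the two points the keystore/truststore discussion makes: the truststore receives certificate entries only, never a private key, and its password must differ from the keystore password. File names, aliases and the passwords changeme / trustchangeme come from the steps above; the directory argument and the use of the JVM's default keystore type (JDK 9 and later read both JKS and PKCS12 files through it) are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class TruststoreBuilder {

    /** Loads an existing keystore file; assumed readable via the JVM default type (JKS or PKCS12). */
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Equivalent of steps 1-3 above: for nodeN.keystore, copy the certificate under alias nodeN
     * into the truststore. Only the certificate is copied; the private key never leaves its keystore.
     */
    static KeyStore buildTruststore(Path dir, int nodeCount, char[] keystorePass, char[] truststorePass)
            throws Exception {
        if (Arrays.equals(keystorePass, truststorePass)) {
            // truststore passwords sit in world-readable config; sharing them would expose the keystore
            throw new IllegalArgumentException("truststore password must differ from the keystore password");
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, truststorePass); // start from an empty store
        for (int i = 1; i <= nodeCount; i++) {
            String alias = "node" + i;
            KeyStore ks = load(dir.resolve(alias + ".keystore"), keystorePass);
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) {
                throw new IllegalStateException("no certificate under alias " + alias);
            }
            trust.setCertificateEntry(alias, cert);
        }
        return trust;
    }

    /** Aliases that are private-key entries; for a truststore this list must be empty. */
    static List<String> privateKeyAliases(KeyStore store) throws Exception {
        List<String> keys = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias)) {
                keys.add(alias);
            }
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(args.length > 0 ? args[0] : "."); // assumed: directory holding nodeN.keystore
        char[] keystorePass = "changeme".toCharArray();
        char[] truststorePass = "trustchangeme".toCharArray();
        KeyStore trust = buildTruststore(dir, 100, keystorePass, truststorePass);
        List<String> leaked = privateKeyAliases(trust);
        if (!leaked.isEmpty()) {
            throw new IllegalStateException("private keys ended up in the truststore: " + leaked);
        }
        try (OutputStream out = Files.newOutputStream(dir.resolve("custom.truststore"))) {
            trust.store(out, truststorePass);
        }
        System.out.println("custom.truststore written with " + trust.size() + " certificate entries");
    }
}
```

privateKeyAliases is also useful on its own against a truststore you did not build yourself: a truststore that reports any key entry has been mixed up with a keystore and should not be deployed in a world-readable location.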

Java Webstart: howto share certificate with users

I developed an application that uses Java Webstart. It needs write access to the disk so it has to be signed, but it would only be used by a limited group of users so I don't want to pay for a trusted certificate.
What is the easiest option to let the users trust my application/self-signed certificate? I don't want them to use keytool because it is not really user friendly. I thought about creating a certificate that can be imported via the Java Control Panel and first tried creating an importable certificate using the following commands:
keytool -genkeypair -keystore patrickgotthard.jks -alias patrickgotthard
keytool -exportcert -keystore patrickgotthard.jks -alias patrickgotthard -file patrickgotthard.cer
But it is not possible to import the generated .cer file. Then I found Cannot import certificate into java control panel and used the following command:
keytool -genkey -alias patrickgotthard -keystore patrickgotthard.p12 -storetype pkcs12
But as far as I understand, the .p12 file also contains my private key - I don't think that the private key should be shared?! Can you tell me how to create a self signed certificate that can be imported via Java Control Panel but does not contain my private key? Or do you know a better solution for my problem?
In this scenario, it may be sufficient to check the SHA1 fingerprint associated with the self-signed certificate used to sign the JAR:
Sign the JAR with your self-signed certificate.
Use keytool -v -list to determine your certificate's fingerprint.
Communicate the certificate's fingerprint in a mutually agreed way.
Instruct users to add your secure site to the Exception Site List in the Security tab of the Java Control Panel; this allows the user to retain the minimum recommended security level setting, High.
At the security prompt, click on More Information to compare the communicated fingerprint with the one received.
This approach does not confer trust, but it reduces the risk of the user accepting an altered JAR.
Addendum: The article Self-signed certificates for a known community discusses how to export a self-signed certificate. Members of the community can then import the certificate as warranted.
I was developing a Java Web Start app years ago with NetBeans. It did everything for me automatically.
You just have to put permissions tags in the JNLP file.
Also, 6 months later I had problems creating a new self-signed certificate.
But the self-signed app still works (many years later, no modification, no certs to install).
Clients do not have to install any certificates.
It just warns every time it starts that it is signed with a self-signed cert.
Another option is to have this "limited group of users" lower the security level for Java. In Windows, you go to the Control Panel->Java and then one of the tabs is for Security (sorry, on my Mac right now and it is not quite the same). I believe that if you push that security level lower, to Medium, you can get away with the self-signed certificate.

Converting .jks truststores and keystores to ios

I have created a Java web service that is going to communicate with iPads, using Restlet on the server side and communicating over HTTPS with mutual authentication. I have generated two .jks keystores using this guide
http://www.herongyang.com/JDK/ssl_client_auth.html
I have implemented a client for testing purpose in java and everything worked out fine.
I assume that it isn't possible to use the .jks format on iOS, so should I convert the client.jks to a pkcs12 file in order to make it compatible with iOS?
I am having trouble finding information about this.
Thanks!
If I understand your situation correctly, and I may not, you shouldn't need to change the .jks at all. The KeyStore for your application is just a container of certificates used by your system. To achieve certificate integration on iOS you may have to add the client and CA certs to your local system keychain (check out: iOS: Pre install SSL certificate in keychain - programmatically), but the JKS itself should transfer to the other platform with no modifications required.
Also, here is an example of using a keystore on IOS to do apple push notifications. iOS Push Notification - JavaPNS - keystore.p12 file security If you want to do it exactly the same way that this person did (using a local p12 rather than a loaded store) just follow the instructions over here: Converting .jks to p12
For more information about the differences between these files check out: Difference between .keystore file and .jks file
Best of luck with your project.
Converting the .jks to pkcs12 sounds like a good bet. The certificates generated by iOS provisioning portal can be exported (by KeyChain Access) to pkcs12 format, so it's safe to assume this format is compatible with iOS.
You can use keytool to convert your jks to pkcs12. I used it in the opposite direction (converted a pkcs12 file obtained from Apple to jks), and it should work with no problems in your case too.
This command should do the trick :
keytool -importkeystore -srckeystore input.jks -destkeystore output.p12 -srcstoretype JKS -storetype PKCS12

Sending POST request to a server that uses a self signed certificate

I need to send a POST request to a server that uses some levels of security. Unfortunately I don't know much about self signed certificates, I never used or studied it.
In the developer guide of the service it says that the server uses a "public 1024-bit self signed certificate".
What does it mean? Do I have to create a certificate, or do I have to ask for it?
If I have to create a certificate, then how should I use it?
I'm implementing the client in Java.
You need to download the certificate e.g. with your internet browser. Click through the security information and export the certificate.
Then you need to import it into your local java keystore so that the JVM can find it. For import use the keytool which you find in your jre/bin directory. Documentation for the keytool: http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
The default keystore is jre/lib/security/cacerts.
Then you can import the downloaded certificate:
jre/bin/keytool -import -keystore jre/lib/security/cacerts -alias mycertificate -file downloads/mycertificate.cer
Hope this helps.
P.S. Whether it is self-signed or verified is not important at this point. You (your client) just have to trust it.
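Added example, not from the answer above: a Java client that sends the POST while trusting the downloaded certificate from a separate truststore file rather than the JRE-wide cacerts, so the trust decision is scoped to this one client instead of every program run by that JVM installation. The truststore path server-trust.p12 and its password, the alias mycertificate (imported with the same keytool -import command as above, just into the separate file), and the service URL are assumptions; Java 11 or newer is assumed for readAllBytes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTruststorePost {

    // Assumed: a truststore holding only the service's exported certificate, created with
    //   keytool -import -keystore server-trust.p12 -alias mycertificate -file downloads/mycertificate.cer
    static final String TRUSTSTORE_PATH = "server-trust.p12";
    static final char[] TRUSTSTORE_PASS = "trustchangeme".toCharArray();

    /** Client-side SSLContext whose trust manager knows only the certificates in the given truststore. */
    static SSLContext contextTrustingOnly(String truststorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, only a trust decision
        return ctx;
    }

    /** Sends a JSON POST over the pinned context and returns "status body". Hostname verification stays on. */
    static String post(SSLContext ctx, String url, String body) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // affects this connection only, not the JVM default
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/json");
        byte[] payload = body.getBytes(StandardCharsets.UTF_8);
        conn.setFixedLengthStreamingMode(payload.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(payload);
        }
        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (in == null) {
            return status + " (no body)";
        }
        try (in) {
            return status + " " + new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://service.example.com/api"; // assumed endpoint
        SSLContext ctx = contextTrustingOnly(TRUSTSTORE_PATH, TRUSTSTORE_PASS);
        System.out.println(post(ctx, url, "{\"ping\":true}")); // constructed sample request body
    }
}
```

If the connection fails with a hostname mismatch, the self-signed certificate's subject alternative name does not cover the host you are calling; the fix is to get a certificate issued for the right name (or to call the name it was issued for), not to install a permissive HostnameVerifier, because that would let any holder of a trusted certificate impersonate the service.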

Java Sign jars with server certificate

Is it possible to use a server certificate to sign a Java Web Start app? What I want to know is whether it will work. I have a trusted certificate for my server, and I would like to reuse the same certificate to sign an app.
Right now, I have this warning:
This jar contains entries whose signer certificate's ExtendedKeyUsage
extension doesn't allow code signing. This jar contains entries whose
signer certificate's NetscapeCertType extension doesn't allow code
signing.
Will I be able to launch my app without the warning that the certificate is not trusted?
You will get a warning if you don't use a code signing certificate. For most CAs, a code signing cert costs more than the server cert. In my opinion, this is just a marketing scheme to make you pay for another cert. There is no technical difference between the two certs. Some CAs may provide combo deals with usage for both.
I assume you have created the JKS file using the KEY and CRT of your SSL certificate, and hence you get the error.
I have a simple solution here:
As you know you can create a JKS using the following command
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias
and when you use this JKS you get a self-signed certification message, which is absolutely fine to make the app live on the Google Play Store. But buying a code signing certificate is good if you can afford it.
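Added example, not from the answers in either thread: the signer check that the Java Web Start answer describes (compare the signing certificate's fingerprint with the one communicated out of band) together with the ExtendedKeyUsage test behind the jarsigner warning quoted in this question. It opens the JAR with verification on (an entry whose digest does not match its signature throws SecurityException on read), collects the signer certificates, prints SHA-1 and SHA-256 fingerprints in the keytool -v -list format, compares against an expected value in constant time, and reports whether the certificate's EKU permits code signing. The JAR path and expected fingerprint are command-line arguments and assumptions; the NetscapeCertType part of the warning is not reproduced.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {

    static final String CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String ANY_EKU = "2.5.29.37.0";               // anyExtendedKeyUsage

    /** Reads every entry with verification enabled and collects the distinct signer leaf certificates. */
    static Set<X509Certificate> signerCertificates(String jarPath) throws Exception {
        Set<X509Certificate> signers = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory()) {
                    continue;
                }
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // signers are only known after the entry is fully read
                }
                CodeSigner[] cs = e.getCodeSigners(); // null for unsigned entries such as META-INF/MANIFEST.MF
                if (cs == null) {
                    continue;
                }
                for (CodeSigner signer : cs) {
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    signers.add((X509Certificate) leaf);
                }
            }
        }
        return signers;
    }

    /** Colon-separated upper-case hex, the same layout keytool -v -list prints. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Constant-time comparison against the fingerprint the author communicated out of band. */
    static boolean fingerprintMatches(X509Certificate cert, String algorithm, String expectedHex) throws Exception {
        byte[] actual = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        byte[] expected = hexToBytes(expectedHex.replace(":", "").trim());
        return MessageDigest.isEqual(actual, expected);
    }

    /** The EKU condition jarsigner checks: no EKU extension at all, or one listing codeSigning / anyEKU. */
    static boolean allowsCodeSigning(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        return eku == null || eku.contains(CODE_SIGNING_EKU) || eku.contains(ANY_EKU);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: JarSignerCheck app.jar [EXPECTED_SHA256_FINGERPRINT]");
            return;
        }
        Set<X509Certificate> signers = signerCertificates(args[0]);
        if (signers.isEmpty()) {
            System.out.println("JAR is not signed");
            return;
        }
        for (X509Certificate cert : signers) {
            System.out.println("Signer: " + cert.getSubjectX500Principal());
            System.out.println("  SHA1:   " + fingerprint(cert, "SHA-1"));
            System.out.println("  SHA256: " + fingerprint(cert, "SHA-256"));
            if (args.length > 1) {
                System.out.println("  matches expected: " + fingerprintMatches(cert, "SHA-256", args[1]));
            }
            System.out.println("  EKU allows code signing: " + allowsCodeSigning(cert));
        }
    }
}
```

A server (TLS) certificate typically carries an EKU of serverAuth only, so allowsCodeSigning returns false for it, which is exactly the condition that produces the "ExtendedKeyUsage extension doesn't allow code signing" warning; running this against the JKS-signed JAR before publishing tells you whether users will see that warning without waiting for a launch.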
