Velocity Reviews - Computer Hardware Reviews

Signing Certificates

 
 
Tim Wong
      08-23-2005
I'm running a development weblogic server and have set up both the
server Identity and trust keystores. However...I would like to
configure my WL server to (Request and Enforce Client Certificates).

Does anyone know how to use either the SUN keytool or weblogic
utils.CertGen to use a CSR to generate a certificate that a test client
can import into his/her browser?

Thanks...

 
Roedy Green
      08-23-2005
On 23 Aug 2005 11:24:44 -0700, "Tim Wong" <(E-Mail Removed)>
wrote or quoted :

>I'm running a development weblogic server and have setup both the
>server Identity and trust keystores. However...I would like to
>configure my WL server to (Request and Enforce Client Certificates).


This is the first time I have heard of client SSL certs.

What is unusual about your application that requires them?
--
Canadian Mind Products, Roedy Green.
http://mindprod.com
 
Kenneth P. Turvey
      08-24-2005
Roedy Green wrote:

> this is the first time I have heard of client SSL certs.
>
> What is unusual about your application that requires them?


They are for secure authentication. I'm not the OP so I can't answer the
specific question.

--
Kenneth P. Turvey <(E-Mail Removed)>

Currently seeking employment as a Java developer in the St. Louis area.
 
Roedy Green
      08-24-2005
On Wed, 24 Aug 2005 03:33:19 +0000, "Kenneth P. Turvey"
<(E-Mail Removed)> wrote or quoted :

>They are for secure authentication. I'm not the OP so I can't answer the
>specific question.


If that is so, he has to get the clients to generate private keys and
send him the cert requests containing only the private key. He signs
them and sends them back. He is acting like a miniature CA.

If this is for secure authentication, you don't want to be emailing
certs around complete with private and public key.

My experience is with code signing certs, but principles should be the
same.

There is a little information in the book Digital Certificates:
Applied Internet Security at
http://mindprod.com/jgloss/certifica...l#LEARNINGMORE about client
authorisation SSL, and how you can get Verisign to generate test certs
for you.

I don't see any sign of SSL certificate support in JCE either in Sun's
or BouncyCastle. However, there is Diffie Hellman and DES.

Further I don't see anything about keystore support for something that
holds SSL certs.

However, I found some SSL support in
http://jce.iaik.tugraz.at/products/index.php
which is a commercial suite of JCE providers.

Perhaps this is why CAs can get away with charging such outrageous
prices for SSL certs.

--
Canadian Mind Products, Roedy Green.
http://mindprod.com
 
Tim Wong
      08-24-2005
I guess I am using the incorrect terminology.

What I am trying to do is set up Client Authentication via 2-Way SSL on
weblogic.

E.G. - A client hits my webserver https://www.123test.com. The server
presents its cert saying who it is. Afterwards it asks the client for
his/her cert (this is what I was referring to when I said client cert)
in order for this person to access the website. If the client's
certificate (I guess this is a personal certificate in IE when you
click on "Internet Options" -> "Content" -> "Certificates...") was
issued by a CA that is in the Weblogic Server's CA trust
keystore....they should be allowed to access the site.

What I am asking for is if SUN's keytool (or another free app) can
generate both a CA Cert (self signed cert I'm guessing?) and sign
certs based upon the CA cert for a client. I would only be using
these certs for testing.....

Thanks

 
Rogan Dawes
      08-24-2005
Tim Wong wrote:
> I guess I am using the incorrect terminology.
>
> What I am trying to do is setup Client Authentication via 2-Way SSL on
> weblogic.
>
> E.G. - A client hits my webserver https://www.123test.com. The server
> presents it's cert saying who it is. Afterwards it asks the client for
> his/her cert (this is what I was refering to when I said client cert)
> in order for this person to access the website. If the client's
> certificate (I guess this is a personal certificate in IE when you
> click on "Internet Options" -> "Content" -> "Certificates...") was
> issued by a CA that is in the Weblogic Server's CA trust
> keystore....they should be allowed to access the site.
>
> What I am asking for is if SUN's keytool (or another free app) can
> generate both a CA Cert (self signed cert I'm guessing?) and sign
> cert's based upon the CA cert for a client. I would only be using
> these certs for testing.....
>
> Thanks
>


Easiest is probably to use OpenSSL, and one of the "easy CA" tools. e.g.
see FreshMeat

http://freshmeat.net/search/?q=certi...&Go.x=0&Go.y=0

I would suggest 1,2,5,7,10,11,12,13,17 all offer something . . .

Regards,

Rogan
 
Rogan Dawes
      08-24-2005
Roedy Green wrote:
> On 23 Aug 2005 11:24:44 -0700, "Tim Wong" <(E-Mail Removed)>
> wrote or quoted :
>
>
>>I'm running a development weblogic server and have setup both the
>>server Identity and trust keystores. However...I would like to
>>configure my WL server to (Request and Enforce Client Certificates).

>
>
> this is the first time I have heard of client SSL certs.


Client-side certs allow for mutual authentication - i.e. the server
identifies itself to the client, and the client identifies itself to the
server. This is significantly stronger than any username and password
could ever be, simply because of the amount of randomness in the private
key (1024/2048/4096 bits).

WebScarab supports using client side certs for authentication to "highly
secure" web servers. See:

<http://cvs.sourceforge.net/viewcvs.py/owasp/webscarab/src/org/owasp/webscarab/httpclient/URLFetcher.java?rev=1.32&view=markup>

and

<http://cvs.sourceforge.net/viewcvs.py/owasp/webscarab/src/org/owasp/webscarab/httpclient/HTTPClientFactory.java?rev=1.4&view=log>

for references to SSLContext.

Rogan
 
Roedy Green
      08-25-2005
On 24 Aug 2005 07:02:56 -0700, "Tim Wong" <(E-Mail Removed)>
wrote or quoted :

>What I am asking for is if SUN's keytool (or another free app) can
>generate both a CA Cert (self signed cert I'm guessing?) and sign
>cert's based upon the CA cert for a client. I would only be using
>these certs for testing.....


If you plan to get real certs for the clients in the end, it is
probably easiest just to go to the Verisign site and get some free test
client certs. They used to have them in 1999. I have not looked
recently.

As I said earlier I saw no sign of SSL support in free JCE providers,
but there was some in the commercial IAIK provider.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com
 
Dag Sunde
      08-25-2005
"Roedy Green" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On 24 Aug 2005 07:02:56 -0700, "Tim Wong" <(E-Mail Removed)>
> wrote or quoted :
>
>>What I am asking for is if SUN's keytool (or another free app) can
>>generate both a CA Cert (self signed cert I'm guessing?) and sign
>>cert's based upon the CA cert for a client. I would only be using
>>these certs for testing.....

>
> If you plan to get real certs for the clients in the end, it is
> probably easiest just to go the verisign site and get some test free
> client certs. They used to have them in 1999. I have not looked
> recently.
>
> As I said earlier I saw no sign of SSL support in free JCE providers,
> but here was some in the commercial IAIK provider.


Download OpenSSL. The Un*x tool. It can (among other things)
be used to create your CA cert to use for signing your test certs.

If you're on a Un*x box you have it already; if not, download
Cygwin and be sure to check off OpenSSL during the
installation.

See these two pages for step-by-step instructions:
http://eal.us/blog/_archives/2003/6/2/25109.html
http://www.dylanbeattie.net/docs/ope...ssl_howto.html

--
Dag.
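The OpenSSL procedure Dag describes (test CA, sign a client CSR, hand the result to the tester), written out as an added example that is not code from the thread or from the linked how-tos. It assumes a POSIX shell with `openssl` on the PATH; the `$WORK` directory, the subject names, the client name `alice` and the PKCS#12 password are constructed placeholders.

```shell
# Added example, not from the thread: an OpenSSL test CA, one client cert
# signed by it, and a PKCS#12 bundle for browser import. Subject names,
# the "alice" client and the password are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"   # constructed; the browser asks for it on import

# 1. Self-signed test CA: ca.crt goes into the server's trust keystore,
#    ca.key stays with whoever does the signing.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test Client CA/O=Example Test" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Client key pair plus CSR. The CSR carries only the public key, so it
#    can be mailed around; the private key never leaves the client.
make_client_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1/O=Example Test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# 3. The CA signs the CSR, restricting the cert to TLS client authentication.
sign_client_cert() {
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
        > "$WORK/client.ext"
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# 4. Bundle key + cert + CA into the .p12 the browser's certificate dialog imports.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -certfile "$WORK/ca.crt" -name "$1" \
        -passout "pass:$P12_PASS" -out "$WORK/$1.p12"
}

# Same check the server performs: does the client cert chain to ca.crt?
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Whole procedure for one test client; non-zero exit if any step fails.
issue_test_client() {
    make_ca && make_client_csr "$1" && sign_client_cert "$1" \
        && make_p12 "$1" && verify_chain "$1"
}
```

Import only `ca.crt` into the WebLogic trust keystore (`keytool -importcert -trustcacerts -alias testca -file "$WORK/ca.crt" -keystore trust.jks`) and give the tester `alice.p12` plus its password for the browser's Certificates dialog; the CA key itself never needs to leave the signing machine.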


 
Kenneth P. Turvey
      08-25-2005
Roedy Green wrote:

> If you plan to get real certs for the clients in the end, it is
> probably easiest just to go the verisign site and get some test free
> client certs. They used to have them in 1999. I have not looked
> recently.


I know that Thawte deals in them. They would probably be willing to provide
you with one for testing if you emailed them.

--
Kenneth P. Turvey <(E-Mail Removed)>

Currently seeking employment as a Java developer in the St. Louis area.
 