How to submit the CSR to a certification authority programmatically? - java

I saw the code for creating a CSR using Bouncy Castle.
https://github.com/bcgit/bc-java/blob/master/misc/src/main/java/org/bouncycastle/jcajce/examples/PKCS12Example.java
How do I get this CSR authorized by a certification authority, though? Can I choose to get it authorized by the company of my choice? If so, how can I do it through the code? Please advise.

I don't think there is a framework for doing this because signing requests vary from CA to CA. While the message (CSR) is the same for all, the protocol for submitting a CSR is (AFAIK) not specified. It's made more complicated by the fact that the CA needs proof that you own the domain you're trying to get a certificate for, and by the fact that most CAs charge a fee for signing a certificate.
If you choose a specific CA, you could create an automated process for that CA. For example, if you use Let's Encrypt, they have a bunch of clients that you can use to submit CSRs programmatically.

Related

Use CA certificate my own code

I have searched on several topics but I don't really find what I need. The problem is: I'd like to sign files with a digital certificate from my own written program (desktop or web). Then I want to know:
If I can do that with a CA certificate.
Which CA can issue me a certificate I can use in my program. I mean a CA certificate file with a method to access the algorithm, key, and also to send verification requests to a server? A kind of API?
Does this kind of certificate exist? Can I find it for free?
As long as I understood your questions correctly, find below my answers:
1 - You can get your Digital Certificate by generating your key pair and then having your public key signed by any CA (either your own CA or any publicly trusted CA)
2 - You can make a request to a CA to get your Digital Certificate. Guessing that you want a publicly trusted certificate, then you can use a wide range of CAs. I would suggest you check the Let's Encrypt project; they release free certificates.
Using your digital certificate is a matter of your implementation. Basically you need to know what you want to achieve with it (like confidentiality, authentication, integrity...). Usually you want to implement SSL to achieve any of these features.
For signing documents you need to encrypt with the private key associated with the public key that was used to get the digital certificate.
3 - As I also stated in the second answer, yes, there are free options for publicly trusted digital certificates.

How to verify the incoming certificates from https with other certificates

Here I need to verify the SSL certificates of HTTPS websites with the root certificate. I have tried a lot but it could not be done yet. Does anyone have any idea how to write such code in Java that could verify the certs with the root cert? I mean that I have to check the certificate hierarchy signature validation for particular certs.
Thanks....
You need all root and sub-root certs for validation. There are two different technologies: CRL and OCSP. OCSP is the new one, but some certificates support it.
You need some basic checks to validate a certificate (there are also more rules):
Date is valid,
Certificate has SSL encryption support, domain, etc.,
Certificate issuer is correct,
Certificate revoked or cancelled (with CRL or OCSP)
Java has its own library for this; example: How to get server certificate chain then verify it's valid and trusted in Java
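The checks listed above (validity period, issuer chain up to the root, revocation via OCSP or CRL) can all be delegated to the JDK's PKIX validator. This is an added example, not code from the linked answer; it assumes Java 8 or later (for PKIXRevocationChecker), a file holding the chain the server presented (leaf first, root excluded) and a second file holding the root you trust.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class ChainValidator {
    // Validates a chain (leaf first, then intermediates, root NOT included) against one
    // trusted root. The PKIX validator checks every signature link, the validity period
    // and issuer/subject name chaining; revocation uses the built-in PKIXRevocationChecker
    // (OCSP first, then CRL distribution points), which needs network access to the CA.
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
            X509Certificate root, boolean checkRevocation) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        TrustAnchor anchor = new TrustAnchor(root, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        if (checkRevocation) {
            PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
            params.addCertPathChecker(rc);       // hard fail if the status cannot be determined
        } else {
            params.setRevocationEnabled(false);  // only acceptable for offline tests
        }
        // Throws CertPathValidatorException for expired, untrusted, revoked or broken chains
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    // Reads one or more PEM or DER encoded certificates from a file
    public static List<X509Certificate> load(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(file)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = load(args[0]);   // chain presented by the server
        X509Certificate root = load(args[1]).get(0);   // the root you trust
        PKIXCertPathValidatorResult r = validate(chain, root, true);
        System.out.println("chain OK, anchored at "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Host name matching is not part of path validation; when the chain comes from an HTTPS connection, check the leaf's subject alternative names against the host separately (SSLSocket and HttpsURLConnection do this for you when endpoint identification is enabled).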

Only accept certain certificates

I have created my own CA, and I want to use its certificates to communicate with a server using SSLSockets. I can do that with the truststore I am currently using, but I would like to be more restrictive, so that my server only accepts connections from the clients I explicitly decide, which must own certificates signed by my CA (right now, anyone with a certificate signed by my CA is granted access). The goal behind this is to be able to revoke certificates, by eliminating some certificates from the server's truststore.
Imagine there are two devices, A and B, both with certificates signed by my CA. I only want to grant access to A, not B. If I only have A's certificate in the server's truststore, I get a BadCertificate exception for both clients; the moment I add my CA's pem file, both A and B are granted access, regardless of whether A's or B's certificates are explicitly added to the truststore.
Any ideas or alternatives to this approach? Thanks.
The revocation part of a PKI infrastructure (e.g. what you get if you have your own CA) is usually done with CRL (certificate revocation lists) or OCSP (online certificate status protocol).
If this is too much effort for a small PKI with only a few clients, you can also hard-code the fingerprints of the certificates you accept (whitelist) or which got revoked (blacklist) into your application and check on each connect if the certificate you got matches the fingerprint. Of course you need to update the application on each revocation (blacklist) or whenever you issue a new certificate (whitelist), so this does not scale very well. But the same problem occurs with CRLs, which need to be distributed to each client.
OCSP scales much better because the client tries to retrieve the revocation status on connect, but then you need to set up an OCSP responder.

Creating a truststore to only validate certificate signed by a custom CA in JAVA

I hope this isn't a duplicate.
I'm currently working on a client-server game based on Netty with a client on Android. I'm trying to make a secure login process, so I tried using SSL on top of Java sockets.
I managed to create a self-signed certificate and to use SSL. The problem is that the example source code I found uses a custom TrustManagerFactory which doesn't make any check of certificate validity. Since I don't want to allow man-in-the-middle attacks, I searched for more information on the SSL handshake and here is what I understood:
To initiate an SSL session, the client sends a request to the server.
The server which owns the certificate (.jks or .bks) extracts public information into an X509 certificate and sends it to the client.
The client checks the validity of the certificate (in my current solution it does nothing).
If the check succeeds, it retrieves the server's public key from the certificate, generates a random key, encrypts it with the public key and sends it to the server.
The server uses its private key to decrypt the randomly generated key.
Both client and server now share the same random key and they start communicating using this key for symmetric encryption (like AES).
I don't need to accept certificates from anyone other than my own server, so I thought about 2 solutions:
Save the X509 on the client side and create a custom TrustManager which only accepts this certificate. This solution seems easy to implement but rather hard to maintain, since every certificate change on the server side would require updating the X509 certificate on every client.
Create my own CA certificate, sign my SSL certificate with this certificate and manage somehow to tell my client to only trust certificates signed with my CA.
What I understood about CA authentication is this:
A CA root certificate is a normal certificate that contains a key pair.
Signing a certificate with a CA means adding at the end of the being-signed certificate a hash of the whole certificate encrypted with the CA private key.
This signature is contained in the X509 certificate along with some information about the CA.
To check certificate validity, the client generates the certificate hash and compares it to the decrypted hash (using the CA public key) contained in the X509 certificate.
So if I'm not mistaken in all of this, if I want to implement my second solution, I need to provide a CA certificate to the client so that it can check certificates. I've seen that it is possible to init a TrustManager with a truststore. I assume it must be a different certificate from the root CA one, since the whole security of this depends on my CA private key's confidentiality. So my questions are:
What should this client truststore contain and how do I generate it from my root CA?
I have read that the SSL engine is broken for self-signed certificates. So is my second solution viable on Android?
If this can work, how can I invalidate my certificate if I see that someone managed to get my private key somehow? I have read things about CRLs but I don't know how to generate/use them in my truststore.
Thanks in advance.
I can only answer part of your questions:
The truststore should contain your CA; you can generate it with keytool:
http://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html
No problem, you can implement this in Android in the same way as in Java using java.security.* and org.apache.http.* classes. One warning: for Android versions <= 2.3 you could need to implement a workaround, as some public CAs are missing and it doesn't support mis-ordered certificate chains. I can give you more details if needed.
I don't know
Edit:
A good tutorial:
http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html
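The same truststore can be built in code instead of with keytool, which avoids shipping a keystore file with the Android app. This is an added example and not code from the answer or the linked tutorial; it assumes the CA certificate is available as a PEM or DER file and a platform with `SSLParameters.setEndpointIdentificationAlgorithm` (Java 7+, Android API 24+). The class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class CaOnlyClient {
    // Truststore containing nothing but our own CA certificate. The CA's public certificate
    // is all the client needs; the CA private key stays on the signing machine.
    public static KeyStore truststoreFromCa(String caFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caFile)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // BKS on Android, JKS/PKCS12 on the JDK
        ks.load(null, null);                        // empty, in-memory keystore
        ks.setCertificateEntry("my-ca", ca);
        return ks;
    }

    public static SSLContext contextTrustingOnly(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);                       // PKIX: verifies the CA signature and validity period
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Trusting the CA alone would accept every certificate that CA ever issued, so the
    // client additionally requires the server certificate to match the host it dialled.
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");   // SAN / CN must match 'host'
        s.setSSLParameters(p);
        s.startHandshake();                               // SSLHandshakeException if untrusted
        return s;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrustingOnly(truststoreFromCa(args[0]));
        try (SSLSocket s = connect(ctx, args[1], Integer.parseInt(args[2]))) {
            System.out.println("handshake OK with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

For the revocation question, the built-in PKIX trust manager can consult CRLs or OCSP only if you enable it (a `PKIXBuilderParameters` with a `PKIXRevocationChecker` wrapped in `CertPathTrustManagerParameters`); without that, a compromised server key can only be invalidated by issuing a new CA and updating the clients.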

Steps to getting a CA signed certificate

What steps should I take to obtain a CA signed certificate that verifies a public key used to do create digital signatures?
One constraint is whatever coding that's needed will need to be done in Java.
Depending on what kind of signatures are needed, you should be looking for different certificates, e.g. code signing or office document signing or other types they offer. By following the links you will learn all the details about the procedure.
In brief: on your client computer (usually via browser) you generate a key pair that consists of the private key and a public key. Then the public key is embedded into a Certificate Signing Request (CSR), which is sent to the CA (again usually via browser). And the CA sends you a signed certificate, which you then merge with your private key.
To create your own certificate you can use the Java keytool:
http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
greets
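The key pair / CSR / merge sequence described above, and the first question on this page about doing it from Java, as an added example (not the answer's own code): it generates the key pair, builds a PKCS#10 CSR with Bouncy Castle's bcpkix classes, writes it as PEM for submission to whichever CA you choose (that step is CA-specific, as the first answer on this page notes), and afterwards merges the certificate chain the CA returned with the private key into a PKCS#12 keystore. The subject string, file names and alias are assumptions.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrLifecycle {
    // Step 1: key pair. The private key never leaves this machine.
    public static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        return kpg.generateKeyPair();
    }

    // Step 2: PKCS#10 CSR carrying the public key and signed with the private key
    // (proof of possession). 'subject' is whatever the CA expects, e.g. "CN=Alice,O=Example".
    public static PKCS10CertificationRequest buildCsr(KeyPair kp, String subject) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(new X500Name(subject), kp.getPublic()).build(signer);
    }

    // PEM form is what CA web forms and CA-specific clients accept
    public static void writePem(PKCS10CertificationRequest csr, String file) throws IOException {
        try (JcaPEMWriter w = new JcaPEMWriter(new FileWriter(file))) { w.writeObject(csr); }
    }

    // Step 3: once the CA returns the signed certificate plus its chain (leaf first),
    // merge it with the private key so the keystore entry can be used for signing.
    public static void importIssuedChain(KeyPair kp, String chainPemFile, String keystoreFile,
                                         char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(chainPemFile)) { certs = cf.generateCertificates(in); }
        Certificate[] chain = certs.toArray(new Certificate[0]);
        // Refuse a certificate that was not issued for our key
        if (!chain[0].getPublicKey().equals(kp.getPublic())) {
            throw new SecurityException("issued certificate does not match our public key");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("signing-key", kp.getPrivate(), password, chain);
        try (OutputStream out = new FileOutputStream(keystoreFile)) { ks.store(out, password); }
    }
}
```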
You need to contact a Certificate Authority for that. Verisign, etc. They each have a process to acquire one of these. Unless I am misunderstanding your question.
