Can we load multiple Certificates & Keys in a Key Store? - java

Can we load multiple Certificates & Keys in a Key Store?
Is it always required to load only Pairs (i.e. Certificates & Keys together)?
If a Key Store has multiple Certificates and Keys, which one will get selected when Java SSL tries to establish connection as a Server?

Although this depends on the KeyStore type, generally, you can store multiple private keys and certificates in a single store.
Which key and certificate combination is used for a Java-based server will depend on how the application was implemented. A number of applications let you select a given certificate using the alias name. The key and certificate getters in KeyStore take an alias parameter to make this choice. Usually, when this is not specified in the configuration, the application or framework will use the first suitable one it finds based on the KeyStore.aliases() enumeration.
Tomcat, for example, uses the keyAlias attribute in its Connector configuration:
keyAlias: The alias used for the server certificate in the keystore. If not specified the first key read in the keystore will be used.
Regarding key pairs, some KeyStores (again, depending on the type) can be used to store SecretKeys (e.g. DES), that is, shared keys, as well as public-private key pairs.

You can have a keystore with as many certificates and keys as you like.
If there are multiple certificates in a keystore a client uses as its truststore, all certificates are looked at until one is found that fits. You can look at the preinstalled certificates; they are in /lib/security/cacerts. It's just a big collection of root CAs' certificates.
Regarding the keys I don't know. I'd reckon the client uses a key that is signed by the same CA as the certificate that is provided by the server and if there are multiple, the first is used. But I can't say that for sure.

Related

Java & Windows-MY keystore - duplicated aliases

I'm implementing a mutual authentication with a web server in Java on Windows.
I have a certificate on a SmartCard which is supposed to be used to authenticate me (or other user).
So far I've figured out that I can access the certificates using Windows-MY key store.
I do it like that:
KeyStore keyStore = KeyStore.getInstance("Windows-MY");
keyStore.load(null, null); // KeyStore has no init(); the Windows-MY store is loaded with load(null, null)
This works. I can see all certificates inside keystoreSpi (in debugger). One of them is the one which I need to use - I confirmed that.
The problem is as follows:
KeyStore API allows me to get a certificate only by using its alias, e.g. keyStore.getCertificate("alias") or keyStore.getCertificateChain("alias").
I noticed that there are multiple different certificates with the same alias in this keystore. I cannot change the aliases. I just physically got the smartcard with given certificates.
When I call one of the mentioned methods, keystore returns just the first certificate in the list with the given alias. (Generally, in the implementation there is a map where aliases are its keys, so all duplicated aliases are ignored.)
Unfortunately first certificate's purpose is "email encryption", etc. The second certificate's purpose is "SmartCard Logon" and this one I need to use. I confirmed that by going into debugger and manually hacking the list of certificates.
The question is: how do I get a proper certificate using the API (eg. the second one) when there are duplicated aliases?
If this can be done by external libraries, I can opt for that.
More details which may be useful:
I use KeyStore, then create KeyStoreManager.
I initialize SSLContext with given keyStoreManager sslContext.init(keyManagerFactory.getKeyManagers(), ...)
I create HttpsUrlConnection with given ssl context, which is my objective.
This has been fixed a while ago. Just update to a recent JRE. For more information see here: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=6483657

KeyStore Explorer - Created key pair?

I've been working with certificates, symmetric and asymmetric keys, and things related to web application security. I am developing a web application in Tomcat 7, and I must perform a secure exchange of data between client and server using TLS. In my research, I found the KeyStore Explorer (V. 5.1).
I have some questions related to the use of this program. I know that here may not be the appropriate place to make these types of questions, because the site owner of KeyStore Explorer has a forum. However, the forum does not allow me to create new topics.
When we create a new key pair, we face a window which asks us to choose the algorithm used for the pair generation. After choosing, key generation is made, and then a new window is displayed to the user with the strange name "Generate Key Pair Certificate":
It is on this screen that some doubts arise. In this new screen, the program requests the user to choose a signature algorithm, a validity period, and the name, where data from the user entity's key pair must be filled in.
What does it mean? Am I creating a Digital Certificate signed by myself? And if I am, is there a way to create only a key pair? Was I not supposed to create a pair, and from that create a CSR to send to a Certificate Authority, with the CSR containing (then) the details of the entity requesting the digital certificate (in this case, me)?
With the keytool, I believe we can create a key pair only. But the funny thing is that when we create a keystore with a key pair with the keytool, we open the generated file with the KeyStore Explorer and the pair seems to have been signed by the creator himself, as a digital certificate, for instance:
(Note that we have two fields, "subject" and "Issuer"...)
What I really want is to be able to create a key pair and from that generated pair create a CSR. I know the program itself comes with documentation. I researched and read the part named "Key Pairs" (the "Generate Key Pair" topic, etc.), but unfortunately I could not resolve this confusion. Would someone please explain to me what I am doing wrong and what all this means?
As always, I thank you all for your attention and time.
bibliography:
https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html
https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
http://ruchirawageesha.blogspot.com.br/2010/07/how-to-create-clientserver-keystores.html
http://keystore-explorer.sourceforge.net/releases.php
As described on the following web page, key pairs can only exist in a Java key store together with at least one certificate. That is why KeyStore Explorer (and keytool as well) always generate a self-signed certificate for a new key pair:
http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html
After you have created the new key pair, simply right-click on the entry and select "Generate CSR".
After the CA has signed a certificate for the CSR, right-click on the key pair again and select "Import CA reply". The self-signed certificate is then replaced by the one from the CA.

Using a single certificate based on aliases from Java Key Store

I have a keystore which has multiple keys and certificates added to it
I want to use a certificate based on the aliases from the key store and use it for SSL
I tried to set the following System properties but nothing helped
System.setProperty("javax.net.ssl.keyAlias", "abcd");
System.setProperty("javax.net.ssl.keyStoreAlias", "abcd");
It always uses the first certificate from the keystore instead of matching the key aliases
If you look at the Customization section of the JSSE Reference Guide (or the entire guide), there's no javax.net.ssl.keyAlias or javax.net.ssl.keyStoreAlias property.
It's up to the application to have a way to select which certificate it wants, using its alias name, but it has to load it explicitly itself. Some frameworks use their own properties or configuration options.
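A worked version of what the first answer on this page and this one both describe (select the key entry by its alias with the KeyStore getters and hand exactly that entry to JSSE, instead of letting it take the first suitable alias) is the X509ExtendedKeyManager below. It is an example added here, not code from any of the posts or from the JDK; the keystore path, password and alias are placeholders.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Serves exactly one KeyStore key entry, chosen by alias, so JSSE never falls back to "the first one". */
public final class SingleAliasKeyManager extends X509ExtendedKeyManager {
    private final String alias;
    private final PrivateKey privateKey;
    private final X509Certificate[] chain;

    public SingleAliasKeyManager(KeyStore ks, String alias, char[] keyPassword) throws GeneralSecurityException {
        // isKeyEntry() is also true for SecretKey entries, so check that the entry really holds a private key.
        Key key = ks.isKeyEntry(alias) ? ks.getKey(alias, keyPassword) : null;
        Certificate[] certs = ks.getCertificateChain(alias);
        if (!(key instanceof PrivateKey) || certs == null || certs.length == 0) {
            throw new KeyStoreException("alias is not a private-key entry with a certificate chain: " + alias);
        }
        this.alias = alias;
        this.privateKey = (PrivateKey) key;
        this.chain = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) this.chain[i] = (X509Certificate) certs[i];
    }
    // Offer the alias only for the key algorithm it actually holds (RSA, EC, ...); JSSE probes each type.
    private String pick(String... keyTypes) {
        for (String t : keyTypes) if (privateKey.getAlgorithm().equalsIgnoreCase(t)) return alias;
        return null;
    }
    // Server side.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return pick(keyType); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine e) { return pick(keyType); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return pick(keyType) == null ? null : new String[] { alias }; }
    // Client side (mutual TLS): same single choice.
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) { return pick(keyTypes); }
    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) { return pick(keyTypes); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return pick(keyType) == null ? null : new String[] { alias }; }
    // JSSE then asks for the chain and key of the alias it was handed; answer only for ours.
    @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain.clone() : null; }
    @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? privateKey : null; }

    // Server SSLContext pinned to one alias; keystorePath, password and alias are placeholders to fill in.
    public static SSLContext serverContext(String keystorePath, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, password); }
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers and SecureRandom select the JSSE defaults (cacerts, platform CSPRNG).
        ctx.init(new KeyManager[] { new SingleAliasKeyManager(ks, alias, password) }, null, null);
        return ctx;
    }
}
```

Passing the resulting SSLContext to an SSLServerSocketFactory or HttpsURLConnection makes the handshake use only the pinned entry; a wrong alias or a SecretKey entry fails at construction time rather than silently presenting another certificate.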

Java Keytool for SSL: CSR Aliases, Keys and Keystores

I read this article on how to use keytool to generate CSRs for your organization. It was simple and easy, but left me with a few questions that I couldn't find clear, descriptive answers to:
What is Java's concept of a CSR alias and why would you want to use one? Where is this alias field stored and what other tools/APIs have access to it?
What is the difference between a key and a keystore?
What is Java's concept of a CSR alias and why would you want to use one? Where is this alias field stored and what other tools/APIs have access to it?
First of all, Java uses keystores to keep keys (and certificates) inside. A single keystore can hold many certificates, so you need a way to differentiate them. That's what aliases are for. Having a keystore, an alias (and a password if needed), you can get the certificate from the keystore using the Java Crypto API (specifically classes like KeyStore). Here you have an example of how the Crypto API can be used to load a key from a keystore.
What is the difference between a key and a keystore?
The keystore is a container. The keys are kept inside keystores.
A keystore is a file format used to hold certificates and private keys, and alias is used to identify each entry in the keystore.

Security issue when using the same keystore for trust store and server store?

Is there a security issue when using the same keystore for the trust store (certificates used for authenticating clients) and server store (private keys used by the server)? I ask this because I know that there is a recommendation to have two separate files (and I wonder why this is).
I know that there is a recommendation to have two separate files (for the trust store and the server store)
The reason for such a recommendation is that you typically store only public keys and the related certificates of trusted CAs in the truststore, while the keystore is meant to store private-keys and the associated public keys (along with the related certificates).
When you start managing both as a single file, it is quite possible for any agent (a user or even application code) that has knowledge of the truststore password to read and modify the private keys of the keystore as well. This is not what you want, for private keys ought to be private by nature, and known only to a single entity (the one that owns the key).
Likewise, it is also possible for an agent to modify the truststore through the knowledge of the keystore password, to add certificates to the truststore. On its own, this may appear benign, but usually multiple clients can use the same truststore (like the cacerts file of the JRE), resulting in the scenario where one agent can poison the trust relationship (by adding the certificate of a malicious CA into the truststore) between a client and a server.
In reality, the recommendation is more of a defense-in-depth practice, unless your agents aren't trustworthy (in which case you ought to be adopting several other practices).
There is one security concern, but I think most of the reason for the recommendation is a logical separation of responsibilities. From Keystores and Truststores:
Using two different files instead of a single keystore file provides for a cleaner separation of the logical distinction between your own certificates (and corresponding private keys) and others' certificates. You could provide more protection for your private keys if you store them in a keystore with restricted access, while providing the trusted certificates in a more publicly accessible keystore if needed.
The key security point here is that by separating the trusted (public) certificates from your own certificates that contain your private keys, you can use whatever level of restriction you deem necessary to protect your own private keys, while keeping trusted certificates public.