About Certificate Files
Installation of the Application Server generates a digital certificate inJSSE (Java Secure Socket Extension) or NSS (Network Security Services) formatsuitable for internal testing. By default, the Application Server stores its certificateinformation in a certificate database in the domain-dir/config directory:
Jul 03, 2019 Example how to create PKCS#10 Certificate Signing Request (CSR) using Sun JDK, This example creates signature externally - suitable for Cryptographic devices such as Hardware Security Module (HSM).
- Java.lang.Object; java.security.KeyPair; All Implemented Interfaces: Serializable. Public final class KeyPair extends Object implements Serializable. This class is a simple holder for a key pair (a public key and a private key). It does not enforce any security, and, when initialized, should be treated like a PrivateKey. Constructs a key.
- Java SE only facilitates accessing native PKCS#11 implementations, it does not itself include a native PKCS#11 implementation. However, cryptographic devices such as Smartcards and hardware accelerators often come with software that includes a PKCS#11 implementation, which you need to install and configure according to manufacturer's instructions.
- C# (CSharp) Net.Pkcs11Interop.LowLevelAPI81 Pkcs11.CGenerateKeyPair - 2 examples found. These are the top rated real world C# (CSharp) examples of Net.Pkcs11Interop.LowLevelAPI81.Pkcs11.CGenerateKeyPair extracted from open source projects. You can rate examples to help us improve the quality of examples.
- Keystore file, key3.db, contains the Application Server's certificate, including its privatekey. The keystore file is protected with a password. Change the password usingthe asadmin change-master-password command. For more informationabout certutil, read Using the certutil Utility.Each keystore entry has a unique alias.After installation, the Application Server keystore has a single entry with alias s1as.
- Truststore file, cert8.db, contains the Application Server's trusted certificates, including publickeys for other entities. For a trusted certificate, the server has confirmedthat the public key in the certificate belongs to the certificate's owner.Trusted certificates generally include those of certification authorities(CAs).In the Platform Edition, on the server side, the Application Server usesthe JSSE format, which uses keytool to manage certificatesand key stores. In the Enterprise Edition, on the server side, the Application Server usesNSS, which uses certutil to manage the NSS database whichstores private keys and certificates. In both editions, the client side (appclientor stand-alone), uses the JSSE format.By default, the Application Server isconfigured with a keystore and truststore that will work with the exampleapplications and for development purposes. For production purposes, you maywish to change the certificate alias, add other certificates to the truststore,or change the name and/or location of the keystore and truststore files.
Changing the Location of Certificate Files
The keystore and truststore files provided for development are storedin the domain-dir/config directory.
Use the Admin Console to expand the server-config node> JVM Settings >JVM Options tab to add or modify the value field for the newlocation of the certificate files.
where NSS-database-directory is the locationof the NSS database.
Using Java Secure Socket Extension (JSSE) Tools
Use keytool to set up and work with JSSE (Java SecureSocket Extension) digital certificates. Inboth the Platform Edition and Enterprise Edition, the client side (appclientor stand-alone) uses the JSSE format.
The J2SE SDK ships with keytool, which enables theadministrator to administer public/private key pairs and associated certificates.It also enables users to cache the public keys (in the form of certificates)of their communicating peers.
To run keytool, the shell environment must be configuredso that the J2SE /bin directory is in the path, or thefull path to the tool must be present on the command line. For more informationon keytool, see the keytool documentationat http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
Using the keytool Utility
The following examples demonstrate usage related to certificate handlingusing JSSE tools:
- Create a self-signed certificate in a keystore of type JKSusing an RSA key algorithm. RSA is public-key encryption technology developedby RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adelman,the inventors of the technology.Another example of creating a certificate is shown in Generating a Certificate Using the keytool Utility.
- Create a self-signed certificate in a keystore of type JKSusing the default key algorithm.An example of signing a certificate is shown in Signing a Digital Certificate Using the keytool Utility
- Display available certificates from a keystore of type JKS.
- Display certificate information from a keystore of type JKS.
- Import an RFC/text-formatted certificate into a JKS store.Certificates are often stored using the printable encoding format definedby the Internet RFC (Request for Comments) 1421 standard instead of theirbinary encoding. This certificate format, also known as Base 64encoding, facilitates exporting certificates to other applicationsby email or through some other mechanism.
- Export a certificate from a keystore of type JKS in PKCS7format. The reply format defined by the Public Key Cryptography Standards#7, Cryptographic Message Syntax Standard, includes the supporting certificatechain in addition to the issued certificate.
- Export a certificate from a keystore of type JKS in RFC/textformat.
- Delete a certificate from a keystore of type JKS.Another example of deleting a certificate from a keystore is shown in Deleting a Certificate Using the keytool Utility
Generating a Certificate Using the keytool Utility
Use keytool to generate, import, and export certificates.By default, keytool creates a keystore file in the directorywhere it is run.
- Change to the directory where the certificate is to be run.Always generate the certificate in the directory containing the keystoreand truststore files, by default domain-dir/config. Forinformation on changing the location of these files, see Changing the Location of Certificate Files.
- Enter the following keytool command togenerate the certificate in the keystore file, keystore.jks:Use any unique name as your keyAlias. Ifyou have changed the keystore or private key password from their default,then substitute the new password for changeit in the abovecommand.A prompt appears that asks for your name, organization,and other information that keytool uses to generate thecertificate.
- Enter the following keytool command toexport the generated certificate to the file server.cer (or client.cer if you prefer):
- If a certificate signed by a certificate authority is required,see Signing a Digital Certificate Using the keytool Utility.
- To create the truststore file cacerts.jks andadd the certificate to the truststore, enter the following keytool command:
- If you have changed the keystore or private key password fromtheir default, then substitute the new password for changeit inthe above command.The tool displays information about the certificateand prompts whether you want to trust the certificate.
- Type yes, then press Enter.Then keytool displays something like this:
- Restart the Application Server.
Signing a Digital Certificate Using the keytool Utility
After creating a digital certificate, the owner must sign it to preventforgery. E-commerce sites, or those for which authentication of identity isimportant can purchase a certificate from a well-known Certificate Authority(CA). If authentication is not a concern, for example if private secure communicationsis all that is required, save the time and expense involved in obtaining aCA certificate and use a self-signed certificate.
- Follow the instructions on the CA's Web site for generatingcertificate key pairs.
- Download the generated certificate key pair.Savethe certificate in the directory containing the keystore and truststore files,by default domain-dir/config directory. See Changing the Location of Certificate Files.
- In your shell, change to the directory containing the certificate.
- Use keytool to import the certificate intothe local keystore and, if necessary, the local truststore.If the keystore or private key password is not the default password,then substitute the new password for changeit in the abovecommand.
- Restart the Application Server.
Deleting a Certificate Using the keytool Utility
To delete an existing certificate, use the keytool -delete command,for example:
Using Network SecurityServices (NSS) Tools
In the Enterprise Edition, use Network Security Services (NSS) digitalcertificates on the server-side to manage the database that stores privatekeys and certificates. For the client side (appclient or stand-alone), usethe JSSE format as discussed in Using Java Secure Socket Extension (JSSE) Tools.
The tools for managing security with Network Security Services (NSS)include the following:
- certutil, a command-line utility for managingcertificates and key databases. Some examples using the certutil utilityare shown in Using the certutil Utility.
- pk12util, a command-line utility used toimport and export keys and certificates between the certificate/key databasesand files in PKCS12 format. Some examples using the pk12util utilityare shown in Importing and Exporting Certificates Using the pk12util Utility.
- modutil, a command-line utility for managingPKCS #11 module information within secmod.db files or withinhardware tokens. Some examples using the modutil utilityare shown in Adding and Deleting PKCS11 Modules using modutil.
The tools are located in the install-dir/lib/ directory.The following environment variables are used to point to the location of theNSS security tools:
- LD_LIBRARY_PATH =${install-dir}/lib
- ${os.nss.path}
In the examples, the certificate common name (CN) is the name of theclient or server. The CN is also used during SSL handshake for comparing thecertificate name and the host name from which it originates. If the certificatename and the host name do not match, warnings or exceptions are generatedduring SSL handshake. In some examples, the certificate common name CN=localhost is used for convenience so that all users can use that certificateinstead of creating a new one with their real host name.
The examples in the following sections demonstrate usage related tocertificate handling using NSS tools:
Using the certutil Utility
Before running certutil, make sure that LD_LIBRARY_PATH points to the location of the libraries required for this utilityto run. This location can be identified from the value of AS_NSS_LIB in asenv.conf (product wide configuration file).
The certificate database tool, certutil, is an NSScommand-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can alsolist, generate, modify, or delete certificates within the cert8.db fileand create or change the password, generate new public and private key pairs,display the contents of the key database, or delete key pairs within the key3.db file.
The key and certificate management process generally begins with creatingkeys in the key database, then generating and managing certificates in thecertificate database. The following document discusses certificate and keydatabase management with NSS, including the syntax for the certutil utility: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
Each of the items in the list below gives an example using NSS and JSSEsecurity tools to create and/or manage certificates.
- Generate a self-signed server and client certificate. In thisexample, the CN must be of the form hostname.domain.[com|org|net|..].In this example, domain-dir/config. The serverseed.txtand clientseed.txt files can containany random text. This random text will be used for generating the key pair.Generate the client certificate. This certificate is also a self-signedcertificate.
- Verify the certificates generated in the previous bullet.
- Display available certificates.
- Import an RFC text-formatted certificate into an NSS certificatedatabase.
- Export a certificate from an NSS certificate database in RFCformat. https://hoffdeep.weebly.com/lego-minifigures-online-game-key-generator.html.
- Delete a certificate from an NSS certificate database.
- Move a certificate from an NSS database to JKS format
Importing and Exporting Certificates Using the pk12util Utility
The command-line utility used to import and export keys and certificatesbetween the certificate/key databases and files in PKCS12 format is pk12util. PKCS12 is Public-Key Cryptography Standards (PKCS) #12, PersonalInformation Exchange Syntax Standard. More description of the pk12util utilitycan be read at http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html.
Java Pkcs 11 Generate Key Pair Linux
- Import a PKCS12-formatted certificate into an NSS certificatedatabase.
- Import a PKCS12-formatted certificate into an NSS certificatedatabase token module. Virtual lab data recovery key generator free.
- Export a certificate from an NSS certificate database in PKCS12format.
- Export a certificate from an NSS certificate database tokenmodule in PKCS12 format (useful for hardware accelerator configuration).
- Convert a PKCS12 certificate into JKS format (requires a Javasource):
Adding and Deleting PKCS11 Modules using modutil
The Security Module Database Tool, modutil,is a command-line utility for managing PKCS #11 (Cryptographic Token InterfaceStandard) module information within secmod.db files orwithin hardware tokens. You can use the tool to add and delete PKCS #11 modules,change passwords, set defaults, list module contents, enable or disable slots,enable or disable FIPS-140-1 compliance, and assign default providers forcryptographic operations. This tool can also create key3.db, cert7.db, and secmod.db security database files.For more information on this tool, see http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html.
- Add a new PKCS11 module or token.
- Delete a PKCS11 module from an NSS store.
- List available token modules in an NSS store.
Using Hardware Crypto Accelerator With Application Server
https://hoffdeep.weebly.com/generate-sha1-key-in-android-studio.html. You can use hardware accelerator tokens to improve the cryptographicperformance and to furnish a secure key storage facility. Additionally, youcan provide end users with mobile secure key storage through smart cards.
Sun Java System Application Server 8.1 and 8.2 Standard Edition or EnterpriseEdition when run on the Java 2 Platform, Standard Edition (J2SE platform)5.0, supports the use of PKCS#11 tokens for SSL or TLS communications andNetwork Security Services (NSS) tools for managing keys and PKCS#11 tokens.This section describes how Application Server provides that support and walks youthrough the procedures for the related configurations.
J2SE 5.0 PKCS#11 providers can be easily integrated with the Application Server runtime.Through these providers, you can use hardware accelerators and other PKCS#11tokens in Application Server to achieve fast performance and to protect the privatekey inherent in SSL or TLS communications.
This section contains the following topics:
About Configuring Hardware Crypto Accelerators
Java Pkcs 11 Generate Key Pair 1
Sun Java System Application Server 8.1 and 8.2 Standard Edition or EnterpriseEdition have been tested with Sun Crypto Accelerator 1000 (SCA-1000) and SCA-4000.
Application Server, when used in conjunction with J2SE 5.0, can communicatewith PKCS#11 tokens. Packaged with Application Server are an NSS PKCS#11 tokenlibrary (for the NSS Internal PKCS#11 Module, commonly known as the NSS softtoken) and NSS command-line management tools. For more details, see Using Network Security Services (NSS) Tools.
Use the NSS tools to create keys and certificates on PKCS#11 tokensand J2SE PKCS#11 providers to access token keys and certificates at runtime.A PKCS#11 provider is a cryptographic service provider that acts as a wrapperaround a native PKCS#11 library. A PKCS#11 token generally refers to all thehardware and software tokens with a native PKCS#11 interface. A hardware tokenis a PKCS#11 token implemented in physical devices, such as hardware acceleratorsand smart cards. A software token is a PKCS#11 token implemented entirelyin software.
Note – If you run Application Server on the J2SE 1.4.x platform, only onePKCS#11 token, the NSS soft token, is supported.
For the Microsoft Windows environment, add the location of NSS libraries AS_NSS and the NSS tools directory, AS_NSS_BIN tothe PATH environment variable. For simplicity, the procedures described inthis section use UNIX commands only. You should replace the UNIX variableswith the Windows variables, where appropriate.
Configuring the hardware crypto accelerators is divided into two mainprocedures:
Configuring PKCS#11 Tokens
This section describes how to configure PKCS#11 tokens with the NSSsecurity tool modutil. Use the following procedure to configurea PKCS#11 token.
Enter the following command (all on one line):
![Pair Pair](/uploads/1/2/6/5/126530303/550085735.png)
where, AS_NSS_DB is the NSS database directory(same as AS_DOMAIN_CONFIG when you use the Domain AdministrationServer (DAS))
For example, to configure a hardware accelerator token, enter the following(all on one line):
The hardware accelerator in this example is a SCA–1000 cryptographicaccelerator. The corresponding PKCS#11 library, by default, is located in /opt/SUNWconn/crypto/lib/libpkcs11.so.
The mechanisms must be a complete list of the cryptographicmechanisms that are available in the token. To use just a few of the availablecryptographic mechanisms, see Configuring J2SE 5.0 PKCS#11 Providers. For a list of all supported mechanisms, see the modutil documentation on the NSS Security Tools site at http://www.mozilla.org/projects/security/pki/nss/tools.
The examples that follow assume that the token name specified at tokeninstallation time is mytoken.
To verify that the hardware accelerator is configured properly, enterthe following command:
The standard output will look similar to the following:
Managing Keys And Certificates
This section describes a few common procedures for creating and managingkeys and certificates using certutil and pk12util.For details on certutil and pk12util,see Using Network Security Services (NSS) Tools anddocumentation on the NSS Security Tools site at http://www.mozilla.org/projects/security/pki/nss/tools.
Note – By configuring a PKCS#11 provider in the java.security propertiesfile (located in the JAVA_HOME/jre/lib/security directory of the Java runtime), you can also use the J2SE keytool utility to manage keys and certificates.
This section describes the following topics:
Listing Keys and Certificates
- To list the keys and certificates in the configured PKCS#11tokens, run the following command:For example, to list the contents of the default NSS soft token, type:The standard output will be similar to the following:The output displays the name of the token in the left column and a setof three trust attributes in the right column. For Application Server certificates,it is usually T,c,c. Unlike the J2SE java.security.KeyStore API, which contains only one level of trust, the NSS technologycontains several levels of trust. Application Server is primarily interested inthe first trust attribute, which describes how this token uses SSL. For thisattribute:T indicates that the Certificate Authority (CA)is trusted for issuing client certificates.u indicates that you can use the certificates (andkeys) for authentication or signing.The attribute combination of u,u,u indicates thata private key exists in the database.
- To list the contents of the hardware token, mytoken,run the following command:You will be prompted for the password for the hardware token. The standardoutput is similar to the following:
Working With Private Keys and Certificates
Use certutil to create self-signed certificates andto import or export certificates. To import or export private keys, use the pk12util utility. For more details, see Using Network Security Services (NSS) Tools
Caution – In Application Server, do not modify the NSS password directlywith the NSS tools certutil and modutil.If you do so, security data in Application Server might be corrupted.
Configuring J2SE 5.0 PKCS#11 Providers
Application Server relies on J2SE PKCS#11 providers to access keys and certificatesthat are located in PKCS#11 tokens at runtime. By default, Application Server configuresa J2SE PKCS#11 provider for the NSS soft token. This section describes howto override the default configuration for the J2SE PKCS#11 provider.
In Application Server, the following default PKCS#11 configuration parametersare generated for each PKCS#11 token.
- Configuration for the default NSS soft token:
- Configuration for the SCA 1000 hardware accelerator:
These configurations conform to the syntax described in the Java PKCS#11Reference Guide.
Note – The name parameter has no requirements other than that it mustbe unique. Certain older versions of J2SE 5.0 support alphanumeric charactersonly.
You can override the default configuration parameters by creating acustom configuration file. For example, you can explicitly disable the RSACipher and RSA Key Pair Generator in SCA–1000. For details on disablingthe RSA Cipher and RSA Key Pair Generator, see http://www.mozilla.org/projects/security/pki/nss/tools.
To create a custom configuration file:
- Create a configuration file called install-dir/mypkcs11.cfg with the following code and save the file.
- Update the NSS database, if necessary. In this case, updatethe NSS database so that it will disable RSA.Run the followingcommand :The name of the algorithm on the mechanisms listdiffers from the one in the default configuration. For a list of valid mechanisms in NSS, see the modutil documentation on theNSS Security Tools site at http://www.mozilla.org/projects/security/pki/nss/tools.
- Update the server with this change by adding a property inthe appropriate location, as follows:The location for the property could be one of the following:
- If the provider is for a DAS or server instance, add the propertyunder the associated <security-service>.
- If the provider is for a node agent, add the property underthe associated <node-agent> element in the domain.xml file.
- Restart the Application Server.The customized configurationswill be in effect after the restart.
Example how to create PKCS#10 Certificate Signing Request (CSR) using Sun JDK, This example creates signature externally - suitable for Cryptographic devices such as Hardware Security Module (HSM)
CertificateSigningRequestUsingSunJDK.java
packagecom.ilirium.client; |
importjava.io.ByteArrayOutputStream; |
importjava.io.FileNotFoundException; |
importjava.io.FileOutputStream; |
importjava.io.IOException; |
importjava.io.PrintStream; |
importjava.math.BigInteger; |
importjava.security.InvalidKeyException; |
importjava.security.KeyPair; |
importjava.security.KeyPairGenerator; |
importjava.security.NoSuchAlgorithmException; |
importjava.security.PublicKey; |
importjava.security.SecureRandom; |
importjava.security.Signature; |
importjava.security.SignatureException; |
importjava.util.Base64; |
importsun.security.util.DerOutputStream; |
importsun.security.x509.AlgorithmId; |
importsun.security.x509.X500Name; |
/** |
* |
* @author [email protected] |
*/ |
publicclassCertificateSigningRequestUsingSunJDK { |
publicstaticvoidmain(String[] args) throwsNoSuchAlgorithmException, IOException, InvalidKeyException, SignatureException { |
// generate RSA key pair |
KeyPair keypair = generateKeyPair(); |
// create Certficate Request Info |
X500Name x500Name =newX500Name('CN=Test,OU=Test,O=Test,L=Test,S=Test,C=Test'); |
byte[] certReqInfo = createCertificationRequestInfo(x500Name, keypair.getPublic()); |
// generate Signature over Certficate Request Info |
String algorithm ='SHA1WithRSA'; |
Signature signature =Signature.getInstance(algorithm); |
signature.initSign(keypair.getPrivate()); |
signature.update(certReqInfo); |
byte[] certReqInfoSignature = signature.sign(); |
// create PKCS#10 Certificate Signing Request (CSR) |
byte[] csrDEREncoded = createCertificationRequestValue(certReqInfo, algorithm, certReqInfoSignature); |
String csrPEMEncoded = createPEMFormat(csrDEREncoded); |
// write to file |
writeToFile(csrDEREncoded, 'D:csr.der'); |
writeToFile(csrPEMEncoded.getBytes(), 'D:csr.pem'); |
} |
privatestaticKeyPairgenerateKeyPair() throwsNoSuchAlgorithmException { |
KeyPairGenerator keyGen =KeyPairGenerator.getInstance('RSA'); |
keyGen.initialize(2048, newSecureRandom()); |
KeyPair keypair = keyGen.generateKeyPair(); |
return keypair; |
} |
publicstaticStringcreatePEMFormat(byte[] data) { |
finalByteArrayOutputStream out =newByteArrayOutputStream(); |
finalPrintStream ps =newPrintStream(out); |
ps.println('-----BEGIN NEW CERTIFICATE REQUEST-----'); |
ps.println(Base64.getMimeEncoder().encodeToString(data)); |
ps.println('-----END NEW CERTIFICATE REQUEST-----'); |
return out.toString(); |
} |
publicstaticbyte[] createCertificationRequestInfo(X500Namex500Name, PublicKeypublicKey) throwsIOException { |
finalDerOutputStream der1 =newDerOutputStream(); |
der1.putInteger(BigInteger.ZERO); |
x500Name.encode(der1); |
der1.write(publicKey.getEncoded()); |
// der encoded certificate request info |
finalDerOutputStream der2 =newDerOutputStream(); |
der2.write((byte) 48, der1); |
return der2.toByteArray(); |
} |
publicstaticbyte[] createCertificationRequestValue(byte[] certReqInfo, StringsignAlgo, byte[] signature) throwsIOException, NoSuchAlgorithmException { |
finalDerOutputStream der1 =newDerOutputStream(); |
der1.write(certReqInfo); |
// add signature algorithm identifier, and a digital signature on the certification request information |
AlgorithmId.get(signAlgo).encode(der1); |
der1.putBitString(signature); |
// final DER encoded output |
finalDerOutputStream der2 =newDerOutputStream(); |
der2.write((byte) 48, der1); |
return der2.toByteArray(); |
} |
privatestaticvoidwriteToFile(byte[] data, Stringfile) throwsFileNotFoundException, IOException { |
try (FileOutputStream out =newFileOutputStream(file)) { |
out.write(data); |
} |
} |
} |
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment