Question

I have this REST client in one server that will call the endpoints in another server. I understand that if I don't have the certificates imported, calls will fail due to an SSL handshake problem. I also understand that the certificates should be exported from my server and then imported in the client machine. So far so good.

  1. The problem is, what certificates should I export from my server? Is there any kind of public certificate with a specific name? Should I create a self-signed certificate on the server side, export it and then import it on the client side?

  2. What would be the required steps in order to generate the certificate (if this is the case) and export the certificate?

  3. For real-world applications (in this case, one server talking to another), should this certificate (or these certificates) be self-signed, or public?

  4. What is the relation between the certificates and the JVM (keytool thing, keystore, etc)?

As you can see, my questions are more about basic concepts.

Thank you


Solution

Briefly,

  1. You can create your own self-signed certificate. This won't protect your app from all kinds of attacks, but your communication will be encrypted. If you're running this in some intranet, I think this is a reasonable solution.
  2. see below
  3. see #1
  4. see #2

To generate a certificate on your server, you can do something like

    /opt/jdk1.7.0_40/bin/keytool -genkey -alias tomcat -keypass mypassword -keystore keystore.key -storepass mypassword -keyalg RSA

And then you'll probably need to add some steps to configure your web server. You haven't specified any, but if you were using Tomcat, you'd add something like this to server.xml

    <Connector
        port="8443"
        SSLEnabled="true"
        maxThreads="150"
        scheme="https"
        secure="true"
        clientAuth="false"
        sslProtocol="TLS"
        keystoreFile="/path.to.your.keystore/keystore.key"
        keystorePass="mypassword" />

To import the certificate on the client side, you can open the login page using Firefox, right-click on the page and open "View Page Info", then go to the "Security" tab, click on "View Certificate", click on "Details" and then "Export".

The default is X.509 PEM, which is fine. Let's suppose that you've saved the file as "TomcatUser.pem.x509". You then have to store the certificate in a keystore in a format Java can understand, just like this:

    /opt/jdk1.7.0_40/bin/keytool -import -file TomcatUser.pem.x509 -keystore ~yourUser/MyLocalKeypass -storepass xyz

Finally, your client will need something like this

    // Java does not expand "~", so the trust store path must be absolute
    System.setProperty("javax.net.ssl.trustStore", "/home/yourUser/MyLocalKeypass");
    System.setProperty("javax.net.ssl.trustStorePassword", "xyz");

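The same generate/export/import round trip, as an added example that is not part of the original answer: it uses keytool alone (so the Firefox export step is unnecessary), puts the server's DNS name in a Subject Alternative Name so the client's hostname verification can pass, keeps the client's trust in a store of its own rather than the JDK's cacerts, and ends by checking what each store actually contains. The hostname, passwords and work directory are constructed placeholders; a JDK keytool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer. Runs the whole
# generate -> export -> import procedure with keytool and then checks the
# result. Assumes a JDK keytool on PATH. SERVER_HOST, the passwords and the
# work directory are constructed placeholders.
set -eu

SERVER_HOST="backend.example.internal"    # constructed; use the name the client really connects to
WORK="${WORK:-./tls-demo}"                # scratch directory for the demo
SERVER_KS="$WORK/server-keystore.p12"     # private key + certificate: stays on the server
CERT_FILE="$WORK/server-cert.pem"         # public certificate only: the file you copy to clients
CLIENT_TS="$WORK/client-truststore.p12"   # what the client JVM will trust
STORE_PASS="change-me-server"             # placeholder
TRUST_PASS="change-me-client"             # placeholder

mkdir -p "$WORK"
rm -f "$SERVER_KS" "$CERT_FILE" "$CLIENT_TS"

# Step 1 (server): key pair plus self-signed certificate. The SAN extension
# carries the DNS name; TLS clients match the hostname against the SAN, so a
# CN-only certificate is a common source of hostname-verification failures.
gen_server_keystore() {
    keytool -genkeypair -alias server \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$SERVER_HOST, O=Example, C=US" \
        -ext "SAN=dns:$SERVER_HOST" \
        -storetype PKCS12 -keystore "$SERVER_KS" \
        -storepass "$STORE_PASS" -keypass "$STORE_PASS"
}

# Step 2 (server): export the certificate only. -exportcert never writes the
# private key, which is why this file, and not the keystore, is what gets shipped.
export_server_cert() {
    keytool -exportcert -rfc -alias server \
        -keystore "$SERVER_KS" -storepass "$STORE_PASS" -file "$CERT_FILE"
}

# Step 3 (client): import that certificate into a dedicated truststore. Keeping
# it separate from the JDK's cacerts means only this one peer is added to trust.
import_into_truststore() {
    keytool -importcert -noprompt -alias "$SERVER_HOST" -file "$CERT_FILE" \
        -storetype PKCS12 -keystore "$CLIENT_TS" -storepass "$TRUST_PASS"
}

# Step 4: count entries of one kind (PrivateKeyEntry or trustedCertEntry) in a
# store, so the outcome can be asserted instead of eyeballed.
count_entries() {  # $1 store, $2 store password, $3 entry kind
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -c "$3" || true
}

if command -v keytool >/dev/null 2>&1; then
    gen_server_keystore    >/dev/null 2>&1
    export_server_cert     >/dev/null 2>&1
    import_into_truststore >/dev/null 2>&1
    echo "server keystore, private keys  : $(count_entries "$SERVER_KS" "$STORE_PASS" PrivateKeyEntry)"   # expect 1
    echo "client truststore, private keys: $(count_entries "$CLIENT_TS" "$TRUST_PASS" PrivateKeyEntry)"   # expect 0
    echo "client truststore, trusted certs: $(count_entries "$CLIENT_TS" "$TRUST_PASS" trustedCertEntry)" # expect 1
    echo "client JVM flags: -Djavax.net.ssl.trustStore=$CLIENT_TS -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=<password>"
else
    echo "keytool not found on PATH; install a JDK first" >&2
fi
```

Passing the trust store as `-D` flags on the client's command line, as the last line prints, keeps the password out of source code and lets each deployment point at its own store. The check at the end is the one worth keeping around: the client truststore must show zero PrivateKeyEntry lines, because a truststore that contains the server's private key means the keystore itself was copied instead of the exported certificate.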
Licensed under: CC-BY-SA with attribution