SSL Configuration - Client perspective
A keystore is used for authentication, the process by which one entity verifies the identity of another. On the client side this means two files: a keystore holding the client's own key pair (its identity) and a truststore holding the certificates of the partners it is willing to talk to. The sections below illustrate how to generate both.
Generating a Client Keystore
A keystore is a file that holds public/private key pairs together with their certificates. The Java keytool utility, found in %JAVA_HOME%/bin, is used to generate the key pair and a self-signed certificate for it.
To generate a keystore, open the command prompt and type in the following command line and press the Enter key:
%JAVA_HOME%\bin\keytool -genkey -alias [alias name] -keystore [keystoreName] -keyalg [algorithm] -validity [days in integer] -storepass [store password] -keypass [key password]
Here is a brief description of the options used in the keytool command:
- -genkey: Requests keytool to generate a key pair and a self-signed certificate for it (-genkeypair is the current name of this command; -genkey is still accepted as an alias)
- -alias: Identifies the new key pair within the keystore
- -storetype: Declares the type of the keystore. It is not given in the command above, so keytool uses its default: JKS in older Java releases and PKCS12 since Java 9. The type configured on the product side must match the file actually produced
- -keyalg: Declares the public key algorithm; we specify RSA explicitly. Do not rely on the default, which has varied between releases (older versions of keytool generated DSA keys when the option was omitted)
- -storepass: Specifies the password for the entire keystore
- -keypass: Specifies the password for the private key. For PKCS12 keystores it must equal the store password; keytool ignores a different value and prints a warning
- -validity: Validity of the generated self-signed certificate in days; once it lapses the partner will reject the client's certificate and a new one must be generated and distributed
- -keystore: File that holds the public and private key pairs
For example, to generate the keystore in the directory D:\WorkStudio\keystore, then the command would be:
D:\WorkStudio\keystore>%JAVA_HOME%\bin\keytool -genkey -alias client1 -keystore client1.keystore -keyalg RSA -validity 365 -storepass cl1storepass -keypass cl1keypass
Press the Enter key. The result of the command is shown in the figure below.
Figure 1: Running the keytool command
keytool prompts for the fields of the certificate's distinguished name (your name, organizational unit, organization, city, state and country) as shown above; type in the answers, or pass them non-interactively with -dname "CN=client1, OU=..., O=..., C=...". The keystore file is then written to the specified directory. The next step is to create a truststore and add the server certificate to it.
Host Alias
In the above sample, "client1" is the host alias. When configuring POP3, enter it as the value of the alias text box in the Signature Configuration panel.
Getting the Digital Certificate of Partner
A digital certificate contains the partner's public key and is stored in a truststore (also a keystore file). The truststore is the file from which the certificates of trusted sites and parties are retrieved for authentication. To build a truststore you first have to obtain and save the certificate of the partner you are going to communicate with. Note that what you import is the partner's current certificate: when the partner renews or replaces it, the truststore entry must be replaced too, or connections will start failing. The sample below shows how to add a certificate to the truststore:
- Type in the address of the secure website on the address bar of your internet browser. As an example, you may type in https://adwords.google.com. The following dialog is displayed (if no alert appears because the browser already trusts the site, open the certificate from the padlock icon instead).
Figure 2: Security Alert dialog
- Click the View Certificate button. The Certificate dialog is displayed.
Figure 3: Certificate dialog
- Click the Details tab and highlight the public key.
Figure 4: Public Key
- Next, click the Copy to File button and save the certificate file in the directory where the keystore has been generated.
Figure 5: Certificate Export wizard
The process of copying and saving the digital certificate differs from browser to browser, but the concept is the same. This guide illustrates the process in Internet Explorer.
Once you have saved the digital certificate, you are now ready to create the truststore.
Creating the Client Truststore
Perform the following procedure to create a trust store:
Open the command prompt and type in the following command and press Enter:
Your directory>%JAVA_HOME%\bin\keytool -import -alias [alias name] -file [file name.cer] -keystore [truststorename.keystore] -storepass [store password]
If you want to generate the truststore in the directory D:\WorkStudio\keystore, then the command would be:
D:\WorkStudio\keystore>%JAVA_HOME%\bin\keytool -import -alias mailserver -file googlesrv.cer -keystore truststore.keystore -storepass trustpass
- Next press the Enter key. keytool prints the certificate's owner, issuer, validity period and fingerprints and asks "Trust this certificate? [no]:". Compare the fingerprint with one obtained from the partner out of band before answering yes; whatever you import here is trusted unconditionally. The result of the command is shown in the figure below.
Figure 6: Command Prompt
Once the keystore and the truststore have been created, you are now ready to use them in the configuration.
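The following PowerShell script is an added example, not part of this page or of the product's own tooling. It runs the whole client-side procedure above non-interactively: it generates the client keystore without prompts, fetches the partner's certificate directly over TLS instead of exporting it from a browser, checks its SHA-256 fingerprint against a value obtained out of band, and only then imports it into the truststore. It assumes JAVA_HOME is set; the working directory, server name, port, passwords and expected fingerprint are placeholders to replace with your own values.

```powershell
# Added example: non-interactive version of the keystore/truststore procedure.
# Not from the original page. Paths, host, port, passwords and the expected
# fingerprint below are assumed placeholders.
$ErrorActionPreference = 'Stop'

$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$workDir = 'D:\WorkStudio\keystore'     # assumed, as in the page's example
$server  = 'mail.example.com'           # assumed partner (mail server) host name
$port    = 995                          # assumed port (POP3 over TLS)
# SHA-256 fingerprint of the partner certificate, obtained out of band (assumed value).
$expectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'

# Passwords go through environment variables (keytool's -storepass:env form)
# so they do not appear on the command line or in the shell history.
$env:CL1_STOREPASS = 'cl1storepass'
$env:TRUSTPASS     = 'trustpass'

New-Item -ItemType Directory -Force -Path $workDir | Out-Null
Set-Location $workDir

# 1. Client keystore: PKCS12, 2048-bit RSA, fixed DN so keytool asks no questions.
#    -genkeypair is the current name of -genkey. PKCS12 uses a single password
#    for store and key, so no separate -keypass is given.
& $keytool -genkeypair -alias client1 -keystore client1.keystore -storetype PKCS12 `
    -keyalg RSA -keysize 2048 -validity 365 `
    -dname 'CN=client1, OU=Integration, O=Example Corp, C=US' `
    -storepass:env CL1_STOREPASS
if ($LASTEXITCODE -ne 0) { throw 'keystore generation failed' }

# 2. Fetch the partner's certificate over TLS. The validation callback returns
#    $true only so that the handshake completes and the certificate can be read;
#    nothing is trusted at this point.
$tcp = [System.Net.Sockets.TcpClient]::new($server, $port)
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors) $true }
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($server)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 3. Verify the fingerprint before importing: anyone in the network path could have
#    served a certificate, and "keytool -importcert -noprompt" trusts whatever it gets.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''
if ($actual -ne $expectedSha256.ToLower()) {
    throw "Fingerprint mismatch for ${server}: got $actual, expected $expectedSha256"
}
Write-Host "Subject:  $($cert.Subject)"
Write-Host "NotAfter: $($cert.NotAfter)"
Write-Host "SHA-256:  $actual"

# 4. Export the certificate in DER form and import it as a trusted entry.
$cerPath = Join-Path $workDir 'mailserver.cer'
[System.IO.File]::WriteAllBytes($cerPath,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
& $keytool -importcert -noprompt -alias mailserver -file $cerPath `
    -keystore truststore.keystore -storetype PKCS12 -storepass:env TRUSTPASS
if ($LASTEXITCODE -ne 0) { throw 'truststore import failed' }

# 5. Confirm both stores hold what the configuration panels expect:
#    a PrivateKeyEntry "client1" and a trustedCertEntry "mailserver".
& $keytool -list -keystore client1.keystore    -storepass:env CL1_STOREPASS
& $keytool -list -keystore truststore.keystore -storepass:env TRUSTPASS
```

The fingerprint printed in step 3 is the same SHA-256 value keytool shows in its "Trust this certificate?" prompt, so the manual and scripted paths can be cross-checked against each other. Because both stores are created as PKCS12, the store type entered in the product's configuration must be PKCS12 as well.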
Partner Alias
In the above sample, "mailserver" is the partner's alias. When configuring SMTP, enter it as the value of the alias text box in the Encrypt/Decrypt Configuration panel.
Server connection can be tested from within the CPS by clicking the Test button in the Connection Properties panel.
If you were redirected from Jetty Security Management section, switch back to that section to continue with the configuration.