Resources about PKI infrastructure + SSL/TLS, standards, tools (keytool, openssl)

I.   PKI infrastructure
II.  PKI-related standards
III. PKI-related tools (keytool, openssl)
IV.  Configuration of Apache Server, Tomcat, SSL
V.   Notes

I. PKI infrastructure

1) !!! Deploying a Public Key Infrastructure, IBM Redbooks –> (link-pdf)
2) PKI infrastructure + SSL/TLS (Apache Server 2.2 Documentation) –> (link)

3) (in Bulgarian)

3.1) Nakov’s presentation –> (link-pdf)
3.2) Nakov’s book (chapter 1) –> List of keystore types –> (link-pdf)

II. PKI-related standards

1) !!! Deploying a Public Key Infrastructure, IBM Redbooks (chapter 5) –> (link-pdf)
2) standards overview (pmilosev’s blog) –> (link)
3) X.509 standard (wiki) –> (link)

The X.509 standard defines what information can go into a certificate and describes how to write it down (the data format). All the data in a certificate is encoded using two related standards, ASN.1 and DER: Abstract Syntax Notation One describes the data, and the Distinguished Encoding Rules describe a single, unambiguous way to store and transfer that data.

Abstract Syntax Notation One, or ASN.1, is a standard notation for describing data structures. You can think of ASN.1 as the language (independent of the alphabet) used to describe data structures.

Distinguished Encoding Rules, or DER, is a message transfer syntax and is one of the most popular formats for writing certificate data. You can think of the DER as the alphabet used to write the data.

Certificates come in two encodings: binary DER, or text (the DER bytes Base64-encoded).

Common filename extensions for X.509 certificates are:

.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”

.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)

.p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)

.p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)

.pfx – PFX, predecessor of PKCS#12
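
The following is an added example (standard library only, not code from this post or from any of the linked resources) that makes the ASN.1/DER/PEM relationship above concrete: it DER-encodes a hand-built, certificate-shaped SEQUENCE (a constructed sample, not a real X.509 certificate, because a real one cannot be assembled here), wraps it in PEM armour, sniffs whether a byte string is PEM or binary DER (since .cer/.crt/.der may hold either), strips the armour back to DER, and walks the outer SEQUENCE with a reader that enforces DER’s “exactly one encoding” rule by rejecting indefinite and non-minimal lengths that BER would accept. All tag constants, the OID bytes and the sample values are assumptions made for the example.

```python
import base64
import re

# Universal tags used below (ASN.1 tag numbers, primitive/constructed bit included).
SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one TLV with DER's definite, minimal-form length: short form below
    128 bytes, otherwise 0x80|n followed by the n-byte big-endian length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content


# Constructed sample: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
# signatureValue } with placeholder members (NOT a real certificate).
TBS = der_encode(SEQUENCE, der_encode(INTEGER, b"\x02") + der_encode(INTEGER, b"\x10\x01"))
SIG_ALG = der_encode(SEQUENCE, der_encode(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # 1.2.840.113549.1.1.11
SIG_VALUE = der_encode(BIT_STRING, b"\x00" + b"\xaa" * 130)  # 0 unused bits + dummy bytes: long-form length
SAMPLE_DER = der_encode(SEQUENCE, TBS + SIG_ALG + SIG_VALUE)

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64 the DER bytes, wrap at 64 columns and add the BEGIN/END armour."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def detect_encoding(data: bytes) -> str:
    """Sniff the content rather than trusting the extension; returns 'pem' or 'der'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == bytes([SEQUENCE]):
        return "der"
    raise ValueError("neither PEM armour nor a DER SEQUENCE")


def to_der(data: bytes) -> bytes:
    """Return raw DER, decoding the PEM armour when present."""
    if detect_encoding(data) == "der":
        return data
    m = PEM_RE.search(data.decode("ascii"))
    if m is None:
        raise ValueError("malformed PEM block")
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos -> (tag, content, next_pos). Enforces DER: definite
    length only, and the shortest possible length encoding (BER allows several)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        hdr = 2 + nbytes
        if pos + hdr > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise ValueError("non-minimal length encoding: BER-legal, DER-illegal")
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos + hdr:end], end


def is_strict_der(buf: bytes) -> bool:
    """True when buf is exactly one well-formed DER TLV with nothing trailing."""
    try:
        _, _, end = read_tlv(buf, 0)
        return end == len(buf)
    except ValueError:
        return False


def certificate_shape(data: bytes) -> dict:
    """Split the outer Certificate SEQUENCE (PEM or DER input) into its three
    members and report each member's (tag, content length)."""
    der = to_der(data)
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("top level must be exactly one SEQUENCE")
    members, pos = [], 0
    while pos < len(body):
        t, content, pos = read_tlv(body, pos)
        members.append((t, len(content)))
    if len(members) != 3:
        raise ValueError(f"expected 3 members, found {len(members)}")
    return dict(zip(("tbsCertificate", "signatureAlgorithm", "signatureValue"), members))


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem)
    print(certificate_shape(pem.encode("ascii")))
```

The strictness in read_tlv is the practical point of “DER describes a single way to store the data”: a verifier that accepts BER-style alternative encodings lets the same certificate exist as several distinct byte strings, which is exactly what signature and fingerprint checks over the raw bytes assume cannot happen.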

4) ASN.1 standard (wiki) –> (link)
5) List of some keystore types –> (link)
6) keystore vs. truststore

A keystore contains private keys, and the certificates with their corresponding public keys.
A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.

6.1) Generating a KeyStore and TrustStore (Oracle documentation) –> (link)
6.2) JKS and JCEKS keystores –> (link)
JCEKS keystore (Oracle documentation) –> (link)
6.3) Creating a key and trust store with JSSE in Java (client and server) –> (link)
6.4) keystore vs. truststore (victor-jan’s blog) –> (link)
6.5) Step by step tutorial to create Keystore and Truststore file (techbrainwave’s website) –> (link)

III. PKI-related tools (keytool, openssl)

1) keytool Oracle documentation –> (link)
2) openssl homepage –> (link), (howtos)
3) !!! conshell wiki (keytool, openssl, conversion between them) –> (link)
4) convert ssl-certificate to different formats (Mohan Cheema’s blog) –> (link)

5) Tool examples

5.1) keytool documentation examples –> (link)
5.2) tool examples (Misho’s blog) –> (link)
5.3) tool examples (informst) –> (link)
5.4) tool examples – keytool (mobilefish) –> (link)
5.5) tool examples – openssl (mobilefish) –> (link)
5.6) tool examples (hansonchar’s blog) –> (link)
5.7) tool examples (startux website) –> (link)
5.8) tool examples (sslshopper website) –> (link)

6) Cryptography Tutorials (Herong Yang) –> (link)
7) KeyStore Explorer –> (link)
KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool, jarsigner and jadtool.


IV. Configuration of Apache Server, Tomcat, SSL

1) Configuration of Apache Tomcat 7 with SSL –> (Apache documentation) , (mkyong-tutorial)

2) Configuration of Apache Server 2 with Tomcat –> (great NTU’s howto), (in doc-file)

3) Configuration of Apache Server 2 with SSL –> (doc-file)

4) Configuration of Apache Server 2 with Tomcat on SSL –> the same as 3), just remove the “keystoreFile” and “keystorePass” attributes from the JSSE Connector element in Tomcat’s config file “server.xml” (Apache Server terminates SSL, so Tomcat no longer needs the keystore).

V. Notes

1) Check your server certificate installation (sslshopper) –> (link), (link)
2) The default keystore of the JDK/JRE is located in the JDK installation directory “%JDK_ROOT%/jre/lib/security” in the “cacerts” file.

3) My pitfalls during the configuration of Apache Tomcat with SSL:

– the path to the keystore file must be correct; use ${user.home} as is done in Apache Tomcat’s documentation.

– sometimes it is necessary to comment out the APR Listener element declared in the default “server.xml” file (so that Tomcat’s default JSSE Connector is used for SSL).

4) Misho’s website:

(1) self-signed certificate
(2) root CA
(3) root CA’s signing of the request
(4) importing the root CA’s certificate reply over the self-signed certificate


About tsvetanv

Friends, Books, Music, Math, Programming.
This entry was posted in Java. Bookmark the permalink.
