Wednesday, June 30, 2010

Using KeyMan To Generate Keys and Certs

This post continues my series around Jetty. Previous posts discuss setting up a basic embedded Jetty application, and then some adjustments to repeat that exercise in a Cygwin environment. My next step is to configure SSL...now, I recall earlier adventures using Java's keytool to manage this, and have hoped for something better. Jetty's documentation pointed me to KeyMan, which is by far a nicer way to go - it provides a decent intuitive GUI to help create, delete, and otherwise manage keys and certificates, among other things. Here's an outline of how to use KeyMan to create a PKCS#12 keystore with a self-signed certificate and public-private key pair:

  • Download, install (unpack zip, etc.), read the README.txt. I did nothing with the km.setup file, but did edit the km.bat as instructed. Turns out that, since I'm on cygwin, that wasn't needed; instead, I execute the km program. Click on the "New" icon to create a new "token" (i.e. repository for keys, certs, etc.):



  • Choose the PKCS#12 Token from the next dialog, and hit the checkmark ("Complete Dialog") to proceed:



  • Next, you need to store a key and a certificate in this token. Select "Actions -> Generate Key" from the token management window that appears:



  • The default algorithm is RSA-1024; that's strong enough for my needs. Click the Complete Dialog checkmark...this takes a second to complete, offering a cool little progress bar while you wait. The new key shows up in the All Certificate Items viewport of the token management window; now we need a certificate to go with it. Click "Actions -> Create Certificate...". Self-signed is good enough for my needs. Click checkmark and fill in the fields as needed (only "Your name" is required):




  • A verification appears when you check "Complete Dialog" here, with the option to label this certificate. Enter a label if you wish, and again move on with the checkmark:



  • Save the token to a file by selecting File -> Save. This first prompts you for a passphrase, then a file location.
Prove to yourself that the keystore (token, repository, whatever) is really there and that you can view it in human-friendly form by first exiting the program, restarting it and selecting the "Open existing..." icon, then "Local resource..." and "Open a file...". Browse to the file location you just saved to, enter the passphrase, and you should see your token listed in the Private Certificates category (in the dropdown). Click right on that item and you'll see all the informational details entered when you created the certificate.
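The same sequence on the command line with OpenSSL (one of the tools linked at the end of this post), added here as an example and not taken from the original post or from KeyMan: generate the key pair, self-sign a certificate, bundle both into a passphrase-protected PKCS#12 file, then reopen it to confirm the subject and that a wrong passphrase is rejected. The scratch directory, the common name "jetty-demo", the passphrase "changeit" and the key size are this example's own choices; it uses RSA-2048 rather than the post's 1024 bits because 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the KeyMan steps with OpenSSL.
# Assumptions: openssl is on PATH; scratch files go under $TMPDIR (or /tmp).
set -eu

WORK="${TMPDIR:-/tmp}/keyman-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Steps "Generate Key" and "Create Certificate": RSA key pair plus a self-signed
# certificate. Step "Save": bundle them into a PKCS#12 token under a passphrase.
#   $1 = common name (KeyMan's "Your name"), $2 = passphrase, $3 = output .p12 path
make_keystore() {
  cn="$1"; pass="$2"; out="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
    -keyout "$WORK/$cn.key.pem" -out "$WORK/$cn.cert.pem" >/dev/null 2>&1
  # -name sets the friendlyName, the equivalent of the label KeyMan asks for.
  openssl pkcs12 -export -inkey "$WORK/$cn.key.pem" -in "$WORK/$cn.cert.pem" \
    -name "$cn" -out "$out" -passout "pass:$pass"
}

# Step "Prove to yourself": reopen the token. The exit status says whether the
# passphrase verified the file's integrity MAC.  $1 = .p12 path, $2 = passphrase
keystore_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Extract only the certificate and print its subject (what the viewer shows when
# you click the item under "Private Certificates").  $1 = .p12 path, $2 = passphrase
keystore_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Usage: build a token and view it, the way the post walks through it in the GUI.
P12="$WORK/jetty-demo.p12"
make_keystore "jetty-demo" "changeit" "$P12"
keystore_subject "$P12" "changeit"
```

The passphrase is what protects the private key at rest, so the wrong-passphrase check is the part worth keeping: a token that opens without it is not protected at all. If the file has to be read by an old Java runtime, OpenSSL 3's `-legacy` option on the export step falls back to the older PKCS#12 ciphers.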

Next, I'll see about using that keystore for my Jetty SSL setup. Meanwhile, here are some useful links around KeyMan, SSL and Jetty's SSL instructions:

  • Solaris Keytool: http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
  • Windows Keytool: http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
  • KeyMan: http://www.alphaworks.ibm.com/tech/keyman
  • OpenSSL: http://www.openssl.org/docs/HOWTO/
  • OpenSSL FAQ: http://www.openssl.org/support/faq.html
  • Jetty SSL: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL

1 comment:

  1. Hi there very cool website!!
    Man .. Excellent .. Wonderful .. I will bookmark
    your web site and take the feeds also?
    I am glad to seek out numerous useful information
    right here in the post, we need to develop
    more strategies on this regard, thank you for sharing.
    . . . . .

    Look at my web site ... what is
    a vps ()
