This video helps you to understand SSL in the simplest way!!
An SSL certificate is necessary for more than just distributing the public key: if it is signed by a trusted third party, it verifies the identity of the server so clients know they aren’t sending their information to the wrong person.
So what is a self-signed certificate?
It is a certificate that is signed by itself rather than a trusted third party. Isn’t that bad? In most cases, yes. You will almost never want to use a self-signed certificate on a public apache server that requires anonymous visitors to connect to your site because they could easily become a victim of a man-in-the-middle attack. However, self-signed certificates have their place:
- Self-signed certificates can be used on an Apache development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
- Self-signed certificates can be used on an intranet. When clients only have to go through a local intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
- Self-signed certificates can be used on personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.
For example:
WebLogic Server is configured by default with Demo Identity and Demo Trust. To use these, you need to enable the SSL port under the General Tab of the server and generate a demo certificate using keytool utility of weblogic, and WLS will start listening over SSL on that port.
To generate the certificates, you need to use keytool. It is a standard java keystore utility. This is included with the Java SE JDK as well as the JRockit JDK.
A keystore is a database of key material. Key material is used for a variety of purposes, including authentication and data integrity.
There are two types of keystores:
identity keystores: An identity keystore contains the server's private key and is therefore referred to as the identity. This keystore can contain more than one private key.
trust keystores: A trust keystore contains the root and intermediate certificates which are trusted by the server.
However, using these demo certificates is not recommended in a production environment because they do not provide adequate security. Instead of using the demo certificates, we can either get our certificates signed by a third-party certifying authority or use self-signed certificates (use our own root ca which we can use to sign our own certificates).
since for demonstration purpose we cannot afford a certificate signing authority to sign our certificate, we use self signed certificate.
For instance, lets try to install one on a weblogic server
Step1: create a private key/identity store:
Organisation Unit=?
Organisation=?
City=?
State=?
County=?
after entering all the above details type 'yes'
Step2: being a self-signed, export the same cert into identity store (root cert)
Step3: import same cert into trust store which will be root.cert
this will list out your certificate request details
owner:
Issuer:
Serial number:
Validity:
certificate fingerprints:
Algorithms:
Version:
which will ask you to trust this certificate? : 'yes'
and it will add the certificate to your keystore
now after successful generation of certs, let weblogic know what have you generated
login to console & navigate to : servers > serverName > configuration > keystore
-custom identity keystore : path to your identity.jks
-custom identity keystore type: jks
-custom identity keypass : weblogic1
-custom identity identity store pass : weblogic1
-custom trust keystore: path to your trust.jks
-custom trust keystore type: jks
-custom trust keypass: weblogic1
-custom trust trust store pass: weblogic1
navigate to SSL tab and update following:
-private key alias: selfcert
-private key pass: weblogic1
enable SSL port by navigation to configuration > general and update the port number
restart the service for changes to take effect
now try to access the service on https://localhost:7002/console
(here I have installed cert on admin server of weblogic domain)
$JAVA_HOME/keytool -genkey -alias slefcert -keyalg RSA -keypass weblogic1 -keystore identity.jks -storepass weblogic1 -validity 365
you will be asked a few questions like:Organisation Unit=?
Organisation=?
City=?
State=?
County=?
after entering all the above details type 'yes'
Step2: being a self-signed, export the same cert into identity store (root cert)
$JAVA_HOME/keytool -export -alias mycert -file root.cer -keystore identity.jks -storepass weblogic1
Step3: import same cert into trust store which will be root.cert
$JAVA_HOME/keytool -import -alias selfcert -trustcacerts -file root.cer -keystore tust.jks -storepass weblogic1
this will list out your certificate request details
owner:
Issuer:
Serial number:
Validity:
certificate fingerprints:
Algorithms:
Version:
which will ask you to trust this certificate? : 'yes'
and it will add the certificate to your keystore
now after successful generation of certs, let weblogic know what have you generated
login to console & navigate to : servers > serverName > configuration > keystore
-custom identity keystore : path to your identity.jks
-custom identity keystore type: jks
-custom identity keypass : weblogic1
-custom identity identity store pass : weblogic1
-custom trust keystore: path to your trust.jks
-custom trust keystore type: jks
-custom trust keypass: weblogic1
-custom trust trust store pass: weblogic1
navigate to SSL tab and update following:
-private key alias: selfcert
-private key pass: weblogic1
enable SSL port by navigation to configuration > general and update the port number
restart the service for changes to take effect
now try to access the service on https://localhost:7002/console
(here I have installed cert on admin server of weblogic domain)
--
No comments:
Post a Comment