TLS/SSL Certificates Part 2

Just a quick cheatsheet to add some clarity to SSL/TLS management.

Figure: Certificate Creation Workflow

Key Formats

Private key: *.key, *.der; binary. Can be encrypted.

Certificate Signing Request Formats

PKCS#10: *.csr; RFC 2986. Can be encrypted.

Certificate Formats

X.509 DER (binary): *.cer, *.crt, *.cert, *.der; single certificate.
PKCS#7: *.p7b, *.p7c; certificate only, no private key. RFC 2315. Used by Windows and Java.
PKCS#12: *.p12, *.pfx; private key and certificate chain. Can be encrypted. Used by Netscape, MSIE, MS Outlook, Java keystore.

All formats can be converted to PEM (Base64 encoding of the binary file). RFC 1421, RFC 1424.
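As an added example (not part of the original post), the conversions above carried out with openssl: a constructed key, CSR and self-signed certificate are round-tripped through DER, PKCS#7 and an encrypted PKCS#12, and the SHA-256 fingerprint is compared after each step so a silently corrupted conversion is caught. It assumes openssl 1.1 or later on PATH; the subject name and password are placeholders.

```shell
#!/bin/sh
# Round-trip one certificate through the formats in the cheatsheet and check that
# every copy still has the fingerprint of the original. Runs in a temp directory.
set -eu

cert_roundtrip() (
    work=$(mktemp -d)
    cd "$work"

    # 1. Private key + self-signed X.509 cert + PKCS#10 CSR, all PEM (constructed identity)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
        -subj "/CN=example.test" -days 1 >/dev/null 2>&1
    openssl req -new -key key.pem -out req.csr -subj "/CN=example.test" >/dev/null 2>&1
    openssl req -in req.csr -noout -verify >/dev/null 2>&1     # CSR self-signature must verify

    # Private key PEM -> DER (binary) and back; pkey fails if the DER does not parse
    openssl pkey -in key.pem -outform DER -out key.der
    openssl pkey -in key.der -inform DER -noout

    ref=$(openssl x509 -in cert.pem -noout -fingerprint -sha256)

    # 2. Certificate PEM -> DER -> PEM
    openssl x509 -in cert.pem -outform DER -out cert.der
    openssl x509 -in cert.der -inform DER -out cert_from_der.pem

    # 3. PEM -> PKCS#7 (.p7b, certificates only, no private key) -> PEM
    openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
    openssl pkcs7 -in cert.p7b -print_certs -out cert_from_p7b.pem

    # 4. PEM key + cert -> password-protected PKCS#12 (.p12/.pfx) -> certificate PEM
    openssl pkcs12 -export -inkey key.pem -in cert.pem -out bundle.p12 -passout pass:changeit
    openssl pkcs12 -in bundle.p12 -nokeys -passin pass:changeit -out cert_from_p12.pem >/dev/null 2>&1

    # 5. Each converted copy must carry the same SHA-256 fingerprint as the original
    for f in cert_from_der.pem cert_from_p7b.pem cert_from_p12.pem; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
        [ "$fp" = "$ref" ] || { echo "fingerprint mismatch in $f" >&2; exit 1; }
    done
    cd / && rm -rf "$work"
    echo "all conversions preserve the certificate: $ref"
)
```

The function body runs in a subshell, so the temporary directory and the cd do not leak into the calling shell.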

Keystore/Truststore Formats (Java)

Java Keystore (JKS): *.jks; proprietary Java format. Can be encrypted.
PKCS#12: *.p12; private key and certificate chain. Can be encrypted.

If encrypted, the password needs to be specified via the command line or server.xml.

Keystore and Truststore can be combined.
Default names: keystore.jks, cacerts.jks
Stores have an alias for each entry.

Figure: Keystore and Truststore Contents

File types and formats: http://www.zytrax.com/tech/survival/ssl.html

Certificate attributes: http://superuser.com/questions/619008/how-to-properly-setup-openssl-ca-to-generate-ssl-client-certificates

Certificate authentication: https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication
