SSL Server/Client in Java Using JSSE
Abdelilah Essiari, Willie Chin
September 27, 2002
Introduction
There are three entities in our universe. The
"Test-CA" is the root Certificate Authority (CA). He issues
the certificates for the two end entities: "Test-Client" (client)
and "Test-Server" (server).
How the X509 Certificates were Generated Using the openssl Command
- Generating the CA's certificate.
> openssl req -new -x509 -days 1095 -keyout ca.key -out cas.pem
Where "cas.pem" is the file name used to store the CA's x509 certificate,
valid for about 3 years, and "ca.key" is the file name for the CA's private
key, encrypted with the passphrase "testing".
- Generating the client's key without encryption.
- Generating the client's certificate request.
- Have the Certificate Authority issue the certificate to the client.
> openssl x509 -req -in client.req -CA cas.pem -CAkey ca.key -CAserial file.srl -out client.pem -days 1095
Where "client.pem" is the file name used to store the client's x509
certificate. "file.srl" is a file that contains the serial number, starting
with "00".
- To view the certificate in ascii format.
> openssl x509 -in client.pem -text
Generating a P12 file.
- This file consists of the client's private key and its certificate
chain. It is encrypted with the passphrase "testing".
> openssl pkcs12 -export -chain -CAfile cas.pem -out client.p12 -inkey client.key -in client.pem -name "Test Client"
- To view the P12 in ascii format.
> openssl pkcs12 -in client.p12 -info
- The steps above were repeated for the test server.
To make sure that the P12 is generated correctly you can do the following
(we use the default DES-encrypted key):
> openssl pkcs12 -in testClient.p12 -out testClientReadFromP12.pem
Compiling SSLServer and Client with Java1.3
SSLServer and Client are written for Java 1.4. Both can also work with Java 1.3 by changing some of the import statements. The following is an example of a statement that needs to be changed to compile with Java 1.3:
Compiling with Java 1.4:
import javax.net.ssl.KeyManagerFactory;
Compiling with Java 1.3:
import com.sun.net.ssl.KeyManagerFactory;
(This class can be found in "/usr/local/java/jsse/lib/jsse.jar".)
Note: Java 1.4 SSL accepts pkcs12 files generated by OpenSSL. Java 1.3 SSL accepts pkcs12 files generated by Netscape, but not OpenSSL. To use Java 1.3 with pkcs12 files generated by OpenSSL, import the pkcs12 files into Netscape and export them out again.
Simple SSL Server and Client Example
The source code consists of two Java files, TestServer.java and TestClient.java.
After building them, run "make runServer" to start the server and "make runClient" to run the client.
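The following is an added example, not the TestServer.java/TestClient.java code from the original page. It ties the two halves of the page together: it checks that the client.p12, server.p12 and cas.pem produced by the openssl steps above load into Java keystores, then runs a mutually authenticated JSSE server and client against each other. File names and the passphrase "testing" are the ones used above; server.p12 is assumed to be the server's P12 generated by the same steps. The port (0, chosen by the OS), the "ping" message and the class name MutualTlsDemo are assumptions, and the code targets a current JDK (javax.net.ssl, Java 8 or later) rather than Java 1.3/1.4.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/*
 * Added example (not from the original page): a mutual-TLS round trip with JSSE.
 * The server identifies itself with server.p12 and the client with client.p12,
 * both produced by the openssl steps above (passphrase "testing"); both sides
 * trust only the Test-CA certificate in cas.pem.
 */
public class MutualTlsDemo {
    static final char[] PASS = "testing".toCharArray();   // passphrase from the page

    /** Load a PKCS#12 file as a KeyStore; this is what KeyManagerFactory consumes. */
    static KeyStore loadP12(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASS);
        }
        return ks;
    }

    /** Build an in-memory trust store that holds only the CA certificate from cas.pem. */
    static KeyStore trustStoreFromPem(String caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                         // start with an empty store
        try (InputStream in = new FileInputStream(caPem)) {
            ts.setCertificateEntry("test-ca", cf.generateCertificate(in));
        }
        return ts;
    }

    /** SSLContext that presents the key in p12Path and trusts only the CA in caPem. */
    static SSLContext context(String p12Path, String caPem) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadP12(p12Path), PASS);            // fails here if the P12 is malformed
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStoreFromPem(caPem));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext serverCtx = context("server.p12", "cas.pem");   // server.p12: assumed name
        SSLContext clientCtx = context("client.p12", "cas.pem");

        SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        server.setNeedClientAuth(true);   // require a client certificate issued by Test-CA
        int port = server.getLocalPort();

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                // getSession() completes the handshake; the peer chain is the client's chain
                X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                String who = peer.getSubjectX500Principal().getName();
                BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream()));
                PrintWriter w = new PrintWriter(s.getOutputStream(), true);
                w.println("hello " + who + ", you said: " + r.readLine());
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        serverThread.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port)) {
            c.startHandshake();   // throws if the server's certificate does not chain to Test-CA
            PrintWriter w = new PrintWriter(c.getOutputStream(), true);
            w.println("ping");
            BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream()));
            System.out.println(r.readLine());
        }
        serverThread.join();
        server.close();
    }
}
```

Two points worth checking when adapting this: `setNeedClientAuth(true)` is what turns the server into a mutual-TLS endpoint, so a client without a Test-CA-issued certificate is rejected during the handshake rather than after it; and a plain SSLSocket does not compare the server's certificate name with the host it connected to, so a real client should additionally call `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the socket's parameters before the handshake.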