NJC: Day 5
Tuesday, July 5th, 2011At this point, I’ve been doing the new job for a week and routines are forming.
I started the morning using a company card to pay for SSL certificates and then spent the rest of the day making them work with JBoss and Apache. The Apache part was the easy part, as the certificates were already in the correct form. Using Subject Alternate Names with the wildcard certificate meant that I could secure a variety of systems using it, with varying depths of subdomains.
But JBoss was a problem and here’s why. All the examples I could find on the web gloss over using a real certificate. They assume that it’s good enough to show you the syntax for a self-signed certificate you generate using keytool. In my case, it wasn’t. The process for using a CA-signed certificate turned out to be very different.
So here’s the key thing to know if you try this craziness. Keytool is a vicious betrayer of hope and will quietly do the wrong thing if you don’t fully grok what it does/wants. You need to turn to something else, in this case, openssl. This command will take your private key and put it in a form keytool can use:
openssl pkcs8 -topk8 -nocrypt -in /your/private/ssl.key -inform PEM -out /someplace/safe/key.der -outform DER
Then this command will turn your SSL certificate into something keytool can use:
openssl x509 -in /your/private/ssl.crt -inform PEM -out /someplace/safe/cert.der -outform DER
Then you run those files through a program someone else wrote. Not entirely excited about it but I read the source and it didn’t seem too dire.
import java.security.*;
import java.io.IOException;
import java.io.InputStream;
import java.io.FileInputStream;
import java.io.DataInputStream;
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.security.spec.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Iterator;
/**
* ImportKey.java
*
*
This class imports a key and a certificate into a keystore
* ($home/keystore.ImportKey). If the keystore is
* already present, it is simply deleted. Both the key and the
* certificate file must be in DER-format. The key must be
* encoded with PKCS#8-format. The certificate must be
* encoded in X.509-format.
*
*
Key format:
*
openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der
* -outform der*
Format of the certificate:
*
openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform
* der*
Import key and certificate:
*
java comu.ImportKey YOUR.KEY.der YOUR.CERT.der
*
*
Caution: the old keystore.ImportKey-file is
* deleted and replaced with a keystore only containing YOUR.KEY
* and YOUR.CERT. The keystore and the key has no password;
* they can be set by the keytool -keypasswd-command for setting
* the key password, and the keytool -storepasswd-command to set
* the keystore password.
*
The key and the certificate is stored under the alias
* importkey; to change this, use keytool -keyclone.
*
* Created: Fri Apr 13 18:15:07 2001
* Updated: Fri Apr 19 11:03:00 2002
*
* @author Joachim Karrer, Jens Carlberg
* @version 1.1
**/
public class ImportKey {
/**
*
Creates an InputStream from a file, and fills it with the complete
* file. Thus, available() on the returned InputStream will return the
* full number of bytes the file contains
* @param fname The filename
* @return The filled InputStream
* @exception IOException, if the Streams couldn’t be created.
**/
private static InputStream fullStream ( String fname ) throws IOException {
FileInputStream fis = new FileInputStream(fname);
DataInputStream dis = new DataInputStream(fis);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
return bais;
}
/**
*
Takes two file names for a key and the certificate for the key,
* and imports those into a keystore. Optionally it takes an alias
* for the key.
*
The first argument is the filename for the key. The key should be
* in PKCS8-format.
*
The second argument is the filename for the certificate for the key.
*
If a third argument is given it is used as the alias. If missing,
* the key is imported with the alias importkey
*
The name of the keystore file can be controlled by setting
* the keystore property (java -Dkeystore=mykeystore). If no name
* is given, the file is named keystore.ImportKey
* and placed in your home directory.
* @param args [0] Name of the key file, [1] Name of the certificate file
* [2] Alias for the key.
**/
public static void main ( String args[]) {
// change this if you want another password by default
String keypass = “importkey”;
// change this if you want another alias by default
String defaultalias = “importkey”;
// change this if you want another keystorefile by default
String keystorename = System.getProperty(“keystore”);
if (keystorename == null)
keystorename = System.getProperty(“user.home”)+
System.getProperty(“file.separator”)+
“keystore.ImportKey”; // especially this 
// parsing command line input
String keyfile = “”;
String certfile = “”;
if (args.length < 2 || args.length>3) {
System.out.println(“Usage: java comu.ImportKey keyfile certfile [alias]“);
System.exit(0);
} else {
keyfile = args[0];
certfile = args[1];
if (args.length>2)
defaultalias = args[2];
}
try {
// initializing and clearing keystore
KeyStore ks = KeyStore.getInstance(“JKS”, “SUN”);
ks.load( null , keypass.toCharArray());
System.out.println(“Using keystore-file : “+keystorename);
ks.store(new FileOutputStream ( keystorename ),
keypass.toCharArray());
ks.load(new FileInputStream ( keystorename ),
keypass.toCharArray());
// loading Key
InputStream fl = fullStream (keyfile);
byte[] key = new byte[fl.available()];
KeyFactory kf = KeyFactory.getInstance(“RSA”);
fl.read ( key, 0, fl.available() );
fl.close();
PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
PrivateKey ff = kf.generatePrivate (keysp);
// loading CertificateChain
CertificateFactory cf = CertificateFactory.getInstance(“X.509″);
InputStream certstream = fullStream (certfile);
Collection c = cf.generateCertificates(certstream) ;
Certificate[] certs = new Certificate[c.toArray().length];
if (c.size() == 1) {
certstream = fullStream (certfile);
System.out.println(“One certificate, no chain.”);
Certificate cert = cf.generateCertificate(certstream) ;
certs[0] = cert;
} else {
System.out.println(“Certificate chain length: “+c.size());
certs = (Certificate[])c.toArray();
}
// storing keystore
ks.setKeyEntry(defaultalias, ff,
keypass.toCharArray(),
certs );
System.out.println (“Key and certificate stored.”);
System.out.println (“Alias:”+defaultalias+” Password:”+keypass);
ks.store(new FileOutputStream ( keystorename ),
keypass.toCharArray());
} catch (Exception ex) {
ex.printStackTrace();
}
}
}// KeyStore
As found at Agent Bob.
Then the last remaining tricky bit is getting it out of the keystore this program creates and in to the one you intend to use. That could be as easy as just pointing jboss at this keystore but I made it harder and did this to copy from one keystore into another.
keytool -importkeystore -srckeystore /the/keystore/made/by/importkey.java/keystore.ImportKey -srcstorepass importkey -destkeystore /the/one/you/use/jboss.keystore -deststorepass somethingclever -alias importkey -destalias production -srckeypass importkey -destkeypass somethingclever
Then I edited /usr/local/java/jboss-VERSION/server/default/deploy/jboss-web.deployer/server.xml to modify the 8443 SSL connector they ship to do this:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
address="${jboss.bind.address}"
keystoreFile="/usr/local/java/jboss-VERSION/server/default/conf/ark.keystore"
keyAlias="production"
keystorePass="somethingclever"
clientAuth="false" sslProtocol="TLS" />
During this day I also got my hands on the 12G file which is a Windows virtualbox image in use by my nearest IT group. This doesn’t reveal some deep latent desire to be using Windows after all this time, this was me attempting to solve an issue for the people around me without taking on administration of Windows systems. It very nearly worked.
ETA: the key has its own password separate from the keystore. You can change it when you import that key into the new keystore, so I updated the command to reflect that.
