Surely in one of your Java developments, you have had to deal with certificates to connect to third parties or to secure your application. We bring you a guide of SSL certificates guide for Java developers that will help you in your applications and better understand their operation.

What is an HTTPS connection?

One of the most important parts of the internet is security, creating a secure environment between client and server, in which the client can trust the server.

In this context of establishing secure connections, the https protocol (Hyper Text Transfer Protocol Secure) appears, in which an SSL certificate is needed to create an encrypted channel between the client and the server.

This system works with the public key and private key system. Which the server creates a public key certificate that is signed by a certification authority. So, when a website is secure, we will see a lock, and the browser will tell us that the website is secure.

The public and private keys are linked, meaning that one cannot be used without the other. For example, to send an encrypted message to a server, I have to encrypt it with its public key so that it can be decrypted with its private key.

What is an SSL certificate?

An SSL certificate is a component that will allow us to create a secure connection between client and server.

SSL certificates consist of a private key and a public key, both of which must work together to establish a secure connection. To create a certificate, we have two options: generate a self-signed certificate or generate a certificate signed by an authority. We will see both cases below.

Self-signed certificate

As the name suggests, a self-signed certificate is one that is signed by oneself. This means that it has not been signed by any known authority (CA), but rather by the server hosting the certificate. These certificates are called self-signed.

These types of certificates will allow you to connect via https, but as they are not signed by an authority stored in your browser, the browser itself will give you a warning that it may be dangerous.

Further down, we will see how to generate a certificate of this type.

Certificates signed by an authority

Unlike the previous certificates, this type of certificate will be generated to be signed by a known authority. This authority or CA can be from your organization, so it would only work locally, or it can be a globally known authority, allowing you to browse securely from the internet.

Remember, this type of security is necessary on the web, and a lock will appear when it is secure in your browser’s URL.

How are certificates managed using Java?

When working with Java, the concepts we need to know about certificates are:

• truststore
• keystore
• keytool that will help us generate certificates.

The certificate format used until the arrival of Java 8 was JKS. From Java 9 onwards, the format has changed, and PKCS12 has been the default format to use. The main difference between these formats is that JKS is unique to Java, while PKCS12 is a more standard format.

Java TrustStore

This will be a store that contains certificates to identify third parties. These certificates will be used to establish trust with the third party with whom we are going to communicate.

For example, if we as a client are talking to a server through an https connection, the server will show us the public key and certificate. At that point, we will search our trust store for the certificate or certification authorities. If they are not there, there will be a handshake error.

Java KeyStore

A Java keystore is responsible for storing all private key entries and certificates with public keys. Each one that is stored will be saved with an alias, so we can have as many as we want, always identified by that alias.

As we have mentioned before, we will use a keystore when we want to establish an HTTPS connection. At the moment we want to establish the connection, the server will search for the private key stored in the keystore. After that, the server will present the public key and certificate to the client that requested the connection. There is also mutual authentication (MTLS), and in this case, the client will also have its own keystore and will present its certificate and public key.

Java Keytool

Keytool is a tool that comes with the JRE and is responsible for managing and creating key and certificate pairs. It allows us to store keys and certificates in the keystore.

Examples of certificate generation using Keytool

We are going to see how generate SSL Certificates for Java Developers.

Creation of a self-signed certificate with Keytool

Imagine that we have a development environment where we have communication between our services. The first step will be to create a certificate to establish communication between the different services:

keytool -genkeypair -alias <alias> -keypass <keypass> -validity <validity> -keystore <keystore> -storetype <storetype> -storepass <storepass> 

To create the certificate, we will use -genkeypair with the following options:

• alias: The alias of the certificate we are creating, which will be stored in the keystore with that alias.
• keypass: The password of the certificate we are creating.
• validity: Duration and validity time of the certificate.
• storepass: Storepass is used to protect the integrity of the keystore; it is the keystore password.
• storetype: Type of PKCS12 or JKS certificate.
• keystore: You can specify the name and location of the certificate you are creating.

keytool -genkeypair -alias refactorizando-cert -keypass 123456 -validity 256 -storetype PKCS12  -keystore keystore.p12 -storepass 123456

This command has created the private key and its corresponding public key, which will be stored in the keystore. We have created it for a validity of 256 days and saved it with the name keystore.p12 in the same path where it was created.

If we want to list the certificates we have in our keystore, we can do:

keytool -list -keystore $JAVA_HOME/lib/security/cacerts

Certificate signed by a CA

If we want to work with a certificate signed by a CA, the first step will be to create a certificate signing request (CSR):

keytool -certreq -alias keyPairRefactorizando -storetype PKCS12
-keystore refactorizando_keystore.p12 -file -rfc -storepass changeit > refactorizando_certificate.csr

This file will be sent to an authority to sign it. Once it is signed, we will receive it in X.509 format. This public key will now be signed by an authority and can be delivered to the client.

Adding certificates to the truststore

If we need to add a certificate to our truststore that is signed by a CA, to be able to connect securely with third parties, we will use the following command:

keytool -import -trustcacerts -file [certificate] -alias [alias] -keystore $JAVA_HOME/lib/security/cacerts

Importing a certificate to the keystore

If you need to import a certificate to the keystore, you can use the following command:

$ keytool -import -alias <alias> -file <file> -keystore <keystore>

Conclusion

In this Guide to SSL Certificates for Java developers post, we have seen how we can create certificates. And the reason to use with our connections.