Using SSL Certificates on Netty - ssl

I'm trying to build a simple client-server application using Netty which uses SSL certificates.
I looked around and I could only find the secure chat example [here]. It uses bogus certificates.
How do I do a proper implementation of SSL certificates (self-signed) in Netty?

I would recommend against self-signed certificates. It's not worth the trouble. You can get a signed certificate for free from StartSSL. Check out the link below on how to convert a signed certificate into PKCS12 format and use it in an SSLContext with Netty.
http://blog.hintcafe.com/post/33709433256/https-server-in-java-using-netty-and-keystore

Related

In two-way SSL, is it necessary that both certificates (client/server) be built using the same tool?

I need clarity on two-way SSL: if I create a client self-signed certificate using OpenSSL and save it in a PKCS12 file, and a server self-signed certificate using Java keytool and save it in a JKS file, can both certificates work for two-way SSL?
Which TLS version does openssl use?
The structure of a certificate is a standard and independent of a specific tool. This means it does not matter what tool is used to create certificates as long as it creates proper certificates. Also, the TLS protocol version used inside a connection has nothing to do with the certificate used for the connection and what tool was used to create the certificate.
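An added example, not from the question, either answer, or Netty's own secure chat sample, that ties the two questions above together: a two-way TLS setup in Netty where the server's key pair sits in a JKS file and the client's in a PKCS12 file, each side trusting only the other's self-signed certificate. The file names, passwords and the class name are assumptions; the protocol list is where the server's cipher/protocol policy is set, not in the certificates.

```java
import io.netty.channel.Channel;
import io.netty.handler.ssl.*;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;

public final class MutualTlsContexts {
    // Hypothetical file names; the store type is a property of the file, not of the handshake.
    static KeyStore loadKeyStore(String type, String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); return ks; }
    }
    static KeyManagerFactory keyManagers(KeyStore ks, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        return kmf;
    }
    static TrustManagerFactory trustManagers(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf;
    }
    // Server: own key pair from a JKS file (keytool); trust store holds only the client's self-signed cert.
    static SslContext serverContext(char[] pw) throws Exception {
        return SslContextBuilder.forServer(keyManagers(loadKeyStore("JKS", "server.jks", pw), pw))
                .trustManager(trustManagers(loadKeyStore("JKS", "client-trust.jks", pw)))
                .clientAuth(ClientAuth.REQUIRE)    // two-way TLS: handshake fails without a trusted client cert
                .protocols("TLSv1.3", "TLSv1.2")   // protocol and cipher policy lives here, not in the cert
                .build();                          // install with ch.pipeline().addFirst(ctx.newHandler(ch.alloc()))
    }
    // Client: own key pair from a PKCS12 file (OpenSSL); trust store holds only the server's self-signed cert.
    static SslContext clientContext(char[] pw) throws Exception {
        return SslContextBuilder.forClient()
                .keyManager(keyManagers(loadKeyStore("PKCS12", "client.p12", pw), pw))
                .trustManager(trustManagers(loadKeyStore("PKCS12", "server-trust.p12", pw)))
                .protocols("TLSv1.3", "TLSv1.2")
                .build();
    }
    // Client handler with hostname verification, which Netty does not switch on by itself.
    static void addClientTls(Channel ch, SslContext ctx, String host, int port) {
        SslHandler h = ctx.newHandler(ch.alloc(), host, port);
        SSLParameters p = h.engine().getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        h.engine().setSSLParameters(p);
        ch.pipeline().addFirst("ssl", h);  // first in the pipeline so every later handler sees plaintext
    }
}
```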

Let's Encrypt for Server and OpenSSL for client certificates

I have to enable both server and client certificates. My plan is to use Let's Encrypt for the server and OpenSSL for the client certificate. The reason is that Let's Encrypt only provides server certificates. I know that some commercial providers like DigiCert or GlobalSign provide both server and client certificates, but that is not an option.
I haven't tried it yet, but I guess the CA doesn't necessarily have to be the same for both certificates. Can anyone suggest a better idea?
If you use OpenSSL you will either have to establish a trusted internal CA or else use self-signed certificates, and ensure that whichever you use is trusted by the server(s). In the end it's cheaper to pay an external CA; then you don't have to overcome any trust issues.
I wouldn't say that Let's Encrypt only issues server certificates. There is no difference between a server certificate and a client certificate. However, their authentication method requires a web server.

Creating an RC4 / DES SSL PFX

I'm trying to check a specific IIS configuration, which should reject weak SSL certificates.
How would I go about creating an SSL certificate with either RC4 or DES encryption?
I've tried using openssl with the -des flag, but it seems to still create a sha256 cert.
The choice of the symmetric cipher used in TLS (i.e. RC4, DES, AES...) does not depend on the certificate. This means that any certificate you create can be used together with RC4, DES, and so on. Instead of trying to enforce a strong cipher using the certificate, you have to do this in the server configuration. See Mozilla: Security/Server Side TLS for examples on how to configure common web servers with strong ciphers.

How do an SSL certificate and a keystore work together?

I'm wondering why we need an SSL certificate? Because the moment we generate the keystore, it does the same functionality. It gives an SSL platform.
May I know why we need a certificate, and if it is really needed, then how it works (certificate merged with keystore) when a third party sends a request to access the web server's website?
To use the SSL certificate in a web server, you configure your web server software (Apache, NGINX, etc...) to read the certificate. Tutorials on this topic abound; here is a sample set of instructions from DigiCert, who sells SSL certificates: https://www.digicert.com/ssl-certificate-installation-ubuntu-server-with-apache2.htm

Generate SSL certificate for bip (IRC proxy) with Letsencrypt

Letsencrypt is fantastic because it lets users generate valid (not self-signed) SSL certificates for free. I'm using bip as an IRC proxy. Bip can use an SSL certificate for encryption, but the documentation is a bit fuzzy on this.
I know how to generate certificates with letsencrypt. I guess I must concatenate some of the letsencrypt-generated files, among cert.pem, chain.pem, fullchain.pem and privkey.pem, to get a valid bip certificate. But which ones?
If you're asking how to configure bip to use the Let's Encrypt certificate so that clients can connect to it via SSL, the documentation provides the following:
client_side_ssl (default: false)
When true, clients will need to connect to BIP using SSL. You'll also need to
generate a SSL cert/key pair in <bipdir>/bip.pem (usually ~/.bip/bip.pem or
/var/lib/bip/bip.pem) or <client_side_ssl_pem> if defined.
client_side_ssl_pem (default: <bipdir>/bip.pem)
Set this to the full path of the cert/key pair bip should use to accept clients
SSL connections
So from that I gather you will need to cat privkey.pem cert.pem > bip.pem, enable client_side_ssl, and point client_side_ssl_pem to bip.pem if it's not in one of the specified locations.
I don't believe you'll need to add the CA chain, as Let's Encrypt is a trusted CA and the clients should be able to reconstruct the chain themselves. If that's not the case, you can add chain.pem to bip.pem as well.
I also found a handy guide that might be of use here: https://flexion.org/posts/2014-04-bip-irc-proxy/