Wednesday, September 15, 2010

SSL

Errors:

C:\Documents and Settings\kanthi\Desktop\trail\testing>c:\bea9.23\jdk150_12\bin\keytool.exe -import -alias privkey -keystore abc.jks -storepass storepass -trustcacerts -file root.crt
Enter key password for <privkey>keypass
keytool error: java.lang.Exception: Public keys in reply and keystore don't match

This happens because you cannot install the certificates separately into the JKS when it was first created with the private key, i.e. we cannot import the certificates (root, server, intermediate) one at a time under the key alias: keytool treats an import under an alias that already holds a private key as a certificate reply, and the public key in root.crt does not match that private key. Instead we need to put all these certs into one file (server first, then intermediate, then root) and import that file into the JKS.
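Before importing, it is worth checking that the concatenated file really is in server, intermediate, root order. The following is an added example, not code from the original post: a stdlib-only Python checker that walks the DER of each certificate in a PEM bundle and confirms that each certificate's issuer is the next certificate's subject and that the last one is self-signed. The PEM regex, the hand-written DER walker and the unsigned skeleton certificates used as sample input are all constructed here; the checker itself also runs on real PEM chain files.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """DER blobs of every certificate in a concatenated PEM file, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length (real certs need this)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def subject_issuer(der):
    """(subject, issuer) as raw DER Name bytes, walked out of tbsCertificate."""
    _, tbs, _ = tlv(tlv(der)[1])                    # Certificate -> tbsCertificate
    tag, _, pos = tlv(tbs)                          # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0                 # v1 certificate has no version field
    _, _, pos = tlv(tbs, pos)                       # serialNumber
    _, _, pos = tlv(tbs, pos)                       # signature AlgorithmIdentifier
    _, issuer, pos = tlv(tbs, pos)                  # issuer Name
    _, _, pos = tlv(tbs, pos)                       # validity
    return tlv(tbs, pos)[1], issuer                 # subject Name

def check_chain_order(pem_text):
    """Problems found; empty means server first, each cert issued by the next, self-signed root last."""
    names = [subject_issuer(d) for d in pem_to_ders(pem_text)]
    if not names:
        return ["no certificates found"]
    problems = [f"cert {i} is not issued by cert {i + 1}"
                for i in range(len(names) - 1) if names[i][1] != names[i + 1][0]]
    if names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-signed: root missing or out of order")
    return problems

# Constructed test data: unsigned X.509-shaped DER skeletons, NOT real certificates.
def _der(tag, content):
    return bytes([tag, len(content)]) + content     # short-form lengths only (< 128 bytes)

def fake_cert(subject, issuer):
    """Skeleton whose only meaningful fields are the subject and issuer CN (OID 2.5.4.3)."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def to_pem(*certs):
    return "".join("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(c).decode()
                   + "-----END CERTIFICATE-----\n" for c in certs)
SERVER, INTER = fake_cert("www.xxxx.com", "Trial Intermediate"), fake_cert("Trial Intermediate", "Trial Root")
ROOT = fake_cert("Trial Root", "Trial Root")
```

Run `check_chain_order(open("chain.pem").read())` on your own bundle; an empty list means the file is in the order keytool expects for the reply import.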


Set PATH to:
C:\j2sdk1.4.2_04\bin;          for java
C:\j2sdk1.4.2_04\jre\bin;      for keytool
C:\Program Files\GnuWin32\bin  for openssl

Root - it validates the entire chain. As this is a trial cert, it is our trial root. Without the root, the domain certificate won't be trusted.


Intermediate - is the subordinate of the root; it is required as well. The intermediate signs the domain cert.
  Root > Intermediate > SSL cert
  that is the certificate path
Domain/server/public certificate: the cert issued to your domain

When you use Custom Identity and Java Standard Trust, we can use the JDK's default JKS, which is found at C:\bea9.23\JDK150~1\jre\lib\security\cacerts; the password for this keystore is changeit.

If you want to use Custom Identity and Custom Trust, use your own JKS.
We have different types of certificates:
A server certificate is nothing but the domain certificate, i.e. your URL.
- Root Certificate, Intermediate Certificate, Chained Certificate:
        The certificate authority issues certificates in the form of a tree structure. A root certificate is the top of the tree. All the certificates below the root inherit the trustworthiness of the root certificate. By default every web browser contains all the root certificates. Any certificate between your certificate and the root certificate is termed an intermediate or chain certificate. These intermediate certificates should be present in your web browser in order to link your certificate to a trusted authority. Most CAs use these intermediate certificates for security purposes, and most web servers and browsers support them.
- CSR
      The certificate signing request is a piece of text that is generated on the web server. The CA uses the info contained in the CSR together with some additional information (organization name, common name which is nothing but the domain name, ...) to create a certificate. The CSR also contains the public key that will be included in your certificate; the matching private key is generated at the time of creating the CSR. We do not need to send our private key to the certificate authority. The certificate that was created using the CSR will only work with the private key that was generated with the CSR. If you lose the private key, the certificate is useless.
A CSR contains:
Common Name: The domain name of your server; this should be exactly the same as what is typed in the browser or you will receive a name mismatch error.
ex: www.xxxx.com
Organization: The name of the organization
ex: xxxx Inc.
Organization Unit: The division of the organization
ex: IT
City/Locality: The name of the city
ex: Bangalore
State/County/Region: The state the company is located in
ex: Karnataka
Country: Country name
ex: IN
Email Address: An email address to contact you
ex: kanthi@xxx.com
Public Key: The public key that will go into the certificate
ex: filled in automatically.


The CSR is in Base64 encoded format, enclosed between --Begin Certificate Signing Request-- and --End Certificate Signing Request-- lines.
A key size of 512 is weak; if the private key is broken, all the information is exposed to whoever holds the private key. We can use 1024, which is stronger, and 2048, which is stronger still.


The Private Key:
The private key is that important; without it your certificate is useless. It is impossible to recover a lost private key; even the CA can't recover it, as they never knew the private key. If it is lost, we need to create a new private key and reissue the certificate.
The Public Key:
The public key is the key used to encrypt the data and the private key is used to decrypt the data. The public key is sent to the browser along with the digital certificate; the public key encrypts the data, which is sent to the server, and the server decrypts the data using the private key that is stored in a confidential area.
The public key is embedded in the digital certificate along with the owner name, street and email address.
A private key and digital certificate together show the identity of the server.
The digital certificate is verified by the certificate authority, and they sign the certificate, so the trusted CA certificate establishes the trust for a certificate. All web servers and browsers support digital certificates signed by a certificate authority.


Common Certificate Errors:
1) Certificate is untrusted:
      There are several reasons for this error.
     - The certificate is not signed by a CA.
     - The link between your certificate and the root may be broken.
 We can view the certificate chain in the web browser by clicking on the lock icon.
2) Certificate error, navigation blocked:
       The browser prompts and displays "There is a problem with this website's security certificate: continue to this website (not recommended)".
    - The reason for this error is that the common name (domain name) in the certificate does not match the address in the browser. For example, if you go directly to xxxx.com while the domain name in the server certificate is www.xxxx.com, it may throw this name mismatch error.
3) Secure and non-secure items:
       This is because the connection we are using is https but the items in the page, i.e. images and JavaScript, may have been written using http, for example <img src="http://www.xxxx.com/image.gif" alt="" />. By changing every file that was written with http to https, e.g. <img src="https://www.xxxx.com/image.gif" alt="" />, we can eradicate this type of error for all the images, JavaScript and frames.


How SSL works:
 - When we hit the URL using https, the browser sends the request to the server.
 - In response the web server sends its public key and certificate to the browser.
 - The browser, which already holds the trusted certificates, validates the certificate sent by the server, i.e. it checks whether it is trustworthy, whether its common name matches the website that was requested, and whether it has expired.
 - The browser encrypts the page with the help of the public key and sends it to the server.
 - The server decrypts the data with the help of the private key created at the time of the CSR.
 - The server sends the page encrypted with the public key.
 - The browser decrypts the page using the public key and displays the information.
