Keytool for Dummies

Intention: This article intends to be simple, clear, concise and accurate. I encourage you to read further after this; Google is your friend. It is targeted at an audience with little or no knowledge of internet security infrastructure who are nevertheless stuck in the sorry state of having to deal with keytool and digital certificates. I hope this article is useful. Thank you for your time.

Some basics

Even before I dive into the Java keytool utility, you need to have a high-level understanding of the following:

SSL – A way to secure internet communication between your browser and a secure website. Websites using SSL have https:// in front of their name, as shown below.

PKI or Public Key Infrastructure – SSL uses PKI to implement security. PKI uses two keys (keys are large numbers used by mathematical functions) to secure communication between a browser and a secure website.

  • Public key – A key which is made public (published online and given away) to anyone and everyone who wishes to communicate with the secure website. It is used by the receiver of the key to convert normal messages into cryptic messages. These cryptic messages are useless until they are converted back into normal messages.
  • Private key – This is a secret (hence private) key which is possessed and maintained only by the secure website. This key is used to convert the cryptic messages back into normal messages.

When a message (say a text message) is passed between the browser and a secure website, the public key is used to convert the text message into a cryptic form (this process is called encryption). This cryptic message can only be transformed back into the normal text message by using the private key that the website owns. So, other than the secure website, no one else can use this message, as they don't have the private key to convert the cryptic message back to the normal message.

Digital certificate – Consider this to be like a driving license. A driving license is issued by a government authority certifying that you know how to drive. People trust this license because they trust the government authority. Similarly, for secure web transactions, a Certificate Authority (Verisign, Thawte, Digicert etc.) is trusted by all computers and browsers. If a website presents a certificate issued by a trusted CA, your browser trusts that the website is secure. The digital certificate contains the public key (along with some identifying information) of the secure website. This public key is used to encrypt (make cryptic) the communication. The cryptic messages then need to be transformed back to normal using the private key maintained only by the secure website.

Your browser has a list of Certification Authorities that it trusts, like the one below.

Chrome Browser Trusted Certificates

Java Keytool utility

Keytool is a program to manage the private key, public key and digital certificates (provided by a Certificate Authority like Verisign or Thawte) of the secure website. Keytool stores all the keys and digital certificates it manages in a container (which is also a file) called a keystore. Using keytool, you can add, delete, and view the different keys and certificates stored in that container.

The following are the different phases of implementing SSL security through keytool.

  • Creating a keystore and a private key
  • Creating a Certificate Signing Request (CSR)
  • Retrieving certificates from CA
  • Importing Root certificates to your keystore
  • Importing intermediate certificates to your keystore
  • Importing the server certificates to keystore

Step 1 – Creating a keystore and a private key

Before generating keys and installing certificates, you'll need a container to store them. So the first step is to create that store, called a keystore.

The command to create a keystore with a Private Key is:

keytool -genkey -alias webserver.arunpc.com -keyalg RSA -keysize 2048 -keystore webserver.keystore

You'll be prompted to fill in details, after which a keystore with a private key is created. It is important to provide the hostname or FQDN of your webserver as the alias.

Below is what the command means:

-genkey is the command to generate a private key (in fact a public/private key pair; newer keytool versions call this -genkeypair) and to create the keystore if there is none.

-alias is the tag used to identify the entry in the keystore. Consider aliases to be names that identify keystore entries. You can provide any name, but we recommend using the hostname or FQDN when generating the private key.

-keyalg is the algorithm of the key pair being generated. Usually RSA is used.

-keysize is the key size in bits. Nowadays 2048 bits is the standard.

-keystore is the name of the keystore, which in this case is webserver.keystore. If a keystore with this name does not exist on the system, keytool will create one.

Important Notes

  • If you don't specify the -keystore option, keytool will use the default keystore. So make sure that you are not making modifications to the default keystore but to the newly created one. It may be good practice to find all the keystore files already on the system and move them to a different folder. You can find the location of the keystore file from the operating system documentation or by searching the entire filesystem with: sudo find / -name "*keystore"
  • It is good practice to provide the hostname of the server as the alias. Highly recommended. In the above case, the hostname is webserver.arunpc.com.

To view the private key entry stored in the keystore, you may execute the following command:

keytool -list -v -keystore webserver.keystore

Step 2 – Creating a Certificate Signing Request

In the above step you created a keystore and a private key. Now you need to apply to a Certificate Authority (like Verisign or Thawte) to issue your server a digital certificate. This request is called a CSR or Certificate Signing Request.

The command to create a CSR is:

keytool -certreq -v -alias webserver.arunpc.com -file aruntest.pem -keystore webserver.keystore

Once this command is executed successfully, you'll get the message

Below is what the command means:

-certreq specifies that this is a certificate request to be sent to the CA.

-alias should be the same as the alias you used in Step 1 for generating the private key.

-file is the certificate request file that we want to create and send to the CA.

-keystore is the keystore for which the certificate is being requested.

You will need to ensure that the above values are accurate and exactly match the values from Step 1.

In the above example, aruntest.pem is the request that we created. The file, when opened, looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC4DCCAcgCAQAwgZoxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdU
b3JvbnRvMTwwOgYDVQQKEzNDQU5BRElBTiBNVVNJQ0FMIFJFUFJPRFVDVElPTiBSSUdIVFMgQUdF
TkNZIExJTUlURUQxCzAJBgNVBAsTAklUMRwwGgYDVQQDExNjbXJyYS12ZGkxLmNtcnJhLmNhMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk1gEjbg/goUjbbjHNrvr0jvCOwbsQjyAzKdL
vb/S5XwfhjEwyP1f6KNrdj/TKAqZdg9tA4coI/1J4++/XeIQI72imq08FJaixpjsUHk48nYTYWcp
a/DTWdk3gHWo45iKGCeU+2bmTE938na8rk9d67GBDwXCmbPHBWMUiKogUHAQN7OjVfNR7b6biT3s
CGB/sCTtEh6H5RwmvFeU+OKh9Bk4PLjUCcRemxMp97/5XiPZyFTBFZN5EsbY5FDe88SoZ4Ce+lkb
OcaKRuEjLN92khjdwonxJdEOFglSj1zRF5OyI4wgT8u/2HGLF52zWvX6tkWEFSf8aYf00f9KRMUP
BwIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAInPQzEB/xpWebIhWAny7Xw5/sF6+LAzerxskBCT
zUzDaO5OKu7GULM8aMjNHgQliIJiKwYNnt53rcYk1N6iK1JWGW8TzEFZYAz/Uyg/b7em7T9OBKBN
5hm8I2fDxA1Szh9ysuxyaXMj3LCO/DhPrEJFQLdl0kxPMYjquA/1FLgD6Jsmr2knC2ytFLfx7j5H
cELH0Bqzoiu8qtoXg6XLzI1NOYk0+QH1CCnKJ/0z01rnTr27FNY4JPTk+MlGlUkD87sIJgx4UUoz
oAAavYZtLz0Y5PmWQWckwxBCbllcvftH9IvrHadK3VwO/RXqecUIFqkmC7CtOZWvgLvaJKFYDvQ=
-----END NEW CERTIFICATE REQUEST-----

Step 3 – Retrieving certificates from CA

Now that you have created the certificate request for your webserver, it is time to go to the website of a CA for signing and endorsement. You can download the RootCA and intermediate certificates from the issuer's website or by contacting their tech support. The CA usually gives 3 types of certificates:

  • Server certificate for webserver,
  • RootCA certificate,
  • Intermediate certificate.

The server certificate is the one which contains your public key and which certifies your server. The example below shows that the issuer is Thawte, which is a reputed CA, and that the certificate is issued to mail.google.com.

Then you have the RootCA certificate. This is the CA's own certificate and it has all the details of the CA, like below. Notice the "issued to" and "issued by" fields.

You may also have another certificate called the intermediate certificate. This is nothing but a certificate which sits between the server certificate and the RootCA certificate; it is like a bridge between the two.

Step 4 – Importing Root certificates to your keystore

In Step 1, you created a keystore and populated it with a private key. In Step 3, you obtained the RootCA, intermediate CA and webserver certificates. You now need to install these certificates.

The order in which the certificates are installed is important. First you'll need to install the RootCA certificate, then the intermediate certificate, and last the webserver certificate.

So as the first step, let us install the RootCA certificate. You may use the following command, and may use any alias:

keytool -import -trustcacerts -alias root -file RootCertFileName.crt -keystore webserver.keystore

where RootCertFileName.crt is the RootCA certificate and the keystore name is webserver.keystore.

Step 5 – Importing Intermediate certificates to your keystore

After installing the RootCA certificate, you need to install the intermediate certificate:

keytool -import -trustcacerts -alias intermediate -file Intermediate-Digicert.crt -keystore webserver.keystore

Note that there may not be an intermediate certificate in some cases. In such cases, just the RootCA certificate will suffice.

Step 6 – Importing Server certificate to your keystore

After installing the RootCA and intermediate certificates, you need to import the server certificate:

keytool -import -trustcacerts -alias webserver.arunpc.com -file arunpccert.crt -keystore webserver.keystore

Important Note: Make sure that you provide the same alias as for your private key, which in this example is the hostname. If the alias differs, keytool stores the server certificate as a separate trusted certificate entry instead of attaching it to the private key, and the chain is never built.

To view the entries in the keystore, you may do it like this:

keytool -list -keystore webserver.keystore

Verifying the certificates are correctly installed

Once the keystore is populated with keys and certificates, you may verify that the certificate chain is established from the server certificate through the intermediate certificate to the RootCA certificate.

If you run the command:

keytool -v -list -keystore webserver.keystore

It will list information about all the certificates. Look for the PrivateKeyEntry and see whether the certificate chain length is 2 or above. This tells you that the server certificate is able to establish a chain up to the RootCA.

*******************************************
*******************************************
Alias name: webserver.arunpc.com
Creation date: May 9, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 3
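The whole procedure above (Steps 1, 2, 4, 5, 6 and the chain-length check), wrapped as shell functions, as an added example that is not part of the original article and not code shipped with keytool. It assumes a JDK keytool that accepts -genkeypair, -importcert, -ext and -storepass:env (all present in current releases), keeps the alias equal to the server's FQDN as recommended above, and reads the keystore password from the KEYSTORE_PASS environment variable instead of placing it on the command line where it would land in shell history and process listings. The verify_chain function performs the "Certificate chain length" check offline on the text of keytool -v -list, so it also works against a saved listing.

```shell
#!/bin/sh
# Added example (not from the original article): the keytool steps as functions,
# plus an offline parser for "keytool -v -list" output.
# Assumptions: JDK keytool with -genkeypair/-importcert/-ext/-storepass:env,
# alias == server FQDN, password supplied via the KEYSTORE_PASS variable.
set -eu

SSL_HOST="${SSL_HOST:-webserver.arunpc.com}"   # alias = FQDN, as the article recommends
KS_FILE="${KS_FILE:-webserver.keystore}"

need_pass() { : "${KEYSTORE_PASS:?export KEYSTORE_PASS before running keytool steps}"; }

# Step 1: create the key pair and the keystore. -dname avoids the interactive
# prompts; the SAN extension is what browsers match the hostname against today.
step1_genkeypair() {
    need_pass
    keytool -genkeypair -alias "$SSL_HOST" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$SSL_HOST" -ext "SAN=dns:$SSL_HOST" \
        -keystore "$KS_FILE" -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS
}

# Step 2: CSR for the same alias, written to <host>.csr for the CA.
step2_certreq() {
    need_pass
    keytool -certreq -alias "$SSL_HOST" -file "$SSL_HOST.csr" -ext "SAN=dns:$SSL_HOST" \
        -keystore "$KS_FILE" -storepass:env KEYSTORE_PASS
}

# import_cert ALIAS FILE [-noprompt]: one certificate into the keystore.
import_cert() {
    need_pass
    alias_name=$1; cert_file=$2; shift 2
    keytool -importcert -trustcacerts -alias "$alias_name" -file "$cert_file" \
        -keystore "$KS_FILE" -storepass:env KEYSTORE_PASS "$@"
}

# Steps 4-6 in the order the article insists on: root, intermediate, server.
# import_chain ROOT.crt INTERMEDIATE.crt|"" SERVER.crt
import_chain() {
    # No -noprompt for the root: keytool prints its fingerprint and asks before
    # trusting it. Compare that fingerprint with the CA's published value first.
    import_cert root "$1"
    if [ -n "$2" ]; then
        # Validated against the root just imported, so no prompt appears.
        import_cert intermediate "$2" -noprompt
    fi
    # Same alias as the private key, otherwise the chain is never attached.
    import_cert "$SSL_HOST" "$3" -noprompt
}

# verify_chain [ALIAS] < listing: reads "keytool -v -list" output on stdin,
# prints the chain length of the PrivateKeyEntry for ALIAS and succeeds only
# when that length is at least 2 (server certificate plus at least one CA cert).
verify_chain() {
    awk -v want="${1:-$SSL_HOST}" '
        /^Alias name:/               { alias = $3; type = "" }
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ {
            if (alias == want && type == "PrivateKeyEntry") { got = $4; found = 1 }
        }
        END {
            if (!found) { print "no PrivateKeyEntry for alias " want > "/dev/stderr"; exit 1 }
            print got
            if (got + 0 >= 2) exit 0
            exit 1
        }'
}

# Live version of the check against the real keystore.
check_installed_chain() {
    need_pass
    keytool -v -list -keystore "$KS_FILE" -storepass:env KEYSTORE_PASS | verify_chain
}
```

Typical use: source the file, run step1_genkeypair and step2_certreq, send the .csr to the CA, then import_chain root.crt intermediate.crt server.crt (pass an empty string as the second argument when the CA issued no intermediate) and finish with check_installed_chain, which exits non-zero if the PrivateKeyEntry's chain is shorter than two certificates or if the server certificate ended up under a different alias.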

Configuring your SSL Connector

Tomcat will need an SSL Connector configured before it can accept secure connections.

Open the Tomcat server.xml file in a text editor (this is usually located in the conf folder of your Tomcat home directory). Find the connector that will be secured with the new keystore and uncomment it if necessary (it is usually a connector with port 443 or 8443, like the example below).

Specify the correct keystore filename, password and key alias in your connector configuration; keyAlias must be the alias you used in Step 1, which in this article is webserver.arunpc.com. Because server.xml now holds the keystore password in clear text, make sure only the account Tomcat runs as can read the file. When you are done, your connector should look something like this:

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="webserver.arunpc.com" keystoreFile="/home/user_name/webserver.keystore" keypass="your_keystore_password" />

Note: If you are using version 7 of Tomcat you will need to change "keypass" to "keystorePass".

Save your changes to the server.xml file.

Restart Tomcat Server.

Cannot play DVD in an RDP or Citrix HDX session

When you try to play a DVD in an RDP session or a Citrix HDX session, you get the following error:

The error message goes like this: Windows Media Player cannot play this DVD because it is not possible to turn on analog copy protection on the output display.

Synopsis

This is a current limitation and is designed to be one. Such an error arises because media such as DVDs protected by DRM (Digital Rights Management) do not allow content to be redirected from the server (the Terminal Services or Citrix machine) to the endpoint. This is more of a legal or regulatory issue than a technical one.

Some more info

What is DRM?

Digital Rights Management is the way copyright owners of digital content exercise their muscle to prevent their content being used in ways they have not authorized. Read more on Wikipedia.

In this context, the DVD manufacturer would like to sell more copies of the DVD. They would like everyone who wants to watch a DVD to buy a copy. But when you play a DVD inside an RDS or Citrix server, only one copy of the DVD is needed and all the end users can view the content through RDP or HDX without buying more copies. This is supposedly a copyright violation and a loss of business for them. Hence they don't allow you to do so.

I tried editing registry settings in the machine to bypass the check but I have not been able to do so. So I guess this is a designed limitation.

More info can be found here and here.

Simple test to confirm this outside RDP or Citrix HDX

  1. Insert a DRM-protected DVD in your laptop drive.
  2. Share your laptop drive and give permissions for anyone to access this DVD drive.
  3. On another machine on the network, access this shared drive (type \\<IPAddress-of-the-laptop>\E$ where E is the assigned share name).
  4. Now try to play the DVD. If there is an error, it means that it cannot be played remotely, which means it cannot be played in an RDP or HDX session either.

Thanks,

Arun.P.C

Buying Gold for my daughter

The other day at the lunch table, my colleague jokingly asked:

“Arun, being a Malayalee, have you started buying Gold for your daughter’s wedding?”

For those of you who don’t know the relationship between Gold and Malayalees, here it is:

Malayalees love gold. Especially when it comes to their daughters’ wedding.

I guess it originated from the logic that gold can be an asset in the future, and instead of wasting a lot of money on clothes, a car and the wedding function, it might be wiser to spend it on gold.

I don’t subscribe to this view at all but his question definitely got me thinking.

I know with globalization, travel, exposure, internet, etc… the definition of “asset” is changing. What we perceive as highly valuable today may not be that valuable in the future.

But the corollary is actually more interesting.

Some resources that could be cheap today can be of immense value tomorrow.

So I thought, what could be that thing my daughter may want when she is 16?

Of course, I have no clue and this surely cannot be predicted, but I am certainly going to take a shot at it. Here I go.

Everyone today has a digital presence. Everyone has an email address for communication, a Skype ID for chat, a Facebook ID for social networking, a LinkedIn ID for career etc. This is a given.

So I think buying a domain name “snehaarun” is a good idea and will be of immense value in the future. Think about it:

  • Good domain names are on the verge of extinction. They are very hard to get, and even if you get one, it will be at a very high price.
  • If you want to start a blog, publish anything, start a project or a movement, or voice your opinion, it is always best to do it on your own domain rather than www.someone.wordpress.com.
  • Some of you may have already realized this. When it comes to employment, your online personal brand is more important than anything else right now. So the online brand called "You" is much better built on your own domain name.
  • Most importantly, it is nice to have the URL www.myname.com.

Hence, I went to GoDaddy and purchased www.snehaarun.com for $80, which is valid for the next 10 years.

Today Sneha turns 1. Hopefully she will appreciate her Daddy's 1st birthday gift :)

Thanks,

Arun.P.C

3 months without a smartphone

Today I complete 3 months of NOT using my BlackBerry.

Here is my story. I have been a BlackBerry addict. The first thing I do in the morning is half-open an eyelid and skim through my BlackBerry emails. The last thing I do at night is watch for the red light blinking and make sure that there are no unread messages. If I stop at a traffic signal, I check for new emails. If I am in the loo and I have my phone in my pocket, I check emails. Even when I have my daughter on my lap and my wife beside me, my mind unconsciously wanders to my "BB".

This has never bothered me that much, and I love my emails and blog subscriptions. But I've always had this feeling that I don't have control over my temptation to check my BlackBerry messages.

So I chose to do an experiment for 3 months. Just 3 months, no big deal: not to carry my smartphone. The idea initially seemed like a simple thing to do. But when I started contemplating it, it appeared very hard.

I have very strong reasons to use my Smartphone. Some of them are:

  • My BlackBerry handset and monthly bills are free. Sponsored by my company. The company pays for the handset, monthly bills and undertakes repairs if any. I don’t need to spend one rupee on it. Conventional thinking tells me, it’s free, so enjoy it when you can.
  • My work requires me to be plugged in and that’s the reason my company provides me with BlackBerry. As an Escalation Engineer, my work usually involves firefighting IT issues and pacifying angry customers.
  • Most importantly, I love checking stock tickers, latest blog updates and responding to email threads.

On Nov 18th, 2011, I chose NOT to carry my smartphone for the next 3 months. Since I knew it would soon turn out to be a really hard thing to do, I tied an incentive to it. That is, after 3 months I am going to buy a Samsung Galaxy SII. Let this be a good way to move to the Android world.

It's been 3 months without carrying my BlackBerry and I feel accomplished :)

The following are what I have discovered:

  • If you don't respond to an email or message immediately, nothing is going to happen. Absolutely nothing. People might be accustomed to getting fast responses; I let them know my responses are going to be delayed. I promised my boss and my colleagues that my responses will be complete, factual and exactly to the question when I respond. People appreciate this much more.
  • Lots and lots of freedom. I don't know why, but maybe it is because I don't need to respond immediately and my information hunger has now reduced.
  • I started reading books. Real books. I completed "Snow Storm" by Alexander Pushkin.
  • When I spend time with people, I give 100% attention. No fiddling with my phone, no emails, nothing. Undivided attention.

This is my story and I am not righteous about it. It worked for me and it may work for you. Try it. Just a suggestion.

Btw, the Samsung Galaxy SII is still on my list, but I'll buy it later :)

I want to thank Leo Babauta of ZenHabits for all the inspiration.

Thanks,

Arun.P.C

DNS Reservation error: The Unique Identifier you have entered may not be correct. Do you want to use this Identifier anyway?

This is more of an annoyance than an actual issue.

While making a DNS reservation, I got this error even though I was providing a perfectly valid MAC address and IP address.

It turns out this is nothing but Windows telling you that it doesn't like the colons (:) in the MAC address. Removing the colons, as below, gets things working perfectly.


Thanks,

Arun.P.C

Finding and deleting zero KB files from the current directory in Solaris

Unlike Linux, whose GNU find has options like -maxdepth and -depth, Solaris (and perhaps other flavors of Unix) doesn't have a similar way to specify the depth of the find command. After some Googling I found a way to do this on Solaris.

Find below -

To find all files in a directory (to just list them you can use the ls command, of course):

find . \( ! -name . -prune \) -type f

I wanted to find all the zero KB files in the current directory, so it is:

find . \( ! -name . -prune \) -type f -size 0

Then, I wanted to delete them:

find . \( ! -name . -prune \) -type f -size 0 | xargs rm -f
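The same prune trick, as an added example that is not from the original post, with one change a practitioner would want: the deletion uses find's own -exec ... {} + instead of piping names into xargs, so a file name containing a space or a newline is neither split into several arguments nor mistaken for another file. The fixture directory and its file names are constructed for the demonstration. It assumes a POSIX find that accepts -exec with a trailing + (Solaris /usr/xpg4/bin/find and every current GNU or BSD find do) and a mktemp that accepts -d.

```shell
#!/bin/sh
# Added example (not the original post's code). Constructed fixture, POSIX find.
set -eu

# prune_rm_empty DIR: delete zero-byte regular files directly inside DIR only.
# The \( ! -name . -prune \) part stops find from descending into subdirectories,
# which is what stands in for GNU find's -maxdepth 1 on Solaris. -exec ... {} +
# hands the names straight to rm, so odd characters in names cannot break it.
prune_rm_empty() {
    (cd "$1" && find . \( ! -name . -prune \) -type f -size 0 -exec rm -f {} +)
}

# count_files DIR: number of regular files directly inside DIR (depth 1).
count_files() {
    (cd "$1" && find . \( ! -name . -prune \) -type f | wc -l | tr -d ' ')
}

# make_fixture: builds a temporary directory with constructed contents and
# prints its path. Two empty files at depth 1 (one with a space in its name),
# one non-empty file, and one empty file one level down that must survive.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/empty one.txt"            # zero bytes, name contains a space
    : > "$d/empty2.log"               # zero bytes
    printf 'data\n' > "$d/keep.txt"   # non-empty: must survive
    mkdir "$d/sub"
    : > "$d/sub/nested-empty.txt"     # depth 2: must survive, prune stops descent
    printf '%s' "$d"
}
```

Running make_fixture, then prune_rm_empty on the result, leaves keep.txt and sub/nested-empty.txt in place and removes only the two empty files at the top level; count_files before and after shows 3 and 1.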

Thanks,

Arun.P.C

A technical post on LabManager

Re-posting this from my Citrix blog -

http://blogs.citrix.com/2011/06/10/labmanager-3-9-troubleshooting-%E2%80%93-what-to-do-when-there-is-a-python-traceback/

Folks who have been using LabManager for a long time might have come across a Python traceback on the LabManager Web UI which looks like this.

Then you wonder what it is and what details to collect before contacting support. So here are the three things that you need to gather before contacting Citrix Support.

1) HTML source of the error page – Many times customers send us the HTML source of the homepage or the job UI page. But these pages do not carry the Python traceback information. What you need to do is go to the 'Role Operations' tab of the job page and view the HTML source in the browser. The video demonstrates this.

2) VMAgent logs – Typically these may be several megabytes, but we usually need only the latest logs. The logs are located in C:\Documents and Settings\All Users\Application Data\Citrix\LabManagerVMAgent\logs if you have installed your VMAgent on Windows Server 2003, and in the corresponding User Data folder on Windows Server 2008.

3) LabManager Server logs – Just like the VMAgent logs, these could also be several megabytes and we usually need only the latest one. The logs are located in C:\Documents and Settings\All Users\Application Data\Citrix\LabManager\logs for Windows Server 2003 and the corresponding User Data folder in Windows Server 2008.

4) Optional – PostgreSQL .backup file – If the issue happens to be related to the LabManager Server, the support engineers might want to reproduce the issue in-house using your very own database. In such a case, you may need to send the .backup file of your PostgreSQL database as well. The video demonstrates how to do this.

http://www.citrix.com/tv/#videos/352

That’s all folks. Please let me know if you have any queries.

Thanks,

Arun.P.C

Contact me at: Citrix, Gmail, Skype: arun.pc