SSL/TLS - Secure Sockets Layer/Transport Layer Security
SSL - Secure Socket Layer
Description: wiki
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
Versions of SSL/TLS
SSL 1.0 > SSL 2.0 > SSL 3.0 > TLS 1.0 > TLS 1.1 > TLS 1.2 > TLS 1.3
==========================================================
Setup Environment
1. keytool (shipped with the JDK, under <jdk_dir>/bin)
Windows:
JAVA_HOME=<jdk_dir>
$ keytool
==========================================================
Creating the JKS keystore
Ref: Create Keystore
$ keytool -genkey -alias <alias_name> -validity <validity_days> -keyalg RSA -keystore keystore
(-genkey is the legacy name of -genkeypair; both generate a key pair plus a self-signed certificate.)
ex: keytool -genkey -alias server -validity 365 -keyalg RSA -keystore keystore
Enter keystore password: strongKeystorePassword
Re-enter new password: strongKeystorePassword
What is your first and last name?
[Unknown]: app23.example.com
Note:
The Common Name is typically composed of Host + Domain Name. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. For the Endeca Server certificate, you can use the name of the server, including its full domain name. This procedure will use app23.example.com as the Common Name. After enabling SSL, you can specify the same Common Name with the --host option of the endeca-cmd commands.
What is the name of your organizational unit?
[Unknown]: Apps Department
What is the name of your organization?
[Unknown]: example.com
What is the name of your City or Locality?
[Unknown]: Cambridge
What is the name of your State or Province?
[Unknown]: Massachusetts
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=app23.example.com, OU=Apps Department, O=example.com, L=Cambridge,
ST=Massachusetts, C=US correct?
[no]: yes
Enter key password for <server>
(RETURN if same as keystore password): <RETURN>
When you answer the last prompt, keytool writes the keystore file in the current directory. The keystore contains a private key and a self-signed certificate for the matching public key.
Generate a Certificate Signing Request (CSR)
$ keytool -certreq -alias server -keyalg RSA -file endeca.csr -keystore keystore
Send endeca.csr to the CA for signing.
Import the CA certificate chain and the signed certificate into the keystore. The CA root is imported with -trustcacerts; the signed reply must then be imported under the same alias as the key (here, server) so keytool can attach it to that key.
$ keytool -import -file rootCA.pem -keystore keystore -trustcacerts
List all entries in the keystore
$ keytool -list -v -keystore path_to_keystore_file
Creating a Self-Signed Certificate
$ keytool -genkeypair -alias alias_name -keyalg RSA -validity #_of_days -keysize 2048 -keystore path_to_keystore_file
Export the certificate (PEM, via -rfc) so it can be used elsewhere, e.g. in a client truststore
$ keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_certificate_file
Installing the Self-Signed Certificate on the Client
$ keytool -importcert -alias alias_name -file path_to_certificate_file -keystore truststore_file
=============================================
Tips:
1. Generate a self-signed certificate and key for Nginx (-nodes leaves the private key unencrypted, so protect the file with filesystem permissions)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /vicare/programz/ssl/nginx-selfsigned.key -out /vicare/programz/ssl/nginx-selfsigned.crt
2. Check whether a certificate and a private key belong together
$ openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
$ openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1
If the two hashes are identical, the certificate was issued for that private key; if they differ, the pair is mismatched. This modulus check only works for RSA keys.
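A scripted form of Tip 2, added here as an example (not code from the original page): instead of comparing RSA moduli, it compares the SubjectPublicKeyInfo carried in the certificate with the public key derived from the private key, so it also works for EC keys. It assumes PEM files and an openssl binary on PATH; the helper that generates test material mirrors Tip 1 with -subj in place of the interactive prompts.

```shell
#!/bin/sh
# Added example: verify that a certificate and a private key form a pair.

# SHA-256 fingerprint of the public key embedded in a certificate (PEM SPKI).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256
}

# SHA-256 fingerprint of the public key derived from a private key.
# openssl pkey is algorithm-agnostic, so RSA and EC keys are handled alike.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | openssl dgst -sha256
}

# cert_matches_key CERT KEY
# Returns 0 when the certificate was issued for this key, 1 on mismatch,
# 2 when either file could not be parsed.
cert_matches_key() {
    cfp=$(cert_pubkey_fp "$1") || return 2
    kfp=$(key_pubkey_fp "$2") || return 2
    if [ -n "$cfp" ] && [ "$cfp" = "$kfp" ]; then
        return 0
    fi
    return 1
}

# make_selfsigned_rsa KEY CERT CN  (same command as Tip 1, non-interactive)
make_selfsigned_rsa() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# make_selfsigned_ec KEY CERT CN  (P-256 key, to show the check is not RSA-only)
make_selfsigned_ec() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null &&
    openssl req -new -x509 -key "$1" -out "$2" -days 365 -subj "/CN=$3" 2>/dev/null
}
```

Call cert_matches_key with the certificate and key paths from Tip 1; a non-zero exit means the files should not be deployed together.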