Installing SSL Certificates
Be sure to check a certificate very carefully before importing it as a trusted certificate! View it first (using the
For example, suppose someone sends or emails you a certificate, and you put it in a file named /tmp/cert. Before you consider adding the certificate to your list of trusted certificates, you can execute a
keytool
Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
Serial Number: 59092b34
Valid from: Thu JUL 01 18:01:13 PDT 2004 until: Wed SEP 08 17:01:13 PST 2004
Certificate Fingerprints:
MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F
SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:1
Then call or contact the person who sent the certificate, and compare the fingerprint(s) that you see with the ones that they show. Only if the fingerprints are equal is it guaranteed that the certificate has not been replaced in transit with somebody else’s (for example, an attacker’s) certificate. If such an attack took place, and you did not check the certificate before you imported it, you would end up trusting anything the attacker has signed (for example, a JAR file with malicious class files inside).
Note: it is not required that you execute a
You then have the option of aborting the import operation. Note, however, this is only the case if you invoke the
If you are satisfied that the certificate is valid, then you can add it to your keystore as follows:
keytool -import -alias tomcat -file jcertfile.cer
This creates a trusted certificate entry in the keystore, with the data from the file jcertfile.cer, and assigns the alias tomcat to the entry.
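The procedure above (print the fingerprints, compare them with the value the sender gives you out of band, and only then import) can be automated so that the import step cannot be reached unless the fingerprint matches. The following script is an added example and not part of the manual; it assumes keytool is on the PATH, that the expected SHA1 fingerprint is passed on the command line, and that the certificate file is DER or a PEM-armoured CERTIFICATE block. The file name, alias and fingerprint values in the usage line are placeholders.

```python
import base64
import hashlib
import re
import subprocess
import sys


def der_from_file_bytes(data: bytes) -> bytes:
    """Return the DER encoding; accepts raw DER or a PEM-armoured certificate."""
    if b"-----BEGIN" in data:
        block = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
        if not block:
            raise ValueError("PEM armour present but no CERTIFICATE block found")
        return base64.b64decode(b"".join(block.group(1).split()))
    return data


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash the DER bytes and format the digest the way keytool prints it (AA:BB:CC...)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop separators and case so 'a9:99...' and 'A999...' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """True only if the computed fingerprint equals the value obtained out of band."""
    return normalise(fingerprint(der, algo)) == normalise(expected)


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} CERTFILE ALIAS EXPECTED_SHA1_FINGERPRINT", file=sys.stderr)
        return 2
    path, alias, expected = argv[1:]
    with open(path, "rb") as fh:
        der = der_from_file_bytes(fh.read())
    print("MD5:  " + fingerprint(der, "md5"))
    print("SHA1: " + fingerprint(der, "sha1"))
    if not fingerprint_matches(der, expected):
        print("fingerprint mismatch: refusing to import", file=sys.stderr)
        return 1
    # The import command from the manual runs only after the out-of-band value matched.
    return subprocess.call(["keytool", "-import", "-alias", alias, "-file", path])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_and_import.py /tmp/cert tomcat <fingerprint read to you by the sender>`; a mismatch exits with status 1 before keytool is ever invoked.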
AlterPath BladeManager Manual |