Installing SSL Certificates

Be sure to check a certificate very carefully before importing it as a trusted certificate! View it first (using the -printcertsubcommand, or the -importsubcommand without the -nopromptoption), and make sure that the displayed certificate fingerprint(s) match the expected ones.

For example, suppose someone sends or emails you a certificate, and you put it in a file named /tmp/cert. Before you consider adding the certificate to your list of trusted certificates, you can execute a -printcertsubcommand to view its fingerprints, as in:

keytool -printcert -file /tmp/cert

Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll

Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll

Serial Number: 59092b34

Valid from: Thu JUL 01 18:01:13 PDT 2004 until: Wed SEP 08 17:01:13 PST 2004

Certificate Fingerprints:

MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F

SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:1

Then call or contact the person who sent the certificate, and compare the fingerprint(s) that you see with the ones that they show. Only if the fingerprints are equal is it guaranteed that the certificate has not been replaced in transit with somebody else’s (for example, an attacker’s) certificate. If such an attack took place, and you did not check the certificate before you imported it, you would end up trusting anything the attacker has signed (for example, a JAR file with malicious class files inside).

Note: it is not required that you execute a -printcertsubcommand prior to importing a certificate, since before adding a certificate to the list of trusted certificates in the keystore, the -importsubcommand prints out the certificate information and prompts you to verify it.

You then have the option of aborting the import operation. Note, however, this is only the case if you invoke the -importsubcommand without the -nopromptoption. If the -nopromptoption is given, then there is no interac- tion with the user.

If you are satisfied that the certificate is valid, then you can add it to your key store as follows:

keytool -import -alias tomcat -file jcertfile.cer

This creates a trusted certificate entry in the keystore, with the data from the file jcertfile.cer, and assigns the alias tomcat to the entry.

AlterPath BladeManager Manual

5-23

Page 185
Image 185
Cyclades AlterPath BladeManager user manual Keytool -import -alias tomcat -file jcertfile.cer