Generating a Server Certificate
Server certificates can be generated with a single keytool
command. I used the following command to create an RSA certificate,
referenced by the alias of
jamie, and stored in a
keystore named certs.
keytool -genkey -keystore certs -keyalg rsa -alias jamie -storepass serverkspw -keypass serverpw
The keytool then prompted me for information to put into the
certificate. My answers are shown in
What is your first and last name?
What is the name of your organizational unit?
[Unknown]: Software Development
What is the name of your organization?
What is the name of your City or Locality?
[Unknown]: Chula Vista
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is <CN=enpower, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US> correct?
Note that I used a keystore password of serverkspw and a key password of serverpw. Go ahead and use these same values for the time being. You can use a different alias if you like. Also, enter your own information for the certificate. I used my machine name (enpower) for the first and last name of the certificate. You should do the same. If your machine does not have a name, use it's IP address. The enpower name is the name of my laptop's manufacturer.
A Secure Web Server
Now that we have a server certificate, all we need is a Java web server to take advantage of the certificate. Listing 4 provides an HTTP server that I've used in a few of my Java books. It is a fairly primitive server. I don't recommend using it for production systems. But it is small and works for simple HTTP-related examples.
Listing 5 provides a class named SecureServer that extends HTTPServer to provide support for SSL. As you can see, it is only about 50 lines. By following this example, you'll be able to see how easy it is to add SSL support to an existing HTTP application.
Compiling and Running SecureServer
HTTPServer from within your working
directory. (The same one that contains cacerts.) Then compile
SecureServer. Next, create an HTML file named
index.htm to be served in your directory. You can use the
one shown in Listing 6 if you want.
Now start the server by entering
from a console window. You may have to wait about a minute or two for
the server to begin taking requests. The seeding of the secure random
number generator slows things down. If you have a server currently
running on port 443 (the HTTPS port), you'll have to disable it in
order to get
SecureServer to work.
When you run
SecureServer, it will generate the
SecureServer version 1.0 SecureServer is listening on port 443.
Now use a browser to establish an SSL connection to
SecureServer. Since my machine name is enpower, I'll enter
https://enpower/ in the Internet Explorer 5.5 address
bar. Internet Explorer contacts SecureServer and tries to set up an
SSL connection. SecureServer then sends IE its certificate. Because
the certificate is not signed by a valid certificate authority,
Internet Explorer displays the following popup.
When I click on the View Certificate button, this dialog box appears.
The above dialog explains why Internet Explorer balked at the certificate. If you click the Details tab, you can view the information that is contained in the certificate.
If you click the Certification Path tab, you'll see that the certificate is self-signed.
After clicking the OK button and accepting the certificate, Internet Explorer displays the following content.
That's all there is to setting up server-side SSL. Next I'll
SecureServer works and then show you how to
set up SSL on the client side.