Certificates were always a little fleeting mystery to me. I always wanted to know more about them and never found the time. A few weeks back I finally kicked myself and spent one day with certificates, signatures, signing and all that jazz. Here is a list of excellent sources.
An excellent introductory description of certificates can, surprisingly, be found on the Oracle documentation website, in the reference for the keytool application under the section on certificates:
It contains definitions of the elementary terms along with good explanations. It also shows you how the operations can be done using keytool, a command line utility for managing keys and key stores. Keytool is nice, but it is a little cumbersome to use. Replace it with the excellent GUI application Keystore Explorer:
A stock Java installation does not allow you to create or handle keys of larger lengths through the Java cryptography API. You need to install a patch:
Keystore Explorer guides you through installing this patch step by step in a nice interactive drag-and-drop style.
Simple but important things to remember:
- A certificate is an implementation of a digital signature. It consists of a private key, which is used to sign messages, and a public key, which is used to verify the signature.
- The signature in an X.509 certificate is represented by a DN (distinguished name).
- Certificates can be issued (signed) by a third party (a certificate authority).
- A certificate can also be self-signed (Issuer DN = Certificate DN). How to validate a self-signed certificate:
  - Generate a self-signed certificate.
  - Export the certificate's public key and send it to the recipient.
  - Generate a message and sign it with your private key.
  - Send the message to the recipient.
  - The recipient verifies the signature with the public key.
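The self-signed flow above, carried out end to end with the openssl command line instead of keytool, as an added example that is not part of the original post. It assumes the `openssl` CLI is installed; the subject DN `/CN=demo.example`, the message text and the temporary file names are constructed sample values. The last step also checks that a tampered message fails verification, and a helper confirms the Issuer DN = Subject DN property that makes the certificate self-signed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI exists.
set -eu

# Scratch directory for the key, certificate, message and signature.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Generate a self-signed certificate together with its private key.
#    The subject DN "/CN=demo.example" is a constructed sample value.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Prints "same" when the certificate's issuer DN equals its subject DN
# (the self-signed property), "different" otherwise.
issuer_matches_subject() {
    subj="$(openssl x509 -in "$WORK/cert.pem" -noout -subject)"
    iss="$(openssl x509 -in "$WORK/cert.pem" -noout -issuer)"
    # Drop the "subject=" / "issuer=" prefixes before comparing the DNs.
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo same
    else
        echo different
    fi
}

# 2. Export the public key from the certificate; this is what the
#    recipient receives (never the private key).
export_pubkey() {
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
}

# 3. Sign a message with the private key (SHA-256 digest, RSA signature).
sign_message() {
    printf '%s' "$1" > "$WORK/msg.txt"
    openssl dgst -sha256 -sign "$WORK/key.pem" \
        -out "$WORK/msg.sig" "$WORK/msg.txt"
}

# 4/5. The recipient verifies the received message against the signature
#      using only the public key. Prints "ok" on success, "bad" otherwise.
verify_message() {
    printf '%s' "$1" > "$WORK/check.txt"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/msg.sig" "$WORK/check.txt" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# Run the whole flow stand-alone.
gen_selfsigned
export_pubkey
sign_message "Hello, recipient"
echo "issuer DN equals subject DN: $(issuer_matches_subject)"
echo "genuine message verifies:    $(verify_message 'Hello, recipient')"
echo "tampered message verifies:   $(verify_message 'Hello, recipient!')"
```

The recipient side only ever touches `pub.pem`, `msg.sig` and the message, which is the whole point of the procedure: the private key stays with the signer, and any change to the message (here a single appended character) makes verification fail.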