Connecting a client to a Java-based server using OpenSSL socket, first part

The purpose of this tutorial is to show how create a client-server connection through a secure SSL socket. The client is an embedded system running an application (written in C) under embedded Linux. First, SSL certificates for authenticating both server and client will be created using Java’s keytool. My goal is to connect the client and server using self-signed certificates. The generated public keys could be signed by an authority like Verisign, but I’ll be taking the fast and free way.

The first part of the tutorial shows how to generate certificates in the formats supported by both Java and C.

The second part will give example source code for the server and client.

I strongly recommend reading the paper “Using JSSE for secure socket communication” (pdf) by IBM developerWorks for information about cryptography in Java. A large part of this tutorial is based on this material.

The commands and source are given for Java development environment openjdk-6 and openssl library version 0.9.8.

The first goal is to generate two public and private key pairs for the client and server. For my application it is important that both ‘ends’ are sure they are connected to a trusted device. The deployed client will contain its public and private keys and the server’s public key. The server will have its key pair and client’s public key. First, run keytool in command line to generate the private and public keys. Fill in the organization details carefully, especially if the keys were to be signed by a public authority company later. Use strong and different passwords when prompted (“clientpassword” and “serverpassword” will be used in the tutorial):

keytool -genkey -alias clientprivate -keystore client.private -storetype JKS -keyalg rsa
keytool -genkey -alias serverprivate -keystore server.private -storetype JKS -keyalg rsa

Then, extract the public keys to separate key stores. You will be asked to enter the passwords used during the key creation. I will use “public” as the password for the exported public key:

keytool -export -alias clientprivate -keystore client.private -file temp.key
keytool -import -noprompt -alias clientpublic -keystore client.public -file temp.key
keytool -export -alias serverprivate -keystore server.private -file temp.key
keytool -import -noprompt -alias serverpublic -keystore server.public -file temp.key

The temporary file ‘temp.key’ can be removed at this point. You should be left with the following four files: client.private, client.public, server.private and server.public.
Since the client is a C program using openssl library, the Java keystore format is not suitable. The keys for the client part have to be exported to a supported format. I’ll use PEM format in the example.

keytool -export -alias serverpublic -keystore server.public -file exported-der.crt
openssl x509 -out server_cert.pem -outform pem -in exported-der.crt -inform der

The client’s private/public key pair can be exported from its keystore to PEM format using the Portecle tool (it can be found at http://portecle.sourceforge.net/). Just open the keystore file client.private and export both keys to PEM format.