Changes between Initial Version and Version 1 of dev/tls

Timestamp:

10/27/21 13:33:29 (4 years ago)

Author:

Mad Martian

Comment:

Initial introduction

dev/tls

@@ +1 @@
+= Mutual TLS Connectivity
+This page isn't strictly related to MadMartian Mod but it is necessary for JMX over TLS which we use to monitor MadMartian Mod remotely and securely.
+
+== Mutual Trust
+Both the client (Java Mission Control) and the server (JMX) require three things:
+* Self-signed certificate
+* Private key
+* Trust store
+
+Self-signed certificates come with a private key (standard PKI), that's the infamous pair right there (you hare).  The trust store is for storing the other side's public key.
+
+== Generate Self-Signed Certificate and Private Key Store
+Before we get started it is imperative that the store passwords match the private key passwords, otherwise you'll get unrecoverable key errors when trying to handshake.
+
+First step is to generate a private key:
+{{{#!sh
+openssl genrsa -out my.key 2048
+}}}
+
+Then create the certificate from it:
+{{{#!sh
+openssl req -x509 -new -nodes -key my.key -sha256 -days 1024 -out my.pem
+}}}
+
+Now create a PKCS12 store from the PKI pair (private key + public cert):
+{{{#!sh
+openssl pkcs12 -export -name my-side -in my.pem -inkey my.key -out my.p12
+}}}
+Replace ''my-side'' with the side that the certificate belongs to ('server' if it will reside on the server and be trusted by the client and vice versa for the client)
+
+Import the PKCS12 store into a local JKS:
+{{{#!sh
+keytool -importkeystore -destkeystore my.jks -srckeystore my.p12 -srcstoretype pkcs12 -alias my-side
+}}}
+
+== Trust The Other Side's Certificate
+Once you have completed generating certificates for both sides you must now create the trust relationship between them:
+
+Trust the ''other'' side's certificate:
+{{{#!sh
+keytool -import -alias other-side -file other.pem -keystore my.trust.jks
+}}}