Problem
- Product Name: VisiBroker for Java & C
- Product Version: All
- Tested Version: 6.5
- Product Component: VisiSecure (SSL)
- Platform/OS version: All
 
You have seen the \examples\vbe\security\bank_ssl example. In the SecureServer.java file, you notice that 4 certificates are used, and you would like to know the following:
- Are the 4 certificates related?
- Do you need to create 4 certificates for your secure server?
- What is the signing sequence for the certificates?
 
You would like to know how to generate the X509 certificates and configure VisiSecure to use the certificates from a directory.
Resolution
In the \examples\vbe\security\bank_ssl example, SecureServer.java demonstrates that the server can have 1 or many certificates forming a trusted chain for verification. The 4 certificates are related: each one is signed by the previous one, in the following sequence:
CA cert -> cert3 -> cert2 -> cert1 -> cert0
SecureClient.java can likewise have 1 or many certificates forming a trusted chain, and that chain is independent of the server's.
You can generate the X509 certificates by following the steps below.
- OpenSSL> genrsa -out key (to generate a private key)
- OpenSSL> req -new -key key -out cert0.crt -config openssl.cnf (to generate a certificate request for that key)
- OpenSSL> req -x509 -key key -in cert0.crt -out cert0 -config openssl.cnf (to generate a self-signed certificate from the request)
- Convert the private key from RSA format to PKCS8 format (the -nocrypt option leaves the PKCS8 key unencrypted):
  OpenSSL> pkcs8 -in key -topk8 -out enckey.pem -nocrypt
- If you do not have a CA certificate, you can generate your own CA certificate by following the steps below:
  a. OpenSSL> genrsa -out ca.key
  b. OpenSSL> req -new -x509 -key ca.key -out ca_crt.pem -outform pem -config openssl.cnf
- If you are going to use your CA certificate to sign your generated X509 certificate, you need to follow the additional step below (the resulting CA-signed certificate is the one you place in the identities directory as cert0):
  OpenSSL> x509 -req -in cert0.crt -CA ca_crt.pem -CAkey ca.key -out cert0.crt
When you place the generated X509 certificates in the identities directory, VisiSecure requires the files to have the following names. For the X509 certificate chain, each file must be named "certn", where n starts from 0 (cert0 is the server's own certificate and cert1, cert2, ... are the certificates that signed it, up the chain). The private key file must be named "key".
If you are using a different CA certificate to sign your client certificate, you need to place the client CA certificate in the trustpoints directory of the SecureServer. Otherwise, the SecureServer will throw a CORBA.NO_PERMISSION exception if you have configured the server with vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST.
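The procedure above carried through end to end, as an added shell example that is not part of the original article or the VisiBroker product: it builds a two-level chain (CA cert -> cert1 -> cert0) with OpenSSL, writes the files under the VisiSecure names cert0, cert1 and key, and verifies that cert0 chains to the CA before you deploy it. The directory name, subject names and key size are assumptions; the CA certificate is copied alongside only so the chain can be checked, and it is the file you would give to the peer's trustpoints directory.

```shell
#!/bin/sh
# Added example (not from the article): CA cert -> cert1 -> cert0 with OpenSSL,
# laid out under VisiSecure's file names. Subjects/key size are assumptions.
set -eu

build_identity() {
    out="$1"                         # identities directory to populate
    work="$(mktemp -d)"
    base="/C=US/O=Example"           # constructed subject prefix

    # 1. Self-signed CA certificate (top of the chain).
    openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$work/ca.key" -days 365 \
        -subj "$base/CN=Example Root CA" -out "$work/ca_crt.pem" 2>/dev/null

    # 2. Intermediate cert1, signed by the CA. It needs basicConstraints
    #    CA:TRUE so that verifiers accept it as the signer of cert0.
    openssl genrsa -out "$work/cert1.key" 2048 2>/dev/null
    openssl req -new -key "$work/cert1.key" -subj "$base/CN=Example Intermediate" \
        -out "$work/cert1.csr" 2>/dev/null
    printf 'basicConstraints=CA:TRUE\n' > "$work/ca.ext"
    openssl x509 -req -in "$work/cert1.csr" -CA "$work/ca_crt.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 365 \
        -extfile "$work/ca.ext" -out "$work/cert1" 2>/dev/null

    # 3. Server certificate cert0, signed by cert1 (end of the chain).
    openssl genrsa -out "$work/key" 2048 2>/dev/null
    openssl req -new -key "$work/key" -subj "$base/CN=secure-server" \
        -out "$work/cert0.csr" 2>/dev/null
    openssl x509 -req -in "$work/cert0.csr" -CA "$work/cert1" \
        -CAkey "$work/cert1.key" -CAcreateserial -days 365 \
        -out "$work/cert0" 2>/dev/null

    # 4. VisiSecure names: certn for the chain (n from 0) and "key" for the
    #    PKCS#8 private key (-nocrypt leaves it unencrypted, as in the article).
    mkdir -p "$out"
    cp "$work/cert0" "$work/cert1" "$out/"
    openssl pkcs8 -topk8 -nocrypt -in "$work/key" -out "$out/key"
    cp "$work/ca_crt.pem" "$out/ca_crt.pem"   # for the peer's trustpoints

    # 5. Check that cert0 chains to the CA through cert1 before deploying.
    openssl verify -CAfile "$out/ca_crt.pem" -untrusted "$out/cert1" \
        "$out/cert0" >/dev/null
}

# Usage: sh build_identity.sh <identities-directory>
if [ -n "${1:-}" ]; then
    build_identity "$1"
fi
```

If the final verify fails, the server will present a chain that peers cannot validate, which is the situation that produces CORBA.NO_PERMISSION under REQUIRE_AND_TRUST.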