Generating and installing self-signed certificates using keytool
Self-signed certificates can be created with the keytool utility, which is part of the Java runtime environment. In general, the security requirements defined for the application scenario must be taken into account when creating keys. These include, for example, the choice of random number generator for key generation, the algorithms used, and the type of key container holding the private key. One example of such security requirements is Technical Guideline TR-02102 of the Federal Office for Information Security.
The certificate generation described in this chapter is based on the specifications of the Federal Office for Information Security and other recommendations (Ristic, 2014). RSA with a key length of 3072 bits is used as the asymmetric algorithm, and the certificates are signed with RSA in combination with SHA-256. These keys can also be generated without installing the “Unlimited Strength Jurisdiction Policy” for the Java runtime environment, because the US government places no export restriction on the RSA key length.
This section describes key generation on a UNIX operating system. The instructions assume that keytool is on the search path for executable programs (the PATH environment variable). The basic functionality of keytool is described in the reference documentation of the Java runtime environment.
A certificate must contain the correct key usage attributes. The extensions may be marked as “non-critical” in the certificate. The table below lists the required attributes:
| Certificate | KeyUsage | ExtendedKeyUsage |
|---|---|---|
| Server certificate | digitalSignature | serverAuth |
| Client certificate | digitalSignature | clientAuth |

Table 335: Key usage for communication certificates
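The following script is an added example, not part of the original document: it runs keytool with the parameters stated above (RSA 3072, signature with SHA-256, KeyUsage digitalSignature and ExtendedKeyUsage serverAuth or clientAuth, both left non-critical) for a server and a client certificate, exports each certificate and installs it in the other side's truststore, then checks the result with `keytool -list -v`. The keystore type PKCS12, the store password, the validity period, the aliases, distinguished names and file names are assumptions constructed for this example. If keytool is not on the PATH, the script only prints the command lines it would run.

```sh
#!/bin/sh
# Added example: self-signed server and client certificates with keytool, following the
# parameters given in the text. Store type, password, validity, aliases, DNs and file
# names below are constructed for this example, not taken from the document.
set -eu

STORETYPE=PKCS12               # assumption: PKCS#12 key container instead of the legacy JKS format
STOREPASS="changeit-example"   # constructed for the example; use a real secret elsewhere
VALIDITY_DAYS=365              # constructed validity period

# Map the certificate role to the ExtendedKeyUsage value from Table 335.
eku_for_role() {
    case "$1" in
        server) echo serverAuth ;;
        client) echo clientAuth ;;
        *) echo "unknown certificate role: $1" >&2; return 1 ;;
    esac
}

# Generate one self-signed key pair. Omitting ":critical" on -ext leaves both extensions non-critical.
# $1 = command to run ("keytool", or "echo" to show the command line)
# $2 = role (server|client), $3 = alias, $4 = distinguished name, $5 = keystore file
genkeypair() {
    eku=$(eku_for_role "$2") || return 1
    "$1" -genkeypair -alias "$3" -dname "$4" \
        -keyalg RSA -keysize 3072 -sigalg SHA256withRSA \
        -validity "$VALIDITY_DAYS" \
        -ext "KeyUsage=digitalSignature" \
        -ext "ExtendedKeyUsage=$eku" \
        -storetype "$STORETYPE" -keystore "$5" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export a certificate in PEM form. $1 = command, $2 = alias, $3 = keystore, $4 = output file
exportcert() {
    "$1" -exportcert -rfc -alias "$2" -keystore "$3" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" -file "$4"
}

# Install a peer certificate into a truststore. $1 = command, $2 = alias, $3 = PEM file, $4 = truststore
importcert() {
    "$1" -importcert -noprompt -alias "$2" -file "$3" -keystore "$4" \
        -storetype "$STORETYPE" -storepass "$STOREPASS"
}

# Check the generated entry: signature algorithm, KeyUsage and the expected ExtendedKeyUsage.
# $1 = keystore file, $2 = expected ExtendedKeyUsage (serverAuth|clientAuth)
verify_store() {
    listing=$(keytool -list -v -keystore "$1" -storetype "$STORETYPE" -storepass "$STOREPASS")
    echo "$listing" | grep -q 'SHA256withRSA'    || { echo "$1: signature algorithm is not SHA256withRSA" >&2; return 1; }
    echo "$listing" | grep -q 'DigitalSignature' || { echo "$1: KeyUsage digitalSignature missing" >&2; return 1; }
    echo "$listing" | grep -q "$2"               || { echo "$1: ExtendedKeyUsage $2 missing" >&2; return 1; }
    echo "$1: SHA256withRSA, digitalSignature, $2 present"
}

main() {
    cmd=keytool
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found in PATH; printing the commands instead of running them" >&2
        cmd=echo
    fi
    out=$(mktemp -d)
    genkeypair "$cmd" server server "CN=server.example.test,O=Example" "$out/server.p12"
    genkeypair "$cmd" client client "CN=client.example.test,O=Example" "$out/client.p12"
    exportcert "$cmd" server "$out/server.p12" "$out/server.pem"
    exportcert "$cmd" client "$out/client.p12" "$out/client.pem"
    # Each side trusts exactly the other side's self-signed certificate, nothing else.
    importcert "$cmd" server "$out/server.pem" "$out/client-truststore.p12"
    importcert "$cmd" client "$out/client.pem" "$out/server-truststore.p12"
    if [ "$cmd" = keytool ]; then
        verify_store "$out/server.p12" serverAuth
        verify_store "$out/client.p12" clientAuth
        echo "key and trust stores written to $out"
    fi
}

main
```

The private keys never leave the PKCS#12 key stores; only the PEM certificates are copied into the peer's truststore, so a compromised truststore file exposes no secret. Adding `:critical` to the `-ext` values would mark the extensions critical, which the text leaves optional.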