Working with Digital Certificates

<< Verifying SSL Support | Creating a Server Certificate >>

Working with Digital Certificates

the domain names do not match, these browsers will display a warning to the client. In general,
only address-based virtual hosts are commonly used with SSL in a production environment.

Working with Digital Certificates

Digital certificates for the Application Server have already been generated and can be found in
the directory domain-dir/config/. These digital certificates are self-signed and are intended for
use in a development environment; they are not intended for production purposes. For
production purposes, generate your own certificates and have them signed by a CA.

The instructions in this section apply to the developer and cluster profiles of the Application
Server. In the enterprise profile, the certutil utility is used to create digital certificates. For
more information, see the Sun Java System Application Server 9.1 Administration Guide.

To use SSL, an application or web server must have an associated certificate for each external
interface, or IP address, that accepts secure connections. The theory behind this design is that a
server should provide some kind of reasonable assurance that its owner is who you think it is,
particularly before receiving any sensitive information. It may be useful to think of a certificate
as a "digital driver's license" for an Internet address. It states with which company the site is
associated, along with some basic contact information about the site owner or administrator.

The digital certificate is cryptographically signed by its owner and is difficult for anyone else to
forge. For sites involved in e-commerce or in any other business transaction in which
authentication of identity is important, a certificate can be purchased from a well-known
certificate authority (CA) such as VeriSign or Thawte. If your server certificate is self-signed,
you must install it in the Application Server keystore file (keystore.jks). If your client
certificate is self-signed, you should install it in the Application Server truststore file
(cacerts.jks).

Sometimes authentication is not really a concern. For example, an administrator might simply
want to ensure that data being transmitted and received by the server is private and cannot be
snooped by anyone eavesdropping on the connection. In such cases, you can save the time and
expense involved in obtaining a CA certificate and simply use a self-signed certificate.

SSL uses public key cryptography, which is based on key pairs. Key pairs contain one public key
and one private key. If data is encrypted with one key, it can be decrypted only with the other
key of the pair. This property is fundamental to establishing trust and privacy in transactions.
For example, using SSL, the server computes a value and encrypts the value using its private key.
The encrypted value is called a digital signature. The client decrypts the encrypted value using
the server's public key and compares the value to its own computed value. If the two values
match, the client can trust that the signature is authentic, because only the private key could
have been used to produce such a signature.

Digital certificates are used with the HTTPS protocol to authenticate web clients. The HTTPS
service of most web servers will not run unless a digital certificate has been installed. Use the

Establishing a Secure Connection Using SSL

The Java EE 5 Tutorial · September 2007

788