Generate unencrypted key pair using openssl

$ openssl genrsa -out private.pem 2048

Generate encrypted key pair using openssl

$ openssl genrsa -des3 -out private.pem 2048

Convert private key to PKCS#8 in der format

$ openssl pkcs8 -topk8 -inform PEM -outform DER -in private.pem -out private.der -nocrypt

Export public key to DER format

$ openssl rsa -in private.pem -pubout -outform DER -out public.der
Posted in Uncategorized.

Security is an important topic in Information Technology. When writing code related to security, you should be conscious and fully understand what are you doing. This topic is not a topic which you can code without knowing exactly what you do. You should be careful and not just blindly copy paste code you don’t understand. The system is relying to your code, to feel safe and secure :)

This article does not teach you to understand Java security. This is just a pointer to kickstart your research. I have some reference to good articles from Oracle which will help you to start figuring out.

  1. Certificates and Certificate Revocation Lists
  2. Java Cryptography Architecture
  3. Java PKI Programmer’s Guide

You can start your research to follow those links above according to its order. Happy learning!

Posted in Uncategorized.

This article will show openssl parameters to generate CA certificate keypairs.
This command will generate private certificate “ca.key” under private folder, and public certificate “ca.crt” under certs folder.
In RedHat CentOS server, you can execute below command under /etc/pki/CA folder.

root@server.example.com [CA]# openssl req -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Generating a 2048 bit RSA private key
..........................+++
......................................................................................................................................................+++
writing new private key to 'private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:webmaster@example.com
Posted in Uncategorized.

Most of the time, we don’t want to allow direct access to the port from outside our server.
We can configure this through iptables command.

In this example we want to configure port 8080 to be accessible from localhost only. These are the steps:
1. Execute this command to accept connection from localhost.

iptables -A INPUT -p tcp -s localhost --dport 8080 -j ACCEPT

2. Execute this command to drop any connection from other hosts.

iptables -A INPUT -p tcp --dport 8080 -j DROP

If we want to undo this changes, we can execute the same command by replacing -A with -D. From here we may reverse proxy our 8080 port using our apache http server.

Posted in Uncategorized.