Generate unencrypted key pair using openssl

$ openssl genrsa -out private.pem 2048

Generate encrypted key pair using openssl

$ openssl genrsa -des3 -out private.pem 2048

Convert private key to PKCS#8 in DER format

$ openssl pkcs8 -topk8 -inform PEM -outform DER -in private.pem -out private.der -nocrypt

Export public key to DER format

$ openssl rsa -in private.pem -pubout -outform DER -out public.der

Security is an important topic in Information Technology. When writing security-related code, you should be deliberate and fully understand what you are doing. This is not a topic where you can code without knowing exactly what you are doing. Be careful and never blindly copy and paste code you don't understand. The system relies on your code to be safe and secure :)

This article does not teach you Java security. It is only a pointer to kickstart your research. I have included references to good articles from Oracle that will help you start figuring it out.

  1. Certificates and Certificate Revocation Lists
  2. Java Cryptography Architecture
  3. Java PKI Programmer’s Guide

You can start your research by following the links above in the order given. Happy learning!

This article shows the openssl parameters for generating a CA certificate key pair.
The command below generates the private key "ca.key" under the private folder and the self-signed CA certificate "ca.crt" under the certs folder.
On a RedHat/CentOS server, you can run it from the /etc/pki/CA folder.

root@server.example.com [CA]# openssl req -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Generating a 2048 bit RSA private key
..........................+++
......................................................................................................................................................+++
writing new private key to 'private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:webmaster@example.com

Most of the time, we don’t want to allow direct access to the port from outside our server.
We can configure this through iptables command.

In this example we want to configure port 8080 to be accessible from localhost only. These are the steps:
1. Execute this command to accept connections from localhost.

iptables -A INPUT -p tcp -s localhost --dport 8080 -j ACCEPT

2. Execute this command to drop any connection from other hosts.

iptables -A INPUT -p tcp --dport 8080 -j DROP

If we want to undo these changes, we can execute the same commands with -A replaced by -D. From here we can reverse proxy port 8080 through our Apache HTTP server.
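As an added example (not part of the original post), here is a Python checker that reads an `iptables -S INPUT` dump and verifies the pattern above: it looks for the localhost ACCEPT rule on the port and confirms the catch-all DROP comes after it, since `-A` appends and running the two commands in the wrong order blocks localhost as well. The dumps in the block are constructed, and `parse_rules`, `check_port` and the dump names are my own.

```python
# Checker for the localhost-only port pattern, run over `iptables -S INPUT` output.
import shlex

LOOPBACK = ("127.0.0.1/32", "127.0.0.0/8")  # how iptables -S prints "-s localhost"


def parse_rules(dump):
    """Turn `-A CHAIN opt value ...` lines into dicts; policy and other lines are skipped."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        if "!" in toks:
            continue  # negated matches are out of scope for this check
        rule = {"chain": toks[1]}
        i = 2
        while i < len(toks):
            # every option in -S output takes exactly one value (e.g. -s 127.0.0.1/32)
            if toks[i].startswith("-") and i + 1 < len(toks):
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def check_port(dump, port):
    """Return (ok, reason): is TCP `port` accepted from loopback and dropped for everyone else?"""
    accept_idx = drop_idx = None
    for idx, r in enumerate(parse_rules(dump)):
        if r["chain"] != "INPUT" or r.get("-p") != "tcp" or r.get("--dport") != str(port):
            continue
        src = r.get("-s", "0.0.0.0/0")  # no -s means any source
        if r.get("-j") == "ACCEPT" and src in LOOPBACK and accept_idx is None:
            accept_idx = idx
        elif r.get("-j") == "DROP" and src == "0.0.0.0/0" and drop_idx is None:
            drop_idx = idx
    if accept_idx is None:
        return False, "no ACCEPT rule for localhost on port %d" % port
    if drop_idx is None:
        return False, "no catch-all DROP for port %d: still open to other hosts" % port
    if drop_idx < accept_idx:
        return False, "DROP comes before ACCEPT: localhost is blocked too"
    return True, "port %d is restricted to localhost" % port


# Constructed dumps in `iptables -S INPUT` format (iptables itself inserts "-m tcp").
GOOD_DUMP = """-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
"""
WRONG_ORDER_DUMP = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
"""

if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("wrong order", WRONG_ORDER_DUMP)):
        print(name, check_port(dump, 8080))
```

Feed the real output of `iptables -S INPUT` to `check_port` to audit a live host. These rules cover IPv4 only, so an IPv6 listener needs the same pair under `ip6tables`, and rules added this way are lost at reboot unless saved.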