{"id":15626669,"url":"https://github.com/neonidian/public-key-infrastructure","last_synced_at":"2025-06-15T14:36:08.537Z","repository":{"id":104228181,"uuid":"171941108","full_name":"neonidian/public-key-infrastructure","owner":"neonidian","description":"Create Keystore and Truststore for One way and Two way TLS using Java keytool","archived":false,"fork":false,"pushed_at":"2020-01-15T14:55:53.000Z","size":17,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-02-04T18:38:05.183Z","etag":null,"topics":["generate-key","keystore","keytool","tls","tls-certificate","truststore"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neonidian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-21T20:34:23.000Z","updated_at":"2023-02-10T19:40:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"7cd6f096-4893-4101-a32c-9ba469e4a914","html_url":"https://github.com/neonidian/public-key-infrastructure","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neonidian%2Fpublic-key-infrastructure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neonidian%2Fpublic-key-infrastructure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neonidian%2Fpublic-key-infrastructure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/neonidian%2Fpublic-key-infrastructure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neonidian","download_url":"https://codeload.github.com/neonidian/public-key-infrastructure/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246217379,"owners_count":20742183,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["generate-key","keystore","keytool","tls","tls-certificate","truststore"],"created_at":"2024-10-03T10:13:15.813Z","updated_at":"2025-03-29T17:25:07.304Z","avatar_url":"https://github.com/neonidian.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Public Key Infrastructure (PKI)\n\n\nPKI on [wikipedia]\n\n[wikipedia]: https://en.wikipedia.org/wiki/Public_key_infrastructure\n\n### Why PKI?\n\nAs the internet grows and devices communicate with each other, there arose a requirement for secure communication between \ndevices so that the data which passes through the internet cannot be misused if intercepted. Data can be intercepted\nsince the internet involves many devices like gateways and routers that relay the data. \n\nE.g., a user sitting in Iceland accessing a website that is hosted on a server in India has their data go through \nseveral gateways and routers, and because of this the data can be intercepted in those gateways and routers. 
\n\n**https**\n\nOn opening any website, if the URL of the website starts with _https_ like https://www.sample_site.com, it means that \nthe website uses [encryption], which means any information sent through the website is scrambled and anybody who intercepts \nthe information cannot view the actual information.\n\n**http**\n\nOn the other hand, if a website URL starts with _http_ like http://www.oh-my-gosh.com, any information which is sent through \nthe network is not encrypted and anybody like your ISP can easily see the data that is transmitted, which can lead to [spoofing].\n\n\nSo it is always good to check that the web pages where you enter sensitive information like username/password, addresses or credit \ncard information have _https_ in the URL bar.\n\n\n[encryption]: https://en.wikipedia.org/wiki/Encryption\n[spoofing]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack\n\n_**The PKI defines a framework for providing https where 's' stands for 'secured'.**_\n\n## TLS\n\nTLS provides a way of enabling https. It is a cryptographic protocol and succeeds its predecessor, SSL (Secure Sockets Layer). \nThere are several versions of TLS and it is recommended to use the latest version since the older versions have vulnerabilities \nlike [heartbleed].\n\n[heartbleed]: http://heartbleed.com/\n\n#### One way TLS\n\nThis is the most common form of https, used across the internet whenever you use any website that has https in the URL bar. An excerpt\nfrom the web shows how TLS works:\n\n1. The client browser receives https://google.com in its address bar\n\n2. The client browser knows based on https:// that this connection will require an SSL handshake and sends a CLIENT_HELLO \nto the destined web server (google). This includes other things like SSL/TLS version, acceptable ciphers, etc.\n\n3. The web server receives the CLIENT_HELLO request and sends a SERVER_HELLO back to the client. SERVER_HELLO contains \nthe SSL version, acceptable ciphers, and the server certificate.\n\n4. 
The client receives the server's certificate and it is verified against a list of known Certificate Authorities.\n\n5. If the certificate is proven to be in good standing, the client sends back a pre-master secret that is encrypted using \nthe server's certificate. Remember only the server can decrypt anything encrypted with its certificate because only the \nserver has the decryption key. Server certificate encrypts, server key decrypts.\n\n6. At this point both client and server have the pre-master secret and can calculate a master secret to use to \nsymmetrically encrypt and decrypt data between them.\n\nIf you want to know what data packets are transferred and received, you can use packet capture software like [wireshark].\n\n[wireshark]: https://www.wireshark.org\n\nSee the sub-directory [one-way-tls-using-java-keytool] about generating a keystore. This generation uses the PKCS12 format,\nwhich can be used for any application which supports this format.\n\n[one-way-tls-using-java-keytool]:one-way-tls-using-java-keytool/\n\n#### Two way TLS\n\nIn the case of two-way TLS, both client and server authenticate each other to ensure that both parties involved in the communication \nare trusted. \n\nBoth parties share their public certificates with each other and then verification/validation is performed based on that.\n\nBelow is a high-level description of the steps involved in the establishment of a connection and the transfer of data between a \nclient and server in the case of two-way SSL:\n\n1. The client requests a protected resource over the HTTPS protocol and the SSL/TLS handshake process begins.\n\n2. The server returns its public certificate to the client along with the server hello. \n\n3. The client validates/verifies the received certificate. The client verifies the certificate through the certification authority (CA) \nfor CA-signed certificates.\n\n4. If the server certificate was validated successfully, the client will provide its public certificate to the server.\n\n5. 
The server validates/verifies the received certificate. The server verifies the certificate through the certification authority (CA) \nfor CA-signed certificates.\n\n6. After completion of the handshake process, client and server communicate and transfer data with each other encrypted with \nthe secret keys shared between the two during the handshake. \n\nSee the sub-directory [two-way-tls-using-java-keytool] about generating a keystore. This generation uses the PKCS12 format,\nwhich can be used for any application which supports this format.\n\n[two-way-tls-using-java-keytool]:two-way-tls-using-java-keytool/\n\n##### Certificate Based Authentication\n\nCertificate-based authentication is a feature that can be used in addition to two-way TLS so that a form login is not \nrequired. This requires configuring the application to be deployed in a server to use certificate-based authentication, \nand no extra step is required if two-way TLS already works.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneonidian%2Fpublic-key-infrastructure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneonidian%2Fpublic-key-infrastructure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneonidian%2Fpublic-key-infrastructure/lists"}