Two-way SSL using cURL

cURL is a command line tool for transferring data using multiple protocols.

To establish two-way SSL communication between cURL and an Apache Tomcat web application, generate a self-signed certificate for the server and one for the client (the machine cURL is running on).

Self-signed certificate for the client:

1. Create a private key for the client.
     openssl genrsa -out clientprivatekey.pem 2048

2. Create an OpenSSL self-signed certificate for the client using the private key.
     openssl req -new -x509 -key clientprivatekey.pem -out clientcert.pem -days 365
  
Self-signed certificate for the server:

1. Generate a private key for the server.
     openssl genrsa -out serverprivatekey.pem 2048

2. Create an OpenSSL self-signed certificate for the server using the private key.
     openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095

     This prompts you to enter a few pieces of information; use “.” to leave a field blank. When prompted for 'Common Name', specify the hostname of the machine Tomcat runs on.

3. Tomcat currently operates only on JKS format keystores, so generate a JKS keystore from the certificate above. This involves first creating a PKCS12 file.
     openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem
     
      It asks for the export password, and it is recommended to provide a password.

4. Now convert the serverkeystore.pkcs12 file to a JKS format keystore using Java's keytool.
     keytool -importkeystore -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

     Keytool asks you twice for a new password (the keystore password) for the JKS keystore, and it will also ask you for the password you set for the PKCS12 keystore created earlier.

With cURL, the responsibility for verifying the server's certificate lies with OpenSSL. As there is no Certificate Authority in our case of self-signed certificates, we add the server's certificate to OpenSSL's certificate store. This is explained later. For now, generate a .crt file out of servercert.pem:
     openssl x509 -inform pem -in servercert.pem -out servercert.crt

This servercert.crt now needs to be added to OpenSSL's store.

Using cURL for two-way SSL communication

Open a terminal and run the following command.
>curl -E /path/to/client/certificate --key /path/to/client/private/key https://server/url/path

Ex:
>curl -E /home/../../clientcert.pem --key /home/../../clientprivatekey.pem https://commonName:8443/example/register

commonName in the server URL above is the one given while generating the server's certificate in step 2.
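As an added example (not from the original post), a small POSIX shell helper that checks the Common Name against the URL host and the client key against the client certificate before making the call above. It assumes the file names used in this post, and uses curl's --cacert option to trust servercert.crt for this one call as an alternative to installing it in the system store.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-flight checks for the
# two-way SSL curl call; assumes the file names used in the post.

# Print the CN from a subject line as emitted by `openssl x509 -noout -subject`.
# Handles both "subject=C = IN, CN = host" and "subject= /C=IN/CN=host" layouts.
cert_cn() {
  printf '%s\n' "$1" | sed -n 's#.*CN *= *\([^,/]*\).*#\1#p' | sed 's# *$##'
}

# Print the host part of an https URL: https://host:8443/example/register -> host
url_host() {
  printf '%s\n' "$1" | sed -n 's#^https://\([^/:]*\).*#\1#p'
}

# Succeed only when the certificate CN equals the URL host. curl refuses the
# connection otherwise, because hostname checking is part of server
# certificate verification.
cn_matches_url() {
  cn=$(cert_cn "$1")
  [ -n "$cn" ] && [ "$cn" = "$(url_host "$2")" ]
}

# Succeed when the RSA client key belongs to the client certificate
# (same modulus). Needs openssl on PATH.
client_pair_ok() {
  [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

# Full check and call. Usage:
#   mutual_tls_get clientcert.pem clientprivatekey.pem servercert.crt URL
# --cacert trusts the self-signed server certificate for this call only.
mutual_tls_get() {
  client_pair_ok "$1" "$2" || { echo "client key does not match client cert" >&2; return 1; }
  subject=$(openssl x509 -noout -subject -in "$3") || return 1
  if ! cn_matches_url "$subject" "$4"; then
    echo "CN '$(cert_cn "$subject")' does not match host '$(url_host "$4")'" >&2
    return 1
  fi
  curl -E "$1" --key "$2" --cacert "$3" "$4"
}
```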

Adding the server's certificate to the OpenSSL store
1. Identify the OpenSSL installation directory using the command
> openssl version -d
Say it is installed in /usr/lib/ssl.

2. Change to that directory.
> cd /usr/lib/ssl
3. This folder contains a 'certs' folder; move to that directory.
> cd certs

4. List the directory contents using 'ls -la'. From the symlinks, it can be observed that the certificates are actually stored in /usr/share/ca-certificates. Move to that directory.
> cd /usr/share/ca-certificates
5. Copy the server's .crt certificate (servercert.crt) to this folder.

6. Change to the “/etc” directory and edit the file “ca-certificates.conf”. Add servercert.crt to that file and save it.

7. Now update the CA certificates while in /etc.
:/etc# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.
The server's certificate is now part of OpenSSL's certificates. Go ahead and use cURL for two-way SSL communication.

Comments

  1. Hi, thank you for your article. Just one thing: when you describe the creation of each certificate, can you please state on which computer each certificate must be created?

    Replies
    1. They can be created on any computer and placed in the respective locations (of server and client). In my POC, both server and client were on the same computer, and I generated them on the same machine.
