Cyclades AlterPath BladeManager User Manual

Page 185

background image

Installing SSL Certificates

AlterPath BladeManager Manual

5-23

Be sure to check a certificate very carefully before importing it as a trusted
certificate! View it first (using the -printcert subcommand, or the -import
subcommand without the -noprompt option), and make sure that the
displayed certificate fingerprint(s) match the expected ones.

For example, suppose someone sends or emails you a certificate, and you put
it in a file named /tmp/cert. Before you consider adding the certificate to your
list of trusted certificates, you can execute a -printcert subcommand to view
its fingerprints, as in:

keytool -printcert -file /tmp/cert
Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
Serial Number: 59092b34
Valid from: Thu JUL 01 18:01:13 PDT 2004
until: Wed SEP 08 17:01:13 PST 2004
Certificate Fingerprints:
MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F
SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:1

Then call or contact the person who sent the certificate, and compare the
fingerprint(s) that you see with the ones that they show. Only if the
fingerprints are equal is it guaranteed that the certificate has not been replaced
in transit with somebody else’s (for example, an attacker’s) certificate. If such
an attack took place, and you did not check the certificate before you imported
it, you would end up trusting anything the attacker has signed (for example, a
JAR file with malicious class files inside).

Note: it is not required that you execute a -printcert subcommand prior to
importing a certificate, since before adding a certificate to the list of trusted
certificates in the keystore, the -import subcommand prints out the certificate
information and prompts you to verify it.

You then have the option of aborting the import operation. Note, however, this
is only the case if you invoke the -import subcommand without the
-noprompt option. If the -noprompt option is given, then there is no interac-
tion with the user.

If you are satisfied that the certificate is valid, then you can add it to your key
store as follows:

keytool -import -alias tomcat -file jcertfile.cer
This creates a trusted certificate entry in the keystore, with the data from the
file jcertfile.cer, and assigns the alias tomcat to the entry.