keytool - backdating a self-signed certificate

Have you ever had to deal with clock-skew across machines? When distributing self-signed certificates to create a network of trust between machines, clock-skew can be a real problem if one machine thinks that the other machine's certificate isn't yet valid... your certificate won't be accepted.

Here's a new feature in Java 7 that can help you to create self-signed certificates that are immune to this...

Using keytool to generate a key and self-signed certificate pair

A self-signed key and its certificate is really easy to generate using the Java CLI called keytool:

$ date
Mon Nov 19 13:39:48 MET 2007
$ keytool -genkey -alias myKey -keyalg RSA -keysize 1024 \\
-keystore keystore.ks -dname "CN=localhost" -validity 7304  

You can also inspect the certificate:

$ keytool -list -v -alias myKey -keystore keystore.ks
Alias name: myKey
Creation date: Nov 19, 2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 4741831d
Valid from: Mon Nov 19 13:39:52 MET 2007 until: Thu Nov 18 13:39:52 MET 2027
Certificate fingerprints:
         MD5:  C7:8C:94:24:16:35:A0:00:61:6F:91:FB:7B:C7:D3:2D
         SHA1: FC:64:60:BD:97:77:67:6D:FE:AA:6D:19:CE:4C:96:3E:72:6E:86:5E
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 36 A9 D1 CC 1B D6 37 9A   A0 65 F3 9A AA D6 C0 C2  6.....7..e......
0010: 66 FF 9F E7                                        f...
]
]

This private key and its certificate can be used for many things, in particular, these are often used for HTTPS and TLS connections.

The validity period of the self-signed certificate 

... In the above, you can see the validity of this certificate is from the moment that the key was created through to 20 years later (7304 days), this is fine for the usual case.

The problem with clock skew 

However, there can be a problem - what happens if a client system connects to your server but its clock is running slow - this can be due to the system being mis-configured, or having drifted backwards, or the battery on the battery-backed clock being dead and the machine thinking that it is 1970 again!

Well, what happens is that this badly configured machine, if it attempts to connect over HTTPS or TLS to your server, will refuse to accept the certificate for the private key you have just generated, because it thinks that the certificate isn't yet valid... in the worst case, it still thinks that it's Jan 1 1970, and your certificate's validity start date is in 2007!

How to backdate self-signed certificates using Java 7

As of Java 7, keytool supports a new option to allow you to warp the clock when creating a new self-signed certificate, this lets you set the clock back so that the start date on your certificate can take into account client systems connecting with clock skew.

Here's an example of using keytool from Java 7 to create a certificate that's valid from 1970 onwards... note that I've also increased the validity period from 20 years to still go beyond today's date:

$ keytool -genkey -alias myKey -keyalg RSA -keysize 1024 \\
-keystore keystore.ks -dname "CN=localhost" \\
-validity 32767 -startdate "1970/01/01 00:00:00"
$ keytool -list -alias myKey -v -keystore keystore.ks
Alias name: myKey
Creation date: Nov 19, 2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
Serial number: -e10
Valid from: Thu Jan 01 00:00:00 MET 1970 until: Thu Sep 18 01:00:00 MEST 2059
Certificate fingerprints:
MD5: 18:71:25:B4:3E:BB:F5:D5:2B:B1:73:06:FA:10:3D:0F
SHA1: 03:B1:47:6B:20:5C:AC:CF:0C:57:8A:59:48:DB:F0:CC:CD:CB:A6:BC
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8C CE 94 A7 64 78 AD 13 C0 CE 77 A6 32 39 60 2D ....dx....w.29`-
0010: 20 D8 DC 82 ...
]
]

Note that in the above the certificate is now valid from 1 Jan 1970 to September 2059... ...so if a client tries to connect to this server, even if its clock is set back to 1970, it will be able to successfully connect.

 


Comments:

Post a Comment:
Comments are closed for this entry.
About

nickstephen

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today