# Certificates #

## CA and trust keystore

	keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias ca -dname "CN=ca,O=HMS,S=SE" -keystore ca.jks -storepass password
	keytool -exportcert -rfc -alias ca -keystore ca.jks -storepass password > ca.pem
	cat ca.pem | keytool -importcert -alias ca -noprompt -keystore trust.jks -storepass password

## server cert

Notice that the CN must be equal to the DNS hostname!

	keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias server -dname "CN=localhost.com,O=HMS,S=SE" -keystore server.jks -storepass password
	keytool -certreq -alias server -storepass password -keystore server.jks | keytool  -gencert -alias ca -rfc -keystore ca.jks -storepass password > server.pem
	cat ca.pem | keytool -importcert -alias ca -noprompt -keystore server.jks -storepass password
	cat ca.pem server.pem | keytool -importcert -alias server -keystore server.jks -storepass password

## client cert

The username of the client is the value of CN!

	keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias client -dname "CN=client,O=HMS,S=SE" -keystore client.jks -storepass password
	keytool -certreq -alias client -keystore client.jks -storepass password | keytool -gencert -alias ca -rfc -keystore ca.jks -storepass password> client.pem
	cat ca.pem | keytool -importcert -alias ca -noprompt -keystore client.jks -storepass password
	cat ca.pem client.pem | keytool -importcert -alias client -keystore client.jks -storepass password


# Server authentication and authorization #

Tomcat and Jetty authenticates the client if the certificate if signed by a trusted CA. 
However, standard Java Web security is a mess to configure and I decided to use Spring Security to provide authorization.

## tomcat

In server.xml:

	<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
	           maxThreads="150" scheme="https" secure="true"
	           keystoreFile="server.jks" keystorePass="password"
	           truststoreFile="trust.jks" truststorePass="password"
	           clientAuth="want" sslProtocol="TLS" />

## Jetty

	SslContextFactory sslContextFactory = new SslContextFactory();
	sslContextFactory.setKeyStoreInputStream(new FileInputStream("server.jks"));
	sslContextFactory.setKeyStorePassword("password");
	sslContextFactory.setKeyManagerPassword("password");
	sslContextFactory.setTrustStoreInputStream(new FileInputStream("trust.jks"));
	sslContextFactory.setTrustStorePassword("password");
	sslContextFactory.setWantClientAuth(true);
	_connector = new SslSelectChannelConnector(sslContextFactory);

## Spring Security - authorization

	<x509 subject-principal-regex="CN=(.*)"/>

optionally user-service-ref="userDetailsService" 

# Client code #

## HttpClient

	final KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
	truststore.load(new FileInputStream("trust.jks"), "password".toCharArray());

	final KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
	keystore.load(new FileInputStream("client.jks"), "password".toCharArray());

	Scheme httpsScheme = new Scheme("https", 443, new SSLSocketFactory(keystore, "password", truststore));

	SchemeRegistry schemeRegistry = new SchemeRegistry();
	schemeRegistry.register(httpsScheme);

	ClientConnectionManager cm = new SingleClientConnManager(schemeRegistry);
	return new DefaultHttpClient(cm);

# Jetty WebSocketClient

	factory.getSslContextFactory().setTrustAll(false);
	factory.getSslContextFactory().setTrustStore(truststore);
	factory.getSslContextFactory().setKeyStore(keystore);
	factory.getSslContextFactory().setKeyManagerPassword("password");