labs / tiddlers / content / labs / lab13 / _Labs_13_Create the Server Certificate.md
  1. We can now create certificates that are signed by the mkcert CA. We need a certificate for the web server that hosts the web service. The browser will reach that server as `localhost`, so the certificate has to be issued for that exact name; a certificate for any other name would be rejected. Run the following command.

    Windows

    $env:CAROOT = pwd; .\mkcert.exe  -pkcs12 localhost

    Linux

    CAROOT=$(pwd) ./mkcert -pkcs12 localhost

    Mac

    CAROOT=$(pwd) ./mkcert -pkcs12 localhost

    PKCS12 (PKCS #12) is a password-protected archive format for X.509 material. It lets us bundle the server certificate, its private key, and the CA certificate that signed it into a single file, which is why Jooby only needs to be pointed at one file.

  2. You should see a new file in the mkcert folder named localhost.p12.

    As mentioned, this is a PKCS12 file that contains both the certificate and the private key. X.509 certificates carry public keys and so support asymmetric (public key) cryptography, but TLS only uses the asymmetric operations during the handshake: the server proves that it holds the private key matching the certificate it presents, and the two sides agree on a shared session key. Everything after the handshake, including the HTTP requests and responses, is encrypted with that symmetric session key. The private key that mkcert generated therefore authenticates the server during the handshake; it is never used to encrypt the HTTP messages themselves. This is also why the file must never leak: anyone holding it can impersonate `localhost` to every browser that trusts your mkcert CA.

  3. Copy the localhost.p12 file into the resources folder of your NetBeans project. You might be able to drag and drop from the file manager into the <> folder in the projects pane (this usually works on Windows and Linux. Macs are always a problem). If the drag and drop doesn't work, then use the openProjectFolder Gradle task to open the project folder, and then navigate to <>.

  4. We need to create the configuration file for Jooby. Right click the <> source folder in the project pane and select Other > Other > Empty File.

    Name the file application.conf.

  5. We need to tell Jooby where to find the certificate and key so add the following to the application.conf file.

    application.tmpdir: build/tmp
    
    server {
    
        port : 8080,
        securePort: 8443,
    
        ssl {
            type: PKCS12,
            cert: localhost.p12,
            password: changeit
        }
    }

    This also sets the port that will be used for both HTTP and HTTPS connections, and defines a temporary directory that Jooby will use to cache the keys while the server is running. The password is the default password that mkcert used to encrypt the PKCS12 file.

  6. The application.conf file is now providing the server options, so comment out the setServerOptions call in the Server class. Options set in code take precedence over the configuration file, so leaving the call in place would override the settings you just added.

  7. Run your application. You should now see two URLs being displayed in the output console when Jooby starts, one for HTTP and one for HTTPS. Click the one that starts with https://.

    You should see the padlock icon in the browser's location bar to indicate that the connection is encrypted. Your web pages should still work as per normal. If the browser shows a certificate warning instead of the padlock, either it does not trust the mkcert root CA (the CA has to be installed into the trust store with `mkcert -install` from the same CAROOT folder that signed the certificate), or you are connecting by a name other than `localhost`, which the certificate does not cover. Do not click through such warnings; they are exactly what TLS is supposed to produce when something is wrong.
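Before handing the bundle to Jooby, it is worth checking that it really contains what steps 1 and 2 describe: a private key, a certificate that names `localhost`, and a chain back to the mkcert root. The following shell function is an added example, not part of the lab or of mkcert; it assumes the `openssl` command line tool is installed and that `rootCA.pem` is the root certificate mkcert wrote into the CAROOT folder (the mkcert folder, given `CAROOT=$(pwd)` above). The retry with `-legacy` is there because mkcert writes the bundle with the older RC2-based PKCS12 encryption, which OpenSSL 3 only reads when that flag is given.

```shell
#!/bin/sh
# Added check for the localhost.p12 produced in step 1 (not part of the lab).
# Assumes the openssl CLI and rootCA.pem, the root certificate in the mkcert
# CAROOT folder.

p12_export() {
  # $1 = bundle, $2 = password; remaining arguments choose what to export.
  # mkcert uses the legacy RC2-40 PKCS12 encryption, which OpenSSL 3 only
  # reads with -legacy, so retry with that flag if the first attempt fails.
  _p12="$1"; _pass="$2"; shift 2
  openssl pkcs12 -in "$_p12" -passin "pass:$_pass" "$@" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$_p12" -passin "pass:$_pass" "$@" 2>/dev/null
}

# check_p12 BUNDLE ROOT_CA_PEM [PASSWORD]
# Returns 0 only when the bundle opens with the password, contains a private
# key, names localhost in its subjectAltName and chains to the given root CA.
check_p12() {
  bundle="$1"; root="$2"; pass="${3:-changeit}"   # changeit is mkcert's default
  work=$(mktemp -d) || return 1

  # 1. Password and private key: Jooby cannot start without both.
  if ! p12_export "$bundle" "$pass" -nocerts -nodes -out "$work/key.pem"; then
    echo "cannot open $bundle with that password"; rm -rf "$work"; return 1
  fi
  if ! grep -q 'PRIVATE KEY' "$work/key.pem"; then
    echo "no private key in $bundle"; rm -rf "$work"; return 1
  fi

  # 2. Leaf certificate only (-clcerts skips the bundled CA certificate).
  if ! p12_export "$bundle" "$pass" -clcerts -nokeys -out "$work/leaf.pem"; then
    echo "no server certificate in $bundle"; rm -rf "$work"; return 1
  fi

  # 3. Browsers match the URL host against subjectAltName, not the subject CN.
  if ! openssl x509 -in "$work/leaf.pem" -noout -text 2>/dev/null | grep -q 'DNS:localhost'; then
    echo "certificate does not cover localhost"; rm -rf "$work"; return 1
  fi

  # 4. The chain must end at the mkcert root the browser was told to trust.
  if ! openssl verify -CAfile "$root" "$work/leaf.pem" >/dev/null 2>&1; then
    echo "certificate does not chain to $root"; rm -rf "$work"; return 1
  fi

  rm -rf "$work"
  echo "$bundle: OK"
}

# Run from the mkcert folder after step 1:
#   check_p12 localhost.p12 rootCA.pem
```

A wrong password fails at the first step, which is the same failure Jooby reports at startup if the `password` setting in application.conf does not match the bundle; a certificate created for some other host name fails at the subjectAltName check, which is the same mismatch that makes the browser show a warning instead of the padlock.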

Note that we did not need to write any JavaScript or Java code to encrypt the HTTP request. We have added the encryption at a layer below where our application resides: the browser and the web server are doing all of the hard work for us, and our application does not even need to be aware that the encryption is taking place.

Network sniffing is a significant threat as it is very easy to do. A malicious attacker does not even need to be inside a building in order to sniff a network. There are small and inconspicuous devices that can be plugged into a wall socket, or dropped somewhere out of the way that can capture and re-transmit data from wireless networks to a malicious attacker. There are equivalents for wired networks too. See the following article for an example:

https://www.wired.com/2012/03/pwnie/