Setting up TCP/IP SSL authentication
With mutual authentication, the Server and Client authenticate each other: each side presents a certificate and checks the other's against its own trust store. This is common in web services.
To set up TLS in Cloverleaf (HTTP Client or TCP):
- Use Portecle to create or manage a Java keystore and truststore.
  - The keystore contains the Server public/private key pair.
  - The truststore contains the trusted Client's public certificates.
  - Use Portecle to create the PKCS12 keystore.
- Use OpenSSL to export the Client certificate and the private key. cURL uses the PEM format and cannot handle combined certificates, so the key and certificate must be split into separate files. If OpenSSL is not already available, install it.
  - Open the JKS keystore in Portecle.
  - Export the private key and head cert into a P12 file.
    - Export type: Private key and certificates
    - Export format: PKCS #12
  - Use OpenSSL to extract the individual certs.
  - Export the client public certificate into a PEM file. For example:
    openssl pkcs12 -in client_keystore.p12 -out public.pem -clcerts -nokeys
  - Export the client private key into a PEM file. For example:
    openssl pkcs12 -in client_keystore.p12 -out private.pem -nocerts
- Plug the certificates created from the Client keystore and the Server public certificate into the thread's SSL configuration.
  - If CN (Common Name) checking needs to be disabled, add the cURL option: CURLOPT_SSLVERIFYHOST 0. In libcurl this switches off only the check that the server certificate's name matches the host being connected to; the certificate chain is still verified against the CA File unless peer verification is also turned off.
  - CA Path: the directory where the cert files are
  - CA File: the remote host's public cert
  - Certificate File: our public cert
  - Private Key: our private key
  - Password: the private key password
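The following script is an added example, not Cloverleaf's or Portecle's own tooling. It walks the OpenSSL half of the procedure above end to end: it builds a throw-away PKCS #12 file as a stand-in for the one Portecle exports (the subject name "demo-client", the file names and both passwords are constructed values), runs the two export commands from the page with explicit passwords so nothing prompts, and then performs two checks worth doing before the files go into the thread's SSL configuration: that public.pem and private.pem really belong together, and that the certificate verifies against a given CA File. Only the openssl command line is assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of the Cloverleaf documentation): exercise the
# P12 -> PEM export steps against a constructed keystore and sanity-check
# the resulting files. Assumes only the openssl CLI.
set -eu

WORK="${TMPDIR:-/tmp}/cloverleaf-tls-demo.$$"
P12_PASS="p12-export-pass"     # constructed: password set when the P12 was exported
KEY_PASS="private-key-pass"    # constructed: what goes in the thread's "Password" field
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the Portecle export: generate a key pair plus self-signed cert
# and bundle them into a PKCS #12 file. In Cloverleaf this file is the one
# exported from the JKS keystore in the steps above.
make_demo_p12() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-client" \
    -keyout "$WORK/seed_key.pem" -out "$WORK/seed_cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/seed_cert.pem" -inkey "$WORK/seed_key.pem" \
    -name demo-client -passout "pass:$P12_PASS" -out "$WORK/client_keystore.p12"
}

# The two export commands from the page. -passin avoids the interactive
# prompt; -passout keeps private.pem encrypted so the "Password" field of
# the thread configuration is what unlocks it.
extract_pems() {
  openssl pkcs12 -in "$WORK/client_keystore.p12" -passin "pass:$P12_PASS" \
    -out "$WORK/public.pem" -clcerts -nokeys
  openssl pkcs12 -in "$WORK/client_keystore.p12" -passin "pass:$P12_PASS" \
    -out "$WORK/private.pem" -nocerts -passout "pass:$KEY_PASS"
}

# Check 1: the public key inside the cert must equal the public key derived
# from the private key. A mismatch only surfaces later as a generic
# handshake failure in the engine log, so catch it here. Prints match/mismatch.
check_pair() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -in "$2" -passin "pass:$KEY_PASS" -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Check 2: what the peer's "CA File" setting does to our certificate. The
# cert in $2 must chain to the trust anchor(s) in $1. A self-signed cert
# verifies against itself. Prints trusted/untrusted.
check_trust() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

demo() {
  make_demo_p12
  extract_pems
  echo "pair:  $(check_pair "$WORK/public.pem" "$WORK/private.pem")"
  echo "trust: $(check_trust "$WORK/seed_cert.pem" "$WORK/public.pem")"
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

When adapting this to a real export, replace the constructed P12 with the file Portecle wrote, and point check_trust at the remote host's public certificate (the CA File) to confirm the chain before the first connection attempt.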