Setting up TCP/IP SSL authentication

With mutual authentication, the Server and Client authenticate each other. This is common in web services.

To set up TLS in Cloverleaf (HTTP Client or TCP):

  1. Use Portecle to create or manage a Java keystore and truststore.
    • The keystore contains the Server public/private key pair.
    • The truststore contains the trusted Client's public certificates.
  2. Use Portecle to create the PKCS12 keystore.
  3. Use OpenSSL to export the Client certificate and the private key.
    cURL uses the PEM format and cannot read a combined certificate-and-key file, so the certificate and the private key must be exported as separate PEM files. Install OpenSSL if it is not already available.
  4. Open the JKS keystore in Portecle.
  5. Export the private key and head certificate into a P12 file.
    • Export type: Private key and certificates
    • Export format: PKCS #12
  6. Use OpenSSL to extract the individual certs.
  7. Export the client public certificate into a PEM file. For example:
    openssl pkcs12 -in client_keystore.p12 -out public.pem -clcerts -nokeys
  8. Export the client private key into a PEM file. For example:
    openssl pkcs12 -in client_keystore.p12 -out private.pem -nocerts
  9. Plug the certificates exported from the Client keystore, together with the Server public certificate, into the thread's SSL configuration:
    • If CN (Common Name) checking must be disabled, add the cURL option CURLOPT_SSLVERIFYHOST 0 (the client then no longer checks that the server's certificate name matches the host it connected to).
    • CA Path: the directory where the certificate files are located
    • CA File: the remote host's public certificate
    • Certificate File: our public certificate (public.pem)
    • Private Key: our private key (private.pem)
    • Password: the private key password
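The extraction in steps 7 and 8, plus the check a practitioner wants before plugging the files into step 9, as an added example that is not part of the Cloverleaf documentation. It builds a throwaway client keystore in place of the Portecle export; the file names, the "demo-client" subject and the password are constructed, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: create a demo client PKCS#12, run the page's two pkcs12
# extraction commands, and confirm the exported cert and key belong together.
# Assumes openssl on PATH; WORK dir, file names and password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # constructed password for the demo keystore

# Stand-in for the P12 exported from Portecle (steps 4-5): a self-signed
# client certificate and key bundled into client_keystore.p12.
make_demo_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -out "$WORK/client_keystore.p12" -passout "pass:$P12_PASS"
}

# Steps 7 and 8: split the P12 into a public certificate PEM (no key) and a
# private key PEM (still encrypted with the same password, which is what the
# thread's "Password" field needs).
extract_client_pem() {
  openssl pkcs12 -in "$WORK/client_keystore.p12" -out "$WORK/public.pem" \
    -clcerts -nokeys -passin "pass:$P12_PASS"
  openssl pkcs12 -in "$WORK/client_keystore.p12" -out "$WORK/private.pem" \
    -nocerts -passin "pass:$P12_PASS" -passout "pass:$P12_PASS"
}

# Prints "match" when the public key inside public.pem equals the public key
# derived from private.pem. A mismatch (wrong alias exported, stale file)
# shows up later only as a failed client handshake, so check it here.
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/public.pem" -pubkey -noout | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/private.pem" -passin "pass:$P12_PASS" \
            -pubout | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

make_demo_keystore
extract_client_pem
check_key_matches_cert   # prints "match"
```

For step 9, public.pem goes in Certificate File, private.pem in Private Key, and the P12 password in Password; the CA File is the remote host's certificate, which this script does not produce.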