
Certificates

In order to secure the communication between a service and your app, GAMBAS relies on X509 certificates. In the following, we describe how to set up a certificate infrastructure for your service. Note that it is highly recommended that you use certificates to secure your services, as this ensures authenticity and secrecy during communication.

In order to generate certificates, you will have to install OpenSSL. You can download OpenSSL from the OpenSSL website for different operating systems. As a first step, you will have to generate a certification authority (CA) which you can then use to generate the certificate for your service. In the following, we detail the necessary steps:

Creating an ECC Root Certificate

  • Open the attached file openssl.cfg and edit it
    • Especially focus on the [ req_distinguished_name ] section (create your own defaults, this eases certificate creation)
    • You can also edit other attributes like the "default_days"
  • Use the attached createCA.bat to create an ECC certificate authority
    • This will create a self-signed CA certificate
    • The GAMBAS SDK uses the ECC curve secp160r1
  • Warning: distribute only the CA certificate with your application; don't put the private key in your Android app!

Creating an ECC Service Certificate

Alternative 1: You can use OpenSSL to create a certificate (we used the current version, 0.9.8y)
  • First generate the certificate request
    • openssl req -nodes -new -x509 -keyout client-req.pem -out client-req.pem -days 365 -config openssl.cfg -newkey ec:ec_param.pem
    • You can change the validity by changing the -days parameter
    • openssl x509 -x509toreq -in client-req.pem -signkey client-req.pem -out client-tmp.pem
  • Then sign the created request with your root CA certificate (requires the password)
    • openssl ca -config openssl.cfg -out client-cert.pem -infiles client-tmp.pem
  • Create the certificate in the PKCS12 format (useful for Windows; optional step)
    • openssl pkcs12 -export -in client-cert.pem -out client-cert.p12 -inkey client-req.pem -descert
  • Change the certificate format from PEM to DER (required step)
    • openssl x509 -in client-cert.pem -inform PEM -out client-cert.der -outform DER
  • Change the format of the private key from PEM to DER (required step)
    • openssl ec -in client-req.pem -inform PEM -out client-priv.der -outform DER
  • Tidy up
    • del client-req.pem
    • del client-tmp.pem
    • copy client-req.pem.priv private\client.priv
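
A way to check the files produced by Alternative 1 before deploying them, as an added example that is not part of the GAMBAS SDK or its attached scripts: it verifies the certificate against your CA, confirms that client-priv.der belongs to client-cert.der, and prints the fields worth reviewing. The CA certificate path and the .tmp file names are assumptions, since the page does not name the file that createCA.bat writes.

```batch
@echo off
rem Added example: sanity-check the output of Alternative 1.
rem Run it in the directory holding client-cert.pem, client-cert.der and client-priv.der.
rem ASSUMPTION: CA_CERT is a placeholder; point it at the CA certificate that
rem createCA.bat wrote (the page does not name that file).
setlocal
set "CA_CERT=path\to\your-ca-certificate.pem"

rem 1. The service certificate must chain to your own CA.
rem    The output is matched on ": OK" because older OpenSSL releases do not
rem    reliably signal a failed verification through the exit code.
openssl verify -CAfile "%CA_CERT%" client-cert.pem | findstr /C:": OK" >nul
if errorlevel 1 (
  echo FAIL: client-cert.pem does not verify against %CA_CERT%
  goto :cleanup
)
echo OK: certificate chains to the CA

rem 2. The DER private key must belong to the DER certificate.
rem    Both public keys are exported as PEM and compared (cert-pub.tmp and
rem    key-pub.tmp are scratch files chosen for this example).
openssl x509 -in client-cert.der -inform DER -noout -pubkey > cert-pub.tmp
openssl ec -in client-priv.der -inform DER -pubout -out key-pub.tmp 2>nul
fc cert-pub.tmp key-pub.tmp >nul
if errorlevel 1 (
  echo FAIL: client-priv.der does not match client-cert.der
  goto :cleanup
)
echo OK: private key matches the certificate

rem 3. The GAMBAS SDK uses secp160r1, so the certificate key should name that curve.
openssl x509 -in client-cert.der -inform DER -noout -text | findstr /C:"secp160r1" >nul
if errorlevel 1 echo WARN: certificate key does not name curve secp160r1

rem 4. Print subject, issuer, validity and fingerprint for manual review.
rem    OpenSSL prints a SHA1 fingerprint by default; the page does not state
rem    which digest the GAMBAS pseudonym uses.
openssl x509 -in client-cert.der -inform DER -noout -subject -issuer -dates -fingerprint

:cleanup
del cert-pub.tmp key-pub.tmp 2>nul
endlocal
```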

Alternative 2: You can also use the attached file createClient.bat, which automates these steps.


Using an ECC Service Certificate

In order to use authentication and encryption, you need to configure the middleware with a certificate. To do this, generate an asymmetric key pair and sign it as described above.
  • Application-side: In your Android app, use the method
    public void addCertificate(String certificate, String iri)
    from the AbstractService (in the API SDK for Android) to add a certificate as a trusted certificate.
  • Service-side: In your J2SE service, you add the certificate with the method
     public void setOwnCertificate(AbstractCertificate ownCertificate)
    from the GAMBASKeyStore and set the server's pseudonym to the certificate's fingerprint (using
    public static Pseudonym getPseudonym(InputStream certificate)
    of the CertificateUtils).