Key Management
After the installation of the required software, the first step is to create and sign the keys of all servers (Commissioner, Ballot Distributors, Administrators, Anonymizers and Counters). To generate the keys we used the Java command line tool keytool. Create a Key To create a key type the following command in the command line: keytool -genkey -keystore kstore.ks -alias server -keyalg RSA -keysize 1024 -validity 365 This command creates a 1024 bits RSA key valid for 365 days. The key is stored in a keystore file named kstore.ks with the server alias. To find out more about keytool utility please check the Java documentation. Sign a key First we must create the signature request and submit it to a Certification Authority (CA) for signing. To create a signature request type the following command: keytool -certreq -keystore kstore.ks -alias server –file server.req This command will create a signature request for the key with the alias server and store it in the server.req file. The second step is to get the certificate request signed. You can get your keys signed by a certification authority such as VerySign or you can create your own CA. We used the OpenSSL tool to create our own CA. After installing OpenSSL properly we use the following command to sign the request: openssl x509 -req -in server.req -out server.crt -CA demoCA\cacert.crt -CAkey demoCA\private\cakey.crt -CAserial demoCA\serial This command will use the CA installed in the demoCA directory to sign our request, the cacert.crt contains the CA public key certificate and the cakey.crt contains the CA private key. The signed request is stored in the server.crt file. Import the signed certificate Before importing the signed public key certificate we should first import the CA public key certificate. keytool -import –file cacert.crt -keystore kstore.ks -alias ecca This command imports the CA public key certificate cacert.crt to the keystore using the alias ecca (electoral commission certification authority). Then we can import our signed certificate: keytool -import -file server.crt -keystore kstore.ks -alias server Since the CA certificate is already in the keystore, it is possible to verify the signature on it and construct a valid certificate chain. Note: use a different keystore file for each server.
|