Sure, assuming you mean from the command line then download the excellent openssl utility from www.openssl.org.
Then execute: "openssl x509 -in MyCertfile.pem -inform PEM -text" This will give a nice printout of the cert details, including a listing of the x.509v3 extensions rpesent. The above command line assume the cert is in PEM format (base 64 encoded), DER format is also supported (The Java language specific jks file format is not supported by openssl). (Aside: If you wanted to query certs programmatically then you could use the JDKs x.509 interface which gives you access to the extensions, and also to the version number of the certificate) The Email address data you refer to below appears to be just part of the distinguished name of both the Issuer and Subject. This by itself is not evidence of an x.509v43 extension being present. There is at least one defined X.509v3 extension that can be used for e-mail addresses (e.g. the emailAddress extension), but from the extract you have posted its not clear if this is specified in your cert. I suspect its unlikely base don what you have said so far. Anyway openssl will make this clear. If you are on Windows you could just download the pre built binaries executable from http://www.openssl.org/related/binaries.html I normally just build openssl myself, and haven't used that specific link personally - but it is listed on the main openssl.org webpage so hopefully should work. I could probably mail you a statically built version for one of the most popular Unix platforms if that's any use to you, and save you the hassle of building it.. >Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, >C=mycountry, [EMAIL PROTECTED] > >I guess, EMAILADDRESS, etc comes as v3 certificate extensions. > >Is there any way through which I can verify whether my certificate is v3 >certificate having no extension or v1 certificate? Cheers, Donal -----Original Message----- From: Mayank Mishra [mailto:[EMAIL PROTECTED] Sent: 26 February 2008 14:10 To: cxf-user@incubator.apache.org Subject: Re: Usage of X509 certificates in WSS4J Arundel, Donal wrote: > Unless x.509v3 Certificates are present in your created certificate > there > is no requirement that the certificate version number is 3. > > If either the X.509 issuerUniqueID or subjectUniqueID fields are present > the certificate must be at least version 2. > However there is nothing actually stopping somebody creating a > certificate with no x.509v3 extensions, and also no issuerUniqueID or > subjectUniqueID, ..and having a version of 3. A version of 1 would > strictly be more correct though. > Yes, I agree with you. > I don't know offhand if Keytool gives you explicit control over the version number or whether it just calculates the version from the > logical certificate request data when creating the certificate. > I generated public key certificates and private keys from keytool only. According to [1], It generates v1 certificates and can import/export v1, v2, and v3 certificates.. But I am suspecting it because when while printing out the certificate, I get following along with SerialNumber, Certificate fingerprints. Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, C=mycountry, [EMAIL PROTECTED] Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, C=mycountry, [EMAIL PROTECTED] I guess, EMAILADDRESS, etc comes as v3 certificate extensions. Is there any way through which I can verify whether my certificate is v3 certificate having no extension or v1 certificate? > Generally all CA certificates must have extensions indicating that they > are CAs, so they should have a version number of 3. > Application certs on the other hand may vary depending on their content > and anticipated usage. > > Cheers, > Donal > With Regards, Mayank [1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html > > > -----Original Message----- > From: Mayank Mishra [mailto:[EMAIL PROTECTED] > Sent: 26 February 2008 10:44 > To: cxf-user@incubator.apache.org > Subject: Usage of X509 certificates in WSS4J > > G'day all, > > I am using WSS4J 1.5.1. I created X509 public keys and certificates from > > Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates. > > Please let me know if it creates v3 certificates, which in my opinion > doesn't do. > Looking at the on the wire message sent from client to server or > otherwise, I observe Token Reference, the value of the "Valuetype" > attribute in the "KeyIdentifier" element is > > "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-prof > ile-1.0#X509v3" > > AFAIK, In X.509 Certificate Token Profile 1.1, X509v1 certificates were > included in the spec, in X509 Certificate Token Profile 1.0, only X509v3 > > certificates were there to be used. > > Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please > clarify me if I am wrong. > > Since, X509v3 certs have some more extension elements over X509v1. It > should give some error, when passing X509v1 for cryptos creation. Or, it > > silently use X509v1, but then the valuetype should be "#x509v1" instead > of "#x509v3". > > There is a bit of confusion. Kindly clarify. > > With Regards, > Mayank > > ---------------------------- > IONA Technologies PLC (registered in Ireland) > Registered Number: 171387 > Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland > > ---------------------------- IONA Technologies PLC (registered in Ireland) Registered Number: 171387 Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
