Werner,
I have attempted to create my own CA (never tried this before, so not
sure I've done it right). Then tried using the scripts in the keys
directory as a guide to creating a x.509 v3 cert.
I'm still getting the following error from Axis:
-----------
Axis exception is AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}
Server.generalException
faultSubcode:
faultString: WSDoAllSender: Signature: error during message
procesingorg.apache.ws.security.WSSecurityException: General security
error (Unexpected number of X509Data: for Signature)
------------
Here are the steps I followed to produce the keystore (executed from
the keys directory):
------------
# 1. Generate the CA key pair, self-sign it, export the CA cert (PEM) and private key
$JAVA_HOME/bin/keytool -genkey -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
$JAVA_HOME/bin/keytool -selfcert -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
$JAVA_HOME/bin/keytool -export -alias CommitArch_CA -file cca_ca.crt -keystore wss4j.keystore -rfc
java ExportPriv > cca_ca.key
# 2. Make the JRE trust the CA, then start a fresh keystore for the service key
keytool -import -alias CommitArch_CA -file cca_ca.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
rm wss4j.keystore cert.*
# 3. Generate the service key pair and a CSR, sign the CSR with the CA via openssl, convert to DER
$JAVA_HOME/bin/keytool -genkey -alias wss4jcertdsa -keystore wss4j.keystore -dname "CN=CommitArchJ2EE,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
$JAVA_HOME/bin/keytool -keystore wss4j.keystore -alias wss4jcertdsa -certreq -file cert.req
openssl ca -config ca.config -policy policy_anything -days 365 -out cert.pem -infiles cert.req
openssl x509 -outform DER -in cert.pem -out cert.crt
# 4. Import the CA cert, then the signed service cert (as a reply to the key entry)
$JAVA_HOME/bin/keytool -import -alias CommitArch_CA -file ca.crt -keystore wss4j.keystore
$JAVA_HOME/bin/keytool -import -alias wss4jcertdsa -file cert.crt -keystore wss4j.keystore
------------
Does anybody out there have any clue what I'm doing wrong?
Regards,
Andrew Kinard
AK;-)
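An added diagnostic, not from this thread or from WSS4J, that loads a JKS keystore and reports what Java actually sees under the signing alias: whether it is a private-key entry, how many certificates are in its chain, each certificate's subject, issuer and X.509 version, and whether every link verifies against the next one. The file name and alias default to the ones used above; the store password default is an assumption and is normally passed as the third argument.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Usage: java KeystoreChainCheck [keystore] [alias] [storepass] */
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "wss4j.keystore";  // keystore built above
        String alias = args.length > 1 ? args[1] : "wss4jcertdsa";   // signing alias from the thread
        // Assumed default; the real keystore password should be supplied on the command line.
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' not found in " + file);
            return;
        }
        System.out.println(alias + ": keyEntry=" + ks.isKeyEntry(alias)
                + " trustedCertEntry=" + ks.isCertificateEntry(alias));

        // A signer needs a private key plus its certificate chain; a trusted-cert entry has no chain.
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) {
            System.out.println("no private-key certificate chain under this alias");
            return;
        }
        System.out.println("chain length: " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            System.out.println("[" + i + "] v" + cert.getVersion()
                    + " subject=" + cert.getSubjectX500Principal()
                    + " issuer=" + cert.getIssuerX500Principal());
            // Each certificate must be signed by the next one; the last (root) signs itself.
            X509Certificate signer = (X509Certificate) chain[i + 1 < chain.length ? i + 1 : i];
            try {
                cert.verify(signer.getPublicKey());
                System.out.println("    signature verifies against " + signer.getSubjectX500Principal());
            } catch (Exception e) {
                System.out.println("    signature does NOT verify: " + e);
            }
        }
    }
}
```

If the alias shows keyEntry=false or a chain length of 1 after the CA import, the signed reply was not attached to the key entry, which is the first thing to check when WSS4J cannot build the X509Data for the signature.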
On Aug 1, 2005, at 6:21 PM, Werner Dittmann wrote:
Andrew,
can you give some more details about error messages or alike?
WSDoAllReceiver implements some sort of certificate path validation.
I'm not very familiar with this, but AFAIK you may create a "CA"
certificate first, then create other certificates and sign it with
your own CA certificates. This shall work, because during interop
testing we usually work this way.
You may have a look at the "keys" directory. There are some, very
rudimentary, shell files that deal with this topic: set up own
"CA" using openSSH, create certs, sign them, import into keystore,
etc.
regards,
Werner
Andrew Kinard schrieb:
Hello all,
I'm having a bit of trouble getting WSS4J working with my self-signed
certificates. Does WSS4J only work with CA signed certs
or is there some trick I don't know about?
Regards,
Andrew Kinard
AK;-)