I have the same error with a certificate created formally by the UK e-Science
CA.
On Tue, 2 Aug 2005, Andrew Kinard wrote:
> Werner,
>
> I have attempted to create my own CA (never tried this before, so not
> sure I've done it right). Then tried using the scripts in the keys
> directory as a guide to creating a x.509 v3 cert.
>
> I'm still getting the following error from Axis:
> -----------
> Axis exception is AxisFault
> faultCode: {http://schemas.xmlsoap.org/soap/envelope/}
> Server.generalException
> faultSubcode:
> faultString: WSDoAllSender: Signature: error during message
> procesingorg.apache.ws.security.WSSecurityException: General security
> error (Unexpected number of X509Data: for Signature)
> ------------
>
>
> Here are the steps I followed to produce the keystore (executed from
> the keys directory):
> ------------
> $JAVA_HOME/bin/keytool -genkey -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -selfcert -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -export -alias CommitArch_CA -file cca_ca.crt -keystore wss4j.keystore -rfc
>
> java ExportPriv > cca_ca.key
>
> keytool -import -alias CommitArch_CA -file cca_ca.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
>
> rm wss4j.keystore cert.*
>
> $JAVA_HOME/bin/keytool -genkey -alias wss4jcertdsa -keystore wss4j.keystore -dname "CN=CommitArchJ2EE,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -keystore wss4j.keystore -alias wss4jcertdsa -certreq -file cert.req
>
> openssl ca -config ca.config -policy policy_anything -days 365 -out cert.pem -infiles cert.req
>
> openssl x509 -outform DER -in cert.pem -out cert.crt
>
> $JAVA_HOME/bin/keytool -import -alias CommitArch_CA -file ca.crt -keystore wss4j.keystore
>
> $JAVA_HOME/bin/keytool -import -alias wss4jcertdsa -file cert.crt -keystore wss4j.keystore
> ------------
>
> Does anybody out there have any clue what I'm doing wrong?
>
> Regards,
> Andrew Kinard
> AK;-)
>
>
> On Aug 1, 2005, at 6:21 PM, Werner Dittmann wrote:
>
> > Andrew,
> >
> > can you give some more details about error messages or alike?
> >
> > WSDoAllReceiver implements some sort of certificate path validation.
> > I'm not very familiar with this, but AFAIK you may create a "CA"
> > certificate first, then create other certificates and sign it with
> > your own CA certificates. This shall work, because during interop
> > testing we usually work this way.
> >
> > You may have a look at the "keys" directory. There are some, very
> > rudimentary, shell files that deal with this topic: set up own
> > "CA" using openSSH, create certs, sign them, import into keystore,
> > etc.
> >
> > regards,
> > Werner
> >
> > Andrew Kinard schrieb:
> >
> >> Hello all,
> >> I'm having a bit of trouble getting WSS4J working with my self-
> >> signed certificates. Does WSS4J only work with CA signed certs
> >> or is there some trick I don't know about?
> >> Regards,
> >> Andrew Kinard
> >> AK;-)
> >
>
Guy Rixon [EMAIL PROTECTED]
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523