You don't need to use keytool at all. You can set keystore type to pkcs12
in your crypto.properties and use openssl to manage your keystores.
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
-certfile cacert.pem -caname cacert -name "client" -out keystore.p12
We had to create a CA for internal testing; I have some notes here if
you're interested.
http://narawiki.umiacs.umd.edu/twiki/bin/view/Lab/CreateCertAuth
-Mike
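An added example, not code from Mike, Werner or Jérôme and not part of the WSS4J project: the openssl-only route Mike describes, carried through end to end. It creates a test CA, issues a client certificate as X.509 v3 with a Subject Key Identifier extension (the "(<3)" version problem Werner diagnoses further down the thread), packs key and chain into a PKCS#12 file under the aliases "client" and "cacert", and checks the result. The subjects, file names, aliases and the password "changeit" are constructed for this demo; it assumes a POSIX shell and an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a CA and an X.509 v3
# client certificate with a Subject Key Identifier using openssl only, then pack
# key + chain into a PKCS#12 keystore for a pkcs12-type crypto.properties.
# Subjects, file names, aliases and the password are constructed for the demo.
set -e

# Writes ca.pem, client-cert.pem, client-key.pem and keystore.p12 into $1.
build_keystore() {
    (
        cd "$1"
        # 1. Self-signed test CA (constructed subject).
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Demo Test CA" -keyout ca.key -out ca.pem 2>/dev/null
        # 2. Client key and certificate request.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=client" -keyout client-key.pem -out client.csr 2>/dev/null
        # 3. v3 extensions; subjectKeyIdentifier is what an SKI key identifier needs.
        cat > v3.ext <<'EOF'
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF
        # 4. Sign with the CA. Leaving out -extfile is what yields a version 1
        #    certificate on older OpenSSL releases, the "(<3)" error in the thread.
        openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 365 -extfile v3.ext -out client-cert.pem 2>/dev/null
        # 5. PKCS#12 bundle: key/cert under alias "client", CA under "cacert".
        #    Password "changeit" is a demo value.
        openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
            -certfile ca.pem -caname cacert -name client \
            -passout pass:changeit -out keystore.p12
    )
}

# Prints the X.509 version number of a PEM certificate ("3" for v3).
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: *\([0-9]\).*/\1/p'
}

# Exit status 0 if the certificate carries a Subject Key Identifier extension.
has_ski() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Key Identifier'
}

# Number of certificates stored in the PKCS#12 file (client cert + CA = 2).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d)
build_keystore "$WORK"
echo "client cert version: $(cert_version "$WORK/client-cert.pem")"
has_ski "$WORK/client-cert.pem" && echo "SKI present"
echo "certs in keystore: $(p12_cert_count "$WORK/keystore.p12")"
```

The extension file in step 3 is the piece Jérôme's "openssl x509 -req" step has no equivalent of; the checks at the end are the ones worth running before pointing crypto.properties at the resulting keystore.p12: the version printed by "openssl x509 -text" must read 3 and the SKI extension must be listed.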
On Tue, 30 Aug 2005, Jérôme PICARD wrote:
Hello,
Thank you for all your answers,
I tried to generate a certificate with openssl (I read some tutorials about it);
when I import the certificate into the keystore with keytool I catch a new
exception.
Can you give me some information about the use of openssl and keytool? Do
you have a good tutorial?
Here are my steps.
// Create authority.
openssl req -config openssl.cnf -new -newkey rsa:1024 -nodes -out ./ca.csr \
    -keyout ./ca.key
// Create authority's certificate.
openssl x509 -trustout -signkey ./ca.key -days 365 -req -in ./ca.csr \
    -out ./ca.pem
// Create authority's serial number.
echo "02" > ./ca.srl
// Create Java keystore.
keytool -genkey -alias serveur -keyalg RSA -keysize 1024 \
    -keystore serveur.jks -storetype JKS
// Create certificate request.
keytool -certreq -keyalg RSA -alias serveur -file serveur.csr \
    -keystore serveur.jks
// Sign the certificate with the authority.
openssl x509 -CA ../ca/ca.pem -CAkey ../ca/ca.key -CAserial ../ca/ca.srl -req \
    -in ./serveur.csr -out ./serveur.crt -days 365
// Import the certificate into the Java keystore.
keytool -import -alias serveur -keystore ./serveur.jks -trustcacerts \
    -file ./serveur.crt
Here I catch an Exception.
Thanks for your help.
Regards,
Jerome.
Werner Dittmann wrote:
Jerome,
keytool cannot generate certificates that adhere to X.509 V3.
Only this version can support SKI. As a solution pls change
the keyidentifier in the WSDD to either Direct or issuername
issuer serial (refer to javadoc of WSHandlerConstants). In both
cases this extension is not needed.
If you are going to work with .Net WSE pls have a look in the
archives of the mail list - this topic was discussed some days
(2 weeks or so) ago.
Regards,
Werner
Jérôme PICARD wrote:
Hello,
I want to use "UsernameToken Encrypt" to secure my web service.
When I use the "interop2.jks" keystore and the user "bob", all works. But
if I create my own keystore and a certificate, I catch an exception.
To create the certificate, I use "keytool".
// Create "ged" certificate in the "serveur" keystore.
keytool -genkey -alias ged -keyalg RSA -keypass password -storepass serveur \
    -keystore serveur.jks
// Export the public key to a file "gedcertificat.cer".
keytool -export -keystore serveur.jks -alias ged -storepass serveur \
    -file gedcertificat.cer
// Import the public key into the client keystore (client of the web service).
keytool -import -alias ged -file gedcertificat.cer -keystore client.jks \
    -storepass client
Do you have some idea about my problem?
Thanks,
This is the exception:
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: WSDoAllSender: Encryption: error during message processingorg.apache.ws.security.WSSecurityException: An unsupported token was provided (Problem with SKI information: Wrong certificate version (<3))
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:WSDoAllSender: Encryption: error during message processingorg.apache.ws.security.WSSecurityException: An unsupported token was provided (Problem with SKI information: Wrong certificate version (<3))
at org.apache.ws.axis.security.WSDoAllSender.performENCRAction(WSDoAllSender.java:455)
at org.apache.ws.axis.security.WSDoAllSender.invoke(WSDoAllSender.java:316)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:127)
at org.apache.axis.client.Call.invokeEngine(Call.java:2765)
at org.apache.axis.client.Call.invoke(Call.java:2748)
at org.apache.axis.client.Call.invoke(Call.java:2424)
at org.apache.axis.client.Call.invoke(Call.java:2347)
at org.apache.axis.client.Call.invoke(Call.java:1804)
at localhost.ServeurWebService.services.WSGed.WSGedSoapBindingStub.putDocument(WSGedSoapBindingStub.java:106)
at TestWebService.main(TestWebService.java:54)
--
Jérôme PICARD - Technical Consultant
Tel.: 01 34 65 54 85 - Fax: 01 34 65 79 40
Email: [EMAIL PROTECTED]
ASTON, architect of your information system
PARIS LYON TOULOUSE
http://www.aston.fr