Hi!

I've been using Java's keytool to create private PKIX ecosystems, starting with the CA certificate, which is then used to sign server and client certificates. In order for this to work, to validate a server a client needs a trust file containing the CA certificate.

Currently I'm working on interconnectivity between a C++ application using GnuTLS and a Java application using standard Java SSL features. Mostly because of the latter, the easiest thing to do is use PKCS12 files. I generate the certificates in PEM format first.

I was curious about using certtool to do the same things I use keytool for (creating the public key infrastructure). I'm stuck on the trust file. Using keytool, this goes:

 keytool -importcert -file CAcertificate.pem \
         -keystore trust.p12 -storetype PKCS12 \
         -alias ca_cert -storepass:file pword.txt

This creates "trust.p12", which works as a trust file with both applications. I can get to here using certtool -- create the PEM certs and keys, then the individual PKCS credential files. To then create the trust file, what I think should be the near equivalent of the above is:

 certtool --to-p12 --load[-ca]-certificate CAcertificate.pem \
          --outder --outfile trust.p12

(The password is then entered manually.) The outcome seems the same whether I use '-ca' in the '--load-' parameter or not.

Examining the file with certtool:

 certtool --p12-info --infile=trust.p12 --inder

It looks pretty much the same as the keytool-created equivalent: one certificate in BAG #0. However, examining the version created with certtool using keytool, I get:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries

Trying to use the trust file with the Java client then fails:

Initialization failed: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Searching online, most people who get this error get it because the file doesn't exist (wrong path).

Is there a better way to create a PKCS12 trust file with certtool?

Sincerely,
Mark Eriksen


_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help

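The symptom described in the message above (certtool's --p12-info shows one certificate in BAG #0, while keytool reports 0 entries and the Java client fails with "the trustAnchors parameter must be non-empty") is what Java produces when a certificate bag lacks the bag attribute its PKCS12 KeyStore uses to mark trusted certificate entries: Oracle's trusted-key-usage attribute, OID 2.16.840.1.113894.746875.1.1, normally valued anyExtendedKeyUsage (2.5.29.37.0). keytool -importcert writes that attribute; a certBag stored without it is not loaded as a trust anchor, so the Java side sees an empty store. The script below is an added example, not code from the post, from GnuTLS or from the JDK: a dependency-free DER walker that lists, per certificate bag in a .p12 file, which bag attributes it carries, so a certtool-made trust.p12 can be compared with a keytool-made one. It assumes the SafeContents are stored unencrypted (pkcs7-data, the layout the constructed build_pfx() demo uses); encrypted SafeContents are counted but not opened, and the demo's "certificate" is a placeholder DER SEQUENCE, not a real X.509 certificate.

```python
"""Pure-Python check of the certificate bags in a PKCS#12 (.p12) file.

Java's PKCS12 KeyStore loads a stand-alone certificate as a trusted entry only
if its SafeBag carries Oracle's "trusted key usage" attribute; a bare certBag is
ignored, which is why keytool reports "0 entries". Only unencrypted (pkcs7-data)
SafeContents are inspected here; encrypted ones are counted, not opened.
"""
CERT_BAG = "1.2.840.113549.1.12.10.1.3"
X509_CERT = "1.2.840.113549.1.9.22.1"
PKCS7_DATA = "1.2.840.113549.1.7.1"
PKCS7_ENCRYPTED = "1.2.840.113549.1.7.6"
JAVA_TRUSTED_KEY_USAGE = "2.16.840.1.113894.746875.1.1"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def der(tag, body):
    """One DER TLV with definite length (short or long form)."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return der(0x06, bytes(out))


def decode_oid(body):
    """DER OBJECT IDENTIFIER body -> dotted string."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def tlvs(data):
    """Split DER into (tag, body) pairs; [] if the bytes are not well-formed DER."""
    i, out = 0, []
    while i + 1 < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            if not 0 < k <= 4 or i + k > len(data):
                return []
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data):
            return []
        out.append((tag, data[i:i + n]))
        i += n
    return out if i == len(data) else []


def inspect_pfx(data):
    """Describe every certBag reachable through unencrypted SafeContents of a PFX."""
    report = {"cert_bags": [], "encrypted_safes": 0}

    def first_oid(kids):  # OID opening a SEQUENCE (SafeBag, ContentInfo, Attribute)
        return decode_oid(kids[0][1]) if kids and kids[0][0] == 0x06 else None

    def walk(blob):
        for tag, body in tlvs(blob):
            if tag == 0x30:
                kids = tlvs(body)
                oid = first_oid(kids)
                if oid == CERT_BAG:
                    attrs = []
                    if len(kids) > 2 and kids[2][0] == 0x31:  # bagAttributes SET OF Attribute
                        attrs = [first_oid(tlvs(a)) for t, a in tlvs(kids[2][1]) if t == 0x30]
                    report["cert_bags"].append(
                        {"attributes": attrs, "java_trusted": JAVA_TRUSTED_KEY_USAGE in attrs})
                    continue  # the certificate body itself is not relevant here
                if oid == PKCS7_ENCRYPTED:  # opaque without the password: count and skip
                    report["encrypted_safes"] += 1
                    continue
            if tag & 0x20 or tag == 0x04:  # constructed, or OCTET STRING wrapping more DER
                walk(body)

    walk(data)
    return report


def build_pfx(cert_der, java_trusted):
    """Constructed demo PFX (version 3, one unencrypted certBag, no MacData)."""
    def data_ci(inner):  # ContentInfo { pkcs7-data, [0] OCTET STRING inner }
        return der(0x30, encode_oid(PKCS7_DATA) + der(0xA0, der(0x04, inner)))
    cert_bag = der(0x30, encode_oid(X509_CERT) + der(0xA0, der(0x04, cert_der)))
    bag = encode_oid(CERT_BAG) + der(0xA0, cert_bag)
    if java_trusted:  # bagAttributes := { trustedKeyUsage: { anyExtendedKeyUsage } }
        bag += der(0x31, der(0x30, encode_oid(JAVA_TRUSTED_KEY_USAGE)
                             + der(0x31, encode_oid(ANY_EXTENDED_KEY_USAGE))))
    auth_safe = der(0x30, data_ci(der(0x30, der(0x30, bag))))
    return der(0x30, der(0x02, b"\x03") + data_ci(auth_safe))
```

Saved as p12check.py, a real file is inspected with: python3 -c 'import sys, p12check; print(p12check.inspect_pfx(open(sys.argv[1], "rb").read()))' trust.p12 . A bag whose attributes list lacks 2.16.840.1.113894.746875.1.1 will not appear in keytool's listing. If the report shows only encrypted_safes, the bags sit inside encrypted SafeContents (keytool does this by default, governed by keystore.pkcs12.certProtectionAlgorithm in java.security) and the attribute cannot be read without decrypting with the store password, which this checker deliberately does not attempt.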