Hi!

I've been using Java's keytool to create private PKIX ecosystems starting with the CA certificate, which is then used to sign server and client certificates. In order for this to work, to validate a server a client needs a trust file containing the CA certificate.

Currently I'm working on interconnectivity between a C++ application using GnuTLS and a Java application using standard Java SSL features. Mostly because of the latter, the easiest thing to do is use PKCS12 files. I generate the certificates in PEM format first.

I was curious about using certtool to do the same things as I use keytool for (creating the public key infrastructure). I'm stuck on the trust file. Using keytool, this goes:

    keytool -importcert -file CAcertificate.pem
        -keystore trust.p12 -storetype PKCS12
        -alias ca_cert -storepass:file pword.txt

This creates "trust.p12" which works as a trust with both applications. I can get to here using certtool -- create the PEM certs and keys, then the individual PKCS credential files. To then create the trust, what I think should be the near equivalent of the above:

    certtool --to-p12 --load[-ca]-certificate CAcertificate.pem --outder --outfile trust.p12

(The password is then entered manually.) The outcome seems the same whether I use '-ca' in the '--load-' parameter or not.

Examining the file with certtool:

    certtool --p12-info --infile=trust.p12 --inder

It looks pretty much the same as the keytool-created equivalent, one certificate in BAG #0. However, examining it with keytool, for the version created with certtool, I get:

    Keystore type: PKCS12
    Keystore provider: SUN
    Your keystore contains 0 entries

Trying to use the trust with the Java client then fails:

    Initialization failed: Unexpected error:
    java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Searching online, most people who get this error get it because the file doesn't exist (wrong path).

Is there a better way to create a PKCS12 trust with certtool?

Sincerely,
Mark Eriksen
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
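An added diagnostic, not part of the original message and not GnuTLS or JDK code: the JDK's PKCS12 KeyStore lists a stand-alone certificate bag as a trusted-certificate entry only when the bag carries the attribute with OID 2.16.840.1.113894.746875.1.1 (Oracle's trustedKeyUsage, normally with the value anyExtendedKeyUsage, 2.5.29.37.0). keytool -importcert writes that attribute; a generic PKCS#12 writer need not, and a certificate bag without it is skipped by the Java loader, which is one way to get "0 entries" from keytool while certtool --p12-info still shows the certificate in BAG #0. The script below walks the outer DER structure of a .p12 file with no cryptography at all and reports, for every bag in an unencrypted SafeContents, its type, its friendlyName and whether that attribute is present; password-protected (encryptedData) SafeContents are reported but not opened, and a trailing MAC is ignored. The embedded sample file, the "ca_cert"/"ca_plain" names and the placeholder certificate bytes are constructed for this example; run it with a path argument to inspect a real file.

```python
"""Inspect the bag layout of a PKCS#12 (.p12) file without any cryptography:
for each SafeBag in an unencrypted SafeContents, report the bag type, the
friendlyName and whether the Oracle trustedKeyUsage attribute is present."""
import sys

OID_DATA, OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
OID_CERT_BAG, OID_X509_CERT = "1.2.840.113549.1.12.10.1.3", "1.2.840.113549.1.9.22.1"
OID_FRIENDLY_NAME = "1.2.840.113549.1.9.20"
OID_JAVA_TRUSTED_KEY_USAGE = "2.16.840.1.113894.746875.1.1"  # attribute keytool adds
OID_ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"                  # its usual value

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))  # base-128, most significant group first
    return der(0x06, bytes(body))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items

def content_info(body):
    """ContentInfo -> (contentType OID, the single value wrapped in its [0])."""
    parts = read_children(body)
    return decode_oid(parts[0][1]), read_children(parts[1][1])[0][1]

def describe_bag(bag_body):
    parts = read_children(bag_body)  # bagId, [0] bagValue, optional SET of attributes
    bag_id = decode_oid(parts[0][1])
    info = {"bag": "certBag" if bag_id == OID_CERT_BAG else bag_id,
            "friendly_name": None, "java_trusted": False}
    for _, attr in (read_children(parts[2][1]) if len(parts) > 2 else []):
        (_, attr_oid), (_, values) = read_children(attr)  # attrId, SET OF values
        if decode_oid(attr_oid) == OID_FRIENDLY_NAME:      # BMPString, UTF-16BE
            info["friendly_name"] = read_children(values)[0][1].decode("utf-16-be")
        elif decode_oid(attr_oid) == OID_JAVA_TRUSTED_KEY_USAGE:
            info["java_trusted"] = True
    return info

def inspect_pfx(pfx_der):
    """List every bag reachable without the password, in file order."""
    _, pfx, _ = read_tlv(pfx_der)  # PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }
    _, auth_safe = content_info(read_children(pfx)[1][1])
    results = []
    for _, ci in read_children(read_tlv(auth_safe)[1]):  # SEQUENCE OF ContentInfo
        ctype, payload = content_info(ci)
        if ctype == OID_ENCRYPTED_DATA:  # needs the store password; not opened here
            results.append({"bag": "encryptedData", "friendly_name": None, "java_trusted": None})
            continue
        results.extend(describe_bag(b) for _, b in read_children(read_tlv(payload)[1]))
    return results

def build_cert_bag(cert_der, name, java_trusted):
    """Constructed sample CertBag, optionally carrying the Java attribute."""
    cert_bag = der(0x30, oid(OID_X509_CERT) + der(0xA0, der(0x04, cert_der)))
    attrs = der(0x30, oid(OID_FRIENDLY_NAME) + der(0x31, der(0x1E, name.encode("utf-16-be"))))
    if java_trusted:
        attrs += der(0x30, oid(OID_JAVA_TRUSTED_KEY_USAGE) + der(0x31, oid(OID_ANY_EXTENDED_KEY_USAGE)))
    return der(0x30, oid(OID_CERT_BAG) + der(0xA0, cert_bag) + der(0x31, attrs))

def build_pfx(bags):
    """Constructed sample PFX: one plain-data SafeContents, no MAC."""
    data = lambda body: der(0x30, oid(OID_DATA) + der(0xA0, der(0x04, body)))
    return der(0x30, der(0x02, b"\x03") + data(der(0x30, data(der(0x30, b"".join(bags))))))

# Constructed sample: FAKE_CERT is a placeholder blob, not a real X.509 certificate.
FAKE_CERT = der(0x30, der(0x02, b"\x01"))
SAMPLE_PFX = build_pfx([build_cert_bag(FAKE_CERT, "ca_cert", True),
                        build_cert_bag(FAKE_CERT, "ca_plain", False)])

if __name__ == "__main__":  # usage: python p12_bags.py [trust.p12]
    for bag in inspect_pfx(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PFX):
        print(bag)
```

On the sample the first bag reports java_trusted True and the second False; a file whose only certificate bag comes back False (or whose SafeContents all show as encryptedData, in which case the attribute must be checked after decryption) is one the Java loader will not turn into a trust anchor.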