Hello Ambarish,

Thank you for the 2 links.
The first one I knew already, but the second brought some light into it:

My openssl command as below
    openssl pkcs12 -export -out my.pfx -in cert.pem -inkey key.pem -certfile cacert.pem
failed, because I packed the cacert.pem within the .p12.

Running the command
    openssl pkcs12 -export -out my.pfx -in cert.pem -inkey key.pem
without the -certfile option results in suitable pkcs12 keystores!


Thanks for the 2 links!

Maybe Paulo could add a section:

"How to create pkcs12 keystores with openssl"
And put the one-liner "openssl pkcs12 -export -out my.pfx -in cert.pem -inkey key.pem" below...

So thank you again for your help!

Regards,

Felix Joussein
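
Added example (not part of the original thread): a shell check of which certificates end up inside a PKCS#12 file when it is exported with and without -certfile. The keys, certificates, subject names and the helper function names are constructed for the demo; the file names and the sample password mirror the ones quoted in the thread.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and certificates in a temp directory.
set -eu
PASS=12345   # sample export password only, never reuse for real keystores

# Create an unencrypted RSA key ($2) and a self-signed certificate ($3) for CN=$1.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Export cert.pem + key.pem to the PKCS#12 file $1.
# Any further arguments are passed through (e.g. -certfile cacert.pem).
make_pfx() {
    out=$1; shift
    openssl pkcs12 -export -out "$out" -in cert.pem -inkey key.pem \
        -passout "pass:$PASS" "$@"
}

# Print the number of certificates stored in the PKCS#12 file $1.
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Print the subject line of every certificate in the PKCS#12 file $1.
list_subjects() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep 'subject='
}

demo() {
    DEMO_DIR=$(mktemp -d)
    trap 'rm -rf "$DEMO_DIR"' EXIT
    cd "$DEMO_DIR"
    make_cert leaf    key.pem   cert.pem      # end-entity key and certificate
    make_cert demo-ca cakey.pem cacert.pem    # stands in for the CA certificate
    make_pfx my.pfx                           # the one-liner from the thread
    make_pfx with-ca.pfx -certfile cacert.pem # the variant that packs cacert.pem
    for f in my.pfx with-ca.pfx; do
        echo "$f: $(count_certs "$f") certificate(s)"
        list_subjects "$f"
    done
}
demo
```

Running the same two inspection commands against a real .pfx shows whether a CA certificate was bundled before the file is handed to the Java keystore loader.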


Ambarish Mitra wrote:
Hi Felix,

Have you tried these:

http://mark.foster.cc/kb/openssl-keytool.html

http://forum.java.sun.com/thread.jspa?forumID=2&tstart=15&threadID=161578&trange=15

These pages describe the ways to convert certs/keys from openssl format to
Java keystore format (and vice versa).

I hope these are helpful. Please let us know.

Best regards,
Ambarish.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Felix Joussein
Sent: Wednesday, October 04, 2006 11:33 AM
To: openssl-users@openssl.org
Subject: Re: using pfx / pkcs12 as keystore - correction


I have to correct my last post:


Thanks for your answer.
Unfortunately it did not work out as expected.
I have the choice of using either blackdown-jdk-1.4.2 or sun-jdk-1.5.

Any of those versions REFUSES TO accept my .p12 key.

Maybe you could be so kind and write me a brief step-by-step of the
required openssl commands, which bring success on your machine.
That would be very kind of you!

Many thanks in advance!

Regards,

Felix Joussein

Ambarish Mitra wrote:

"Unknown key spec: Invalid RSA modulus size" from JVM is due to outdated
JVM version. JVM should be 1.4 or upwards.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Felix Joussein
Sent: Wednesday, October 04, 2006 2:56 AM
To: openssl-users@openssl.org
Subject: using pfx / pkcs12 as keystore


Hello List,

Note: The following message has also been posted in java - itext library
mailing list!


I'm struggling now for almost one day with using an openssl generated
.p12 file as my java keystore.
I tried a lot of things with openssl and no doubt - I learned a lot, but
at the end I found out the following:

By the way - I'm using TinyCA as openssl frontend - maybe this is the
problem but I don't think so...
Anyway:
I create a certificate + private key, then export it to a .p12 file - I
do this on the openssl shell.
Then I run:

/usr/local/bin/pdfsigner.sh -c=/tmp/my.pfx -p=12345 -i=/var/spool/pdfprint/smbprn.00000199.eGZuqx.pdf -o=/var/spool/pdfprint/Unbenannt1.pdf -v=0
Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1679)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:173)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(DashoA12275)
        at java.security.KeyStore.load(KeyStore.java:652)
        at pdfsigner.sign(pdfsigner.java:109)
        at pdfsigner.main(pdfsigner.java:72)
Caused by: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
        at sun.security.x509.X509Key.parse(X509Key.java:155)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:58)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:706)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:153)
        ... 9 more



After importing my .p12 file into Windows XP's certificates, and
exporting it again to a pfx, my java program, which just has thrown a
few exceptions and of course did not work, now it does.

Here is an excerpt of the relevant code:

    KeyStore ks = KeyStore.getInstance("pkcs12");
    try {
        ks.load(new FileInputStream(pfxNameVal), pfxPassVal.toCharArray());
    }
    catch (Exception ex) {
        System.out.println("Error while reading the certificate - possible cause: Invalid password\nBelow is the detailed error message:");
        throw ex;
    }

    String alias = (String)ks.aliases().nextElement();
    PrivateKey key = (PrivateKey)ks.getKey(alias, pfxPassVal.toCharArray());
    java.security.cert.Certificate[] chain = ks.getCertificateChain(alias);
    PdfReader reader = new PdfReader(inPDFVal);
    FileOutputStream fout = new FileOutputStream(outPDFVal);


Is there a way to skip the windows part in the process of creating
Java-suitable pfx's ?
Thank you all for your help in advance,


Felix Joussein






--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is
the property of Persistent Systems Pvt. Ltd. It is intended only for the use
of the individual or entity to which it is addressed. If you are not the
intended recipient, you are not authorized to read, retain, copy, print,
distribute or use this message. If you have received this communication in
error, please notify the sender and delete all copies of this message.
Persistent Systems Pvt. Ltd. does not accept any liability for virus
infected mails.
  