> From: [email protected] On Behalf Of Tien Nguyen Thanh
> Sent: Monday, 24 January, 2011 04:19
> To: [email protected]
> Subject: using open SSL
Note: that's a poor subject line. All posts on this mail-list
are or should be about using OpenSSL. Be more specific.
> I have a problem with the certificate
> how can I make the keystore.jks look like the default keystore of the
> glassfish jks ?
> I use the keytool but it does not have the extension section
I know little about Glassfish and don't have time to look,
but if it is using standard Java (JCE,JSSE) functionality:
Yes, Java keytool -genkeypair creates a selfsigned certificate
with no extensions.

The first 3 certs you showed are not selfsigned (issuer
CN=SUNCA, OU=JWS, O=SUN, ST=Some-State, C=AU
!= subjects and AKID all same) hence were created some other way.
The fourth is (apparently) selfsigned, but has SKID (no AKID),
and also much more recent.

OpenSSL can create certs with extensions (or not), several ways.
If you want something other than OpenSSL, this is the wrong place.

You can generate a key and CSR (certreq) in Java keytool,
then use OpenSSL to issue a cert which you can then import
back to JKS, using ca or x509 -req (given a CA key/cert).

Alternatively you can generate a key in OpenSSL, then
create a selfsigned cert from the key with req -new -x509,
or create a CSR with req -new and then issue a cert as above,
then put key+cert in a pkcs12 which Java keytool can import.

OpenSSL does support SKID-hash, AKID-hash, and BasicConstraints
extensions; see the distro openssl.cnf.

2.16.840.1.113730.1.13 is apparently nsComment (netscape_comment)
which appears to take an IA5=ASCII value, but I see none
in your display. (I haven't used it myself.)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
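
The second route described in the reply above (key generated in OpenSSL, selfsigned cert from req -new -x509 with extensions, PKCS#12, keytool import), as an added example that is not part of the original post. The file names, subject DN, alias "myalias", password and nsComment text are constructed placeholders.

```shell
#!/bin/sh
# Added example: OpenSSL key -> selfsigned cert with extensions -> PKCS#12 -> JKS.
# File names, subject DN, alias and password are constructed placeholders.

# Minimal req config carrying the extensions named in the reply.
# SKID is listed before AKID so the key identifier can be reused.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_self
prompt             = no
[ dn ]
CN = example.invalid
O  = Example Org
[ v3_self ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = CA:FALSE
nsComment              = "constructed example certificate"
EOF
}

# $1 = working directory, $2 = PKCS#12 password
make_selfsigned_p12() {
    write_cnf "$1/selfsigned.cnf" &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -config "$1/selfsigned.cnf" \
        -days 365 -out "$1/cert.pem" &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name myalias -passout "pass:$2" -out "$1/keystore.p12"
}

# True if the text dump of cert $1 contains the extension heading $2.
cert_has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# True if issuer and subject of cert $1 are the same DN.
is_selfsigned() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=[ ]*//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=[ ]*//')
    [ "$s" = "$i" ]
}

# Needs a JDK on PATH; converts the PKCS#12 into a JKS keystore.
import_to_jks() {
    keytool -importkeystore -srckeystore "$1/keystore.p12" \
        -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$1/keystore.jks" -deststoretype JKS -deststorepass "$2"
}
```

Run `make_selfsigned_p12 DIR PASSWORD` and then `import_to_jks DIR PASSWORD`; `keytool -list -v -keystore DIR/keystore.jks` should then show the extensions section on the imported entry.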