Hi Herwig,

I believe I already have a certificate with the SKI extension, because my cert is digitally signed by a CA and I can see the SKI extension in the X509ExtensionCollection for this certificate...

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, October 12, 2010 12:13 PM
To: [email protected]
Subject: Antwort: RE: Antwort: RE: WCF interoperatibility AXIS: signature or decryption was invalid

Hi Tom,

I don't know how you create the certificate. I have generated the WCF certificate by coding. It's an X509 certificate, version 3.

"
    using System.Collections;
    using Org.BouncyCastle.Asn1.X509;
    using Org.BouncyCastle.X509;
    using Org.BouncyCastle.X509.Extension;

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // self-signed
    certGen.SetIssuerDN(dnName);
    certGen.SetPublicKey(keyPair.Public);
    certGen.SetSignatureAlgorithm("SHA1withRSA");

    // add extensions
    // key identifiers, both derived from the certificate's own public key
    certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, true,
        new AuthorityKeyIdentifierStructure(keyPair.Public));
    certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, true,
        new SubjectKeyIdentifierStructure(keyPair.Public));
    // end-entity certificate, not a CA
    certGen.AddExtension(X509Extensions.BasicConstraints, true,
        new BasicConstraints(false));
    certGen.AddExtension(X509Extensions.KeyUsage, true,
        new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment
            | KeyUsage.DataEncipherment | KeyUsage.NonRepudiation));
    // extended key usages
    ArrayList extKeyUsages = new ArrayList();
    extKeyUsages.Add(KeyPurposeID.IdKPClientAuth);
    extKeyUsages.Add(KeyPurposeID.IdKPTimeStamping);
    certGen.AddExtension(X509Extensions.ExtendedKeyUsage, true,
        new ExtendedKeyUsage(extKeyUsages));
"

The certificate in the keystore.jks looks like this, here in German :-)

"
Aliasname: testapojava1
Erstellungsdatum: 08.07.2010
Eintragstyp: trustedCertEntry

Eigner: [email protected], CN=TestApoJava1, OU=OrgUnit, O=company, L=Merzig, C=DE
Aussteller (Issuer): [email protected], CN=TestApoJava1, OU=OrgUnit, O=company, L=Merzig, C=DE
Seriennummer: fb1302e937b79a09
Gültig von: Thu Jul 08 08:47:06 CEST 2010 bis: Sun Jul 05 08:47:06 CEST 2020
Digitaler Fingerabdruck (thumbprint) des Zertifikats:
    MD5:  49:EE:56:34:1D:3E:53:FA:EC:0E:83:AD:DE:65:07:B8
    SHA1: 5A:74:83:5C:94:1C:2C:71:90:14:00:3A:FD:6C:91:25:95:B1:97:45
    Unterschrift-Algorithmusname: SHA1withRSA
    Version: 3

Erweiterungen (Extensions):

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 76 C3 16 C3 79 4C DF 63   44 97 97 03 70 9E EE AE  v...yL.cD...p...
0010: 03 C6 DD E1                                        ....
]
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  timeStamping
  1.3.6.1.4.1.311.10.3.3
  2.16.840.1.113730.4.1
]

#4: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
"

See also:
https://community.emc.com/docs/DOC-8153
http://www.netframeworkdev.com/windows-communication-foundation/wcf-client-cant-handle-response-from-axis2-service-68206.shtml

Regards,
Herwig

From: "Tomasz Sienkiewicz" <[email protected]>
To: <[email protected]>
Date: 12.10.2010 11:28
Subject: RE: Antwort: RE: WCF interoperatibility AXIS: signature or decryption was invalid

Hi,

Could you please provide more details? You did change to KeyInfo element, right?

Regards
Tom

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, October 12, 2010 7:48 AM
To: [email protected]
Subject: Antwort: RE: WCF interoperatibility AXIS: signature or decryption was invalid

I had the same problem with WCF clients. Finally I've solved the issue by adding the extension "Subject Key Identifier" to the server key and client key.

Regards,
Herwig David
IT Development
kohlpharma GmbH
Im Holzhau 8, 66663 Merzig
Tel.: 06867/920-3526
eMail: [email protected]

From: "Tomasz Sienkiewicz" <[email protected]>
To: <[email protected]>
Date: 11.10.2010 16:56
Subject: RE: WCF interoperatibility AXIS: signature or decryption was invalid

Unfortunately no, I'm not the owner of the Web service. I tried to force the owner to use 1.5, but without success (they cannot change the Rampart version).

Regards
Tom

kohlpharma GmbH
Managing directors: Prof. Edwin Kohl, Dr. Dadja Altenburg-Kohl, Dipl.-Kfm. Jörg Geller
Im Holzhau 8, 66663 Merzig
Local court Saarbruecken, HRB 63210
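
The check discussed in this thread (whether a certificate actually carries the Subject Key Identifier extension, ObjectId 2.5.29.14, in its X509ExtensionCollection) can be scripted on the .NET side. The following is an added example, not code from any poster in the thread; the class and method names are hypothetical and the two throwaway self-signed certificates are constructed in memory for the demonstration (requires .NET Core 2.0+ or .NET Framework 4.7.2+).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SkiCheck
{
    const string SkiOid = "2.5.29.14"; // SubjectKeyIdentifier, as in the keytool listing

    // Hex SKI value carried by the certificate, or null when the extension is absent.
    static string GetSki(X509Certificate2 cert)
    {
        X509Extension ext = cert.Extensions[SkiOid];
        if (ext == null) return null;
        var ski = ext as X509SubjectKeyIdentifierExtension
                  ?? new X509SubjectKeyIdentifierExtension(ext, ext.Critical);
        return ski.SubjectKeyIdentifier;
    }

    // SKI derived from the public key (SHA-1 of the key bits, the .NET default method).
    static string ComputeSki(X509Certificate2 cert) =>
        new X509SubjectKeyIdentifierExtension(cert.PublicKey, false).SubjectKeyIdentifier;

    // Constructed test input: a short-lived self-signed certificate, with or without SKI.
    static X509Certificate2 MakeCert(bool withSki)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=ConstructedTestCert", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (withSki)
                req.CertificateExtensions.Add(
                    new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
            return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        foreach (bool withSki in new[] { false, true })
            using (X509Certificate2 cert = MakeCert(withSki))
            {
                string ski = GetSki(cert);
                if (ski == null)
                    Console.WriteLine("SKI extension missing");
                else if (ski == ComputeSki(cert))
                    Console.WriteLine("SKI present, matches SHA-1 of public key: " + ski);
                else
                    Console.WriteLine("SKI present, issuer used another derivation: " + ski);
            }
    }
}
```

To inspect a real certificate instead, pass an `X509Certificate2` loaded from a file or the certificate store to `GetSki`.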
