RE: [AXIS 1.4 WSS4J] - Keystore interop

2007-03-02 Thread Alick Buckley
Hi,
 
I am not 100% sure on the question you are asking.
The private key and public key components are all the same.
 
An X.509 certificate is the public key component + additional information
like X.500 names ( Issuer, Subject, Key Usage etc.. ).
 
The X.509 certificate data is stored in an industry standard BER ( Basic
Encoding Rules ) format.
 
X.509 certificate files can normally be used anywhere because Windows and Java
can read this format as well as PEM.

The keystores are a way of password protecting your private keys and
certificates. ( JKS keystore certificates can be read without using the keystore
password )
 
Each private key in the keystore is password protected, normally the private
key password and the keystore password are the same.
 
The most common keystores are
 
BKS  - Bouncy Castle Keystore
JKS - Java Keystore
JCEKS - JCE (Java Cryptography Extension) keystore
PKCS12 - PKCS12 keystore
PKCS8 - private key
 
These keystores can store more than ( one private key + certificate chain )
and X.509 certificates in a single file.
 
The encrypted PKCS8 format is used for storing just the one private key. (
No certificate chain or certificates )
 
From the point of using the private key and certificates to sign or encrypt
a message it does not matter what keystore you are using.
 
The choice of keystore type depends on what your application can use.
 
Windows - PKCS12
Java - JKS
 
JCEKS offers Triple DES protection on the keystore contents.
Encoding Format 

All the data in a certificate is encoded using two related standards called
ASN.1/DER. Abstract Syntax Notation 1 describes data. The Definite Encoding
Rules describe a single way to store and transfer that data. 

In the X.500, X.509 and X.520 standards the structures are specified with
Abstract Syntax Notation 1 (ASN.1) and are encoded for transport using the
Basic Encoding Rules (BER) that encode ASN.1 as 8-bit binary data. 

In addition, when they represent data to be signed, as they do within
certificate management, the signature is calculated on the data encoded
using Distinguished Encoding Rules (DER: a subset of BER which has the
property that the same data always encodes to the same binary
representation). 

Information stored in a certificate is a sequence of ASN.1 Objects each
labeled with an object Identifier (OID). 

An object identifier is a string of numbers identifying a unique object, for
example, a certificate extension or a company's certificate practice
statement. 

OIDs are controlled by the International Standards Organization (ISO)
registration authority. 

In some cases, this authority is delegated by ISO to regional registration
authorities. 

The OID is a unique sequence of hierarchical numbers in a dot notation. 
PEM format is a BASE64 encoding of the binary format (DER) with begin and
end line markers. 
X509 certificate in PEM format: 

-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIISlmOxw+N3SgwDQYJKoZIhvcNAQEEBQAwQzELMAkGA1UE
-----END CERTIFICATE-----
Certificate request in PEM format: 

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBejCB5AIBADA7MQswCQYDVQQGEwJBdTEMMAoGA1UECBMDbnN3MQ4wDAYDVQQK
-----END NEW CERTIFICATE REQUEST-----

-----Original Message-----
From: José Ferreiro [mailto:[EMAIL PROTECTED]
Sent: Saturday, 3 March 2007 3:15 AM
To: axis-user@ws.apache.org; wss4j-dev@ws.apache.org
Subject: [AXIS 1.4 WSS4J] - Keystore interop


HELLO,

I have a key store from Java in the JKS format that was created with
KEYTOOL.

I programmed a .net client. 
As the .net client, more specifically Windows keystores do not support JKS I
successfully exported a key for my client to the format PFX (PKCS12), which
is a format recognized by the Windows Keystores. 

Then, I have the public key of the client in the java keystore (format JKS).
I have the public and private key in the windows keystore (format PFX
[PKCS12]).

This is my question:

Does the interoperability work like this for the x509 certificates? 
That is to say if a key is in JKS format in the server and the client has a
PFX key (generated from the one in the server).

Thank you for any hint or tip.

Regards,
José
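
The "Encoding Format" part of the reply says that PEM is base64 of DER between marker lines, that DER is a canonical tag-length-value encoding, and that fields are labelled by OIDs written in dot notation. The following is an added example, not code from the mail or from WSS4J, that decodes such a structure: the constructed input is the signature AlgorithmIdentifier (SEQUENCE of the md5WithRSAEncryption OID and NULL) that sits inside the certificate fragment quoted above, re-wrapped on its own in PEM markers; `pem_to_der`, `read_tlv`, `decode_oid` and `parse_algorithm_identifier` are hypothetical helper names.

```python
import base64
import hashlib

# Constructed input (not part of the original mail): the DER-encoded signature
# AlgorithmIdentifier found in the quoted certificate, SEQUENCE { OID, NULL },
# wrapped in PEM-style marker lines.
SAMPLE_PEM = """-----BEGIN ALGORITHM IDENTIFIER-----
MA0GCSqGSIb3DQEBBAUA
-----END ALGORITHM IDENTIFIER-----"""

def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END marker lines and base64-decode whatever remains."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(data: bytes, pos: int):
    """Decode one tag-length-value element at `pos`; return (tag, content,
    position after it). Long-form lengths are handled; the indefinite form
    (0x80) is legal in BER but forbidden in DER."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Render OID content bytes in dot notation. Each sub-identifier is base-128
    with the high bit set on all but its last byte; the first one packs two
    arcs as 40*X + Y, where X is 0, 1 or 2."""
    subids, n = [], 0
    for b in content:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(n)
            n = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def parse_algorithm_identifier(pem: str):
    """Return (dotted OID, SHA-256 of the DER bytes). DER is canonical, so the
    same object exported from a JKS and from a PKCS12 file hashes identically."""
    der = pem_to_der(pem)
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    tag, oid, _ = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER as first element")
    return decode_oid(oid), hashlib.sha256(der).hexdigest()
```

Feeding the same base64 body through a second PEM wrapper with a different label and line breaks gives the same DER and the same fingerprint, which is the practical check behind the reply's point that the container format does not change the certificate itself.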
[AXIS 1.4 WSS4J] - Keystore interop

2007-03-02 Thread José Ferreiro

HELLO,

I have a key store from Java in the JKS format that was created with
KEYTOOL.

I programmed a .net client.
As the .net client, more specifically Windows keystores do not support JKS I
successfully exported a key for my client to the format PFX (PKCS12), which
is a format recognized by the Windows Keystores.

Then, I have the public key of the client in the java keystore (format JKS).
I have the public and private key in the windows keystore (format PFX
[PKCS12]).

This is my question:

Does the interoperability work like this for the x509 certificates?
That is to say if a key is in JKS format in the server and the client has a
PFX key (generated from the one in the server).

Thank you for any hint or tip.

Regards,
José