Vishnu, I don't have a private key, that was my point. I'm trying to build a cert chain in a trust store from a root ca, an intermediary, and an issuing ca.

Stephen W. Chappell

-----Original Message-----
From: Vishnu Radhakrishnan [mailto:vis...@10point1.com]
Sent: Tuesday, April 07, 2015 1:46 PM
To: users@cxf.apache.org; cohei...@apache.org
Subject: Re: Using a custom CertPathChecker

As far as I know you can't do private keys with PKCS7 format. Try the PKCS12 format.

Vishnu

On 2015-04-07, 13:35, "stephen.ctr.chapp...@faa.gov" <stephen.ctr.chapp...@faa.gov> wrote:

> So here is where I am at ...
>
> * If I cat the certificate pem files together, only one cert ever gets imported no matter the order of cat'ing. Removing the ----- BEGIN and ---- END tags doesn't help at all
> * If I use openssl crl2pkcs7 to create a pkcs7 file containing all the certs, keytool won't import it (java.lang.Exception: Input not an X.509 certificate)
> * pkcs12 is not an option because there are no private keys - this is a trust store only
>
> I'm about out of ideas for this, and from what I can see JKS files only really want to have certificate chains when there is a private key involved. I subclassed Merlin to build a trust chain, as I described in the original email, so I guess I will stick with that solution.
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Chappell, Stephen CTR (FAA)
> Sent: Tuesday, April 07, 2015 12:22 PM
> To: users@cxf.apache.org; cohei...@apache.org
> Subject: RE: Using a custom CertPathChecker
>
> I thought I needed PKCS7, not PKCS12?
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Vishnu Radhakrishnan [mailto:vis...@10point1.com]
> Sent: Tuesday, April 07, 2015 11:01 AM
> To: users@cxf.apache.org; cohei...@apache.org
> Subject: Re: Using a custom CertPathChecker
>
> keytool -list -storetype PKCS12 -keystore filename.pkcs12 -v
>
> See how many certificates are listed before you import the keystore into JKS format. Also check the alias on the certs: if they are the same they won't be imported; by default mykey is assigned as alias.
>
> Vishnu
>
> On 2015-04-07, 10:42, "stephen.ctr.chapp...@faa.gov" <stephen.ctr.chapp...@faa.gov> wrote:
>
>> Thanx, Vishnu. I saw that, and spent most of the morning trying to build a cert chain that way. I started with PEM certs, cat'd them together in the correct order, converted them to PKCS7 with openssl crl2pkcs7, and imported the pkcs7 with keytool. In every case, keytool only imported one cert, not the whole chain. Maybe this is a Java issue (I'm using Java 6), but the man page says it should work. It also says that if you import a cert with a private key, it'll build a cert chain ... when I tried that with a server cert I had, it built a cert chain of length 1 instead of 3. That's when I posted the question.
>>
>> Stephen W. Chappell
>>
>> -----Original Message-----
>> From: Vishnu Radhakrishnan [mailto:vis...@10point1.com]
>> Sent: Tuesday, April 07, 2015 10:28 AM
>> To: users@cxf.apache.org; cohei...@apache.org
>> Subject: Re: Using a custom CertPathChecker
>>
>> From the keytool man - it imports a certificate chain if the input is given in PKCS#7 format, otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via the openssl crl2pkcs7 command.
>>
>> On 2015-04-07, 10:17, "stephen.ctr.chapp...@faa.gov" <stephen.ctr.chapp...@faa.gov> wrote:
>>
>>> Colm -
>>>
>>> This seems like it should be easier than it is, but can you point me to a resource for properly building a truststore with a certificate chain? I have separate keystores and trust stores for the STS, and the truststore should have a chain something like:
>>>
>>> Root CA
>>>   Intermediate CA
>>>     Issuing CA
>>>
>>> I had thought that if I added them with keytool in the right order, keytool would establish a cert chain. Instead it just adds them as individual certificates with no cert chain to be found.
>>>
>>> Stephen W. Chappell
>>>
>>> -----Original Message-----
>>> From: Chappell, Stephen CTR (FAA)
>>> Sent: Tuesday, April 07, 2015 8:21 AM
>>> To: cohei...@apache.org
>>> Cc: users@cxf.apache.org
>>> Subject: RE: Using a custom CertPathChecker
>>>
>>> Well, that must be the issue. I just ran it through the debugger, and getCertificateChain is returning null each time. I've added code in my subclassed Merlin to be able to walk up the tree, but it'd be more efficient if the truststore was built properly so I'll try to figure that out.
>>>
>>> Stephen W. Chappell
>>>
>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>> Sent: Tuesday, April 07, 2015 8:12 AM
>>> To: Chappell, Stephen CTR (FAA)
>>> Cc: users@cxf.apache.org
>>> Subject: Re: Using a custom CertPathChecker
>>>
>>> Ok cool. Just bear in mind that WSS4J won't wire up the trust chain using individual certs stored in the truststore; the intermediate cert must have the issuing cert stored as part of the certificate chain entry.
>>>
>>> Colm.
>>>
>>> On Tue, Apr 7, 2015 at 1:02 PM, <stephen.ctr.chapp...@faa.gov> wrote:
>>>
>>> Colm
>>>
>>> That is the case, at least I thought it was. The truststore has certs for the issuer, intermediate, and root CA, plus a few other miscellaneous certs. I'll run it through the debugger later this morning and see what turns up.
>>>
>>> Stephen W. Chappell
>>>
>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>> Sent: Tuesday, April 07, 2015 7:59 AM
>>> To: Chappell, Stephen CTR (FAA)
>>> Cc: users@cxf.apache.org
>>> Subject: Re: Using a custom CertPathChecker
>>>
>>> "getX509Certificates" calls "getCertificates" which (first) calls "getCertificateChain" on the keystore. Your intermediate CA should have the issuing CA certs stored as part of the entry in the keystore/truststore. Is this not the case? Can you debug into getCertificates() and find out why it is only returning a single cert?
>>>
>>> Colm.
>>>
>>> On Fri, Apr 3, 2015 at 3:34 PM, <stephen.ctr.chapp...@faa.gov> wrote:
>>>
>>> Colm -
>>>
>>> While I was mucking around in Merlin, I noted that in the "second step" section of verifyTrust, only the immediate issuer of the cert to be checked is added to the cert path (at least in my case, when getX509Certificates only returns a single cert rather than a cert chain). I have a requirement to validate all the certs in the cert path, which in my case has an additional intermediate before getting to the trust anchor. I'm able to loop there and get everything into the cert path, which seems to get everything revocation checked so that is good. But I was curious why only the immediate issuer was added to begin with - is there some issue I should be considering that I'm not?
>>>
>>> There's also an open question (or rather, open disagreement) about revocation checking the Root CA cert, but this list is probably not the right place for that discussion.
>>>
>>> Stephen W. Chappell
>>>
>>> -----Original Message-----
>>> From: Chappell, Stephen CTR (FAA)
>>> Sent: Friday, April 03, 2015 9:56 AM
>>> To: users@cxf.apache.org; cohei...@apache.org
>>> Subject: RE: Using a custom CertPathChecker
>>>
>>> Colm -
>>>
>>> No, I don't have any better suggestions. In fact, subclassing Merlin and adding a method to configure additional PKIX parameters is exactly what I did.
>>>
>>> Thanx,
>>> Stephen W. Chappell
>>>
>>> -----Original Message-----
>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>> Sent: Friday, April 03, 2015 9:47 AM
>>> To: users@cxf.apache.org
>>> Subject: Re: Using a custom CertPathChecker
>>>
>>> Hi Stephen,
>>>
>>> There is no way to add CertPathCheckers at the moment, beyond subclassing Merlin and overriding the "verifyTrust" method. I could add a method to customize the PKIXParameters object, though, that could be overridden by a subclass, which would be better. Or do you have any other suggestions?
>>>
>>> Colm.
>>>
>>> On Tue, Mar 24, 2015 at 8:11 PM, <stephen.ctr.chapp...@faa.gov> wrote:
>>>
>>>> I have a requirement to use a custom CertPathChecker in my code. With a "bare" JVM, I can add the checker to my PKIXParameters and validate away.
>>>>
>>>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any hooks to add a custom checker or customize the PKIXParameters that are being used.
>>>>
>>>> Is there some other means for adding a custom checker to the list that isn't so obvious? I could subclass Merlin and sort of brute force it in if necessary, but if there's another way to set that up I would much rather do that.
>>>>
>>>> Stephen W. Chappell
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
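Two things in this thread fit together once the KeyStore API is kept in mind: keytool stores each imported CA certificate as a TrustedCertificateEntry, which holds exactly one certificate, and KeyStore.getCertificateChain(alias) returns null for such entries because a chain is only associated with an alias by setKeyEntry (a PrivateKeyEntry). That is why a trust store of individual CA certs gives Merlin's getCertificates() a single cert and the debugger shows null. The standard JDK way to recover the full path from individual certs is CertPathBuilder with the PKIX algorithm: self-signed certs become trust anchors, the rest are offered as a CertStore, and custom PKIXCertPathChecker instances run over every certificate the builder puts on the path (the leaf, the issuing CA and the intermediate; the trust anchor itself is not passed to checkers). The following is an added example written for this page, not WSS4J or Merlin code, and it assumes a JKS trust store path, password and a DER or PEM leaf certificate file given on the command line, plus Java 7 or later; the KeyUsageChecker is an illustrative checker, not one the thread describes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/**
 * Added example (not WSS4J/Merlin code): build and validate the path
 * leaf -> issuing CA -> intermediate CA -> root from a trust store that only
 * holds individual TrustedCertificateEntry items, running a custom
 * PKIXCertPathChecker over every certificate that ends up on the path.
 */
public class ChainFromTrustStore {

    /** Illustrative checker: every CA cert on the path must carry the keyCertSign key usage bit. */
    static final class KeyUsageChecker extends PKIXCertPathChecker {
        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() { return null; }
        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate x = (X509Certificate) cert;
            boolean[] ku = x.getKeyUsage();           // null when the extension is absent
            // getBasicConstraints() >= 0 means cA=true; keyCertSign is bit 5 of KeyUsage.
            if (x.getBasicConstraints() >= 0 && (ku == null || ku.length < 6 || !ku[5])) {
                throw new CertPathValidatorException(
                        "CA certificate without keyCertSign: " + x.getSubjectX500Principal());
            }
        }
    }

    /**
     * Returns the validated chain, leaf first and the trust anchor (root) last.
     * Throws CertPathBuilderException if no trusted path exists or a checker rejects a cert.
     */
    static X509Certificate[] buildAndValidate(KeyStore trustStore, X509Certificate leaf)
            throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        List<X509Certificate> intermediates = new ArrayList<>();
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!trustStore.isCertificateEntry(alias)) continue;   // ignore private-key entries
            X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
            if (c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                anchors.add(new TrustAnchor(c, null));            // self-signed root: trust anchor
            } else {
                intermediates.add(c);                             // everything else: path material
            }
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);                              // the cert whose path we want
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        params.addCertPathChecker(new KeyUsageChecker());         // runs on leaf + intermediates
        // Assumption: revocation is handled elsewhere (on Java 8+ a PKIXRevocationChecker can be
        // added here instead); the builder would otherwise require CRL/OCSP data to be reachable.
        params.setRevocationEnabled(false);
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        List<? extends Certificate> path = result.getCertPath().getCertificates();
        X509Certificate[] chain = new X509Certificate[path.size() + 1];
        for (int i = 0; i < path.size(); i++) chain[i] = (X509Certificate) path.get(i);
        chain[path.size()] = result.getTrustAnchor().getTrustedCert();   // append the root
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: java ChainFromTrustStore truststore.jks <password> leaf.cer
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        X509Certificate leaf;
        try (InputStream in = new FileInputStream(args[2])) {
            leaf = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        for (X509Certificate c : buildAndValidate(ts, leaf)) {
            System.out.println(c.getSubjectX500Principal());
        }
    }
}
```

The builder also validates the path it constructs, so a single build() call covers both steps Merlin's verifyTrust performs separately; if it returns, every certificate between the leaf and the anchor passed signature, validity and checker tests. Splitting the store into anchors and intermediates matters: if every stored CA cert were added as a trust anchor, the builder would stop at the issuing CA and the intermediate would never be examined, which is the same "path of length 1" effect described above.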