Posted By:
Andre_L
Posted On:
Tuesday, September 23, 2003 07:09 AM
Hi,
I have a problem with importing certificates into my browser that were
generated with the keytool and from my own Java code. I am really lost
and any help is appreciated.
What I want to do is:
1. use client authentication in a web application
2. generate client certificates automatically, so
if I add a user to the system, some Java code generates
the certificate for me, which I can then import into the
client's browser.
Here is what I did so far:
1. generate my own root certificate
keytool -genkey -keyalg RSA -keystore ca.keystore -validity 300 -alias ca
keytool -selfcert -alias ca -keystore ca.keystore
keytool -export -alias ca -keystore ca.keystore -file ca.cer
2. import the ca.cer file into Windows or browser applications as a trusted authority
-> works without problems
3. generate client certificates through Java
// Imports and the variables the snippet uses but did not declare (added so it compiles; values are assumed)
import java.io.*;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;

Security.addProvider(new BouncyCastleProvider()); // the old generator signs via the "BC" provider
String username = "testuser";                     // assumed: the user being added
SecureRandom sr = new SecureRandom();             // assumed: source for the serial number
Date from = new Date();                           // assumed: validity start
Date to = new Date(from.getTime() + 300L * 24 * 60 * 60 * 1000); // assumed: 300 days, like the CA

KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("config/ca.keystore"), "password".toCharArray());
Certificate caCert = keystore.getCertificate("ca");
PrivateKey caPrivateKey = (PrivateKey) keystore.getKey("ca", "password".toCharArray());
/*
 * generate certificate for user
 */
KeyPairGenerator kpgen = KeyPairGenerator.getInstance("RSA");
kpgen.initialize(1024);
KeyPair keypair = kpgen.generateKeyPair();
X509V3CertificateGenerator x509gen = new X509V3CertificateGenerator();
// serial numbers must be positive; sr.nextLong() can be negative
x509gen.setSerialNumber(new BigInteger(63, sr));
x509gen.setNotBefore(from);
x509gen.setNotAfter(to);
x509gen.setSubjectDN(new X509Name("CN=" + username + ", OU=Fachbereich Informatik, O=HAW Hamburg, L=Hamburg, ST=Hamburg, C=de"));
x509gen.setIssuerDN(new X509Name("CN=ca, OU=Fachbereich Informatik, O=HAW Hamburg, L=Hamburg, ST=Hamburg, C=de"));
x509gen.setSignatureAlgorithm("MD5WithRSAEncryption");
x509gen.setPublicKey(keypair.getPublic());
X509Certificate cert = x509gen.generateX509Certificate(caPrivateKey);
// "i:\" would escape the closing quote; the backslash itself has to be escaped
OutputStream os = new FileOutputStream("i:\\" + username + ".cer");
Writer wr = new OutputStreamWriter(os, Charset.forName("UTF-8"));
wr.write("-----BEGIN CERTIFICATE-----\n");
wr.write(new sun.misc.BASE64Encoder().encode(cert.getEncoded()));
wr.write("\n-----END CERTIFICATE-----\n");
wr.flush();
wr.close();
4. import file into browser
does not work (neither Internet Explorer, Opera, nor Firebird)
error messages:
Windows/IE: something like "issuer for this certificate could not be found"
Opera: no matching private key found
Firebird: complains that the certificate is corrupt, or not PKCS12, or the password is wrong
I then tried to change the keystore type to PKCS12, but it wasn't possible, because it is not
supported by the keytool.
Like I said, I am lost and I really don't know what else to do.
Best regards,
Andre
PS: I am doing all this stuff on one machine right now, that's why I haven't posted
anything about separate client/server certificate deployment.
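Added example (not from Andre's post): the same flow done the way browsers expect, written against the current BouncyCastle bcpkix API rather than the old X509V3CertificateGenerator. The issuer DN is copied from the CA certificate instead of retyped, the signature uses SHA256withRSA instead of MD5, and the output is a PKCS#12 file holding the user's private key together with the chain, which is what Opera's "no matching private key" and Firebird's "not PKCS12" messages are asking for. Assumes bcpkix on the classpath, the config/ca.keystore path and "password" from the post, a hypothetical class name ClientCertP12, and the username and import password given on the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ClientCertP12 {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        String username = args[0];                 // e.g. "alice"
        char[] caPass = "password".toCharArray();  // CA keystore password, as in the post
        char[] p12Pass = args[1].toCharArray();    // import password handed to the user
        // Load the CA certificate and private key from the keytool-generated JKS
        KeyStore ca = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("config/ca.keystore")) {
            ca.load(in, caPass);
        }
        X509Certificate caCert = (X509Certificate) ca.getCertificate("ca");
        PrivateKey caKey = (PrivateKey) ca.getKey("ca", caPass);
        // Fresh key pair for the user; the private key must end up in the browser too
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair user = kpg.generateKeyPair();
        // Issuer is taken byte-for-byte from the CA cert's subject, so chain matching cannot fail on a typo
        X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
        X500Name subject = new X500Name("CN=" + username + ",OU=Fachbereich Informatik,O=HAW Hamburg,C=de");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        BigInteger serial = new BigInteger(64, new SecureRandom());  // random, non-negative serial
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(
                issuer, serial, notBefore, notAfter, subject, user.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(caKey));
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(holder);
        // PKCS#12 bundles the private key with the certificate chain; a bare .cer cannot
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        p12.setKeyEntry(username, user.getPrivate(), p12Pass, new X509Certificate[] { cert, caCert });
        try (FileOutputStream out = new FileOutputStream(username + ".p12")) {
            p12.store(out, p12Pass);
        }
    }
}
```

The resulting username.p12 is imported through the browser's personal certificate store with the import password, which is the only thing that needs to travel to the user besides the file itself.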