From: 32567 <ram...@gm...> - 2008-01-27 20:14:46
Hi Johan,

Thanks a lot for all your help. I am able to create the digital signature with your given steps. I really appreciate your help.

Thanks,
Ramesh

Johan Eklund wrote:
>
> Hi Ramesh,
>
> You can't use the testserver.jks directly to create the signature instead? As keystore.jks is used by tomcat to create SSL-session, it would be very strange to use the same keystore for holding a signature-key. It is very easy to load a JKS keystore from a file in Java and http://java.sun.com/javase/6/docs/api/java/security/KeyStore.html has a great example of how you do this.
>
> Importing the tomcat server-cert to testserver.jks is easy
> Export cert: "keytool -exportcert -keystore keystore.jks -file cert ...."
> Import cert: "keytool -importcert -keystore testserver.jks -file cert ...."
>
> If you still want to merge 2 JKS-files you can either use keytool -importkeystore or do this with Java code, if you need to have the same password for all the entries in the JKS.
> Something like:
> - Load testserver.jks to KeyStore using its password(s)
> - Extract cert and private key
> - Load keystore.jks to another KeyStore using its password(s)
> - Store the 2 extracted posts from testserver.jks to keystore.jks using keystore.jks password
>
> Hope this helps,
> Johan
>
> 32567 wrote:
>> Hi,
>>
>> Yes. I have created a code to generate XML Signature with keystore.jks and trying to test my xml signature part with one more certificate where I am stuck in importing my testserver.jks into keystore.jks. Is there any way I can import my testservercert to jboss keystore.jks along with the existing tomcat localhost private key. Can you provide some info how to create new keystore with my server certificate.
>>
>> Thanks,
>> Ramesh
>>
>> Tomas Gustavsson wrote:
>>
>>> Hi ramesh,
>>> It's still hard to understand what you mean. You have already created code that uses keystore.jks to generate a message with XML Signature?
>>>
>>> In order to generate a signature you need both a private key and a certificate. If you import the new certificate into keystore.jks, that can not be used to generate a signature, because the private key in keystore.jks does not match the new certificate.
>>>
>>> You can generate a completely new jks file for your user instead, and replace keystore.jks with this new jks file. Simply set keystore type to JKS when editing your user (testservercert).
>>>
>>> Regards,
>>> Tomas
>>>
>>> 32567 wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for your response. I have created the user as "testservercert" and CN as "ramesh-pc". I followed the same steps as you mentioned. To be more clear on this, I want to send my server certificate as an XML Signature using XML-Security API to a client. I am able to test with Tomcat user which has CN=localhost and able to generate the XML Signature with Tomcat server certificate. I am trying with new certificate where the certificate key is not getting imported to jboss/.../conf/keystore/keystore.jks. But I currently have the Tomcat localhost CN in Jboss Keystore. Now I am not able to import my current "testservercert"(CN=ramesh-pc) to jboss/../conf/keystore/keystore.jks. Please help on this.
>>>>
>>>> Thanks,
>>>> Ramesh
>>>>
>>>> Johan Eklund wrote:
>>>>
>>>>> Hi Ramesh,
>>>>>
>>>>> I couldn't find any specifications of a "XML Digital Certificate" standard, but "ant -Dca.name=SomeCaName javatruststore" is used for installing a CA-certificate as trusted for client SSL-certificates accessing the EJBCA Admin GUI.
>>>>>
>>>>> I assume you need a keystore with a private key and a certificate in JKS-format and that you have a tool for extracting the certificate. To create this keystore:
>>>>> 1. Add a new user "ramesh-pc" in the EJBCA Admin GUI with CN=ramesh-pc, set a password, check "batch generation" and change token to "JKS"
>>>>> 2. Run "$EJBCA_HOME/bin/ejbca.sh batch"
>>>>> 3. You now have a "$EJBCA_HOME/p12/ramesh-pc.jks" keystore protected with the password you set for the user.
>>>>>
>>>>> Please let me know if I misunderstood the problem,
>>>>> Johan
>>>>>
>>>>> 32567 wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have created a Server Certificate with ramesh-pc as CN. I am trying to add the server certificate into my server keystore jboss/.../conf/keystore/keystore.jks file using ant javatruststore -Dca.name=ramesh-pc. But the keystore already has a tomcat(cn=localhost) jks which gets generated at time the initial ejbca deploy. Can someone help me how to add my server certificate to keystore. I need to create XML Digital Certificate from this.
>>>>>>
>>>>>> Thanks,
>>>>>> Ramesh
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by: Microsoft
>>>>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>>>>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>>>> _______________________________________________
>>>>> Ejbca-develop mailing list
>>>>> Ejb...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

--
View this message in context: http://www.nabble.com/Server-Certificate-Keystore-Add-tp15058800p15123430.html
Sent from the EjbCA - Dev mailing list archive at Nabble.com.
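
The merge Johan outlines in the thread (load testserver.jks, extract the private key and certificate, store them in keystore.jks under its password), written out as an added Java example that is not code from the thread or from EJBCA. It also checks Tomas's point that a private key must match its certificate before the entry is copied; the class name, the `.merged` output file and the assumption that each key password equals its store password are choices made here.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Collections;

public class MergeJks {  // hypothetical class name
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);  // the password is also used for the store's integrity check
        }
        return ks;
    }

    // Sign a probe with the private key and verify it with the certificate's
    // public key: succeeds only when the two belong to the same key pair.
    static boolean matches(PrivateKey key, Certificate cert) throws Exception {
        String alg = key.getAlgorithm();  // "RSA", "DSA" or "EC"
        Signature s = Signature.getInstance("SHA256with" + ("EC".equals(alg) ? "ECDSA" : alg));
        byte[] probe = "keypair-check".getBytes("UTF-8");
        s.initSign(key);
        s.update(probe);
        byte[] sig = s.sign();
        s.initVerify(cert.getPublicKey());
        s.update(probe);
        return s.verify(sig);
    }

    // Usage: java MergeJks testserver.jks keystore.jks  (needs an interactive terminal)
    public static void main(String[] args) throws Exception {
        char[] srcPass = System.console().readPassword("Password for %s: ", args[0]);
        char[] dstPass = System.console().readPassword("Password for %s: ", args[1]);
        KeyStore src = load(args[0], srcPass);
        KeyStore dst = load(args[1], dstPass);
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isKeyEntry(alias)) continue;  // certificate-only entries cannot sign
            if (dst.containsAlias(alias))
                throw new IllegalStateException("alias already in target: " + alias);
            Key key = src.getKey(alias, srcPass);  // assumption: key password == store password
            Certificate[] chain = src.getCertificateChain(alias);
            if (!(key instanceof PrivateKey) || chain == null || !matches((PrivateKey) key, chain[0]))
                throw new IllegalStateException("key and certificate do not match: " + alias);
            dst.setKeyEntry(alias, key, dstPass, chain);  // re-protected with the target password
        }
        // Write a new file; the keystore Tomcat uses stays untouched until it is swapped in.
        try (OutputStream out = new FileOutputStream(args[1] + ".merged")) {
            dst.store(out, dstPass);
        }
    }
}
```

Passwords are read from the console rather than the command line so they do not appear in the process list or shell history.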