how would you rate the java xca-alternatives?

2003-06-15
2004-04-01
  • Ralf Hauser

    Ralf Hauser - 2003-06-15

    When doing SSL in the java environment, Sun suggests the use of the quite complicated keytools.exe (that also shows passwords typed on your console :(  )

    However, there are several java-based GUI alternatives:

    1) http://homepage.ntlworld.com/wayne_grant/keytool.html
    2) http://www.alphaworks.ibm.com/tech/keyman
       -- supposedly also able to sign zips and interact with the windows key store (both didn't work)
    3) http://southgatesoftware.com/products/sskeytool/index.html
    4) http://www.xlreader.com/products/_prod_id_4.html  Sign-It or in its archives the XLRSecTool
             ---> didn't work upon installation...

    How do they compare to xca?

     
    • Christian Hohnstaedt

      I did not test any of these tools; I only read the descriptions and documentation of the tools.
      (+) means "functionality XCA does not have"
      (-) means "missing functionality that is supported by XCA"

      Key TooL
      -----------

      "Generate DSA and RSA key pair entries with self-signed Version 1 X.509 certificates."
      This sentence implies two constraints:
      - There are NO extensions possible, since they were introduced with Version 3
      - Signing of a request or creating a CA signed client cert is not possible. ??

      KeyMan
      ------------

      Support for certificate extensions: subjectAlternativeName, basicConstraints, extKeyUsage, keyUsage. Values can be specified during certificate generation.

      - No issuerAlternativeName, subjectKeyIdentifier, AuthorityKeyIdentifier and NetscapeExtensions.
      + Support for PKCS#11
      + Support of SPKAC
      + Signing/verification of JAR archives
      + Importing certificates via LDAP/HTTPS protocols
      ? Creation of CRLs (It is not mentioned, but I think they can, xca can too)

      Southgate Software keytool
      ----------------------------

      It seems that there are not very many possibilities to alter every nut, bolt and screw.
      What about V3 extensions ? CRLs ? PKCS#7 ?

      Sign It !
      -----------------
      Not very much information, but they do not focus on creating and handling certificates and CAs but rather on signing jar files with existing certificates and keys.

      --------------------------------
      If there is any wrong information here, please do not hesitate to correct me and tell me I'm wrong !
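
Added example (not part of any post in this thread, and not code from XCA or the tools discussed): the point above that Version 1 certificates cannot carry extensions can be checked on a DER-encoded certificate by reading the optional version field and looking for the [3] extensions field of the TBSCertificate. The function names and the skeleton sample certificates are constructed for illustration.

```python
# Added example: standard library only; sample certificates are constructed skeletons.

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def version_and_extensions(cert_der):
    """Return (version, has_extensions) read from the TBSCertificate."""
    _, cert, _ = read_tlv(cert_der, 0)
    fields = children(children(cert)[0][1])  # fields of tbsCertificate
    version = 1                              # version is DEFAULT v1, so omitted in v1 certs
    if fields and fields[0][0] == 0xA0:      # [0] EXPLICIT INTEGER, encoded as version - 1
        version = int.from_bytes(read_tlv(fields[0][1], 0)[1], "big") + 1
    has_ext = any(tag == 0xA3 for tag, _ in fields)   # [3] extensions
    if has_ext and version != 3:
        raise ValueError("extensions present in a non-v3 certificate")
    return version, has_ext

def der(tag, content=b""):
    """Encode one DER element (short-form length is enough for these samples)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

# Constructed skeletons: correct outer layout, empty placeholder fields, not valid certificates.
BODY = der(0x02, b"\x01") + der(0x30) * 5    # serial, then 5 placeholder SEQUENCEs
TAIL = der(0x30) + der(0x03, b"\x00")        # signatureAlgorithm, signatureValue
V1_CERT = der(0x30, der(0x30, BODY) + TAIL)
V3_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + BODY
                        + der(0xA3, der(0x30, der(0x30)))) + TAIL)
BAD_CERT = der(0x30, der(0x30, BODY + der(0xA3, der(0x30))) + TAIL)
```

A result of `(1, False)` means the certificate has no basicConstraints or keyUsage at all, so a verifier cannot learn from the certificate itself whether it is meant to act as a CA.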

       
    • Mark Foster

      Mark Foster - 2004-04-01

      Hi - regarding keytool, it is not so good. You cannot export the private key, and rebuilding certificate chains is painful. I do not think keytool can handle CA functionality, such as signing and generating CRLs.

       
