how would you rate the java xca-alternatives?

  • Ralf Hauser

    Ralf Hauser - 2003-06-15

    When doing SSL in the Java environment, Sun suggests the use of the quite complicated keytools.exe (that also shows passwords typed on your console :(  )

    However, there are several java-based GUI alternatives:

       -- supposedly also able to sign zips and interact with the windows key store (both didn't work)
    4)  Sign-It or in its archives the XLRSecTool
             ---> didn't work upon installation...

    How do they compare to xca?

    • Christian Hohnstaedt

      I did not test any of these tools, but I only read the descriptions and documentation of the tools.
      (+) means "functionality XCA does not have"
      (-) means "missing functionality that is supported by XCA"

      Key TooL

      "Generate DSA and RSA key pair entries with self-signed Version 1 X.509 certificates."
      This sentence implies two constraints:
      - There are NO extensions possible, since they were introduced with Version 3
      - Signing of a request or creating a CA signed client cert is not possible. ??


      Support for certificate extensions: subjectAlternativeName, basicConstraints, extKeyUsage, keyUsage. Values can be specified during certificate generation.

      - No issuerAlternativeName, subjectKeyIdentifier, AuthorityKeyIdentifier and NetscapeExtensions.
      + Support for PKCS#11
      + Support of SPKAC
      + Signing/verification of JAR archives
      + Importing certificates via LDAP/HTTPS protocols
      ? Creation of CRLs (It is not mentioned, but I think they can, xca can too)

      Southgate Software keytool

      It seems that there are not very many possibilities to alter every nut, bolt and screw.
      What about V3 extensions ? CRLs ? PKCS#7 ?

      Sign It !
      Not very much information, but they do not focus on creating and handling certificates and CAs but rather on signing jar files with existing certificates and keys.

      If there is any wrong information here, please do not hesitate to correct me and tell me I'm wrong !

    • Mark Foster

      Mark Foster - 2004-04-01

      Hi - regarding keytool, it is not so good. You cannot export the private key, and rebuilding certificate chains is painful. I do not think keytool can handle CA functionality, such as signing and generating CRLs.

