Personalize
ADS

Setting up the keystore for Rampart

Submitted by vibsha on April 30, 2007 - 05:29. Forums :

I was referring to your article available at the following link.

http://wso2.org/library/174

and

http://wso2.org/library/255

One thing that i need clarification on was that why do we need to import the client certifcate in to our key store when the consumer of the web service would provide it's certifcate in soap message itself.
I looked at the certifcates also which have been provided along with the samples of rampart and when i used the following command

keytool -list -v -keystore service.jks -storepass apache

i saw that there are three enteries

Alias name: service
Creation date: Jul 21, 2006
Entry type: keyEntry
Certificate chain length: 2

Alias name: ca
Creation date: Jul 21, 2006
Entry type: trustedCertEntry

Alias name: client
Creation date: Jul 21, 2006
Entry type: trustedCertEntry

so it shows that there exists a client certifcate too.
The key store still has the private key but it is hidden right?
what does Certificate chain length: 2 mean?

Now coming to the main question

We are getting our testing certificates from comodo (www.comodo.com)

they have mentioned the instructions to generate the key pair as follows

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=3&nav=0,1

This article talks about using an openssl to create the key pair

now if i have to maintain a key store in the similar fashion described in your article how should we go about doing that?

I looked at the keytool utility provided by JDK and it does not show how to import the private key into the key store that would be generated from the link specified above. Any help would really be appreciated.

Thanks
Vibhor

Bookmark/Search this post with:
  • Delicious
  • Digg
  • Reddit
  • Newsvine
  • Facebook
  • Google
  • Yahoo
  • Technorati
‹ [Identity-dev] Another Apache Authentication Module for CardSpace ????? [Identity-dev] [jira] Created: (IDENTITY-18) Create Admin Services ›

[Identity-dev] Setting up the keystore for Rampart

Submitted by dimuthul on May 3, 2007 - 21:00.

Hi Vibor,

On Mon, 2007-04-30 at 06:29 -0700, vibsha wrote:
> I was referring to your article available at the following link.
>
> http://wso2.org/library/174
>
> and
>
> http://wso2.org/library/255
>
> One thing that i need clarification on was that why do we need to import the client certifcate in to our key store when the consumer of the web service would provide it's certifcate in soap message itself.

If the client provides the certificate in the SOAP message we don't have
to import client's certificate into the keystore.

However clients can send messages without including the certificate,
i.e. they can just indicate the Subject-Key-Identifier (SKI) of the
certificate in the SOAP message. If your web service is going to
supporting SKI for clients, their certificates must be in the keystore.

> I looked at the certifcates also which have been provided along with the samples of rampart and when i used the following command
>
> keytool -list -v -keystore service.jks -storepass apache
>
> i saw that there are three enteries
>
> Alias name: service
> Creation date: Jul 21, 2006
> Entry type: keyEntry
> Certificate chain length: 2
>
> Alias name: ca
> Creation date: Jul 21, 2006
> Entry type: trustedCertEntry
>
> Alias name: client
> Creation date: Jul 21, 2006
> Entry type: trustedCertEntry
>
> so it shows that there exists a client certifcate too.
> The key store still has the private key but it is hidden right?
"Entry type: keyEntry" - This is the private key

> what does Certificate chain length: 2 mean?
This means chain length is 2.

> Now coming to the main question
>
> We are getting our testing certificates from comodo (www.comodo.com)
>
> they have mentioned the instructions to generate the key pair as follows
>
> https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=3&nav=0,1
>
> This article talks about using an openssl to create the key pair
>
> now if i have to maintain a key store in the similar fashion described in your article how should we go about doing that?
>
> I looked at the keytool utility provided by JDK and it does not show how to import the private key into the key store that would be generated from the link specified above. Any help would really be appreciated.

I went through the article. Here the private key is in pem format, so
the question is how to import private keys in pem format into the
keystore. I think Ruchith will be able help you on this matter or I will
investigate the matter further and let you know.

Cheers,
Dimuthu

_______________________________________________
Identity-dev mailing list
Identity-dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/identity-dev

»

[Identity-dev] Setting up the keystore for Rampart

Submitted by vibsha on May 4, 2007 - 05:39.

Thanks a lot Dimuthu
If you can please help in importing the PEM in th keystore that would really be helpfull.

Thanks
Vibhor

»

[Identity-dev] Setting

Submitted by dimuthul on May 15, 2007 - 20:00.

Hi Vibhor

I could not find a command to import the private key into jks, but I did
find another way. This article http://www.comu.de/docs/tomcat_ssl.htm
has a java program that will help you to import the private key and the
associated certificate into a java key store.

Cheers,
Dimuthu

On Fri, 2007-05-04 at 06:39 -0700, vibsha wrote:
> Thanks a lot Dimuthu
> If you can please help in importing the PEM in th keystore that would really be helpfull.
>
> Thanks
> Vibhor
>
> _______________________________________________
> Identity-dev mailing list
> Identity-dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/identity-dev

_______________________________________________
Identity-dev mailing list
Identity-dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/identity-dev

»