Posted to java-user@axis.apache.org by Vibhor_Sharma <vs...@gryphonnetworks.com> on 2007/04/27 20:54:38 UTC

Setting up the key store for Rampart

Hi Ruchith
      I was referring to your article available at the following link.
 
http://wso2.org/library/174
 
and 
 
http://wso2.org/library/255
 
One thing that I need clarification on was why we need to import the client certificate into our key store when the consumer of the web service would provide its certificate in the SOAP message itself.
I looked at the certificates which have been provided along with the samples of Rampart, and when I used the following command
 
keytool -list -v -keystore service.jks -storepass apache
 
I saw that there are three entries
 
Alias name: service
Creation date: Jul 21, 2006
Entry type: keyEntry
Certificate chain length: 2
 
Alias name: ca
Creation date: Jul 21, 2006
Entry type: trustedCertEntry
 
Alias name: client
Creation date: Jul 21, 2006
Entry type: trustedCertEntry
 
so it shows that there exists a client certificate too.
The key store still has the private key but it is hidden, right?
What does "Certificate chain length: 2" mean?
 
Now coming to the main question 
 
We are getting our testing certificates from Comodo (www.comodo.com)
 
They have given the instructions to generate the key pair here:
 
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=3&nav=0,1
 
This article talks about using OpenSSL to create the key pair.
 
Now, if I have to maintain a key store in the fashion described in your article, how should we go about doing that?
 
I looked at the keytool utility provided by the JDK and it does not show how to import the private key that would be generated from the link specified above into the key store. Any help would really be appreciated.
 
 
Thanks
Vibhor

Re: Setting up the key store for Rampart

Posted by Sukma Agung Verdianto <sa...@gmail.com>.
Hi Vibhor,

Rampart also supports the PKCS12 keystore. So, instead of using JKS,
you could use PKCS12 to store private keys (.p12/.pfx) & trusted
certs (.crt/.cer).
AFAIK, OpenSSL cannot manage a PKCS keystore to have more than one cert.
I have tried software called "IBM keyman" that will allow you to
import more than one cert in a keystore.
Hope this will help.

Regards,
Sukma
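Both the question of how to get an OpenSSL-generated private key into the key store (which keytool alone does not offer) and the PKCS12 alternative mentioned in the reply can be handled with Java's own KeyStore API, which is what keytool wraps. The following is an added example written for this thread, not code from Rampart or its samples; the file names service.key.der, service.cer, ca.cer and client.cer are assumed, as is the openssl pkcs8 conversion step described in the comment.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;

// Assumed inputs (hypothetical names, not from the thread): service.key.der is the OpenSSL key
// converted with "openssl pkcs8 -topk8 -nocrypt -in service.key -outform DER -out service.key.der";
// service.cer, ca.cer and client.cer are the service, issuer and consumer certificates (DER or PEM).
public class BuildRampartKeystore {
    public static void main(String[] args) throws Exception {
        char[] storePass = "apache".toCharArray();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // keytool cannot import a bare private key, but the KeyStore API accepts a PKCS#8 key.
        byte[] keyBytes = Files.readAllBytes(Paths.get("service.key.der"));
        RSAPrivateKey key = (RSAPrivateKey) KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
        X509Certificate serviceCert = loadCert(cf, "service.cer");
        X509Certificate caCert = loadCert(cf, "ca.cer");
        X509Certificate clientCert = loadCert(cf, "client.cer");
        // Before writing anything: the certificate must belong to this key, and it must really
        // have been issued by the CA that will sit behind it in the chain.
        RSAPublicKey pub = (RSAPublicKey) serviceCert.getPublicKey();
        if (!pub.getModulus().equals(key.getModulus())) {
            throw new IllegalStateException("service.cer does not match service.key.der");
        }
        serviceCert.verify(caCert.getPublicKey()); // throws if the CA signature does not check out
        KeyStore ks = KeyStore.getInstance("JKS"); // "PKCS12" works the same way
        ks.load(null, null); // start from an empty store
        // keyEntry "service": private key plus a chain of length 2 (own cert, then its issuer)
        ks.setKeyEntry("service", key, storePass, new Certificate[] { serviceCert, caCert });
        // trustedCertEntry entries carry a certificate only, never a private key
        ks.setCertificateEntry("ca", caCert);
        ks.setCertificateEntry("client", clientCert);
        try (FileOutputStream out = new FileOutputStream("service.jks")) {
            ks.store(out, storePass);
        }
    }

    private static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}
```

The resulting service.jks lists the same three aliases under `keytool -list -v` as the sample keystore, with the private key kept inside the keyEntry and never shown by keytool.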

