Posted to fx-dev@ws.apache.org by Christof Soehngen <Ch...@SYRACOM.DE> on 2004/04/02 11:35:31 UTC

Suitable keystores and tools for certificates

Hello everybody!
 
I'm looking for tools and keystores to use for certificates in combination with WSS4J.
 
My goals are:
 - Encryption (asymmetric enc. of symmetric key)
 - Signature
 - Authentication (by using installed certificates and CertificationPaths)
 
The tools I have identified so far are:
 - Java keystore
 - OpenSSL
 
The problem is that I want to use a "Mini-CA", so I need OpenSSL to sign certificate requests.
 
It might be possible that I need to use the same keypair to sign and encrypt messages and to sign certificates. So I need a keystore format that allows me to import/export keypairs (public, private) and certificates, all compatible with OpenSSL (JKS cannot do that, as far as I've seen). WSS4J should be able to use this format (probably via BC provider).
 
Is PKCS12 what I am looking for? Are there any tools, comparable with the java "keytools", to create and manipulate it? Open Source ones? :-)
 
Thank you very much,
Christof
###########################################

This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.F-Secure.com/

Re: Suitable keystores and tools for certificates

Posted by Yves Langisch <li...@langisch.ch>.
Christof,

Have a look at http://homepage.ntlworld.com/wayne_grant/keytool.html ... 
great tool

Yves



Re: Suitable keystores and tools for certificates

Posted by Yves Langisch <li...@langisch.ch>.
Christof,

Yes, PKCS12 is what you are looking for. You can convert an X509 cert 
(incl. private key) to PKCS12 with OpenSSL with the following command:

    openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12

The resulting file (client.p12) you can now import as a key pair into a 
JKS with the keytool GUI.

Please note that AFAIK validation of the certification path is not 
implemented yet. Werner, please correct me if I'm wrong.

Regards,
Yves
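
The conversion above, extended into the full "Mini-CA" flow from the question (CA signs a request, then the key and certificate are bundled into PKCS12 and checked). This is an added example, not part of the original posts; ca.key, ca.crt, client.csr, the subject names and the password are constructed, and it goes beyond the single command by including the CA certificate in the bundle and verifying the result.

```shell
#!/bin/sh
# Added example. Assumes the openssl CLI is installed; all names are constructed.

# Build a mini-CA, sign a client request, and export key+cert+CA as PKCS#12.
make_p12() {   # $1 = work dir, $2 = export password
    d=$1
    # 1. Mini-CA: self-signed CA certificate and its private key
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj "/CN=Example Mini-CA" -days 30 2>/dev/null || return 1
    # 2. Client key pair plus certificate request
    openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -out "$d/client.csr" -subj "/CN=wss4j-client" 2>/dev/null || return 1
    # 3. The CA signs the request
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" -days 30 2>/dev/null || return 1
    # 4. Bundle into PKCS#12. The password is passed via the environment so it
    #    does not appear in the process list; -certfile adds the CA cert.
    P12_PASS=$2 openssl pkcs12 -export -inkey "$d/client.key" \
        -in "$d/client.crt" -certfile "$d/ca.crt" -name client \
        -passout env:P12_PASS -out "$d/client.p12" || return 1
}

# Succeeds only if client.crt chains to the mini-CA.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Succeeds only if the private key stored in client.p12 matches the
# public key in client.crt (and the password opens the bundle).
p12_key_matches() {   # $1 = work dir, $2 = password
    from_p12=$(P12_PASS=$2 openssl pkcs12 -in "$1/client.p12" \
        -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$1/client.crt" -noout -pubkey) || return 1
    [ -n "$from_p12" ] && [ "$from_p12" = "$from_crt" ]
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
make_p12 "$work" "constructed-pass" && chain_ok "$work" \
    && p12_key_matches "$work" "constructed-pass" \
    && echo "client.p12 verified in $work"
```

The unencrypted .key files in the work directory should be removed or protected once the PKCS12 bundle has been imported.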
