Posted to fx-dev@ws.apache.org by Andrew Kinard <ak...@cisco.com> on 2005/08/01 21:51:13 UTC

Self-signed certificates?

Hello all,

I'm having a bit of trouble getting WSS4J working with my self-signed  
certificates.  Does WSS4J only work with CA signed certs or is there  
some trick I don't know about?

Regards,
Andrew Kinard
AK;-)

Re: Self-signed certificates? Using keys directory scripts

Posted by Guy Rixon <gt...@ast.cam.ac.uk>.
I have the same error with a certificate created formally by the UK e-Science
CA.

On Tue, 2 Aug 2005, Andrew Kinard wrote:

> Werner,
>
> I have attempted to create my own CA (never tried this before, so not
> sure I've done it right).  Then tried using the scripts in the keys
> directory as a guide to creating an X.509 v3 cert.
>
> I'm still getting the following error from Axis:
> -----------
> Axis exception is AxisFault
>   faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
>   faultSubcode:
>   faultString: WSDoAllSender: Signature: error during message procesingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
> ------------
>
>
> Here are the steps I followed to produce the keystore (executed from
> the keys directory):
> ------------
> $JAVA_HOME/bin/keytool -genkey -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -selfcert -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -export -alias CommitArch_CA -file cca_ca.crt -keystore wss4j.keystore -rfc
>
> java ExportPriv > cca_ca.key
>
> keytool -import -alias CommitArch_CA -file cca_ca.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
>
> rm wss4j.keystore cert.*
>
> $JAVA_HOME/bin/keytool -genkey -alias wss4jcertdsa -keystore wss4j.keystore -dname "CN=CommitArchJ2EE,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -keystore wss4j.keystore -alias wss4jcertdsa -certreq -file cert.req
>
> openssl ca -config ca.config -policy policy_anything -days 365 -out cert.pem -infiles cert.req
>
> openssl x509 -outform DER -in cert.pem -out cert.crt
>
> $JAVA_HOME/bin/keytool -import -alias CommitArch_CA -file ca.crt -keystore wss4j.keystore
>
> $JAVA_HOME/bin/keytool -import -alias wss4jcertdsa -file cert.crt -keystore wss4j.keystore
> ------------
>
> Does anybody out there have any clue what I'm doing wrong?
>
> Regards,
> Andrew Kinard
> AK;-)
>
>
> On Aug 1, 2005, at 6:21 PM, Werner Dittmann wrote:
>
> > Andrew,
> >
> > can you give some more details about error messages or the like?
> >
> > WSDoAllReceiver implements some sort of certificate path validation.
> > I'm not very familiar with this, but AFAIK you may create a "CA"
> > certificate first, then create other certificates and sign them with
> > your own CA certificates. This shall work, because during interop
> > testing we usually work this way.
> >
> > You may have a look at the "keys" directory. There are some, very
> > rudimentary, shell files that deal with this topic: set up own
> > "CA" using openSSH, create certs, sign them, import into keystore,
> > etc.
> >
> > regards,
> > Werner
> >
> > Andrew Kinard wrote:
> >
> >> Hello all,
> >> I'm having a bit of trouble getting WSS4J working with my self-signed
> >> certificates. Does WSS4J only work with CA signed certs or is there
> >> some trick I don't know about?
> >> Regards,
> >> Andrew Kinard
> >> AK;-)
> >
>

Guy Rixon 				        gtr@ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523

Re: Self-signed certificates? Using keys directory scripts

Posted by Andrew Kinard <ak...@cisco.com>.
Werner,

I have attempted to create my own CA (never tried this before, so not  
sure I've done it right).  Then tried using the scripts in the keys  
directory as a guide to creating an X.509 v3 cert.

I'm still getting the following error from Axis:
-----------
Axis exception is AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultSubcode:
  faultString: WSDoAllSender: Signature: error during message procesingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Signature)
------------


Here are the steps I followed to produce the keystore (executed from  
the keys directory):
------------
$JAVA_HOME/bin/keytool -genkey -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"

$JAVA_HOME/bin/keytool -selfcert -alias CommitArch_CA -keystore wss4j.keystore -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"

$JAVA_HOME/bin/keytool -export -alias CommitArch_CA -file cca_ca.crt -keystore wss4j.keystore -rfc

java ExportPriv > cca_ca.key

keytool -import -alias CommitArch_CA -file cca_ca.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

rm wss4j.keystore cert.*

$JAVA_HOME/bin/keytool -genkey -alias wss4jcertdsa -keystore wss4j.keystore -dname "CN=CommitArchJ2EE,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"

$JAVA_HOME/bin/keytool -keystore wss4j.keystore -alias wss4jcertdsa -certreq -file cert.req

openssl ca -config ca.config -policy policy_anything -days 365 -out cert.pem -infiles cert.req

openssl x509 -outform DER -in cert.pem -out cert.crt

$JAVA_HOME/bin/keytool -import -alias CommitArch_CA -file ca.crt -keystore wss4j.keystore

$JAVA_HOME/bin/keytool -import -alias wss4jcertdsa -file cert.crt -keystore wss4j.keystore
------------

Does anybody out there have any clue what I'm doing wrong?

Regards,
Andrew Kinard
AK;-)


On Aug 1, 2005, at 6:21 PM, Werner Dittmann wrote:

> Andrew,
>
> can you give some more details about error messages or the like?
>
> WSDoAllReceiver implements some sort of certificate path validation.
> I'm not very familiar with this, but AFAIK you may create a "CA"
> certificate first, then create other certificates and sign them with
> your own CA certificates. This shall work, because during interop
> testing we usually work this way.
>
> You may have a look at the "keys" directory. There are some, very
> rudimentary, shell files that deal with this topic: set up own
> "CA" using openSSH, create certs, sign them, import into keystore,
> etc.
>
> regards,
> Werner
>
> Andrew Kinard wrote:
>
>> Hello all,
>> I'm having a bit of trouble getting WSS4J working with my self-signed
>> certificates. Does WSS4J only work with CA signed certs or is there
>> some trick I don't know about?
>> Regards,
>> Andrew Kinard
>> AK;-)
>

Re: Self-signed certificates?

Posted by Werner Dittmann <We...@t-online.de>.
Andrew,

can you give some more details about error messages or the like?

WSDoAllReceiver implements some sort of certificate path validation.
I'm not very familiar with this, but AFAIK you may create a "CA"
certificate first, then create other certificates and sign them with
your own CA certificates. This shall work, because during interop
testing we usually work this way.

You may have a look at the "keys" directory. There are some, very
rudimentary, shell files that deal with this topic: set up own
"CA" using openSSH, create certs, sign them, import into keystore,
etc.

regards,
Werner

Andrew Kinard wrote:
> Hello all,
> 
> I'm having a bit of trouble getting WSS4J working with my self-signed  
> certificates.  Does WSS4J only work with CA signed certs or is there  
> some trick I don't know about?
> 
> Regards,
> Andrew Kinard
> AK;-)
> 


Re: Self-signed certificates?

Posted by Davanum Srinivas <da...@gmail.com>.
WSS4J does not distinguish between the two. Please check the
properties files in your classpath and check if the keystore location
is correct.

-- dims

On 8/1/05, Andrew Kinard <ak...@cisco.com> wrote:
> Hello all,
> 
> I'm having a bit of trouble getting WSS4J working with my self-signed
> certificates.  Does WSS4J only work with CA signed certs or is there
> some trick I don't know about?
> 
> Regards,
> Andrew Kinard
> AK;-)
> 


-- 
Davanum Srinivas -http://blogs.cocoondev.org/dims/
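A small diagnostic that checks both things the replies above point at, the properties file and keystore location (Davanum) and the certificate chain behind the signing alias (Werner). It is an added example, not code from this thread or from WSS4J; it assumes the property names of WSS4J 1.x's Merlin crypto provider (org.apache.ws.security.crypto.merlin.file, .keystore.type, .keystore.password, .keystore.alias) and a crypto.properties file in the working directory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Properties;

/** Checks a WSS4J signing keystore (added example, not WSS4J code): the alias
 *  must be a private-key entry whose chain verifies up to a self-signed CA. */
public class KeystoreCheck {
    // Property names as used by WSS4J 1.x's Merlin crypto provider (assumed).
    static final String PREFIX = "org.apache.ws.security.crypto.merlin.";

    public static void main(String[] args) throws Exception {
        String propsFile = args.length > 0 ? args[0] : "crypto.properties";
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(propsFile)) { p.load(in); }
        String file = p.getProperty(PREFIX + "file");
        String type = p.getProperty(PREFIX + "keystore.type", "jks");
        char[] pass = p.getProperty(PREFIX + "keystore.password", "").toCharArray();
        String alias = p.getProperty(PREFIX + "keystore.alias");

        // 1. The keystore must exist where the properties say it is.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) { ks.load(in, pass); }
        System.out.println("loaded " + file + " (" + ks.size() + " entries)");

        // 2. The signing alias must be a key entry (private key + chain);
        //    a plain "keytool -import" of a .crt only creates a trusted-cert entry.
        if (alias == null || !ks.containsAlias(alias)) { System.out.println("alias '" + alias + "' not found"); return; }
        if (!ks.isKeyEntry(alias)) { System.out.println("alias '" + alias + "' has no private key"); return; }

        // 3. Walk the chain: each certificate must verify against the next
        //    one's public key, and the last must be self-signed (the CA).
        Certificate[] chain = ks.getCertificateChain(alias);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            X509Certificate issuer = (X509Certificate) chain[Math.min(i + 1, chain.length - 1)];
            cert.verify(issuer.getPublicKey()); // throws if the signature does not match
            System.out.println("[" + i + "] " + cert.getSubjectX500Principal()
                    + " issued by " + cert.getIssuerX500Principal());
        }
        System.out.println("chain of " + chain.length + " verified up to self-signed root");
    }
}
```

If step 2 reports a trusted-cert entry or step 3 stops after one self-signed leaf, the CA reply was never imported under the key alias and WSS4J has no chain to put into the signature.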