Posted to fx-dev@ws.apache.org by Andrew Kinard <ak...@cisco.com> on 2005/08/01 21:51:13 UTC
Self-signed certificates?
Hello all,
I'm having a bit of trouble getting WSS4J working with my self-signed
certificates. Does WSS4J only work with CA signed certs or is there
some trick I don't know about?
Regards,
Andrew Kinard
AK;-)
Re: Self-signed certificates? Using keys directory scripts
Posted by Guy Rixon <gt...@ast.cam.ac.uk>.
I have the same error with a certificate created formally by the UK e-Science
CA.
On Tue, 2 Aug 2005, Andrew Kinard wrote:
> Werner,
>
> I have attempted to create my own CA (never tried this before, so not
> sure I've done it right). Then tried using the scripts in the keys
> directory as a guide to creating an X.509 v3 cert.
>
> I'm still getting the following error from Axis:
> -----------
> Axis exception is AxisFault
> faultCode: {http://schemas.xmlsoap.org/soap/envelope/}
> Server.generalException
> faultSubcode:
> faultString: WSDoAllSender: Signature: error during message
> procesingorg.apache.ws.security.WSSecurityException: General security
> error (Unexpected number of X509Data: for Signature)
> ------------
>
>
> Here are the steps I followed to produce the keystore (executed from
> the keys directory):
> ------------
> $JAVA_HOME/bin/keytool -genkey -alias CommitArch_CA -keystore wss4j.keystore \
>     -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -selfcert -alias CommitArch_CA -keystore wss4j.keystore \
>     -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -export -alias CommitArch_CA -file cca_ca.crt \
>     -keystore wss4j.keystore -rfc
>
> java ExportPriv > cca_ca.key
>
> keytool -import -alias CommitArch_CA -file cca_ca.crt \
>     -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
>
> rm wss4j.keystore cert.*
>
> $JAVA_HOME/bin/keytool -genkey -alias wss4jcertdsa -keystore wss4j.keystore \
>     -dname "CN=CommitArchJ2EE,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
>
> $JAVA_HOME/bin/keytool -keystore wss4j.keystore -alias wss4jcertdsa \
>     -certreq -file cert.req
>
> openssl ca -config ca.config -policy policy_anything -days 365 \
>     -out cert.pem -infiles cert.req
>
> openssl x509 -outform DER -in cert.pem -out cert.crt
>
> $JAVA_HOME/bin/keytool -import -alias CommitArch_CA -file ca.crt \
>     -keystore wss4j.keystore
>
> $JAVA_HOME/bin/keytool -import -alias wss4jcertdsa -file cert.crt \
>     -keystore wss4j.keystore
> ------------
>
> Does anybody out there have any clue what I'm doing wrong?
>
> Regards,
> Andrew Kinard
> AK;-)
>
>
> On Aug 1, 2005, at 6:21 PM, Werner Dittmann wrote:
>
> > Andrew,
> >
> > can you give some more details about error messages or alike?
> >
> > WSDoAllReceiver implements some sort of certificate path validation.
> > I'm not very familiar with this, but AFAIK you may create a "CA"
> > certificate first, then create other certificates and sign them with
> > your own CA certificates. This shall work, because during interop
> > testing we usually work this way.
> >
> > You may have a look at the "keys" directory. There are some, very
> > rudimentary, shell files that deal with this topic: set up own
> > "CA" using openSSH, create certs, sign them, import into keystore,
> > etc.
> >
> > regards,
> > Werner
> >
> > Andrew Kinard schrieb:
> >
> >> Hello all,
> >> I'm having a bit of trouble getting WSS4J working with my self-
> >> signed certificates. Does WSS4J only work with CA signed certs
> >> or is there some trick I don't know about?
> >> Regards,
> >> Andrew Kinard
> >> AK;-)
> >
>
Guy Rixon gtr@ast.cam.ac.uk
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
Re: Self-signed certificates? Using keys directory scripts
Posted by Andrew Kinard <ak...@cisco.com>.
Werner,
I have attempted to create my own CA (never tried this before, so not
sure I've done it right). Then tried using the scripts in the keys
directory as a guide to creating an X.509 v3 cert.
I'm still getting the following error from Axis:
-----------
Axis exception is AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}
Server.generalException
faultSubcode:
faultString: WSDoAllSender: Signature: error during message
procesingorg.apache.ws.security.WSSecurityException: General security
error (Unexpected number of X509Data: for Signature)
------------
Here are the steps I followed to produce the keystore (executed from
the keys directory):
------------
$JAVA_HOME/bin/keytool -genkey -alias CommitArch_CA -keystore wss4j.keystore \
    -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
$JAVA_HOME/bin/keytool -selfcert -alias CommitArch_CA -keystore wss4j.keystore \
    -dname "CN=CommitArch_CA,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
$JAVA_HOME/bin/keytool -export -alias CommitArch_CA -file cca_ca.crt \
    -keystore wss4j.keystore -rfc
java ExportPriv > cca_ca.key
keytool -import -alias CommitArch_CA -file cca_ca.crt \
    -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
rm wss4j.keystore cert.*
$JAVA_HOME/bin/keytool -genkey -alias wss4jcertdsa -keystore wss4j.keystore \
    -dname "CN=CommitArchJ2EE,OU=STEP,O=Cisco Systems,L=RTP,ST=NC,C=US"
$JAVA_HOME/bin/keytool -keystore wss4j.keystore -alias wss4jcertdsa \
    -certreq -file cert.req
openssl ca -config ca.config -policy policy_anything -days 365 \
    -out cert.pem -infiles cert.req
openssl x509 -outform DER -in cert.pem -out cert.crt
$JAVA_HOME/bin/keytool -import -alias CommitArch_CA -file ca.crt \
    -keystore wss4j.keystore
$JAVA_HOME/bin/keytool -import -alias wss4jcertdsa -file cert.crt \
    -keystore wss4j.keystore
------------
Does anybody out there have any clue what I'm doing wrong?
Regards,
Andrew Kinard
AK;-)
On Aug 1, 2005, at 6:21 PM, Werner Dittmann wrote:
> Andrew,
>
> can you give some more details about error messages or alike?
>
> WSDoAllReceiver implements some sort of certificate path validation.
> I'm not very familiar with this, but AFAIK you may create a "CA"
> certificate first, then create other certificates and sign them with
> your own CA certificates. This shall work, because during interop
> testing we usually work this way.
>
> You may have a look at the "keys" directory. There are some, very
> rudimentary, shell files that deal with this topic: set up own
> "CA" using openSSH, create certs, sign them, import into keystore,
> etc.
>
> regards,
> Werner
>
> Andrew Kinard schrieb:
>
>> Hello all,
>> I'm having a bit of trouble getting WSS4J working with my self-
>> signed certificates. Does WSS4J only work with CA signed certs
>> or is there some trick I don't know about?
>> Regards,
>> Andrew Kinard
>> AK;-)
>
Re: Self-signed certificates?
Posted by Werner Dittmann <We...@t-online.de>.
Andrew,
can you give some more details about error messages or alike?
WSDoAllReceiver implements some sort of certificate path validation.
I'm not very familiar with this, but AFAIK you may create a "CA"
certificate first, then create other certificates and sign them with
your own CA certificates. This shall work, because during interop
testing we usually work this way.
You may have a look at the "keys" directory. There are some, very
rudimentary, shell files that deal with this topic: set up own
"CA" using openSSH, create certs, sign them, import into keystore,
etc.
regards,
Werner
Andrew Kinard schrieb:
> Hello all,
>
> I'm having a bit of trouble getting WSS4J working with my self-signed
> certificates. Does WSS4J only work with CA signed certs or is there
> some trick I don't know about?
>
> Regards,
> Andrew Kinard
> AK;-)
>
Re: Self-signed certificates?
Posted by Davanum Srinivas <da...@gmail.com>.
WSS4J does not distinguish between the two. Please check the
properties files in your classpath and check if the keystore location
is correct.
-- dims
On 8/1/05, Andrew Kinard <ak...@cisco.com> wrote:
> Hello all,
>
> I'm having a bit of trouble getting WSS4J working with my self-signed
> certificates. Does WSS4J only work with CA signed certs or is there
> some trick I don't know about?
>
> Regards,
> Andrew Kinard
> AK;-)
>
--
Davanum Srinivas - http://blogs.cocoondev.org/dims/
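A check in the spirit of dims' advice and of the keys-directory procedure Andrew followed, written as an added example for this thread (it is not WSS4J's code and not anything posted by Andrew, Werner or dims): it opens the keystore that crypto.properties names, confirms the signing alias is a key entry with a certificate chain, and validates that chain against the CA certificates trusted in the same keystore. It assumes the WSS4J 1.x Merlin property names for the keystore file, password and type, that the properties file path and alias are passed on the command line, and that the CA certificate was imported into the same keystore as a trusted entry.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Constructed sanity check, not WSS4J code: it repeats the lookups the WSS4J signer has to
// get right (open the keystore named in crypto.properties, find a key entry under the alias,
// read its chain) and then validates that chain against the keystore's trusted CA entries.
public class Wss4jKeystoreCheck {
    // WSS4J 1.x Merlin property names (assumed from the WSS4J docs, not from this thread).
    static final String FILE = "org.apache.ws.security.crypto.merlin.file";
    static final String PASS = "org.apache.ws.security.crypto.merlin.keystore.password";
    static final String TYPE = "org.apache.ws.security.crypto.merlin.keystore.type";

    public static void main(String[] args) throws Exception {
        String propsFile = args.length > 0 ? args[0] : "crypto.properties";
        String alias = args.length > 1 ? args[1] : "wss4jcertdsa"; // the 'user' the sender signs as
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(propsFile)) { p.load(in); }
        // 1. The keystore path in the properties must resolve and open with the given password.
        KeyStore ks = KeyStore.getInstance(p.getProperty(TYPE, "jks"));
        try (InputStream in = new FileInputStream(p.getProperty(FILE))) {
            ks.load(in, p.getProperty(PASS).toCharArray());
        }
        // 2. The alias must be a key entry with a non-empty chain; a wrong alias or a
        //    trusted-cert-only alias leaves the signer with no X509Data for the Signature.
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException(alias + " is not a key entry");
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) throw new IllegalStateException("no chain for " + alias);
        // 3. Every trustedCertEntry in the keystore becomes a PKIX trust anchor.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(a))
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(a), null));
        }
        if (anchors.isEmpty()) throw new IllegalStateException("no trusted CA certificate in keystore");
        // 4. PKIX wants the path to stop just below the anchor, so drop the CA certificate
        //    from the chain if the keytool import appended it.
        List<Certificate> path = new ArrayList<>(Arrays.asList(chain));
        Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && anchors.stream().anyMatch(t -> t.getTrustedCert().equals(last))) {
            path.remove(path.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // private test CA: no CRL/OCSP to consult
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(cp, params); // throws if the chain is bad
        System.out.println("OK: " + alias + " chains to " + ((X509Certificate) chain[0]).getIssuerX500Principal());
    }
}
```

Run it with the same crypto.properties and alias that WSDoAllSender is configured with; a failure at step 1 or 2 points at the properties file or alias rather than at the certificates themselves.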