Private Keys and PKCS12 Keystores


Simon Mottram

Hi all,

I'm slowly sinking into the deep ocean that is x509 certificate management, kinda floating but might be sinking without trace:

What I'm trying to do is set up a CA certificate (self signed) that I can then use to create user certificates at a later time.  These certificates will be used by browsers for SSL connection to my server.

For my starting point I have been using the PKCS12Example class hidden in the BC libraries.

I (think) I am creating the CA certificate successfully thus:

<<
    import java.io.FileOutputStream;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.Security;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    // createMasterCert(...) and createIntermediateCert(...) are the helper methods taken from PKCS12Example
    Security.addProvider(new BouncyCastleProvider());

    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC");
    SecureRandom random = new SecureRandom();
    keyGen.initialize(1024, random);

    // what is this intermediate cert of which they speak!  to keep the root key safe?
    KeyPair caKeyPair = keyGen.generateKeyPair();
    KeyPair intcaKeyPair = keyGen.generateKeyPair();

    Certificate[] chain = new Certificate[2];

    chain[1] = createMasterCert(caKeyPair);
    chain[0] = createIntermediateCert(intcaKeyPair.getPublic(), caKeyPair.getPrivate(), (X509Certificate) chain[1]);

    KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
    keyStore.load(null, null);

    // both entries are certificate-only entries: no private key is written to the store here
    keyStore.setCertificateEntry("CA", chain[1]);
    keyStore.setCertificateEntry("CAINT", chain[0]);

    FileOutputStream fOut = new FileOutputStream("c:\\temp\\caid.p12");
    keyStore.store(fOut, "password".toCharArray());
    fOut.close();
>>

My problem is getting the CA private key to sign a user ID.  I assume this is stored in the PKCS12 keystore.  But for the life of me I cannot see how.  Do I have to create a special key entry for it?  Currently I am using setCertificateEntry for the CA and the Intermediate (why do I need an intermediate?).  Would I need to use a setKeyEntry call with the private key?  Sounds unlikely as the private key will be part of the certificate stored.... now there's an assumption...

Any help/comment gratefully received.

Cheers

Simon
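The following is an added example, not code from the poster or from the BC PKCS12Example: it stores the CA private key in a PKCS12 keystore as a key entry (the certificate alone never carries the private key), reloads the file, recovers the key and uses it to issue a user certificate. It assumes bcprov and bcpkix on the classpath, a 2048-bit RSA key with SHA256withRSA, a demo password and file name, and leaves out the intermediate CA to stay short.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
public class CaKeyStoreDemo {
    static final char[] PASSWORD = "password".toCharArray(); // demo value only (assumed)
    static final String CA_FILE = "caid.p12";                 // demo path only (assumed)
    // Build and sign an X.509 v3 certificate with the bcpkix builder API.
    static X509Certificate issue(X500Name issuer, PrivateKey issuerKey, X500Name subject,
                                 PublicKey subjectKey, boolean isCa) throws Exception {
        Date now = new Date(), end = new Date(now.getTime() + 365L * 24 * 3600 * 1000);
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
            issuer, BigInteger.valueOf(now.getTime()), now, end, subject, subjectKey);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(
            new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey)));
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "BC");
        gen.initialize(2048);
        // 1. Self-signed root, stored as a KEY entry (private key + chain), not a certificate entry.
        KeyPair caPair = gen.generateKeyPair();
        X500Name caName = new X500Name("CN=Demo Root CA");
        X509Certificate caCert = issue(caName, caPair.getPrivate(), caName, caPair.getPublic(), true);
        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        ks.load(null, null);
        ks.setKeyEntry("CA", caPair.getPrivate(), PASSWORD, new Certificate[] { caCert });
        try (FileOutputStream out = new FileOutputStream(CA_FILE)) { ks.store(out, PASSWORD); }
        // 2. Later: reload the keystore, recover the private key, and sign a user certificate.
        KeyStore loaded = KeyStore.getInstance("PKCS12", "BC");
        try (FileInputStream in = new FileInputStream(CA_FILE)) { loaded.load(in, PASSWORD); }
        PrivateKey caKey = (PrivateKey) loaded.getKey("CA", PASSWORD);
        X509Certificate issuer = (X509Certificate) loaded.getCertificate("CA");
        X509Certificate userCert = issue(X500Name.getInstance(issuer.getSubjectX500Principal().getEncoded()),
            caKey, new X500Name("CN=alice"), gen.generateKeyPair().getPublic(), false);
        userCert.verify(issuer.getPublicKey()); // throws if the signature does not check out
    }
}
```

The user certificate is signed with the key recovered from the file, so the keystore, not the certificate, is what must be protected and backed up.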