Private Keys and PKCS12 Keystores

Simon Mottram

Hi all,

I'm slowly sinking into the deep ocean that is X.509 certificate management, kinda floating but might be sinking without trace:

What I'm trying to do is set up a CA certificate (self-signed) that I can then use to create user certificates at a later time. These certificates will be used by browsers for SSL connections to my server.

For my starting point I have been using the PKCS12Example class hidden in the BC libraries.

I (think) I am creating the CA certificate successfully thus:

    import java.io.FileOutputStream;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.Security;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    Security.addProvider(new BouncyCastleProvider());
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC");
    SecureRandom random = new SecureRandom();
    keyGen.initialize(1024, random);   // note: 1024-bit RSA is below today's accepted minimum (2048+)
    // what is this intermediate cert of which they speak!  to keep the root key safe?
    KeyPair caKeyPair = keyGen.generateKeyPair();
    KeyPair intcaKeyPair = keyGen.generateKeyPair();
    Certificate[] chain = new Certificate[2];
    // createMasterCert / createIntermediateCert are the helpers from the PKCS12Example class
    chain[1] = createMasterCert(caKeyPair);
    chain[0] = createIntermediateCert(intcaKeyPair.getPublic(), caKeyPair.getPrivate(), (X509Certificate)chain[1]);
    KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
    keyStore.load(null, null);   // start from an empty keystore

    // a certificate entry stores only the certificate; no private key is written to the keystore
    keyStore.setCertificateEntry("CAINT", chain[0]);
    FileOutputStream fOut = new FileOutputStream("c:\\temp\\caid.p12");
    keyStore.store(fOut, "password".toCharArray());
    fOut.close();

My problem is getting the CA private key to sign a user ID. I assume this is stored in the PKCS12 keystore. But for the life of me I cannot see how. Do I have to create a special key entry for it? Currently I am using setCertificateEntry for the CA and the intermediate (why do I need an intermediate?). Would I need to use a setKeyEntry call with the private key? Sounds unlikely as the private key will be part of the certificate stored.... now there's an assumption...

Any help/comment gratefully received.