Storing an X.509 certificate to a Keystore using java code


abdelrahman almahmoud
Hi

Is it possible to store an X.509 certificate without its private key into a java keystore?

I create this certificate using the following code, then send it to a user via SOAP

ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider(PROVIDER).build(priv);

Date startDate = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
// 365L forces long arithmetic; with int operands the product overflows
Date endDate = new Date(System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000);

JcaX509v1CertificateBuilder v1CertGen = new JcaX509v1CertificateBuilder(
        new X500Name("CN=Zeus Authentication Server"),  // issuer
        BigInteger.TEN,                                 // serial number
        startDate, endDate,                             // validity period
        a,                                              // subject
        pub);                                           // subject public key
X509CertificateHolder certHolder = v1CertGen.build(sigGen);


I want the user to store the certificate in a Keystore using Java code so that it can be used with Axis2's Rampart, which uses a JKS keystore type



Sincerely,
Abdel

Re: Storing an X.509 certificate to a Keystore using java code

Matthew Hall
Yes, you can store certs in there. Use KeyStore.setCertificateEntry. Where you run into trouble is storing a fresh private key while waiting for a cert to be issued for it; this is a known broken use case in Java.

Re: Storing an X.509 certificate to a Keystore using java code

abdelrahman almahmoud
Thanks for the reply,

How do I turn the certificate I generated into a .cert file?
About the broken use case, are you suggesting I will run into that use case or warning me to avoid it? It would be very troublesome if I ran into a dead end like that

I really appreciate the help thank you,



Re: Storing an X.509 certificate to a Keystore using java code

Matthew Hall
Just warning you about it. For storing a cert you can use X509Certificate.getEncoded, and FileOutputStream. The byte array you get has the right stuff for storage. If you want to store as ASCII instead of binary then use PEMWriter from Bouncy Castle.

The part about private keys without certs was just a warning because I ran into that problem with KeyStores a few weeks ago myself so I thought I should warn you about it.

Re: Storing an X.509 certificate to a Keystore using java code

Arshad Noor
Take a look at CSRTool:

http://sourceforge.net/projects/csrtool/

It does many of the things both of you are discussing.

Arshad Noor
StrongAuth, Inc.


Re: Storing an X.509 certificate to a Keystore using java code

abdelrahman almahmoud
Thank you for the help
I just have one more question, is there no way to add the certificate to the keystore using a java code?  



Re: Storing an X.509 certificate to a Keystore using java code

Arshad Noor
Yes, there is- as a KeyStore.TrustedCertificateEntry:

http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html

Arshad Noor
StrongAuth, Inc.


Re: Storing an X.509 certificate to a Keystore using java code

David Hook

Just one further point on this discussion: in the case of a private key
which doesn't yet have a certificate associated with it, use the BC API
to generate a self-signed certificate and store that with the private
key, replacing the self-signed certificate with the certificate chain
sent by your CA when it arrives (you can tell from the documentation
of the java keytool that it actually does something similar to this
under the hood).

Regards,

David


Re: Storing an X.509 certificate to a Keystore using java code

abdelrahman almahmoud
Thanks, this is a great help

I do have one more question. The situation is as follows: I create a public/private key pair using

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
keyGen.initialize(1024, random);
KeyPair pair = keyGen.generateKeyPair();
PrivateKey priv = pair.getPrivate();
PublicKey pub = pair.getPublic();

Then, I create an X.509 certificate using JcaX509v1CertificateBuilder

I send only this certificate to a client which will save it to a keystore and someone kindly explained how to do that.

Now, on the server that generated the certificate, I want to store the private key in a keystore using Java code or any other way. David explained that I need to create a self signed certificate and use it to store the key, can you kindly elaborate on how to do it? I have the self signed certificate in this case

I know this is not the best way to do this, but this is for testing purposes at the moment




Re: Storing an X.509 certificate to a Keystore using java code

David Hook

Use KeyStore.PrivateKeyEntry; in this case the chain is just your self-signed certificate.

Regards,

David


Re: Storing an X.509 certificate to a Keystore using java code

abdelrahman almahmoud
In reply to this post by Arshad Noor
Sorry to revive this topic but I am having a bit of a problem still


When using KeyStore.setCertificateEntry(String, Certificate), I try to do the following:
KeyStore.setCertificateEntry(name, x509certificateholder.toASN1Structure());

But I get the following error "The method setCertificateEntry(String, Certificate) in the type KeyStore is not applicable for the arguments (String, Certificate)"

So I assume the method toASN1Structure produces a different format that can't be used here. Is there a way to do this? I think I am missing something here?


On Fri, May 3, 2013 at 9:55 PM, Arshad Noor <[hidden email]> wrote:
Yes, there is- as a KeyStore.TrustedCertificateEntry:

http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html

Arshad Noor
StrongAuth, Inc.



Re: Storing an X.509 certificate to a Keystore using java code

Chris Oman
Not sure if this helps, but I just wrote up a blog entry about self-signed certificates and keystores. Maybe the sample code there will help.




On May 14, 2013, at 8:27 AM, abdelrahman almahmoud <[hidden email]> wrote:

Sorry to revive this topic but I am having a bit of a problem still


When using KeyStore.setCertificateEntry(String, Certificate), I try to do the following:
KeyStore.setCertificateEntry(name, x509certificateholder.toASN1Structure());

But I get the following error "The method setCertificateEntry(String, Certificate) in the type KeyStore is not applicable for the arguments (String, Certificate)"

So I assume the method toASN1Structure produces a different format that can't be used here. Is there a way to do this? I think I am missing something here?



Re: Storing an X.509 certificate to a Keystore using java code

Matthew Hall
In reply to this post by abdelrahman almahmoud
You have to take certHolder.getEncoded() and feed it to the JDK CertificateFactory first. BC has a JcaX509CertificateFooBar utility class for this also.

Matthew.
--
Sent from my mobile device.

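The conversion described in the reply above, as an added example that is not part of the thread: the holder's DER encoding is re-parsed by the JDK CertificateFactory and the result is stored as a trusted certificate entry in a JKS file. It assumes Bouncy Castle's bcprov and bcpkix jars on the classpath; the sample certificate (signed here with SHA256withRSA), the alias, the file name truststore.jks and the password are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class StoreTrustedCert {
    // KeyStore needs a java.security.cert.Certificate: re-parse the holder's DER bytes.
    static X509Certificate toJcaCertificate(X509CertificateHolder holder) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(holder.getEncoded()));
    }

    // SHA-256 fingerprint to compare with a value obtained out of band.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return String.format("%064x", new BigInteger(1, d));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway self-signed v1 certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=Example Server"); // hypothetical name
        long day = 24L * 60 * 60 * 1000; // long arithmetic; 365 days in ms overflows int
        long now = System.currentTimeMillis();
        X509CertificateHolder holder = new JcaX509v1CertificateBuilder(
                name, BigInteger.TEN, new Date(now - day), new Date(now + 365 * day),
                name, kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));

        X509Certificate cert = toJcaCertificate(holder);
        cert.verify(kp.getPublic()); // throws if the signature does not check out
        System.out.println("SHA-256 fingerprint: " + fingerprint(cert));

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // initialise an empty keystore
        ks.setCertificateEntry("example-server", cert); // trusted entry, no private key
        try (FileOutputStream out = new FileOutputStream("truststore.jks")) {
            ks.store(out, "changeit".toCharArray()); // placeholder password
        }
    }
}
```

A trusted certificate entry acts as a trust anchor, so the printed fingerprint is the value to compare with one obtained from the issuer over a separate channel before a certificate received via SOAP is stored.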