X509 proxy certificate with bouncycastle


X509 proxy certificate with bouncycastle

Paul
Dear bouncycastle developers,

we are trying to use bouncycastle at CERN for ALICE experiment software.
It works ok for X509 PEM user certificates.

However, when I try to use it with X509 proxy certificate I get this on server side:

main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: End user tried to act as a CA
main, IOException in getSession():  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: End user tried to act as a CA

and also some extensions unknown too.

Are X509 proxies supported by bouncycastle?

Best regards,
Pavlo Svirin.

Re: X509 proxy certificate with bouncycastle

David Hook

Yes, you can certainly do this - the proxy certificate needs to have an
extension of the form given in https://www.ietf.org/rfc/rfc3820.txt
though, it's not just a matter of generating a regular X509 client
certificate.

Regards,

David

On 05/07/16 00:57, Paul wrote:

> Dear bouncycastle developers,
>
> we are trying to use bouncycastle at CERN for ALICE experiment software.
> It works ok for X509 PEM user certificates.
>
> However, when I try to use it with X509 proxy certificate I get this on server side:
>
> main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: End user tried to act as a CA
> main, IOException in getSession():  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: End user tried to act as a CA
>
> and also some extensions unknown too.
>
> Are X509 proxies supported by bouncycastle?
>
> Best regards,
> Pavlo Svirin.
>
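
The following added example, which is not code from this thread or from the Bouncy Castle project, issues a certificate carrying the RFC 3820 ProxyCertInfo extension that the reply refers to, signed with the user's own end-entity key. The class and method names, the RSA signature algorithm, the inheritAll policy, the path length of 0 and the use of the serial number as the extra CN are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ProxyCertExample {   // hypothetical class name
    // OIDs from RFC 3820: id-pe-proxyCertInfo and id-ppl-inheritAll
    static final ASN1ObjectIdentifier PROXY_CERT_INFO = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.1.14");
    static final ASN1ObjectIdentifier PPL_INHERIT_ALL = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.21.1");

    static X509Certificate issueProxy(X509Certificate userCert, PrivateKey userKey,
                                      PublicKey proxyKey, int hours) throws Exception {
        BigInteger serial = new BigInteger(64, new SecureRandom());
        // RFC 3820: subject = issuer's subject with exactly one CN RDN appended
        // (using the serial as that CN is a convention assumed here)
        RDN[] base = new JcaX509CertificateHolder(userCert).getSubject().getRDNs();
        RDN[] rdns = Arrays.copyOf(base, base.length + 1);
        rdns[base.length] = new RDN(BCStyle.CN, new DERUTF8String(serial.toString()));
        X500Name subject = new X500Name(rdns);

        // Short lifetime, never outliving the issuing user certificate
        Date now = new Date();
        Date end = new Date(now.getTime() + hours * 3600_000L);
        if (end.after(userCert.getNotAfter())) end = userCert.getNotAfter();

        X509v3CertificateBuilder b =
            new JcaX509v3CertificateBuilder(userCert, serial, now, end, subject, proxyKey);
        // ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL,
        //                              proxyPolicy SEQUENCE { policyLanguage OID, ... } }
        ASN1EncodableVector pci = new ASN1EncodableVector();
        pci.add(new ASN1Integer(0));                 // 0: no further proxies below this one
        pci.add(new DERSequence(PPL_INHERIT_ALL));   // policy language only, no policy field
        b.addExtension(PROXY_CERT_INFO, true, new DERSequence(pci));  // must be critical
        // No basicConstraints cA and no keyCertSign: the proxy is not a CA
        b.addExtension(Extension.keyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        return new JcaX509CertificateConverter().getCertificate(
            b.build(new JcaContentSignerBuilder("SHA256withRSA").build(userKey)));  // assumes an RSA user key
    }
}
```

The validating side must also apply RFC 3820 path validation: a validator that only knows regular X.509 chains sees an end-entity certificate acting as an issuer and rejects it, which is what the error in the original post reports.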