Arundel, Donal wrote:
Unless x.509v3 Certificates are present in your created certificate there
is no requirement that the certificate version number is 3.

If either the X.509 issuerUniqueID or subjectUniqueID fields are present
the certificate must be at least version 2.
However there is nothing actually stopping somebody creating a
certificate with no x.509v3 extensions, and also no issuerUniqueID or
subjectUniqueID, ..and having a version of 3. A version of 1 would
strictly be more correct though.
Yes, I agree with you.
I don't know offhand if Keytool gives you explicit control over the version 
number or whether it just calculates the version from the
logical certificate request data when creating the certificate.
I generated public key certificates and private keys from keytool only. According to [1], it generates v1 certificates and can import/export v1, v2, and v3 certificates. But I am suspecting it because while printing out the certificate, I get the following along with SerialNumber and Certificate fingerprints.

Owner: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, C=mycountry, [EMAIL PROTECTED]
Issuer: CN=dev, OU=mycompany, O=myorganization, L=mycity, ST=mystate, C=mycountry, [EMAIL PROTECTED]

I guess EMAILADDRESS, etc. come as v3 certificate extensions.

Is there any way I can verify whether my certificate is a v3 certificate having no extensions or a v1 certificate?
Generally all CA certificates must have extensions indicating that they
are CAs, so they should have a version number of 3.
Application certs on the other hand may vary depending on their content
and anticipated usage.

Cheers,
    Donal

With Regards,
Mayank

[1]. http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
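To answer the "how do I verify the version" question above, here is an added example (not from the thread or from keytool/WSS4J) that walks the DER of a certificate and compares the declared version with what its content requires, using the rule Donal gives: extensions need v3, issuer/subjectUniqueID needs at least v2, otherwise v1 is the most accurate choice. The EMAILADDRESS in the Owner/Issuer line is a Name attribute, not an extension, so it does not by itself require v3. The sample certificates are constructed inline with empty stand-in fields, enough for the version check but not signable.

```python
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's value into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_tbs(tbs_der):
    """Report the version a TBSCertificate declares and the version its fields require."""
    fields = _children(tbs_der)
    declared = 1                               # [0] version absent means v1
    if fields and fields[0][0] == 0xA0:        # [0] EXPLICIT Version (INTEGER, 0-based)
        declared = int.from_bytes(_children(fields[0][1])[0][1], "big") + 1
    tags = {tag for tag, _ in fields}
    has_uid = bool(tags & {0x81, 0x82})        # [1]/[2] IMPLICIT issuer/subjectUniqueID
    has_ext = 0xA3 in tags                     # [3] EXPLICIT Extensions
    required = 3 if has_ext else 2 if has_uid else 1
    return {"declared": declared, "unique_ids": has_uid, "extensions": has_ext,
            "required": required, "valid": declared >= required,
            "exact": declared == required}

def inspect_certificate(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, body, _ = _read_tlv(cert_der, 0)
    return inspect_tbs(_children(body)[0][1])

def _tlv(tag, value):
    """Encode one DER element; used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _wrap(tbs):
    """Constructed sample: wrap a TBS in a Certificate with empty sigAlg and signature."""
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

# serial, then empty stand-ins for sigAlg, issuer, validity, subject, subjectPublicKeyInfo
_REST = _tlv(0x02, b"\x01") + _tlv(0x30, b"") * 5
_BASIC_CONSTRAINTS = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x13") + _tlv(0x04, _tlv(0x30, b"")))
V1_CERT = _wrap(_REST)                                             # no [0] field: v1
V3_NO_EXT = _wrap(_tlv(0xA0, _tlv(0x02, b"\x02")) + _REST)         # says v3, nothing needs it
V3_WITH_EXT = _wrap(_tlv(0xA0, _tlv(0x02, b"\x02")) + _REST + _tlv(0xA3, _tlv(0x30, _BASIC_CONSTRAINTS)))
```

For a real keytool certificate, export it with `keytool -export -alias <alias> -keystore <ks> -file cert.der` and pass the file's bytes to `inspect_certificate`; Java's `X509Certificate.getVersion()` reports the same declared field.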
-----Original Message-----
From: Mayank Mishra [mailto:[EMAIL PROTECTED]
Sent: 26 February 2008 10:44
To: cxf-user@incubator.apache.org
Subject: Usage of X509 certificates in WSS4J

G'day all,

I am using WSS4J 1.5.1. I created X509 public keys and certificates from
Sun Microsystems Keytool utility. AFAIK, it created X509v1 certificates.

Please let me know if it creates v3 certificates, which in my opinion it doesn't. Looking at the on-the-wire message sent from client to server or otherwise, I observe in the Token Reference that the value of the "ValueType" attribute in the "KeyIdentifier" element is

"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

AFAIK, in X.509 Certificate Token Profile 1.1, X509v1 certificates were included in the spec; in X509 Certificate Token Profile 1.0, only X509v3
certificates were there to be used.

Also, AFAIK, WSS4J supports X.509 Certificate Token Profile 1.0. Please correct me if I am wrong.

Since X509v3 certs have some more extension elements over X509v1, it should give some error when passing X509v1 for crypto creation. Or it
silently uses X509v1, but then the ValueType should be "#x509v1" instead of "#x509v3".

There is a bit of confusion. Kindly clarify.

With Regards,
Mayank

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
