On 5/5/2010 9:49 AM, joabelfa wrote:
On May 5, 2:33 pm, David Stutzman<dstutz.m...@nospam.dstutz.com>
wrote:
On 5/5/2010 7:02 AM, joabelfa wrote:

    // Load the root key from a JKS keystore (JSSE/SunJSSE-managed key material)
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;

    FileInputStream ksfis = new FileInputStream("./certificates/runa/keystore.jks");
    KeyStore truststore = KeyStore.getInstance("JKS");
    truststore.load(ksfis, "key123".toCharArray());
    // Key password is the same as the store password here
    PrivateKey rootkey = (PrivateKey) truststore.getKey("rootKey", "key123".toCharArray());

You're mixing and matching providers.  The private key you are
attempting to sign the cert with is coming from a java keystore (which,
IIRC, uses the JSSE provider) and feeding the key to JSS which uses the
"Mozilla-JSS" provider.  Welcome to the wonderful world of mixed crypto
with Java!

Your best bet in getting this working is most likely going to be
creating a new security DB and importing the key from the JKS keystore
into it.  You can export the key (and cert?) from the JKS keystore using
the Java command line tool "keytool" into a PKCS#12 file.  You can then
import that key (and cert?) into the nss security DB using the NSS
command line tool pk12util.  At that point you can fetch the private key
reference from the security db using the CryptoManager methods and you
should be past *that* hurdle.

Dave

Hi, thanks for your response!!

I'll describe my case. I'm a new user in the world of security and
certificates (wonderful world :S jiji). The case is that I use Qpid
for my applications, and the Java clients, to connect with Qpid in
secure mode, need to have certificates imported into a keystore.

The certificates and keystores I can easily create with the keytool and
certutil commands, but I need to create them only with Java code.

How could I? I tested with the public API (java.security.cert) of Java
but I could not do it, so I have attempted to test the JSS library, but I
got lost.

Thank you very much.

It's a known limitation of the public Java API that you can't "create" a cert, but the functionality is buried in there somewhere because of things like keytool that can create certs.

If I'm reading you correctly, you need to make multiple JKS keystores that each have cert+key in them and you want to do this solely from code? Sounds like you're making a little CA. Obviously creating keypairs and certificates for users and distributing them isn't the recommended approach to PKI, but we all have our reasons...

In that case, I'd actually recommend using the BouncyCastle API (also free and Java). I did this myself a little over a year ago for a project. I'll shoot you an email off-list with some code that might save you a lot of time.

Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
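For readers who want the BouncyCastle route Dave recommends, here is an added example (not the code Dave sent off-list, and not from the original thread) that does what joabelfa's snippet was heading towards: load the root key and cert from the JKS keystore shown in the thread, issue a client certificate signed by that root using the bcpkix API, and write key plus chain into a fresh JKS for the Qpid client. It assumes bcpkix and bcprov on the classpath; the client CN, key size, output path and the "changeit" password are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class IssueClientKeystore {
    public static void main(String[] args) throws Exception {
        // Root key and cert from the JKS in the thread (path, alias and password as posted).
        char[] rootPw = "key123".toCharArray();
        KeyStore root = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("./certificates/runa/keystore.jks")) {
            root.load(in, rootPw);
        }
        PrivateKey rootKey = (PrivateKey) root.getKey("rootKey", rootPw);
        X509Certificate rootCert = (X509Certificate) root.getCertificate("rootKey");

        // Fresh key pair for the Qpid client (2048-bit RSA is an assumption).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair();

        // Client cert: issuer = root cert's subject, signed with rootKey, valid one year.
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        X500Name issuer = new JcaX509CertificateHolder(rootCert).getSubject();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer, new BigInteger(64, new SecureRandom()), notBefore, notAfter,
                new X500Name("CN=qpid-client"), client.getPublic());
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // end entity
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(rootKey);
        X509Certificate clientCert = new JcaX509CertificateConverter().getCertificate(builder.build(signer));
        clientCert.verify(rootCert.getPublicKey()); // the chain must validate before the client ships

        // Private key plus chain into a new JKS, the form the Qpid Java client loads.
        char[] clientPw = "changeit".toCharArray(); // assumed password
        KeyStore out = KeyStore.getInstance("JKS");
        out.load(null, null); // start with an empty keystore
        out.setKeyEntry("qpid-client", client.getPrivate(), clientPw, new X509Certificate[] { clientCert, rootCert });
        try (FileOutputStream fos = new FileOutputStream("./certificates/qpid-client.jks")) {
            out.store(fos, clientPw);
        }
    }
}
```

Everything here stays inside the JCA plus BouncyCastle, which sidesteps the JKS-versus-Mozilla-JSS provider mix that Dave flagged in the first reply.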
