Thanks for your help,
I finally found out what was going on: the implementation of the RSA
algorithm in the Java Security API supports key sizes <= 2048 (at least
until JDK 1.4).
I had the CA certificate generated with an RSA key of size 4096 ... that
is why I could import it in my keystore.
By the way, do you know if there is a way to change the CA certificate
of an OpenCA installation ... I had to re-install the whole thing with a
CA certificate based on a smaller RSA keypair.
Thanks again for your help,
Nicolas
Georg Lippold wrote:
Hi Nicolas,
I have another idea that may be helpful although I didn't test it.
First, try downloading the "Unlimited Strength jurisdiction files" from Sun:
http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=22&PartDetailId=7503-jce-1.4.2-oth-JPR&SiteId=JSC&TransactionId=noreg
and install it. If that doesn't fix your problem, you may try the
Bouncycastle API to create a different keystore, i.e. PKCS#12 (which is
compatible with all certificates, as far as I am informed). You can find
the Bouncycastle API here:
http://www.bouncycastle.org/
Installation instructions (how to make it your default Java security
provider) are here:
http://www.bouncycastle.org/specifications.html#install
Then, if it still doesn't work, try using the keytool GUI. It seems to
have gone commercial, but I still have a decentral backup of a GPL'ed
version. You can download it from:
ftp://ftp.informatik.uni-bremen.de/home/lippold/ktg-17.jar
With that it should be possible to examine existing keystores as well as
import certificates into new or existing ones.
If you want to check the order of your Java security providers, use this
small Java program:
ftp://ftp.informatik.uni-bremen.de/home/lippold/ProviderInformation.java
I take it that you are Greek, but if you speak German, you can read a
paper of mine where we used the Bouncycastle API with Tomcat and
jcetaglib to generate certificates. In the paper the process of
installing the Bouncycastle API and using the keytool is explained in
detail (starting at page 11):
http://www.informatik.uni-bremen.de/~lippold/pdf/krypto/javasec.pdf
HtH,
Georg
Massimiliano Pala wrote:
Nicolas Vahlas wrote:
I have recently installed OpenCA on a Linux RedHat 9 for testing
[...]
Am I doing something wrong? Can anybody help me?
Thanks in advance.
MMMmmm... very very strange. It seems like Java is expecting the
certificate to be in a PKCS#7 structure, which it is not. You can try this:
$ openssl crl2pkcs7 -certfile $ca_file -nocrl -out $new_file
and then use the java tool on the "$new_file". Let me know if you have
results...
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
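A pre-import check that combines the two diagnostics discussed in this thread (provider order and RSA key size), added here as an example and not code from any of the posters or from OpenCA. The class name `CaCertPreflight` is hypothetical, the 2048-bit threshold is the limit Nicolas reports above, and the code assumes a current JDK for its syntax.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

// Hypothetical helper (not part of OpenCA, keytool or Bouncycastle).
public class CaCertPreflight {
    // Assumption: the RSA key-size limit reported in this thread for JDK 1.4.
    static final int REPORTED_MAX_RSA_BITS = 2048;

    public static void main(String[] args) throws Exception {
        // Providers are consulted in this order when no provider is named.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName()
                    + " - " + providers[i].getInfo());
        }
        if (args.length == 0) {
            System.out.println("usage: java CaCertPreflight <certificate-file>");
            return;
        }
        boolean tooLarge = false;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            // generateCertificates() reads X.509 certificates or a PKCS#7 chain.
            for (Certificate c : cf.generateCertificates(in)) {
                PublicKey key = c.getPublicKey();
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : c.getType();
                if (key instanceof RSAPublicKey) {
                    int bits = ((RSAPublicKey) key).getModulus().bitLength();
                    boolean over = bits > REPORTED_MAX_RSA_BITS;
                    tooLarge |= over;
                    System.out.println(subject + ": RSA " + bits + " bits"
                            + (over ? " (exceeds reported limit)" : ""));
                } else {
                    System.out.println(subject + ": " + key.getAlgorithm() + " key");
                }
            }
        }
        // Non-zero exit lets a script stop before running keytool -import.
        if (tooLarge) System.exit(2);
    }
}
```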