I tested along a little bit further: If you have Bouncycastle as your first Java security provider, everything works.
Greetings,

Georg

Nicolas Vahlas wrote:
> Thanks for your help,
> I finally found out what was going on: the implementation of RSA
> algorithm in the Java Security API supports key sizes <= 2048 (at least
> until jdk 1.4)
> I had the CA certificate generated with an RSA key of size 4096 ... that
> is why I could import it in my keystore.
>
> By the way, do you know if there is a way to change the CA certificate
> of an OpenCA installation ... I had to re-install the whole thing with a
> CA certificate based on a smaller RSA keypair.
>
> Thanks again for your help,
> Nicolas
>
> Georg Lippold wrote:
>
>> Hi Nicolas,
>>
>> I have another idea that may be helpful although I didn't test it.
>>
>> First, try downloading the "Unlimited Strength jurisdiction files"
>> from Sun:
>>
>> http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=22&PartDetailId=7503-jce-1.4.2-oth-JPR&SiteId=JSC&TransactionId=noreg
>>
>> and install it. If that doesn't fix your problem, you may try the
>> Bouncycastle API to create a different keystore, i.e. PKCS#12 (which is
>> compatible with all certificates, as far as I am informed). You can find
>> the Bouncycastle API here:
>>
>> http://www.bouncycastle.org/
>>
>> Installation Instructions (how to make it your default JAVA security
>> provider) are here:
>>
>> http://www.bouncycastle.org/specifications.html#install
>>
>> Then, if it still doesn't work, try using the keytool GUI. It seems to
>> have gone commercial, but I still have a decentral backup of a GPL'ed
>> version. You can download it from:
>>
>> ftp://ftp.informatik.uni-bremen.de/home/lippold/ktg-17.jar
>>
>> With that it should be possible to examine existing keystores as well as
>> import certificates into new or existing ones.
>>
>> If you want to check the order of your Java security providers, use this
>> small Java program:
>>
>> ftp://ftp.informatik.uni-bremen.de/home/lippold/ProviderInformation.java
>>
>> I take it that you are Greek, but if you speak German, you can read a
>> paper of mine where we used the bouncycastle api with tomcat and
>> jcetaglib to generate certificates. In the paper the process of
>> installing the bouncycastle api and using the keytool is explained in
>> detail (starting at page 11):
>>
>> http://www.informatik.uni-bremen.de/~lippold/pdf/krypto/javasec.pdf
>>
>> HtH,
>>
>> Georg
>>
>> Massimiliano Pala wrote:
>>
>>> Nicolas Vahlas wrote:
>>>
>>>> I have recently installed OpenCa on a Linux RedHat 9 for testing
>>>
>>> [...]
>>>
>>>> Am I doing something wrong? Can anybody help me?
>>>> Thanks in advance.
>>>
>>> MMMmmm... very very strange. It seems that java is expecting the
>>> certificate to be in a PKCS#7 structure, which it is not. You can try this:
>>>
>>> $ openssl crl2pkcs7 -certfile $ca_file -nocrl -out $new_file
>>>
>>> and then use the java tool on the "$new_file". Let me know if you have
>>> results...
>>
>> _______________________________________________
>> Openca-Users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openca-users
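The provider order and the RSA key size discussed in this thread can be checked together. The following is an added example, not part of the original messages and not the ProviderInformation.java linked above; the class name `ProviderCheck` and the optional certificate-path argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

// Hypothetical diagnostic class. Usage: java ProviderCheck [path-to-ca-cert]
public class ProviderCheck {
    public static void main(String[] args) throws Exception {
        // Providers are consulted in this order when no provider is named explicitly.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName()
                    + " - " + providers[i].getInfo());
        }

        // Which provider actually serves the services a certificate import relies on.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        System.out.println("X.509 CertificateFactory: " + cf.getProvider().getName());
        System.out.println("RSA KeyFactory: "
                + KeyFactory.getInstance("RSA").getProvider().getName());
        System.out.println("PKCS12 KeyStore: "
                + KeyStore.getInstance("PKCS12").getProvider().getName());

        if (args.length == 0) {
            return; // no certificate given, provider report only
        }

        // Parse the certificate (PEM or DER) and report its RSA modulus size.
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            PublicKey key = cert.getPublicKey();
            System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
            System.out.println("Key algorithm: " + key.getAlgorithm());
            if (key instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) key).getModulus().bitLength();
                System.out.println("RSA modulus: " + bits + " bits");
            }
        } catch (CertificateException e) {
            // The failure mode from the thread: the active provider cannot parse the file.
            System.out.println("Parsing failed with provider "
                    + cf.getProvider().getName() + ": " + e.getMessage());
        }
    }
}
```

Running it before and after changing the provider order shows whether the provider serving X.509 and RSA changes, and whether the same CA certificate then parses.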
