From the keytool man page: it imports a certificate chain if the input is given in PKCS#7 format; otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via the openssl crl2pkcs7 command.
On 2015-04-07, 10:17, "[email protected]" <[email protected]> wrote:

> Colm -
>
> This seems like it should be easier than it is, but can you point me to a
> resource for properly building a truststore with a certificate chain? I
> have separate keystores and trust stores for the STS, and the truststore
> should have a chain something like:
>
> Root CA >>> Intermediate CA >>> Issuing CA
>
> I had thought that if I added them with keytool in the right order, that
> keytool would establish a cert chain. Instead it just adds them as
> individual certificates with no cert chain to be found.
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Chappell, Stephen CTR (FAA)
> Sent: Tuesday, April 07, 2015 8:21 AM
> To: [email protected]
> Cc: [email protected]
> Subject: RE: Using a custom CertPathChecker
>
> Well, that must be the issue. I just ran it through the debugger, and
> getCertificateChain is returning null each time. I've added code in my
> subclassed Merlin to be able to walk up the tree, but it'd be more
> efficient if the truststore was built properly, so I'll try to figure that
> out.
>
> Stephen W. Chappell
>
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Tuesday, April 07, 2015 8:12 AM
> To: Chappell, Stephen CTR (FAA)
> Cc: [email protected]
> Subject: Re: Using a custom CertPathChecker
>
> Ok cool. Just bear in mind that WSS4J won't wire up the trust chain using
> individual certs stored in the truststore; the intermediate cert must
> have the issuing cert stored as part of the certificate chain entry.
> Colm.
>
> On Tue, Apr 7, 2015 at 1:02 PM, <[email protected]> wrote:
> Colm
>
> That is the case, at least I thought it was. The truststore has certs for
> the issuer, intermediate, and root CA, plus a few other miscellaneous
> certs. I'll run it through the debugger later this morning and see what
> turns up.
>
> Stephen W. Chappell
>
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Tuesday, April 07, 2015 7:59 AM
> To: Chappell, Stephen CTR (FAA)
> Cc: [email protected]
> Subject: Re: Using a custom CertPathChecker
>
> "getX509Certificates" calls "getCertificates" which (first) calls
> "getCertificateChain" on the keystore. Your intermediate CA should have
> the issuing CA certs stored as part of the entry in the
> keystore/truststore. Is this not the case? Can you debug into
> getCertificates() and find out why it is only returning a single cert?
> Colm.
>
> On Fri, Apr 3, 2015 at 3:34 PM, <[email protected]> wrote:
> Colm -
>
> While I was mucking around in Merlin, I noted that in the "second step"
> section of verifyTrust, only the immediate issuer of the cert to be
> checked is added to the cert path (at least in my case, when
> getX509Certificates only returns a single cert rather than a cert chain).
> I have a requirement to validate all the certs in the cert path, which in
> my case has an additional intermediate before getting to the trust
> anchor. I'm able to loop there and get everything into the cert path,
> which seems to get everything revocation checked, so that is good. But I
> was curious why only the immediate issuer was added to begin with - is
> there some issue I should be considering that I'm not?
>
> There's also an open question (or rather, open disagreement) about
> revocation checking the Root CA cert, but this list is probably not the
> right place for that discussion.
>
> Stephen W. Chappell
>
> -----Original Message-----
> From: Chappell, Stephen CTR (FAA)
> Sent: Friday, April 03, 2015 9:56 AM
> To: [email protected]; [email protected]
> Subject: RE: Using a custom CertPathChecker
>
> Colm -
>
> No, I don't have any better suggestions. In fact, subclassing Merlin and
> adding a method to configure additional PKIX parameters is exactly what I
> did.
>
> Thanx,
> Stephen W. Chappell
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Friday, April 03, 2015 9:47 AM
> To: [email protected]
> Subject: Re: Using a custom CertPathChecker
>
> Hi Stephen,
>
> There is no way to add CertPathCheckers at the moment, beyond subclassing
> Merlin and overriding the "verifyTrust" method. I could add a method to
> customize the PKIXParameters object, though, that could be overridden by a
> subclass, which would be better. Or do you have any other
> suggestions?
>
> Colm.
>
> On Tue, Mar 24, 2015 at 8:11 PM, <[email protected]> wrote:
>
>> I have a requirement to use a custom CertPathChecker in my code. With a
>> "bare" JVM, I can add the checker to my PKIXParameters and validate
>> away.
>> But, using Merlin (in WSS4J 1.6.17), there don't appear to be any
>> hooks to add a custom checker or customize the PKIXParameters that are
>> being used.
>> Is there some other means for adding a custom checker to the list that
>> isn't so obvious? I could subclass Merlin and sort of brute force it
>> in if necessary, but if there's another way to set that up I would
>> much rather do that.
>>
>> Stephen W. Chappell
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
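The "bare JVM" approach the thread describes (PKIXParameters with a custom CertPathChecker), with the path built by walking issuer links through the truststore instead of stopping at the leaf's immediate issuer, as an added example; this is not WSS4J or Merlin code, and the ChainValidator and WeakSignatureChecker names and the MD5/SHA-1 rejection rule are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Added example (not WSS4J/Merlin code): PKIX-validate leaf -> intermediates -> anchor
 *  against a JKS truststore, with a custom PKIXCertPathChecker set on the PKIXParameters. */
public class ChainValidator {

    /** Hypothetical checker: reject any cert in the path signed with MD5 or SHA-1. */
    static final class WeakSignatureChecker extends PKIXCertPathChecker {
        @Override public void init(boolean forward) { }          // reverse-only checker
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() { return null; }
        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            String alg = ((X509Certificate) cert).getSigAlgName().toUpperCase(Locale.ROOT);
            if (alg.contains("MD5") || alg.contains("SHA1"))
                throw new CertPathValidatorException("weak signature algorithm: " + alg);
        }
    }

    /** Walk issuer links through the truststore so the CertPath carries every intermediate,
     *  not just the leaf's immediate issuer. The self-signed root stays out of the path:
     *  PKIX takes anchors from PKIXParameters, and a path ending in an unknown issuer fails. */
    static List<X509Certificate> buildPath(X509Certificate leaf, KeyStore ts) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        X509Certificate cur = leaf;
        while (!cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
            if (path.contains(cur)) break;                       // defensive: cut issuer loops
            path.add(cur);
            X509Certificate issuer = null;
            for (Enumeration<String> e = ts.aliases(); issuer == null && e.hasMoreElements();) {
                Certificate c = ts.getCertificate(e.nextElement()); // trusted-cert entries included
                if (c instanceof X509Certificate && ((X509Certificate) c).getSubjectX500Principal()
                        .equals(cur.getIssuerX500Principal())) issuer = (X509Certificate) c;
            }
            if (issuer == null) break;
            cur = issuer;
        }
        return path;
    }

    static PKIXCertPathValidatorResult validate(X509Certificate leaf, KeyStore ts) throws Exception {
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(buildPath(leaf, ts));
        PKIXParameters params = new PKIXParameters(ts);     // each trusted-cert entry is an anchor
        params.setRevocationEnabled(true);   // assumes CRLs/OCSP reachable (addCertStore, CRLDP, ocsp.enable)
        params.addCertPathChecker(new WeakSignatureChecker());
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params);
    }
}
```

Because every certificate in the path goes through the validator, revocation and the custom checker apply to the intermediates as well as to the leaf, which is the behaviour the thread asks for.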
