How to Convert a X509CertImpl to a X509CRLEntry - java

I'm trying to convert an X509CertImpl to an X509CRLEntry so I can generate my X509CRLImpl, but I can't find a way of doing this. Isn't it supposed to be easy? The CRL should be made of revoked X.509 certificates, so there has to be an easy way!
I'm using the sun.security.x509 and java.security.cert packages.
Thank you for the help!

CRLs don't contain certificates; consequently you can't get a certificate from the CRL.

Related

Error: Not trusted server certificate on Android 2.3 and older

I have a certificate from GlobalSign.com (a .pem file). This file consists of 2 certificates (I've examined it with Portecle). Using Portecle I created a BKS keystore and tried to use it in the app. I have read many different tutorials on similar topics. I've tried:
Security with HTTPS and SSL
One more solution
Using a Custom Certificate Trust Store on Android
Android: Trusting SSL certificates
others
None of the solutions worked, and I still have "Error: Not trusted server certificate". Maybe you have an idea what I'm doing wrong.
P.S. There are a lot of trust-all 'solutions', but I need a proper solution.
It is difficult to say exactly why you are having the issue, but it sounds like you do not have the private key for the certificate you received from GlobalSign. I presume you generated the CSR? If so, you will need to import the .pem file that you received back from GlobalSign by the same method; if you did not generate the CSR from a private key within your BKS keystore, then it would not be a trusted certificate.
That is what I think is going on, anyway.
The problem was solved. I asked GlobalSign technical support about the certificates. They made some tests and gave recommendations on how to configure the certificates on the server side. The Android part wasn't changed.

Use Printable String when generating a certificate with Bouncy Castle

I'm successfully signing an X.509v3 certificate from a CSR using BouncyCastle in Java, but I have a problem: the string format of some of the certificate fields (Subject in this case) is UTF8_STRING and I need it to be PRINTABLE_STRING.
When generating the certificate I use X509v3CertificateBuilder and CertificateFactory objects plus a JcaX509ExtensionUtils to add some extensions to it.
Any help on how to do this?
Thanks in advance.

Storing an X.509 certificate in a Java keystore

I am trying to store a proxy X.509 certificate in a keystore. The certificate is generated using the BouncyCastle library. The problem is that I do not have the secret key for the certificate, and from what I understand, to store it in a Java keystore I need the secret key. Furthermore, I can't seem to convert the certificate into Java's own implementation of it.
I want to store it in a keystore so that Axis2's Rampart can attach it to SOAP messages according to our own security architecture.
If anyone can kindly explain to me whether there is a way to do this, or if I am missing something important, I would be thankful.
from what I understand is that to store it in a Java key store I need the secret key
No. You don't need the private key to store a certificate. You only need that for your own certificate. Just use keytool -import.

TLS/SSL client authentication using a client certificate which comes available at runtime Android/Java

Suppose I have an application which in some way retrieves a client certificate (private/public key pair) at runtime via a secure channel (so I don't have this client certificate at build time).
How can I use this client certificate for client authentication without using keytool and without using some persistent/on-disk keystore? So I do not want (actually I can't) to import it using the command-line keytool.
Actually I want to replicate the functionality found in libcurl. You just set the client certificate (with private key) and you're done. It doesn't involve a keystore.
All this has to be done in Java/Android.
You can do it in Java by defining your own KeyManager, as described in the JSSE Reference Guide. I can't speak for Android.
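One way to do what the JSSE answer above describes, as an added example that is not from the original post: the certificate and its unencrypted PKCS#8 private key arrive as PEM strings at runtime, are placed into a keystore that exists only in memory (never written to disk), and that keystore backs the KeyManager handed to an SSLContext. The class and method names are assumptions for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public final class RuntimeClientAuth {

    // Strip the PEM armour and decode the base64 body (assumes one object per string).
    private static byte[] pemToDer(String pem, String label) {
        String body = pem.replace("-----BEGIN " + label + "-----", "")
                         .replace("-----END " + label + "-----", "")
                         .replaceAll("\\s", "");
        return Base64.getMimeDecoder().decode(body);
    }

    /** Builds an SSLContext that presents the given client certificate, without touching disk. */
    public static SSLContext fromPem(String certPem, String pkcs8KeyPem, String keyAlgorithm)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert = cf.generateCertificate(
                new ByteArrayInputStream(pemToDer(certPem, "CERTIFICATE")));

        // Expects an unencrypted "BEGIN PRIVATE KEY" block; an encrypted key would first
        // have to be unwrapped with EncryptedPrivateKeyInfo.
        PrivateKey key = KeyFactory.getInstance(keyAlgorithm)
                .generatePrivate(new PKCS8EncodedKeySpec(pemToDer(pkcs8KeyPem, "PRIVATE KEY")));

        // load(null, null) initialises an empty in-memory store; the default type is
        // JKS/PKCS12 on a JDK and BKS on Android, so this works on both.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        char[] entryPassword = "in-memory-only".toCharArray(); // protects the entry inside this process only
        ks.setKeyEntry("client", key, entryPassword, new Certificate[] { cert });

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, entryPassword);

        // Trust managers left null: the platform's default trust store still validates the server.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }
}
```

Pass `fromPem(...).getSocketFactory()` to `HttpsURLConnection.setSSLSocketFactory` (or the equivalent in your HTTP client) and the certificate is offered whenever the server requests client authentication.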
I just got this working, and I don't think you'll be very happy with my answer, but it does work :)
So the hard part is to get the PKCS12 certificate you need to perform client authentication. If your certificate is already in PKCS12, then you've got all the hard stuff out of the way and you can refer to the second answer on SSL client authentication in Android to see how to use that certificate.
If you just have a public/private key pair and not a PKCS12 certificate, then you will need to make one. As far as I could tell there is no way in Java/Android to create this certificate, so you need to use the Android NDK and OpenSSL.
If you download the openssl-android project from https://github.com/guardianproject/openssl-android you can use it to build OpenSSL. By default it compiles as a .so shared object, but only some of the Android devices I tried to run this code on were able to link against libcrypto, so, although I'm sure there is a better way, I went into the Android.mk files and replaced include $(BUILD_SHARED_LIBRARY) with include $(BUILD_STATIC_LIBRARY) in a few places so that I could compile a .a static library.
I then used the info from Android NDK: Link using a pre-compiled static library to link the libcrypto.a I compiled to my native code.
This native code uses OpenSSL to first create an X509 certificate and then uses it to create a PKCS12 file, which can be used in the manner I mentioned before, located at SSL client authentication in Android.
First you need to get your public and private keys into native land as EVP_PKEY pointers, which can happen in a variety of ways based on what format your keys are in. Then you can use the following code to create an X509 certificate:
#include <openssl/x509.h>

X509 *public_key_cert = X509_new();
/* notBefore = now, notAfter = now + 365 days (in seconds) */
X509_gmtime_adj(X509_get_notBefore(public_key_cert), 0);
X509_gmtime_adj(X509_get_notAfter(public_key_cert), (long) 60*60*24*365);
/* evp_pub_key is the EVP_PKEY* holding the public key obtained earlier */
X509_set_pubkey(public_key_cert, evp_pub_key);
This creates the most minimally valid X509 certificate, which is valid for 1 year. You may want to do other stuff like sign the certificate if you are going to run your own certificate authority, or set any of a large set of headers which contain various bits of information.
Next you need to create the PKCS12 certificate using the X509 cert, like this:
#include <openssl/pkcs12.h>

/* evp_priv_key is the EVP_PKEY* holding the private key; the remaining zeros select the default ciphers, iteration counts and key type */
PKCS12 *pkcs12 = PKCS12_create(password, "Some Sort of Friendly Name", evp_priv_key, public_key_cert, NULL, 0, 0, 0, 0, 0);
password is a char* containing the password which will be used to encrypt the private key using triple-DES.
Now that you have a PKCS12 certificate, you can go over to SSL client authentication in Android and get client authentication going.
Good Luck!

How to generate a CRL (certificate revocation list) file

I'm using self-signed certificates for testing. How can I generate a certificate revocation list to test cert verification? Does keytool in the JDK provide such functionality?
Thanks!
OpenSSL http://www.openssl.org/
The CA (included) is excellent for testing simple PKIs. Perhaps a little bit daunting at first, but there is plenty of info around.
For CRLs, the out-of-the-box setup should do the trick for you:
https://www.openssl.org/docs/manmaster/man1/ca.html#CRL-OPTIONS
All the best.
