OpenSSL - Sign the certificate with own CA


I hope you can help me. I'm about to sign JAR files with a self-created certificate using OpenSSL. The JAR file contains an old Java applet which Java is blocking (as long as it is not signed) in the browser since version 7.51. Once it is signed, I just have to install the certificate (in the system / browser / JRE).

Right now I have a problem signing the certification request (see "Step 7" below): "unable to load certificate". What do I have to change to pass this step? In addition, I am not sure about the further steps (which I also added below). Could you please also tell me if these are right?

Thank you in advance for any help.

1.) Create folder structure

cd test
mkdir private certs newcerts conf export csr
echo '01' > serial
touch index.txt
export OPENSSL_CONF=/home/joerg/cacerts/myca/openssl.cnf

2.) Create the Certificate Authority

openssl req -new -x509 -days 3650 -keyform PEM -outform PEM -keyout test/private/cakey.pem -out test/cacert.pem

3.) Convert the CA certificate into a format which can be managed by the Java keystore:

openssl x509 -outform der -in test/cacert.pem -out test/cacert.crt

4.) Generate Keystore

keytool -genkey -keystore javakeystore.jks -alias test

5.) Check Keystore

keytool -list -keystore javakeystore.jks -storepass "whatever"

Keystore-Typ: JKS
Keystore-Provider: SUN

Keystore enthält 1 Eintrag

test, 13.11.2014, PrivateKeyEntry, 
Zertifikat-Fingerprint (SHA1): 38:D0:44:2A:35:C8:60:F1:CD:7F:0E:41:6D:E6:DC:23:7C:49:96:23

6.) Create certification request

keytool -certreq -v -file test/certs/caRequest.csr -alias "test" -keystore javakeystore.jks -storepass "whatever"

7.) Sign the certificate with the CA

openssl ca -days 365 -in test/certs/caRequest.csr -out test/newcerts/caRequest.pem -policy policy_anything
Using configuration from /home/joerg/cacerts/myca/openssl.cnf
Enter pass phrase for /home/joerg/cacerts/myca/test/private/cakey.pem:
unable to load certificate
140116933408416:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
~/cacerts/myca$

My plan is to continue like this:

8.)

openssl x509 -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.pem -outform PEM

9.)

openssl x509 -outform der -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.crt

10.) Concatenate the certificate chain

cat test/newcerts/caRequest.pem test/cacert.pem > test/newcerts/caRequest.chain

11.) Indicate that I trust this CA

keytool -import -trustcacerts -file test/cacert.pem -alias test -keystore javakeystore.jks -storepass "whatever"

12.) Import it into your keystore

keytool -import -file test/newcerts/caRequest.chain -alias test1 -keystore javakeystore.jks -storepass "whatever"

13.) Sign jar file

jarsigner -keystore javakeystore.jks TestApplet.jar test

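The message in step 7 ("PEM_read_bio:no start line ... Expecting: TRUSTED CERTIFICATE") is OpenSSL's PEM reader reporting that one of the files it opened has no BEGIN line of the type it wanted; for `openssl ca` that includes the CA certificate named by the `certificate` entry of openssl.cnf, so each file the command touches is worth checking. The following Python helper is an added example, not part of the question above: it lists the PEM blocks a file really contains, flags DER input, and explains a mismatch in the same terms as the OpenSSL error. The sample inputs in the test are constructed.

```python
import base64
import re

# One PEM block: BEGIN label, base64 body, END label (labels must match).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def pem_blocks(data: bytes):
    """Return [(label, der_bytes), ...] for every well-formed PEM block in data.

    A BEGIN/END label mismatch or an undecodable body raises ValueError, which
    is exactly the kind of damage a hand-edited or mis-concatenated file has.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        begin, body, end = m.group(1).decode(), m.group(2), m.group(3).decode()
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        body = body.replace(b"\r", b"").replace(b"\n", b"")
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"{begin}: body is not valid base64") from exc
        blocks.append((begin, der))
    return blocks


def diagnose(data: bytes, expecting: tuple) -> str:
    """Explain why a PEM reader that accepts the labels in `expecting` would
    fail on `data`, or report the label it would accept.

    `expecting` mirrors OpenSSL's "Expecting: ..." hint, e.g.
    ("CERTIFICATE", "TRUSTED CERTIFICATE") for a certificate file.
    """
    if data.lstrip().startswith(b"\x30"):
        # DER starts with an ASN.1 SEQUENCE tag; a PEM reader sees no BEGIN line.
        return "looks like DER (ASN.1 SEQUENCE), not PEM: convert with -inform der"
    blocks = pem_blocks(data)
    if not blocks:
        return "no PEM BEGIN/END block found: no start line"
    labels = [label for label, _ in blocks]
    for label in labels:
        if label in expecting:
            return f"ok: found {label}"
    return f"found {labels}, expecting one of {list(expecting)}"
```

Run `diagnose(open(path, "rb").read(), ("CERTIFICATE", "TRUSTED CERTIFICATE"))` on the CA certificate file and `("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")` on the CSR; keytool writes its requests with the `NEW CERTIFICATE REQUEST` label, which OpenSSL also accepts.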