Hi there,
I recently dived onto the Java train and so far like every bit of it. Last week I managed to complete my first "homework project" (a command-line calculator which basically picks up 2 numbers and then performs the 4 major operations on them) and now I'm studying deployment. During this I stumbled upon the signing options and, being rather familiar with openssl, I gave it a try, but stumbled upon something weird...
I have my own CA certificate and decided to add this to the system-wide keystore after having looked over the currently present certificates and having changed the default password. Then I created a keypair for myself and decided to create a certificate signature request (csr) which would be signed using my own CA certificate.
While keytool seems to be able to pick up the presence of the CA certificate it refuses to pick it up in the chain of trust. Here is what happened:
linux:/home/peter $ keytool -import -file ./pl.pem
Enter keystore password: ----
keytool error: java.lang.Exception: Failed to establish chain from reply
linux:/home/peter $ keytool -alias mykey -import -file ./pl.pem
Enter keystore password: ----
keytool error: java.lang.Exception: Failed to establish chain from reply
linux:/home/peter $ keytool -import -trustcacerts -file /etc/ssl/certs/losoco.crt <
Enter keystore password: ----
Certificate already exists in system-wide CA keystore under alias <losoco>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
linux:/home/peter $ keytool -import -file ./pl.pem
Enter keystore password: ----
Certificate reply was installed in keystore
As you can see, the keytool application was able to detect the already present CA certificate but wasn't able to use it to complete its chain of trust. Have I overlooked something here when I added the certificate to the system-wide keystore (using the same command line as above, only pointed at another keystore) or have I stumbled on a bug?
The JDK being used here is Sun's jdk1.5.0_06 for Linux. On this system I completely removed the previously present GNU variants because they caused me many problems (programs which compiled cleanly using Sun's JDK used to trigger only exceptions using the GNU variant).
However, and this is why I wonder if I didn't hit a bug, I can reproduce the problem using the JDK 1.5.0-6 on my Solaris 10 1/6 installation. I think I've ruled out the option about possible "unsuitable" certificates since my CA certificate has the following options:
X509v3 Basic Constraints:
CA:TRUE, pathlen:1
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA
Whereas the generated certificate is clearly suited as well:
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
Code Signing
Because the certificates work as they should from the local keystore I somewhat rule out that option. Can anyone shed some light on this? Thanks in advance.
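The chain building that keytool attempts when installing a certificate reply can be reproduced directly with the JDK's PKIX classes, which makes it easier to see which trust store actually contains a usable CA. The following is an added example, not code from the post or from keytool itself; it assumes a JKS keystore (the cacerts file or a private one), a PEM-encoded reply, and command-line arguments for the paths and password, and it also checks the Basic Constraints and Key Usage bits that a CA certificate needs before using it as a trust anchor.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example: mimics what keytool does with -trustcacerts, i.e. tries to
// build a PKIX path from a certificate reply to a CA certificate held in a
// keystore. File paths and the password are hypothetical arguments.
public class ChainCheck {

    // Reports whether a certificate carries the extensions needed to act as a CA.
    static boolean isUsableAsCa(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();                    // null when no KeyUsage extension
        boolean keyCertSign = (ku == null) || ku[5];          // bit 5 = keyCertSign
        return cert.getBasicConstraints() >= 0 && keyCertSign; // -1 means "not a CA"
    }

    // Builds a chain from 'reply' up to some trusted CA certificate in 'trust'.
    static CertPath buildChain(X509Certificate reply, KeyStore trust) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trust.isCertificateEntry(alias)) {
                X509Certificate ca = (X509Certificate) trust.getCertificate(alias);
                if (isUsableAsCa(ca)) anchors.add(new TrustAnchor(ca, null));
            }
        }
        if (anchors.isEmpty()) throw new Exception("no usable CA certificates in trust store");
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(reply);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // no CRL/OCSP available for a private CA
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Collections.singletonList(reply))));
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    // Usage: java ChainCheck reply.pem /path/to/cacerts storepass
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate reply = (X509Certificate) cf.generateCertificate(new FileInputStream(args[0]));
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(new FileInputStream(args[1]), args[2].toCharArray());
        try {
            CertPath path = buildChain(reply, trust);
            System.out.println("chain established, length " + path.getCertificates().size());
        } catch (CertPathBuilderException ex) {
            System.out.println("Failed to establish chain from reply: " + ex.getMessage());
        }
    }
}
```

Running it once against the private keystore and once against the JDK's cacerts shows which of the two stores keytool would have to consult to complete the chain.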