Doubt about digital certificates and signatures

 
Greenhorn
Posts: 5
Good morning everyone,

I have no experience with digital certificates and signatures, but, currently being the only Java programmer at my company, my boss asked me to handle an update on a project.

This project is already up and working fine today. It was made in Java 1.6.23 and runs on a Tomcat 6 environment. It uses a certificate to communicate with a Web Service from another project (this other one not made by us, it's a partner company).

It currently has two files (both inside the .war file, in WEB-INF/classes folder):

- truststore.jks
- ws.tnt.com.pfx

In the code, the certificate is passed using this configuration:



Ok, as I said, all this is working just fine today. But, the certificate will expire in one week, and I was requested to update the application to use the new one. My manager made the new contract with the Web Service company, then he sent me two files (our partner created these files):

tnt.cer: Said to be the "new certificate"
ws.tnt.com.key: Said to be the private key with password (it is the same as the old one, as I was told).

Well, I know I can import the ".cer" file with keytool, just like this:



But, I think I should import the cer file with the private key, right? If it's the case, I wasn't able to do so. I tried to use it with the importkeystore parameter, but it gives the error:



Which I couldn't solve so far.

My other doubt is how do I create the ".pfx" file? Or, a prior question, what is this file for, storing the public key? I googled it, and, it's an acronym for "Personal Information Exchange", but, so far I didn't understand why/if I need it.

Finally, English is not my native language, please apologise for any misspelling.

Thanks for any help.
 
Bartender
Posts: 10780

Alys Landle wrote: Finally, English is not my native language, please apologise for any misspelling.


Not at all. A very clearly explained problem. Well done.

I hate to say, but it's been an awfully long time since I did this stuff, so my knowledge is probably out-of-date.

My advice:
1. Get your manager to let you deal with this stuff next time. He/she clearly has no clue as to what they are dealing with.
2. Get a contact number for the cert provider, along with any proprietary details that might be needed to log onto their website for a specific query like this; and ask them. If it's a reputable one like Verisign or Thawte, they are fairly used to this.
3. Make a diary of the procedure you do follow, and file it securely for the next poor schmuck who has to deal with it.

Sorry I can't be more specific, but like I say...old fart.

Winston
 
Alys Landle
Greenhorn
Posts: 5

Winston Gutkowski wrote:

Alys Landle wrote: Finally, English is not my native language, please apologise for any misspelling.

Not at all. A very clearly explained problem. Well done.

Thanks. My English teacher will be soo proud

I did as you recommended, and, talked to people responsible for the certificate. Well, gotta say, I also wish management people just stick to managing projects, and let technical people handle these kinds of things. I spent the last 12h reading a lot of forums (that was a good thing, at least), and talking with our partner, and getting errors, and, I finally think I got somewhere.

Thing is, if I open the ".key" file (why the hell I didn't do that earlier??), this is what I see:



Which means, this file is in a PEM format. But, the certificate they sent is a ".cer" file, so, it's in DER format, right? So, I think I have an incompatibility problem, and that this is what is causing the "toDerInputStream rejects tag type 45" exception. I need our partner to send me a certificate also in PEM format (or change the private key format, whichever is the best option).

I'll be sure to post here when I hopefully/finally get a solution
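An added illustration of the PEM-versus-DER point in the post above (this is not code from the thread): a small POSIX shell script that looks at the first byte of a key or certificate file, which is exactly what a DER parser does. A PEM file begins with the "-" of its "-----BEGIN" armour, ASCII 45, and that is the "tag type 45" in the exception; a DER file begins with 0x30 (decimal 48), the ASN.1 SEQUENCE tag. A ".cer" extension by itself does not say which encoding is inside, the first byte does. The script also shows that PEM is only base64 armour around the same DER bytes, so one form can be converted into the other locally. The file names and the tiny sample files in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: tell PEM from DER the way a DER parser does,
# by looking at the first byte, and convert plain PEM armour back to DER.

# first_tag_byte FILE : decimal value of the first byte (what DerInputStream reads as a tag)
first_tag_byte() {
    od -An -tu1 -N1 "$1" | tr -d ' \n'
}

# detect_format FILE : prints PEM, DER or UNKNOWN
detect_format() {
    case "$(first_tag_byte "$1")" in
        45) echo PEM ;;      # '-' from "-----BEGIN ...-----": text armour, not ASN.1
        48) echo DER ;;      # 0x30 = ASN.1 SEQUENCE, the start of every DER key/cert
        *)  echo UNKNOWN ;;
    esac
}

# pem_to_der IN OUT : strip the armour lines and base64-decode the body.
# Works for plain "BEGIN ... PRIVATE KEY"/"BEGIN CERTIFICATE" blocks; an old-style
# encrypted PEM with "Proc-Type:"/"DEK-Info:" header lines would need openssl instead.
pem_to_der() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" | sed '1d;$d' | tr -d '\r' | base64 -d > "$2"
}

# Usage: ./pemder.sh FILE...  (constructed file names, e.g. ws.tnt.com.key tnt.cer)
if [ "$#" -ge 1 ]; then
    for f in "$@"; do
        printf '%s: %s (first byte %s)\n' "$f" "$(detect_format "$f")" "$(first_tag_byte "$f")"
    done
fi
```

Run against the two files from the thread, a PEM key reports "PEM (first byte 45)", which is the tag value Java complained about when it was handed the PEM file as if it were DER; once the body is decoded with pem_to_der the same file reports DER (48).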
 
Alys Landle
Greenhorn
Posts: 5
Finally, it's solved!

First: the PFX file is very important. It's the one with the certificate chain and the keys, and exactly what I need to make a conversation with the Web Service. So, what I did was to ask the support team to generate one (you only need the openssl and the certificate/keys, but, I couldn't make it work on my Windows), so, they created this file and sent it to me.

I only replaced the older pfx file with this new one, didn't do anything with the java keystore file (it exists just so I don't need to edit the cacerts file) or the code (it's the same password) and it's working again.
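As an added example (not the thread's own commands, and not what the partner's support team ran), this is the openssl step the final post describes: bundling a PEM private key, its certificate and, optionally, the intermediate chain into a PKCS#12 (.pfx) file, then proving the bundle opens with its password before it is dropped into WEB-INF/classes. The file names follow the thread; the alias ws.tnt.com, the chain.pem file and the password argument are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's commands: build and check a PKCS#12 (.pfx) bundle.

# build_pfx KEY CERT OUT PASSWORD [CHAINFILE]
# If the PEM key is itself encrypted, openssl prompts for its passphrase
# (or pass it with -passin). -certfile appends the intermediate chain so the
# bundle carries the full certificate path, as the poster's final .pfx did.
build_pfx() {
    key="$1"; cert="$2"; out="$3"; pw="$4"; chain="${5:-}"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name ws.tnt.com -out "$out" -passout "pass:$pw"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name ws.tnt.com -out "$out" -passout "pass:$pw"
    fi
    # Caveat for a consumer as old as the thread's Java 6: it only understands the
    # legacy 3DES/RC2 PKCS#12 encryption, while OpenSSL 3 defaults to AES/PBES2.
    # Add -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 (or -legacy) then.
}

# verify_pfx OUT PASSWORD : print subject and expiry of the bundled end-entity
# certificate without writing the private key anywhere.
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# The truststore side (truststore.jks in the thread) needs no private key at all;
# the partner's .cer goes in with keytool, and the .pfx can be inspected the same way:
#   keytool -importcert -alias tnt -file tnt.cer -keystore truststore.jks
#   keytool -list -v -keystore ws.tnt.com.pfx -storetype PKCS12

# Usage: ./mkpfx.sh ws.tnt.com.key tnt.cer ws.tnt.com.pfx PASSWORD [chain.pem]
if [ "$#" -ge 4 ]; then
    build_pfx "$@"
    verify_pfx "$3" "$4"
fi
```

The verify step is the check worth keeping around: the "notAfter" date it prints is the expiry that started this whole exercise, so it tells you at a glance whether the bundle you are about to deploy really carries the renewed certificate.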