• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Certificate chain...

 
Cristovao Santos
Greenhorn
Posts: 11
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi.

I have created a keystore in my webserver. In this keystore i putted:
1st - My own self signed certificate

keytool -genkey -alias vbvsign -keyalg RSA -keysize 1024 -keystore .keystoreCV -storepass vbvsignpass -storetype jks -dname "CN=172.29.145.110-172.29.145.119, OU=Development, O=SISP, L=Praia, ST=Praia, C=CV"

keytool -certreq -v -alias vbvsign -keystore .keystoreCV -storepass vbvsignpass -file vbvCSR.pem

2nd - CA Certificatekeytool -import -alias MPIclientCA -keystore .keystoreCV -trustcacerts -file pitroot.der

3rd - Client Certificate received by email
keytool -import -alias MPIclientCertificate -keystore .keystoreCV -trustcacerts -file
keytool -import -alias vbvsign -keystore .keystoreCV -trustcacerts -file MPIclient_certificate.der


When i received the last one (3rd), they also send a PKCS#7 certificate chain. Now, i need to validate a XML File, signed, and i dont know what or how can i validate that... Now, i am validating the three certificates (it looks well), but when validating the signature it return a validation error:
"javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key"

I think that possibly maybe i need to import or do something else with the PKCS#7 certificate chain that i received by email, but i dont know what to do...

Can you help me please!

Thanks a lot,
Cristovao
 
greg stark
Ranch Hand
Posts: 220
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am not familiar with the XML security APIs, but I'm sure the concepts are the same as for other PKI applications. First, you must understand that the certified keypair that you have stored at alias vbvsign is used by you to sign documents, not to verify them. To verify a document that someone else has signed, you must have their certified public key. Most APIs, and probably also the XML APIs you are using, allow for this public key certificate to be included in the message itself. All that is required on your part is that you have the root CA that signed their public key in your trusted certificate store.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic