JavaRanch » Java Forums » Engineering » Security
Doubt about digital certificates and signatures

Alys Landle

Joined: May 18, 2011
Posts: 5
Good morning everyone,

I have no experience with digital certificates and signatures, but, currently being the only Java programmer at my company, my boss asked me to handle an update on a project.

This project is already up and working fine today. It was made in Java 1.6.23 and runs on a Tomcat 6 environment. It uses a certificate to communicate with a Web Service from another project (this other one not made by us; it's a partner company).

It currently has two files (both inside the .war file, in WEB-INF/classes folder):

- truststore.jks

In the code, the certificate is passed using this configuration:

OK, as I said, all this is working just fine today. But the certificate will expire in one week, and I was requested to update the application to use the new one. My manager made the new contract with the Web Service company, then he sent me two files (our partner created these files):

tnt.cer: Said to be the "new certificate".
Said to be the private key with password (it is the same as the old one, as I was told).

Well, I know I can import the ".cer" file with keytool, just like this:

But I think I should import the .cer file together with the private key, right? If that's the case, I wasn't able to do so. I tried to use it with the importkeystore parameter, but it gives the error:

Which I couldn't solve so far.

My other doubt is how do I create the ".pfx" file? Or, a prior question, what is this file for, storing the public key? I googled it, and it's the "Personal Information Exchange" acronym, but so far I didn't understand why/if I need it.

Finally, English is not my native language, please apologise for any misspelling.

Thanks for any help.
Winston Gutkowski

Joined: Mar 17, 2011
Posts: 8661

Alys Landle wrote:Finally, English is not my native language, please apologise for any misspelling.

Not at all. A very clearly explained problem. Well done.

I hate to say, but it's been an awfully long time since I did this stuff, so my knowledge is probably out-of-date.

My advice:
1. Get your manager to let you deal with this stuff next time. He/she clearly has no clue as to what they are dealing with.
2. Get a contact number for the cert provider, along with any proprietary details that might be needed to log onto their website for a specific query like this; and ask them. If it's a reputable one like Verisign or Thawte, they are fairly used to this.
3. Make a diary of the procedure you do follow, and file it securely for the next poor schmuck who has to deal with it.

Sorry I can't be more specific, but like I say...old fart.


Isn't it funny how there's always time and money enough to do it WRONG?
Articles by Winston can be found here
Alys Landle

Joined: May 18, 2011
Posts: 5
Winston Gutkowski wrote:
Alys Landle wrote:Finally, English is not my native language, please apologise for any misspelling.

Not at all. A very clearly explained problem. Well done.

Thanks. My English teacher will be soo proud

I did as you recommended, and talked to the people responsible for the certificate. Well, gotta say, I also wish management people would just stick to managing projects and let technical people handle these kinds of things. I spent the last 12h reading a lot of forums (that was a good thing, at least), talking with our partner, and getting errors, and I finally think I got somewhere.

Thing is, if I open the ".key" file (why the hell I didn't do that earlier??), this is what I see:

Which means this file is in PEM format. But the certificate they sent is a ".cer" file, so it's in DER format, right? So I think I have an incompatibility problem, and that this is what is causing the "toDerInputStream rejects tag type 45" exception. I need our partner to send me a certificate also in PEM format (or change the private key format, whichever is the best option).

I'll be sure to post here when I hopefully/finally get a solution
Alys Landle

Joined: May 18, 2011
Posts: 5
Finally, it's solved!

First: the PFX file is very important. It's the one with the certificate chain and the keys, and exactly what I need to make a conversation with the Web Service. So what I did was to ask the support team to generate one (you only need openssl and the certificate/keys, but I couldn't make it work on my Windows), so they created this file and sent it to me.

I only replaced the older pfx file with this new one; I didn't do anything with the Java keystore file (it exists just so I don't need to edit the cacerts file) or the code (it's the same password), and it's working again.
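The procedure this thread circles around, written out as an added shell example that is not from any post in the thread: a .cer holds only the public certificate, which keytool -importcert can add to a truststore; a PEM file begins with '-' (ASCII 45), which is why keytool's DER parser reports "tag type 45" when handed PEM where it expects DER; and the private key plus chain must be bundled into a PFX/PKCS#12 with openssl before keytool -importkeystore can load them into a JKS. File names, the alias "example" and the password "changeit" are assumed placeholders; openssl and keytool are needed only for the last three functions, the first two work with coreutils alone.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh plus od, sed, grep and
# base64 from coreutils; openssl and keytool only for make_pfx, pfx_to_jks, cer_to_truststore.
# All file names, the alias and the password are placeholders.

# Print PEM, DER or UNKNOWN based on the first byte of a certificate file.
# DER-encoded X.509 starts with 0x30 (the ASN.1 SEQUENCE tag, decimal 48);
# PEM starts with "-----BEGIN", i.e. '-' (decimal 45). Feeding PEM to a DER
# reader is exactly what produces keytool's "toDerInputStream rejects tag type 45".
cert_format() {
    first=$(head -c 1 "$1" | od -An -tu1 | tr -d ' ')
    case "$first" in
        48) echo DER ;;
        45) echo PEM ;;
        *)  echo UNKNOWN ;;
    esac
}

# Convert a single-block PEM file to DER: keep the base64 lines between the
# BEGIN/END markers and decode them. pem_to_der IN.pem OUT.der
pem_to_der() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" | grep -v '^-----' | base64 -d > "$2"
}

# Bundle a PEM certificate and its private key (optionally with the CA chain)
# into a PKCS#12 container, which is what a .pfx/.p12 file is.
# make_pfx CERT.pem KEY.pem OUT.pfx ALIAS PASSWORD [CHAIN.pem]
make_pfx() {
    if [ -n "$6" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$6" \
            -name "$4" -out "$3" -passout "pass:$5"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -name "$4" -out "$3" -passout "pass:$5"
    fi
}

# Import key + chain from the PKCS#12 into a JKS keystore. -importkeystore reads
# keystores, not bare .cer or PEM files, so -srcstoretype PKCS12 is the required form.
# pfx_to_jks IN.pfx OUT.jks PASSWORD
pfx_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$3"
}

# Add a public certificate (no private key) to a truststore; this is the only
# thing keytool can do with a .cer file on its own.
# cer_to_truststore CERT.cer OUT.jks ALIAS PASSWORD
cer_to_truststore() {
    keytool -importcert -noprompt -file "$1" -alias "$3" -keystore "$2" -storepass "$4"
}
```

Run cert_format first on whatever the partner sends: if the key is PEM and the certificate is DER, either convert the certificate with pem_to_der in reverse (openssl x509 -inform DER -outform PEM) or ask for both in one format before building the PFX, because openssl pkcs12 expects PEM inputs by default.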