[jboss-user] [Security & JAAS/JBoss] - Client Certificate using Keytool and OpenSSL
do-not-reply at jboss.com
Fri Mar 28 13:28:52 EDT 2008
Is there a way to set Netscape Cert Type property to SSL Client while exporting it to PKCS12 certificate using OpenSSL?
I created a client certificate using the following steps:
a. Generated key pair using Keytool
b. Generated CSR and got it signed by the CA (Verisign)
c. Imported signed certificate and all Root + Intermediate authorities in client keystore for proper certificate chaining
d. Exported private key from the keystore
e. Used OpenSSL command to export pkcs12 certificate:
openssl pkcs12 -export -out client.p12 -inkey client.pem -in client.cer -passout pass:*********
This certificate gets installed in both IE and Firefox successfully, however the Netscape Cert Type attribute shows: SSL Server Authentication. This causes the following exception on the server side (Sun JVM) when passed through the browser:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL client
When I used another pkcs12 certificate generated by IIS, that worked fine as its Netscape Cert Type attribute was set correctly to SSL Client.
I came across nscerttype attribute but it seems it's only applicable to openssl commands: ca, req and x509.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4139734#4139734
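Added example, not part of the original post: a shell sketch that issues a certificate from a throwaway CA with a chosen nsCertType, runs the same pkcs12 export as step e, and reads the Netscape Cert Type before and after packaging, which is also a usable check before importing a bundle into a browser. The demo CA, subject names, file names and the password `demo` are constructed, and it assumes an `openssl` binary with nsCertType support on the PATH.

```shell
#!/bin/sh
# Added example. All names, files and the password are constructed for this demo.

# Print the Netscape Cert Type value of a PEM certificate (empty if absent).
ns_cert_type() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Netscape Cert Type/ { getline; gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }'
}

# Issue a certificate with the given nsCertType from a throwaway CA, bundle it
# as PKCS#12, and report the type before and after packaging.
demo_roundtrip() {
    nstype=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Throwaway CA standing in for the real issuer.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Demo CA" -days 1 2>/dev/null || exit 1
        # Key pair and CSR (steps a and b of the post, done with openssl here).
        openssl req -newkey rsa:2048 -nodes -keyout client.pem -out client.csr \
            -subj "/CN=demo-client" 2>/dev/null || exit 1
        # The issuer writes the extension into the certificate when signing.
        printf 'nsCertType = %s\n' "$nstype" > ext.cnf
        openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -extfile ext.cnf -days 1 -out client.cer 2>/dev/null || exit 1
        before=$(ns_cert_type client.cer)
        # Same packaging step as in the post.
        openssl pkcs12 -export -out client.p12 -inkey client.pem -in client.cer \
            -passout pass:demo || exit 1
        # Pull the certificate back out of the bundle and re-read the extension.
        openssl pkcs12 -in client.p12 -nokeys -passin pass:demo \
            -out back.pem 2>/dev/null || exit 1
        after=$(ns_cert_type back.pem)
        printf '%s -> %s\n' "$before" "$after"
    )
    status=$?
    rm -rf "$dir"
    return $status
}

demo_roundtrip client   # prints: SSL Client -> SSL Client
demo_roundtrip server   # prints: SSL Server -> SSL Server
```

Running `ns_cert_type client.cer` on the CA-signed certificate before step e shows the value the browser and the JVM will see.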