[jboss-user] [Security & JAAS/JBoss] - Client Certificate using Keytool and OpenSSL

sunnym_a do-not-reply at jboss.com
Fri Mar 28 13:28:52 EDT 2008


Environment:

JBoss-4.2.1.GA
Java 1.5.0_11
OpenSSL 0.9.8g

Is there a way to set the Netscape Cert Type property to SSL Client while exporting it to a PKCS12 certificate using OpenSSL?

I created a client certificate using the following steps:
        a. Generated key pair using Keytool
        b. Generated CSR and got it signed by the CA (Verisign)
        c. Imported signed certificate and all Root + Intermediate authorities in client keystore for proper certificate chaining
        d. Exported private key from the keystore
        e. Used OpenSSL command to export pkcs12 certificate:
           openssl pkcs12 -export -out client.p12 -inkey client.pem -in client.cer -passout pass:*********

This certificate gets installed in both IE and Firefox successfully, however the Netscape Cert Type attribute shows: SSL Server Authentication. This causes the following exception on the server side (Sun JVM) when passed through the browser:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL client

When I used another pkcs12 certificate generated by IIS, that worked fine as its Netscape Cert Type attribute was set correctly to SSL Client.

I came across the nscerttype attribute but it seems it's only applicable to the openssl commands ca, req and x509.

TIA


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4139734#4139734
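
An added example, not part of the original post: the Netscape Cert Type value is an extension inside the CA-signed certificate, and `openssl pkcs12 -export` packages that certificate unchanged, so the value can be checked on the signed certificate before step e. The function name and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the text form of a
# certificate, as printed by `openssl x509 -noout -text`, on stdin and prints:
#   absent | client-ok | client-denied:<flags>
# Assumption: a certificate without the extension is not restricted by it.
nscert_client_status() {
    awk '
        found && !done { gsub(/^[ \t]+|[ \t\r]+$/, ""); flags = $0; done = 1 }
        /Netscape Cert Type:/ { found = 1 }
        END {
            if (!found) { print "absent" }
            else if (flags ~ /SSL Client/) { print "client-ok" }
            else { print "client-denied:" flags }
        }'
}

# Constructed samples of the extensions section (not real certificates).
sample_server_only() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Netscape Cert Type:
                SSL Server
EOF
}
sample_client_and_server() {
cat <<'EOF'
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, SSL Server
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}
sample_no_extension() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
EOF
}

for s in sample_server_only sample_client_and_server sample_no_extension; do
    printf '%s: %s\n' "$s" "$($s | nscert_client_status)"
done
# Real file (name from the post): openssl x509 -in client.cer -noout -text | nscert_client_status
```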
