keytool questions

J

js

http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

I have a client certificate issued by a non-standard CA ( that is, the CA is self-signed by an external entity and is not part of the cacerts file ).
This client certificate is in my keystore ( with entry type as keyEntry ).

Alias name: < .... ALIAS BLAH ... >
Creation date: 5/01/2004
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: < ....BLAH .....>
Issuer: < ....ISSUER BLAH .....>
Serial number: 279d
Valid from: Thu Jan 02 21:00:00 EST 2003 until: Sun May 18 11:42:29 EST 2008
Certificate fingerprints:
MD5: 94:D1:60:A9:07:A1:30:76:3D:10:5B:5B:07:6E:D4:1B
SHA1: F7:C3:4E:05:35:33:6F:83:FB:11:C7:8C:BD:6D:D3:7B:E5:79:AB:87
Certificate[2]:
Owner: < ....ISSUER BLAH .....>
Issuer: < ....ISSUER BLAH .....>
Serial number: 0
Valid from: Mon Jul 01 10:00:00 EST 1996 until: Sat Jul 01 10:00:00 EST 2006
Certificate fingerprints:
MD5: 1A:AB:4D:57:0A:3F:D8:76:AF:7B:76:CF:E7:FC:33:C5
SHA1: 86:54:C1:3E:0D:44:62:38:1F:A8:59:26:51:DC:B1:B9:F4:BD:C6:0F


Now the self-signed ( by an external entity ) CA certificate in that chain has expired as shown above, and a new self-signed ( by an external entity ) CA certificate was issued.

Owner: < ....ISSUER BLAH .....>
Issuer: < ....ISSUER BLAH .....>
Serial number: 0
Valid from: Mon Jul 01 10:00:00 EST 1996 until: Fri Jul 01 10:00:00 EST 2016
Certificate fingerprints:
MD5: A6:41:B9:09:43:F0:08:42:B1:80:79:D5:A3:97:5B:5D
SHA1: 25:6E:C2:24:CB:24:CD:70:68:55:EA:98:1E:E4:9D:88:A1:F8:78:D9


If I import the new self-signed ( by an external entity ) CA certificate into cacerts file, the SSL connection to the remote HTTPS host will eventually still use the expired CA instead of using the new CA cert.


So my question is, can you actually "remove" the expired-CA in the chain in the keyentry in the keystore ?

I tried exporting the keyEntry, which only exported the client certificate in the chain. So I guess I found the solution ( or so I thought ).
However, if I import it back, it is being imported as a "trustedCert" entry instead of a "keyEntry".
Thus, if I then delete the keyEntry that had the expired CA in its chain, the "trustedCert" entry is not used ... since JSSE uses entries of type "keyEntry".
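One way to swap the expired CA out of an existing keyEntry's chain without touching the private key, added here as an example and not code from the thread or from keytool: load the keystore with the JCA KeyStore API, verify that the renewed self-signed CA really is the issuer of the client certificate, then call setKeyEntry with the same private key and a chain that ends in the new CA. The keystore path, password, alias and CA file path are assumed command-line arguments, and the key password is assumed to equal the keystore password.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Hypothetical helper: replaces the CA in a keyEntry's chain with a renewed CA cert. */
public class ReplaceChainCa {
    public static void main(String[] args) throws Exception {
        // Assumed arguments: <keystore> <password> <alias> <new-ca-cert (DER or PEM)>
        String ksPath = args[0], alias = args[2], newCaPath = args[3];
        char[] pw = args[1].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, pw);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a keyEntry");
        }

        // Load the renewed self-signed CA certificate and check it is usable.
        X509Certificate newCa;
        try (FileInputStream in = new FileInputStream(newCaPath)) {
            newCa = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        newCa.checkValidity();              // throws if expired or not yet valid
        newCa.verify(newCa.getPublicKey()); // throws unless genuinely self-signed

        // Existing chain: [0] = client certificate, [1] = expired CA.
        Certificate[] oldChain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) oldChain[0];

        // The renewed CA must carry the key that signed the client cert; if the CA
        // key changed, the client cert has to be reissued and this approach is wrong.
        if (!leaf.getIssuerX500Principal().equals(newCa.getSubjectX500Principal())) {
            throw new IllegalStateException("client cert issuer does not match new CA subject");
        }
        leaf.verify(newCa.getPublicKey()); // SignatureException if the CA key changed

        // Re-store the entry under the same alias with the same private key and a new chain.
        Key priv = ks.getKey(alias, pw); // assumption: key password == keystore password
        ks.setKeyEntry(alias, priv, pw, new Certificate[] { leaf, newCa });
        try (FileOutputStream out = new FileOutputStream(ksPath)) {
            ks.store(out, pw);
        }
        System.out.println("Chain for " + alias + " now ends in " + newCa.getSubjectX500Principal());
    }
}
```

After running it, `keytool -list -v` on the keystore should show the entry still as keyEntry, with Certificate[2] carrying the 2016 expiry and the new fingerprints.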
 
