storing a certificate chain in a key store

Hi.

I cryptKeysetOpen() a CRYPT_KEYSET_FILE store. I cryptAddPrivateKey() a suitably-labelled RSA private key. Then I cryptImportCert() from a .crt file, and cryptAddPublicKey() to the keyset, and all is well. All of that works well.

Now here's the complication: I want to store not only the certificate that corresponds to the private key, but the chain of certificates leading to it as well. I have two files, foo.crt and cabundle.crt, that represent this chain. Running "openssl verify -verbose -CAfile cabundle.crt foo.crt" says OK, so I know that all the certificates I need are in those two files.

Google tells me that some Java programs in this situation interoperate with openssl by exporting the key and certificate chain into a PKCS#12 file and importing from that. While I can export my certificates thus, cryptlib won't read PKCS#12 files; and the FAQ explains why not. Fine.

What should I be doing instead? How should I import a certificate chain? (The manual has examples of how to sign, verify, and export chains, but doesn't say how to import them that I can see.) Once I have the chain imported, will cryptAddPrivateKey() do the right thing when I try to store it?

Any help would be very greatly appreciated.

-- ams

_______________________________________________
Cryptlib mailing list
Cryptlib@... via Mail: cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/ http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please subscribe in order to post messages.
Re: storing a certificate chain in a key store

Abhijit Menon-Sen <ams@...> writes:

> What should I be doing instead? How should I import a certificate chain?

With a standard cryptImportCert(). Then when you do a cryptAddPublicKey() it'll add all the relevant certs in the chain to the keyset. It doesn't make any difference whether you use a single cert or a whole chain, the API is the same.

Peter.
Re: storing a certificate chain in a key store

At 2009-10-17 17:21:34 +1300, pgut001@... wrote:

> With a standard cryptImportCert()

That's what I thought, but I must be doing something wrong.

I have three certificates in bundle.crt and one in server.crt; both are in text format, i.e. base64 wrapped in BEGIN CERTIFICATE/END CERTIFICATE lines. I put all four certificates into all.crt, read the file contents, and call cryptImportCert(). The result has a CRYPT_CERTINFO_CERTTYPE of CRYPT_CERTFORMAT_CERTIFICATE, not CRYPT_CERTFORMAT_CERTCHAIN. (That was with the server certificate first and the others following it in the file. If instead I put the three bundle.crt certificates first, cryptAddPublicKey() fails.)

Do I need to export the chain in some other format? (PKCS #7?) I tried "openssl crl2pkcs7 -nocrl -certfile bundle.crt -certfile server.crt -out all.p7" and using all.p7 in place of all.crt, but then cryptImportCert() fails with CRYPT_ERROR_BADDATA.

What am I missing?

-- ams
Re: storing a certificate chain in a key store

Abhijit Menon-Sen <ams@...> writes:

> I have three certificates in bundle.crt and one in server.crt; both are in
> text format, i.e. base64 wrapped in BEGIN CERTIFICATE/END CERTIFICATE lines.
> I put all four certificates into all.crt, read the file contents, and call
> cryptImportCert(). The result has a CRYPT_CERTINFO_CERTTYPE of
> CRYPT_CERTFORMAT_CERTIFICATE, not CRYPT_CERTFORMAT_CERTCHAIN.

If you put four separately encoded certificates into a single file in base64 format, then you've got four distinct certs, not a certificate chain. cryptlib reads the first cert and then imports it, giving you a CRYPT_CERTFORMAT_CERTIFICATE.

> Do I need to export the chain in some other format? (PKCS #7?) I tried
> "openssl crl2pkcs7 -nocrl -certfile bundle.crt -certfile server.crt -out
> all.p7" and using all.p7 in place of all.crt, but then cryptImportCert()
> fails with CRYPT_ERROR_BADDATA.

You need to export it as a PKCS #7 certificate chain. What does dumpasn1 tell you about the chain?

Peter.
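The distinction Peter draws above, between a PEM file holding several independent certificates and a PKCS #7 certificate chain, is easy to see at the DER level. The following is an added illustration, not cryptlib code and not something posted in the thread. It splits a concatenated PEM file into its separate certificates (showing why cryptImportCert() only sees the first one), wraps a list of DER certificates in the certs-only SignedData structure that "openssl crl2pkcs7 -nocrl" produces, and does the structural check dumpasn1 would let you do by hand: is this blob one X.509 Certificate or a PKCS #7 signedData, and how many certificates does it carry? It uses only the Python standard library; the "certificates" it runs on are constructed placeholder SEQUENCEs with the outer shape of a Certificate, since real certificates cannot be embedded here. Whether cryptlib accepts a given PKCS #7 blob still has to be tested against cryptlib itself.

```python
"""PKCS #7 certs-only SignedData: build it, and tell it apart from a bare certificate.

Added example using only the standard library. The certificate blobs below are
constructed placeholders standing in for real DER certificates.
"""
import base64
import re

OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"

TAG_INTEGER, TAG_OID, TAG_SEQUENCE, TAG_SET = 0x02, 0x06, 0x30, 0x31
TAG_CTX0 = 0xA0  # [0] constructed: EXPLICIT content in ContentInfo, IMPLICIT SET OF Certificate in SignedData


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV at buf[pos]; ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV body runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Iterate (tag, body) over the TLVs packed inside a constructed element."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def pem_certificates(pem_text: str) -> list:
    """Split a concatenated PEM file (all.crt style) into separate DER certificates.
    Each block is an independent Certificate; the file itself carries no chain structure."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def build_certs_only_pkcs7(certs_der: list) -> bytes:
    """Wrap DER certificates in a PKCS #7 SignedData with no signers (RFC 2315 degenerate case).
    Certificates are kept in the given order, as openssl crl2pkcs7 does."""
    signed_data = der_tlv(TAG_SEQUENCE,
        der_tlv(TAG_INTEGER, b"\x01")                        # version 1
        + der_tlv(TAG_SET, b"")                              # digestAlgorithms: empty
        + der_tlv(TAG_SEQUENCE, der_oid(OID_PKCS7_DATA))     # contentInfo: data, no content
        + der_tlv(TAG_CTX0, b"".join(certs_der))             # certificates [0] IMPLICIT SET OF Certificate
        + der_tlv(TAG_SET, b""))                             # signerInfos: empty
    return der_tlv(TAG_SEQUENCE, der_oid(OID_PKCS7_SIGNED_DATA) + der_tlv(TAG_CTX0, signed_data))


def classify(der: bytes) -> dict:
    """dumpasn1-style check: one X.509 Certificate, or a PKCS #7 chain with N certificates?"""
    tag, body, end = read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single top-level SEQUENCE")
    first_tag, first_body, _ = read_tlv(body)
    if first_tag == TAG_SEQUENCE:  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return {"kind": "certificate", "certs": 1}
    if first_tag != TAG_OID or der_tlv(TAG_OID, first_body) != der_oid(OID_PKCS7_SIGNED_DATA):
        raise ValueError("neither a Certificate nor PKCS #7 signedData")
    ctx_tag, ctx_body = list(children(body))[1]              # ContentInfo.content [0] EXPLICIT
    if ctx_tag != TAG_CTX0:
        raise ValueError("ContentInfo content missing")
    _, sd_body, _ = read_tlv(ctx_body)                       # SignedData SEQUENCE
    count = 0
    for t, inner in children(sd_body):
        if t == TAG_CTX0:                                    # certificates [0] IMPLICIT
            count = sum(1 for _ in children(inner))
    return {"kind": "pkcs7-chain", "certs": count}


def placeholder_cert(serial: int) -> bytes:
    """Constructed stand-in for a DER certificate: only the outer SEQUENCE { SEQUENCE ... } shape matters here."""
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_SEQUENCE, der_tlv(TAG_INTEGER, bytes([serial]))))


def demo():
    """Rebuild the poster's situation: four PEM blocks in one file versus one PKCS #7 chain."""
    certs = [placeholder_cert(n) for n in (1, 2, 3, 4)]
    pem = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                  % base64.b64encode(c).decode() for c in certs)
    blobs = pem_certificates(pem)
    first_only = classify(blobs[0])            # what an importer sees if it reads the first cert
    chain = build_certs_only_pkcs7(blobs)
    return len(blobs), first_only, classify(chain)


if __name__ == "__main__":
    print(demo())
```

Run against a real all.p7, `classify()` should report a pkcs7-chain with four certificates; if it raises on the first byte, the file is most likely base64-wrapped PEM rather than DER, which is worth ruling out before looking further.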