3 Replies Latest reply: Aug 28, 2012 12:47 AM by handat

    Is a Certificate a CA (authority) or a user's certificate?

    916519
      Hello,

      Is there a simple way to know if a certificate (java.security.cert.Certificate or java.security.cert.X509Certificate) is a user certificate or a certificate authority (CA) certificate?
      I want to list the user's certificates stored with a private key in my KeyStore.


      import java.security.KeyStore;
      import java.security.KeyStoreException;
      import java.security.cert.Certificate;
      import java.security.cert.X509Certificate;
      import java.util.Enumeration;

      ...
      // load the keystore ("Windows-MY" and "SunMSCAPI" on Windows or "Apple" and "KeychainStore" on Mac OS)
      ...
      static void listUserCertificates(KeyStore keyStore) throws KeyStoreException {
          Enumeration<String> aliases = keyStore.aliases();
          while (aliases.hasMoreElements()) {
              String alias = aliases.nextElement();
              System.out.println("Certificate alias found : " + alias);
              Certificate cert = keyStore.getCertificate(alias);
              if (!(cert instanceof X509Certificate)) {
                  continue; // alias has no certificate, or it is not X.509
              }
              X509Certificate c = (X509Certificate) cert;

              // Test I want to do : if c is a CA, skip it (continue)

              // this method works on Windows to filter user certificates but doesn't on Mac OS one !
              if (keyStore.isKeyEntry(alias)) {
                  // user certificate: alias also holds the private key
              }
          }
      }

      Any help would be greatly appreciated !

      Thanks !
        • 1. Re: Is a Certificate a CA (authority) or a user's certificate?
          sabre150
          user8249296 wrote:
          // this method works on Windows to filter user certificates but doesn't on Mac OS one !
          if (keyStore.isKeyEntry(alias)) {
          That can only work if the key store contains the private key associated with the certificate. If the keystore contains only certificates then it can't work. I would expect the behaviour to be the same on both Windows and a Mac; did you test this by copying the keystore on Windows to the Mac or were you working with a totally different keystore?
          • 2. Re: Is a Certificate a CA (authority) or a user's certificate?
            916519
            Hi sabre150, thanks for your answer.

            I was working with different keystores:

            - the Windows keystore "Windows-My" on Windows. I used Internet Explorer to import certificates (.p12 file, with the private key associated). The isKeyEntry method returns true and isCertificate returns false for the alias associated with the given p12 file.
            - the Mac OS keystore on Mac. The same certificates (.p12 file, with the private key associated) are imported using "Keychain Access". Each alias is shown twice (not on Windows): the isKeyEntry method returns true and isCertificate returns false for the first alias, and isKeyEntry returns false and isCertificate returns true for the second one (one of them has its alias suffixed with "1". E.g.: for the same alias "my_alias", 2 aliases are loaded: "my_alias" and "my_alias 1").

            Actually, my problem is particularly with certificates on a USB smart card. I have installed the USB smart card drivers on both Mac OS and Windows and I can see the certificates on them correctly. For this kind of certificate, the isKeyEntry method returns true on Windows. On Mac, the alias is listed once (not twice as for the p12 file) and isKeyEntry returns false (isCertificate always returns true). If I remove the isKeyEntry test on Mac, other certificates (root CA and subordinate CA) will be listed.... I don't want to show them! I would like to list only the user's certificates. Do you understand? (Sorry for my poor English.)

            Thank you.
            • 3. Re: Is a Certificate a CA (authority) or a user's certificate?
              handat
              Both scenarios you described are valid. The problem is that your concept and definition of a CA and "user certificate" is a bit flawed, since you are assuming that it is always one or the other. For example, what if the certificate is a self-signed certificate? It would be a "user" certificate and also be a CA. You could also have certificates that are not CAs, just trusted certificates without the private user key. Your problem is that what you describe as a "user certificate" is a key pair with a private key and a public certificate. Unfortunately for you, this is not consistently represented in the various keystore types. In Windows, the key pair is grouped together under the same alias, whereas in your Mac environment the two components can be referenced separately, which is hidden in Windows. Nevertheless, both representations are correct. You will just have to deal with it yourself in your code, or use a third-party library that abstracts this for you.
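The following is an added example, not code posted by anyone in this thread, that puts the two answers together: it decides "CA or not" from the certificate itself (basicConstraints cA and the keyCertSign key usage) rather than from isKeyEntry, flags self-signed certificates separately so the self-signed case handat raises is visible instead of silently classified, and collapses the duplicate "my_alias" / "my_alias 1" entries seen on macOS by keying on the certificate, recording whether any alias for it holds a private key. The class name ListUserCerts, the optional PKCS#12 file argument and the OS-based choice of platform store are assumptions of this example; the store types "Windows-MY"/"SunMSCAPI" and "KeychainStore"/"Apple" are the ones named in the thread. It reads the platform keystore (or a .p12 file you pass), so there is no embedded sample data.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

// Example class (assumed name), not from the thread.
public class ListUserCerts {

    /** True if the certificate may issue other certificates: basicConstraints cA=TRUE
     *  (getBasicConstraints() != -1) or keyUsage bit 5 (keyCertSign) set. */
    static boolean isCa(X509Certificate c) {
        if (c.getBasicConstraints() != -1) {
            return true; // -1 means "not a CA"; any other value is the path length constraint
        }
        boolean[] keyUsage = c.getKeyUsage();
        return keyUsage != null && keyUsage.length > 5 && keyUsage[5];
    }

    /** True if issuer equals subject and the signature verifies under the cert's own key. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
            return false;
        }
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception e) {
            return false; // same name, but not actually signed by its own key
        }
    }

    /**
     * Every non-CA X.509 certificate in the store, keyed by the certificate so that
     * two aliases holding the same certificate (the macOS "my_alias" / "my_alias 1"
     * pair) collapse into one entry. The value is true if any alias for that
     * certificate is a key entry, i.e. the private key is in the store.
     */
    static Map<X509Certificate, Boolean> endEntityCerts(KeyStore ks) throws KeyStoreException {
        Map<X509Certificate, Boolean> result = new LinkedHashMap<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // alias without a certificate, or not X.509
            }
            X509Certificate x = (X509Certificate) cert;
            if (isCa(x)) {
                continue; // root or subordinate CA: not a user certificate
            }
            result.merge(x, ks.isKeyEntry(alias), Boolean::logicalOr);
        }
        return result;
    }

    /** Open a PKCS#12 file given as args[0] (password args[1]), else the platform store. */
    static KeyStore openStore(String[] args) throws Exception {
        KeyStore ks;
        if (args.length >= 1) {
            ks = KeyStore.getInstance("PKCS12");
            char[] password = args.length >= 2 ? args[1].toCharArray() : null;
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
            return ks;
        }
        String os = System.getProperty("os.name").toLowerCase();
        if (os.contains("mac")) {
            ks = KeyStore.getInstance("KeychainStore", "Apple");
        } else if (os.contains("win")) {
            ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        } else {
            throw new IllegalStateException("no platform keystore on " + os);
        }
        ks.load(null, null); // platform stores take no stream and no password
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = openStore(args);
        for (Map.Entry<X509Certificate, Boolean> e : endEntityCerts(ks).entrySet()) {
            X509Certificate x = e.getKey();
            System.out.printf("%s%n  issuer: %s%n  self-signed: %b  private key in store: %b%n",
                    x.getSubjectX500Principal(), x.getIssuerX500Principal(),
                    isSelfSigned(x), e.getValue());
        }
    }
}
```

Two caveats when using this. A self-signed certificate that carries basicConstraints cA=TRUE is treated as a CA and dropped, which is the right default for listing signing or authentication identities but not for every policy; if you want to keep such certificates when the private key is present, test `isSelfSigned` before `isCa`. Second, for the smart-card case the macOS store reports the card certificate as a certificate entry, so the "private key in store" flag will be false there even though the key exists on the card; the certificate is still listed, because the filter is on the certificate's CA extensions rather than on `isKeyEntry`.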