6 Replies. Latest reply: Oct 2, 2012 7:24 AM by user10070648

    Signed using my own CA

    user10070648
      Dear ALL,

      I'm trying to simulate an environment (VISA chip processing) in my office, so I have a few clarifications regarding crypto keys. Before that, let me explain the exact simulation I'm going to do.

      I want to simulate a VISA CA at my office.

      First I generate the issuer key pair as below.

      keytool -genkey -alias TestIssueEpic -keyalg RSA -keysize 1152 -keypass privatepassword -keystore TestIssueEpic.jks -storepass password
      keytool -export -alias TestIssueEpic -file TestIssueEpic.cer -keystore TestIssueEpic.jks

      After that I generate the CSR file:
      keytool -certreq -alias TestIssueEpic -keystore TestIssueEpic.jks

      Now I have the CSR information:

      -----BEGIN NEW CERTIFICATE REQUEST-----
      MIICADCCAVkCAQAwcDELMAkGA1UEBhMCOTQxEDAOBgNVBAgTB0NvbG9tYm8xEDAOBgNVBAcTB0Nv
      bG9tYm8xHTAbBgNVBAoTFEVwaWMgTGFua2EgKFBWVCkuTFREMQswCQYDVQQLEwJJVDERMA8GA1UE
      AwwIRXBpY19jbXMwga8wDQYJKoZIhvcNAQEBBQADgZ0AMIGZAoGRAJvm96rrGLETqmXhwacf0Rbz
      1nZdvAdvP91+CS38aJLz7C9+OZQCJTSbIWdKVW4CcjjCJJjhxtN0xRceoog02FayTMBL+tez4iVH
      WAzxm0mJl+l59hexYhj+Aw1x+PYK0WdfXTdVjMEfB2Lo1asxqzq43rUridBLYb+dP79+SpQUND3t
      IT3uEXmNPpYk3nZf3QIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQUMX5Iqz/gCqGA
      PFhGT5DYef1zxMcwDQYJKoZIhvcNAQELBQADgZEAXpwpgxMjcAyvFaEuNy6iRnyBRB8AZ4OfeebH
      fsYlZWY0Iiz/Btmtg4eQH1g76P5psa/BaRgbkkFRaOJ2tWZ6Bv8ZIqkgTAmHPPW1rBTauIJWNZgn
      eAUqmmQlGBWE7Zvhu9H4hoEY1kXujyOX5I2waM7XzPHWaEvCXH51nrj0/Txpvwb1ZarA/1l2uZzs
      UBcT
      -----END NEW CERTIFICATE REQUEST-----
      Second, I generate the VISA key pair to simulate the CA.

      keytool -genkey -alias TestVisaCA -keyalg RSA -keysize 1152 -keypass privatepassword -keystore TestVisaCA.jks -storepass password
      keytool -export -alias TestVisaCA -file TestVisaCA.cer -keystore TestVisaCA.jks


      Further, I read some information that a visa.crt and a visa.pem file are required to continue.


      Let me know how to sign the above CSR using the VISA CA. I would really appreciate your guidance to succeed in this because I'm really new to the crypto subject.

      Thanks
        • 1. Re: Signed using my own CA
          sabre150
          I know nothing about "VISA chip processing" but I suspect you can't do what you want using 'keytool'. 'openssh' has a set of scripts based on 'openssl' under the heading of 'easy-rsa' that I think will make what you want to do fairly painless. Google for openssh.
          • 2. Re: Signed using my own CA
            EJP
            You can't use the keytool as a private CA.
            • 3. Re: Signed using my own CA
              user10070648
              Thanks a lot

              I have got it set up now; it's below:

              //Generate key pair
              keytool -genkey -alias TestIssueEpic -keyalg RSA -keysize 1152 -keypass password -keystore TestIssueEpic.jks -storepass password

              //Generate the Certificate Signing Request.
              keytool -certreq -alias TestIssueEpic -keystore TestIssueEpic.jks -keyalg RSA -file TestIssueEpic.csr
              CA
              //Creating a Sample CA Certificate
              openssl req -config /etc/pki/tls/openssl.cnf -newkey rsa:1152 -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 1825

              //Generate a signed certificate for the associated Certificate Signing Request
              openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem -in TestIssueEpic.csr -out TestIssueEpicsinged.cer -days 1825 -CAcreateserial

              //Use the keytool to import the CA certificate into the client keystore.
              keytool -import -keystore TestIssueEpic.jks -file ca-certificate.pem -alias theCARoot

              //Use the keytool to import the signed certificate for the associated client alias in the keystore.
              keytool -import -keystore TestIssueEpic.jks -file TestIssueEpicsinged.cer -alias TestIssueEpic
              So now I have a signed certificate (TestIssueEpicsinged.cer).

              Let me know how to get the client private and public key from TestIssueEpic.jks, because the other party requires TestIssueEpicsinged.cer and the client public key.

              Thanks
              • 4. Re: Signed using my own CA
                sabre150
                Did you actually read either my reply or EJP's ?
                • 5. Re: Signed using my own CA
                  EJP
                  //Generate key pair
                  Correct.
                  //Generate the Certificate Signing Request.
                  Correct.
                  //Creating a Sample CA Certificate
                  openssl req -config /etc/pki/tls/openssl.cnf -newkey rsa:1152 -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 1825
                  I don't think so. All this does is create another CSR.
                  //Generate a signed certificate for the associated Certificate Signing Request
                  openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem -in TestIssueEpic.csr -out TestIssueEpicsinged.cer -days 1825 -CAcreateserial
                  Could be.
                  //Use the keytool to import the CA certificate into the client keystore.
                  Correct.
                  //Use the keytool to import the signed certificate for the associated client alias in the keystore.
                  Correct. However the signed client certificate should include its signer chain so the previous step may be redundant.
                  Let me know that how to get client private
                  The client private key is in the keystore and that's where it should stay. It should specifically not be provided to anybody else. It's private, innit?
                  and public key
                  The client's public key is in the signed certificate.
                  because other party is required TestIssueEpicsinged.cer and client public key.
                  Just provide them with the signed certificate and possibly the signed CA certificate.
                  • 6. Re: Signed using my own CA
                    user10070648
                    Thanks

                    Is there any way to export the client private key (private.pem) from the keystore?

                    Let me know whether the way below is correct:

                    keytool -importkeystore -srckeystore TestIssueEpic.jks -destkeystore privateKey.p12 -deststoretype PKCS12 -srcalias TestIssueEpic

                    openssl pkcs12 -in privateKey.p12 -out privateKey.pem

                    Regards

                    Edited by: user10070648 on Oct 2, 2012 5:24 AM
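The flow discussed across replies 3, 5 and 6 (create a private CA, sign the client CSR, hand the other party only the signed certificate plus the CA certificate, and move the private key around only as a password-protected PKCS#12 bundle), as an added example that is not part of the thread. It uses openssl for every step, including the client key and CSR that the poster generated with keytool, so that the whole thing runs with one tool; file names, subject DNs, the 2048-bit key size and the password `changeit` are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: private CA flow with openssl only.
# Assumes openssl on PATH; names, DNs and the password below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Replies 3/5: CA key + self-signed root, client key + CSR, CA signs the CSR.
setup_ca_and_sign() {
  (
    cd "$WORK"
    # -x509 turns the request into a self-signed certificate (the CA root).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem \
      -out ca-certificate.pem -days 1825 \
      -subj "/C=XX/O=Example Test CA/CN=Example Test Root" 2>/dev/null
    # Client key + CSR, the openssl equivalent of keytool -genkey / -certreq.
    openssl req -new -newkey rsa:2048 -nodes -keyout client-key.pem \
      -out client.csr -subj "/C=XX/O=Example Client/CN=TestIssueEpic" 2>/dev/null
    # The CA signs the CSR; -CAcreateserial creates the serial file on first use.
    openssl x509 -req -in client.csr -CA ca-certificate.pem -CAkey ca-key.pem \
      -CAcreateserial -out client-signed.cer -days 825 2>/dev/null
  )
}

# What the other party should check on receipt: does the signed certificate
# chain to the CA certificate they were given?  Prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca-certificate.pem" \
       "$WORK/client-signed.cer" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Reply 5: "the client's public key is in the signed certificate".  Compare the
# SubjectPublicKeyInfo taken from the certificate with the one derived from
# the private key; prints yes when they are identical.
cert_pubkey_matches_key() {
  from_cert=$(openssl x509 -in "$WORK/client-signed.cer" -pubkey -noout \
              | openssl dgst -sha256)
  from_key=$(openssl pkey -in "$WORK/client-key.pem" -pubout \
             | openssl dgst -sha256)
  if [ "$from_cert" = "$from_key" ]; then echo yes; else echo no; fi
}

# Reply 6: exporting the private key.  The key leaves the store only inside a
# password-protected PKCS#12 bundle (key + signed cert + CA cert), and the PEM
# produced from it is kept encrypted (no -nodes) so the key is never written in
# the clear.  Prints the number of encrypted private keys in the PEM (expect 1).
export_private_key() {
  openssl pkcs12 -export -inkey "$WORK/client-key.pem" \
    -in "$WORK/client-signed.cer" -certfile "$WORK/ca-certificate.pem" \
    -name TestIssueEpic -out "$WORK/privateKey.p12" -passout pass:changeit
  openssl pkcs12 -in "$WORK/privateKey.p12" -passin pass:changeit \
    -passout pass:changeit -out "$WORK/privateKey.pem" 2>/dev/null
  grep -c 'BEGIN ENCRYPTED PRIVATE KEY' "$WORK/privateKey.pem"
}

main() {
  setup_ca_and_sign
  echo "chain verifies:              $(verify_chain)"
  echo "cert pubkey matches key:     $(cert_pubkey_matches_key)"
  echo "encrypted keys in PEM:       $(export_private_key)"
  echo "artifacts in $WORK"
}
main
```

The two files to give the relying party are `client-signed.cer` and `ca-certificate.pem`; `privateKey.p12` and `client-key.pem` stay with the key owner. Keep the PKCS#12 password out of shell history in real use (`-passout file:` or an interactive prompt instead of `pass:`).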