This discussion is archived
Latest reply: Sep 13, 2011 3:01 PM by 888044
  • 15. Re: Socket.startHandshake with PKCS11 token
    830591 Newbie
    It must be possible to add the missing chain at run time. But how? Is this correct?
    Nothing is impossible; you can read the JSSE reference guide for a complicated solution. But from my understanding, none is as simple/straightforward as importing the intermediate certificates into the smart card. It's an interoperability problem of a smart card that does not include the intermediate certificates.
  • 16. Re: Socket.startHandshake with PKCS11 token
    EJP Guru
    It must be possible to add the missing chain at run time.
    Why on earth would you want to do that? The whole idea of the card is to store your security information. So store it.
  • 17. Re: Socket.startHandshake with PKCS11 token
    user10878887 Newbie
    EJP wrote:
    It must be possible to add the missing chain at run time.
    Why on earth would you want to do that? The whole idea of the card is to store your security information. So store it.
    Because other people that don't know how to add something on the token will use similar tokens.
    So I don't want to give them additional instructions about how to add the missing link for the chain.
    I just want the application to work out of the box.
    I will try to create a custom key store where I will add what is on the token and the missing link that I downloaded from here [http://www.transsped.ro/cacerts/trans_sped_qca_ii.crt] .
    I'll give a reply here.
    Both of your instructions were very useful.

    Thank you.
  • 18. Re: Socket.startHandshake with PKCS11 token
    830591 Newbie
    Please refer to the blog about why the smart card vendor should store the intermediate certificate into the deployed smart card: http://simsmi.wordpress.com/2011/06/26/best-practice-to-include-the-compelete-certificate-chain-in-the-keystore/
  • 19. Re: Socket.startHandshake with PKCS11 token
    user10878887 Newbie
    I tried 3 things.

    1) I tried to write the missing chain on the token, but I don't have the software and it seems it is not free to use.
    I will phone the producer tomorrow to ask about this.

    2) I tried to add from java the missing chain directly into the pkcs11 key store but the message is:
    "java.security.KeyStoreException: java.lang.UnsupportedOperationException: trusted certificates may only be set by token initialization application"

    3) I created a new key store and I tried to store in it the missing chain and the certificate from the token, but the attempt failed as expected.
    I can't move what is on the token on another key store because the private key cannot be moved.

    Solving this problem from java would be the best solution since the users would not need a third party software.
    Can this be done from java?
    I read a few things from JSSE reference guide but I'm not sure this is possible.
  • 20. Re: Socket.startHandshake with PKCS11 token
    user10878887 Newbie
    This is a good argument.
    I will apply this solution. I just want to be done with this problem.
    But I must check first if I can do this as simply as it should be with the Gemalto token.
    With the token I have 2 applications: "Cove personalization tool(User)" and "EasySign", but neither of them can import the intermediate certificate.
  • 21. Re: Socket.startHandshake with PKCS11 token
    user10878887 Newbie
    I made it work with the Java wrapper for Microsoft CAPI.
    I installed the intermediate certificate there.
  • 22. Re: Socket.startHandshake with PKCS11 token
    830591 Newbie
    2) I tried to add from java the missing chain directly into the pkcs11 key store but the message is:
    "java.security.KeyStoreException: java.lang.UnsupportedOperationException: trusted certificates may only be set by token initialization application"
    3) I created a new key store and I tried to store in it the missing chain and the certificate from the token, but the attempt failed as expected.
    I can't move what is on the token on another key store because the private key cannot be moved.
    OK, that's the correct behaviour of a secure smart card. The trust materials should be initialized during the smart card burning. The smart card burner should import the intermediate certificate during initialization.
    Can this be done from java?
    I read a few things from JSSE reference guide but I'm not sure this is possible.
    I believe you can do it by customizing the KeyManager, although it is not easy. I cannot help you more with a how-to; you'll have to research the paper with your team, or contact the Oracle consulting service.
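    One way to do what the last two posts describe, supplying the intermediate at run time by customizing the KeyManager instead of writing to the token. This is an added example, not code posted by anyone in this thread and not Oracle's own API documentation. It assumes a SunPKCS11 configuration file named pkcs11.cfg, the downloaded intermediate saved as trans_sped_qca_ii.crt, a client that authenticates to the server with the token key, and the Java 9+ Provider.configure call (the Java 8 equivalent is noted inline); the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.*;

// Wraps the SunPKCS11 key manager and completes the client chain from intermediates
// read off disk, so nothing is ever written to the token (SunPKCS11 rejects that).
public final class ChainCompletingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final List<X509Certificate> intermediates;

    public ChainCompletingKeyManager(X509KeyManager delegate, List<X509Certificate> intermediates) {
        this.delegate = delegate;
        this.intermediates = new ArrayList<>(intermediates);
    }

    // Token chain plus every intermediate that verifiably issued the chain's last element.
    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        X509Certificate[] fromToken = delegate.getCertificateChain(alias);
        if (fromToken == null || fromToken.length == 0) return fromToken;
        List<X509Certificate> chain = new ArrayList<>(Arrays.asList(fromToken));
        X509Certificate last = chain.get(chain.size() - 1);
        boolean extended = true;
        while (extended && !isSelfSigned(last)) {
            extended = false;
            for (X509Certificate ca : intermediates) {
                if (chain.contains(ca) || !ca.getSubjectX500Principal().equals(last.getIssuerX500Principal())) continue;
                try {
                    last.verify(ca.getPublicKey()); // a matching DN is not enough: check the signature
                } catch (Exception e) {
                    continue;                       // same name, wrong key: not the real issuer
                }
                chain.add(ca);
                last = ca;
                extended = true;
                break;
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    private static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    // Alias selection and the private key stay with the token.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    // Reads PEM or DER certificates, one or more per file.
    public static List<X509Certificate> loadCertificates(String... files) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (String f : files) {
            try (InputStream in = new FileInputStream(f)) {
                for (Object c : cf.generateCertificates(in)) out.add((X509Certificate) c);
            }
        }
        return out;
    }

    // SSLContext whose client auth signs with the token key but presents the completed chain.
    public static SSLContext buildContext(String pkcs11Config, char[] pin, List<X509Certificate> inters) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11Config); // Java 9+; Java 8: new sun.security.pkcs11.SunPKCS11(pkcs11Config)
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                                   // logs in to the token with the PIN
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new ChainCompletingKeyManager((X509KeyManager) kms[i], inters);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);                            // null: default JRE trust store for the server's cert
        return ctx;
    }

    public static void main(String[] args) throws Exception { // usage: java ChainCompletingKeyManager host port (from a terminal, for the PIN prompt)
        List<X509Certificate> inters = loadCertificates("trans_sped_qca_ii.crt"); // assumed file name
        SSLContext ctx = buildContext("pkcs11.cfg", System.console().readPassword("Token PIN: "), inters);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            System.out.println("handshake OK with " + s.getSession().getCipherSuite());
        }
    }
}
```

    Two caveats. The wrapper only changes what JSSE sends in the Certificate message; code that calls KeyStore.getCertificateChain on the PKCS11 store directly still sees the bare leaf. And it completes the chain up to, but not including, a self-signed root, so the server must already trust that root; shipping the root with the client would not help. The signature check in getCertificateChain is what keeps a stray certificate with the same issuer name from being spliced in.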
  • 23. Re: Socket.startHandshake with PKCS11 token
    888044 Newbie
    In reply to:
    I made it work with the Java wrapper for Microsoft CAPI.
    I installed the intermediate certificate there.

    Hello,

    I have the same problem here. The certificate is not on the token.

    Did you manage to solve this problem with the Java wrapper for Microsoft CAPI?

    If yes, can you please give me more details.

    Thanks In Advance.
