This discussion is archived
6 Replies. Latest reply: Oct 2, 2012 5:24 AM by user10070648

Signed using my own CA

user10070648 Newbie
Dear all,

I'm trying to simulate an environment (VISA chip processing) in my office, so I have a few clarifications regarding crypto keys. Before that, let me explain the exact simulation I'm going to do.

I want to simulate VISA CA at my office

First I generate the issuer key pair as below.

keytool -genkey -alias TestIssueEpic -keyalg RSA -keysize 1152 -keypass privatepassword -keystore TestIssueEpic.jks -storepass password
keytool -export -alias TestIssueEpic -file TestIssueEpic.cer -keystore TestIssueEpic.jks

After I generate csr file
keytool -certreq -alias TestIssueEpic -keystore TestIssueEpic.jks

Now I have csr information

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----




Second, I generate the VISA key pair to simulate the CA.

keytool -genkey -alias TestVisaCA -keyalg RSA -keysize 1152 -keypass privatepassword -keystore TestVisaCA.jks -storepass password
keytool -export -alias TestVisaCA -file TestVisaCA.cer -keystore TestVisaCA.jks


Further, I read some information saying that visa.crt and visa.pem files are required to continue.


Let me know how to sign the above CSR using the VISA CA. I would really appreciate guidance on succeeding with this, because I'm really new to the crypto subject.

Thanks
  • 1. Re: Signed using my own CA
    sabre150 Expert
    I know nothing about "VISA chip processing" but I suspect you can't do what you want using 'keytool'. 'openssh' has a set of scripts based on 'openssl' under the heading of 'easy-rsa' that I think will make what you want to do fairly painless. Google for openssh.
  • 2. Re: Signed using my own CA
    EJP Guru
    You can't use the keytool as a private CA.
  • 3. Re: Signed using my own CA
    user10070648 Newbie
    Thanks a lot

    I got the setup now, it's below:

    //Generate key pair
    keytool -genkey -alias TestIssueEpic -keyalg RSA -keysize 1152 -keypass password -keystore TestIssueEpic.jks -storepass password

    //Generate the Certificate Signing Request.
    keytool -certreq -alias TestIssueEpic -keystore TestIssueEpic.jks -keyalg RSA -file TestIssueEpic.csr



    CA
    //Creating a Sample CA Certificate
    openssl req -config /etc/pki/tls/openssl.cnf -newkey rsa:1152 -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 1825

    //Generate a signed certificate for the associated Certificate Signing Request
    openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem -in TestIssueEpic.csr -out TestIssueEpicsinged.cer -days 1825 -CAcreateserial

    //Use the keytool to import the CA certificate into the client keystore.
    keytool -import -keystore TestIssueEpic.jks -file ca-certificate.pem -alias theCARoot

    //Use the keytool to import the signed certificate for the associated client alias in the keystore.
    keytool -import -keystore TestIssueEpic.jks -file TestIssueEpicsinged.cer -alias TestIssueEpic




    So now I have a signed certificate (TestIssueEpicsinged.cer).

    Let me know how to get the client private and public key from TestIssueEpic.jks, because the other party requires TestIssueEpicsinged.cer and the client public key.

    Thanks
  • 4. Re: Signed using my own CA
    sabre150 Expert
    Did you actually read either my reply or EJP's?
  • 5. Re: Signed using my own CA
    EJP Guru
    > //Generate key pair
    Correct.
    > //Generate the Certificate Signing Request.
    Correct.
    > //Creating a Sample CA Certificate
    > openssl req -config /etc/pki/tls/openssl.cnf -newkey rsa:1152 -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 1825
    I don't think so. All this does is create another CSR.
    > //Generate a signed certificate for the associated Certificate Signing Request
    > openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem -in TestIssueEpic.csr -out TestIssueEpicsinged.cer -days 1825 -CAcreateserial
    Could be.
    > //Use the keytool to import the CA certificate into the client keystore.
    Correct.
    > //Use the keytool to import the signed certificate for the associated client alias in the keystore.
    Correct. However the signed client certificate should include its signer chain so the previous step may be redundant.
    > Let me know how to get the client private
    The client private key is in the keystore and that's where it should stay. It should specifically not be provided to anybody else. It's private, innit?
    > and public key
    The client's public key is in the signed certificate.
    > because the other party requires TestIssueEpicsinged.cer and the client public key.
    Just provide them with the signed certificate and possibly the signed CA certificate.
  • 6. Re: Signed using my own CA
    user10070648 Newbie
    Thanks

    Is there any way to export the client private key (private.pem) from the keystore?


    Let me know whether the way below is correct:

    keytool -importkeystore -srckeystore TestIssueEpic.jks -destkeystore privateKey.p12 -deststoretype PKCS12 -srcalias TestIssueEpic

    openssl pkcs12 -in privateKey.p12 -out privateKey.pem

    Regards

    Edited by: user10070648 on Oct 2, 2012 5:24 AM
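The procedure the thread converges on (posts 3 and 6: a self-signed CA, a CSR signed by it, the certificate and CA certificate handed to the other party, and the PKCS#12 route for getting the private key out of a JKS), as an added, runnable example that is not code from the thread. It uses openssl for every step, including the key pair and CSR that the thread makes with keytool, so it runs without a JDK; it assumes `openssl` (1.1 or 3.x) and `mktemp` on PATH, and the file names and subjects (TestVisaCA, TestIssueEpic, privateKey.p12, the password `password`) are hypothetical choices that mirror the thread. It goes slightly beyond the thread by adding the checks a practitioner wants before shipping anything: the signed certificate must validate against the CA that issued it and must not validate against an unrelated CA, and the public key embedded in the certificate must match the private key, both before and after the PKCS#12 round trip.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl 1.1/3.x and mktemp on PATH.
# File names, subjects and the password "password" are hypothetical, chosen to
# mirror the thread's commands.
set -eu

# Runs in a subshell so the cd does not leak into the caller; prints the work dir.
ca_demo() (
  work=$(mktemp -d)
  cd "$work"

  # 1. The simulated "VISA CA": -x509 makes a self-signed certificate directly
  #    (no CSR is written); -nodes leaves the CA key unencrypted for the demo.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca-key.pem \
      -out ca-certificate.pem -days 1825 -subj "/CN=TestVisaCA" 2>/dev/null

  # 2. Issuer key pair and CSR (the keytool -genkey / -certreq steps, done with
  #    openssl here; 1152-bit RSA as in the thread's commands).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1152 \
      -out issuer-key.pem 2>/dev/null
  openssl req -new -key issuer-key.pem -out TestIssueEpic.csr \
      -subj "/CN=TestIssueEpic" 2>/dev/null

  # 3. The CA signs the CSR. -CAcreateserial starts a serial file so every
  #    certificate this CA issues gets a distinct serial number.
  openssl x509 -req -in TestIssueEpic.csr -CA ca-certificate.pem -CAkey ca-key.pem \
      -CAcreateserial -days 1825 -out TestIssueEpicsigned.cer 2>/dev/null

  # 4a. The chain validates against the CA that issued it ...
  openssl verify -CAfile ca-certificate.pem TestIssueEpicsigned.cer >/dev/null 2>&1
  # 4b. ... and must NOT validate against an unrelated CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout other-key.pem \
      -out other-ca.pem -days 1 -subj "/CN=OtherCA" 2>/dev/null
  if openssl verify -CAfile other-ca.pem TestIssueEpicsigned.cer >/dev/null 2>&1; then
    echo "unrelated CA accepted the certificate" >&2
    exit 1
  fi
  # 4c. The public key inside the signed certificate belongs to the issuer's
  #     private key. This is the "client public key" the other party asked for:
  #     it is already inside the certificate, so no separate file is needed.
  cert_pub=$(openssl x509 -in TestIssueEpicsigned.cer -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in issuer-key.pem -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
  openssl x509 -in TestIssueEpicsigned.cer -noout -pubkey > TestIssueEpic-pub.pem

  # 5. The PKCS#12 round trip from the last post: keytool -importkeystore with
  #    -deststoretype PKCS12 produces a .p12 like this one, which openssl reads.
  openssl pkcs12 -export -inkey issuer-key.pem -in TestIssueEpicsigned.cer \
      -certfile ca-certificate.pem -out privateKey.p12 -passout pass:password
  #    -nocerts keeps the certificates out of the .pem; -nodes writes the key
  #    unencrypted instead of prompting for a new passphrase.
  openssl pkcs12 -in privateKey.p12 -nocerts -nodes -passin pass:password \
      -out privateKey.pem 2>/dev/null
  p12_pub=$(openssl pkey -in privateKey.pem -pubout | openssl sha256)
  [ "$cert_pub" = "$p12_pub" ]

  printf '%s\n' "$work"
)

# Path of the one file that goes to the other party, given the work dir.
signed_cert_path() {
  printf '%s/TestIssueEpicsigned.cer\n' "$1"
}

dir=$(ca_demo)
echo "artifacts in $dir"
echo "send: $(signed_cert_path "$dir") and $dir/ca-certificate.pem"
echo "keep: $dir/issuer-key.pem and $dir/privateKey.pem (never leave the machine)"
```

The two sha256 comparisons are the check the thread never does: a certificate that validates against the CA but carries a different public key than the keystore's private key is useless, and it is exactly what you get if the wrong alias is imported. Step 5 is only for when an external tool genuinely needs the raw key; `privateKey.pem` from `-nodes` is plaintext, so delete it as soon as it has been consumed.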
