On 3/06/2010 12:08 PM, Jeffrey Baker wrote:
> On Wed, Jun 2, 2010 at 5:46 PM, Jeffrey Baker <jwbaker@gmail.com> wrote:
>> I was interested in this[1] work on SSL client certs for JDBC, but I
>> see the author stopped working on your project. I hope the list can
>> give me a quick clue, because I've been banging my head against this
>> all day.
>
> Just to update the list, I did figure this out. Turns out I hadn't
> imported my private key into the keystore file. Which, in turn, is a
> ridiculous pain in the butt because keytool can only deal with private
> keys it generated, or those in PKCS#12 files, and in fact only in
> PKCS#12 files protected with passwords.
It's often easier to just point the keyStore directly at a PKCS#12 file
using the javax.net.ssl.trustStoreType=pkcs12 system property.
> Furthermore once the key is
> in the keystore it must also have a password there (keystore password
> as well as key password) or the implementation will refuse to use it!
And both passwords must be the SAME.
> # openssl pkcs12 -export -out client.pkcs12 -in client.cert -inkey client.key
> # keytool -importkeystore -deststorepass changeit -destkeystore client.jks \
>     -srckeystore client.pkcs12 -srcstorepass changeit -srcstoretype PKCS12 \
>     -alias 1 -destkeypass changeit
Generally, you are better off using keytool to generate the key and a
certificate request, getting that certificate request signed by the CA,
and importing the reply into your keystore.
--
Craig Ringer
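The keytool-first flow Craig recommends (generate the key pair in the keystore, export a CSR, have the CA sign it, import the reply), written out as an added example that is not from either poster. To run offline it stands up a throw-away CA with openssl in place of the real CA; the alias names, the subject names, the scratch directory and the shared `changeit` password (store and key password kept identical, as the thread notes) are all assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes keytool (JDK)
# and openssl are on PATH. Everything is written under the directory in $1.
set -eu

have_tools() {
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

# Build client.jks holding a private key whose certificate was issued by a CA
# from a CSR, without the private key ever leaving the keystore.
build_client_jks() {
    work="$1"
    pass="${2:-changeit}"        # assumption: same value for store and key
    mkdir -p "$work"

    # 1. Throw-away CA standing in for the real CA the CSR would be sent to.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-ca" \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1

    # 2. keytool generates the key pair inside the keystore ...
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 \
        -dname "CN=client" -validity 365 \
        -keystore "$work/client.jks" -storepass "$pass" -keypass "$pass" \
        >/dev/null 2>&1
    # ... and emits a certificate request for that key.
    keytool -certreq -alias client -file "$work/client.csr" \
        -keystore "$work/client.jks" -storepass "$pass" -keypass "$pass" \
        >/dev/null 2>&1

    # 3. The CA signs the request (serial file lands next to ca.crt).
    openssl x509 -req -in "$work/client.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -days 365 -out "$work/client.crt" >/dev/null 2>&1

    # 4. Import the CA certificate as a trusted entry first, so keytool can
    #    validate the reply's chain; then import the reply under the SAME
    #    alias as the key, which makes keytool treat it as a certificate reply.
    keytool -importcert -noprompt -alias demo-ca -file "$work/ca.crt" \
        -keystore "$work/client.jks" -storepass "$pass" >/dev/null 2>&1
    keytool -importcert -alias client -file "$work/client.crt" \
        -keystore "$work/client.jks" -storepass "$pass" -keypass "$pass" \
        >/dev/null 2>&1
}

# Succeeds only if the alias is a key entry (not a bare trusted cert) with
# the two-certificate chain (client cert + CA) that the reply import built.
check_client_jks() {
    work="$1"
    pass="${2:-changeit}"
    out=$(keytool -list -v -alias client \
        -keystore "$work/client.jks" -storepass "$pass" 2>/dev/null)
    printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry' &&
        printf '%s\n' "$out" | grep -q 'Certificate chain length: 2'
}

if [ "${1:-}" != "" ] && have_tools; then
    build_client_jks "$1"
    check_client_jks "$1" && echo "client.jks is ready: $1/client.jks"
fi
```

The resulting keystore is used with `-Djavax.net.ssl.keyStore=client.jks` and `-Djavax.net.ssl.keyStorePassword=changeit`; the `check_client_jks` step is the quick test for the failure Jeffrey hit, since a keystore that only received `-importcert` of a certificate (no key under that alias) lists a `trustedCertEntry` rather than a `PrivateKeyEntry`.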