Date: Wed, 05 May 1999 11:20:18 +0200
From: Gilles Roussel <Gilles.Roussel@univ-mlv.fr>
To: java-security@java.sun.com, Roussel Gilles <roussel@univ-mlv.fr>
Subject: certreq Test problem
I'm trying to obtain a certificate chain from www.thawte.com.
So, first I generated the request:
keytool -certreq -alias moi -file moi.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Then I copied this request into the following page:
https://www.thawte.com/cgi/server/test.exe
And chose the following options:
X Custom Cert (configure below)
X Use the "standard" format
This lowest-common-denominator format is a BASE64 encoding of an X.509 certificate.
X Generate an X.509v3 certificate
The newest version of X.509 is 3. It allows us to embed extensions into certificates and to do neat things like
certificate chaining and key rotation. The whole world is moving to v3, so we definitely want you to test your
stuff with this enabled. You need to enable v3 if you want to include most of the things described below.
Use an intermediate key-signing cert
Thawte gave me the following response:
Here is your certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
keytool -printcert -file moithawte.cer
Owner: CN=Gilles Rousssel, OU=IGM, O=UMLV, L=Champs, C=FR
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 960501
Valid from: Wed May 05 09:49:42 GMT+01:00 1999 until: Sat Jun 05 09:49:42 GMT+01:00 1999
Certificate fingerprints:
MD5: 28:33:E5:FB:9E:4A:ED:06:63:C1:5B:1B:89:EF:3D:FF
SHA1: 02:34:18:06:80:06:11:F7:E6:6A:6D:45:00:1E:EA:49:B0:6D:B0:54
Then if I try to import this certificate directly, it logically fails because my keystore
does not contain Thawte's self-signed certificate, which is the next link from the previous certificate.
keytool -import -alias moi -file moithawte.cer
keytool error: Failed to establish chain from reply
So, I picked up Thawte's test root CA in text format at:
https://www.thawte.com/servertest.txt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
keytool -printcert -file thawte.cer
Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 0
Valid from: Thu Aug 01 01:00:00 GMT+01:00 1996 until: Thu Dec 31 22:59:59 GMT+01:00 2020
Certificate fingerprints:
MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
And when I try to import the certificate it fails as follows:
keytool -import -alias thawte -file thawte.cer
keytool error: Signature not available
Finally I've tried to import a VeriSign certificate from the JDK distribution and it fails as follows:
keytool -export -alias verisignclass3ca -keystore /usr/lib/jdk1.2/jre/lib/security/cacerts -rfc -file verisign.cer
keytool -import -alias verisign -file verisign.cer
keytool error: Signature not available
I don't see what I'm doing wrong. Could you please help me?
Thanks
-----
Gilles Roussel
Batiment Copernic - Université de Marne-la-Vallée - Cité Descartes
5, boulevard Descartes - Champs sur Marne - 77454 Marne-la-Vallée Cedex 2 - FRANCE
Tel : 01-60-95-75-59 - Fax : 01-60-95-75-57
WWW : http://www-igm.univ-mlv.fr/~roussel
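
Added example, not part of the original message and not keytool's own code: a Python model of the name-chaining step behind the "Failed to establish chain from reply" error, run over the Owner/Issuer/Serial fields of the two keytool -printcert outputs quoted above. It matches issuer to owner against the keystore's trusted entries only; signature verification is not modelled, and all function names are hypothetical.

```python
# Constructed input: the Owner/Issuer/Serial lines of the two `keytool -printcert`
# outputs quoted in the message (fingerprints and validity omitted).
THAWTE_ROOT_DN = ("CN=Thawte Test CA Root, OU=TEST TEST TEST, "
                  "O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA")
REPLY_TEXT = ("Owner: CN=Gilles Rousssel, OU=IGM, O=UMLV, L=Champs, C=FR\n"
              "Issuer: " + THAWTE_ROOT_DN + "\nSerial number: 960501\n")
ROOT_TEXT = ("Owner: " + THAWTE_ROOT_DN + "\nIssuer: " + THAWTE_ROOT_DN
             + "\nSerial number: 0\n")

class ChainError(Exception):
    """Raised when no path from the reply to a self-signed trusted cert exists."""

def parse_printcert(text):
    """Extract owner, issuer and serial from `keytool -printcert` text."""
    wanted = {"Owner": "subject", "Issuer": "issuer", "Serial number": "serial"}
    cert = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in wanted:
            cert[wanted[key.strip()]] = value.strip()
    missing = set(wanted.values()) - set(cert)
    if missing:
        raise ValueError("printcert output lacks: " + ", ".join(sorted(missing)))
    return cert

def dn_key(dn):
    """Comparable form of a DN. Simplification: assumes no commas inside values."""
    parts = (rdn.split("=", 1) for rdn in dn.split(","))
    return tuple((k.strip().upper(), v.strip()) for k, v in parts)

def establish_chain(reply, trusted, max_len=10):
    """Follow Issuer -> Owner links; name chaining only, signatures NOT verified."""
    by_subject = {dn_key(c["subject"]): c for c in trusted}
    chain = [reply]
    while dn_key(chain[-1]["issuer"]) != dn_key(chain[-1]["subject"]):
        issuer = by_subject.get(dn_key(chain[-1]["issuer"]))
        if issuer is None or len(chain) >= max_len:  # missing link or a loop
            raise ChainError("Failed to establish chain from reply")
        chain.append(issuer)
    return chain

def try_import(reply_text, trusted_texts):
    """Return the serial numbers along the chain, or the error message."""
    try:
        chain = establish_chain(parse_printcert(reply_text),
                                [parse_printcert(t) for t in trusted_texts])
    except ChainError as exc:
        return str(exc)
    return [c["serial"] for c in chain]
```

With an empty trusted set the reply cannot be chained; once the self-signed root is among the trusted entries the chain is the reply followed by the root.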