• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Liutauras Vilda
  • Paul Clapham
  • Bear Bibeault
  • Jeanne Boyarsky
  • Ron McLeod
  • Tim Cooke
  • Devaka Cooray
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Jj Roberts
  • Stephan van Hulst
  • Carey Brown
  • salvin francis
  • Scott Selikoff
  • fred rosenberger

Certificate chain...

Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

I have created a keystore in my webserver. In this keystore i putted:
1st - My own self signed certificate

keytool -genkey -alias vbvsign -keyalg RSA -keysize 1024 -keystore .keystoreCV -storepass vbvsignpass -storetype jks -dname "CN=, OU=Development, O=SISP, L=Praia, ST=Praia, C=CV"

keytool -certreq -v -alias vbvsign -keystore .keystoreCV -storepass vbvsignpass -file vbvCSR.pem

2nd - CA Certificatekeytool -import -alias MPIclientCA -keystore .keystoreCV -trustcacerts -file pitroot.der

3rd - Client Certificate received by email
keytool -import -alias MPIclientCertificate -keystore .keystoreCV -trustcacerts -file
keytool -import -alias vbvsign -keystore .keystoreCV -trustcacerts -file MPIclient_certificate.der

When i received the last one (3rd), they also send a PKCS#7 certificate chain. Now, i need to validate a XML File, signed, and i dont know what or how can i validate that... Now, i am validating the three certificates (it looks well), but when validating the signature it return a validation error:
"javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key"

I think that possibly maybe i need to import or do something else with the PKCS#7 certificate chain that i received by email, but i dont know what to do...

Can you help me please!

Thanks a lot,
Ranch Hand
Posts: 220
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am not familiar with the XML security APIs, but I'm sure the concepts are the same as for other PKI applications. First, you must understand that the certified keypair that you have stored at alias vbvsign is used by you to sign documents, not to verify them. To verify a document that someone else has signed, you must have their certified public key. Most APIs, and probably also the XML APIs you are using, allow for this public key certificate to be included in the message itself. All that is required on your part is that you have the root CA that signed their public key in your trusted certificate store.
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
    Bookmark Topic Watch Topic
  • New Topic