Re: Possibly silly question. . .

Jan Luehe (Jan.Luehe@eng.sun.com)
Fri, 12 Mar 1999 18:02:27 -0800 (PST)

Date: Fri, 12 Mar 1999 18:02:27 -0800 (PST)
From: Jan Luehe <Jan.Luehe@eng.sun.com>
Subject: Re: Possibly silly question. . .
To: java-security@java.sun.com, Frank.Yellin@eng.sun.com

Frank:

> #1)
> I could visit www.verisign.com, and get them to generate a signature for
> me. Netscape happily did the hard work for me.
> But I couldn't figure out how to get either verisign or netscape
> to print this out in a format that could then be imported by keytool.

Netscape exports the certificate as a PKCS#12 encoded blurb,
which we currently do not support.

> #2)
> I could use keytool to create a key pair, and then print a
> self-signed certificate. But what am I supposed to do with it? How do
> I get Verisign (or someone else) to sign a signature that I've generated?
> I couldn't figure out how to do this. . . .

You can use keytool (option: -certreq) to generate a PKCS#10 certificate signing
request (CSR). This is a standard format for requesting a certificate
from a CA.

If you go to "https://digitalid.verisign.com/TestGetCSR.html"
or "https://www.thawte.com/cgi/server/test.exe",
you can paste your CSR (that was generated by keytool) into
the provided space, and request a certificate chain which will
be sent to you, which you can then import into your
keystore. We've tested this with both VeriSign and Thawte CAs.
The certificate chain replies are encoded as PKCS#7 messages.

When using the above URLs, you will get a (server) test certificate
for use in SSL. It's free. Thawte will also accept your CSR for
codesigning certificates, but will charge you.

We are working with VeriSign so that they will also issue
codesigning certificates for us.

Note that there was a bug in JDK 1.2 (regarding indefinite-length
encoding), which prevented us from parsing some of the
certificate chain replies produced by VeriSign.
This is fixed in the latest 1.2.1.

Jan
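Added example (not from the original message or from the JDK sources): the reply above says keytool imports the CA's certificate-chain reply as a PKCS#7 message, and that JDK 1.2 failed on some VeriSign replies because of indefinite-length encoding. The following Python parser shows what that difference looks like at the byte level. The two sample encodings are constructed by hand as a stand-in for the outer PKCS#7 ContentInfo (the signedData OID followed by a [0] wrapper); they are not bytes captured from VeriSign, Thawte or keytool. In strict DER mode the parser rejects the indefinite form, which is the behaviour the message attributes to 1.2; in BER mode it accepts both and decodes them to the same structure.

```python
"""Minimal BER/DER TLV parser: definite vs. indefinite length.

Added illustration; not code from the original message or the JDK.
The sample encodings are constructed, not taken from a real CA reply.
"""

INDEFINITE = None  # sentinel for a 0x80 length octet


class BerError(ValueError):
    """Raised for malformed input or, in strict mode, for non-DER forms."""


def _read_length(buf, pos):
    """Return (length or INDEFINITE, position after the length octets)."""
    first = buf[pos]
    pos += 1
    if first == 0x80:
        return INDEFINITE, pos          # indefinite form, terminated by 00 00
    if first < 0x80:
        return first, pos               # short form
    n = first & 0x7F
    if n == 0x7F or pos + n > len(buf):
        raise BerError("malformed long-form length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse_tlv(buf, pos=0, strict_der=False):
    """Parse one element at pos; return (tag, value, position after it).

    value is bytes for primitive elements and a list of (tag, value)
    children for constructed ones.  strict_der=True rejects indefinite
    lengths the way a DER-only decoder does.
    """
    if pos >= len(buf):
        raise BerError("unexpected end of data")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise BerError("multi-byte tags not handled in this example")
    constructed = bool(tag & 0x20)
    length, pos = _read_length(buf, pos + 1)

    if length is INDEFINITE:
        if strict_der:
            raise BerError("indefinite length is not valid DER")
        if not constructed:
            raise BerError("indefinite length on a primitive element")
        children = []
        while True:
            if buf[pos:pos + 2] == b"\x00\x00":      # end-of-contents octets
                return tag, children, pos + 2
            child_tag, child_val, pos = parse_tlv(buf, pos, strict_der)
            children.append((child_tag, child_val))

    end = pos + length
    if end > len(buf):
        raise BerError("length exceeds available data")
    if not constructed:
        return tag, bytes(buf[pos:end]), end
    children = []
    while pos < end:
        child_tag, child_val, pos = parse_tlv(buf, pos, strict_der)
        children.append((child_tag, child_val))
    if pos != end:
        raise BerError("children overran the constructed length")
    return tag, children, end


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


TAG_NAMES = {0x02: "INTEGER", 0x06: "OID", 0x30: "SEQUENCE", 0x31: "SET", 0xA0: "[0]"}


def _describe(tag, value):
    name = TAG_NAMES.get(tag, "tag 0x%02X" % tag)
    if isinstance(value, list):
        return (name, [_describe(t, v) for t, v in value])
    if tag == 0x06:
        return (name, decode_oid(value))
    return (name, value.hex())


def describe(buf, strict_der=False):
    """Parse a whole buffer and return a nested (name, value) description."""
    tag, value, end = parse_tlv(buf, 0, strict_der)
    if end != len(buf):
        raise BerError("trailing data after top-level element")
    return _describe(tag, value)


def parses(buf, strict_der=False):
    """True if the buffer parses cleanly under the given mode."""
    try:
        describe(buf, strict_der)
        return True
    except BerError:
        return False


# Constructed stand-in for a PKCS#7 ContentInfo header:
#   SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData), [0] { SEQUENCE {} } }
# DER: every length is definite.
DEFINITE_REPLY = bytes.fromhex("300f" "06092a864886f70d010702" "a002" "3000")
# BER: the constructed elements use indefinite lengths and 00 00 terminators.
INDEFINITE_REPLY = bytes.fromhex("3080" "06092a864886f70d010702" "a080" "3080" "0000" "0000" "0000")

if __name__ == "__main__":
    print(describe(DEFINITE_REPLY))
    print(describe(INDEFINITE_REPLY))
    print("strict DER accepts indefinite form:", parses(INDEFINITE_REPLY, strict_der=True))
```

Both inputs decode to the same structure in BER mode, so the bytes a CA emits are not wrong, only encoded in a form a strict DER decoder will not take. A keystore tool that wants to accept real-world PKCS#7 replies has to tolerate the indefinite form while still enforcing definite lengths wherever signatures are computed over the encoding.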