Re: unable to import a trusted cert (CA cert other than Verisign)

Jan Luehe (luehe@laguna.eng.sun.com)
Mon, 30 Nov 1998 19:06:02 -0800 (PST)

Vamsee:

> I 'm having a little bit of a problem trying to add the certificate of my CA
> to my keystore as a trusted cert. I understand this is a prerequisite before
> adding my certificate reply from the CA to my keystore.
>
> ----------
> [D:/vamsee/security] keytool -printcert -file thawte-cacert-personal-freemail.crt
> Owner: EmailAddress=personal-freemail@thawte.com, CN=Thawte Personal
> Freemail CA, OU=Certification
> Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
> Issuer: EmailAddress=personal-freemail@thawte.com, CN=Thawte Personal
> Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape
> Town, ST=Western Cape, C=ZA
> Serial number: 0
> Valid from: Sun Dec 31 16:00:00 PST 1995 until: Thu Dec 31 15:59:59 PST 2020
> Certificate fingerprints:
> MD5: 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
> SHA1: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
> [D:/vamsee/security] keytool -import -alias Thawte -file thawte-cacert-personal-freemail.crt -keystore keystore
> Enter keystore password: password
> keytool error: Signature not available
> [D:/vamsee/security]
> -----------
>
> The thawte-cacert-personal-freemail.crt file is enclosed (can also be
> retrieved from http://www.thawte.com/certs/trustmap.html, first item in the
> table). What else do I need to supply to keep keytool happy? Appreciate any
> suggestions.

The certificate you attached is self-signed.

When you import a self-signed cert into your keystore,
keytool attempts to verify
its signature (using the public key contained in the cert). This is
a sanity check.

For this to succeed, you need to make sure that the algorithm
under which the certificate is signed (in this case:
"MD5WithRSAEncryption") is available, i.e., supplied by at least
one of your configured providers.

Note that the default SUN provider does not supply this algorithm.
This is why you get: "keytool error: Signature not available".

So you need to install a provider that supports
"MD5WithRSAEncryption" signatures. You can either purchase one
from RSA Data Security, Inc. (their provider is called "Jsafe")
or write your own.

Jan
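The sanity check Jan describes can be reproduced outside keytool with the public JCA API: load the certificate, look up which configured providers offer a Signature engine for its signature algorithm, and then verify the certificate with its own public key. The program below is an added example written for this thread; it is not part of keytool or the JDK. It assumes a modern JDK (Java 8 or later), and takes the certificate file (DER or PEM) as its first command-line argument, since no certificate is embedded here.

```java
// SelfSignedCheck.java - added example, not keytool's own code.
// Reproduces the check keytool performs when a self-signed certificate
// is imported: the certificate's signature must verify under the public
// key it carries, which requires a configured provider that implements
// the certificate's signature algorithm (e.g. MD5withRSA).
// Assumes: the certificate path is passed as args[0].
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class SelfSignedCheck {

    /** Names of the configured providers that implement Signature.<sigAlgName>. */
    static String[] providersFor(String sigAlgName) {
        // Security.getProviders(filter) accepts "<ServiceType>.<Algorithm>" filters
        // and returns null when no configured provider matches.
        Provider[] ps = Security.getProviders("Signature." + sigAlgName);
        if (ps == null) {
            return new String[0];
        }
        String[] names = new String[ps.length];
        for (int i = 0; i < ps.length; i++) {
            names[i] = ps[i].getName();
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SelfSignedCheck <cert-file>");
            System.exit(2);
        }

        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            cert = (X509Certificate) cf.generateCertificate(in);
        }

        // A self-signed certificate has identical subject and issuer names.
        boolean selfSigned =
            cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        String sigAlg = cert.getSigAlgName(); // e.g. "MD5withRSA" for the Thawte root above
        System.out.println("Subject:     " + cert.getSubjectX500Principal());
        System.out.println("Issuer:      " + cert.getIssuerX500Principal());
        System.out.println("Self-signed: " + selfSigned);
        System.out.println("Sig alg:     " + sigAlg + " (OID " + cert.getSigAlgOID() + ")");

        String[] providers = providersFor(sigAlg);
        if (providers.length == 0) {
            // This is exactly the condition behind keytool's "Signature not available":
            // none of the configured providers supplies this Signature algorithm.
            System.out.println("No configured provider implements Signature." + sigAlg);
        } else {
            System.out.println("Providers for " + sigAlg + ": " + String.join(", ", providers));
        }

        // The check keytool runs on import of a self-signed cert: verify the
        // signature using the public key contained in the certificate itself.
        try {
            cert.verify(cert.getPublicKey());
            System.out.println("Self-signature verifies.");
        } catch (NoSuchAlgorithmException e) {
            // Same root cause as the error in the original post.
            System.out.println("Signature not available: " + e.getMessage());
        } catch (SignatureException e) {
            // Algorithm available, but the bytes do not verify: a corrupted or
            // tampered certificate, or one that is not actually self-signed.
            System.out.println("Signature present but INVALID: " + e.getMessage());
        }
    }
}
```

Run it as `java SelfSignedCheck thawte-cacert-personal-freemail.crt`. If the provider list comes back empty, the fix is the one Jan gives: register a provider that implements the algorithm, either with a `security.provider.<n>=` line in the JRE's `java.security` file or programmatically via `Security.addProvider()`. On current JDKs the bundled SunRsaSign provider does implement MD5withRSA, so this particular error no longer occurs for that algorithm; instead MD5 is listed in `jdk.certpath.disabledAlgorithms`, so it is rejected during certificate path validation and keytool warns when such a certificate is imported.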