Hello,

what are the steps to create and set a client certificate with setKeyAndChain?

Following the instructions from [URL]http://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/[/URL] I managed to create key, CA- and clientcerts …

1. Generate CA Key and Certificate
   [QUOTE]
   openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config conf/caconfig.cnf
   [/QUOTE]
2. Create Client Certificate
   [QUOTE]
   openssl req -new -nodes -out myfriend.req.pem -keyout private/myfriend.key.pem -days 365 -config conf/caconfig.cnf
   [/QUOTE]
3. Sign Client Certificate
   [QUOTE]
   openssl ca -out certs/myfriend.cert.pem -days 365 -config conf/openssl.cnf -infiles myfriend.req.pem
   [/QUOTE]
4. Transform CA Key to DER format
   [QUOTE]
   openssl rsa -inform PEM -outform DER -in private/cakey.pem -out private/cakey.der
   [/QUOTE]
5. Transform signed Client Certificate
   [QUOTE]
   openssl.exe x509 -in .pem -outform DER -out myfriend.der
   [/QUOTE]
6. Install signed Client Certificate myfriend.der to local windows “Trusted Root Certification Authorities”
7. setKeyAndChain
   [QUOTE]
   privKeyFile = private/cakey.der
   certfiles = myfriend.der
   [/QUOTE]

Unfortunately the partner doesn’t receive the Client Certificate and I get the error “java.io.IOException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: certificate unknown”.

Because of firewall, proxy etc. settings I just can test on a productive environment. I.e. I cannot restart and enable SSL-logging.

What is the right combination of certs for the setKeyAndChain service? Is something wrong with the steps of creation?

Thanks in advance,
Daniel

Hey this is really very good stuff. You have explained it very well. I am definitely going to work on!!!

SEO Auckland

use clearchain srv before invoking the setter method. let me know if it works.