Hi guys,
I have a question related to digital certificates: where can I import a digital certificate?
I've searched the tool but I couldn't find anything about certificates.
There's only the one which is given by the tool....
If I want to add a new one, where should it be located, should it be on the $MEC_DIRECTORY$/as2 directory next to all the others?
Thanks
m-e-c as2 has no graphical interface to manage the certificates. I would recommend portecle for that: http://portecle.sourceforge.net/.
Using portecle you could simply add or import new certificates and keys to the keystore. All keys used for digital signatures and encryption are held in one keystore.
The certificates and keys are stored in the file called "certificates.p12" in the installation directory of m-e-c as2. The keystore format is PKCS#12 (you cannot open this file using the javakey tool; it doesn't support this format).
The keystore password is by default "test". Keys don't have a password in PKCS#12. You could change the password for the keystore in the preferences after you have started m-e-c as2.
Please don't mix up this certificate keystore with the keystore that is needed if you use SSL. The SSL keystore is located at jetty/etc/keystore; its password is also set in the preferences GUI and in the servlet container's configuration file jetty/etc/jetty.xml.
Regards
Heller
Hello,
that is a good question. I have to solve this problem in further tests.
I think that the certificates are managed by Java Keytool (Keystore), but I just found one keystore at
$MEC_DIRECTORY/jetty/etc/. In this keystore only one certificate is stored; I think this will be the one for the SSL encryption.
Best regards
Tobias Hergenroether
Hello,
so Heller, do I get you right that I'm able to create keys with OpenSSL and export these keys to PKCS12 format?
You told us that the password to
$MEC-DIRECTORY/certificates.p12 is test, but if I create a new file with another password, where am I able to tell mec as2 the new password?
Best regards
Tobias Hergenroether
Tobias,
PKCS12 is a very portable format. Whenever you create a key and store it in this format you could add it to an existing keystore later.
I think OpenSSL could do this, too. The command for that is something similar to
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "name"
Regards
Heller
Tobias,
sorry, I didn't recognize your last question.
The passwords for the used keystores (SSL, encryption/decryption and digital signatures) are set in the preferences (tab security) after you have started up m-e-c as2.
Regards
Heller
Hi Heller,
I've tested Portecle and it's really user-friendly. I've added personal keys to the keystore and they seem to appear on as2. :)
Just got to test it with two networked PCs.
Thanks a lot.
Gonçalo Vaz
Hi Heller,
after using portecle and adding to certificates.p12 a test key pair generated by it, I imported the new certificates.p12 file on the other machine and used it.
On both applications I modified the certificate alias to the one generated earlier and sent a test message.
What I got on my machine was
[12:44:18 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Outgoing message signed using keystore alias "mouro vaz".
[12:44:18 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Outgoing message encrypted using keystore alias "mouro vaz".
[12:44:18 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Outgoing message packed.
[12:44:19 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Sending message to http://172.22.245.248:8080/mec_as2/HttpReceiver, sync MDN requested.
[12:44:19 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Message sent successfully (HTTP 200).
[12:44:19 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Incoming transmission is a AS2 message.
[12:44:19 PM] mecAS2-1149853458810-12613@test_roff_test_roff: AS2 message is encrypted.
[12:44:19 PM] mecAS2-1149853458810-12613@test_roff_test_roff: MDN is signed.
[12:44:19 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Using certificate "mouro vaz" to verify signature.
[12:44:20 PM] mecAS2-1149853458810-12613@test_roff_test_roff: Digital signature verified successful.
[12:44:20 PM] mecAS2-1149853460102-63065@test_roff_test_roff: MDN created, state set to [processed].
[12:44:20 PM] mecAS2-1149853460102-63065@test_roff_test_roff: Synchonous MDN sent as answer to message mecAS2-1149853458810-12613@test_roff_test_roff.
[12:44:20 PM] mecAS2-1149853458810-12613@test_roff_test_roff: AS2 communication successful, payload has been moved to "C:\mec\as2\messages\Localhost\inbox\mecAS2-1149853458810-12613@test_roff_test_roff".
But at the other machine I got something of the kind
"No personal key for mouro vaz certificate"
I thought that importing the certificate was it... Am I forgetting something?
Sorry guys...
I've tested again and it seems to be a refresh problem.... :D meaning, after closing and opening the application, it works fine....
Thanks
Mourovaz,
We didn't recognize this problem before and will add it to the tracker, thanks.
Regards
Heller
Heller,
I am trying to use portecle following your guide from your posting.
After installing m-e-c as2, there is a file called keystore under as2_root/jetty/etc. So this file stores the certificate?!
I assume it does. So I was trying to open this file from the portecle GUI, and gave it the password test. It fails.
Please correct me.
Thanks,
dfds2006
Heller,
I think I mixed up the certificate keystore and the keystore that is used with SSL in my above posting. I am figuring out how the certificate is created, and will keep posting...
jetty's keystore file = SSL keystore
certificates.p12 = certificate keystore
Hope this helps with the confusion
Heller,
your answer is clear. It corrects my mix-up. I used portecle to generate a certificate and insert it into certificates.p12 successfully. Thx!
Now I am facing another issue. My partner passed me a certificate that has the extension der. I was trying to use portecle to open their der file and insert it into certificates.p12. Before I do it, I just have a basic question as follows.
Jetty's current setting is picking up the certificate from certificates.p12. Is it possible to add an entry that is parallel to certificates.p12?
Does mec as2 support using a certificate with the extension der?
Thanks,
dfds2006
dfds2006,
Certificates are mainly stored in pkcs#7 format or PEM format. The file extensions are mainly .cer or .der (but it's just a filename).
For SSL you have to import these keys into the JKS format keystore found in jetty/etc/keystore. This could be done by portecle, openSSL or any other certificate program.
The keystore to encrypt and to sign messages (certificates.p12) is in pkcs#12 format. Extensions are .p12 or .pfx (but it's just a filename, too).
If you are using the same certificates/keys for SSL, message encryption and digital signatures just import them into both keystores, this works.
Regards
Heller
Heller,
thanks for your instruction. When I get an SSL key with the extension der, do you mean that two things need to be done:
1. import the key to keystore under jetty/ect
2. import the key into certificates.p12
or just one.
Using portecle, I open certificates.p12 and import the SSL key.
I can't open keystore as it asks me for the password.
Am I on the right track?
thanks,
dfds2006,
ssl keys should go into the JKS keystore under jetty/etc/keystore. This keystore is by default a dummy keystore and should be set up before the first use.
The signature/encryptions keystore certificates.p12 password is "test".
Regards
Heller
Heller,
Thanks. When I get a certificate, how can I know if they have an SSL key that is not in the current jetty\etc\keystore?
Also, in my previous email, I meant that I can't open jetty/etc/keystore. What is the password?
dfds2006,
I don't know the password of the keystore jetty\etc\keystore. Please set up a new one; this is only a dummy keystore.
Regards
Heller
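An added example (written for this thread, not code from m-e-c as2 or from any poster) that covers two points raised above: the "No personal key for mouro vaz certificate" message, which means the selected alias holds only a certificate and no private key, and the question of whether a partner's certificate is already present in jetty/etc/keystore. It opens certificates.p12 (PKCS#12, default password "test") and optionally jetty/etc/keystore (JKS) and lists, per alias, whether a private key is present plus the certificate's SHA-1 fingerprint. The class name KeystoreAudit, the relative paths and running it from the installation directory are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeystoreAudit {
    // Opens a keystore: type "PKCS12" for certificates.p12, "JKS" for jetty/etc/keystore.
    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // a wrong password fails here with an IOException
        }
        return ks;
    }
    // True only if the alias carries a private key. A certificate-only entry can verify a
    // partner's signature or encrypt to them, but cannot be our own signing/decryption alias.
    static boolean hasPrivateKey(KeyStore ks, String alias) throws Exception {
        return ks.containsAlias(alias) && ks.isKeyEntry(alias);
    }
    // SHA-1 fingerprint of the DER encoding; compare with the partner's .der/.cer file
    // to tell whether that certificate is already present in a keystore.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    static void audit(KeyStore ks, String label) throws Exception {
        System.out.println("== " + label + " (" + ks.getType() + ")");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);   // null for entries without a cert
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "?";
            System.out.printf("%-16s %-18s %s  sha1=%s%n", alias,
                    hasPrivateKey(ks, alias) ? "private key+cert" : "certificate only",
                    subject, cert == null ? "-" : fingerprint(cert));
        }
    }
    // Usage (from $MEC_DIRECTORY, assumed): java KeystoreAudit [p12-password] [jks-password]
    public static void main(String[] args) throws Exception {
        String p12Pass = args.length > 0 ? args[0] : "test";   // default named in the thread
        audit(load("PKCS12", "certificates.p12", p12Pass.toCharArray()), "certificates.p12");
        if (args.length > 1)
            audit(load("JKS", "jetty/etc/keystore", args[1].toCharArray()), "jetty/etc/keystore");
    }
}
```

An alias you intend to sign or decrypt with must show "private key+cert"; a partner's imported .der/.cer will show "certificate only", which is correct for verifying their signatures and encrypting to them.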