HELP ! with keytool and pkcs11

From: Lapo TIN <lapolapolapo@tin.it>
Date: Fri, 29 Apr 2005 17:27:02 +0200
Message-ID: <02dc01c54ccf$e4f01e10$4200a8c0@LapoHP>
To: <www-jigsaw@w3.org>, <simon@w3.org>
I'm using Jigsaw, and I'm using a USB token for server authentication.
I follow the instructions in http://www.w3.org/Jigsaw/Doc/User/ssl.html
"for using hardware tokens to store your server certificate, you must install the PKCS#11 driver software for your token and add the SUN PKCS#11 provider bridge to the security configuration file of your java runtime environment ..."
and it works !!!!

My problem now is that the certificate I have generated on my token is not SIGNED yet by a CA.
So I generated the request, I gave it to my CA and they gave me back the signed certificate.

HOW CAN I IMPORT IT BACK ON THE TOKEN and update the certificate on the token ??
It gives me errors.

I did these steps:

1) generation of the keypair on the USB token
"keytool -genkey -alias lapo -keystore NONE -storetype PKCS11 -keyalg "RSA" -validity 365"

2) request a certificate signing; it exports a CSR file to disk
"keytool -certreq -alias lapo -keystore NONE -storetype PKCS11 -file lapo_certreq.csr"

3) I give the file to the CA, the CA signs it with openssl and generates the file lapo_cert.cer

4) then I would like to import the signed certificate into the PKCS11 keystore to update it.... but it needs the root CA certificate in the PKCS11 keystore to rebuild the chain.. in fact it says:
"keytool -import -alias lapo -keystore NONE -storetype PKCS11 -file lapo_cert.cer "
java error "impossibile stabilire la catena dalla risposta"

So first I try to import the CA certificate, but it gives an error again:
"keytool -import -alias root -keystore NONE -storetype PKCS11 -file cacert.cer "
"trusted certificates may only be set by token initialization application"

I tried with many different models of USB token... same errors...

why ?!?!?

thanks in advanceeeeee
and sorry for my english


Ing. Lapo Consortini
Received on Friday, 29 April 2005 15:27:41 GMT
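
The chain check that step 4 of the message fails on can be reproduced without a token using openssl. This is an added example, not part of the original message: the keys and both CAs are constructed, and the function names, the lapo_chain.p7b file and the assumption that a token will accept the bundled chain are assumptions of the example.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed in a temp directory;
# file names mirror the post, but nothing here touches a PKCS#11 token.

make_ca() {  # $1 = output prefix, $2 = CN: self-signed stand-in for a CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.cer" 2>/dev/null
}

make_reply() {  # $1 = dir: software equivalent of steps 1-3 in the post
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lapo" \
        -keyout "$1/lapo.key" -out "$1/lapo_certreq.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/lapo_certreq.csr" -CA "$1/cacert.cer" \
        -CAkey "$1/cacert.key" -set_serial 1 -days 30 \
        -out "$1/lapo_cert.cer" 2>/dev/null
}

chains_to() {  # $1 = CA cert, $2 = reply: exit 0 only if reply verifies under CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

bundle_reply() {  # $1 = reply, $2 = CA cert, $3 = output PKCS#7 file
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -out "$3"
}

count_certs() {  # $1 = PKCS#7 file: number of certificates inside
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/cacert" "Demo Root CA" && make_ca "$d/other" "Unrelated CA" &&
    make_reply "$d" || return 1
    chains_to "$d/cacert.cer" "$d/lapo_cert.cer" && echo "reply chains to cacert.cer"
    chains_to "$d/other.cer" "$d/lapo_cert.cer" || echo "reply does not chain to other.cer"
    bundle_reply "$d/lapo_cert.cer" "$d/cacert.cer" "$d/lapo_chain.p7b" &&
    echo "lapo_chain.p7b holds $(count_certs "$d/lapo_chain.p7b") certificates"
    # The bundle is then offered to keytool as the reply (assumption: the token
    # accepts chain certificates as ordinary, non-trusted objects):
    #   keytool -import -alias lapo -keystore NONE -storetype PKCS11 -file lapo_chain.p7b
    rm -rf "$d"
}

demo
```

If the first check fails for the real lapo_cert.cer and cacert.cer, the reply was not issued by that CA certificate and no import order will let keytool build the chain.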