2013/01/23

XCA Certificate Authority

After much searching and testing various Linux GUI certificate authority applications I finally found one that works consistently and gives me all of the options that I need.  I am not exactly sure how I missed it as it has been out for some time but XCA has turned out to be exactly what I was looking for.  The biggest issue I had was creating certificates for Windows Servers in order to setup LDAPS.  I had used TinyCA2, GnoMint, and various others.  Both were either limited in their capabilities or failed to work consistently.  I even tried to go setup full PKI systems like EJBCA and Windows Certificate Services but found them to be to difficult to pick up in the limited amount of time I had to learn how to use it.

XCA uses a Qt based GUI interface that is well organized and full featured.  I found the ability to create templates a great time saver when you have to crank out lots of certificates. Plus the ability to export to any format is also very handy as sometimes I never know what I need and I can never remember the correct openssl commands to convert to different formats.

Importing Key and Certificate into Java Keystore

For whatever reason I had a hell of a time trying to import the key and certificate from a third party CA into a Java keystore (JKS) that was used by a java web application.  I just kept finding incorrect steps on how to do it and then after about 3 days of monkeying around with it I finally found what worked.  

The first step was to export the key and certificate into PKCS12 format (either .pfx or .p12 file extension).  The keytool treats the PKCS12 file as a keystore.  If you are using Tomcat or some other Java application server you can actually use the file as a keystore without importing it into a JKS. The keytool gives you the ability to merge keystores which is what I ended up doing.  After several attempts the below command was what I ended up with.

keytool -importkeystore -destkeystore /certs/my.javakeystore -srckeystore certAndKey.p12  -srcstoretype PKCS12

I tried several times with the -alias option and it kept failing giving this error:

keytool error: java.lang.Exception: Alias <alias1> does not exist

I found that the alias that is used initially is in the PKCS12 file.  If the alias you are using does not match up to the alias, which I am assuming is the internal or friendly name, then it will fail.  So if you leave the alias option off then it will import using the default alias that is sees in the PKCS12 file.  In my case it was identical to one I had in my keystore already and it let me change the alias name during the import process.