Reputation: 480
Chaining two certs with the same subject
I am trying to generate specific chain of certificate to use as certs for Corda node. The certs structure is following
cert_0 -> Subject: Node DN (Legal identity cert)
cert_1 -> Subject: Node DN (Node CA cert)
cert_2 -> Subject: Doorman CA
cert_3 -> Subject: Network Root CA
I have generated all certs and then trying to chain them in two steps:
openssl pkcs12 -export -chain -CAfile nodedoormanrootca.pem -in identity-cert.pem -inkey identity-key.pem -out identity.p12 -name identity-private-key -passout pass:changeit
Step 1 works correctly and as the result I am getting certs bundle consisting of all 4 certs.
Next step is to export it to Java Keystore using keytool.
keytool -v -importkeystore -providerpath bcprov-jdk15on-1.66.jar -provider org.bouncycastle.jce.provider.BouncyCastleProvider -srckeystore identity.p12 -srcstoretype PKCS12 -destkeystore nodekeystore.jks -deststorepass changeit -srcstorepass changeit -alias "identity-private-key"
(I use Bouncy Castle provider because cert_0 uses ed25519 key)
The problem is that after keytool import I have only 1 entry identity-private-key without the rest of the chain.
The cause is that cert_0 and cert_1 have the same subject and keytool thinks that cert_0 is self-signed and thus stops after adding only first cert in the keystore.
So, any idea on how to create such chain of certs in JKS format where two certs will have the same subject (with different public key of course) ?
What comes in mind is to try create some small kotlin program based on Corda sources, but is there any easier solution? Maybe some hack for keytool or smth
Upvotes: 1
Views: 514
Answers (1)
Reputation: 1053
There's some important aspects of this to be aware of as currently rolling your own certs isn't supported in certain kinds of corda networks.
if you're doing this on your own machine with a bootstrapped network I'd recommend against it as you can just use the bootstrapper's corda developer certificates.
If you're doing this for production or using your own PKI you should be able to do that with CENM (link here: https://docs.corda.net/docs/cenm/1.3/pki-tool.html)
There are no sample projects that demonstrate creating these certificates. However, if you download the Corda source code and look at X509Utilities.kt(https://github.com/corda/corda/blob/master/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt) and CertificatesUtils.kt (https://github.com/corda/corda/blob/master/node/src/main/kotlin/net/corda/node/utilities/CertificatesUtils.kt) you’ll find what is effectively a toolkit for creating certificates.
good luck !
Upvotes: 2
Related Questions
- How to add subject alternative name to ssl certs?
- How to Merge 2 Certificate Files To Create Certificate Of Chain Files
- Can I create a chain of certificates from Root CA
- How to add multiple key usages to a certificate when using Java keytool
- Load multiple certificates into PKCS12 with openssl
- Two certificates and CSR file
- How to chain a SSL server certificate with the intermediate and root CA certificates?
- Multiple certificates in TLS handshake "certificate" message
- How to create an X509Certificate2 that is signed by another (self-signed) certificate?
- How to chain a SSL certificate