
I'm implementing communication using X509Certificates and am struggling with validating the certificate.

I've gotten a "parent" certificate that is self-signed and used to sign all other certificates.

This has been done and I've gotten the certificate.

In the next step, the other part is signing my certificates and I'm to store them.

Here is the first problem: the certificates that are returned do not correspond to the ones I've created, so the public key differs. How can I now update my keystore with the signed certificate? Hence I need the private key from my certificate, but I need the signed version from the returned certificate.

Next problem: the signed certificates need to be validated and checked against the parent certificate, but when doing this, as follows:

X509Certificate parent;
X509Certificate certToVerify;
parent.verify(certToVerify.getPublicKey());

It throws a signature error: java.security.SignatureException: Signature does not match.

Is there any other way that I should check the issuer or verify the certificate? Is there something I've missed?

best, Henrik

Hiny

1 Answer


For your 1st issue, you should be getting back a signed certificate in response to a certificate signing request (CSR). For example, you generated a private key, then created a CSR. You send that CSR (which contains your public key) to a Certificate Authority (CA). The CA verifies your identity and returns a signed certificate to you. This signed certificate should contain the SAME public key as was in your CSR. You can take the signed certificate and import it into your keystore. If you already had a self-signed certificate for that private key, the imported signed cert should replace it.

For your 2nd issue, you need to switch the statements around. You need to verify the signed certificate with the parent's public key.

X509Certificate parent = ...;
X509Certificate certToVerify = ...;
certToVerify.verify(parent.getPublicKey());
gtrig
  • Thanks for the response @gtrig. The certificate verification is now working. But the signed public key is returned "not the same" when trying to update the keystore. `java.security.KeyStoreException: Public keys not equal` I have the private key for the certificate mentioned and need to update it, hence the returned certificate does not contain it. – Hiny Sep 04 '13 at 08:27
  • @Hiny How are you creating your CSR? How are you getting it signed? – gtrig Sep 04 '13 at 16:21
  • I'm using the following @gtrig: 'PKCS10CertificationRequest kpGen = new PKCS10CertificationRequest(sigAlg, cert.getSubjectX500Principal(), cert.getPublicKey(), null, privateKey);' The public key/certificate is signed and sent back. – Hiny Sep 05 '13 at 05:49
  • Who is signing it? How are they signing it? Can you verify that the public key in CSR is the same? If so then the problem is with the signer. – gtrig Sep 05 '13 at 07:57
  • How can I verify that the public keys are the same? Is simply printing them enough? @gtrig – Hiny Sep 05 '13 at 08:43
  • @Hiny, see the answer to this other StackOverflow [question](http://stackoverflow.com/questions/11028932/how-to-get-publickey-from-pkcs10certificationrequest-using-new-bouncy-castle-lib) – gtrig Sep 05 '13 at 13:54
  • Thanks @gtrig, I've compared the public key before and after the request and it has changed... What could have changed it, a bit confused about that. – Hiny Sep 06 '13 at 06:27
  • Can you post more of your code, so we can see it all in context? – gtrig Sep 06 '13 at 16:40
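As an added example (not the asker's or the answerer's code) putting the answer and the comment thread together: verify the returned certificate against the parent's public key (plus issuer and validity checks), confirm its public key matches the key pair already in the keystore before touching it, and then replace the self-signed entry with the signed chain while keeping the private key. The file names, alias and password are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class SignedCertImport {

    // Check that cert was issued by parent: issuer/subject linkage, validity window, signature.
    // cert.verify(parent.getPublicKey()) is the direction the answer gives; the reverse fails.
    static void verifyIssuedBy(X509Certificate cert, X509Certificate parent) throws Exception {
        if (!cert.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
            throw new CertificateException("issuer DN does not match the parent's subject DN");
        }
        cert.checkValidity();                 // throws if expired or not yet valid
        parent.checkValidity();
        cert.verify(parent.getPublicKey());   // SignatureException if not signed by parent
    }

    // The signed cert must carry the same public key as the key pair already in the keystore.
    // Comparing the encoded keys up front shows whether the CA signed the key from your CSR.
    static boolean matchesKeyPair(X509Certificate signed, X509Certificate selfSigned) {
        return Arrays.equals(signed.getPublicKey().getEncoded(),
                             selfSigned.getPublicKey().getEncoded());
    }

    // Replace the self-signed entry under alias with the chain [signed, parent], keeping the private key.
    static void replaceWithSignedChain(KeyStore ks, String alias, char[] pw,
                                       X509Certificate signed, X509Certificate parent) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        X509Certificate selfSigned = (X509Certificate) ks.getCertificate(alias);
        if (!matchesKeyPair(signed, selfSigned)) {
            throw new IllegalStateException("signed cert's public key differs from the keystore key pair");
        }
        verifyIssuedBy(signed, parent);
        ks.setKeyEntry(alias, key, pw, new X509Certificate[] { signed, parent });
    }

    static X509Certificate loadCert(String path) throws Exception {   // PEM or DER file
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {   // placeholder paths, alias, password
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("mykeystore.jks")) { ks.load(in, pw); }
        replaceWithSignedChain(ks, "mykey", pw, loadCert("signed.pem"), loadCert("parent.pem"));
        try (FileOutputStream out = new FileOutputStream("mykeystore.jks")) { ks.store(out, pw); }
    }
}
```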