1

I have a .Net SAML implementation that verifies assertions' signatures against a PKCS 7 certificate in a .p7b file.

I have a customer who have a Java based identity provider. They can only provide their certificate in a Java key store .jks file.

I can verify the assertions that their identity provider sends, but I can't check that those assertions were signed by a trusted provider without verifying them against the certificates in the Java key store.

I can find lots online on how to add a .p7b certificate to a .jks file, but nothing on how to reverse the process.

How do I get a .p7b certificate (that .Net and Windows can open) from a supplied .jks file?

Alternatively I'm loading the .p7b into .Net using the native X509Chain implementation. If I can't convert the .jks is there any way to load it in .Net in a way that lets me check the assertions' signatures?

Community
  • 1
  • 1
Keith
  • 150,284
  • 78
  • 298
  • 434

1 Answers1

1

It turns out that there is a command line utility in Java that do what I need. In the Java runtime directory (C:\Program Files (x86)\Java\jre7\bin on my machine) there is a utility called keytool (my newlines for readability):

>keytool -importkeystore 
         -srckeystore clientStore.jks -srcstoretype JKS 
         -destkeystore outputStore.p12 -deststoretype PKCS12

This produces an output store called outputStore.p12 that I can load in .Net with X509Certificate2Collection.Import()

Keith
  • 150,284
  • 78
  • 298
  • 434