#############################################################
# Copyright (C) 2005 VeriSign, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#############################################################

Certificates Description:
-------------------------

This directory contains the certificate files (Java KeyStores) for the
Protocol Tool.  The following should exist under this directory to support
interfacing with each of the systems (OT&E, Production, EPP SDK):

eppsdk.jks and eppsdk.pkcs12 - Java KeyStore containing the self-signed
    certificate used by the EPP SDK.  The EPP SDK can be configured for SSL,
    and the Protocol Tool can connect to the Stub Server using the
    eppsdk.[jks|pkcs12] file.  The top-level directory file
    eppsdk-filter.properties references eppsdk.jks for both the KeyStore and
    the TrustStore with the ssl.keystore and ssl.truststore Ant properties.
    The pkcs12 file can be used instead by setting the ssl.keystore and
    ssl.truststore properties to ../certs/eppsdk.pkcs12, and by setting the
    ssl.keystore.type and ssl.truststore.type properties to PKCS12.  The
    KeyStore passphrase is set to "passphrase".

client-cert.jks - Default name for the client certificate Java KeyStore.
    This file needs to be created before using the Protocol Tool against the
    OT&E and Production systems.  The ote-filter.properties and
    prod-filter.properties files only define the ssl properties for the
    KeyStore, since the TrustStore included with the JDK can be used by
    default for validating the server certificate.  A different
    password/passphrase can be used for the KeyStore and the Key by defining
    the -filter.properties ssl.keystore.password and
    ssl.keystore.key.password properties, respectively.

Creating client-cert.jks from Key and Certificate .der or .pem Files:
-----------------------------------------------------------------------

There are two methods for creating client-cert.jks from a Key and
Certificate .der or .pem file:

1. Create a pkcs12 KeyStore using openssl
2. Create a JKS KeyStore using the WebLogic 8.1 utility

To create the client-cert.pkcs12 file using openssl, do the following:

1. cat client-key.pem client-cert.pem ca-cert.pem | openssl pkcs12 -export -out client-cert.pkcs12 -noiter -nomaciter -name client

2. Configure the -filter.properties file to use client-cert.pkcs12 with the
   following:

   a. Set ssl.keystore=../certs/client-cert.pkcs12
   b. Set ssl.keystore.type=PKCS12
   c. Set ssl.keystore.password and ssl.keystore.key.password to the values
      used when creating the KeyStore
   d. Set the ssl.truststore properties.  These can be empty to use the
      default JDK Trust Store.

When using the JDK keytool, -storetype pkcs12 must be specified.  For
example, "keytool -list -v -storetype pkcs12 -keystore client-cert.pkcs12"
will display the contents of the KeyStore.

To create the client-cert.jks file using the WebLogic 8.1 utility
(ImportPrivateKey), do the following:

# Convert .der files to .pem format
java -cp $WL_HOME/server/lib/weblogic.jar utils.der2pem client-key.der
java -cp $WL_HOME/server/lib/weblogic.jar utils.der2pem client-cert.der

# Import client-key.pem and client-cert.pem into client-cert.jks
# with the alias client-cert and the passphrases set to
# "changeit".
java -cp $WL_HOME/server/lib/weblogic.jar utils.ImportPrivateKey client-cert.jks changeit client-cert changeit client-cert.pem client-key.pem
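Method 1 above carried through end to end, as an added example that is not part of the EPP SDK: it generates constructed, throwaway test material in place of client-key.pem, client-cert.pem and ca-cert.pem, runs the README's openssl pkcs12 command with the export passphrase passed via -passout (assumed here so it runs unattended), and reads the alias and certificate count back to confirm what ssl.keystore will load.

```shell
#!/bin/sh
# Added example, not part of the EPP SDK: build client-cert.pkcs12 with the
# README's openssl command, then read it back before pointing ssl.keystore at
# it.  All key material is constructed throwaway test data standing in for
# client-key.pem, client-cert.pem and ca-cert.pem.
set -eu

# Constructed passphrase; the real value belongs in ssl.keystore.password and
# ssl.keystore.key.password of the -filter.properties file.
P12_PASS="changeit"

# Generate test material in $1: a throwaway CA and a client cert it signs.
make_test_material() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=epp-client" \
    -keyout "$d/client-key.pem" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca-cert.pem" \
    -CAkey "$d/ca-key.pem" -CAcreateserial -days 1 \
    -out "$d/client-cert.pem" >/dev/null 2>&1
}

# The README's method 1: key, cert and CA chain piped into one PKCS12 store.
# -passout is assumed so this runs unattended; interactively, openssl prompts.
build_client_p12() {
  d="$1"
  cat "$d/client-key.pem" "$d/client-cert.pem" "$d/ca-cert.pem" \
    | openssl pkcs12 -export -out "$d/client-cert.pkcs12" -noiter -nomaciter \
        -name client -passout "pass:$P12_PASS"
}

# Alias (friendlyName) recorded in the store; -name client above sets it.
p12_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Number of certificates in the store: the client cert plus the CA chain.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

WORK="$(mktemp -d)"
make_test_material "$WORK"
build_client_p12 "$WORK"
echo "alias: $(p12_alias "$WORK/client-cert.pkcs12")"      # client
echo "certs: $(p12_cert_count "$WORK/client-cert.pkcs12")" # 2
```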