Question

I am trying to configure a product called Hermes for a digital signature.

I have a file MyCert.pfx which I specified in its configuration as follows:

<component id="keystore-manager-for-signature" name="Key Store Manager for Digital Signature">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreManager</class>
    <parameter name="keystore-location" value="/opt/mycompany/certs/MyCert.pfx"/>
    <parameter name="keystore-password" value="12345678"/>
    <!-- parameter name="key-alias" value="joeblank"/-->
    <!-- parameter name="key-password" value="12345678"/-->
    <parameter name="keystore-type" value="PKCS12"/>
    <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
</component>

Hermes throws an exception like this:

hk.hku.cecid.ebms.spa.task.MessageValidationException: Cannot sign the ebxml message
    by hk.hku.cecid.ebms.pkg.SignatureException: [10204] Cannot sign message Exception: java.lang.NullPointerException Message: null
    Try to retreive key alias[null] from keystore[/opt/mycompany/certs/MyCert.pfx]
    by java.lang.NullPointerException

I don't have the alias for the pfx file. I didn't need to specify one when I used it in Tomcat's server.xml.

It was also suggested that I should use a command like this to import the certificate into a JKS store:

keytool -importkeystore -deststorepass [password] -destkeystore [JKS keystore file] -deststoretype JKS -destalias [alias] -srckeystore [p12 keystore file] -srcstoretype PKCS12 -srcstorepass [password] -srcalias [alias]

I had to remove the -srcalias portion since I didn't have that, which required me to remove the -destalias as well. So in this case, I don't have a known alias to reference in mycompany.jks

Either way I don't have an alias. I tried importing the pfx file using keytool -import, but that throws an "Input not an X.509 certificate" error.

What do you guys suggest I should try next?


Solution

It sounds like your application doesn't use a default alias when none is specified. It's quite common for applications/libraries (including Apache Tomcat) to pick the first alias they find when none is specified. However, yours seems to need one.

You can find it using keytool -list -storetype PKCS12 -keystore (if needed, use -v too to see the alias more clearly). The alias name should be the first part of the line that says something like 2, Jan 12, 2012, PrivateKeyEntry (here "2"), just before the fingerprint.

keytool -import is indeed just for certificates.

keytool -importkeystore could be used for converting the PKCS#12 store into a JKS store, but you shouldn't need it, since you're able to specify the PKCS12 type.
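The procedure the answer describes (list the store, read the alias off the PrivateKeyEntry line, then optionally pin that alias in -srcalias/-destalias), written out as an added example. This is not code from the original post or from Hermes. It assumes a JDK keytool on PATH, uses keytool's -storepass:env password form so the password stays out of the process list, and parses both the plain and the -v output of keytool -list. The keystore output embedded below is constructed sample output, and all paths and passwords are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post or the Hermes project): find the
# alias inside a PKCS#12 store by parsing `keytool -list` output, then
# optionally convert the store to JKS with that alias pinned.
# Paths, passwords and the sample keytool output are constructed placeholders.

# Parse `keytool -list` output from stdin and print "alias<TAB>entry-type".
# Handles both formats:
#   plain:   <alias>, <Mon> <DD>, <YYYY>, <EntryType>,
#   verbose: Alias name: <alias> ... Entry type: <EntryType>
# Assumes the alias itself contains no ", " (keytool does not escape it).
parse_keytool_list() {
    awk '
        /^Alias name: / { alias = substr($0, 13); next }
        /^Entry type: / { print alias "\t" substr($0, 13); next }
        /, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?[ \t]*$/ {
            n = split($0, f, ", ")
            type = f[n]; sub(/,?[ \t]*$/, "", type)
            print f[1] "\t" type
        }
    '
}

# Only a PrivateKeyEntry can sign. A trustedCertEntry (e.g. a CA certificate
# bundled into the .pfx) has no private key, so pointing key-alias at it
# would not help. Print the first signing-capable alias.
first_signing_alias() {
    parse_keytool_list | awk -F '\t' '$2 == "PrivateKeyEntry" { print $1; exit }'
}

# Query a real store: keystore_signing_alias <pfx-path> <store-password>.
# The password is handed to keytool via the environment (-storepass:env).
keystore_signing_alias() {
    STOREPASS="$2" keytool -list -v -storetype PKCS12 -keystore "$1" \
        -storepass:env STOREPASS 2>/dev/null | first_signing_alias
}

# Optional PKCS#12 -> JKS conversion once the alias is known, so that the
# -srcalias/-destalias arguments no longer have to be dropped. Not needed
# when the application accepts keystore-type PKCS12 directly.
convert_to_jks() {
    src=$1 dst=$2 name=$3
    STOREPASS="$4" keytool -importkeystore \
        -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass:env STOREPASS -srcalias "$name" \
        -destkeystore "$dst" -deststoretype JKS -deststorepass:env STOREPASS -destalias "$name"
}

# Constructed sample output in both formats: a bundled CA certificate plus
# the signing key, whose alias is the unhelpful-looking "2".
sample_list_plain() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: BC

Your keystore contains 2 entries

ca-root, Jan 12, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
2, Jan 12, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98
EOF
}

sample_list_verbose() {
    cat <<'EOF'
Alias name: ca-root
Creation date: Jan 12, 2012
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example

*******************************************

Alias name: 2
Creation date: Jan 12, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=joeblank, O=mycompany
EOF
}

# Stand-alone use: STOREPASS=... ./find_alias.sh /opt/mycompany/certs/MyCert.pfx
if [ -n "${1:-}" ] && command -v keytool >/dev/null 2>&1; then
    keystore_signing_alias "$1" "${STOREPASS:-}"
fi
```

Paste the alias this prints into the key-alias parameter (and the matching key-password, which for a .pfx is usually the same as the store password). If keytool -list shows only a trustedCertEntry, the .pfx carries no private key and no alias will make signing work.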

Licensed under: CC-BY-SA with attribution