Question

For a PKI client I need to obtain both non-repudiation and digital signature certificates. I have implemented this code to obtain those certificates:

keyStore.load(null, null);
Enumeration<String> aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
    String alias = aliases.nextElement();
    if (keyStore.isKeyEntry(alias)) {
        java.security.cert.Certificate certificate = keyStore.getCertificate(alias);
    }
}

The problem is that both the digital signature and non-repudiation certificates have the same alias, so when I call keyStore.getCertificate the system always returns the first result. Although in the certmgr.msc window I can see that 2 certificates exist and the loop block executes two times, the system always returns a duplicate result from the first certificate. How can I solve this problem?


Solution

You cannot really have two different entries with the same alias. But this is how you can get a list of all first-level certificates from the key store:

List<Certificate> certificates = new ArrayList<Certificate>();
Enumeration<String> aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
    String alias = aliases.nextElement();
    Certificate certificate = keyStore.getCertificate(alias);
    if (certificate != null) {
        certificates.add(certificate);
    }
}

Other tips

Since you're talking about certmgr.msc and using keyStore.load(null, null), I presume you're using the WINDOWS-ROOT or WINDOWS-MY keystore, from the SunMSCAPI provider.

Unfortunately, there is an issue with this provider because it can re-use the same alias for multiple entries, thereby making it difficult or impossible to access some certificates.

The alias used by this keystore is in fact the "friendly name" of the certificate (in the MS-CAPI terminology). While the friendly name doesn't need to be unique in the Windows certificate store, the alias name needs to be.

Presumably, because you seem to be talking about two distinct certificates for the same entity but with different purposes, they are likely to use the same friendly name by default.

One way to work around this problem is to identify your certificates with different friendly names in the Windows store: in certmgr.msc, select the certificate, right-click, choose "Properties" and change its "Friendly Name".

If you have two distinct certificates (for different key usages or any other reason) that have unique friendly names, they should then show up with different alias names in your KeyStore.
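As an added illustration (not code from either answer), the following audit enumerates a Windows-MY keystore, reports any alias that the SunMSCAPI provider lists more than once (the symptom described in the question), de-duplicates the certificates actually reachable through getCertificate(), and labels each by its digitalSignature / nonRepudiation key-usage bits so the two purposes can be told apart even when their friendly names collide. The class and method names are my own; it assumes a Windows host with the SunMSCAPI provider available.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class WindowsMyCertAudit {
    // Bit positions in the boolean[] returned by X509Certificate.getKeyUsage()
    private static final int DIGITAL_SIGNATURE = 0;
    private static final int NON_REPUDIATION = 1;

    // Returns one entry per distinct certificate (keyed by issuer + serial).
    // Duplicate aliases are counted and reported because getCertificate()
    // can only ever return the first entry registered under that alias.
    static Map<String, X509Certificate> loadDistinctCertificates(KeyStore keyStore) throws Exception {
        Map<String, X509Certificate> distinct = new LinkedHashMap<>();
        Map<String, Integer> aliasHits = new HashMap<>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            aliasHits.merge(alias, 1, Integer::sum);
            Certificate cert = keyStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            String id = x509.getIssuerX500Principal().getName() + "/" + x509.getSerialNumber();
            distinct.putIfAbsent(id, x509);
        }
        for (Map.Entry<String, Integer> e : aliasHits.entrySet()) {
            if (e.getValue() > 1) {
                System.err.println("Alias '" + e.getKey() + "' listed " + e.getValue()
                        + " times; only the first entry is reachable. Rename friendly names in certmgr.msc.");
            }
        }
        return distinct;
    }

    // Describes which of the two relevant key-usage bits a certificate asserts.
    static String describeUsage(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage(); // null when the keyUsage extension is absent
        if (ku == null) return "no keyUsage extension";
        List<String> uses = new ArrayList<>();
        if (ku.length > DIGITAL_SIGNATURE && ku[DIGITAL_SIGNATURE]) uses.add("digitalSignature");
        if (ku.length > NON_REPUDIATION && ku[NON_REPUDIATION]) uses.add("nonRepudiation");
        return uses.isEmpty() ? "neither" : String.join("+", uses);
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("Windows-MY"); // SunMSCAPI personal store
        keyStore.load(null, null);
        for (X509Certificate cert : loadDistinctCertificates(keyStore).values()) {
            System.out.println(cert.getSubjectX500Principal().getName() + " -> " + describeUsage(cert));
        }
    }
}
```

If the audit prints a duplicate-alias warning and fewer distinct certificates than certmgr.msc shows, the second certificate is unreachable from Java until its friendly name is changed as described above.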

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow