| From | Sent On | Attachments |
|---|---|---|
| Pierre-Antoine Champin | Mar 24, 2010 4:25 am | |
| Story Henry | Mar 24, 2010 5:08 am | |
| Pierre-Antoine Champin | Mar 24, 2010 5:22 am | |
| Toby Inkster | Mar 24, 2010 4:25 pm | |
| Pierre-Antoine Champin | Mar 24, 2010 11:33 pm | |
| Story Henry | Mar 25, 2010 2:24 am | |
| Bruno Harbulot | Mar 25, 2010 6:25 am | |

| Subject: | Re: [foaf-protocols] manually creating a webid | |
|---|---|---|
| From: | Story Henry (henr...@bblfish.net) | |
| Date: | Mar 25, 2010 2:24:04 am | |
| List: | org.foaf-project.lists.foaf-protocols | |
You can also do it on the command line using the OpenJDK. A year ago a Sun
engineer wrote the following:
[[ Grab the next OpenJDK build, and run

    keytool -keystore x.jks -storepass chageit -keypass changeit -genkeypair -alias me -dname CN=Me -ext san=uri:http://romeo.net/#romeo

The entry generated would have a cert like this (in your familiar openssl x509 -text output):

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1235619180 (0x49a60d6c)
            Signature Algorithm: dsaWithSHA1
            Issuer: CN=Me
            Validity
                Not Before: Feb 26 03:33:00 2009 GMT
                Not After : May 27 03:33:00 2009 GMT
            Subject: CN=Me
            Subject Public Key Info:
                ....
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    DD:BF:CE:42:A5:BB:E3:DA:37:6E:C7:4F:4A:A1:3C:4D:47:FA:EC:44
                X509v3 Subject Alternative Name:
                    URI:http://romeo.net/#romeo
        Signature Algorithm: dsaWithSHA1
            ....
]]
He then pointed out the following:
[[ Since JDK 6, keytool has a command -importkeystore which converts a keystore from one storetype to another. Using this command, you can convert a JKS keystore into a PKCS12 one. Then, I believe you will know how to play with the private key inside it. :)
Read the tooldoc for details: http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html ]]
On 25 Mar 2010, at 07:33, Pierre-Antoine Champin wrote:
Thanks Toby;
now I have both the quick & simple solution offered by Henry, *and* the satisfaction to understand what must be going on under the hood. :)
pa
On 25/03/2010 00:26, Toby Inkster wrote:
On Wed, 2010-03-24 at 12:25 +0100, Pierre-Antoine Champin wrote:
Especially, is there a way to tell openssl to ask for the "magic" field "Certificate Subject Alt Name" ??
No, openssl is an arse. It can't be done directly from the openssl command line.
What you need to do is open up your openssl.cnf file (or whatever it's called on your system), head for the "v3_ca" section and set the "subjectAltName" to whatever you like. Then create your cert using "openssl req", go back to openssl.cnf and comment out the subjectAltName.
Note that subjectAltName is a comma-separated list, so you can add other things to it, e.g.
subjectAltName=URI:http://example.com/joe#me,email:jo...@example.com
_______________________________________________ foaf-protocols mailing list foaf...@lists.foaf-project.org http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
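
The config-file approach from the thread, as an added example that is not part of any message above: rather than editing and later reverting the system-wide openssl.cnf, it writes a throwaway config, creates the self-signed certificate, and reads the subjectAltName back. The function names, file names and the RSA-2048/SHA-256 parameters are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed WebID cert built from a
# throwaway config, so the system-wide openssl.cnf is never edited.
# Assumed names: make_webid_cert, cert_san, webid.cnf, key.pem, cert.pem.

make_webid_cert() (          # subshell body: umask and WEBID stay local
    webid=$1 outdir=$2
    nl='
'
    # subjectAltName is a comma-separated list: a comma inside the URI
    # would be read as the start of another name, so refuse it.
    case $webid in
        ''|*,*|*"$nl"*) echo "refusing WebID: $webid" >&2; exit 1 ;;
    esac

    umask 077                # key.pem is written unencrypted (-nodes)
    cat > "$outdir/webid.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_webid
prompt             = no

[ dn ]
CN = Me

[ v3_webid ]
# An unquoted '#' starts a comment in an OpenSSL config file, which would
# cut the fragment off a URI written here, so the value comes from the
# environment instead.
subjectAltName = URI:$ENV::WEBID
EOF

    WEBID="$webid" openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -days 90 -config "$outdir/webid.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
)

# Print the subjectAltName value stored in a certificate.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}
```

Called as `make_webid_cert 'http://example.com/joe#me' "$(mktemp -d)"`, it leaves key.pem, cert.pem and the config in that scratch directory; `cert_san` on the result should show the full URI including the fragment.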





