Subject:Re: [foaf-protocols] manually creating a webid
From:Story Henry (henr@bblfish.net)
Date:Mar 25, 2010 2:24:04 am
List:org.foaf-project.lists.foaf-protocols

You can also do it on the command line using the OpenJDK. A year ago a Sun
engineer wrote the following:

[[ Grab the next OpenJDK build, and run

keytool -keystore x.jks -storepass changeit -keypass changeit -genkeypair -alias me -dname CN=Me -ext san=uri:http://romeo.net/#romeo

The entry generated would have a cert like this (in your familiar openssl x509 -text output):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1235619180 (0x49a60d6c)
        Signature Algorithm: dsaWithSHA1
        Issuer: CN=Me
        Validity
            Not Before: Feb 26 03:33:00 2009 GMT
            Not After : May 27 03:33:00 2009 GMT
        Subject: CN=Me
        Subject Public Key Info:
            ....
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DD:BF:CE:42:A5:BB:E3:DA:37:6E:C7:4F:4A:A1:3C:4D:47:FA:EC:44
            X509v3 Subject Alternative Name:
                URI:http://romeo.net/#romeo
    Signature Algorithm: dsaWithSHA1
    .... ]]

He then pointed out the following

[[ Since JDK 6, keytool has a command -importkeystore which converts a keystore from one storetype to another. Using this command, you can convert a JKS keystore into a PKCS12 one. Then, I believe you will know how to play with the private key inside it. :)

Read the tooldoc for details: http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html ]]

On 25 Mar 2010, at 07:33, Pierre-Antoine Champin wrote:

Thanks Toby;

now I have both the quick & simple solution offered by Henry, *and* the satisfaction to understand what must be going on under the hood. :)

pa

On 25/03/2010 00:26, Toby Inkster wrote:

On Wed, 2010-03-24 at 12:25 +0100, Pierre-Antoine Champin wrote:

Especially, is there a way to tell openssl to ask for the "magic" field "Certificate Subject Alt Name" ??

No, openssl is an arse. It can't be done directly from the openssl command line.

What you need to do is open up your openssl.cnf file (or whatever it's called on your system), head for the "v3_ca" section and set the "subjectAltName" to whatever you like. Then create your cert using "openssl req", go back to openssl.cnf and comment out the subjectAltName.

Note that subjectAltName is a comma-separated list, so you can add other things to it, e.g.

subjectAltName=URI:http://example.com/joe#me,email:jo@example.com