
I have an application (Cognos) which delivers web pages through two mechanisms: via IIS, and via a Java application. We need to enable SSL for both of these. IIS has been done. We are working on the Java applet now.

The IIS cert was generated by creating a cert request in IIS and sending that to the CA. They returned a certificate which we installed into IIS, and that's fine - we can access these pages in the browser using HTTPS.

I tried importing this same certificate into the Java application's certificate store. However, I received application-specific errors.

This was done using the application's special command line tool.

But basically it looks like it's trying to replace the existing unsigned certificate under the alias "encryption" with a signed certificate.

Here's the page that shows the process using the provided GUI tool

http://www-01.ibm.com/support/docview.wss?uid=swg22004239

My problem is that the certificate has already been returned from the CA and I did not generate a request in this tool.

I have a valid certificate, but I can't follow these instructions because they assume the request was generated from this keystore.

Going through the process, it seems like we need to generate a CSR from the Cognos certificate store, send that to the CA and get another certificate for the same host, but different originating CSR.

This would mean we have two certificates for the same host, which doesn't make sense to me.

Primarily:

  1. Is it OK to have two or more active certificates for the same host?
  2. If I have a certificate generated from a CSR from keystore A, is there any way I can import and use it in keystore B on the same server? Do I need anything from the original request to do this?

EDIT:

As I continue to research this I realise that when the request is generated it saves a private key in the keystore. So I think the problem isn't really that I have two keystores; the problem is that I don't know how to reuse the private key from the original keystore in the second keystore.

Nick.Mc
  • 193

3 Answers

1

A CA can approve a request for multiple client accesses or a single certificate for each domain on a single host (demonstrates how to assign each using virtual hosts)

To answer your second question, see this response to another similar question with how to export and import certificates.

Ian
  • 71
1

You will need to export both the key and certificate from IIS. You should be able to export this into a PKCS7 file. Use keytool to import this into your Java keystore. (It is also possible to use the PKCS7 file if you wish.)

If IIS is delivering the applet, you don't need a server certificate for the applet. If you are using a different server to deliver the applet you will need to import the key into that server.

I expect your issue is with signing the applet. Your key may not be flagged as usable for code signing. Use a tool like keytool or a browser to display the flags on the certificate. It is possible to have a certificate that is useful for both a server and code signing.

EDIT: It appears you have a certificate that is good for both code signing (You should sign your applet.) and for encryption (HTTPS). If you wish to use it for HTTPS, it should have a Subject Alternate Name for every domain you wish to use it with. This will allow validation that the certificate is for the domain.

Normally, you would not use an applet to access a server. It may open connections to the server from which it was loaded to look for additional classes. It could also be opening additional connections to other servers. Modern browsers will want you to specify the access the applet needs so that the user can verify whether or not to grant them.

BillThor
  • 28,293
  • 3
  • 39
  • 70
0
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

This should import your PFX into the keystore. It was what I used the last time I had to import a PFX.

BANJOSA
  • 398
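The two keytool-based answers above (export the key pair from IIS, then `keytool -importkeystore`) and the question's EDIT about reusing the private key come together in the following script. It is an added example, not code from the question or any answer: it first confirms that a PFX exported from IIS actually contains the private key that belongs to its certificate (a certificate-only export cannot become a key entry), then imports the key pair into a JKS under the alias the application expects. It assumes openssl and keytool (from a JDK) are on PATH; the file names, passwords and the alias "encryption" are placeholders.

```shell
#!/bin/sh
# Added example, not part of the question or any answer. Checks that a PFX
# exported from IIS carries the private key matching its certificate, then
# imports that key pair into a Java keystore under a chosen alias.
# Assumptions: openssl and keytool (from a JDK) are on PATH; file names,
# passwords and the alias "encryption" are placeholders.
set -eu

# Return 0 when the private key and the certificate inside a PKCS#12 file belong
# together, 1 when they differ or the file holds no private key at all.
# Compares SHA-256 digests of the DER public key derived from each side, so it
# works for RSA and EC keys alike.  $1 = PFX path, $2 = PFX password.
pfx_key_matches_cert() {
    pfx=$1; pass=$2
    keypem=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null) || return 1
    [ -n "$keypem" ] || return 1   # certificate-only export: no key to import
    key_pub=$(printf '%s\n' "$keypem" \
        | openssl pkey -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# Import the key pair from a PFX into a JKS under the alias the application
# looks for.  $1 = PFX, $2 = PFX password, $3 = destination JKS,
# $4 = JKS password, $5 = destination alias (e.g. encryption).
import_pfx_into_jks() {
    pfx=$1; pfxpass=$2; jks=$3; jkspass=$4; alias=$5
    pfx_key_matches_cert "$pfx" "$pfxpass" || { echo "no usable key pair in $pfx" >&2; return 1; }
    # The alias inside a PFX is whatever the exporting tool chose; read it from
    # keytool's (English-locale) listing instead of guessing.
    srcalias=$(keytool -list -keystore "$pfx" -storetype PKCS12 -storepass "$pfxpass" 2>/dev/null \
        | awk -F, '/PrivateKeyEntry/ { print $1; exit }')
    keytool -importkeystore -noprompt \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pfxpass" -srcalias "$srcalias" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$jkspass" \
        -destalias "$alias" -destkeypass "$jkspass"
}

# Usage (placeholder names):
#   import_pfx_into_jks iis-export.pfx 'pfx-password' /path/to/app.jks 'jks-password' encryption
```

If an alias already exists in the destination JKS, keytool refuses to overwrite it; delete the old self-signed entry with `keytool -delete -alias encryption` first if that is the intended replacement.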