I am trying to configure a product called Hermes for a digital signature.
I have a file MyCert.pfx which I specified in its configuration as follows:
<component id="keystore-manager-for-signature" name="Key Store Manager for Digital Signature">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreManager</class>
    <parameter name="keystore-location" value="/opt/mycompany/certs/MyCert.pfx"/>
    <parameter name="keystore-password" value="12345678"/>
    <!-- parameter name="key-alias" value="joeblank"/-->
    <!-- parameter name="key-password" value="12345678"/-->
    <parameter name="keystore-type" value="PKCS12"/>
    <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
</component>
Hermes throws an exception like this:
hk.hku.cecid.ebms.spa.task.MessageValidationException: Cannot sign the ebxml message
by hk.hku.cecid.ebms.pkg.SignatureException: [10204] Cannot sign message Exception: java.lang.NullPointerException Message: null
Try to retreive key alias[null] from keystore[/opt/mycompany/certs/MyCert.pfx]
by java.lang.NullPointerException
I don't have the alias for the pfx file. I didn't need to specify one when I used it in Tomcat's server.xml.
It was also suggested that I should use a command like this to import the certificate into a JKS store:
keytool -importkeystore -deststorepass [password] -destkeystore [JKS keystore file] -deststoretype JKS -destalias [alias] -srckeystore [p12 keystore file] -srcstoretype PKCS12 -srcstorepass [password] -srcalias [alias]
I had to remove the -srcalias portion since I didn't have that, which required me to remove the -destalias as well. So in this case, I don't have a known alias to reference in mycompany.jks.
Either way I don't have an alias. I tried importing the pfx file using keytool -import, but that throws an "Input not an X.509 certificate".
What do you guys suggest I should try next?
It sounds like your application doesn't use a default alias when none is specified. It's quite common for applications/libraries (including Apache Tomcat) to pick the first alias they find when none is specified. However, yours seems to need one. You can find it using
keytool -list -storetype PKCS12 -keystore
(if needed, use -v too to see the alias more clearly). The alias name should be the first part of the line that says something like
2, Jan 12, 2012, PrivateKeyEntry
(here "2"), just before the fingerprint.
keytool -import is indeed just for certificates. keytool -importkeystore could be used for converting the PKCS#12 store into a JKS store, but you shouldn't need it, since you're able to specify the PKCS12 type.
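As an added example (not from the question or answer above, and not part of Hermes), a small Python parser that pulls the alias out of non-verbose keytool -list output the way the answer describes, reading the field before the first comma on the entry line that precedes the fingerprint, and refuses to guess when the store holds zero or several private keys. The sample output and fingerprints are constructed, and the date format is assumed to be the US-locale one shown in the answer.

```python
import re
from typing import List, Tuple

# Constructed sample of `keytool -list -storetype PKCS12 -keystore MyCert.pfx`
# output; the fingerprints are made up. The alias Hermes needs for its
# key-alias parameter is the field before the first comma on each entry line.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: BC

Your keystore contains 2 entries

2, Jan 12, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:01:02:03:04
ca-root, Jan 12, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:00:11:22:33
"""

# One entry line: "<alias>, <Mon d, yyyy>, <EntryType>," (the trailing comma is
# optional; older keytool releases omit it). Assumes the US-style date shown in
# the answer; other locales print dates differently and would need a wider pattern.
ENTRY_LINE = re.compile(
    r"^(?P<alias>.+?), (?P<date>[A-Za-z]{3,} \d{1,2}, \d{4}), "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)


def parse_keytool_list(output: str) -> List[Tuple[str, str]]:
    """Return (alias, entry_type) pairs from non-verbose keytool -list output."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_LINE.match(line)
        if m:
            entries.append((m.group("alias"), m.group("type")))
    return entries


def signing_alias(output: str) -> str:
    """Pick the alias to put in the key-alias parameter.

    A signer needs exactly one private key. Trusted CA certificates stored in
    the same PKCS#12 file are ignored, and an empty or ambiguous store is
    reported instead of silently taking the first match.
    """
    keys = [alias for alias, kind in parse_keytool_list(output) if kind == "PrivateKeyEntry"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one PrivateKeyEntry, found {keys!r}")
    return keys[0]
```

In practice, feed it the real output with something like signing_alias(subprocess.run([...], capture_output=True, text=True).stdout) and paste the result into the commented-out key-alias parameter.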