on 2015 Feb 09 4:54 PM
12.0.1.4183
The CreateCert executable outputs malformed X.509 certificates that are unsupported by Java. The program previously output X.509v3 files with proper X.509v3 extensions, but an update has introduced a bug causing the application to output X.509v1 certificates with X.509v3 extensions in violation of the X.509 specification. This causes Java’s strict parser to fail when interacting with these certificates with the error text “java.security.cert.CertificateParsingException: no more data allowed for version 1 certificate.” This is true for both Java’s use of the KeyTool, and when interacting with the server over TLS with Java as a client.
Sorry for the delay in responding. This is a bug in createcert that was created with the conversion to openssl (away from Certicom). We are working on a fix.
In the meantime, please use openssl directly to generate certificates:
```
# generate the private key
$ openssl genrsa -des3 -out server.key 1024
# generate a signing request
$ openssl req -new -key server.key -out server.csr
# generate a certificate and sign it with the previous signing request
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# inspect the certificate
$ openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10385265624665396460 (0x901fe00fe84194ec)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CA, ST=Ontario, L=Waterloo, O=SAP, OU=SAP Canada, CN=sap.com/emailAddress=me@sap.com
        Validity
            Not Before: Mar 24 16:00:31 2015 GMT
            Not After : Mar 23 16:00:31 2016 GMT
```
If you want to use this in a SQL Anywhere server you have to create an identity file:
```
# create the identity file
$ cat server.crt server.key >server.pem
```
Now, if you want to import into a Java keystore:
```
# convert to PKCS12
$ openssl pkcs12 -export -in server.crt -inkey server.key -name "sap.com" -out server.p12
# import into Java keystore
$ keytool -importkeystore -deststorepass <store_password> -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12
```
createcert has been fixed in 12.0.1.4247 and 16.0.0.2104.
In the meantime you can create self-signed certificates using Java's keytool. For example:
```
] keytool -genkeypair -keyalg RSA -keysize 2048 -keypass sample -validity 1825 -keystore mystore.jks -storepass STORE_PASSWORD_HERE -v -alias localhost
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]: SAPCanada
What is the name of your organization?
[Unknown]: SAP
What is the name of your City or Locality?
[Unknown]: Waterloo
What is the name of your State or Province?
[Unknown]: ON
What is the two-letter country code for this unit?
[Unknown]: CA
Is CN=Unknown, OU=SAPCanada, O=SAP, L=Waterloo, ST=ON, C=CA correct?
[no]: y
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 1,825 days
for: CN=Unknown, OU=SAPCanada, O=SAP, L=Waterloo, ST=ON, C=CA
[Storing mystore.jks]
```
You can also generate chained certificates.
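The defect reported in the question, a certificate that declares version 1 yet carries the `[3]` extensions field, can be checked for directly in the DER encoding before a certificate is deployed to Java clients. The following is an added example, not code from this thread or from SQL Anywhere; `read_tlv`, `check_version` and the `sample_cert` skeleton (constructed data with empty placeholder fields and no real signature) are assumptions made for illustration.

```python
import base64

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def check_version(cert):
    """Return (declared_version, problems) for a DER- or PEM-encoded certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = [l.strip() for l in cert.splitlines() if b"-----" not in l]
        cert = base64.b64decode(b"".join(lines))
    _, certificate, _ = read_tlv(cert)
    _, tbs, _ = read_tlv(certificate)       # TBSCertificate is the first element
    tags, pos, version = [], 0, 1           # version is DEFAULT v1 when [0] is absent
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        if tag == 0xA0 and not tags:        # [0] EXPLICIT Version: INTEGER 0, 1 or 2
            version = int.from_bytes(read_tlv(value)[1], "big") + 1
        tags.append(tag)
    problems = []
    if 0xA3 in tags and version != 3:       # [3] EXPLICIT Extensions require v3
        problems.append(f"v{version} certificate carries X.509v3 extensions")
    return version, problems

def der(tag, *parts):
    """Encode one DER element (short-form lengths only, enough for the sample)."""
    body = b"".join(parts)
    if len(body) > 127:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(body)]) + body

def sample_cert(version=None, extensions=False):
    """Constructed certificate skeleton: right shape, placeholder contents."""
    tbs = [der(0xA0, der(0x02, bytes([version - 1])))] if version else []
    tbs += [der(0x02, b"\x01")] + [der(0x30)] * 5   # serial, sigAlg, issuer, validity, subject, SPKI
    if extensions:
        tbs.append(der(0xA3, der(0x30)))
    return der(0x30, der(0x30, *tbs), der(0x30), der(0x03, b"\x00"))

if __name__ == "__main__":
    print(check_version(sample_cert(extensions=True)))             # malformed: v1 + extensions
    print(check_version(sample_cert(version=3, extensions=True)))  # well-formed v3
```

To check a real file, pass its bytes, for example `check_version(open("server.crt", "rb").read())`.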