The SAML Metadata profile uses X.509 certificates (for signing and/or encryption) on the IDP and/or SP side. A certificate is represented in the metadata as a <ds:X509Certificate/> element.
Exporting a Certificate from the KeyStore
You can read about the Java KeyStore and the keytool utility at http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
Assume you have a keystore. In my example, I am going to use jbid_test_keystore.jks as my keystore.
Let us proceed to export a certificate from the keystore.
$ keytool -list -keystore jbid_test_keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

servercert, Jan 15, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 3E:A2:54:28:A3:21:A2:72:32:4B:08:E8:EE:30:0E:87

$ keytool -export -keystore jbid_test_keystore.jks -rfc -alias servercert
Enter keystore password:
-----BEGIN CERTIFICATE-----
MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
-----END CERTIFICATE-----
In the first step, I listed the contents of the keystore and saw that it holds a certificate with the alias servercert. The second command then exports that certificate in printable (-rfc) form.
Now we can build our metadata element from it.
<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
You can follow the same steps for an encryption key (use="encryption"), if you need one.
Importing a Certificate into the Java KeyStore
In the previous step, we exported a certificate out of the keystore and built the <ds:X509Certificate/> element from it. Now assume you have been given an IDP metadata file or an SP metadata file. You can locate the X.509 certificate in the IDPSSODescriptor (for an IDP) or the SPSSODescriptor (for an SP).
You can then copy the content of that element into a text file and surround it with the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
In my example, I have a file called "somecert.txt" which contains the same certificate I exported above.
The file looks like this:
-----BEGIN CERTIFICATE-----
MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
-----END CERTIFICATE-----
As you can see, the file has the BEGIN CERTIFICATE and END CERTIFICATE lines (this is the printable encoding defined by IETF RFC 1421, the format that keytool's -rfc option produced above).
Now I am going to use keytool to import it under a separate alias:
$ keytool -import -file somecert.txt -keystore jbid_test_keystore.jks -alias theserver
Enter keystore password:
Certificate already exists in keystore under alias <servercert>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

$ keytool -list -keystore jbid_test_keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

theserver, Feb 22, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 3E:A2:54:28:A3:21:A2:72:32:4B:08:E8:EE:30:0E:87
servercert, Jan 15, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 3E:A2:54:28:A3:21:A2:72:32:4B:08:E8:EE:30:0E:87
We have now successfully imported a certificate into our keystore as a trusted certificate entry.
Troubleshooting
- If you place the metadata in a file, remember that there should be no whitespace at the beginning of the lines containing the encoded X.509 certificate. Otherwise parsing of the metadata file may fail, because a digital representation of the X509Certificate cannot be formed from the content of the <ds:X509Certificate> XML element.
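The extraction step above (copying the <ds:X509Certificate> text into somecert.txt) and the whitespace problem in the troubleshooting note, as an added Python example that is not part of the original page: it pulls the certificate out of a metadata fragment, strips the indentation, checks that the decoded DER is complete, writes the PEM that keytool -import reads, and produces a fingerprint to compare with the keytool -list output. The KeyDescriptor sample embedded in it is constructed from this page's certificate, and the function names are my own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: this page's signing KeyDescriptor, indented like a pretty-printed
# metadata file, so the certificate lines start with the spaces Troubleshooting warns about.
SAMPLE_METADATA = """<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
        MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
        b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
        DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
        Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
        vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
        0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
        55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
        71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
        lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>"""

def extract_certificates(metadata_xml):  # base64 of each ds:X509Certificate, whitespace removed
    root = ET.fromstring(metadata_xml)
    return ["".join(el.text.split()) for el in root.iter("{%s}X509Certificate" % DS_NS) if el.text]

def decode_der(b64):
    """Decode the base64 and check that the outer DER SEQUENCE spans the whole blob."""
    der = base64.b64decode(b64, validate=True)
    if len(der) < 4 or der[0] != 0x30 or (der[1] & 0x80) == 0:
        raise ValueError("not a DER SEQUENCE with a long-form length")
    n = der[1] & 0x7F  # number of length bytes; 2 for the 504-byte certificate above
    expected = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if expected != len(der):  # a truncated or half-pasted certificate fails here
        raise ValueError("DER header says %d bytes, decoded %d" % (expected, len(der)))
    return der

def to_pem(der):  # RFC 1421 style, 64 characters per line, as keytool -import expects
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def fingerprint(der, algo="md5"):  # same format as keytool -list (MD5 on this page)
    return ":".join("%02X" % b for b in hashlib.new(algo, der).digest())

if __name__ == "__main__":
    for der in map(decode_der, extract_certificates(SAMPLE_METADATA)):
        print("Certificate fingerprint (MD5): %s\n%s" % (fingerprint(der), to_pem(der)), end="")
```

The printed fingerprint should match the one keytool -list reported for the servercert entry; if it does not, the pasted base64 was altered somewhere between the metadata file and somecert.txt.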