0 Replies Latest reply on Mar 28, 2008 1:28 PM by sunnym_a

    Client Certificate using Keytool and OpenSSL



      Java 1.5.0_11
      OpenSSL 0.9.8g

      Is there a way to set Netscape Cert Type property to SSL Client while exporting it to PKCS12 certificate using OpenSSL?

      I created a client certificate using the following steps:
      a. Generated key pair using Keytool
      b. Generated CSR and got it signed by the CA (Verisign)
      c. Imported signed certificate and all Root + Intermediate authorities in client keystore for proper certificate chaining
      d. Exported private key from the keystore
      e. Used OpenSSL command to export pkcs12 certificate:

      openssl pkcs12 -export -out client.p12 -inkey client.pem -in client.cer -passout pass:*********

      This certificate gets installed in both IE and Firefox successfully; however, the Netscape Cert Type attribute shows "SSL Server Authentication". This causes the following exception on the server side (Sun JVM) when the certificate is presented through the browser:
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL client

      When I used another pkcs12 certificate generated by IIS, that worked fine, as its Netscape Cert Type attribute was correctly set to SSL Client.

      I came across nscerttype attribute but it seems it's only applicable to openssl commands: ca, req and x509.
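Added example, not part of the original post or of OpenSSL's own documentation: the Netscape Cert Type attribute is an X.509 extension (nsCertType) inside the signed certificate, so `openssl pkcs12 -export` cannot add or change it; it is fixed at signing time, which is why OpenSSL only offers it to `ca`, `req` and `x509`. The script below stands up a throwaway local CA in place of Verisign, signs a client certificate with `nsCertType = client` through an extension file, exports it to PKCS#12 with the post's command (flag spacing corrected, password `changeit` as a placeholder), and reads the extension back out of both the PEM certificate and the `.p12` to show the export leaves it untouched. All file and subject names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: where nsCertType is set and how to check it.
# Assumes only an `openssl` binary on PATH; every path/subject name is a placeholder.
set -eu

# Build a throwaway CA and sign a client certificate whose extensions,
# including nsCertType, are supplied at signing time via -extfile.
make_client_cert() {
  dir=$1
  # Self-signed test CA (stands in for Verisign)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
      -out "$dir/ca.crt" -days 1 -subj "/CN=Example Test CA" >/dev/null 2>&1
  # Client key pair + CSR (the equivalent of keytool -genkeypair / -certreq)
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.pem" \
      -out "$dir/client.csr" -subj "/CN=example-client" >/dev/null 2>&1
  # Extension file: this is the only place nsCertType can be set.
  cat > "$dir/client.ext" <<'EOF'
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
basicConstraints = CA:FALSE
EOF
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 1 -extfile "$dir/client.ext" \
      -out "$dir/client.cer" >/dev/null 2>&1
}

# Print the Netscape Cert Type value of a PEM certificate ("" if absent).
# The value sits on the line after the "Netscape Cert Type:" header.
nscerttype_of() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Netscape Cert Type:/{getline; sub(/^[ \t]+/, ""); print}'
}

# The post's export command with the flag spacing fixed:
# export_p12 KEY.pem CERT.cer OUT.p12
export_p12() {
  openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout pass:changeit
}

# Pull the certificate back out of the .p12 and report its nsCertType,
# demonstrating that the PKCS#12 wrapper neither adds nor removes it.
nscerttype_in_p12() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text \
    | awk '/Netscape Cert Type:/{getline; sub(/^[ \t]+/, ""); print}'
}

# End-to-end run; prints the attribute before and after export.
demo() {
  d=$(mktemp -d)
  make_client_cert "$d"
  echo "PEM cert nsCertType : $(nscerttype_of "$d/client.cer")"
  export_p12 "$d/client.pem" "$d/client.cer" "$d/client.p12"
  echo "PKCS#12 nsCertType  : $(nscerttype_in_p12 "$d/client.p12")"
  rm -rf "$d"
}

# Run with:  sh this_script.sh demo
case "${1:-}" in demo) demo ;; esac
```

For a certificate issued by a commercial CA the same logic applies: the value has to be requested from, and set by, the CA at issuance, and the quickest check on an existing certificate is `openssl x509 -in client.cer -noout -text | grep -A1 'Netscape Cert Type'`. Note that nsCertType is a legacy Netscape extension; current validators generally look at extendedKeyUsage (`clientAuth`) instead, so a certificate intended for client authentication should carry that as well.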