PicketLink::X509 Certificates in SAML Metadata

Version 4

    The SAML Metadata profile uses X.509 certificates (for signing and/or encryption) on the IDP and/or SP side. Each certificate is represented in the metadata as a <ds:X509Certificate/> element.

    Exporting a Certificate from the KeyStore

    You can read about the Java KeyStore and the keytool utility at http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html

    Assume you have a keystore. In my example, I am going to use jbid_test_keystore.jks as my keystore.

    Let us proceed to export a certificate from the keystore.

    $ keytool -list -keystore jbid_test_keystore.jks 
    Enter keystore password:  
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    servercert, Jan 15, 2009, PrivateKeyEntry, 
    Certificate fingerprint (MD5): 3E:A2:54:28:A3:21:A2:72:32:4B:08:E8:EE:30:0E:87
    
    $ keytool -export -keystore jbid_test_keystore.jks -rfc -alias servercert
    Enter keystore password:   
    
    -----BEGIN CERTIFICATE-----
    MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
    b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
    DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
    Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
    vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
    0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
    55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
    71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
    lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
    -----END CERTIFICATE-----

    In the first step, I listed the contents of the keystore and saw that there is a certificate with the alias servercert. The second command then exports that certificate in PEM form (the -rfc option).

    Now we are ready to build our metadata element, pasting the exported Base64 text between the <ds:X509Certificate> tags:

    <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
    MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
    b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
    DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
    Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
    vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
    0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
    55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
    71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
    lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
    </KeyDescriptor>

    You can use the same steps for an encryption key (a KeyDescriptor with use="encryption"), if you need one.

    Importing a Certificate into the Java KeyStore

    In the previous step, we exported a certificate from the keystore and formed the <ds:X509Certificate/> element with it. Now assume you have been given an IDP metadata file or an SP metadata file: you can locate the X509Certificate either in the IDPSSODescriptor (for an IDP) or in the SPSSODescriptor (for an SP).

    You can then extract the contents of that element into a text file and surround them with the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    In my example, I have a file called "somecert.txt" which contains the same certificate I exported above.

    The file looks like this:

    -----BEGIN CERTIFICATE-----
    MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
    b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
    DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
    Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
    vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
    0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
    55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
    71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
    lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
    -----END CERTIFICATE-----
    

    As you can see, the file has the BEGIN CERTIFICATE and END CERTIFICATE lines (this is the RFC format, the Base64 certificate encoding of IETF RFC 1421, which keytool produces with the -rfc option).

    Now I am going to use keytool to import it under a separate alias:

    $ keytool -import -file somecert.txt -keystore jbid_test_keystore.jks -alias theserver
    Enter keystore password:  
    Certificate already exists in keystore under alias <servercert>
    Do you still want to add it? [no]:  yes
    Certificate was added to keystore
    
    
    $ keytool -list -keystore jbid_test_keystore.jks 
    Enter keystore password:  
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    theserver, Feb 22, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): 3E:A2:54:28:A3:21:A2:72:32:4B:08:E8:EE:30:0E:87
    servercert, Jan 15, 2009, PrivateKeyEntry, 
    Certificate fingerprint (MD5): 3E:A2:54:28:A3:21:A2:72:32:4B:08:E8:EE:30:0E:87
    

    We have now successfully imported the certificate into our keystore as a trusted certificate entry (trustedCertEntry) under the alias theserver; its fingerprint matches that of the servercert entry, confirming it is the same certificate.

    Troubleshooting

    • If you place the metadata in a file, remember that there must be no whitespace at the beginning of the lines containing the encoded X509 certificate. Otherwise parsing of the metadata file may fail, because a digital X509Certificate object cannot be formed from the contents of the <ds:X509Certificate> XML element.
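As an added example (Python rather than keytool, and not PicketLink's own code), the following script does in code what the export and import steps above do by hand: it pulls the ds:X509Certificate out of a KeyDescriptor, strips the whitespace that the Troubleshooting note warns about and reports it, checks that the decoded bytes really form a DER certificate envelope, converts to and from the PEM form that keytool -export -rfc produces, and rebuilds the KeyDescriptor element shown earlier. The sample metadata embedded in it is constructed from the certificate on this page with leading spaces added deliberately; the md: namespace prefix on the fragment, the function names and the 64/76-character line widths are my own choices.

```python
"""<ds:X509Certificate> handling for SAML metadata (added example, not PicketLink/keytool code)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"ds": DS_NS, "md": MD_NS}
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: the certificate exported on the page, pasted into a KeyDescriptor
# with leading spaces on every Base64 line (the situation the Troubleshooting note warns about).
SAMPLE_METADATA = """\
<md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
        MIIB9DCCAV0CBElvalIwDQYJKoZIhvcNAQEEBQAwQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpC
        b3NzMQ4wDAYDVQQLEwVKQm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MB4XDTA5MDExNTE2NTQ0MloX
        DTA5MDQxNTE2NTQ0MlowQTELMAkGA1UEBhMCVVMxDjAMBgNVBAoTBUpCb3NzMQ4wDAYDVQQLEwVK
        Qm9zczESMBAGA1UEAxMJamJpZCB0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDsqJo7
        vBYZ9+tlxfItxjezJntNZUTnAHNTTz8O+CVO+9JB6i2YkMoFN5rw3wp/xIqp0EA0fx2dhPTBFeR5
        0BD73tjDBYqLBPP4Qdi9/AFZBpXcEG7aQtV73D6HKRc+YQQhDNddt+gG33GLmnCisOyMklE6J8rn
        55S2MgraOQbMowIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFthl5SFim6NXCsRzOl8VHDdrIskk9i5
        71zQLEI1BW24IiDtAgQBY6YXb1kkEJ6GmlW44IWIBZLTRerYXAivdJTdW+9D+HCapByQeNfj7HnQ
        lTz3UNkn6k2iagzYdJdnhgRZGpRWjf1t4skoJjvfL3HwkOWhSFKundbKcZSZwifI
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
"""

def decode_certificate_text(text):
    # Drop all whitespace, then decode strictly so a stray character is an error, not silent garbage.
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)

def _der_length(buf, pos):
    # DER length at buf[pos]: short form (< 0x80) or long form (0x80 | n, then n length bytes).
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_der_certificate(der):
    # Check the outer Certificate SEQUENCE and the inner tbsCertificate SEQUENCE; a truncated or
    # corrupted Base64 blob fails here. Returns (outer_len, tbs_len).
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    outer_len, pos = _der_length(der, 1)
    if pos + outer_len != len(der):
        raise ValueError("declared length %d, got %d bytes" % (outer_len, len(der) - pos))
    if der[pos] != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tbs_len, _ = _der_length(der, pos + 1)
    return outer_len, tbs_len

def fingerprint(der, algorithm="md5"):
    # Colon-separated digest in the style keytool -list prints, to compare with the keystore entry.
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def der_to_pem(der):
    # PEM form (what keytool -export -rfc writes), 64 characters per line.
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_END]) + "\n"

def pem_to_der(pem):
    # Take whatever sits between the BEGIN and END markers and decode it.
    m = re.search(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), pem, re.S)
    if not m:
        raise ValueError("no PEM certificate markers found")
    return decode_certificate_text(m.group(1))

def certificate_from_metadata(xml_text):
    # Locate the ds:X509Certificate of a KeyDescriptor; returns (use, DER bytes, warnings).
    root = ET.fromstring(xml_text)
    kd = root if root.tag.endswith("KeyDescriptor") else root.find(".//md:KeyDescriptor", NS)
    if kd is None:
        raise ValueError("no KeyDescriptor in metadata")
    cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("KeyDescriptor has no ds:X509Certificate")
    # Lines that begin with whitespace are exactly what the Troubleshooting note says breaks parsing.
    bad = [ln for ln in cert_el.text.splitlines() if ln.strip() and ln[0].isspace()]
    warnings = ["%d certificate line(s) start with whitespace" % len(bad)] if bad else []
    der = decode_certificate_text(cert_el.text)
    check_der_certificate(der)
    return kd.get("use"), der, warnings

def key_descriptor_from_pem(pem, use="signing"):
    # Build the KeyDescriptor shown on the page from a PEM file; the Base64 is written flush-left.
    der = pem_to_der(pem)
    check_der_certificate(der)
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return ('<KeyDescriptor use="%s">\n  <ds:KeyInfo xmlns:ds="%s">\n    <ds:X509Data>\n'
            '      <ds:X509Certificate>\n%s\n      </ds:X509Certificate>\n'
            '    </ds:X509Data>\n  </ds:KeyInfo>\n</KeyDescriptor>\n') % (use, DS_NS, body)

if __name__ == "__main__":
    use, der, warnings = certificate_from_metadata(SAMPLE_METADATA)
    print(use, len(der), "bytes, MD5", fingerprint(der), warnings)
    print(key_descriptor_from_pem(der_to_pem(der)))
```

Running the file prints the certificate's MD5 fingerprint, which you can compare with the fingerprint keytool -list shows for the alias to confirm that the metadata carries the same certificate as the keystore; the warning about indented lines is the condition to fix before handing the metadata to a strict parser.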

    References