How can I introduce a cross signing certificate into a chain?


I maintain a Java applet that is deployed locally. I purchased a code signing certificate from Go Daddy (it is inexpensive, and they host our site). The certificate chain is as follows (all files are available at https://certs.godaddy.com/anonymous/repository.pki):

  1. my company
  2. gdig2.cer
  3. gdroot-g2.crt

Unfortunately, the root is not installed by default on Windows 7 (used by IE) or in the Windows JRE (used by the other browsers, I think). Manually installing the root certificate is doable, but it requires users to have administrator access or to run unfamiliar commands (it doesn't make sense from a security standpoint: "you can trust this applet, and to prove it, run this command on your computer").

I would like to change the certificate chain to

  1. my company
  2. gdig2.cer
  3. gdroot-g2_cross.crt
  4. gd-class2-root.crt

which seems to be more prevalent (for example, it is in the Windows JRE, and it is used to validate https://www.godaddy.com, which gets it into Windows 7). Go Daddy was not able to help me ("our support for using one of our code signing certificates is limited"), so I'm left doing it on my own.

Following this answer, the most promising approach has been the following (on Mac OS X 10.6):

  1. Convert the certificate to PEM format:
    $ openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
  2. Use a text editor to open mycert.pem, delete gdroot-g2.crt, and paste in gdroot-g2_cross.crt and gd-class2-root.crt (openssl appears not to care about the order of the certificates, but I put them in the order shown above)
  3. Convert the certificates to P12 format:
    $ openssl pkcs12 -export -in mycert.pem -out combined.p12

Unfortunately, this doesn't quite work. Calling

    $ keytool -list -storetype pkcs12 -keystore combined.p12 -v

shows that the certificate chain extends through gdig2.cer, and then stops. The problem appears to be that gdroot-g2_cross.cer doesn't certify gdig2.cer:

    $ openssl verify -CAfile gd-class2-root.cer gdroot-g2_cross.cer
    gdroot-g2_cross.cer: OK
    $ cat gd-class2-root gdroot-g2_cross.cer > gdrootcross.pem
    $ openssl verify -CAfile gdrootcross.pem gdig2.cer
    gdig2.cer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
    error 20 at 0 depth lookup:unable to get local issuer certificate

But it looks OK to me:

    $ openssl x509 -in gdig2.cer -text -noout
    . . .
            Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
    . . .
            X509v3 Authority Key Identifier:
                keyid:3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
    . . .
    $ openssl x509 -in gdroot-g2_cross.cer -text -noout
    . . .
            Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=https://certs.godaddy.com/repository/, CN=Go Daddy Root Certificate Authority - G2
    . . .
            X509v3 Subject Key Identifier:
                3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
    . . .

This leads me to think that I'm not using the cross certificate correctly, but I don't know what I'm doing wrong. (I've tried appending the two new certificates to the original chain, but openssl verify says error 18 at 0 depth lookup:self signed certificate.) I'm willing to believe that it's not possible to change the root certificate, but that seems to be the entire point of cross certificates. How can I introduce a cross certificate into the certificate chain in order to have it verified by a different root certificate authority?

You don't. You have one certificate signed by the first authority, and one certificate signed by the second authority - both having the same public key / fingerprint and subject line. That's it.
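An added example, not from the original post or answer, of why a cross certificate whose key identifier matches can still fail to chain: the question's own openssl output shows that gdig2's Issuer field lacks the OU that the cross certificate's Subject carries, and X.509 path building matches the issuer name, not only the key identifier. The script builds a throwaway PKI with openssl and reproduces both cases; Demo Root G2, Demo Class2 Root and Demo Intermediate are constructed stand-ins for gdroot-g2, gd-class2-root and gdig2, and it assumes an openssl binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway PKI that mirrors the
# questioner's layout (two roots, one intermediate) and shows which kind of
# cross-certificate lets the intermediate verify under the second root.
# Every name and file here is constructed for the demo.
set -e
D=$(mktemp -d)
cat > "$D/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# cert OUT KEY SUBJECT [ISSUER]: certify KEY under SUBJECT, signed by the
# ISSUER root's key, or self-signed when no ISSUER is given.
cert() {
  openssl req -new -key "$D/$2.key" -subj "$3" -out "$D/$1.csr" 2>/dev/null
  if [ -n "$4" ]; then
    openssl x509 -req -in "$D/$1.csr" -CA "$D/$4.crt" -CAkey "$D/$4.key" \
      -CAcreateserial -days 365 -extfile "$D/ca.ext" -out "$D/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$D/$1.csr" -signkey "$D/$2.key" \
      -days 365 -extfile "$D/ca.ext" -out "$D/$1.crt" 2>/dev/null
  fi
}

for k in g2 class2 inter; do openssl genrsa -out "$D/$k.key" 2048 2>/dev/null; done
cert g2     g2     "/CN=Demo Root G2"           # stand-in for gdroot-g2
cert class2 class2 "/CN=Demo Class2 Root"       # stand-in for gd-class2-root
cert inter  inter  "/CN=Demo Intermediate" g2   # stand-in for gdig2
# Two cross-certificates for the G2 key, both issued by the Class2 root: one
# keeps the G2 root's exact subject, the other adds an OU to it.
cert cross_same g2 "/CN=Demo Root G2"               class2
cert cross_ou   g2 "/OU=repository/CN=Demo Root G2" class2

# verify_via CROSS: prints OK if inter.crt chains to the Class2 root through
# CROSS.crt, otherwise the openssl error number (20 = no local issuer found).
verify_via() {
  cat "$D/class2.crt" "$D/$1.crt" > "$D/bundle_$1.pem"
  out=$(openssl verify -CAfile "$D/bundle_$1.pem" "$D/inter.crt" 2>&1) && { echo OK; return 0; }
  echo "$out" | sed -n 's/.*error \([0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
}

# Same key and same subject: the issuer and subject names chain, the path builds.
verify_via cross_same   # prints OK
# Same key (the AKID still matches the SKID) but a different subject DN: the
# intermediate's issuer name finds no match, the error 20 seen in the question.
verify_via cross_ou     # prints 20
```

Adding the two roots plus the cross certificate to a -CAfile bundle is the same check the question ran; the only variable here is whether the cross certificate's Subject equals the intermediate's Issuer.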