November 13, 2014

How to modify the friendly name attribute in an SSL certificate

Recently I have been investigating the cause of an exception that started to show up after switching to a new SSL certificate:
Exception in thread "main" org.apache.ws.security.WSSecurityException: General security error (No certificates for user john were found for signature)
at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:314)
at org.apache.ws.security.message.WSSecSignature.build(WSSecSignature.java:755)
The code responsible for the above exception:
1| WSSecSignature builder = new WSSecSignature();
2| builder.setUserInfo("john", "secret");
3| builder.build(document, crypto, secHeader);
where:
  • builder is an instance of org.apache.ws.security.message.WSSecSignature
  • crypto is an instance of org.apache.ws.security.components.crypto.Crypto
  • document is an instance of org.w3c.dom.Document
  • secHeader is an instance of org.apache.ws.security.message.WSSecHeader

The crucial line in the above snippet is line 2, where the username (john) and password (secret) are provided. WSS4J uses the username as the keystore alias under which it looks up the signing key, and for a PKCS#12 keystore Java exposes each entry's friendlyName attribute as its alias, so the username must match the friendly name attribute in the certificate.

To check whether a certificate contains the friendly name attribute, run:
openssl pkcs12 -info -nodes -in cert.p12
For the new certificate I got:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: B4 CA ...
subject=/C=PL/O=organization/CN=name
issuer=/C=PL/O=organization/CN=user
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: B4 CA ...
Key Attributes: 
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
The cause of the issue was the friendly name attribute missing in the new certificate.

I did some Googling and came across this great page, which lists the steps for modifying a certificate:

  1. export the certificate:
     openssl pkcs12 -info -nodes -in cert.p12 > cert.p12.pem
  2. extract the private key
    • copy cert.p12.pem to key.pem
    • delete the private key from cert.p12.pem
    • delete everything from key.pem except the private key
  3. extract the user certificate
    • copy cert.p12.pem to mycert.pem
    • delete the user certificate from cert.p12.pem
    • delete everything from mycert.pem except the user certificate
  4. modify cert.p12.pem
    • add a new attribute friendlyName
  5. run:
     openssl pkcs12 -export -in mycert.pem -inkey key.pem -name user -out cert.p12.new
Voilà! Inside cert.p12.new there is the new certificate with the friendly name attribute set (the -name user option of the export command is what writes it).
openssl pkcs12 -info -nodes -in cert.p12.new
now returns:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: user
    localKeyID: B4 CA ...
subject=/C=PL/O=organization/CN=name
issuer=/C=PL/O=organization/CN=user
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: user
    localKeyID: B4 CA ...
Key Attributes: 
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
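The whole round trip, as an added example that is not part of the original post: it generates a throwaway self-signed key and certificate, packs them into a PKCS#12 file without -name (reproducing the keystore that made WSS4J fail), repacks them with -name as in the last step above, and checks the friendlyName attribute with the same openssl pkcs12 -info command used throughout the post. The working directory, the password "secret" and the alias "john" are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the missing
# friendlyName, apply the "-name" fix and verify the attribute is present.
# Paths, the password "secret" and the alias "john" are constructed for the demo.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT    # the PEM files hold an unencrypted private key; do not leave them behind
P12PASS="pass:secret"            # constructed password for the demo keystores

# Generate a self-signed key/certificate pair (constructed test data, 1-day validity).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=PL/O=organization/CN=name" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/mycert.pem" >/dev/null 2>&1
}

# Pack key + certificate WITHOUT -name: this reproduces the "bad" keystore from the post.
pack_without_name() {
  openssl pkcs12 -export -in "$WORKDIR/mycert.pem" -inkey "$WORKDIR/key.pem" \
    -passout "$P12PASS" -out "$WORKDIR/cert.p12"
}

# Pack key + certificate WITH -name <alias>: the fix from the post's last step.
pack_with_name() {
  openssl pkcs12 -export -in "$WORKDIR/mycert.pem" -inkey "$WORKDIR/key.pem" \
    -name "$1" -passout "$P12PASS" -out "$WORKDIR/cert.p12.new"
}

# Print the first friendlyName found in a PKCS#12 file, or nothing if it is absent.
# Same "openssl pkcs12 -info" check as in the post, reduced to a single value.
friendly_name_of() {
  openssl pkcs12 -info -nodes -in "$1" -passin "$P12PASS" 2>/dev/null \
    | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# Succeed only when the keystore carries the alias WSS4J will look up from setUserInfo();
# failure here is the condition behind "No certificates for user john were found".
alias_present() {
  [ "$(friendly_name_of "$1")" = "$2" ]
}

demo() {
  make_test_cert
  pack_without_name
  if alias_present "$WORKDIR/cert.p12" john; then
    echo "unexpected: cert.p12 already carries the alias"
  else
    echo "cert.p12: no friendlyName, WSS4J would not find user john"
  fi
  pack_with_name john
  if alias_present "$WORKDIR/cert.p12.new" john; then
    echo "cert.p12.new: friendlyName=$(friendly_name_of "$WORKDIR/cert.p12.new")"
  fi
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

Because the -nodes export writes the private key to disk unencrypted, the script keeps every intermediate file in a temporary directory that is removed on exit; when following the manual steps above, delete cert.p12.pem and key.pem the same way once cert.p12.new has been verified.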
