-2

Is there a way to make keytool generate version 3 certificates? I'm following this tutorial, and in the end I have version 1 certificates. But then in my application I get an exception that is caused by:

Caused by: java.security.cert.CertPathValidatorException: Version 1 certificates can't be used as CA ones.

I use keytool from jdk8.

EDIT: The command

openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca 

changes the version of the certificate.

David S.
  • 242
  • 1
  • 15
  • I tried with JDK 8 and JDK8u131, got a v3 certificate with both of them using the same command as in the tutorial. Are you sure it's JDK 8 you are using? – Pallavi Sonal Jul 07 '17 at 10:03
  • The path to my keytool is C:\java\jdk1.8.0_66\bin\keytool.exe, so I guess I do. I can try to download exactly the same version as you and try it. – David S. Jul 07 '17 at 10:19
  • I tried it with JDK8u131 and I still get version 1 certificates. – David S. Jul 07 '17 at 10:59
  • @PallaviSonal Actually I guess that it may not even be a problem of keytool; it may be just my machine. In the end I'll get already-made keystores into the project, but I need some for testing. If you were able to make them in version 3, could you upload them and send a link? – David S. Jul 07 '17 at 11:02
  • It seems like it is the job of openssl; before I run openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca it is version 3, but after this command the version changes to 1. – David S. Jul 07 '17 at 11:29
  • Please show your code. Since Stack Overflow hides the Close reason from you: *Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. Questions without a clear problem statement are not useful to other readers. See: [How to create a Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve).* – jww Jul 08 '17 at 00:16
  • @jww Sure, I will add my comment that was above yours in an edit, but according to the Java code there was nothing bad; this was purely a problem of the use of the openssl x509 command. – David S. Jul 08 '17 at 09:01

1 Answer

1

Solved. It was not a problem in keytool, but in openssl changing the version. I needed to specify -extfile v3.ext, where the v3.ext file contained

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment 

according to this post.

David S.
  • 242
  • 1
  • 15
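
A worked version of the fix from this answer, as an added example that is not part of the original question or answer. It assumes a POSIX shell with an openssl binary on PATH, reuses the question's file names (cakey.pem, careq.pem, caroot*.cer) inside a scratch directory, and writes an assumed extension file v3_ca.ext for a CA certificate: CA:TRUE rather than the answer's CA:FALSE, because the exception in the question is about using the certificate as a CA, and CA:FALSE is what a leaf certificate should carry. The script signs the same CSR once without and once with -extfile, then reads the version and basicConstraints back with openssl x509 -text, which is the check to run before importing anything into a keystore. Note that -extensions only selects a section inside the file named by -extfile; with no -extfile nothing is added, which is why the question's command still produced a v1 certificate.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumes: POSIX sh, an openssl binary on PATH, and a writable temp directory.
# File names follow the question (cakey.pem, careq.pem, caroot*.cer); the
# extension file name v3_ca.ext and its contents are assumptions for a CA cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the X.509 version (1 or 3) that openssl reports for a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Print the basicConstraints value (e.g. CA:TRUE), or nothing if the
# certificate carries no such extension (a v1 certificate cannot carry any).
cert_basic_constraints() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Basic Constraints/ { getline; gsub(/ /, ""); print; exit }'
}

# Build a CA key and CSR, then self-sign it twice: once as the question did
# (no extension file) and once with -extfile, which the answer found was
# needed to get a v3 certificate.
make_certs() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/careq.pem" >/dev/null 2>&1

    # The answer's v3.ext says CA:FALSE, which is right for a leaf certificate.
    # A certificate that must act as a CA needs CA:TRUE, so this file differs.
    cat > "$WORK/v3_ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

    # No -extfile: no extensions are written. The question's OpenSSL emitted
    # a v1 certificate here; compare what yours prints.
    openssl x509 -req -signkey "$WORK/cakey.pem" -days 3650 \
        -in "$WORK/careq.pem" -out "$WORK/caroot_v1.cer" >/dev/null 2>&1

    # With -extfile the extensions are written and the certificate is v3.
    openssl x509 -req -signkey "$WORK/cakey.pem" -days 3650 \
        -in "$WORK/careq.pem" -out "$WORK/caroot_v3.cer" \
        -extfile "$WORK/v3_ca.ext" >/dev/null 2>&1
}

make_certs
echo "no -extfile:   version $(cert_version "$WORK/caroot_v1.cer")"
echo "with -extfile: version $(cert_version "$WORK/caroot_v3.cer"), $(cert_basic_constraints "$WORK/caroot_v3.cer")"
```

Run it with sh; it removes its scratch directory on exit. The two helper functions work on any PEM certificate, for example one exported from a keystore with keytool -exportcert -rfc, so the same check can be applied to the keystore the JDK will actually load.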