Is it possible to access certificates stored in the Local Machine store (rather than Current User) from a Java Servlet? I've tried using the MSCAPI provider opening the "Windows-MY" and "Windows-ROOT" stores, but neither contains certificates from the Local Machine store.
A:
The certificates you are looking for are in the Java keystore file or are passed into Tomcat when starting the server:
http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html
If you are trying to load them in your application, then look here for how to make HTTPS requests; the HTTPClient documentation will get you started.
Not sure if this helps you out, but if you can provide more details, then you might be able to get a more specific answer.

    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;

    public class KeyStoreLookup {
        // Usage: java KeyStoreLookup <alias> <key password>
        public static void main(String[] args) {
            String fname = System.getProperty("user.home") +
                    File.separator + ".keystore";
            // try-with-resources closes the keystore file on every path
            try (FileInputStream fis = new FileInputStream(fname)) {
                KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
                // A null password skips the keystore integrity check
                ks.load(fis, null);
                if (ks.isKeyEntry(args[0])) {
                    System.out.println(args[0] +
                            " is a key entry in the keystore");
                    char[] c = args[1].toCharArray();
                    System.out.println("The private key for " + args[0] +
                            " is " + ks.getKey(args[0], c));
                    Certificate[] certs = ks.getCertificateChain(args[0]);
                    // First certificate in the chain belongs to the entry itself
                    if (certs[0] instanceof X509Certificate) {
                        X509Certificate x509 = (X509Certificate) certs[0];
                        System.out.println(args[0] + " is really " +
                                x509.getSubjectX500Principal());
                    }
                    // Last certificate in the chain is the top-level issuer
                    if (certs[certs.length - 1] instanceof X509Certificate) {
                        X509Certificate x509 =
                                (X509Certificate) certs[certs.length - 1];
                        System.out.println(args[0] + " was verified by " +
                                x509.getIssuerX500Principal());
                    }
                } else if (ks.isCertificateEntry(args[0])) {
                    System.out.println(args[0] +
                            " is a certificate entry in the keystore");
                    Certificate c = ks.getCertificate(args[0]);
                    if (c instanceof X509Certificate) {
                        X509Certificate x509 = (X509Certificate) c;
                        System.out.println(args[0] + " is really " +
                                x509.getSubjectX500Principal());
                        System.out.println(args[0] + " was verified by " +
                                x509.getIssuerX500Principal());
                    }
                } else {
                    System.out.println(args[0] +
                            " is unknown to this keystore");
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Aaron Saunders
2010-08-31 20:38:31
I'm not looking to do SSL. I would like to access machine certificates and pull out their key pair to encrypt/decrypt certain settings in configuration files. I have done this with certificates in the Current User's Personal Certificate store, but I would like to pull (SSL) certificates out of the Local Machine store for the crypto instead.
Petey B
2010-08-31 20:58:22
This code is not at all what the OP is asking for.
Justin
2010-09-03 14:51:23
+1
A:
The default JDK implementation is fairly limited. AFAIK it will only bring back RSA keys and certificates. It is not a general-purpose adapter to MSCAPI. I have been able to get some certs back using the mechanism you describe.
Justin
2010-08-31 20:38:40
All I want is the RSA key pair. You are right, I can get the key pair from the Current User's Personal (Windows-MY) store, but instead I would like to get them from the Local Machine's Personal certificate store. I haven't found a way to specify which certificate store (Current User/Local Machine) to read from. It seems to only want to read from Current User.
Petey B
2010-08-31 21:00:05
I see what you want to do, but why should it let you read from the stores of other users? Does the local machine have key pairs in its store? If so, your Java process would need the permission to act as part of the OS.
Justin
2010-08-31 22:16:49
Yes, the local machine has a key pair in its store; any idea how I could give my Java process permission to act as part of the OS?
Petey B
2010-09-01 13:34:21
This is one of the difficult things about Java: since java.exe is the binary, you have to give it the permission (not the class file). If I remember correctly, your process must actively claim the permission through native code. I should also mention that I am guessing about the OS permission you will need. Can you first put a trusted cert (not a key pair) into the Windows-ROOT and retrieve it?
Justin
2010-09-01 15:35:07
Yes, I can retrieve certificates from the Local Machine Windows-ROOT store fine; the Local Machine Windows-MY store, however, appears empty to Java.
Petey B
2010-09-02 17:55:32
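
An added example, not part of the original thread or any poster's code: a probe that lists what the SunMSCAPI provider exposes for each store location, so the Current User and Local Machine views can be compared side by side. It assumes a Windows JVM on JDK 19 or later, where the `Windows-MY-LOCALMACHINE` and `Windows-ROOT-LOCALMACHINE` keystore types exist; the class name `MachineStoreProbe` is hypothetical.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: compares what SunMSCAPI exposes per store location.
// Runs on Windows only; the *-LOCALMACHINE types assume JDK 19 or later.
public class MachineStoreProbe {
    // Keystore types registered by the SunMSCAPI provider.
    static final String[] TYPES = {
        "Windows-MY",               // Current User, Personal
        "Windows-ROOT",             // Current User, Trusted Roots
        "Windows-MY-LOCALMACHINE",  // Local Machine, Personal
        "Windows-ROOT-LOCALMACHINE" // Local Machine, Trusted Roots
    };

    public static void main(String[] args) throws Exception {
        for (String type : TYPES) {
            KeyStore ks;
            try {
                ks = KeyStore.getInstance(type, "SunMSCAPI");
            } catch (KeyStoreException e) {
                // Older JDKs do not register the LOCALMACHINE types.
                System.out.println(type + ": not supported by this JDK");
                continue;
            }
            ks.load(null, null); // Windows stores take no stream or password
            System.out.println(type + ": " + ks.size() + " entries");
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : "(non-X.509)";
                // isKeyEntry reports whether the provider attached a
                // private key to this alias.
                System.out.println("  " + alias
                        + (ks.isKeyEntry(alias) ? " [key pair] " : " [cert only] ")
                        + subject);
            }
        }
    }
}
```

Using a Local Machine private key also depends on the account running the JVM having read access to that key in Windows.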