Signed "Sub-Certificate" in different keystores


Bob1955
April 28th, 2010, 04:37 AM
Hello,

I have a certificate signed by Thawte to certify jar files. Now I'd like to create some "sub-certificates" from the signed one, each for a different developer.
These new certificates should allow each developer to certify their own code.

Is it possible to create these certificates and put them into new keystores without the root certificate, and if it is possible, how?

I already tried to use SignCertificate (
h2kfl.pe.kr/40/attach/Creating%20Certificate%20Chain.doc) but it won't allow me to put the new certificate in a different keystore.

Sorry if my English is not perfect, but I hope you understand what I mean.

Thanks Hans

Bob1955
April 28th, 2010, 09:14 AM
Ok,

right now I'm only testing with a self-created certificate because I don't have access to the one from Thawte.

Right now I'm creating a new keystore with a "root certificate", which should resemble the Thawte certificate.


keytool -genkey -v -alias rootCA -keyalg RSA -keystore kstore


Then I create another certificate, CA:


keytool -genkey -v -alias CA -keyalg RSA -keystore kstore


and call SignCertificate:


java SignCertificate kstore rootCA CA CAsigned


thus creating the certificate CAsigned.
I export CAsigned to CAsigned.crt and import it back as CA:


keytool -export -alias CAsigned -keystore kstore -file CAsigned.crt
keytool -import -alias CA -keystore kstore -file CAsigned.crt


Now I use importkeystore:


keytool -importkeystore -srckeystore kstore -destkeystore kstore2 -srcalias ca


With this new keystore and the certificate in it, I am able to sign jars and then verify them with rootCA.



1. Is this correct or is there an error I don't see?
2. Would this work with the thawte certificate?
3. The whole process seems very cumbersome, is there a faster/easier/better way to do this?
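The procedure above, written out as a complete script. This is an added example, not code from the poster or from the SignCertificate document: it uses keytool's built-in certificate signing (keytool -gencert, available since JDK 7) instead of the separate SignCertificate program, so the root key never leaves its own keystore and each developer gets a keystore that holds only their own key pair with its chain. The aliases, distinguished names, file names and the password "changeit" are made up for the demonstration, and the script needs a JDK on the PATH (keytool, jar and jarsigner).

```shell
#!/bin/sh
# Added example: private root CA in one keystore, a per-developer code-signing
# certificate issued from it into a second keystore, jar signed with the
# developer key and verified against the root only. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=changeit                # demo password only; do not hard-code one in real tooling
ROOT_KS="$WORK/root.jks"     # holds the root private key; stays with the release manager
DEV_KS="$WORK/dev1.jks"      # handed to the developer; never contains the root key

# 1. Root CA key pair, self-signed and marked as a CA (BasicConstraints, critical).
make_root_ca() {
    keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Root CA, O=Example" -ext bc:c \
        -keystore "$ROOT_KS" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -alias rootca -keystore "$ROOT_KS" -storepass "$PASS" \
        -rfc -file "$WORK/rootca.pem"
}

# 2. Developer key pair generated directly in the developer's keystore; only a
#    CSR leaves it. The root signs the CSR with a code-signing profile.
issue_dev_cert() {
    alias="$1"; cn="$2"
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$cn, O=Example" -keystore "$DEV_KS" -storepass "$PASS" -keypass "$PASS"
    keytool -certreq -alias "$alias" -keystore "$DEV_KS" -storepass "$PASS" \
        -file "$WORK/$alias.csr"
    keytool -gencert -alias rootca -keystore "$ROOT_KS" -storepass "$PASS" \
        -infile "$WORK/$alias.csr" -outfile "$WORK/$alias.pem" -rfc -validity 365 \
        -ext ku:c=digitalSignature -ext eku=codeSigning
    # keytool only installs a certificate reply it can chain to a trusted
    # certificate in the keystore, so the root cert goes in first as a trust
    # entry, then the reply is installed on the developer's key entry.
    keytool -importcert -noprompt -alias rootca -keystore "$DEV_KS" -storepass "$PASS" \
        -file "$WORK/rootca.pem"
    keytool -importcert -noprompt -alias "$alias" -keystore "$DEV_KS" -storepass "$PASS" \
        -keypass "$PASS" -file "$WORK/$alias.pem"
    # The separate root trust entry is no longer needed: the key entry now
    # carries the full chain (developer cert + root cert), and the root cert
    # holds no secret, so it can travel with the developer keystore.
    keytool -delete -alias rootca -keystore "$DEV_KS" -storepass "$PASS"
}

# Returns 0 when the developer's key entry carries a two-certificate chain.
chain_length_is_two() {
    keytool -list -v -alias "$1" -keystore "$DEV_KS" -storepass "$PASS" \
        | grep -q "Certificate chain length: 2"
}

# Returns 0 when no entry named rootca remains in the developer keystore.
dev_keystore_lacks_root() {
    ! keytool -list -keystore "$DEV_KS" -storepass "$PASS" | grep -q '^rootca,'
}

# 3. Sign a jar with the developer's key.
sign_jar() {
    alias="$1"
    echo "hello" > "$WORK/hello.txt"
    (cd "$WORK" && jar cf hello.jar hello.txt)
    jarsigner -keystore "$DEV_KS" -storepass "$PASS" "$WORK/hello.jar" "$alias" >/dev/null
}

# 4. Verify the jar trusting only what is in root.jks (the verifier never
#    needs the developer keystore). Returns 0 when jarsigner reports success.
verify_jar() {
    jarsigner -verify -keystore "$ROOT_KS" -storepass "$PASS" "$1" | grep -q "jar verified"
}

demo() {
    make_root_ca
    issue_dev_cert dev1 "Developer One"
    chain_length_is_two dev1      || { echo "chain not built" >&2; exit 1; }
    dev_keystore_lacks_root       || { echo "root entry still present" >&2; exit 1; }
    sign_jar dev1
    verify_jar "$WORK/hello.jar"  || { echo "verification failed" >&2; exit 1; }
    echo "dev1 jar verifies against the root CA; keystores in $WORK"
}

if command -v keytool >/dev/null 2>&1 && command -v jar >/dev/null 2>&1 \
   && command -v jarsigner >/dev/null 2>&1; then
    demo
else
    echo "JDK tools (keytool, jar, jarsigner) not found; nothing run" >&2
fi
```

Run it once per developer by calling issue_dev_cert with a fresh alias and keystore path; the root keystore is only ever opened for the -gencert step, which is the part that would be replaced by the real Thawte-issued key if that certificate allowed issuing subordinate certificates (a normal code-signing certificate does not carry the CA bit, so this chain only works with your own root).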