Signed "Sub-Certificate" in different keystores
Hello,
I have a certificate signed by Thawte to certify jar files. Now I'd like to create some "sub-certificates" from the signed one, each for a different developer.
These new certificates should allow the developer to certify their code.
Is it possible to create these certificates and put them into new keystores without the root certificate, and if it is possible, how?
I already tried to use SignCertificate but it won't allow me to put the new certificate in a different keystore.
Sorry if my English is not perfect but I hope you understand what I mean.
Thanks, Hans
Re: Signed "Sub-Certificate" in different keystores
Ok,
right now I'm only testing with a self-created certificate because I don't have access to the one from Thawte.
Right now I'm creating a new keystore with a "root certificate" which should resemble the Thawte certificate.
Code:
keytool -genkey -v -alias rootCA -keyalg RSA -keystore kstore
Then I create another certificate, CA
Code:
keytool -genkey -v -alias CA -keyalg RSA -keystore kstore
and call SignCertificate
Code:
java SignCertificate kstore rootCA CA CAsigned
thus creating the certificate CAsigned.
I export CAsigned to CAsigned.crt and import it back as CA
Code:
keytool -export -alias CAsigned -keystore kstore -file CAsigned.crt
keytool -import -alias CA -keystore kstore -file CAsigned.crt
Now I use importkeystore
Code:
keytool -importkeystore -srckeystore kstore -destkeystore kstore2 -srcalias ca
With this new keystore and the certificate in it I am able to sign jars and then verify them with rootCA.
1. Is this correct or is there an error I don't see?
2. Would this work with the Thawte certificate?
3. The whole process seems very cumbersome, is there a faster/easier/better way to do this?
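
The same root-to-developer chain can be built with keytool's own `-certreq` and `-gencert` commands (JDK 7 and later), so the root's private key never enters the developer keystore. This is an added example, not part of the original posts; the aliases, DNs, file names and password are constructed, and a self-created test root stands in for the commercial certificate.

```sh
#!/bin/sh
# Added example: aliases, DNs, file names and the password are constructed.
set -eu
PASS=changeit   # demo password only

kt() { keytool -J-Duser.language=en "$@"; }   # force English output for parsing

# Build <dir>/root.ks (CA key stays here) and <dir>/dev1.ks (handed to the developer).
make_dev_keystore() {
  d=$1
  # 1. Test root. BasicConstraints ca:true marks it as allowed to issue certificates.
  kt -genkeypair -alias rootCA -keyalg RSA -keysize 2048 -validity 365 \
     -dname "CN=Test Root CA" -ext bc:c=ca:true -ext ku=keyCertSign \
     -keystore "$d/root.ks" -storepass "$PASS" -keypass "$PASS"
  # 2. Developer key pair, created directly in the developer's own keystore.
  kt -genkeypair -alias dev1 -keyalg RSA -keysize 2048 -validity 365 \
     -dname "CN=Developer 1" \
     -keystore "$d/dev1.ks" -storepass "$PASS" -keypass "$PASS"
  # 3. Only the CSR (public key + subject) travels to the CA side.
  kt -certreq -alias dev1 -file "$d/dev1.csr" \
     -keystore "$d/dev1.ks" -storepass "$PASS"
  # 4. Root signs the request as a code-signing end-entity certificate.
  kt -gencert -alias rootCA -infile "$d/dev1.csr" -outfile "$d/dev1.crt" -rfc \
     -validity 180 -ext ku=digitalSignature -ext eku=codeSigning \
     -keystore "$d/root.ks" -storepass "$PASS"
  # 5. Export the root's public certificate only.
  kt -exportcert -alias rootCA -rfc -file "$d/root.crt" \
     -keystore "$d/root.ks" -storepass "$PASS"
  # 6. Developer keystore: trust the root, then install the signed reply.
  kt -importcert -noprompt -alias rootCA -file "$d/root.crt" \
     -keystore "$d/dev1.ks" -storepass "$PASS"
  kt -importcert -noprompt -alias dev1 -file "$d/dev1.crt" \
     -keystore "$d/dev1.ks" -storepass "$PASS"
}

# Number of certificates in dev1's chain (2 = developer cert + root).
chain_length() {
  kt -list -v -alias dev1 -keystore "$1/dev1.ks" -storepass "$PASS" |
    sed -n 's/^Certificate chain length: //p'
}

# Entry type of rootCA inside the developer keystore.
root_entry_type() {
  kt -list -alias rootCA -keystore "$1/dev1.ks" -storepass "$PASS" |
    grep -oE 'trustedCertEntry|PrivateKeyEntry'
}

# Run stand-alone: sh demo.sh /path/to/empty/dir
if [ $# -gt 0 ]; then
  make_dev_keystore "$1"
  echo "chain length: $(chain_length "$1"), rootCA entry: $(root_entry_type "$1")"
fi
```

The resulting `dev1.ks` can be passed to `jarsigner -keystore` with alias `dev1`; a verifier only needs `root.crt` in its truststore.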