  1. #1

    Signed "Sub-Certificate" in different keystores

    Hello,

    I have a certificate signed by Thawte to certify jar files. Now I'd like to create some "sub-certificates" from the signed one, each for a different developer.
    These new certificates should allow the developer to certify their code.

    Is it possible to create these certificates and put them into new keystores without the root certificate, and if it is possible, how?

    I already tried to use SignCertificate but it won't allow me to put the new certificate in a different keystore.

    Sorry if my English is not perfect, but I hope you understand what I mean.

    Thanks, Hans

  2. #2

    Re: Signed "Sub-Certificate" in different keystores

    Ok,

    right now I'm only testing with a self-created certificate because I don't have access to the one from Thawte.

    Right now I'm creating a new keystore with a "root certificate" which should resemble the Thawte certificate.

    Code:
    keytool -genkey -v -alias rootCA -keyalg RSA -keystore kstore

    Then I create another certificate, CA,

    Code:
    keytool -genkey -v -alias CA -keyalg RSA -keystore kstore

    and call SignCertificate

    Code:
    java SignCertificate kstore rootCA CA CAsigned

    thus creating the certificate CAsigned.
    I export CAsigned to CAsigned.crt and import it back as CA.

    Code:
    keytool -export -alias CAsigned -keystore kstore -file CAsigned.crt
    keytool -import -alias CA -keystore kstore -file CAsigned.crt

    Now I use importkeystore.

    Code:
    keytool -importkeystore -srckeystore kstore -destkeystore kstore2 -srcalias ca

    With this new keystore and the certificate in it I am able to sign jars and then verify them with rootCA.



    1. Is this correct or is there an error I don't see?
    2. Would this work with the thawte certificate?
    3. The whole process seems very cumbersome, is there a faster/easier/better way to do this?
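
The request-and-sign flow asked about in this thread can be done with keytool's own `-certreq` and `-gencert` commands, with each developer's key generated in its own keystore. The script below is an added example, not code from either post; the keystore file names, DNs and password are constructed, and it assumes a test CA whose certificate carries the CA basic constraint (`-ext bc:c`).

```shell
#!/bin/sh
# Added example: issue a per-developer code-signing certificate from a test CA.
# Keystore names, DNs and the password are constructed placeholders.
PASS=changeit

# issue_dev_cert DIR: builds DIR/ca.jks (CA key) and DIR/dev.jks (developer key).
issue_dev_cert() {
    dir=$1
    # 1. Test CA; bc:c marks its certificate as a CA (critical BasicConstraints).
    keytool -genkeypair -alias rootCA -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Test Root CA" -ext bc:c \
        -keystore "$dir/ca.jks" -storepass "$PASS" -keypass "$PASS" || return 1
    # 2. Developer key pair, generated directly in the developer's own keystore.
    keytool -genkeypair -alias dev -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Developer One" \
        -keystore "$dir/dev.jks" -storepass "$PASS" -keypass "$PASS" || return 1
    # 3. Only the signing request leaves the developer keystore.
    keytool -certreq -alias dev -file "$dir/dev.csr" \
        -keystore "$dir/dev.jks" -storepass "$PASS" -keypass "$PASS" || return 1
    # 4. The CA signs it as a code-signing end-entity certificate.
    keytool -gencert -alias rootCA -infile "$dir/dev.csr" -outfile "$dir/dev.crt" \
        -ext ku:c=digitalSignature -ext eku=codeSigning -validity 180 -rfc \
        -keystore "$dir/ca.jks" -storepass "$PASS" -keypass "$PASS" || return 1
    # 5. Export the CA's public certificate only (no private key).
    keytool -exportcert -alias rootCA -rfc -file "$dir/root.crt" \
        -keystore "$dir/ca.jks" -storepass "$PASS" || return 1
    # 6. Developer keystore: trust the root, then install the signed reply.
    keytool -importcert -noprompt -alias rootCA -file "$dir/root.crt" \
        -keystore "$dir/dev.jks" -storepass "$PASS" || return 1
    keytool -importcert -alias dev -file "$dir/dev.crt" \
        -keystore "$dir/dev.jks" -storepass "$PASS" -keypass "$PASS" || return 1
}

# chain_length KEYSTORE ALIAS: prints the chain length keytool reports for a
# private-key entry (prints nothing for a trusted-certificate entry).
chain_length() {
    keytool -J-Duser.language=en -list -v -alias "$2" \
        -keystore "$1" -storepass "$PASS" |
        sed -n 's/^Certificate chain length: //p'
}
```

After `issue_dev_cert` runs, `dev.jks` holds the developer's private key with a two-certificate chain plus the public certificate of `rootCA`; the CA private key stays in `ca.jks`.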
