000022512 - How to create a PKCS #12 that has default attributes set consistent with RSA BSAFE Cert-J's expectation

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2


Article Number: 000022512
Applies To: RSA BSAFE Cert-J 2.0.1
Issue: How to create a PKCS #12 that has default attributes set consistent with RSA BSAFE Cert-J's expectation
When a PKCS #12 message created by Cert-J is imported into another application, the private key is not found or loaded into the key database.
The message was created with the following PKCS12 constructor:
              PKCS12(CertJ certJ,
                     Certificate[] certs,
                     CRL[] crls,
                     com.rsa.jsafe.JSAFE_PrivateKey[] keys,
                     X501Attributes[] certAttrs,
                     X501Attributes[] crlAttrs,
                     X501Attributes[] keyAttrs)
and the caller passes null for both certAttrs and keyAttrs.
Cause: Each certificate and each private key is written to the PKCS #12 message in its own bag, and the only thing that ties a key bag to a certificate bag is their bag attributes, in particular a matching localKeyId. When the attribute arrays are null, Cert-J writes the bags without these attributes, so the certificate and the private key are not "linked". A reader of the PKCS #12 message that looks for the private key belonging to a given certificate then has nothing to match on and cannot obtain the key, even though the key material is present in the message.
Resolution: A bug fix is available that sets the localKeyId and friendlyName attributes when the attribute arrays passed in are null. The patch for Cert-J 2.0.1 can be obtained through SecureCare Online or through developer support.

To obtain the patch from SecureCare Online you can go to the following link: https://knowledge.rsasecurity.com/docs/utilities/pkcs12fix.zip

Another work-around is to pass populated certAttrs and keyAttrs arrays and set the localKeyId attribute on both the certificate and the private key yourself. The localKeyId value must be identical on the certificate and its private key: a reader pairs the two by comparing this value, so a mismatch is as bad as no attribute at all. Setting friendlyName on both entries as well matches what the patched constructor does and lets tools that select entries by name find them.
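The linking rule described in the cause and the work-around above, as an added example that is not Cert-J code and does not use its X501Attributes or PKCS12 classes: every certificate and key goes into its own SafeBag, and a reader pairs a certificate with a key by comparing the localKeyId bag attribute. The OIDs and the Attribute/SET structure come from PKCS #9 and PKCS #12; the hand-written DER helpers, the placeholder certificate and key bytes, the dictionary model of a bag and the SHA-1-of-certificate key id (a common convention, any unique value works) are assumptions made for this example.

```python
"""How a PKCS #12 reader links a certificate to its private key.

Added example, not Cert-J code.  The two PKCS #9 bag attributes a SafeBag
carries, friendlyName and localKeyId, are DER-encoded by hand so that the
matching rule a reader applies is visible.
"""
import hashlib

OID_FRIENDLY_NAME = "1.2.840.113549.1.9.20"  # pkcs-9 friendlyName (BMPString)
OID_LOCAL_KEY_ID = "1.2.840.113549.1.9.21"   # pkcs-9 localKeyId (OCTET STRING)
TAG_OCTET_STRING, TAG_OID, TAG_BMPSTRING, TAG_SEQUENCE, TAG_SET = 0x04, 0x06, 0x1E, 0x30, 0x31


def der_tlv(tag, body):
    """Wrap body in a DER tag/length/value triple (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def der_read(buf, pos):
    """Read one TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:                      # long form: first & 0x7F length octets follow
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs, high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der_tlv(TAG_OID, bytes(out))


def encode_bag_attributes(local_key_id=None, friendly_name=None):
    """SafeBag.bagAttributes: SET OF Attribute {type OID, values SET OF ANY}.
    Returns None when neither attribute is given, i.e. the field is omitted,
    which is what passing null attribute arrays amounts to."""
    attrs = []
    if friendly_name is not None:
        attrs.append((OID_FRIENDLY_NAME, der_tlv(TAG_BMPSTRING, friendly_name.encode("utf-16-be"))))
    if local_key_id is not None:
        attrs.append((OID_LOCAL_KEY_ID, der_tlv(TAG_OCTET_STRING, local_key_id)))
    if not attrs:
        return None
    encoded = [der_tlv(TAG_SEQUENCE, encode_oid(oid) + der_tlv(TAG_SET, val)) for oid, val in attrs]
    return der_tlv(TAG_SET, b"".join(sorted(encoded)))  # DER orders SET OF elements by encoding


def decode_bag_attributes(der):
    """Parse bagAttributes into {OID TLV: [raw value bytes, ...]}; {} if absent."""
    found, pos = {}, 0
    attrs = der_read(der, 0)[1] if der else b""
    while pos < len(attrs):
        _, attr, pos = der_read(attrs, pos)          # one Attribute SEQUENCE
        _, oid, after_oid = der_read(attr, 0)        # type
        _, values, _ = der_read(attr, after_oid)     # values SET
        vals, q = [], 0
        while q < len(values):
            _, v, q = der_read(values, q)
            vals.append(v)
        found[der_tlv(TAG_OID, oid)] = vals
    return found


def local_key_id_for(cert_der):
    """Any unique value works; SHA-1 of the certificate DER is a common convention."""
    return hashlib.sha1(cert_der).digest()


def make_bag(kind, value, local_key_id=None, friendly_name=None):
    """Model of a SafeBag: bag type, content and encoded bagAttributes (or None)."""
    return {"type": kind, "value": value, "attrs": encode_bag_attributes(local_key_id, friendly_name)}


def find_private_key(cert_bag, key_bags):
    """What a reader does: the key bag whose localKeyId equals the certificate's,
    or None when either side lacks the attribute or the values differ."""
    wanted = decode_bag_attributes(cert_bag["attrs"]).get(encode_oid(OID_LOCAL_KEY_ID))
    if not wanted:
        return None
    for bag in key_bags:
        if decode_bag_attributes(bag["attrs"]).get(encode_oid(OID_LOCAL_KEY_ID)) == wanted:
            return bag
    return None


def demo():
    """Constructed placeholder bytes stand in for certificate and key DER."""
    cert_der, key_der, other_key = b"cert-DER", b"key-DER", b"unrelated-key-DER"
    # Bags written with null attributes: nothing to match on, key is "not found".
    unlinked = find_private_key(make_bag("cert", cert_der), [make_bag("key", key_der)])
    # The work-around: identical localKeyId on the certificate and its key.
    kid = local_key_id_for(cert_der)
    linked = find_private_key(
        make_bag("cert", cert_der, kid, "server"),
        [make_bag("key", other_key, local_key_id_for(other_key)),
         make_bag("key", key_der, kid, "server")])
    return unlinked, linked
```

Calling `demo()` returns `(None, <the key bag for cert-DER>)`: the first lookup fails for the same reason as the Cert-J message built with null attribute arrays, the second succeeds because both bags carry the same localKeyId and the unrelated key bag is skipped. Matching is done on the raw attribute value, so the id only has to be consistent between the two bags, not meaningful to the reader.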


An alternative solution is to use one of the other PKCS12 constructors, which set the localKeyId and friendlyName attributes for you. If the private keys, CRLs and certificates are placed in a CertPathCtx, the following constructor can be used:
                        PKCS12(CertJ certJ,
                               Certificate cert,
                               CertPathCtx pathCtx);
See the Cert-J javadoc for more information.
Legacy Article ID: a6684
