I was able to import both certs fine after I installed our
RSA provider:
---------------------------------------------------------------------
CMD: keytool -import -file ~/cacert.b64 -alias cacert
Enter keystore password: qazqaz
Owner: EmailAddress=support@corp.inprise.com, CN=Inprise Corporation Demo CA,
OU=Engineering, O=Inprise Corporation, L=San Mateo, ST=California, C=US
Issuer: EmailAddress=support@corp.inprise.com, CN=Inprise Corporation Demo CA,
OU=Engineering, O=Inprise Corporation, L=San Mateo, ST=California, C=US
Serial number: 0
Valid from: Fri May 01 16:30:26 PDT 1998 until: Mon Apr 28 16:30:26 PDT 2008
Certificate fingerprints:
MD5: D7:CD:90:B9:54:49:EB:4D:AD:9E:0E:A4:A1:0C:BD:FE
SHA1: 4A:53:D1:D9:37:73:85:E7:CC:FD:ED:86:4C:1F:8B:5E:66:1B:7B:85
Trust this certificate? [no]: yes
Certificate was added to keystore
---------------------------------------------------------------------
CMD: keytool -import -file ~/testcert.b64 -alias testcert
Enter keystore password: qazqaz
Owner: CN=Becky, OU=Engineering, O=Borland International, L=San Mateo,
ST=California, C=US
Issuer: EmailAddress=support@corp.inprise.com, CN=Inprise Corporation Demo CA,
OU=Engineering, O=Inprise Corporation, L=San Mateo, ST=California, C=US
Serial number: 1
Valid from: Fri May 01 17:36:09 PDT 1998 until: Tue Nov 02 16:36:09 PST 1999
Certificate fingerprints:
MD5: 33:8D:FF:B1:0B:8D:25:23:ED:20:88:3E:AB:46:D3:4C
SHA1: 83:82:78:1B:9C:46:7E:38:C2:7D:E5:10:2E:B0:2F:53:AE:7D:15:71
Trust this certificate? [no]: yes
Certificate was added to keystore
---------------------------------------------------------------------
The difference between the 2 certs is that one is self-signed (cacert),
whereas the other one is not.

When you import the self-signed cert, keytool attempts to verify
its signature (using the public key contained in the cert). This is
a sanity check.

For this to succeed, you need to install a provider that supports
MD5WithRSAEncryption (the algorithm under which the certificate
is signed). (Note that the default SUN provider does not
supply this algorithm.)

After a successful verification, keytool displays the 2 fingerprints
of the cert and asks you if you want to import it.

When you import the cert that is not self-signed, keytool
only displays the 2 fingerprints of the cert and asks you
if you want to import it. In this case, there is no signature
verification involved.

Jan

> Date: Tue, 10 Nov 1998 14:24:53 +0100
> From: Sabine Pham <spham@atos-group.com>
> MIME-Version: 1.0
> To: "java-security@java.Sun.COM" <java-security@java.Sun.COM>
> Subject: [Fwd: keytool question]
>
> Ooops, it seems the second certificate hasn't been sent! Try it again.
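
The import-time behaviour described in the reply above, reproduced with the standard java.security.cert API as an added example (not part of the original message and not keytool's own code). The class name ImportCheck is hypothetical, the certificate file is passed as the first argument, and the SHA-256 fingerprint is an assumption of this example; the session above prints MD5 and SHA1.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example; ImportCheck is a hypothetical name.
public class ImportCheck {

    // Colon-separated hex digest of the DER-encoded certificate.
    static String fingerprint(String algorithm, byte[] der) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance(algorithm).digest(der)) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ImportCheck <certificate file (DER or base64)>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Self-signed candidate: Owner and Issuer are the same name.
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            try {
                // Sanity check: verify the signature with the key inside the cert itself.
                cert.verify(cert.getPublicKey());
                System.out.println("Self-signed, signature verifies: " + cert.getSigAlgName());
            } catch (NoSuchAlgorithmException e) {
                // The case from the thread: no installed provider supplies the algorithm.
                System.out.println("No provider supports " + cert.getSigAlgName());
                System.exit(1);
            } catch (GeneralSecurityException e) {
                System.out.println("Self-signature does not verify: " + e.getMessage());
                System.exit(1);
            }
        } else {
            // Not self-signed: no signature check at this point, only fingerprints.
            System.out.println("Issued by: " + cert.getIssuerX500Principal().getName());
        }
        System.out.println("SHA-256: " + fingerprint("SHA-256", cert.getEncoded()));
    }
}
```

A passing self-signature check only shows the certificate is internally consistent; the fingerprint still has to be compared against a value obtained from the issuer through a separate channel before answering yes to the trust prompt.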