[gnutls-help] Creating PKCS12 trust with certtool

MK mk at cognitivedissonance.ca
Wed Jun 9 16:35:13 CEST 2021


I've been using java's keytool to create private PKIX ecosystems starting with the CA certificate,
which is then used to sign server and client certificates.  In order for this to work, to validate a
server a client needs a trust file containing the CA certificate.

Currently I'm working on interconnectivity between a C++ application using GnuTLS and
a java application using standard java ssl features.  Mostly because of the latter, the
easiest thing to do is use PKCS12 files.  I generate the certificates in pem format first.

I was curious about using certtool to do the same things as I use keytool for (creating the
public key infrastructure).  I'm stuck on the trust file.  Using keytool, this goes:

 keytool -importcert -file  CAcertificate.pem
                -keystore trust.p12 -storetype PKCS12 
                -alias ca_cert -storepass:file pword.txt

This creates "trust.p12" which works as a trust with both applications.  I can get to here using certtool
-- create the pem certs and keys, then the individual pkcs credential files.  
To then create the trust, what I think should be the near equivalent of the above:

certtool --to-p12 --load[-ca]-certificate CAcertificate.pem --outder --outfile trust.p12

(The password is then entered manually.) The outcome seems the same whether 
I use '-ca' in the '--load-' parameter or not.

Examining the file with certtool:

certtool --p12-info --infile=trust.p12  --inder

It looks pretty much the same as the keytool created equivalent, one certificate
in BAG #0.  However, examining it with keytool, for the version created with certtool,
I get:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries

Trying to use the trust with the java client then fails:

Initialization failed: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Searching online, most people who get this error get it because the file doesn't exist (wrong path).

Is there a better way to create a PKCS12 trust with certtool?

Mark Eriksen
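
The pipeline described in the post, reproduced end to end as an added example (this is not code from the post or from GnuTLS): it creates a CA key and self-signed CA certificate with certtool, builds the trust store with `certtool --to-p12` exactly as above but non-interactively, builds the same store with `keytool -importcert` when a JDK is available, and then reads both back with certtool, keytool and openssl. The file names, the template contents, the alias `ca_cert` and the password `changeit` are assumptions of this script. The useful check is the last one: `openssl pkcs12 -info` prints the PKCS#12 bag attributes, and the store keytool writes carries an Oracle-specific "Trusted key usage" attribute (OID 2.16.840.1.113894.746875.1.1) on the certificate bag that Java's PKCS12 keystore uses to decide whether a certificate-only bag counts as a trusted entry; a bag without it lists as "0 entries", which matches the symptom in the post, so diffing the attribute lines of the two stores shows whether that is what differs.

```shell
#!/bin/sh
# Added example, not code from the original post: run the poster's certtool
# pipeline in a scratch directory and compare the result with a keytool-built
# store. File names, the alias "ca_cert" and the password are assumptions.
set -eu

PASS="changeit"   # assumed; the post reads the password from pword.txt

# 1. CA key + self-signed CA certificate with certtool, driven by a template
#    so that certtool does not prompt.
make_ca() {
    dir="$1"
    printf '%s\n' 'cn = "Example Test CA"' 'ca' 'cert_signing_key' \
                  'expiration_days = 365' > "$dir/ca.tmpl"
    certtool --generate-privkey --outfile "$dir/ca-key.pem" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
             --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem" 2>/dev/null
}

# 2. The trust store as the post builds it, with the bag name and password
#    given on the command line instead of interactively.
make_trust_certtool() {
    dir="$1"
    certtool --to-p12 --load-certificate "$dir/ca-cert.pem" \
             --p12-name ca_cert --password "$PASS" \
             --outder --outfile "$dir/trust-certtool.p12" 2>/dev/null
}

# 3. The same content built with keytool, for comparison (JDK required).
make_trust_keytool() {
    dir="$1"
    keytool -importcert -noprompt -file "$dir/ca-cert.pem" \
            -keystore "$dir/trust-keytool.p12" -storetype PKCS12 \
            -alias ca_cert -storepass "$PASS" >/dev/null 2>&1
}

# Certificate bags certtool sees in a store (the post's --p12-info check).
count_certs_certtool() {
    certtool --p12-info --inder --infile "$1" --password "$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Entries keytool sees ("Your keystore contains N entries").
count_entries_keytool() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Your keystore contains \([0-9]*\) entr.*/\1/p'
}

# Bag attributes as OpenSSL prints them (PEM bodies stripped). The attribute
# lines are what to diff between the two stores.
show_bag_attributes() {
    openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -v -e '^-----' -e '^[A-Za-z0-9+/=]*$' || true
}

# Prints "ok" when certtool built a store that certtool reads back with exactly
# one certificate, "skipped" when certtool is not installed. Everything else
# goes to stderr so the result is easy to check from a script.
run_pipeline() {
    dir="$1"
    command -v certtool >/dev/null 2>&1 || { echo skipped; return 0; }
    make_ca "$dir"
    make_trust_certtool "$dir"
    n=$(count_certs_certtool "$dir/trust-certtool.p12")
    if command -v keytool >/dev/null 2>&1; then
        make_trust_keytool "$dir"
        echo "keytool: $(count_entries_keytool "$dir/trust-certtool.p12") entries in certtool store" >&2
        echo "keytool: $(count_entries_keytool "$dir/trust-keytool.p12") entries in keytool store" >&2
    fi
    if command -v openssl >/dev/null 2>&1; then
        echo "--- certtool store bag attributes" >&2
        show_bag_attributes "$dir/trust-certtool.p12" >&2
        if [ -f "$dir/trust-keytool.p12" ]; then
            echo "--- keytool store bag attributes" >&2
            show_bag_attributes "$dir/trust-keytool.p12" >&2
        fi
    fi
    [ "$n" = 1 ] && echo ok || echo "unexpected certificate count: $n"
}

run_pipeline "${1:-$(mktemp -d)}"
```

Run it as `sh build-trust.sh /some/empty/dir` (the directory argument is optional); the `ok`/`skipped` line is the only thing on stdout, and the keytool entry counts and the two attribute listings go to stderr so they can be read side by side.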
