
February 01, 2004

Accessing Windows Certificates from Java

MS-Windows stores certificates and private keys in a registry-based certificate store, which is accessed by applications such as IE, Outlook Express, MS-Outlook and so on. MS CryptoAPI lets any Windows application access these certificates.

Java programs, on the other hand, must maintain their own certificate stores in separate files: one for trusted CAs and one for personal certificates.

Wouldn't it be nice if Java programs running on Windows could access the default certificate store, save the poor user from the trouble of maintaining multiple stores, and allow him/her to work with the much nicer Windows CertMgr Wizards rather than the crappy keytool?

Well, this is now possible, at least in theory, through the Assembla JCE Provider, a JCE provider that exposes a number of MS CryptoAPI capabilities. The provider itself is a thin wrapper over the MS CryptoAPI.

I played with it a little bit. Comes with a good Windows-based installer. However, I had to manually copy the jar file into J2SDK_HOME\jre\lib\ext and modify the java.security file. Nice to see that the provider jar class is signed by JCE Code Signing CA.

Once installed, using this from my very own JSTK was straightforward.

But before you rush to download, install and use the Assembla JCE provider, let me warn you that:


  • Although Assembla is free to use, it is not open source.

  • The MS CryptoAPI doesn't lend itself very well to the JCE API and it shows. Read the Assembla Javadocs for more details.

  • It is not possible to extract the private key from a key entry.

  • JSSE cannot use (at least in the version 1.21 that I played with) the KeyStore created by this provider.
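
To confirm that a provider added to java.security is actually loaded, and to see which key entries hand back a non-extractable private key as noted in the list above, a check like the following can be run. It is an added example, not code from the original post or from Assembla: the keystore type and provider name are taken as arguments because the post does not give them, opening the store with `load(null, null)` is an assumption about how an OS-backed store is opened, and the code assumes Java 5 or later.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

public class ProviderCheck {
    public static void main(String[] args) throws Exception {
        // 1. Providers the JRE registered from java.security, in preference
        //    order, with the KeyStore types each one contributes.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " - " + p.getInfo());
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    System.out.println("    KeyStore type: " + s.getAlgorithm());
                }
            }
        }
        if (args.length < 2) {
            System.out.println("usage: java ProviderCheck <keystore-type> <provider-name>");
            return;
        }

        // 2. Request the store from the named provider only, so a different
        //    provider offering the same type cannot be picked up silently.
        KeyStore ks = KeyStore.getInstance(args[0], args[1]);
        ks.load(null, null); // assumption: no stream or password for an OS-backed store

        // 3. Classify each entry. Key.getEncoded() returns null when the key
        //    does not support encoding, i.e. the provider keeps the key material.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate");
                continue;
            }
            String status;
            try {
                Key key = ks.getKey(alias, null);
                status = (key == null || key.getEncoded() == null)
                        ? "private key not extractable (opaque handle)"
                        : "private key bytes available as " + key.getFormat();
            } catch (GeneralSecurityException e) {
                status = "private key not retrievable: " + e.getMessage();
            }
            System.out.println(alias + ": " + status);
        }
    }
}
```

Run without arguments, it only lists the registered providers and their KeyStore types, which is enough to tell whether the java.security edit took effect.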

Posted by pankaj at February 1, 2004 11:29 PM
Disclaimer: Views expressed here are my own and do not represent those of my employer.
© 2001-2005 Pankaj kumar. All Rights Reserved.