Recently some of the partners we use have started to deploy certificates with key lengths of 2048bits. The 2048 bit length has become the standard accepted minimum key length for secure communication.
We have been using 2048bit key length for a couple for a few years now on our web sites, so we are not unused to them, however with the partners now using them it meant we had to trust these certificates. Now here comes the issue…. Our systems use ColdFusion and as such run on Java. Due to a US export policy which limited the key length US companies could provide outside the US. As such by default all versions of java up to 1.7, have this limitation and you would not be able to apply the certificate with a key length of 2048bit.
The way round this is to download the
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
These files overwrite the existing policy files, and are available for download from Oracle, from what I can see there are policy files for
Java SE 7, Java SE 6, Java SE 5, Java 1.4.2, Java 1.2.2
To install these policy files is very easy, down load the correct version and extract. You then need to grab 2 files
- local_policy.jar
- US_export_policy.jar
Now in the java environment you want to amend locate the following folder
i.e. (default for Java SE6)
c:\Program Files\Java\jre6\lib\security
In here you should find files of the same name, create copies of these files. Now overwrite the original files with the files extracted from the downloaded JCE Policy zip file.
Now you will have to restart the Java instance.
OK, so now you should be able to install the 2048bit Key Length certificate in to the keystore (cacerts).
Below is a couple of commands for how to list existing certificates in a keystore and then how to install a certificate.
The cacerts keystore is usually found somewhere like this. (but it will be wherever the java instance is installed)
c:\Program Files\Java\jre6\lib\security
List out certificates in keystore, and dump into a text file.
<Java home>\bin>keytool.exe -list -v -storepass changeit -noprompt -keystore <Java home>\lib\security\cacerts>c:\certificate.txt
Install Certificate CertificateFileName.crt into keystore
note: -storepass changeit, is the default password for the keystore which can be changed.
<Java home>\bin>keytool.exe -import -keystore <Java home>\lib\security\cacerts -alias anyNameYouWantToReferenceYourCertificateInKeyStore -storepass changeit –noprompt –trustcacerts -file C:\temp\CertificateFileName.crt

No comments:
Post a Comment