The CreateCert executable outputs malformed X.509 certificates that are unsupported by Java. The program previously output X.509v3 files with proper X.509v3 extensions, but an update has introduced a bug causing the application to output X.509v1 certificates with X.509v3 extensions in violation of the X.509 specification. This causes java’s strict parser to fail when interacting with these certificates with the error text “java.security.cert.CertificateParsingException: no more data allowed for version 1 certificate.” This is true for both Java’s use of the KeyTool, and when interacting with the server over TLS with Java as a client.

asked 09 Feb '15, 16:54

J%20Diaz's gravatar image

J Diaz
accept rate: 14%

Sorry for the delay in responding. This is a bug in createcert that was created with the conversion to openssl (away from Certicom). We are working on a fix.

In the meantime, please use openssl directly to generate certificates:

# generate the private key
$ openssl genrsa -des3 -out server.key 1024

# generate a signing request
$ openssl req -new -key server.key -out server.csr

# generate a certificate and sign it with the previous signing request
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# inspect the certificate
$ openssl x509 -text -in server.crt 
        Version: 1 (0x0)
        Serial Number: 10385265624665396460 (0x901fe00fe84194ec)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CA, ST=Ontario, L=Waterloo, O=SAP, OU=SAP Canada, CN=sap.com/emailAddress=me@sap.com
            Not Before: Mar 24 16:00:31 2015 GMT
            Not After : Mar 23 16:00:31 2016 GMT

If you want to use this in a SQL Anywhere server you have to create an identity file:

# create the identity file
$ cat server.crt server.key >server.pem

Now, if you want to import into a Java keystore:

# convert to PKCS12
$ openssl pkcs12 -export -in server.crt -inkey server.key -name "sap.com" -out server.p12

# import into Java keystore
$ keytool -importkeystore -deststorepass <store_password> -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12
permanent link

answered 24 Mar '15, 12:47

Phil%20Mitchell's gravatar image

Phil Mitchell
accept rate: 27%

edited 24 Mar '15, 14:37


createcert has been fixed in and

(24 Mar '15, 14:36) Phil Mitchell

In the meantime you can create self-signed certificates using Java's keytool. For example:

] keytool -genkeypair -keyalg RSA -keysize 2048 -keypass sample -validity 1825 -keystore mystore.jks -storepass STORE_PASSWORD_HERE -v -alias localhost
What is your first and last name?
What is the name of your organizational unit?
  [Unknown]:  SAPCanada
What is the name of your organization?
  [Unknown]:  SAP
What is the name of your City or Locality?
  [Unknown]:  Waterloo
What is the name of your State or Province?
  [Unknown]:  ON
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=Unknown, OU=SAPCanada, O=SAP, L=Waterloo, ST=ON, C=CA correct?
  [no]:  y

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 1,825 days
        for: CN=Unknown, OU=SAPCanada, O=SAP, L=Waterloo, ST=ON, C=CA
[Storing mystore.jks]

You can also generate chained certificates.

permanent link

answered 24 Mar '15, 12:03

PhilippeBertrand%20_SAP_'s gravatar image

accept rate: 22%

edited 24 Mar '15, 13:23

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 09 Feb '15, 16:54

question was seen: 970 times

last updated: 24 Mar '15, 14:37