IPAWS and Certificates

FEMA now issues their COG certificates in .JKS format. In order to use the IPAWS Proxy Lib found on this site, your FEMA certificate needs to be converted to a format that Microsoft can import. It can be converted with the following steps (thanks to user plupiani):

Please note in the steps below - Replace the XXXXXX with the cogid from the cert, and keypassword with the key password,not the key store password.

Using keytool
Set the keystore and key password to the same value:
  • keytool -storepasswd -new keypassword -keystore IPAWSOPEN_XXXXXX.jks

Export to pfx:
  • keytool -importkeystore -srckeystore IPAWSOPENXXXXXX.jks -destkeystore IPAWSOPENXXXXXX.pfx -srcstoretype JKS -deststoretype PKCS12 -srcstorepasskeypassword -deststorepass keypassword -srcalias IPAWSOPENXXXXXX -destalias IPAWSOPENXXXXXX

Now verify your IPAWS provide certificate is associated to the Microsoft Enhanced RSA and AES Cryptographic Provider for CAP 1.2 support.

Using OpenSSL

Examine the bag attributes of your certificate.
  • openssl pkcs12 -info -nodes -in IPAWSOPENXXXXXX.pfx
    • Look for a Bag Attribute - Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider

If this doesn't exist, the certificate will need be exported and reimported with the correct Cryptographic Provider support or the certificate CAN NOT be used to sign the IPAWS SOAP message with SHA256.

Enter your certificate password as prompted.
  • openssl pkcs12 -in IPAWSOPENXXXXXX.pfx -out IPAWSOPENXXXXXX.pem –nodes
  • openssl pkcs12 -export -in IPAWSOPENXXXXXX.pem -inkey IPAWSOPENXXXXXX.pem -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out IPAWSOPENXXXXXX.p12
  • openssl pkcs12 -info -nodes -in IPAWSOPENXXXXXX.p12

Last edited Mar 15, 2013 at 6:28 PM by bwilkinsnh, version 4


No comments yet.