I have a .Net SAML implementation that verifies assertions' signatures against a PKCS 7 certificate in a .p7b file.
I have a customer who has a Java based identity provider. They can only provide their certificate in a Java key store .jks file.
I can verify the assertions that their identity provider sends, but I can't check that those assertions were signed by a trusted provider without verifying them against the certificates in the Java key store.
I can find lots online on how to add a .p7b certificate to a .jks file, but nothing on how to reverse the process.
How do I get a .p7b certificate (that .Net and Windows can open) from a supplied .jks file?
Alternatively, I'm loading the .p7b into .Net using the native X509Chain implementation. If I can't convert the .jks, is there any way to load it in .Net in a way that lets me check the assertions' signatures?
It turns out that there is a command line utility in Java that does what I need. In the Java runtime directory (C:\Program Files (x86)\Java\jre7\bin on my machine) there is a utility called keytool (my newlines for readability):
>keytool -importkeystore
-srckeystore clientStore.jks -srcstoretype JKS
-destkeystore outputStore.p12 -deststoretype PKCS12
This produces an output store called outputStore.p12 that I can load in .Net with X509Certificate2Collection.Import().
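Added example, not part of the original post: one way to check an assertion's signature against the certificates in the converted outputStore.p12, using the .Net SignedXml class. The class and method names and the password parameter are hypothetical, and it assumes a SAML 2.0 assertion (an `ID` attribute, with `ds:Signature` as a direct child element).

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class AssertionSignatureCheck   // hypothetical helper, not from the original post
{
    // Load every certificate from the PKCS#12 store that keytool produced.
    public static X509Certificate2Collection LoadTrusted(string p12Path, string password)
    {
        var trusted = new X509Certificate2Collection();
        trusted.Import(p12Path, password, X509KeyStorageFlags.DefaultKeySet);
        return trusted;
    }

    // True only if the assertion's own signature verifies under a certificate from the store.
    // Assumes a SAML 2.0 assertion: "ID" attribute, ds:Signature as a direct child.
    public static bool IsSignedByTrusted(XmlElement assertion, X509Certificate2Collection trusted)
    {
        var ns = new XmlNamespaceManager(assertion.OwnerDocument.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        var signature = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (signature == null) return false;              // unsigned assertion

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(signature);

        // The signature must cover this assertion, not some other element in the document.
        string id = assertion.GetAttribute("ID");
        if (id.Length == 0 || signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + id) return false;

        // Verify against the store's certificates, ignoring any certificate embedded in KeyInfo.
        foreach (X509Certificate2 cert in trusted)
        {
            if (signedXml.CheckSignature(cert, true)) return true;   // true = signature only
        }
        return false;
    }
}
```

Load the response into an XmlDocument with PreserveWhitespace set to true before calling this, otherwise the digest will not match. Verification uses only the public certificates, so the store does not need to contain the identity provider's private key.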