.pem file?

I'm building a web site and I need to use a .pem file for a shopping cart. Does iWeb support .pems? I know nothing about this stuff, but I have made it a long way in just a day. I love iWeb. If there is a different file I can use, please let me know. I need to be able to sell things on my site.
Thanks

A .pem file is used to create secure SSL certificates to encrypt traffic, which is typical in an ecommerce site.
.pem files and SSL are used by the actual web server, not web pages themselves, and are beyond the scope of iWeb.

Similar Messages

  • .key.pem file missing from /etc/certificates

    Hi all
    I purchased an authority certificate from one of the big names.
    It's a wildcard cert for mail.domain, ical.domain etc that I want to setup.
    I've downloaded the cert from the provider and imported it into Keychain via Server Admin. That side all looks great but the cert will not work with any services. They just hang.
    Server log reports that cert.domain.verylongnumber.key.pem is missing from /etc/certificates.
    I had a look and indeed it's not there.
    .cert.pem and .chain.pem and .concat.pem are all present and correct. So where is .key.pem?
    Thing is, I was using a self signed cert before and that does have a .key.pem file in /etc/certificates and that works fine....
    Cheers
    Ryan

    Solved.
    Turns out that the Certificate supplier (Globalsign in my case) don't supply the private key in the right format for OS X Server to understand - which is probably standard practice.
    10.6 Server requires the key in .pem format - mine was supplied as .pkcs12 (.pfx/.p12)
    You need to use openssl in Terminal to convert it to .pem as follows
    openssl pkcs12 -in mykey.pfx -out mykey.pem -nodes
    Then it can be dropped into Certificate Manager in Server Admin

  • How to open a .pem file?

    How can I open a .pem file? I mean, using what application?

    .PEM files are used by OpenSSL.
    You can try something like this:
    - Convert the .PEM file to a PKCS#12 (PFX) file using the openssl tool
    - Import the PKCS#12 file into the keystore.

  • Generating certificates pem file

    Hi,
    I am new to configuring client-side SSL. I understand
    the client (which will actually run inside WLS 8.1) needs to specify programmatically or by a system property a .pem file containing trusted servers' certificates. So if I understand correctly, I might have a couple of certificates, each from a different server I will be communicating with, so how should I "merge" them into one .pem file? Shouldn't there be some command line tool available? Or should they simply be inserted manually into the same file with the
    "-----BEGIN CERTIFICATE-----"
    "-----END CERTIFICATE-----"
    header/footer to separate them?
    Any help would be appreciated,
    Thanks,
    Uri.

    That's also what I thought.
    I am actually using BEA's JRockit but I suppose they have a keytool similar to the one sun provides.
    I know how to import a CA certificate to a truststore,
    The thing is I need to invoke a web service via ssl, and as I was reading through the docs I encountered this section, regarding the configuration of ssl client in WebLogic:
    "To configure basic SSL support for your client application, follow these steps:
    Set the filename of the file containing trusted Certificate Authority (CA) certificates. Do this by either:
    Setting the System property weblogic.webservice.client.ssl.trustedcertfile to the name of the file that contains a collection of PEM-encoded certificates.
    Executing the BaseWLSSLAdapter.setTrustedCertificatesFile(String ca_filename) method in your client application."
    (http://e-docs.bea.com/wls/docs81/webserv/security.html#1053203)
    Maybe I misunderstood the text and PEM is simply the default encoding? That is, the encoding used for any JKS?
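
Concatenated BEGIN/END blocks are the usual form of a multi-certificate PEM file. The following is an added example (not code from the thread or from BEA's documentation) that merges several PEM inputs into one certificate-only bundle, dropping duplicates and any private-key blocks; the sample "certificates" are constructed placeholder bytes and every function name is an assumption.

```python
import base64
import hashlib
import re

# One armored block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def to_pem(label, der):
    """Armor DER bytes as PEM with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def extract_certs(pem_text):
    """Return the DER bytes of every CERTIFICATE block, rejecting damaged input."""
    blocks = PEM_BLOCK.findall(pem_text)
    # A BEGIN line that the pattern could not pair with an END line means a
    # truncated block or a footer glued onto the last base64 line.
    if pem_text.count("-----BEGIN ") != len(blocks):
        raise ValueError("malformed PEM: BEGIN line without a matching END line")
    ders = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            # e.g. the key that `openssl pkcs12 -nodes` writes next to the
            # certificates; a trust file must never carry private keys.
            continue
        # validate=True raises binascii.Error (a ValueError) on stray characters.
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("CERTIFICATE block does not contain a DER SEQUENCE")
        ders.append(der)
    return ders


def merge_trusted_certs(*pem_texts):
    """Build one PEM trust file from several inputs, first occurrence wins."""
    seen, out = set(), []
    for text in pem_texts:
        for der in extract_certs(text):
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint in seen:
                continue  # same certificate supplied twice
            seen.add(fingerprint)
            out.append(to_pem("CERTIFICATE", der))
    return "".join(out)


# Constructed sample input: placeholder bytes behind a SEQUENCE tag, standing in
# for two server certificates and one private key. These are not real X.509 data.
SERVER_A = to_pem("CERTIFICATE", bytes([0x30, 0x50]) + b"A" * 0x50)
SERVER_B = to_pem("CERTIFICATE", bytes([0x30, 0x50]) + b"B" * 0x50)
STRAY_KEY = to_pem("PRIVATE KEY", bytes([0x30, 0x10]) + b"K" * 0x10)

if __name__ == "__main__":
    print(merge_trusted_certs(SERVER_A, STRAY_KEY + SERVER_B, SERVER_A), end="")
```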

  • Problem generating .pem file from certificate

    Hello and happy New Year,
    I am trying to generate a PEM file to upload to my Cisco 4402 Wireless LAN Controller. I have an unchained certificate from Verisign and have followed the instructions at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml using OpenSSL to generate the .PEM.
    I get as far as generating the .p12 file but I can't get the final pem file to upload to the controller.
    Does anyone have any pointers as to what could be going wrong? OpenSSL is not throwing up any errors.
    Thanks in advance,
    Ben

    Fixed!! I was calling the final PEM file something other than final.pem and openssl didn't like it.

  • Decrypting PEM file using Triple DES

    Hi all,
    I am trying to decrypt a Triple DES encrypted RSAPrivateKey stored in PEM format in a file. How do I get the DES key to initialize the Cipher? I am using the following code to get the IV from the file and get the DES key using the pass phrase. But I get the message
    java.lang.SecurityException: Unsupported keysize or algorithm parameters
    Can someone help me?
    Thanks in advance,
    Trilok.
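    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;

    // Gets the IV params from the RSAPrivate key PEM file.
    // Uses the last 16 digits in this line to get the IV.
    // DEK-Info: DES-EDE3-CBC,4A90C209D3A81791
    private IvParameterSpec getIV(String s) { // here s = 4A90C209D3A81791
        byte[] ivBytes = new byte[8];
        for (int j = 0; j < 8; j++) {
            ivBytes[j] = (byte) Integer.parseInt(s.substring(j * 2, j * 2 + 2), 16);
        }
        return new IvParameterSpec(ivBytes);
    }

    // Derives the 24-byte key from the pass phrase and IV with two MD5 rounds.
    private SecretKeySpec getSecretKey(byte[] pwd, byte[] iv)
            throws NoSuchAlgorithmException {
        byte[] keyMat = new byte[24];
        MessageDigest md = MessageDigest.getInstance("MD5");
        // First round: MD5(pwd || iv) gives key bytes 0..15
        md.update(pwd);
        md.update(iv);
        byte[] data = md.digest();
        System.arraycopy(data, 0, keyMat, 0, 16);
        // Second round: MD5(previous digest || pwd || iv) gives key bytes 16..23
        md.update(data);
        md.update(pwd);
        md.update(iv);
        data = md.digest();
        System.arraycopy(data, 0, keyMat, 16, 8);
        // encAlg is a field of the poster's class that is not shown in the post
        return new SecretKeySpec(keyMat, encAlg);
    }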

    Hi trilok,
    Please let me know what JCE provider you are using for decrypting the Key.
    Please make sure that you have made the static or dynamic registration properly.
    For Static registration:
    Please go to JAVA_HOME/jre/lib/security/java.security
    Please edit
    security.provider.1=sun.security.provider.Sun
    For Dynamic Registration
    Security.addProvider(new com.sun.crypto.provider.SunJCE());
    Also, please refer to this URL, which is the third-party provider which supports RSA.
    http://www.bouncycastle.org/latest_releases.html
    I hope this will help you.
    Thanks
    Bakrudeen
    Technical Support Engineer
    Sun MicroSystems Inc, India

  • Multiple Customers having Problems with .pem files -chain certificate

    I have 2 different customers who recently started using weblogic. My Applications are ASP hosted web services and require digital certificates. For added security, our CSO uses a chain certificate. The private cert is signed by an intermediary verisign cert which is signed by the Root CA.

    Embarrassingly, I just found out one Customer completely side-stepped the BEA implementation for .pem files and implemented a non BEA class to work around, based on difficulty they had trying to get the .pem file for the intermediary verisign cert to work. I am stuck in that I don't want to advise the second client to do the same thing, but I can't find great support on what to do and some of the BLOGS are conflicting. From what I understand, this first client struggled on this for 2 weeks and gave up.

    What I am trying to ascertain is whether the private .pem file is supposed to have both the RSA PRIVATE KEY as well as the CERTIFICATE of the intermediate cert inside that one .pem file or not. I can see there needs to be a .pem for the intermediary and a .pem for the private but not sure if any of the data should repeat.

    Also, good samples of how these should look would help. The .pem files my client showed me looked incorrect.

    Please note both these clients are top Investment Banks and I think it's in both Bea's interest and my interest to see this work on Weblogic without coding around the default Weblogic security implementation.

    Hi Patrick,
    If you fixed the issue changing your PowerShell code, would you mind posting the working code here for reference for other people that might experience this problem?
    Thanks in advance.
    Nico Martens - MCTS, MCITP
    SharePoint Infrastructure Consultant / Trainer

  • Store server's X509certificate in to .pem file

    Hi,
    I received the server's X509 certificate during the SSL handshake process. Now what do I need to do to store my X509 certificate in a .PEM file,
    like a USER.pem file?
    Some sample code:
    URL url=new URL(add);
    HttpsURLConnection urlc=(HttpsURLConnection)url.openConnection();
    x509cert=urlc.getServerCertificateChain();
    Now I would like to store x509[0] (the first certificate in the certificate chain)
    in some USER.pem file.
    Thanks

    Go to regional settings and there change the format to whichever you want.
    ex: 09/11/2007 or 9/11/2007 ok

  • OAM Access Server - Cannot load cert chain file aaa_chain.pem

    Hi experts,
    I am in the midst of changing the Transport Layer Security (TLS) of OAM Access Server from Open mode to Cert mode, and encountering the error not able to load aaa_chain.pem.
    Below are the steps which I did:
    1. Change the TLS mode for both Access Server and Webgate from Open >> Cert mode in the Access System console
    2. Stop the Access Server from Services
    3. From the <access server install dir> run ConfigureAAAServer.exe to generate aaa_req.pem and aaa_key.pem.
    4. Copy the certificate request from the aaa_req.pem and submit to Internal CA (Ms CA).
    5. Download the Certificate and Certificate Chain in Base 64 encoding, and rename into *.pem. E.g. certnew.cer >> aaa_cert.pem certnew.p7b >> aaa_chain.pem.
    6. Copy *.pem files in to <access server install dir>/oblix/config
    7. Rerun ConfigureAAAServer.exe to install the cert, all went smoothly without issue.
    8. Start Access Server from Services. <<< Service failed to start.
    NOTE: I did the same thing for Policy Manager, used genCert.exe to generate certificate request, submit the CA to sign and installed.
    Check on the event viewer, the following error was found.
    **===========================================================================**
    Log Name: Application
    Source: ObAAAServer-AccSvr01
    Date: 16/8/2010 1:06:39 AM
    Event ID: 1
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: IDMsvr.SSO.com
    Description:
    The description for Event ID 1 from source ObAAAServer-AccSvr01 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    Access Server Exception: Error: Cannot load cert chain file C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem
    the message resource is present but the message is not found in the string/message table
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="ObAAAServer-AccSvr01" />
    <EventID Qualifiers="49152">1</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-15T17:06:39.000Z" />
    <EventRecordID>1072</EventRecordID>
    <Channel>Application</Channel>
    <Computer>IDMsvr.SSO.com</Computer>
    <Security />
    </System>
    <EventData>
    <Data>Access Server Exception: Error: Cannot load cert chain file C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem</Data>
    </EventData>
    </Event>
    **===========================================================================**
    The ConfigureAAAServer.exe
    C:\Program Files (x86)\NetPoint\access\oblix\tools\configureAAAServer>configureA
    AAServer.exe reconfig "C:\Program Files (x86)\NetPoint\access"
    Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Si
    mple) 3(Cert) : 3
    Do you want to request a certificate (1) or install a certificate (2) ? : 1
    Please enter the Pass phrase for this Access Server :
    Do you want to store the password in the file ? : 1(Y) 2(N) : 1
    Preparing to generate certificate. This may take up to 60 seconds. Please wai
    t.
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .............++++++
    ..++++++
    writing new private key to 'C:\Program Files (x86)\NetPoint\access\oblix\config\
    aaa_key.pem'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [US]:.
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Some-Organization Pty Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, hostName.domainName.com) []:IDMsvr.sso.com
    Email Address []:.
    writing RSA key
    Your certificate request is in file : C:\Program Files (x86)\NetPoint\access/ob
    lix/config/aaa_req.pem
    Please get your certificate request signed by the Certificate Authority.
    On obtaining your certificate, please place your certificate in 'C:\Program Fil
    es (x86)\NetPoint\access/oblix/config/aaa_cert.pem' file and the certificate aut
    hority's certificate for the corresponding component (for example: WebGate, AXML
    Server) in 'C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem'
    file.
    Once you have your certificate placed at the above mentioned location, please f
    ollow the instructions on how to start the Access Server.
    More Information on setting up Access Server in Certificate mode can be obtaine
    d from the Setup Installation Guide.
    Access Server mode has been re-configured successfully.
    Please note that new security mode will take effect only after the security mod
    e for this Access Server is changed to 'cert' from the Access Manager System Con
    sole.
    Do you want to specify or update the failover information ? : 1(Y) 2(N) :2
    Please restart the Access Server from the Control Panel Services once you have
    placed your certificates at the above mentioned location.
    Press enter key to continue ...
    C:\Program Files (x86)\NetPoint\access\oblix\tools\configureAAAServer>configureA
    AAServer.exe reconfig "C:\Program Files (x86)\NetPoint\access"
    Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Si
    mple) 3(Cert) : 3
    Do you want to request a certificate (1) or install a certificate (2) ? : 2
    Please enter the Pass phrase for this Access Server :
    Do you want to store the password in the file ? : 1(Y) 2(N) : 1
    Please provide the full path to the Certificate key file [C:\Program Files (x86)
    \NetPoint\access/oblix/config/aaa_key.pem] : C:\Program Files (x86)\NetPoint\acc
    ess\oblix\config\aaa_key.pem
    Please provide the full path to the Certificate file [C:\Program Files (x86)\Net
    Point\access/oblix/config/aaa_cert.pem] : C:\Program Files (x86)\NetPoint\access
    \oblix\config\aaa_cert.pem
    Please provide the full path to the Certificate authority's certificate chain fi
    le [C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem] : C:\Prog
    ram Files (x86)\NetPoint\access\oblix\config\aaa_chain.pem
    Access Server mode has been re-configured successfully.
    Please note that new security mode will take effect only after the security mod
    e for this Access Server is changed to 'cert' from the Access Manager System Con
    sole.
    Do you want to specify or update the failover information ? : 1(Y) 2(N) :2
    Please restart the Access Server from the Control Panel Services.
    Press enter key to continue ...
    **===========================================================================**
    I followed through the documentation on OAM Identity & Common Admin - Chapter 8 guide.
    Is there anything which I have missed or something to do with the certificate.
    Thanks in advance.
    Regards,
    Wing
    Edited by: user13340813 on Aug 19, 2010 8:56 PM

    No, you didn't do anything wrong, JeanPhilippe. I'm right there with you. There's even another thread on this issue:
    <http://discussions.apple.com/thread.jspa?messageID=10808126>
    I had the same problem: IMAP & POP services would not launch using SSL. Finally got it resolved today. It had nothing to do with certificates and their names, or creating them in openssl, and everything to do with a botched dovecot.conf file, courtesy of Server Admin.
    It appears that every time I changed the certificate for IMAP & POP SSL in Server Admin, it appended the new selection to the dovecot.conf file on 3 separate lines. The result was an unhealthy list of every certificate file Server Admin had ever been pointed to for this service.
    After making a backup, I edited the file (/etc/dovecot/dovecot.conf) down to the single cert file I wanted it to use. It happened to be first in the list, FWIW.
    If you want to duplicate this, look for the lines beginning with:
    "sslcertfile"
    "sslkeyfile"
    "sslcafile"
    Obviously you need to be careful in there. But I did not even have to bounce the service before it took my changes. Thankfully, Server Admin did not overwrite my edits (which I've seen happen with manual config of other services, such as the iChat service.)
    Good luck, and let me know if I can provide more detail.

  • Converting Netscape cert7.db file to PEM format

    Does anyone know of a recommended way to convert a Netscape cert7.db file to PEM format so that clients can connect to the Sun Directory securely over TLS/SSL using, for example, Perl/Net::LDAPS? Net::LDAPS and other client LDAP implementations often need to refer to a certificate store in PEM format.
    I figured out how to do this with the old iPlanet Directory 4.16 series,
    but with the new Sun 5.2 series, I'm hitting an interesting wall.
    First, I install my campus CA's cert as well as the server cert (oldsage.berkeley.edu) to be used for TLS/SSL connections...
    %/opt/sunone/lib/nss/bin/certutil -A -n "UCB-CA" -t "CT,," -a -i /home/staff/robreid/ssl-certs/ucb-ca.cer -d /directoryServerPath/alias -P 'slapd-oldsage-'
    %/opt/sunone/lib/nss/bin/certutil -A -n "oldsage.berkeley.edu" -t "u,," -a -i /home/staff/robreid/ssl-certs/oldsage.cer -d /directoryServerPath/alias -P slapd-oldsage-
    I can verify that the certs are installed properly...
    %/opt/sunone/lib/nss/bin/certutil -L -d /directoryServerPath/alias -P slapd-oldsage-
    Certificate Name Trust Attributes
    server-cert u,,
    UCB Issuing Certificate Authority 02 CT,,
    Now, the conversion to PEM is interesting.
    First I have to convert the cert7.db and key3.db files to a PKCS12 format, and this is where the problem begins... (Note, I do strip out the private key(s) as well but I'm not going to document those steps here)
    %/opt/sunone/lib/nss/bin/pk12util -o /home/staff/robreid/ssl-certs/oldsage-alias/oldage.pkcs12.cert2 -n "server-cert" -d /directoryServerPath/alias -P 'slapd-oldsage-'
    Notice that I have to refer to the certificate as 'server-cert' rather than
    'oldsage.berkeley.edu'. This will cause problems after the next steps, where I convert the PKCS12 file to PEM format...
    %/usr/local/openssl/bin/openssl pkcs12 -in /home/staff/robreid/ssl-certs/oldsage-alias/oldage.pkcs12.cert2 -out /home/staff/robreid/ssl-certs/oldsage-alias/oldsage.pem.cert
    %ln -s oldsage.pem.cert `/usr/local/openssl/bin/openssl x509 -hash -noout < oldsage.pem.cert`.0
    And the problem is that the certificate baggage in the PEM file is named
    'server-cert' and not 'oldsage.berkeley.edu', which then causes the client to encounter the 'hostname mismatch' error when attempting to verify the certificate as it tries to connect securely to the Directory.
    Does anyone know where I'm going wrong and of a better technique to use?
    Also, does the Sun Directory Proxy Server also use the same Netscape cert7/key3.db system for its certificate database/store?
    Thanks a bunch for any insights,
    Rob Chevalier
    University of California, Berkeley

    Hi,
    The necessary certificates have been sent to
    me in .cer file format.....can someone fill me in on
    how to create this database file? I'm currently
    working in a Win2K environment, in case that is
    relevant.

    You have several options. The easiest way to create the certificate database is to import the certificate using a Netscape Communicator or Mozilla browser.
    Alternatively, you can use certutil from NSS (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html)
    to create an empty database:
    certutil -N -d .
    (this creates an empty database in the current directory)
    Next, you will have to add the certificates to the database:
    certutil -A -d . -n <an arbitrary name for your certificate> -t C,, -i <certificate-file>
    Check the above referenced manual for the description of these options.
    Also, chapter 30 of the Directory Server Resource Kit Reference (http://docs.sun.com/source/816-6400-10/pkcsutil.html) has pointers to various tools that can be useful during development.
    I hope this helps.
    Bertold

  • How to send request to web service using .pem certificate.

    Dear All,
    I have a .pem file, a WSDL file and the Request and Response format. These files were provided by the customer. I have generated the ServiceClass from the WSDL file using wsdl.exe.
    Now when I send the request I am getting the error "The underlying connection was closed: An unexpected error occurred on a send". When I told my customer to remove the certificate validation from their web service, the Request and Response both worked fine.
    When I opened the .pem file in Notepad the content was
    -----BEGIN CERTIFICATE-----
    dfkhdfhsdfghgfjhAklajdaJHZKkjjHAKJhjkhkjhkjhkjhkjJKJHKJ......................................
    /R-----END CERTIFICATE-----
    and nothing else was there. As per my client, my code is proper for sending a request to the web service, but the use of the .pem file is not proper.
    I want to know what else I have to do. My customer has given me only a .pem file with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, nothing else in the file.
    Can anybody please help me with this? Below is my code snapshot.
    try
    {
        // Read the PEM file and decode its CERTIFICATE block (GetBytesFromPEM is the poster's own helper, not shown)
        var pem = System.IO.File.ReadAllText(Application.StartupPath + "\\server_selfsigned.pem");
        byte[] certBuffer = GetBytesFromPEM(pem, "CERTIFICATE");
        SMSService sms = new SMSService(txtURL.Text.Trim());
        // Attach the decoded certificate to the service proxy as a client certificate
        sms.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate2(certBuffer));
        SMSRequest smsReq = new SMSRequest();
        smsReq.UID = "2000";
        smsReq.SMSDetails = new SMSRequestSMSDetails { MessageText = txtMessage.Text.Trim(), MobileNumber = txtMobile.Text.Trim() };
        SMSReponse smsRes = sms.sendSMSOperation(smsReq);
        MessageBox.Show(smsRes.Code + " = " + smsRes.Message + " = " + smsRes.Status);
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
    Thanks in advance.
    Best Regards,
    Manoj Gupta.

    Hi,
    This issue might be due to the invalid .pem certificate file.
    Make sure to include the beginning and end tags on each certificate.                   
    The result should look like this:                
    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: DigiCertCA.crt)
    -----END CERTIFICATE-----
    For more detailed information, you could refer to:
    https://www.digicert.com/ssl-support/pem-ssl-creation.htm
    Regards

  • Cisco ACE key.pem import error

    Hi
    After extracting the Cert.pem and Key.pem from the PXF file,
    I am getting the following error trying to import the Key.pem file to the ACE:
    ENG-CTN-ACE01/Admin# crypto import tftp 10.3.31.249 key5.pem key5
    Trying to connect to tftp server......
    TFTP get operation was successful
    3294 bytes copied
    Successfully imported file from remote server.
    Error: File not of supported key or certificate type - RSA,  import failed.
    ENG-CTN-ACE01/Admin#
    * I have decrypted the key.pem and tried adding the key manually with the crypto import terminal command but am still getting the same error.
    Can you please assist, as to what I am doing wrong?
    The cert has been uploaded successfully.
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    cisco-sample-cert                        1082  PEM     Yes        CERT
    cisco-sample-key                         887   PEM     Yes         KEY
    wildcard-20140102.cer                    1459  DER     Yes        CERT
    Thanks
    rayyaan

    HI Rayyaan,
    This is a key which you cannot share so that I can try here on my end and see what is going on, so I would suggest contacting your CA vendor and asking them to provide the key and cert in PEM format. Once you have that, try it again. That's all I guess we can do here, or you can open a TAC case and see what is going on. If the key is in PEM format, the ACE shouldn't have any problem in accepting it.
    From user guide:
    Importing Certificate and Key Pair Files
    The ACE supports the importation of PEM-encoded key pairs and certificates (including wildcard certificates) signed by keys. The ACE allows a maximum public key size of 4096 bits. The maximum private key size is 2048 bits.
    You can import a certificate or key pair file to the ACE from a remote server by using the crypto import command in Exec mode. You can import either individual certificates and keys or multiple certificates and keys. Because a network device uses its certificate and corresponding public key together to prove its identity during the SSL handshake, be sure to import both the certificate file and its corresponding key pair file.
    The ACE supports the importation of PEM-encoded SSL certificates and keys with a maximum line width of 130 characters using the terminal. If an SSL certificate or key is not wrapped or it exceeds 130 characters per line, use a text editor such as the visual (vi) editor or Notepad to manually wrap the certificate or key to less than 130 characters per line. Alternatively, you can import the certificate or key by using SFTP, FTP, or TFTP with no regard to line width
    Regards,
    Kanwal

  • Missing files from /etc/certificates

    Hi, I have a certificate in my keychain for which I miss the .cert.pem, chain.pem, concat.pem and key.pem files in /etc/certificates.
    This results in a problem in server.app as I can't configure all my web-sites correctly and server.app won't write out the correct config files.
    Any idea how I can create the four files?

    So, I solved this issue and one more. I really can't believe nor understand why Apple is unable to create a server.app that can handle the simplest things. What trainees are working on it?
    You need two fixes:
    1. http://support.apple.com/kb/TS4539 (OS X Server: Saving a certificate identity to the system keychain does not work with Server services)
    The important part is that you need (!!) to reboot your machine. Only then are the files generated. I don't understand what's so hard about generating them right when adding the certificate, but that's another story.
    If you then try to use your now finally available certificate, you are hit by this problem:
    2. https://discussions.apple.com/thread/4266473?start=0&tstart=0 (Strange issue with Dovecot (err 89))
    And yes, that's because server.app comments out the SSL stuff in the dovecot config. Which of course makes a lot of sense if you want to use SSL. The bad side effect is that dovecot won't start up with this wrong config.
    Enough hours lost by this Apple botch...

  • PEM Encoded Certificate

    I have code ( see below ) which is successfully generating a Self Signed certificate in PEM format using the Bouncy Castle libraries.
    I'm not sure how to directly generate the cert in PEM format, ...the generated cert is in DER format and the extra code you see is to convert it to PEM. I have verified that the certificate works by running the openssl command :
    openssl x509 -in certificatename.pem -text
    The problem I am having is that openssl does not like the private key. Note in the code that I convert the private key I used to generate the certificate to PEM format - I use the very same technique as that used for the certificate. The following openssl command says that there is a problem with the private key:
    openssl rsa -in privatekeyname.pem -text
    Does anyone know how to generate either the certificate, private key or both directly in PEM format or what I may be doing wrong ? See code below:
    =================================================================================
    private X509Certificate buildSelfSignedCert(int keyLen, String associatedOrg) {
        // Security constants
        X509Certificate X509certificate = null;
        String ecnryptionType = "MD5WithRSAEncryption";
        String keyGeneratorType = "RSA";
        String LF = "\n";
        String beginCertificate = "-----BEGIN CERTIFICATE-----" + LF;
        String endCertificate = "-----END CERTIFICATE-----" + LF;
        String beginRSAPrivateKey = "-----BEGIN RSA PRIVATE KEY-----" + LF;
        String endRSAPrivateKey = "-----END RSA PRIVATE KEY-----" + LF;
        // Init a security provider
        Security.addProvider(new BouncyCastleProvider());
        // Generate key pair
        try {
            // Pub / Private key stuff
            KeyPairGenerator keyGen =
                    KeyPairGenerator.getInstance(keyGeneratorType);
            keyGen.initialize(keyLen, new SecureRandom());
            KeyPair keypair = keyGen.generateKeyPair();
            PrivateKey prikey = keypair.getPrivate();
            PublicKey pubkey = keypair.getPublic();
            // Init values for cert
            Calendar dateThen = Calendar.getInstance();
            dateThen.add(Calendar.YEAR, 1);
            X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
            certGen.setSerialNumber(BigInteger.valueOf(1));
            certGen.setIssuerDN(new X509Principal(associatedOrg));
            certGen.setNotBefore(new Date());
            certGen.setNotAfter(new Date(dateThen.getTimeInMillis()));
            certGen.setSubjectDN(new X509Principal(associatedOrg));
            certGen.setPublicKey(pubkey);
            certGen.setSignatureAlgorithm(ecnryptionType);
            // Create Cert
            X509certificate = certGen.generateX509Certificate(prikey);
            // Persist Cert
            try {
                // Write cert in PEM ( Base64 ) format - each line 64 bytes
                FileOutputStream fos = new FileOutputStream("CERT.pem");
                fos.write(beginCertificate.getBytes());
                byte[] certb64 = Base64.encode(X509certificate.getEncoded());
                int length = certb64.length;
                int bytestowrite = 64;
                for (int written = 0; written < length; ) {
                    fos.write(certb64, written, bytestowrite);
                    fos.write(LF.getBytes());
                    written += bytestowrite;
                    if ((length - written) < 64) {
                        bytestowrite = (length - written);
                    }
                } // for ( int written = 0; written < length; )
                fos.write(endCertificate.getBytes());
                fos.close();
                // Write Private Key in PEM ( Base64 ) format
                certb64 = null;
                fos = new FileOutputStream("prikey.pem");
                fos.write(beginRSAPrivateKey.getBytes());
                certb64 = Base64.encode(prikey.getEncoded());
                length = certb64.length;
                bytestowrite = 64;
                for (int written = 0; written < length; ) {
                    fos.write(certb64, written, bytestowrite);
                    fos.write(LF.getBytes());
                    written += bytestowrite;
                    if ((length - written) < 64) {
                        bytestowrite = (length - written);
                    }
                } // for ( int written = 0; written < length; )
                fos.write(endRSAPrivateKey.getBytes());
                fos.close();
            } catch (IOException ex) {
            } catch (CertificateEncodingException ex) {
            }
        } catch (java.security.NoSuchAlgorithmException x) {
        } catch (java.security.SignatureException x) {
        } catch (java.security.InvalidKeyException x) {
        }
        return X509certificate;
    }

    Hi, I have a similar problem with BouncyCastle and the openssl PEM functions. I found that the BC lib normally creates RSA keys encoded (padded) per the PKCS#8 spec, whereas openssl is able to read only PKCS#1 padded keys. Fortunately, openssl can convert a PKCS#8 key using the command:
    openssl pkcs8 -in "pk-pkcs8.pem" -out "pk.key" -nocrypt
    Important: the original (BC-created) pk PEM file needs to start with -----BEGIN PRIVATE KEY----- only ("...BEGIN RSA PRIVATE KEY..." is not good).
    The converted file, "pk.key" in the example, is now in the right format for the openssl functions.
    ...But I have another problem now: after merging the converted PK PEM file with the corresponding X509 certificate, PEM (Base64) encoded, to obtain a complete certificate PEM description (also adding the HD section at the bottom, like the openssl documentation example), I tried to use it in the Apache modssl module, but the openssl response is always "key mismatch"...
    Suggestions?
    Thanks
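
The label and key-match points raised in the reply above, as an added Java example that is not part of the original posts: it picks the PEM label from the key's actual encoding and checks that a private key belongs to a public key (for a certificate, the value of getPublicKey()). The class and method names are assumptions, and the keys are generated on the spot as constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;

public class PemKeyCheck {   // hypothetical class name
    // Wrap DER bytes in PEM armor: Base64 in 64-character lines between BEGIN/END lines.
    static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    // Choose the PEM label from what getEncoded() actually returns.
    static String privateKeyPem(PrivateKey key) {
        if (!"PKCS#8".equals(key.getFormat()))
            throw new IllegalArgumentException("unexpected encoding: " + key.getFormat());
        return toPem("PRIVATE KEY", key.getEncoded());
    }

    // True when the private key belongs to the public key (e.g. cert.getPublicKey()).
    static boolean matches(PublicKey pub, PrivateKey priv) throws GeneralSecurityException {
        // Cheap check first: an RSA key pair shares one modulus.
        if (pub instanceof RSAPublicKey && priv instanceof RSAPrivateKey
                && !((RSAPublicKey) pub).getModulus().equals(((RSAPrivateKey) priv).getModulus()))
            return false;
        // Functional check: sign a probe with the private key, verify with the public key.
        byte[] probe = "key-match probe".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(probe);
        byte[] sig = s.sign();
        s.initVerify(pub);
        s.update(probe);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair a = gen.generateKeyPair();   // constructed sample keys
        KeyPair b = gen.generateKeyPair();
        System.out.println(privateKeyPem(a.getPrivate()).split("\n")[0]);
        System.out.println("same pair:  " + matches(a.getPublic(), a.getPrivate()));
        System.out.println("mixed pair: " + matches(b.getPublic(), a.getPrivate()));
    }
}
```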

  • PEM to DER decoding using JCE API

    Hi,
    I need to convert PEM files to DER format within my
    Java code (each PEM file is coming in as a String object).
    Does anyone know of a way to do this using the Sun JCE
    (or IBM provider)?
    Thanks much

    I figured out how to do this. In case someone else runs into
    this problem in the future, here's one solution.
    1. Strip the delimiters, i.e. "-----BEGIN PRIVATE KEY-----"
    and "-----END PRIVATE KEY-----" from the PEM file. You
    will be left with the Base64-encoded text.
    2. Use a Base64 decoder class (e.g. com.ibm.misc.BASE64Decoder)
    to decode the Base64 back to the original DER bytes.
    For example:
    //privateKeyStr String contains the PEM data
    int pemStartIndex = privateKeyStr.indexOf("\n") + 1;
    int pemEndIndex = privateKeyStr.indexOf("-----END");
    String pemStr = privateKeyStr.substring(pemStartIndex, pemEndIndex);
    byte[] keyData = null;
    com.ibm.misc.BASE64Decoder base64 = new com.ibm.misc.BASE64Decoder();
    keyData = base64.decodeBuffer(pemStr); //keyData now contains DER data
    That's it.
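
The same PEM-to-DER steps using only the standard java.util.Base64 class (Java 8 and later), as an added example that is not part of the original answer: it also returns the PEM label, so the caller knows whether the DER bytes are PKCS#8 before passing them to KeyFactory. The class and method names are assumptions, and the sample PEM is constructed inside main.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemToDer {   // hypothetical class name
    // One PEM block: BEGIN line, Base64 body, END line.
    private static final Pattern PEM = Pattern.compile(
        "-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", Pattern.DOTALL);

    static final class Block {
        final String label; final byte[] der;
        Block(String label, byte[] der) { this.label = label; this.der = der; }
    }

    // Decode the first PEM block in the text; the label tells the caller what the DER is.
    static Block decode(String pem) {
        Matcher m = PEM.matcher(pem);
        if (!m.find()) throw new IllegalArgumentException("no PEM block found");
        if (!m.group(1).equals(m.group(3)))
            throw new IllegalArgumentException("BEGIN/END labels differ");
        // The MIME decoder skips line breaks and other non-Base64 characters.
        return new Block(m.group(1), Base64.getMimeDecoder().decode(m.group(2)));
    }

    // PKCS8EncodedKeySpec only fits "PRIVATE KEY"; "RSA PRIVATE KEY" is PKCS#1.
    static PrivateKey loadRsaPrivateKey(String pem) throws Exception {
        Block b = decode(pem);
        if (!"PRIVATE KEY".equals(b.label))
            throw new IllegalArgumentException("expected PKCS#8, got label: " + b.label);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(b.der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a fresh key, PEM-armored with CRLF line endings.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        byte[] der = gen.generateKeyPair().getPrivate().getEncoded();
        String pem = "-----BEGIN PRIVATE KEY-----\r\n"
            + Base64.getMimeEncoder().encodeToString(der) + "\r\n-----END PRIVATE KEY-----\r\n";
        PrivateKey key = loadRsaPrivateKey(pem);
        System.out.println("round trip ok: " + Arrays.equals(der, key.getEncoded()));
        System.out.println(decode(pem.replace("PRIVATE KEY", "RSA PRIVATE KEY")).label);
    }
}
```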
