Steps to create your own self signed certificate with java plugin working

You need two tools that comes with your jdk which are keytool and jarsigner.
Steps explain below in detail. Don't use netscape signtool, it will NEVER work!
* keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
cn = Certificate name
o = organistation
ou = organistation unit
c = country (first two letters)
If don't put the -dname, you can fill it line by line.
The -keypass has to be verify at the end, and you have to wait for it to create the rsa signing keys.
On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if log in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for .keystore
file. When you update it, check for the timestamp change and you know if you at the right spot.
You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
The .keystore contains a list of alias so you don't have to do this process again and again.
Another tip if you want your certificate encryption validity to be more than the default one month is simply
add the -validity <valDays>, after the -genkey option, to make your certificate usage for encryption to last much longer.
Note: You MUST use the -keyalg rsa because for starters the rsa encyption alogorthim is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorthim when signing applets, else you will get all sorts of weird errors :)
Do not use signtool because thats a browser dependant solution!! Java plugin is supposed to work via running it owns jre instead of the browser JVM. So if you going to use netscape signtool, it starts to become a mess! ie certificate will install, but applet won't start and give you funny security exception errors :)
* keytool -export -alias tstkey -file MyTestCert.crt
It will read the alias information in the .keystore information picking up the rsa private/public keys info and
create your self sign certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
* Put your classes in your jar file, my example is tst.jar.
* jarsigner tst.jar tstkey
Sign your testing jar file with your alias key that supports the RSA encryption alogorthim.
* jarsigner -verify -verbose -certs tst.jar
Check that its been verified.
The last step is the most tricky one. Its to do with having your own CA (Certified Authority) so you don't
have to fork out money straight away to buy a Verisign or Twarte certificate. The CA listing as you see in
netscape browsers under security/signers, is NOT where the plugin looks at. The plugin looks at a file called
CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your
JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time in uses your
JavaSoft folder and its the cacerts file that has to be updated you add your own CA, because thats where
the plugin look at, NOT THE BROWSER. Everything about plugin is never to do with the browser!! :)
* keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
Off course point to your own cacerts file destination.
Password to change it, is "changeit"
Before you do this step make a copy of it in its own directory in case you do something silly.
This example will add a CA with alias of my key called "tstkey" and store to my example destination.
* keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
List to see if another CA is added with your alias key.
Your html, using Netscape embed and Internet explorer object tags to point to the java plugin,
your own self sign applet certificate should work
Cheers
Abraham Khalil

I follow Signed Applet in Plugin, and it's working on
my computer. Thanks
But When I open my applet from another computer on
network, why it does not work ..?
How to make this applet working at another computer
without change the policy file ..?
thanks in advance,
AnomYou must install the certificate on that computers plugin. Can this be done from the web? can anyone suggest a batch file or otherwise that could do this for end users?
I want a way for end users to accept my cert as Root or at least trust my cert so I dont have to buy one. I am not worried about my users refusing to accept my cert. just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.

Similar Messages

  • RV120W- How to create new unique self-signed certificate?

    Hello,
    how to create new unique self-signed certificate on RV120W? I can create request for singning by external CA, but I cannot create new unique self-signed certificate itself. Any idea? Did I miss something? Many thanks!
    Abudef

    So basically RV120W does not support self-signed certificate? It only allows to generate private key and certificate signin request. There is no chance to replace default generic ssl/vpn certifice within router itself? Could you please give me an advice, how to sign that request by some "CA"? I mean no commercial CA, I need something free running under Windows os. Many thanks!

  • How do we create self-signed certificate using java packages

    Hi All,
    I require some information on creating self-signed certificate using java packages.
    The java.security.cert.* package allows you to read Certificates from an existing store or a file etc. but there is no way to generate one afresh. See CertificateFactory and Certificate classes. Even after loading a certificate you cannot regenerate some of its fields to embed the new public key &#8211; and hence regenerate the fingerprints etc. &#8211; and mention a new DN. Essentially, I see no way from java to self-sign a certificate that embeds a public key that I have already generated.
    I want to do the equivalent of &#8216;keytool &#8211;selfcert&#8217; from java code. Please note that I am not trying to do this by using the keytool command line option &#8211; it is always a bad choice to execute external process from the java code &#8211; but if no other ways are found then I have to fall back on it.
    Regards,
    Chandra

    I require some information on creating self-signed certificate using java packages. Its not possible because JCE/JCA doesn't have implementation of X509Certificate. For that you have to use any other JCE Provider e.g. BouncyCastle, IAIK, Assembla and etc.
    I'm giving you sample code for producing self-signed certificate using IAIK JCE. Note that IAIK JCE is not free. But you can use BouncyCastle its open source and free.
    **Generating and Initialising the Public and Private Keys*/
      public KeyPair generateKeys() throws Exception
          //1 - Key Pair Generated [Public and Private Key]
          m_objkeypairgen = KeyPairGenerator.getInstance("RSA");
          m_objkeypair = m_objkeypairgen.generateKeyPair();
          System.out.println("Key Pair Generated....");
          //Returns Both Keys [Public and Private]*/
          return m_objkeypair;
    /**Generating and Initialising the Self Signed Certificate*/
      public X509Certificate generateSSCert() throws Exception
        //Creates Instance of X509 Certificate
        m_objX509 = new X509Certificate();
        //Creatting Calender Instance
        GregorianCalendar obj_date = new GregorianCalendar();
        Name obj_issuer = new Name();
        obj_issuer.addRDN(ObjectID.country, "CountryName");
        obj_issuer.addRDN(ObjectID.organization ,"CompanyName");
        obj_issuer.addRDN(ObjectID.organizationalUnit ,"Deptt");
        obj_issuer.addRDN(ObjectID.commonName ,"Valid CA Name");
        //Self Signed Certificate
        m_objX509.setIssuerDN(obj_issuer); // Sets Issuer Info:
        m_objX509.setSubjectDN(obj_issuer); // Sets Subjects Info:
        m_objX509.setSerialNumber(BigInteger.valueOf(0x1234L));
        m_objX509.setPublicKey(m_objkeypair.getPublic());// Sets Public Key
        m_objX509.setValidNotBefore(obj_date.getTime()); //Sets Starting Date
        obj_date.add(Calendar.MONTH, 6); //Extending the Date [Cert Validation Period (6-Months)]
        m_objX509.setValidNotAfter(obj_date.getTime()); //Sets Ending Date [Expiration Date]
        //Signing Certificate With SHA-1 and RSA
        m_objX509.sign(AlgorithmID.sha1WithRSAEncryption, m_objkeypair.getPrivate()); // JCE doesn't have that specific implementation so that why we need any //other provider e.g. BouncyCastle, IAIK and etc.
        System.out.println("Start Certificate....................................");
        System.out.println(m_objX509.toString());
        System.out.println("End Certificate......................................");
        //Returns Self Signed Certificate.
        return m_objX509;
      //****************************************************************

  • How to use Self Signed certificate with SSLServerSocket?

    Hello to all.
    I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
    The server must have it's own certificate, clients don't need one.
    I started with this
    http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
    To generate key for the server and a self signed certificate.
    To sum it up:
         Create a new keystore and self-signed certificate with corresponding public/private keys.
    keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
         Export and examine the self-signed certificate.
    keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
         Import the certificate into a new truststore.
    keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jksThen in my server code I do
    System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
    Socket s = sslServerSocket.accept();I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
    Can it be a problem with the certificate? When using -validity <days> in keytool the certificate gets self-signed, so it should work if I'm not wrong.
    I have also tried this solution
    serverKeyStore = KeyStore.getInstance( "JKS" );
    serverKeyStore.load( new FileInputStream("/scratch/stores/server.jks" ),
         "123456".toCharArray() );
    tmf = TrustManagerFactory.getInstance( "SunX509" );
    tmf.init( serverKeyStore );
    sslContext = SSLContext.getInstance( "TLS" );
    sslContext.init( null, tmf.getTrustManagers(),secureRandom );
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port );and still it doesn't work.
    So what am I missing?

    You were right. I corrected the mistakes in the server code, now it's
         private SSLServerSocket setupSSLServerSocket(){
              try {
                   SSLContext sslContext = SSLContext.getInstance( "TLS" );
                   KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
                   KeyStore ks = KeyStore.getInstance("JKS");
                   ks.load(new FileInputStream(_KEYSTORE), _KEYSTORE_PASSWORD.toCharArray());
                   km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
                    * Da usare con un truststore se serve autenticazione dei client
                    * TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
                   tm.init(ks);*/
                   sslContext.init(km.getKeyManagers(), null, null);
                   SSLServerSocketFactory f = sslContext.getServerSocketFactory();
                   SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(_PORT);
                   return ss;
              } catch (UnrecoverableKeyException e) {
                   e.printStackTrace();
              } catch (KeyManagementException e) {
                   e.printStackTrace();
              } catch (NoSuchAlgorithmException e) {
                   e.printStackTrace();
              } catch (KeyStoreException e) {
                   e.printStackTrace();
              } catch (CertificateException e) {
                   e.printStackTrace();
              } catch (FileNotFoundException e) {
                   e.printStackTrace();
              } catch (IOException e) {
                   e.printStackTrace();
              return null;
         }and on the client code
    private SSLSocket setupSSLClientSocket(){
         try {
              SSLContext sslContext = SSLContext.getInstance( "TLS" );
              /* SERVER
              KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
              km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
              KeyStore clientks = KeyStore.getInstance("JKS");
              clientks.load(new FileInputStream(_TRUSTSTORE), _TRUSTSTORE_PASS.toCharArray());
              TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
              tm.init(clientks);
              sslContext.init(null, tm.getTrustManagers(), null);
              SSLSocketFactory f = sslContext.getSocketFactory();
              SSLSocket sslSocket = (SSLSocket) f.createSocket("localhost", _PORT);
              return sslSocket;
         } catch (KeyManagementException e) {
              e.printStackTrace();
         } catch (NoSuchAlgorithmException e) {
              e.printStackTrace();
         } catch (KeyStoreException e) {
              e.printStackTrace();
         } catch (CertificateException e) {
              e.printStackTrace();
         } catch (FileNotFoundException e) {
              e.printStackTrace();
         } catch (IOException e) {
              e.printStackTrace();
         return null;
    }and added a System.out.println(sslSocket); after every incoming message (server side) and SSL is now fully working!
    So my mistakes were:
    [] Incorrect setup done by code
    [] Incorrect and insufficient println() of socket status
    Now that everything works, I've deleted all this manual setup and just use the system properties. (They MUST be set before getting the Factory)
    SERVER SIDE:
    System.setProperty("javax.net.ssl.keyStore", _KEYSTORE);
    System.setProperty("javax.net.ssl.keyStorePassword", KEYSTOREPASSWORD);
    SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    SSLServerSocket sslServerSocket = (SSLServerSocket) f.createServerSocket(_PORT);
    CLIENT SIDE:
    System.setProperty("javax.net.ssl.trustStore", "/scratch/stores/client.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "client");
    SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) f.createSocket(_HOST, _PORT);
    And everything is working as expected. Thank you!
    I hope my code will help someone else in the future.

  • Does anyone know how to use a self signed certificate with apple mail??

    Ive read about it in mail's help and tried to set it up according to it. Ive created a self-signed certificate but have no idea how to set it up as it would work with Mail so that i would be able to send signed messages. could anyone help me??

    Hello rado:
    Welcome to Apple discussions.
    I am assuming this is what you read:
    http://docs.info.apple.com/article.html?path=Mac/10.5/en/8916.html
    If you follow the instructions when you set up the certificate, you should be fine.
    Incidentally, most +"ordinary users"+ (like me) do not use this function. I am curious as to why you want to jump through hoops in your Mail application.
    Barry

  • How to install self-signed certificate with iOS 4?

    I've been trying to install a self-signed certificate in iOS 4 with no avail. I have a webserver at home in which I connect to via SSL using a self-signed cert. It used to work in 3.1.3; it would kick out a dialog, but you were able to continue to the page. Now with iOS 4, that is no longer the case, I am unable to view the site.
    I have tried several things. I have tried emailing the cert. to myself and installing it. I get it installed but says it's untrusted and am not able to view the site. I have tried converting my .pem that is on my server to .p12 and that didn't work. I tried going to the site in Safari on my Mac and adding the cert. to the keychain and then syncing; that didn't work. I tried taking that cert. in the keychain, making sure it was trusted, exporting it to .cer and adding that to a configuration profile I created in the iPhone Configuration Utility.. that did not work despite the fact that it showed it as trusted. Am I doing something wrong or missing something here?

    I've been trying to install a self-signed certificate in iOS 4 with no avail. I have a webserver at home in which I connect to via SSL using a self-signed cert. It used to work in 3.1.3; it would kick out a dialog, but you were able to continue to the page. Now with iOS 4, that is no longer the case, I am unable to view the site.
    I have tried several things. I have tried emailing the cert. to myself and installing it. I get it installed but says it's untrusted and am not able to view the site. I have tried converting my .pem that is on my server to .p12 and that didn't work. I tried going to the site in Safari on my Mac and adding the cert. to the keychain and then syncing; that didn't work. I tried taking that cert. in the keychain, making sure it was trusted, exporting it to .cer and adding that to a configuration profile I created in the iPhone Configuration Utility.. that did not work despite the fact that it showed it as trusted. Am I doing something wrong or missing something here?

  • How to register iOS device when using self signed certificate with apple Server?

    Hi,
    I have installed the server.app by Apple and used a slef signed certificate for my server. Now I want to register my different devices (iMac, iPhone etc.). I could register the iMac without problesm (I just had to add my self signed certificate to the trusted certificates)
    Sadly, with the iPhone it is not that easy. I can install the "trust profile", but still after that I can not register my device. It seems like it does not accept my self signed certificate for device registration. When adding a registration profile, I get the error "www._mydomain_.tld/devicemanagement/api/device/auto_join_ota_service" is not valid.
    Nethertheless, I can install a profile with setting, e.g. my imap settings, via the profile management without problems.
    Does anyone have an idea how to get around the problem with the self signed certificate?
    Best regards

    Try deleting the Server.app and download it again from the App Store, restart.
    My Server is also using self signed certificates and is working with iOS device (Trust Profile needed first).

  • Problems with Creating a self-signed Certificate

    hi,
    I read the keytool Documentation and wanted to create my own self-signed certificate.
    ok, I followed the steps :
    1) keytool -keyclone -alias origkey -dest my_key
    2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
    3) keytool -certreq -alias my_key (output in mycert.cer)
    4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
    .. Password Input...
    Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
    But it exists, see :
    [usr]$ keytool -list
    Keystore-Typ: jks
    Keystore-Provider: SUN
    new_key, 06.05.2003, keyEntry,
    So it exists, but why do I get the error ?
    So far,
    Stefan Gross

    stefan hi,
    i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
    and then using the keystore you can create as many certificates as possible based on the key pair.
    try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
    hope this time it'll work, let me know.
    cem.
    note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
    To set up a digital certificate,
    Generate a key pair.
    The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
    To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
    keytool -genkey -keyalg RSA -alias tomcat-server
    -keystore <keystore_filename>
    The keytool utility prompts you for the following information:
    Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
    First and last name--Enter the appropriate value, for example, JWSDP.
    Organizational unit--Enter the appropriate value, for example, Java Web Services.
    Organization--Enter the appropriate value, for example, Sun Microsystems.
    City or locality--Enter the appropriate value, for example, Santa Clara.
    State or province--Enter the unabbreviated name, for example, CA.
    Two-letter country code--For the USA, the two-letter country code is US.
    Review the information you've entered so far, enter Yes if it is correct.
    Key password for the Web server--Do not enter a password. Press Return.
    The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
    Creating a Self-Signed Certificate
    This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
    Export the server certificate to a certificate file:
    keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
    Enter the password (changeit).
    Keytool returns the following message:
    Certificate stored in file <server.cer>
    Import the new server certificate into the Certificate Authority file cacerts.jks:
    keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
    -file server.cer
    Enter the password (changeit).
    Keytool returns a message similar to the following:
    Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
    ST=CA, C=US
    Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
    ST=CA, C=US
    Serial number: 3e39e3e0
    Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
    Certificate fingerprints:
    MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
    SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    ----------------------------------

  • Step by Step Instructions for Installing Self Signed Certificate using Certificate Modification Tool

    I am looking for some step by step instructions for installing the self signed certificate from my Microsoft SBS 2003 server on a Treo 755p and 750p.  In particular I need some help with the form of the actual certificate and how to use the Certificate Modification tool. 
    Some questions I have are as follows:
    1. When I install the certificate on a Windows Mobile device I used an exported version of the certificate.  This export is done using the DER x.509 format.  Is that the same form I’ll need for the Palm?  Do I need some other form? Can/should I just use sbscert.cer file that is generated when SBS is configured?
    2. Does the self signed cert need to be installed on the computer being used to update the Palm or do we just need to be able to access the appropriate .CER file?
    3. There are three things included in the PalmCertificatesTool.zip file:
                                    Trusted CAs (folder)
                                    Cert2pdb.exe
                                    PalmCertificates.exe
       How do I use these tools?
    4. It looks like the PalmCertificates.exe file opens an interface that will allow me to browse to the desired .CER file.  Then I suppose I use the < Generate PDB > to create something that needs to then be uploaded to the Palm device?  Not having any real experience with a Palm device how do I upload and install this file? 
    5. Once uploaded do I do something on the device to install it?
    If there is some white paper that provides step by step instructions on doing this that would be great.
    Thanks,
    Walt Bell
    Post relates to: Treo 755p (Verizon)
    Post relates to: Treo 755p (Verizon)

    Thanks for that.
    I have one question after reading the article 43375:
    The article has you "Turn of AutoSync" and then "Reset the device".  It then indicates the device should be left idle. 
    The next step relates to running the PalmCertificates.exe, navigate to the certificate file and add it and then run the < Generate PDB > button.  Should the device be connected to the computer during this process? If so, at what point after the reset do you connect it to the computer?
    Thanks!
    Post relates to: Treo 755p (Verizon)

  • How to replace an expiring self-signed certificate?

    Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
    First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
    It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
    The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
    It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
    I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
    I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
    Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
    http://screencast.com/t/zlVyR2Hsc
    Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
    Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
    http://screencast.com/t/54c2BUJuXO2
    Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
    Be aware that creating certificates starts to populate your server Keychain.
    http://screencast.com/t/JjLb4YkAM
    It appears that when you start to delete certificates, it leaves behind private keys.
    http://screencast.com/t/XD9zO3n16z
    If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
    OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
    In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
    Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
    Bypass "Introduction".
    In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
    The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
    You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
    In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
    The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
    (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
    Pant, pant...
    The next window asks for an email address and location information - this appears to be optional.
    Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
    Key Usage Extension window
    Here's where it gets interesting...
    I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
    Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
    Extended Key Usage Extension...
    Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
    Sorry, folks, I just HAVE to show you the help for this window...
    +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
    KILL ME NOW!!!
    OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
    Basic Constraints Extension...
    Well, there is no mention of that on the original certificate, so leave it unchecked.
    Subject Alternate Name Extension...
    Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
    DONE!!!! Let's see what the heck we got!
    http://screencast.com/t/QgU86suCiQH
    Well, I don't know about you but that looks pretty close for Jazz?
    I got some extra crap in there but the stuff from the original cert is all there.
    Think we're OK??
    Out with the old certificate (delete).
    Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
    http://screencast.com/t/bydMfhXcBFDH
    Oh yeah...one more thing in KeyChain Access...
    See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
    http://screencast.com/t/GdZfxBkHrea
    Select "Always Trust".
    I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
    I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
    Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
    If you want to see my rant on Apple's worthless documentation, it's here.
    http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

    to add to countryschool and john orban's experiences:
    using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
    in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
    when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
    supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
    you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
    now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
    after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
    lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
    maybe that's hopeful to somebody. but i stopped there since things seem to be working.
    last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
    now, we'll see how everything works once people start really using it...

  • Lion server erased self signed certificate

    Help!!! I accidentally deleted the self signed certificate that had the right keys for my third party SSL.  Now I cannot replace the self signed certificate with the new SSL.  Now what????

    I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.
     Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted
    in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.
     The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.
    After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed
    certificate created by SQL Server for data in transit transmission.
    BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.
    I hope this information helps,
    -Raul Garcia
     SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Self Signed Certificate for Web Proxy 4.0.2

    Does anyone have instructions on how to create and install self signed Certificate for Web Proxy Server 4.0.2? My OS is RHEL 4.
    Shed.

    Unfortunately you will not be able to do that from the GUI.
    You will have to use certutil frin proxy-install/bin/proxy/admin/bin/certutil
    Make sure that your LD_LIBRARY_PATH includes proxy-install/bin/proxy/lib
    (start -shell will give you a shell with all necessary paths set.)
    create a file called password-file which contains your password to your cert database
    your cert database resides in the alias directory of proxy installation.
    certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234
    -f password-file -d certdir

  • Cannot upload self signed certificate on EZ Media

    The problem I have is on my Lenovo Iomega EZ Media & Backup Center 3TB, version 4.1.108.32627
    Using openssl I created the following self signed certificates in both .pem and .der format:
    -CA.cert.pem( this is the CA that I used to sign the server certificate that I intend to upload to the Iomega EZ; I installed this in my browser, works ok )
    -server.cert.pem ( this is the certificate that I want to install on server )
    -server.key.pem ( this is the key that I used to make the certificate signing request that I used to generate server.cert.pem ).
    From the security menu ( https://<personal_cloud_url>/manage/security.html ) I try to install server.cert.pem ( and also in .der format ).
    The problem is that I receive this error:
    "Failed to validate the uploaded certificate"
    Same error is seen when I try to upload CA.cert.pem/.crt.
    I red the help file for this particular security page, but I could not find anything about the required format of the certificate.
    Does anyone have any idea how to install a self signed certificate?
    Thank you.
    Solved!
    Go to Solution.

    Hello zupermann
    Iomega/LenovoEMC Lifeline devices only support x.509 certificates with one private key and pem extension.  
    This should be the format used to create an open ssl cert for use with a lifeline device 
    " # openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout newCertificate.pem -out newCertificate.pem "
    Hope that helps!
    LenovoEMC Contact Information is region specific. Please select the correct link then access the Contact Us at the top right:
    US and Canada: https://lenovo-na-en.custhelp.com/
    Latin America and Mexico: https://lenovo-la-es.custhelp.com/
    EU: https://lenovo-eu-en.custhelp.com/
    India/Asia Pacific: https://lenovo-ap-en.custhelp.com/
    http://support.lenovoemc.com/

  • Self signed certificate, key of 2048 bits, CUOM 8.7

    Hello:
    What is the correct way to create a self signed certificate with a key of 2048 bits in Cisco Unified Operations Manager 8.7?
    I edited the file
    "NMSROOT\MDC\Apache\conf\ssl\openssl.conf",
    changing
    default_bits from 1024 to 2048 and
    prompt from no to yes and then executed
    "NMSROOT\MDC\Apache\gencert.bat"
    and now the files
    "NMSROOT\MDC\Apache\conf\ssl\server.crt" and
    "NMSROOT\MDC\Apache\conf\ssl\chain.cer"
    show public keys RSA of 2048 Bits.
    Is this the right procedure to increase the lenght of the key?
    Regards,
    Marco Antonio.

    Sure, the secure-server is the quickest and easiest method but you can create the new key, define the trustpoint manually and enroll the certificate that way.
    Below are the commands. (You can of course call the key, trustpoint, O and CN values whatever locally significant names make sense for you.)
    router(config)#crypto key generate rsa label router-rsa modulus 2048
    The name for the keys will be: router-rsa
    % The key modulus size is 2048 bits
    % Generating 2048 bit RSA keys, keys will be non-exportable...
    [OK] (elapsed time was 10 seconds)
    router(config)#
    router(config)#crypto pki trustpoint router-ca
    router(ca-trustpoint)#enrollment selfsigned
    router(ca-trustpoint)#subject-name O=Test,CN=www.router.com
    router(ca-trustpoint)#rsakeypair router-rsa
    router(config)#crypto pki enroll router-ca
    % Include the router serial number in the subject name? [yes/no]: no
    % Include an IP address in the subject name? [no]: no
    Generate Self Signed Router Certificate? [yes/no]: yes
    Router Self Signed Certificate successfully created
    router(config)#

  • Two way ssl with self signed certificate?

    How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
    Specfically, I don't want to use any CA authority.
    Is it possible to simply have the clients certificate in the servers truststore or not?
    I pull out the certificate via
    javax.servlet.request.X509Certificate
    but when I use a self signed certificate it's never there.
    If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.

    How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
    Specfically, I don't want to use any CA authority.
    Is it possible to simply have the clients certificate in the servers truststore or not?
    I pull out the certificate via
    javax.servlet.request.X509Certificate
    but when I use a self signed certificate it's never there.
    If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.

Maybe you are looking for