11.0.9 Use certificate for signing

Similar Messages

• Using certificate for signing into portal

  Hello experts,
  we want to implement the functionality of certificate in the portal.
  If we have SAP passport then the pop up window lists the certificate from "User Certificate store", when i log on to service marketplace.
  We have a similar kind of requirement in our portal, that whenever user tries to log on into the portal a pop up should come which will list the certificates available in the store of his browser.
  This functionality should be similar to service marketplace one.
  If anybody has done this previously, please let me know the direction to proceed.
  thanks in advance, useful solution will be rewarded.
  rgds,
  Kedar Kulkarni

  Hi Kedar,
  I have configured SAP NetWeaver Portal using client certificates for user authentication. The configuration is a fairly straight forward process.
  Find the necessary information in the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/62/881e3e3986f701e10000000a114084/frameset.htm">SAP Library</a>.
  Best regards,
  Martin

• I have an apple id but ı can not use it for sign in to itunes connect account while publishing my ibook document. Why ı can not login? What can ı do to figure out this problem?

  I have an apple id but ı can not use it for sign in to itunes connect account while publishing my ibook document. Why ı can not login? What can ı do to figure out this problem?

  As note already on the iBA forum [ AppleID for ibooks publishing ], you need two IDs. You can't use your developer ID.
  If you already signed up for books with that ID, you need to talk to Apple to straighten things out.

• Adobe 6.0 Standard  - reissue of signing certificate for signing

  I have a problem where an employee re-applied for their PKI (Private Key Identifier) used for signing. They were having problems with their card and needed a new one.
  Now all of the old documents that were once certified and signed, Adobe says under Signature Properties: Document certification is INVALID
  - The document has not been modified since it was certified
  - The signer's identity is invalid because the signers Certificate has been revoked
  How do I handle lost or stolen PKI cards, or employees who have left the company. We handle all certificate authentication internally. What becomes of all the old documents that no longer have valid signatures? Is there a way to recognize the old certificates as valid?

  Possibly when applying for the PKI again you have the choice of
  whether the old one is revoked. If, for instance, it is based on a
  password that has been exposed, or a hardware card that is lost, it is
  very important that ALL documents be revoked, because there is no way
  to tell the difference between those validly signed, and those later
  fraudulently signed.
  Hopefully someone else will have more specific advice for this case.
  Aandi Inston

• How to filter list of digital certificates for signing PDF

  Is it possible to change the configuration of Reader installation to filter the list of installed certificates that can be used for digitally signing documents?
  The filtered list will appear when users attempt to select a certificate for digitally signing a document.
  Thanks.

  Hi Carla,
  Unfortunately, Extended Key Usage is not one of the properties you can enforce.
  The things you can set are:
  appearanceFilter (i.e. enforce the use of a custom signature appearance)
  certspec(i.e. the signing certificate must meet some specific criteria)  <<<----- This is what you are more interested in, more below
  digestMethod(i.e. enforce the use of a specific cryptographic hashing algorithm)
  filter (i.e. enforce the use of a specific security handler if you want to use something other than the one built into Acrobat)
  legalAttestations (i.e. enforce the reason or purpose of the certifying signature)
  lockDocument (i.e. enforce any further changes to the document after the signature is applied)
  mdp (i.e. the rules for changing the document applied as part of a certifying signature)
  reasons (i.e. a list of one or more reasons the signer can use, as opposed to them adding their own)
  shouldAddRevInfo (i.e. force the inclusion on the revocation information (CRL or OCSP response) in the PDF file)
  subFilter (i.e. require the use of a specific signature format. This is very arcane)
  timeStampspec (i.e. require the use of a specific time stamp server)
  version (i.e the minimum version of Acrobat that can decipher the signature. the only two options are versions 6 or 8)
  The second item is the certspec, and this is what I've been pointing you towards. For the sake of discussion, think of everything you can read in a certificate as an extension. The serial number is an extension, the subject is an extension, the valid from date is an extension, etc. When a certificate is created, some of these extensions are required, other optional, and you can even add in extension that are not publicly defined, and only you will know about.
  Acrobat has the ability to enforce the signer to use a certificate that contains some, but not all of the known extensions. The extensions it can enforce are:
  issuer (i.e. require the use of a certificate that is issued by a specific Certificate Authority)
  keyUsage (i.e. require the signers certificate contain one or more of the nine possible values that can be included)
  oid (i.e. require that the Certificate Policy extension contain a specific value)
  subject (i.e. require that the document is signed by one specific person using one specific digital ID)
  subjectDN (i.e. require that the document is signed by one specific person, but they get to choose which digital ID to use)
  url (i.e. if a required digital ID is not available, where the signer can procure an acceptable digital ID)
  urlType (i.e. if the user is directed to the URL, should it be a web server where they can download a digital ID or a remote signing server where the digital ID stays on the remote server)
  That's it. If it's not one of these items then Acrobat cannot enforce that the item is available. Extended Key Usage is not on the list.
  Steve

• Import "general use" certificate for use with Exchange

  Usually (that's the way I've always done it), we create a certificate request on the Exchange server, submit the request to the certificate authority (preferably a 3rd party public CA) and then import and enable the certificate for the appropriate Exchange
  functions: IIS, SMTP, IMAP. POP, for example.
  What if the company already has a wildcard certificate obtained for others uses or general use (that's how it was described to me).
  It was suggested that we might just use that certificate...
  I think it would be best to "go by the book" and proceed as mentioned above (creation of cert request on the Exchange server, submission to CA, and so forth). After all, you can obtain a certificate appropriate for use with Exchange for just over
  $50.
  But is the other option even possible?
  I know you can export an Exchange certificate obtained by what I believe to be the preferred way and import it on another Exchange server or on a ISA/TMG machine.
  But could you export a certificate from an Apache web server or a firewall device or... just something else, and use it for Exchange?
  This article seems to suggest you could:
  http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-an-apache-server-to-a-windows-server.html
  But from what I know about Active Directory Certificate Services, there are all kinds of templates for various uses (disk encryption, email, code signing, etc.), presumably not interchangeable.
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  So you want to export the existing wildcard certificate from a non-Windows system and import it to the Exchange server, correct?
  The article shows that openssl will create a PFX (PKCS#12) file - so this should work.
  I would not worry about templates. If the existing certificate is a SSL certificate (Extended Key Usage = Server Authentication) it should be OK.
  From "PKI Best Practices" perspective / "what a certificate actually is intended to be" it would be better to have a dedicated certificate including all the Subject Alternative Names needed by Exchange - but I know there are limitations to a certain number
  of names by public CAs. But theoretically if you ever wanted to revoke this wildcard certificate you would get into troubles as the same certificate is on very different systems.
  Elke

• Can't get Mail to recognize Thawte certificate for signing and encrypting

  I got a certificate from Thawte and double clicked on the p12 file. This installed the certificate in the login section of the Keychain. I read in several places that it must be in the X509Anchors chain in order to work. However, whenever I try to import it or copy it there I can't get past the authentication screen. I give it the password to decrypt the p12 file and that works, but then it asks for a password for the X509Anchors keychain. I'm giving it my login password, but that doesn't work. What am I doing wrong?

  You shouldn't have to do anything with the X509Anchors keychain. The X509Anchors keychain contains certificate authority (CA) certificates, i.e., certificates associated with CA's that sign certificates. In it you'll find various CA certificates for thawte among others.
  After you've successfully imported your thawte cert into your login chain, restart mail (I don't think you need to restart keychain access, but it wouldn't hurt).
  Now when you compose a message, you should see encrypt and sign buttons to the right and below the subject line. This of course assumes the email address configured in mail is the same as the one in the thawte certificate.

• Why do BT use an invalid certificate for signing e...

  Hello BT mods,
  In your online guides on setting up email, the instructions advise specifying the outgoing mail server as mail.btinternet.com, with SSL enabled. However, the certificate used to sign the connection is invalid! (This is because of a host name mismatch due to using a yahoo certificate) 
  This is pretty bad practise and doesn't help non-technical people understand online security! Is this mismatch going to get rectified, or do BT simply plan to tell customers to trust an invalid certificate?
  Cheers,
  --jenger

  See point 12 right at the end, the screenshot shows SSL ticked.
  http://bt.custhelp.com/app/answers/detail/a_id/996​0/kw/mail%20setup%20os%20x/related/1
  Looking at it again, point 11 shows to leave outgoing SSL unticked, which is not how I remember it from earlier in the week - not sure if this has been updated since I reported it by phone or not, I remember the previous point as including a tick for SSL enabled as well though.
  Incidentally, it would appear to work with outgoing SSL both enabled and disabled - I'd been running with SSL enabled for years, TBH this only came to light after I had problems sending email at the beginning of the week.
  I did call the helpdesk, which was A Bad Idea, as I not only got conflicting info from two different reps, but the first one managed to delete all the historical mail in my inbox, thanks for that! My own fault really, I should have known better than to let someone onto my computer with GotoAssist!  (And to be fair, the second guy I spoke to was actually really good, knew what he was talking about and everything. Just a shame my mail had already been deleted by then!)
  These forums are a MUCH better resource! )

• Cheepest certificate for signing applets

  Hello,
  I just would like to make disappear the message "Java Applet Window" from my frame applets.
  Is there any free certificate available for that? If not, can somebody point me to the place where I can purchase the cheepest certificate?
  Thanks for helping.

  If you're using Plug-in 1.3.1, do a:
  keytool -list -v -keystore "\Program Files\javasoft\jre\1.3.1\lib\security\cacerts"
  to list all the CA certificates that get installed with the Plug-in. You probably don't want to stray from this list no matter how cheap the certificate because then you'd have to have your users import it into their cacerts file.
  From this list, I only looked at VeriSign and Thawte. I believe VeriSign was US$400 and Thawte was US$200, but it's been a while.

• Best practices on using OLM for sign-off on compliance policies?

  We are working on a project to build a parent/child learning object that will include four compliance policies and a "test" to sign off acceptance of these policies as a condition of employment. Has anyone implemented something like this? If so - can you please share some best practices around this type of implementation. Our plan is to build a learning certification.
  We are also interesting in looking into how to automate the assignment of the learning certification to all new hires. Any info here would also be appreciated.
  Thanks - Juli

  We use 11.5.10j...One thing I would recommend is creating an introductory module as child object to the certification, and a concluding module as child object as well.
  In the learning objects I have done where a parent/child relationship exists, the introductory module is important for several reasons, including instructing learners about how to expand the OLM Player outline on the left to move to the next module (in 11.5.10j, at least, it doesn't expand automatically so the general population is not going to understand they need to expand and move to the next module. You might try to tell people to do that independently of the course but we've found it's best to put as part of the course.) The introductory module also includes things like objectives, expected duration, completion requirements, audience, etc.
  As for the concluding module, I include a concluding module to instruct people that they have reached the end and provide a screenshot of the OLM Player "Home" button to instruct them to return to the OLM home page. Using the OLM "Home" button circumvents issues with popup blockers suppressing the passing of completion information back to OLM when exiting using the IE exit button and is generally a cleaner way to exit the course. Again, instructions might be provided independent of the learning object but most will not pay attention to those. There is a patch to test for the presence of popup blockers and alert the user so that there might be less need for a concluding module to do this but we have not been able to implement this yet due to problems caused after it was applied.

• Haven't received certificates for signing up for best buy credit card

  I had received an email on 2/20/14 stating that if I signed up for a best buy credit card before 3/19 and spent $500 I within 3 months, I would receive $50 in certificates. Called customer service and they can't find the promo. I received an email from randy and sent back a screen capture of the promo to the [email protected] email address. Haven't heard back from anyone.
  Can someone help resolve this matter?

  Good morning fatstooge,
  I am familiar with the promotion in-question, as we have offered it several times in the past.  To my knowledge, if you signed up for the My Best Buy™ MasterCard via the email you received and spent $500 within the first 90 days, then you should have qualified for a $50 certificate.  These bonus certificates, being the promotion is offered through Citibank, are usually added to all eligible members' accounts at once, which would take place about 2 to 3 months after the promotion ended.
  While looking through your account, I did notice that you have an open case with our Account Maintenance department.  I fully trust that they will be able to answer your questions; however, I am going to send you a private message to see if there is perhaps anything I can do to help.  You can check your private messages by logging into the forum and clicking on the yellow envelope icon located at the top of the page.
  Thank you for posting to the forum!
  Derek|Social Media Specialist | Best Buy® Corporate
   Private Message

• Update Secure Certificate for Mail (Identification and Encryption)

  Hello...
  Can you help?
  I have several email addresses; all of which have valid secure certificates (stored by default automatically in Key Chain).
  Whereas previously the certificates did not feature my name, new ones have been issued which do.
  So... my question is as follows:
  How do I point Mail to use the new certificates that have my name engrained within, opposed to the older ones which do not?
  Thank you, in advance.
  A

  Hi ... I have been struggling with exactly this point, too. Try out the new Leopard feature called "New preferred Identity". For this open keychain, go to my certificates and control-click on each certificate individually as choose "new preferred identity". Here you can type the e-mail address and choose one of your certificates to be used "preferably". This is the official Apple way of doing it and you may read further information in the support section. Please let me know if it works with you!
  In any case, it hasn't worked for me. I had to delete all old certificates for the same e-mail address and keep only the most recent one with my real-life name in it (you can delete right in keychain). After restart mail.app only uses the new certificate for signing e-mails.
  You would expect that deleting the old certificate destroys your ability to read the older encrypted e-mails. But the good news is that everytime you open an e-mail with your old certificate mail.app will add the old certificate back to keychain and you can again read your encrypted e-mails which used the 'public' key from the old certificate. Although mail.app will add the old certificates again it will continue to use the new certificate. I call this a work-around because really the "new identity preference" should have worked.
  I hope I helped you.
  Valentin.

• Pix vpn tunnel using certificates problem

  hi
  I have set up a small network at home to practice a branch office
  pix 501 obtaining a digital certificate from a windows 2000 server
  which is located on a dmz on a pix 515 over an encrypted tunnel
  the tunnel is initually set up using pre-shared keys and once the
  branch pix has its certificate altering the configs on both pix's
  to use certificates for authentication,but have run into a problem
  i have included an attachment to explain how i went about it and
  the problem i have encounterd
  would appreciate it if someone could take a look and tell me where
  the problem lies
  regards
  melvyn brown

  I am having the same issues with small business server 2003. VPN from the iTouch works fine, but it will not sync with contacts,mail and calendar.
  The Apple Store Genius bar was of no help. Generally their pretty good. I believe this will be NEW turf for the folks at Apple.

• Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access does the Remote Desktop Connection use the self signed certificate for RDP instead of the SSL certificate I installed when I set up access anywhere?

  Scenario:
  Windows Server 2012 R2 Essentials
  I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere access to use that new SSL Cert. I to rebooted the server and I am able to login to Anywhere Access vis https (using the SSL certificate) from PC, Mac and iOS.
  So far so good.
  The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get
  a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
  The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local  instead of the SSL Certificate I installed, which is
  remote.acmedomain.com
  If I lick to accept, RDP does work fine, it;s just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
  My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

  Because....
  the server does not have a 'trusted' certificate assigned to it.
  Only the RDP Gateway has the trusted certificate for the external name.
  If you want to remove that error, you have to do one of the following:
  Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
  So, something like,
  server.domain.publicdomain.com
  Or,
  Install that certificate on your remote computer so it is trusted.
  Robert Pearman SBS MVP
  itauthority.co.uk |
  Title(Required)
  Facebook |
  Twitter |
  Linked in |
  Google+

• Using a Code Signing Certificate for download on Azure

  Currently, I have a hosted web application and Web API on a VM that I use to allow users to download an executable file that is signed with a Code Signing certificate. My question is how would I do the same thing with a Web Role or Cloud Service?  The
  goal is to move to PAAS in Azure with our web application.
  Thanks for any help in advance.

  I appreciate the link to the article, but I don't need an SSL certificate, I need a code signing certificate.  I'm afraid this post does not help me at all.  What I need is a certificate to sign my downloadable applications with.  I have
  an .exe file that users can download, and I need those people to know my code can be trusted, which is why I need the code signing certificate.  My problem is how do I utilize this with a Web Role or Cloud Service?