B2B-51125:  No certificate to sign

I have created a keystore with a private certificate, imported the TP certificate and did the AS2 setup in Oracle B2B. While trying to send a document over AS2 to the TP, I am getting the below error.
B2B-51125:  No certificate to sign
Can someone please give some ideas on why would I get this error and how to resolve this.
Here is the log message.
Message
Error -:  B2B-51125:  No certificate to sign
Supplemental Detail
at oracle.tip.b2b.utility.Utility.getCertUsingAlias(Utility.java:1703)
at oracle.tip.b2b.tpa.RepoDataAccessor.addEnvelopeInfo(RepoDataAccessor.java:1742)
at oracle.tip.b2b.tpa.RepoDataAccessor.setDCInfo(RepoDataAccessor.java:898)
at oracle.tip.b2b.tpa.RepoDataAccessor.addToPartyInfo(RepoDataAccessor.java:1048)
at oracle.tip.b2b.tpa.RepoDataAccessor.getAgreementDetails(RepoDataAccessor.java:447)
at oracle.tip.b2b.tpa.TPAProcessor.processTPA(TPAProcessor.java:464)
at oracle.tip.b2b.tpa.TPAProcessor.processOutgoingTPA(TPAProcessor.java:222)
at oracle.tip.b2b.engine.Engine.processOutgoingMessageImpl(Engine.java:1454)
at oracle.tip.b2b.engine.Engine.processOutgoingMessage(Engine.java:801)
at oracle.tip.b2b.engine.Engine.handleMessageEvent(Engine.java:3788)
at oracle.tip.b2b.engine.Engine.processEvents(Engine.java:3205)
at oracle.tip.b2b.engine.ThreadWorkExecutor.processEvent(ThreadWorkExecutor.java:677)
at oracle.tip.b2b.engine.ThreadWorkExecutor.run(ThreadWorkExecutor.java:211)
at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)

The below document lists the error codes and messages.
http://docs.oracle.com/cd/E15586_01/core.1111/e10113/chapter_b2b_messages.htm
It says that the reason for Error code  B2B-51125   is that a certificate to sign the message is not available in the keystore.
B2B-51125: No certificate to sign
Cause: Certificate used to sign the message was not available in the keystore.
Action: Check if the certificate is available in the keystore. 
I have listed the certificates in the keystore and the private key that is used to sign the message is available. It also shows up in the security tab of the TP AS2 Channel setup.
Thanks
Ismail-M.
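One way to carry out the "Check if the certificate is available in the keystore" action quoted above is to test whether the configured alias is a private-key entry with a usable certificate chain. This is an added example, not Oracle B2B code and not part of the original post: the class name is hypothetical, the checks are generic java.security.KeyStore checks rather than B2B's own lookup logic, and it assumes Java 9 or later.

```java
import java.io.Console;
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example (hypothetical class): checks whether a keystore alias can be used for signing. */
public class SigningAliasCheck {

    /** Returns the problems found for the alias; an empty list means none of the checks failed. */
    static List<String> check(KeyStore ks, String alias) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!ks.containsAlias(alias)) {
            problems.add("alias not found; aliases present: " + Collections.list(ks.aliases()));
            return problems;
        }
        // A trusted-certificate entry holds only a public certificate and cannot sign.
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias is a trusted-certificate entry, not a private-key entry");
            return problems;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            problems.add("key entry has no certificate chain");
            return problems;
        }
        if (chain[0] instanceof X509Certificate) {
            X509Certificate cert = (X509Certificate) chain[0];
            try {
                cert.checkValidity(); // expired or not yet valid
            } catch (CertificateException e) {
                problems.add("certificate not currently valid: " + e.getMessage());
            }
            // keyUsage bit 0 is digitalSignature; null means the extension is absent.
            boolean[] keyUsage = cert.getKeyUsage();
            if (keyUsage != null && !keyUsage[0]) {
                problems.add("keyUsage extension present without digitalSignature");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive terminal): SigningAliasCheck <keystore-file> <alias>");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in shell history.
        char[] pass = console.readPassword("Keystore password: ");
        // Java 9+: detects the keystore type (JKS, PKCS12, ...) from the file.
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pass);
        List<String> problems = check(ks, args[1]);
        if (problems.isEmpty()) {
            System.out.println("OK: '" + args[1] + "' is a private-key entry with a valid certificate");
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
            System.exit(1);
        }
    }
}
```

Aliases are matched exactly as stored in the keystore, so the alias passed here should be the same string that is entered in the B2B configuration.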

Similar Messages

  • 'Error while signing data-Private key or certificate of signer not availabl

    Hello All,
    In my message mapping I need to call a web service to which I need to send a field value consist of SIGNED DATA.
    I am using SAP SSF API to read the certificate stored in NWA and Signing the Data as explained in
    http://help.sap.com/saphelp_nw04/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm,
    When I tested using the Test tab of message mapping it worked fine and I was able to access the certificate keystore of NWA (we have created a keystore view and keystore entry to store the certificate) and generate the signed data, but when I test the end-to-end scenario from the ECC system, it fails in mapping with the error
    ' Error while signing data - Private key or certificate of signer not available’.
    Appreciate your expert help to resolve this issue urgently please.
    Regards,
    Shivkumar

    Hi Shivkumar,
    Could you please let me know how you were trying to achieve the XML signature.
    We have a requirement where we have to sign the XML document and need to generate the target document as following structure.
    <Signature>
         <SignedInfo>
             <CanonicalizationMethod />
             <SignatureMethod />
             <Reference>
                     <Transforms>
                     <DigestMethod>
                     <DigestValue>
             </Reference>
        <Reference /> etc.
      </SignedInfo>
      <SignatureValue />
      <KeyInfo />
      <Object>ACTUAL PAYLOAD</Object>
    </Signature>
    I am analyzing the possibility of using the approach that is given in the help sap link that you have posted above. Any inputs will be appreciated.
    Thanks and Regards,
    Sami.

  • Error while signing data-Private key or certificate of signer not available

    Hello All,
    I am new to PI.  I am currently stuck with an issue. The scenario is as explained below.
    We need to check for the service availability before processing the data. So, we test for the RFC connection first from the ECC system. During this process, we access the digital certificate stored in the PI system so that it can be validated and allowed to consume this intended service.
    Error :
    When we trigger the RFC test from the ECC system, we get an error stating ' Error while signing data - Private key or certificate of signer not available '. But when we test the same functionality within the PI system (locally), we do not encounter any such error. The certificate is maintained and it appears fine.
    The communication channels are stored with logon credentials.
    Can anyone please help me with this error or provide your valuable inputs. Thanks in advance.
    Regards,
    Shivkumar

    Hello,
    When we trigger the RFC test from the ECC system, we get an error stating ' Error while signing data - Private key or certificate of signer not available '.
    This should be normal behavior since the certificates are not installed in ECC SSL folders of Strust. Why not just install the certificates in the ECC system, perform an ICM restart and do a retest? After all, the certificates would both be the same in PI and ECC.
    Hope this helps,
    Mark

  • Exchange 2013 don't unassign IIS Services from Certificate Self-Sign

    Hi,
    I imported a new public certificate to Exchange 2013 SP1 and assigned the IIS service, but the IIS service keeps being assigned to the self-signed certificate. Now I have IIS services
    assigned to two certificates (self-signed and public certificate). Has anyone seen this? What do I do now?
    Another question: can I remove the self-signed certificate? Is any service tied to it in Exchange?

    Hi,
    If possible, please provide more parameters (Status, IsSelfSigned, etc.) about the certificate with IIS service:
    Get-ExchangeCertificate -Thumbprint 382E9DCC4CCA38DA488345F7B46114BA91EBB8F0 | FL
    Get-ExchangeCertificate -Thumbprint 86EE0029EBC8FDCC9F98572602E69F65226BAB76 | FL
    Please restart the IIS service by running iisreset /noforce from a command prompt window. If the public certificate is configured correctly and includes all namespaces used for all internal and external Exchange connections, we can remove the self-signed certificate safely.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • 11.0.9 Use certificate for signing

    In version 11.0.8 we could use our MS Lync certificate to sign documents with IntegriSign Desktop.  Now the option to use it for signing is no longer showing.  I can see that something from MS Lync was addressed but not what was actually done.
    3647309: MS Lync certificate appears in the sign dialog box
    Does this stop us from using the Lync certificate from signing a document?

    In Acrobat 11.0.9 there has been a change in the way Acrobat searches for digital certificates. All those certificates available for signing will be available for signing based on some key points in a certificate.
    Check the 11.0.9 release notes thoroughly and you will find that this was an issue: http://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotes/11/11.0.09.html#elevenzerozeronine
    1   Getting Started — Digital Signatures Guide for IT
    Regards,
    Ajlan Huda.

  • Is a truststore needed if the server certificate is signed by a CA?

    I have a server SSL certificate that has been signed by a trusted certificate authority (CA). I'm using a java desktop application to consume web services at that server over ssl/https using Axis 2 (no client certificate authentication). Everything is working fine, but I see code examples using a truststore or keystore (by the way, what is the difference?) and I'm starting to wonder if I need to use this kind of mechanism. Some articles I have read imply that I don't need to use a keystore because the server's certificate is signed by a CA. I've read lately about some man-in-the-middle attacks that involve intercepting https traffic and impersonating the server. Will my solution be vulnerable to this kind of attack if I don't use a keystore? If I simply provide Axis with an https endpoint url of the web services, will my solution be secure? Any help would be appreciated. Thanks.

    SSL provides you with privacy, integrity, and authentication. That is, the messages are encrypted, tamper-evident, and come from an authenticated identity. Whether that's the identity you want to talk to is another question. So the application has to perform the authorization step, i.e. check the identity against what is expected. You do this by getting the peer certificates out of the SSLSession, usually in a HandshakeCompletedListener, and check that the identity of the server is what you expect. SSL can't do this for you as only the application knows who it expects to talk to. Another way around this is to ship a custom truststore that only contains the server certificate for the correct server, so it won't trust anybody else.
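The two approaches described in the answer above (a truststore that contains only the expected server certificate, and an application-level check of the peer certificate taken from the SSLSession) can be combined as follows. This is an added example, not code from the original thread: the class name and command-line arguments are hypothetical, and the check runs right after the handshake rather than in a HandshakeCompletedListener.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical class): trust exactly one server certificate. */
public class PinnedTrustStore {

    /** Reads one X.509 certificate (PEM or DER) from a file. */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Builds an SSLContext whose only trust anchor is the expected server certificate. */
    static SSLContext contextTrustingOnly(X509Certificate server) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty, in-memory truststore
        trustStore.setCertificateEntry("expected-server", server);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default randomness
        return ctx;
    }

    /** Application-level identity check: the peer's leaf certificate must be the expected one. */
    static void requirePeer(SSLSession session, X509Certificate expected) throws Exception {
        Certificate[] peer = session.getPeerCertificates(); // throws if the peer is unauthenticated
        if (!MessageDigest.isEqual(peer[0].getEncoded(), expected.getEncoded())) {
            throw new SSLPeerUnverifiedException("server certificate is not the expected one");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PinnedTrustStore <host> <port> <expected-server-cert-file>");
            System.exit(2);
        }
        X509Certificate expected = loadCert(args[2]);
        SSLContext ctx = contextTrustingOnly(expected);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            socket.startHandshake(); // fails if the server's chain does not end in the pinned cert
            requirePeer(socket.getSession(), expected);
            System.out.println("Handshake OK, peer = " + expected.getSubjectX500Principal());
        }
    }
}
```

A truststore built this way has to be updated whenever the server certificate is renewed, otherwise the handshake fails.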

  • Add intermediate certificate to signed jar

    Is it possible to add an intermediate certificate to a signed jar file?
    The users of my applet are asked to trust the certificate showing the hint that the source is not trusted. The root certificate of my code signing certificate is included in the trusted sources.
    Thanks,
    Reinhard

    I already have a full trusted chain consisting of the root, an intermediate certificate and my code signing certificate. The root is included in Java's trusted roots. But if I sign my jar with my code signing certificate, Java cannot build the trust chain, as it does not have the intermediate certificate. If it were possible to include the intermediate certificate it would work, but apparently this is not possible with jarsigner.

  • Digital Certificates and signing

    I am developing a security application that needs to access the web client certificate store to enable the user, once he chooses to submit his form, to select which certificate to sign with; I need to know how to access in Java the certificate store on the client machine.
    thanks

    You store the certificate on your hard disk and try to read it from a FileInputStream.
    Sample Code
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    public class ReadCert {
        public static void main(String[] args) throws Exception {
            // Load an X.509 certificate (PEM or DER) from disk; the stream is closed automatically
            try (InputStream is = new FileInputStream("/anand/Example_test/test.cer")) {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
                System.out.println("Certificate : algname = " + cert.getSigAlgName());
                System.out.println("Certificate : alg OID = " + cert.getSigAlgOID());
                System.out.println("Certificate : After = " + cert.getNotAfter());
                System.out.println("Certificate : Before = " + cert.getNotBefore());
                System.out.println("Certificate : User DN = " + cert.getSubjectDN().getName());
            }
        }
    }
    Hope this will help
    Rgds,
    Anand

  • Problems with certificate and signed jad

    Hello
    I have a third party jar and jad which is signed as far as I can tell.
    When I run the jad under the phone emulator.exe I get the text below
    Is there something I need to do.
    Perhaps to do with keystores etc.
    I can install the jar and the application runs but keeps asking for permission to open etc.
    Thanks
    Jim
    C:\Java_ME_platform_SDK_3.0_EA\bin>
    C:\Java_ME_platform_SDK_3.0_EA\bin>emulator -Xdescriptor:trekbuddy.jad
    Device name is not set. Using -Xdevice:DefaultCldcPhone1 option.
    Hint: Use -Xquery argument to see all supported devices.
    HTTP server started!
    *** Error ***
    A problem occured during deploying application from http://127.0.0.1:49813/trekb
    uddy.jad
    * Reason:
    The content provider certificate issuer C=ZA;ST=Western Cape;L=Cape Town;O=Thawt
    e Consulting cc;OU=Certification Services Division;CN=Thawte Premium Server CA;E
    mailAddress=[email protected] is unknown.
    C:\Java_ME_platform_SDK_3.0_EA\bin>

    I got the Thawte certificates and after loading just about every one it stopped complaining about the issuer.
    However, it then started on about not being authorized for the API.
    So I gave up in disgust and went back to the 2.xx toolkit.
    This worked out the box.
    Jim

  • Adobe 6.0 Standard  - reissue of signing certificate for signing

    I have a problem where an employee re-applied for their PKI (Private Key Identifier) used for signing. They were having problems with their card and needed a new one.
    Now all of the old documents that were once certified and signed, Adobe says under Signature Properties: Document certification is INVALID
    - The document has not been modified since it was certified
    - The signer's identity is invalid because the signers Certificate has been revoked
    How do I handle lost or stolen PKI cards, or employees who have left the company. We handle all certificate authentication internally. What becomes of all the old documents that no longer have valid signatures? Is there a way to recognize the old certificates as valid?

    Possibly when applying for the PKI again you have the choice of
    whether the old one is revoked. If, for instance, it is based on a
    password that has been exposed, or a hardware card that is lost, it is
    very important that ALL documents be revoked, because there is no way
    to tell the difference between those validly signed, and those later
    fraudulently signed.
    Hopefully someone else will have more specific advice for this case.
    Aandi Inston

  • Why do BT use an invalid certificate for signing e...

    Hello BT mods,
    In your online guides on setting up email, the instructions advise specifying the outgoing mail server as mail.btinternet.com, with SSL enabled. However, the certificate used to sign the connection is invalid! (This is because of a host name mismatch due to using a yahoo certificate) 
    This is pretty bad practise and doesn't help non-technical people understand online security! Is this mismatch going to get rectified, or do BT simply plan to tell customers to trust an invalid certificate?
    Cheers,
    --jenger

    See point 12 right at the end, the screenshot shows SSL ticked.
    http://bt.custhelp.com/app/answers/detail/a_id/9960/kw/mail%20setup%20os%20x/related/1
    Looking at it again, point 11 shows to leave outgoing SSL unticked, which is not how I remember it from earlier in the week - not sure if this has been updated since I reported it by phone or not, I remember the previous point as including a tick for SSL enabled as well though.
    Incidentally, it would appear to work with outgoing SSL both enabled and disabled - I'd been running with SSL enabled for years, TBH this only came to light after I had problems sending email at the beginning of the week.
    I did call the helpdesk, which was A Bad Idea, as I not only got conflicting info from two different reps, but the first one managed to delete all the historical mail in my inbox, thanks for that! My own fault really, I should have known better than to let someone onto my computer with GotoAssist!  (And to be fair, the second guy I spoke to was actually really good, knew what he was talking about and everything. Just a shame my mail had already been deleted by then!)
    These forums are a MUCH better resource! )

  • How to filter list of digital certificates for signing PDF

    Is it possible to change the configuration of Reader installation to filter the list of installed certificates that can be used for digitally signing documents?
    The filtered list will appear when users attempt to select a certificate for digitally signing a document.
    Thanks.

    Hi Carla,
    Unfortunately, Extended Key Usage is not one of the properties you can enforce.
    The things you can set are:
    appearanceFilter (i.e. enforce the use of a custom signature appearance)
    certspec (i.e. the signing certificate must meet some specific criteria)  <<<----- This is what you are more interested in, more below
    digestMethod (i.e. enforce the use of a specific cryptographic hashing algorithm)
    filter (i.e. enforce the use of a specific security handler if you want to use something other than the one built into Acrobat)
    legalAttestations (i.e. enforce the reason or purpose of the certifying signature)
    lockDocument (i.e. enforce any further changes to the document after the signature is applied)
    mdp (i.e. the rules for changing the document applied as part of a certifying signature)
    reasons (i.e. a list of one or more reasons the signer can use, as opposed to them adding their own)
    shouldAddRevInfo (i.e. force the inclusion on the revocation information (CRL or OCSP response) in the PDF file)
    subFilter (i.e. require the use of a specific signature format. This is very arcane)
    timeStampspec (i.e. require the use of a specific time stamp server)
    version (i.e. the minimum version of Acrobat that can decipher the signature. The only two options are versions 6 or 8)
    The second item is the certspec, and this is what I've been pointing you towards. For the sake of discussion, think of everything you can read in a certificate as an extension. The serial number is an extension, the subject is an extension, the valid from date is an extension, etc. When a certificate is created, some of these extensions are required, others optional, and you can even add in extensions that are not publicly defined, and only you will know about.
    Acrobat has the ability to enforce the signer to use a certificate that contains some, but not all of the known extensions. The extensions it can enforce are:
    issuer (i.e. require the use of a certificate that is issued by a specific Certificate Authority)
    keyUsage (i.e. require the signers certificate contain one or more of the nine possible values that can be included)
    oid (i.e. require that the Certificate Policy extension contain a specific value)
    subject (i.e. require that the document is signed by one specific person using one specific digital ID)
    subjectDN (i.e. require that the document is signed by one specific person, but they get to choose which digital ID to use)
    url (i.e. if a required digital ID is not available, where the signer can procure an acceptable digital ID)
    urlType (i.e. if the user is directed to the URL, should it be a web server where they can download a digital ID or a remote signing server where the digital ID stays on the remote server)
    That's it. If it's not one of these items then Acrobat cannot enforce that the item is available. Extended Key Usage is not on the list.
    Steve

  • Haven't received certificates for signing up for best buy credit card

    I had received an email on 2/20/14 stating that if I signed up for a best buy credit card before 3/19 and spent $500 within 3 months, I would receive $50 in certificates. Called customer service and they can't find the promo. I received an email from randy and sent back a screen capture of the promo to the [email protected] email address. Haven't heard back from anyone.
    Can someone help resolve this matter?

    Good morning fatstooge,
    I am familiar with the promotion in-question, as we have offered it several times in the past.  To my knowledge, if you signed up for the My Best Buy™ MasterCard via the email you received and spent $500 within the first 90 days, then you should have qualified for a $50 certificate.  These bonus certificates, being the promotion is offered through Citibank, are usually added to all eligible members' accounts at once, which would take place about 2 to 3 months after the promotion ended.
    While looking through your account, I did notice that you have an open case with our Account Maintenance department.  I fully trust that they will be able to answer your questions; however, I am going to send you a private message to see if there is perhaps anything I can do to help.  You can check your private messages by logging into the forum and clicking on the yellow envelope icon located at the top of the page.
    Thank you for posting to the forum!
    Derek|Social Media Specialist | Best Buy® Corporate

  • SA520W: difficulty getting self certificate request signed by trusted 3rd party

    Please forgive me if this is a dumb question or if I am fundamentally confused, but I have pored over the manual, forum, and web.  Very simply I need a trusted third party to sign my CSR and then for the SA520W to accept it as the active self certificate.  In principle this is straightforward but I cannot figure out how to make this work in practice.  Two examples.
    1) GoDaddy:  they require a 2048 bit signature and the router only generates 1024.  I can generate my own CSR with OpenSSL but then am unable to upload my 2048 bit key to the router, and thus the signed certificate is not accepted
    2)  Verisign.  They will take the router's 1024 bit signature, but they require lots of fields in the CSR, like country and state, that are not supported by the router's generate CSR function.  Thus Verisign will not accept the CSR.
    Is there any way to get the router to accept a CSR signed by GoDaddy?  Or any CA?
    Thanks in advance.
    Andy

    Sorry to dredge up an old thread, but I've been trying to get this to work for the last three weeks also.
    The firmware supports a 2048 bit key, so that's not the issue.
    I entered all the information that the registrar wanted into the CN field, in the correct format.
    The registrar has accepted the CSR and generated the certificate, and returned it to me.
    I'm using a Geotrust quickSSL certificate.
    Now, the issue is that I can't upload the certificate. If I try and load it, I get the error;
    "No trusted certificate found, Can't Upload Self Certificate"
    So, I'm guessing it is a chaining issue. I go to http://www.geotrust.com/resources/root-certificates/
    I download the Root 1  "Download - Equifax Secure Certificate Authority (Base-64 encoded X.509) Right Click, Save As"
    and then I try to add it to the SA520 as a trusted certificate...
    "Added Trusted Certificate"
    Now I try adding my signed certificate again, and get the error;
    "No trusted certificate found, Can't Upload Self Certificate"
    So we're still missing something (intermediate certificate(?)), so I try adding the next one in the list;
    I download Root 2 "Download - GeoTrust Global CA (Base-64 encoded X.509) Right Click, Save As"
    and try to add it to the SA520 as a trusted certificate...
    "Cannot Add Trusted Certificate"
    So I try the next one...
    I download Root 3 "Download - GeoTrust Primary CA (.pem file) Right Click, Save As"
    and then I try to add it to the SA520 as a trusted certificate...
    "Added Trusted Certificate"
    So, once again, I try my signed certificate and get the same error;
    "No trusted certificate found, Can't Upload Self Certificate"
    So I give up on the Cisco, and go to a Mac which has great keychain management.
    I open my signed certificate on the mac, and see it is issued by "GeoTrust DV SSL CA"
    Hang on, that's the "Root 2" certificate above that wouldn't load. I try add the Root 2 again, but I get the same error
    So I contact Geotrust and get them to send me the DV SSL CA file, which I upload successfully.
    Now, I have three trusted Certificates from Geotrust loaded.
    Trusted Certificates (CA Certificate)
    CA Identity (Subject Name) | Issuer Name | Expiry Time
    C=US, O=GeoTrust Inc., CN=GeoTrust Global CA | C=US, O=GeoTrust Inc., CN=GeoTrust Global CA | May 21 04:00:00 2022 GMT
    C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA | C=US, O=GeoTrust Inc., CN=GeoTrust Global CA | Feb 25 21:32:31 2020 GMT
    C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority | C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority | Jul 16 23:59:59 2036 GMT
    So I try once again to upload my signed certificate, and once again, I get:
    "No trusted certificate found, Can't Upload Self Certificate"
    So, the question is, WHAT is going on? Has anyone at Cisco managed to load a GeoTrust certificate into this device, if so, step by step, HOW?
    Thanks !

  • Can't choose existing certificate to sign/decrypt email after profile installed

    After playing with the iPhone Configuration Utility:
    After a profile is installed, I can't choose an existing S/MIME sign/encrypt certificate inside the phone. But it is OK if I configure it manually on the iPhone.
    Is there any purpose for this? Is there any way to let the user choose a certificate after a profile is installed?

    I just thought I would put myself on this discussion, since I can't find anything to "fix" this problem. It seems to work for some people, but not others...
    I have everything set up the same way as nebbbben. Server is set up, certificate installed, VPP set up, and everything works great for some of my users.
    For about half of my users- I can send out invites, they will click on the invite and login to the App Store, but they will never show up in Profile Manager as registered for VPP on the Mac Server. For those that do- pushing apps is easy and transparent, although there is as much as a half-hour time delay. For those that can't get registered, no matter how many invites I send them, there isn't any way to distribute the apps. It's very frustrating, and the only "answers" I can find just say it should "just work."
    I'm assigning apps to the users specifically, not to groups. I have no doubt it would work fine if the Server/VPP ever showed they were registered. The invite system seems to be hit-and-miss.
    I'm wondering if there is a command-line hack or some other setting that can be changed to reset their App Store settings to try again?
