Can't Export a Certificate with the Private Key

Similar Messages

• Out-of-range security question: Export a certificate with the private key

  Hi Forumers'
  As above title mention, if we doing PKI, we sure will get invovle with Certificate.
  The moment i doing WLC and ACS express appliance, where the appliances is not coming with generate CSR feature...So we use openSSL for it.
  To clear my curiousity, Why we need to export the certifiate wit the private key? Itsn't the private key cannot publish to the public ??
  Thanks
  Noel

  Because both appliances are acting as a server, and you would need to have the private key on the server. However, you don't give the private key to all the clients for sure as you mentioned you only need to provide public key to the client, not the private key. Private key should only be kept on the server, and in this case both appliances are the server.

• Problems with the private key at email signing

  Error when running the app: org.bouncycastle.cms.CMSStreamException: Inappropriate key for signature.
  I'm trying to sign an email with a smart card using Java, mime type multipart / signed, when I do a debug the code without saving the
  message or without sending, there is no error or warning, or exception. But when I save or send the message out, I'm getting errors,
  inappropriate key .
  When I save the message:
  body.writeTo(new FileOutputStream("signed.message"));
  Whe I send the message:
  Transport.send(body);
  The error:
  Exception in thread "main" org.bouncycastle.cms.CMSStreamException: key inappropriate for signature.
  at org.bouncycastle.cms.CMSSignedDataStreamGenerator$CmsSignedDataOutputStream.close(Unknown Source)
  at org.bouncycastle.mail.smime.SMIMESignedGenerator$ContentSigner.write(Unknown Source)
  at org.bouncycastle.mail.smime.handlers.PKCS7ContentHandler.writeTo(Unknown Source)
  at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:869)
  at javax.activation.DataHandler.writeTo(DataHandler.java:302)
  at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1383)
  at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:852)
  at org.bouncycastle.mail.smime.handlers.multipart_signed.outputBodyPart(Unknown Source)
  at org.bouncycastle.mail.smime.handlers.multipart_signed.outputBodyPart(Unknown Source)
  at org.bouncycastle.mail.smime.handlers.multipart_signed.writeTo(Unknown Source)
  at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:869)
  at javax.activation.DataHandler.writeTo(DataHandler.java:302)
  at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1383)
  at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1743)
  at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1719)
  at javaemail.SignedMultipartEmailTest.main(SignedMultipartEmailTest.java:537)
  Caused by: java.security.InvalidKeyException: Supplied key (sun.security.mscapi.RSAPrivateKey) is not a RSAPrivateKey instance
  at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)
  at java.security.SignatureSpi.engineInitSign(SignatureSpi.java:86)
  at java.security.Signature$Delegate.engineInitSign(Signature.java:1104)
  at java.security.Signature.initSign(Signature.java:498)
  at org.bouncycastle.cms.CMSSignedDataStreamGenerator$SignerInf.toSignerInfo(Unknown Source)
  ... 16 more
  Java Result: 1
  BUILD SUCCESSFUL
  In the code:
  PrivateKey key = (PrivateKey)keyStore.getKey(aliasNm, null);
  gen.addSigner(key, signCert, SMIMESignedGenerator.DIGEST_SHA1, new AttributeTable(signedAttrs), null);
  where key is the private key of the alias from signature certificate at smart card of type RSAPrivateKey type, according to the debugger
  but according to the javadoc returns Type Key but is forced to type PrivateKey which extends to the other.
  This line is like a example which I'm using, is a bouncy castle example, but with generated certificates, I changed to use certificates
  from smarct card.
  signCert is the certificate associated with key , certificate of SIGNATURE from smartcard.
  At the debugger:
  In the method keyStore.getKey() I'm using null instead of char[] password because is using the windows certificate store which store the
  certificates at the smart card and is getting the PIN with PIN dialogue, and is loading the keystore perfectly and I'm getting the
  certificates from smart card.
  I tried to use:
  PrivateKey key = (PrivateKey)keyStore.getKey(aliasNm, PIN_FROM_SMARTCARD);
  And I'm getting the same value when I use null.
  The value at the debugger is:
  (java.security.PrivateKey) (sun.security.mscapi.RSAPrivateKey) RSAPrivateKey [size=2048 bits, type=Signature,
  container=hexadecimal_number](the same hexadecimal number in both cases)
  Obviously we can see in the error:
  Caused by: java.security.InvalidKeyException: Supplied key (sun.security.mscapi.RSAPrivateKey) is not a RSAPrivateKey instance
  And we can see too:
  RSAPrivateKey de 2048 bits
  at the debugger, in the key value.
  I can't understand why I'm getting the error only when the message is saved, or sended.
  If the key was inappropriate I would receive an error, or an exception when I'm not sending or saving the message.
  These are one, of the last lines of the code that I'm hidding with //
  When I save the message:
  //body.writeTo(new FileOutputStream("signed.message"));
  Whe I send the message:
  //Transport.send(body);
  If I uncomment one of these lines, I'm receiving the errors, previously written above
  Any suggestion?
  Than you
  Regards

  Try to reset the device by pressing hold of the home and power button for 15-20 seconds and letting of when the Apple logo appears.

• Can you export your files with the Trial Version??

  I've been into the help section, and it says to go to Share and then export ect ect, but when I clicked share, I can't click any of the options (theyre that light grey). I REALLY need to be able to export with this trial version I have, and soon. Please help!!

  Click in the timeline window to make sure it is the active windqw. The most common cause for grayed out share menu options is if you have the browser as the active window.

• Can I export Quicktime movies with the same quality/compression as DVD

  I would like to export iMovie HD 6 projects as quicktime movies of about the same size, compresson level and quality as I get with iDVD. I would like to watch them on my macbook, but don't want the dvd interface. My attempts have tended to produce something close to full quality that requires too much disk space (10 to 12 G per hour) or tiny, overly compressed videos that only an ipod could love. Does anyone know how to set the custom settings to get this?

  if your projects are Standard (=not HiDef), the iPhone preset in the export options work good for my standards..
  or..
  Export with Quicktime/Options... h264, original res of your project.. ='small' and good looking..

• How Can I Export A Table With Its Entries ( values )

  Hi guys,
  How can i export a table with the entries that the table is populated with ??!!
  Best Regards,
  Fateh

  To export a table and its data you can do it a number of ways.. Do you have access to SQL Developer? If not you can do it through the APEX SQL Workshop..
  Under SQL Workshop, Utilities, Data Unload, To text (or XML, whichever you are more comfortable with..).. Select your schema, click next button, select the table, click next, select the columns you want exported (select ALL ITEMS in the select List), click next, on optionally enclosed by I usually enter a " (Sometimes I have long strings in columns), click the include column names checkbox to get the column names at the top of the document, click unload data button..
  To get the ddl (code to build table) Sql Workshop, utilities, generate ddl, create script, select schema, select next, click table checkbox, select next, click the checkbox of table you want to get ddl for...
  Thank you,
  Tony Miller
  Webster, TX
  There are two kinds of pedestrians -- the quick and the dead.
  If this question is answered, please mark the thread as closed and assign points where earned..

• HT5012 Can I install two root certificates with the same name in iPad?

  Can I install two root certificates with the same name in iPad?

  Antaeus00 wrote:
  I tried sending a request for help,
  But did you succeeed in sending a request for help?
  Did you receive a response? How long has it been since you sent a request?
  but I need someone with more authority to talk to.
  There is no one with more authority than iTunes store support. We herem are only users.

• Can I create a cert with the Java API only?

  I'm building a client/server app that will use SSL and client certs for authenticating the client to the server. I'd like for each user to be able to create a keypair and an associated self-signed cert that they can provide to the server through some other means, to be included in the server's trust store.
  I know how to generate a key pair with an associated self-signed cert via keytool, but I'd prefer to do it directly with the Java APIs. From looking at the Javadocs, I can see how to generate a keypair and how to generate a cert object using an encoded representation of the cert ( e.g. java.security.cert.CertificateFactory.generateCertififcate() ).
  But how can I create this encoded representation of the certificate that I need to provide to generateCertificate()? I could do it with keytool and export the cert to a file, but is there no Java API that can accomplish the same thing?
  I want to avoid having the user use keytool. Perhaps I can execute the appropriate keytool command from the java code, using Runtime.exec(), but again a pure java API approach would be better. Is there a way to do this all with Java? If not, is executing keytool via Runtime.exec() the best approach?

  There is no solution available with the JDK. It's rather deficient wrt certificate management, as java.security.cert.CertificateFactory is a factory that only deals in re-treads. That is, it doesn't really create certs. Rather it converts a DER encoded byte stream into a Java Certificate object.
  I found two ways to create a certificate from scratch. The first one is an all Java implementation of what keytool does. The second is to use Runtime.exec(), which you don't want to do.
  1. Use BouncyCastle, a free open source cryptography library that you can find here: http://www.bouncycastle.org/ There are examples in the documentation that show you how to do just about anything you want to do. I chose not to use it, because my need was satisfied with a lighter approach, and I didn't want to add a dependency unnecessarily. Also Bouncy Castle requires you to use a distinct version with each version of the JDK. So if I wanted my app to work with JDK 1.4 or later, I would have to actually create three different versions, each bundled with the version of BouncyCastle that matches the version of the target JDK.
  2. I created my cert by using Runtime.exec() to invoke the keytool program, which you say you don't want to do. This seemed like a hack to me, so I tried to avoid it; but actually I think it was the better choice for me, and I've been happy with how it works. It may have some backward compatibility issues. I tested it on Windows XP and Mac 10.4.9 with JDK 1.6. Some keytool arguments changed with JDK versions, but I think they maintained backward compatibility. I haven't checked it, and I don't know if I'm using the later or earlier version of the keytool arguments.
  Here's my code.
  import java.io.File;
  import java.io.FileInputStream;
  import java.io.FileOutputStream;
  import java.io.IOException;
  import java.security.KeyStore;
  import java.security.KeyStoreException;
  import java.security.NoSuchAlgorithmException;
  import java.security.cert.CertificateException;
  import javax.security.auth.x500.X500Principal;
  import javax.swing.JOptionPane;
  public class CreateCertDemo {
       private static void createKey() throws IOException,
        KeyStoreException, NoSuchAlgorithmException, CertificateException{
       X500Principal principal;
       String storeName = ".keystore";
       String alias = "keyAlias";
       principal = PrincipalInfo.getInstance().getPrincipal();
       String validity = "10000";
       String[] cmd = new String[]{ "keytool", "-genKey", "-alias", alias, "-keyalg", "RSA",
          "-sigalg", "SHA256WithRSA", "-dname", principal.getName(), "-validity",
          validity, "-keypass", "keyPassword", "-keystore",
          storeName, "-storepass", "storePassword"};
       int result = doExecCommand(cmd);
       if (result != 0){
            String msg = "An error occured while trying to generate\n" +
                                "the private key. The error code returned by\n" +
                                "the keytool command was " + result + ".";
            JOptionPane.showMessageDialog(null, msg, "Key Generation Error", JOptionPane.WARNING_MESSAGE);
       KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
       ks.load(new FileInputStream(storeName), "storePassword".toCharArray());
          //return ks from the method if needed
  public static int doExecCommand(String[] cmd) throws IOException{
            Runtime r = Runtime.getRuntime();
            Process p = null;
            p = r.exec(cmd);
            FileOutputStream outFos = null;
            FileOutputStream errFos = null;
            File out = new File("keytool_exe.out");
            out.createNewFile();
            File err = new File("keytool_exe.err");
            err.createNewFile();
            outFos = new FileOutputStream(out);
            errFos = new FileOutputStream(err);
            StreamSink outSink = new StreamSink(p.getInputStream(),"Output", outFos );
            StreamSink errSink = new StreamSink(p.getErrorStream(),"Error", errFos );
            outSink.start();
            errSink.start();
            int exitVal = 0;;
            try {
                 exitVal = p.waitFor();
            } catch (InterruptedException e) {
                 return -100;
            System.out.println (exitVal==0 ?  "certificate created" :
                 "A problem occured during certificate creation");
            outFos.flush();
            outFos.close();
            errFos.flush();
            errFos.close();
            out.delete();
            err.delete();
            return exitVal;
       public static void main (String[] args) throws
            KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException{
            createKey();
  import java.io.BufferedReader;
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.InputStreamReader;
  import java.io.OutputStream;
  import java.io.PrintWriter;
  //Adapted from Mike Daconta's StreamGobbler at
  //http://www.javaworld.com/javaworld/jw-12-2000/jw-1229-traps.html?page=4
  public class StreamSink extends Thread
      InputStream is;
      String type;
      OutputStream os;
      public StreamSink(InputStream is, String type)
          this(is, type, null);
      public StreamSink(InputStream is, String type, OutputStream redirect)
          this.is = is;
          this.type = type;
          this.os = redirect;
      public void run()
          try
              PrintWriter pw = null;
              if (os != null)
                  pw = new PrintWriter(os);
              InputStreamReader isr = new InputStreamReader(is);
              BufferedReader br = new BufferedReader(isr);
              String line=null;
              while ( (line = br.readLine()) != null)
                  if (pw != null)
                      pw.println(line);
                  System.out.println(type + ">" + line);   
              if (pw != null)
                  pw.flush();
          } catch (IOException ioe)
              ioe.printStackTrace(); 
  import java.io.File;
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.FileOutputStream;
  import java.io.IOException;
  import javax.security.auth.x500.X500Principal;
  public class PrincipalInfo {
       private static String defInfoString = "CN=Name, O=Organization";
       //make it a singleton.
       private static class PrincipalInfoHolder{
            private static PrincipalInfo instance = new PrincipalInfo();
       public static PrincipalInfo getInstance(){
            return PrincipalInfoHolder.instance;
       private PrincipalInfo(){
       public X500Principal getPrincipal(){
            String fileName = "principal.der";
            File file = new File(fileName);
            if (file.exists()){
                 try {
                      return new X500Principal(new FileInputStream(file));
                 } catch (FileNotFoundException e) {
                      // TODO Auto-generated catch block
                      e.printStackTrace();
                      return null;
            }else{
                 return new X500Principal(defInfoString);
       public void savePrincipal(X500Principal p) throws IOException{
            FileOutputStream fos = new FileOutputStream("principal.der");
            fos.write(p.getEncoded());
            fos.close();
  }Message was edited by:
  MidnightJava
  Message was edited by:
  MidnightJava

• Integrating Exchange 2013 & Lync Server 2013: can't use a certificate with Seth-AuthConfig

  I'm trying to integrate Exchange and Lyn Server. One of the first steps is to bind a correct certificate to IIS on all of the CAS servers and set it as a main certificate in the global AuthConfig object. The certificate must be the same on all of the
  CAS servers because the autodiscover.domain.local DNS record points to all of them, and Lync Server uses this FQDN to access Exchange servers. The thumbprint of this certificate must be specified in Set-AuthConfig command run on an Exchange server.
  We have an internal enterprise CA. I generated a certificate on one of the CAS servers and bound it to all of the Exchange services. Then I exported it, imported it on the second CAS server and bound it to all of the services as well. Now Exchange correctly uses
  it for OWA, for example, and IE gives no security warnings when I connect to OWA.
  However, whenever I run Set-AuthConfig command on any server, it keeps telling me that
  The certificate with thumbprint XXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyNotAccessible).
  The key IS accessible - I can export the certificate along with its private key. What's wrong?

  Here's the answer.
  It seems that the -Server switch in the Set-AuthConfig command is only used to specify where you want to look for the certificate with the given thumbprint. However, it's impossible to predict which Exchange server will actually perform the operation
  (the Server switch doesn't influence it a bit). It could be ANY server, even a mailbox one with no CAS role at all. And, of course, another Exchange server has no access to the certificate store of the CAS server where the certificate is actually stored. It
  was exactly the case in my environment.
  So in order to enable this certificate you must import it on ALL of your Exchange servers. You need't (and even shouldn't) enable it for any services on your mailbox servers if you don't want to, just import it.

• How to decrypt data when you can't get the private key in Windows?

  I'm very confuse. My english is poor, but I try to say my question clearly.
  When browser connects to a https website which needs client certificate to authenticate the identity, the browser will send client certificate to web server.
  Then the web server will use the certificate to encrypt some data and send it to browser.
  Then broswer should have private key to decrypt that.
  But as I know, if I install a pfx format personal certificate, I can set can't export private key, which means you can't get the private key to use it. So how can
  the browser decrypt the data without private key?
  By the way, what is CSP, use CSP's interface can we use CryptoAPI
  to decrypt data without private key?

  Answer for question is  "you cant".. 
  "How to decrypt data when you can't get the private key in Windows?"
  Read more 
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa387460(v=vs.85).aspx
  http://msdn.microsoft.com/en-us/library/windows/desktop/bb427432(v=vs.85).aspx
  http://technet.microsoft.com/en-us/library/dd277320.aspx
  http://en.wikipedia.org/wiki/Public-key_cryptography

• Err: The private key material is not exportable outside of the HSM

  Hi,
  I am working on weblogic 8.1 with sp4, Using keytool generated certificates with HardwareSecurityModule (HSM) and enabled ssl in weblogic admin console.
  Now while starting the server following error is displayed
  <Oct 4, 2005 3:18:44 PM GMT+05:30> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
  <Oct 4, 2005 3:18:44 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000327> <Starting WebLogic Admin Server "ncss" for domain "ncqa">
  <Oct 4, 2005 3:18:49 PM GMT+05:30> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias srinualias from the nCipher.SWorld keystore file E:\bea\user_projects\domains\ncqa\srinu.>
  <Oct 4, 2005 3:18:51 PM GMT+05:30> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias srinualias from the nCipher.SWorldkeystore file E:\bea\user_projects\domains\ncqa\srinu.>
  com.ncipher.provider.nCSecurityException: The private key material is not exportable outside of the HSM
  at com.ncipher.provider.km.KMDSAKey.getParams(KMDSAKey.java:59)
  at com.certicom.tls.interfaceimpl.CertificateSupport.CheckIfKeyMatch(Unknown Source)
  at com.bea.sslplus.CerticomSSLContext.doKeysMatch(Unknown Source)
  at weblogic.security.utils.SSLContextWrapper.doKeysMatch(SSLContextWrapper.java:93)
  at weblogic.t3.srvr.SSLListenThread.checkIdentity(SSLListenThread.java:323)
  at weblogic.t3.srvr.SSLListenThread.initSSLContext(SSLListenThread.java:169)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:140)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:126)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1637)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:1009)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:361)
  at weblogic.Server.main(Server.java:32)
  <Oct 4, 2005 3:18:52 PM GMT+05:30> <Warning> <Security> <BEA-090552> <The public and private key could not be checked for consistency.>
  <Oct 4, 2005 3:18:52 PM GMT+05:30> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the nCipher.SWorld keystore file E:\bea\user_projects\domains\ncqa\srinu.>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "ncss" for domain "ncqa" running in Development Mode>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*>
  Please let me know if any clues.
  thanks
  Ceenu

  This is just a warning to let you know that the server was not able to verify whether the private key matches your public key, because it could not get the key from HSM. This is normal. SSL should still work.
  Pavel.

• How can I export a video with audio from premiere cs 5.5 to a DVD

  how can I export a video with audio from premiere cs 5.5 to a DVD

  You don't... at least not directly... you export MPEG2-DVD and then use the TWO files (audio and video) in Encore
  CS5-thru-CC PPro/Encore tutorial list http://forums.adobe.com/thread/1448923 may help

• How can I export a file with transparent background?

  Hi all,
  I know InDesign doesn't allow to export a PNG file, but I need my file to be in image file format with transparent background.
  I'm still learning so I am stuck here. How can I export a file with transparent background?

  If you can't get the PNG file export to work, you can export a pdf and open it in Photoshop, from there you can save it as whatever you like.

• I suddenly can't watch .mov files with the QuickTime Player x?

  I suddenly can't watch .mov files with the QuickTime Player x? There is always the message, i should look after new software! Can you help me?

  Handy-dandy cut and paste to the rescue!
  you need to install some other stuff to get the full file functionality back.
  Here's the list.
  Start with QT 7.6.6. - http://support.apple.com/kb/DL923
  Get Perian, and install it. - http://perian.org
  then VLC, - http://videolan.org
  DivX - http://divx.com - and the
  Flip4Mac package from Telestream - http://www.telestream.net/flip4mac/
  A52/AC3 downloader: https://www.macupdate.com/app/mac/21875/a52codec - In this installer package there is an audio A52Codec.component. DO NOT USE IT! Throw it out and use the one that is linked below.
  This is what I've put into my system and so far I've gotten every file to run fine, even my oldest videos.
  These are codecs you should see.
  In System/Library/QuickTime
       AppleIntermediateCodec.component
       AppleMPEG2Codec.component* (*optional if you've bought it)
       DivX Decoder.component
       Flip4Mac WMV Advanced.component
       Flip4Mac WMV Export.component
       Flip4Mac WMV Import.component
  In your Home/Library/QuickTime/
       AC3MovieImport.component (you may or may not want this component, in some instances it causes conflicts. In my system, it doesn't. Who knows why? I don't.)
       Perian.component
  For AC3 sound that is in most .mkv files, you need the A52Codec.component, this is the one you want, here: https://code.google.com/p/subler/downloads/detail?name=A52Codec.component.zip - unzip the file and put the component into the System/Library/Audio/Plug-ins/Components
  Go back to your Perian settings and in the Audio Output button, set it to 'Multi Channel Sound' - Ignore the message Perian puts up and select it.
  By doing a 'Get Info' on your files and where it says 'Open With' - default them to the QuickTime 7 program. Perian no longer will work with QuickTime Player so you must have QT 7.6.6 and set it so it is the default for all the filetypes you use.
  It works perfectly with QT7. So far I've gotten ALL my old videos to play.
  .avi, .mov (with the AC3 sound), .wmv, .flv, .mp4 and .m4v. all run fine as do all the older formats.
  Good luck!
  Deb.

• I want to export my photos with the title and info attached

  I want to export my photos with the title and info attached but cannot seem to do it with this new os.

  Are you confusing Titles and Filenames by any chance?
  When you email you're sending a file. The email client sees the Filename. The title is in the Exif metadata of the file and the email app doesn't see this - neither will the Finder or filebrowser.
  You can export (as above) and opt to use the Title as Filename - it's there at the Filename section.
  Regards
  TD