Certificate enrollment via SunPKCS11

Hi, my question is whether certificate enrollment is possible via the SunPKCS11 provider.
Generating a key pair is possible and easy by using the standard KeyPairGenerator also implemented by SunPKCS11.
Generating a PKCS10 certificate request is also possible and easy, although it entails using the sun.security package.
At this point, one would assume that the worst is over, as the last required operation is installing the certificate received from the certification authority. Alas, the SunPKCS11 provider seems to prevent such a basic operation.
The setCertificateEntry() method implemented by the SunPKCS11 provider, via the P11KeyStore class, just refuses to install a normal end-entity certificate -- and this is documented! Absolutely nonsensical.
Can anyone provide hints / suggestions to overcome this frustrating problem?

Hi,
Have you found the solution for this problem? I am also having the same problem as you. The stranger thing for me is that I can't even use the P11KeyStore, though I can find this class in sunpkcs11.jar. Please advise. I am meeting my deadline right now.
Thanks.
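
As an added illustration of the three steps the question lists (not code from either poster and not JDK code), here is the flow in Java against a PKCS#11 token through SunPKCS11. It assumes a provider config file token.cfg whose attributes lines make generated keys token objects rather than session objects, Bouncy Castle's bcpkix library for the PKCS#10 request in place of the sun.security classes, and the alias app01 and the files app01.csr, app01.pem and ca.pem; all of these names are hypothetical. Since setCertificateEntry() refuses the end-entity certificate, the certificate is attached to its already-stored private key with setKeyEntry(); whether a particular token and driver accept that is up to them, so the code reads the entry back rather than trusting the call.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Added example, not JDK or vendor code. Assumed SunPKCS11 config file token.cfg:
//   name = MyToken
//   library = /usr/lib/softhsm/libsofthsm2.so
//   slotListIndex = 0
//   attributes(generate, CKO_PRIVATE_KEY, *) = { CKA_TOKEN = true }
//   attributes(generate, CKO_PUBLIC_KEY, *)  = { CKA_TOKEN = true }
// Without the attributes lines the generated pair is a session object that disappears
// when the provider is unloaded, so there would be nothing for the certificate to attach to.
public class P11Enroll {
    static Provider loadProvider(String cfgPath) {
        // Java 9+ API; on Java 8 use new sun.security.pkcs11.SunPKCS11(cfgPath) instead.
        Provider p = Security.getProvider("SunPKCS11").configure(cfgPath);
        Security.addProvider(p);
        return p;
    }

    // Step 1: key pair generated on the token; the private key never leaves it.
    static KeyPair generateKeyPair(Provider p) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Step 2: PKCS#10 request signed on the token (Bouncy Castle instead of sun.security.pkcs10).
    static PKCS10CertificationRequest buildCsr(Provider p, KeyPair kp, String subjectDn) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider(p).build(kp.getPrivate());
        PKCS10CertificationRequest csr =
                new JcaPKCS10CertificationRequestBuilder(new X500Name(subjectDn), kp.getPublic()).build(signer);
        // Proof-of-possession check before the CSR goes anywhere; the CA will run the same check.
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(p).build(kp.getPublic()))) {
            throw new IllegalStateException("CSR signature does not verify with the token public key");
        }
        return csr;
    }

    static void writeCsrPem(PKCS10CertificationRequest csr, Path out) throws Exception {
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(csr.getEncoded());
        Files.write(out, ("-----BEGIN CERTIFICATE REQUEST-----\n" + b64
                + "\n-----END CERTIFICATE REQUEST-----\n").getBytes("US-ASCII"));
    }

    static X509Certificate readCert(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {   // PEM or DER, CertificateFactory takes both
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Step 3: attach the issued certificate to the private key already on the token.
    // setCertificateEntry() refuses end-entity certificates on a PKCS11 keystore; setKeyEntry()
    // with the token's own PrivateKey object updates the entry instead (the password is ignored).
    static X509Certificate installIssuedCert(KeyStore ks, String alias, KeyPair kp,
                                            Path certFile, Path issuerFile) throws Exception {
        X509Certificate cert = readCert(certFile), issuer = readCert(issuerFile);
        // Refuse a certificate that was not issued for this key (wrong file, CA re-keyed it, ...).
        if (!Arrays.equals(cert.getPublicKey().getEncoded(), kp.getPublic().getEncoded())) {
            throw new IllegalArgumentException("issued certificate does not match the token key");
        }
        cert.verify(issuer.getPublicKey());   // and make sure it really came from the expected CA
        ks.setKeyEntry(alias, kp.getPrivate(), null, new Certificate[] { cert, issuer });
        // Read the entry back: the only reliable evidence that this token/driver accepted it.
        if (ks.getKey(alias, null) == null || ks.getCertificate(alias) == null) {
            throw new IllegalStateException("entry '" + alias + "' missing after setKeyEntry");
        }
        return (X509Certificate) ks.getCertificate(alias);
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadProvider("token.cfg");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, System.console().readPassword("User PIN: "));   // PIN is passed straight to C_Login
        KeyPair kp = generateKeyPair(p);
        writeCsrPem(buildCsr(p, kp, "CN=app01.example.internal,O=Example"), Paths.get("app01.csr"));
        // Both halves run in one process so the KeyPair handle stays valid: submit app01.csr to the
        // CA out of band and continue once the issued app01.pem and the issuing CA's ca.pem are present.
        System.console().readLine("app01.csr written; place app01.pem and ca.pem here, then press Enter: ");
        X509Certificate installed = installIssuedCert(ks, "app01", kp, Paths.get("app01.pem"), Paths.get("ca.pem"));
        System.out.println("Installed " + installed.getSubjectX500Principal() + " under alias app01");
    }
}
```

P11KeyStore is an internal class and is never used directly: KeyStore.getInstance("PKCS11", provider) hands it back. Run with bcpkix on the classpath and the token's PKCS#11 library path in token.cfg; if setKeyEntry() throws or the read-back fails, first check that the key pair was really created as a token object (the attributes lines above) before suspecting the certificate.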

Similar Messages

  • NDES Certificate Enrollment on Surface fails

    Hi all
    I implemented an NDES infra based on Pietrs Blog in my sandpit lab (infra runs on ConfigMgr 2012 R2 CU4, OS 2012 R2):
    http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx I repeated each step 2 or 3 times to be sure.
    If I try to assign a client cert / user cert (both of them) it always fails with 0x87D1FDE8 Remediation failed, as posted here:
    https://social.technet.microsoft.com/Forums/en-US/15aebec7-4870-49af-8c0c-17d3d376783a/ndes-scep-certificate-profile-0x87d1fde8-remediation-failed-deployment-of-certificate-profiles?forum=configmanagermdm&prof=required
    (All certs are newly re-created; NDES and CRP newly installed.) If no cert enrollments were possible at all I could understand it, but Android 4.2 devices are enrolling like a charm. One detail: the NDES server is reachable via WAP proxy, but this works (if I enter the test URL I'm able to open the cert file). Finally, on the Surface the regkey in the MDM hive is created and the NDES URI is available. All log files look fine.
    Any ideas/help or tips will be very much appreciated.
    Cheers,
    +Mat

    All
    It is running now. It was a heavy war in my lab ... ;-) - and arose from several misconfigured components and settings. For an easier overview, listed by component:
    CA
    I have an Enterprise Root CA with a subordinate Issuing CA in the lab. Failure 1: the lifetime of the Issuing CA cert was only configured for 2 years. So I changed this using certutil to 10 years (Root CA 20 years, Issuing 10 years). Failure 2: the NDES template had a longer lifetime than the Issuing CA. This raised the issue "Life time incorrect" in the failed cert request.
    WAP Proxy
    On the WAP proxy the required settings
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    Value: MaxFieldLength
    Type: DWORD
    Data: 65534 (decimal)
    Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    Value: MaxRequestBytes
    Type: DWORD
    Data: 65534 (decimal)
    were applied, but the required December 2014 Update hotfix
    http://blogs.technet.com/b/ems/archive/2014/12/11/hotfix-large-uri-request-in-web-application-proxy-on-windows-server-2012-r2.aspx was not properly installed (the WAP proxy is a workgroup server).
    NDES
    In the HTTP settings listed above I made a mistake (dec vs. hex), a typical copy/paste error.
    CRP
    At least one server is properly configured.
    Some remarks
    Within the policies, both the Root and Issuing CA certs have to be deployed to the Root Store. Later on, in the configuration for the SCEP cert enrollment, the template of the Issuing CA has to be chosen.
    Very happy that this is rolling. Next step is to configure the WiFi network (NPAS) so that only devices with a valid client certificate can use it.
    The biggest pain overall is that the logging process is not really helpful and is confusing, e.g. the MCSEP.log reports
    2905.902.0:<2015/4/14, 19:31:3>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 44D6EDAE C3C7C52F DE1B2CE4 9C102C22 5DF4CC54 but the enrolling is working fine. Here Microsoft should investigate for a better overview.
    Cheers,
    +mat

  • Certificate enrollment web service GPO enablement failure

    2012 Std R2
    Added the Certificate Authority role with web services,
    configuring via library hh831625.
    I have verified that IIS has the default site ADPolicyProvider_CEP_Kerbos and I copied the URI https://<server>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP
    I added a domain GPO per the directions in Certificate Enrollment Policy Web Services. I am editing the GPO for Computer->Policies->Windows Settings->Security Settings->Public Key Policies. I double click Certificate Services Client - Certificate Enrollment Policy. I enable the policy and ADD the certificate enrollment policy list. I paste the above URI; Authentication type is "Windows Integrated". When I validate the server I get the following error:
    An error occurred while obtaining certificate enrollment policy
    URI: https://<server>/ADPolicyProvider_CEP_Kerbos/services.svc/CEP
    Error: The remote endpoint does not exist or could not be located. 0x803d00d (-21434855939 WS_E_ENDPOINT_NOT_FOUND)
    Help with this final validation is appreciated. Logged on as administrator with Domain Admins and Enterprise Admins rights.
    John Lenz

    Hi,
    Please try to do the following steps at first. Thanks.
    Configuring the CEP web address in the client
    Before I go into the steps it is important to understand that this configuration is based on the security context. You have a CEP configuration for the user, and you have another configuration for the computer. Depending on what certificates you plan on issuing (user or computer certificates) you may only require one of these to be configured.
    Configuring user certificate enrollment
    Run CertMgr.msc.
    Expand Certificates, then Current User.
    Expand Personal.
    Right click on Personal, and select All Tasks, then
    Advanced Operations, then Manage Enrollment Policies…
    On the Manage Enrollment Policies dialog click the Add… button. See Figure 12
    Type in the URI for the CEP service in the field. This will be in the format of:
    https://<Internet FQDN>/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
    In my example this would be:
    https://cert-enroll.fabrikam.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
    NOTE: the only thing that will be unique to your environment is the Internet FQDN of the URI.
    In the Authentication type drop down select: Username/password
    Click the Validate button.
    Once the Validate button is pressed, you will be prompted to type in a domain user name and password. Supply these credentials.
    If everything goes correctly you should see that the validation test passed in the lower section of the dialog box see Figure 13.
    NOTE: You can see in Figure 13 that the only difference is the DNS portion of this URI. If you scroll down further in the validation output, you will see the friendly name you added under the website configuration being displayed also.
    Click the Add button.
    Uncheck Enable for automatic enrollment and renewal.
    NOTE: Failure to do so could cause users to be prompted for user name and password each time they log on to the computer. This occurs because Windows Autoenrollment runs immediately after the user has logged on. If the enrollment policy is configured for automatic enrollment and renewal, Windows Autoenrollment will attempt to contact the configured CEP server when it starts in order to determine if new certificates have been assigned. Since this will result in the users being prompted for credentials every time they log on, your users may be annoyed.
    Click the OK button.
    NOTE: Follow the same procedures to configure the Enrollment Policy server for the computer personal store if you need to enroll for computer certificates.

  • Auto certificate enrollment for computers not happening

    Hi
    In my environment the auto certificate enrollment for computers is not happening through GPO.
    Domain Computers has the Enroll permission on the computer certificate template.
    Please suggest.
    Regards,
    Deepak S

    Hi,
    Please reconfirm the Autoenrollment group policy is configured and applied to the user or machine. Verify the Group Policy settings set the proper registry settings. If Group Policy is configured correctly, the next step is to troubleshoot enrollment.
    Autoenrollment requires the use of Version 2 or Version 3 Certificate Templates. Certificate Authorities must be on the appropriate OS Version and edition. The table below outlines OS Version and Edition support for Version 2 and Version 3 certificate templates.
    The similar thread:
    Certificate Autoenrollment for Domain Computers GPO does not work
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/3797dad9-6c4f-41e4-8c4f-ad37a7570aa4/certificate-autoenrollment-for-domain-computers-gpo-does-not-work?forum=winserversecurity
    Hope this helps.

  • No password prompt from ASA 5500 for certificate enrollment

    Greetings,
    I work in a lab testing interoperability between Avaya and Cisco VoIP products.
    I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP going through an ASA 5510 to a backend IP PBX.
    Environment: Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES
                 Cisco ASA 5510 running 9.0(1)
    I would like to set up certificate enrollment between a Windows Server 2008 R2 and a Cisco ASA 5510. Here are the commands that I use for the Cisco ASA 5510:
         crypto key generate rsa modulus 2048
         crypto ca trustpoint ASA5510-trust
             enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
             enrollment retry period 5
             enrollment retry count 3
             password Interop123
             exit
         crypto ca authenticate ASA5510-trust
         crypto ca enroll ASA5510-trust
    Everything works as expected until I try to enroll. There is no prompt for the
    enrollment password and the certificate request is denied.
    ciscoasa(config)# crypto ca enroll ASA5510-trust
    % Start certificate enrollment ..
    % The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
    % Include the device serial number in the subject name? [yes/no]: No
    Request certificate from CA? [yes/no]: yes
    % Certificate request sent to Certificate Authority
    ciscoasa(config)# The certificate enrollment request was denied by CA!
    Why isn't there a prompt for the enrollment password?
    BTW, If I set "enforcepassword" to "0" in the Windows registry, then it works.
    Thanks,

    Richard,
    In the trustpoint config you have the challenge defined.
    http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/p1.html#wp1961480
    If this command is enabled, you will not be prompted for a password during certificate enrollment.
    Did you try removing it? If you're still not being asked after removing it, it's most likely a bug.
    M.

  • MAC OS X Certificate Enrollment

    I want to use this configuration for MAC OS X certificate enrollment. What is required on the Windows PKI side for this to work? Do I need NDES or something else?
    Thank you.
    MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008

    The Macintosh OS lacks any long term certificate life-cycle management and the difficulty of enrollment and lack of renewal generally makes this un-scalable. Third party products fill the gap - such as AirWatch or Mobile Iron.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • Certificate Enroll Errors RPC Server Is Unavailable

    I have a scenario in which I would like some advice before moving on. We have a Server 2012 root CA that was put in about a year-year and a half ago and at the same time there was another 2008 R2 root CA that was installed on a DC that was hosting FSMO roles.
    Well that DC started to die so we transferred the FSMO roles and removed certificate services. However, we only uninstalled the role but as I understand, there is a bit of cleanup to do in AD beyond just removing the role. So when we started to perform the
    first step, I noticed remnants of old servers that are no longer around. I've discovered that our previous admin had made 3 other servers (I believe all 2003) that have all completely gone away and yet are still listed in the Trusted Root Certification Authorities
    on all computers and I find in the event log the following error when I log in to our domain machines of them trying to contact each of the old CA servers:
    Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from server.domain.org\server (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
    Now I have no way of knowing whether or not this admin actually properly removed the role before decommissioning these servers and I have no idea why we needed so many servers to be root CA's in the first place? Anyhow, I was wondering if the proper procedure
    would be to remove the root trusted certs from group policy and then clean up the remnant entries in AD as described in the Microsoft documentation of removing a root CA from your environment. I still see some errors and machines requesting to check for stuff
    like CRL with the most recent root CA that we removed so I just wanted to check to see if all of these errors will go away once we finish the cleanup and if there is anything special that needs to be done for the potentially orphaned root CA's. We did take
    a backup of the 2008R2 CA (the one that was on the dying DC) before we removed the role and I have confirmed that our production CA (the one that we would like to remain in production - is a sub CA of an offline root) has already issued new machine and DC
    certs to our domain machines and domain controllers.
    Sorry for the lengthy post. Please let me know if any more information is required and thank you in advance!

    Hello,
    The root CA is normally the first one in a forest, issuing the certificates for the subordinate CAs if required, or certificates in general.
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    So there is no need for multiple root CAs.
    To get rid of everything old and be sure the CA is configured correct for your needs I suggest to ask this in
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

    We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
    There is no additional information in the VPN client logs where we have set 3-High for all logs.
    In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
    To create and enrol a certificate we do the following:
    1. Click on the Enroll button to show the Certificate Enrolment dialog
    2. Select Online
    3. Select <New> for Certificate Authority
    4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
    5. Click Next to display the dialog where we can enter certificate details
    6. Enter details in all fields except IP Address and Domain
    7. Click Enroll, which shows a dialog with the Error 42 ... message in it.
    If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
    The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
    We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
    Thank you
    Emil

    FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
    Cisco2691#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Cisco2691(config)#crypto pki server CERTSERVER
    Cisco2691(cs-server)#grant ?
      auto     Automatically grant incoming SCEP enrollment requests
      none     Automatically reject any incoming SCEP enrollment request
      ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
    Cisco2691(cs-server)#grant auto
    % The CS config is locked. You need to shut the server off before changing its configuration.
    Cisco2691(cs-server)#shut
    Cisco2691(cs-server)#grant auto
    Cisco2691(cs-server)#
    Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
    Cisco2691(cs-server)#no shut
    % Certificate Server enabled.

  • Deleted user Certificate enrollment requests

    We have a user account, "Temp_admin", which was set up as a temporary domain admin and was deleted a few months ago. For some reason this account is still triggering and successfully being authenticated for certificate enrollment on our internal certificate server, at least according to the application log on DC#4. Looking at the logs on our certificate server this user does not even exist. Event IDs 64 and 65 every 3-4 minutes with this. Any idea how to stop this or at least keep it from authenticating?
    Server 2008r2 domain.
    Certificate enrollment for *******\Temp_admin successfully load policy from policy server 
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">64</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
        <EventRecordID>99069</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MDSTVDC04.*******.local</Computer>
        <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
      </System>
      <EventData>
        <Data Name="Context">*******\Temp_admin</Data>
        <Data Name="ServerID" />
      </EventData>
    </Event>
    Certificate enrollment for *******\Temp_admin is successfully authenticated by policy server {0E730552-3DDB-465A-83AD-CFAF040B236B}
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">65</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-02T19:56:04.000000000Z" />
        <EventRecordID>99068</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MDSTVDC04.*******.local</Computer>
        <Security UserID="S-1-5-21-420886195-1495481658-928725530-6981" />
      </System>
      <EventData>
        <Data Name="Context">*******\Temp_admin</Data>
        <Data Name="ServerURL">{0E730552-3DDB-465A-83AD-CFAF040B236B}</Data>
      </EventData>
    </Event>

    Temp_admin is deleted from the domain
    sid2username output: Error evaluating user name. Some or all identity references could not be translated. 
    Tested with Known accounts and they work so Temp account can not be found.
    First thing I tried to do was search the AD Domain by both the sid and username and they could not be found. I was involved in a motorcycle accident and a temp was hired for the 3 months I was away. The temp did not leave on good terms and the account was
    deleted as soon as she left the building. 
    This user was still listed under user profiles in the registry with that sid. 
    I deleted all references to the sid from the registry on that DC and restarted the server and the issue has disappeared. Really don't think I should have had to go this route though. 

  • Lync 2010 Certificate renewal via MMC

    So I have been trying to find the answer to this and haven't had any luck digging through the forums. I am going to be renewing my Lync 2010 certificates next week. However, I am trying to find out if its possible to use the Certificate Manager via the MMC
    to renew the certificate for the Lync server. This is a certificate from an internal CA and I would be right clicking the certificate and select "All Tasks>Advanced Operations>Renew This Certificate With The Same Key". Would this option work
    for renewing the Lync 2010 Certificate? or does it absolutely have to happen via the Lync Deployment Wizard? 
    Thank you all for any insight on this.
    Emmanuel Fumero Exchange Administrator

    Will the Lync PS renew the existing certificate or will it request a new one the same way the Lync Deployment Wizard does? I have noticed that the Lync Deployment Wizard tends to pull all the existing data the previous certificate uses.
    Emmanuel Fumero Exchange Administrator

  • Monitor pki certificate status via snmp

    I recently discovered that a number of our remote sites could not connect to each other via dmvpn due to various certificate problems.
    They could all connect to our hubs due to pre-shared keys, so the problem was never discovered before a colleague discovered MM_KEY_EXCH states on some of the routers.
    I therefore want to monitor the state of the certificates, preferably via snmp.
    I found a nice looking mib,CISCO-PKI-PARTICIPATION-MIB, on http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.505
    but none of our routers seem to support it, and when you click on "view supporting images", it also specifies: "There is no supporting images available for
    CISCO-PKI-PARTICIPATION-MIB"
    Do you have any experience on how to monitor certificate status on your Cisco routers?

    No real solution. I found that they all needed to connect to one specific router, so I fire off "show crypto isakmp sa | inc MM_KEY_EXCH" on that specific router via our management platform, and receive a mail with the output on a daily basis.

  • ASA Local CA certificate enrollment invitation

    Hi,
    I have been looking for the answer for a while.....
    My ASA is version 8.2.1
    I am planning to use the ASA local CA to distribute certificates for SSL VPN users.
    After I create a user and email OTP, you get the E-mail like below.
    (The following example is found at http://www.cisco.com/japanese/warp/public/3/jp/service/manual_j/sec/asa/caclcg4/chapter39/12172_01_39.shtml)
    Date: 12/22/06
    To: [email protected]
    From: Wuseradmin
    Subject: Certificate Enrollment Invitation
    You have been granted access to enroll for a certificate.
    The credentials below can be used to obtain your certificate.
    Username: [email protected]
    One-time Password: C93BBB733CD80C74
    Enrollment is allowed until: 15:54:31 UTC Thu Dec 27 2006
    NOTE: The one-time password is also used as the passphrase to unlock the certificate file.
    Please visit the following site to obtain your certificate:
    https://wu5520-FO.frdevtestad.local/+CSCOCA+/enroll.html
    You may be asked to verify the fingerprint/thumbprint of the CA certificate
    during installation of the certificates. The fingerprint/thumbprint should be:
    MD5: 76DD1439 AC94FDBC 74A0A89F CB815ACC
    SHA1: 58754FFD 9F19F9FD B13B4B02 15B3E4BE B70B5A83
    My question is where the hostname (wu5520-FO.frdevtestad.local) of URL is from.
    I thought it was from the hostname of the ASA, so I changed the hostname of the ASA.
    However the URL did not change.
    Any comment would be greatly appreciated.
    Thanks,
    Taro

    Hello Taro,
    Agree with Atri,
    I have not dealt with this case, but it makes sense that you need to reset the CA server as it's basically using a different configuration set for the FQDN.
    As soon as you enable the ASA CA capability the URL will be created based on the FQDN, so as it's up and running it will not change... That's how I see it,
    Give it a try and let us know,
    I think you can only remove the CA config with
    clear config crypto ca server
    So be careful,
    Regards
    Julio

  • Problem using SmartCard with 2 Certificates stored and SunPKCS11

    Hi,
    I'm trying to access one SmartCard token in Java 1.5 using the SunPKCS11 provider for encrypt, decrypt and digital signature operations.
    I have 2 certificates stored on Token:
    - CertA;
    - CertB.
    There are also 2 PIN:
    - PIN1;
    - PIN2.
    I use:
    - PIN1 for logging into the token;
    - PIN1 for operation involving CertA;
    - PIN2 for operation involving CertB;
    There is no problem logging into the token using Java and, without any trouble, I can read certificates and keys from the cryptographic card.
    There is no problem using CertA for all my operations, but every attempt to use the private key of CertB (for the same operations) returns with an exception:
    java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
    Here there's an extract of my source code.
    import java.io.BufferedInputStream;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Provider;
    import java.security.PublicKey;
    import java.security.Security;
    import java.security.Signature;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;

    public class TokenSignTest {

    public void loginToken() {
        // Java 5/6 style: the SunPKCS11 constructor takes the path of the config file
        Provider UserProvider = new sun.security.pkcs11.SunPKCS11("C:\\pkcs11.cfg");
        Security.addProvider(UserProvider);
        try {
            KeyStore ks = null;
            X509Certificate UserCert = null;
            PrivateKey UserCertPrivKey = null;
            PublicKey UserCertPubKey = null;
            //PIN
            char PIN1[] = "11111".toCharArray();
            char PIN2[] = "22222".toCharArray();
            //logging into token
            ks = KeyStore.getInstance("PKCS11", UserProvider);
            ks.load(null, PIN1);
            //enumeration alias
            String alias = "";
            Enumeration<String> e = ks.aliases();
            while (e.hasMoreElements()) {
                alias = e.nextElement();
                //Certificate
                UserCert = (X509Certificate) ks.getCertificate(alias);
                //PublicKey
                UserCertPubKey = UserCert.getPublicKey();
                if (alias.compareToIgnoreCase("Cert1") == 0) {
                    //PrivateKey reference
                    UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN1);
                } else if (alias.compareToIgnoreCase("Cert2") == 0) {
                    //PrivateKey reference
                    UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN2);
                } else {
                    System.out.println("ALIAS UNKNOWN");
                    System.exit(1);
                }
                //Signature Test (MakeSign returns true on success)
                if (MakeSign(UserCertPrivKey, UserProvider))
                    System.out.println(" *** SIGNATURE OK *** ");
                else
                    System.out.println(" *** SIGNATURE KO *** ");
            }
        } catch (Exception ex) {
            System.out.println("ERROR: " + ex);
        }
    }

    public boolean MakeSign(PrivateKey PrivKey, Provider p) {
        try {
            //File I/O
            FileInputStream txtfis = new FileInputStream("C:\\Test.txt");
            FileOutputStream sigfos = new FileOutputStream("C:\\Test_Signature.txt");
            //Signature Obj init (the signing is done on the token by the PKCS#11 provider)
            Signature dsa = Signature.getInstance("SHA1withRSA", p.getName());
            dsa.initSign(PrivKey);
            //Update data: read until EOF instead of polling available()
            BufferedInputStream bufin = new BufferedInputStream(txtfis);
            byte[] buffer = new byte[1024];
            int len;
            while ((len = bufin.read(buffer)) != -1) {
                dsa.update(buffer, 0, len);
            }
            bufin.close();
            //Make signature
            byte[] realSig = dsa.sign();
            //save signature on file
            sigfos.write(realSig);
            sigfos.close();
            return true;
        } catch (Exception ex) {
            System.out.println("ERROR: " + ex);
            return false;
        }
    }
    }
    I would be grateful for any help...
    Thanks in advance.
    P.S. Sorry for my English

    This is the same as my initial problem.
    I resolved it using the IAIK PKCS#11 Wrapper (it is FREE) instead of sun.security.pkcs11.SunPKCS11.
    You can find it here:
    http://jce.iaik.tugraz.at/sic/products/core_crypto_toolkits/pkcs_11_wrapper
    Here is an example of the code.
    The main class:
    import iaik.pkcs.pkcs11.Module;
    import iaik.pkcs.pkcs11.DefaultInitializeArgs;
    import java.util.Hashtable;
    import iaik.pkcs.pkcs11.Token;
    import iaik.pkcs.pkcs11.Slot;
    import iaik.pkcs.pkcs11.Session;
    import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
    import java.util.Vector;
    import iaik.pkcs.pkcs11.objects.PrivateKey;
    import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;
    import java.util.Enumeration;
    import iaik.pkcs.pkcs11.objects.Key;
    import java.security.cert.CertificateFactory;
    import java.io.ByteArrayInputStream;
    import iaik.pkcs.pkcs11.Mechanism;
    import java.security.Security;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import java.io.File;
    import java.io.FileInputStream;
    import org.bouncycastle.cms.CMSSignedDataGenerator;
    import org.bouncycastle.cms.CMSProcessableByteArray;
    import java.util.ArrayList;
    import java.security.cert.CertStore;
    import java.security.cert.CollectionCertStoreParameters;
    import org.bouncycastle.cms.CMSSignedData;
    import java.io.FileOutputStream;
    import java.security.cert.X509Certificate;
    import iaik.pkcs.pkcs11.TokenInfo;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    public class MakeSignature {
      public static void main(String[] args) {
        String USER_PIN = "12345678";
        String DLL_NAME = "C:\\windows\\system32\\dll_P11_name.dll";
        String OBJ_LABEL1 = "CNS0"; //this is the label of my 1st cert
        String OBJ_LABEL2 = "CNS1"; //this is the label of my 2nd cert
        String INPUT_FILE = "C:\\Temp\\test.txt";
        String OUTPUT_FILE = "C:\\Temp\\test.p7m";
        try {
          // ********** INITIALIZE PKCS#11 MODULE WITH DEFAULT PARAMETERS **********
          Module pkcs11Module = Module.getInstance(DLL_NAME);
          pkcs11Module.initialize(new DefaultInitializeArgs());
          // ********** SELECT TOKEN **********
          Slot[] slotsWithToken = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
          Token[] tokens = new Token[slotsWithToken.length];
          Hashtable tokenIDtoToken = new Hashtable(tokens.length);
          long tokenID = -1;
          Token tokenUsed = null;
          //enum readers
          System.out.println("Active tokens:");
          for (int i = 0; i < slotsWithToken.length; i++) {
            tokens[i] = slotsWithToken[i].getToken(); //index the slot, not the array
            tokenID = tokens[i].getTokenID();
            tokenIDtoToken.put(new Long(tokenID), tokens[i]);
            System.out.println("Token ID: " + tokenID);
          }
          if (tokens.length == 0) { //No SC found
            System.out.println("No SC present");
            return;
          } else {
            System.out.println("Using token: " + tokens[0].getTokenID());
            tokenUsed = tokens[0];
            //Note: if you have more readers and more SCs inserted, you have to write
            //here the code for selecting the right token
          }
          // ********** OPEN SESSION VS THE TOKEN AND IF REQUIRED SUBMIT PIN **********
          TokenInfo tokenInfo = tokenUsed.getTokenInfo();
          Session session = tokenUsed.openSession(Token.SessionType.SERIAL_SESSION, false, null, null);
          if (tokenInfo.isLoginRequired()) {
            session.login(Session.UserType.USER, USER_PIN.toCharArray());
          }
          // ********** SET SEARCH TEMPLATE FOR THE P11 OBJECT **********
          RSAPrivateKey privateSignatureKeyTemplate = new RSAPrivateKey();
          privateSignatureKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);
          privateSignatureKeyTemplate.getLabel().setCharArrayValue(OBJ_LABEL2.toCharArray());
          // ********** SEARCH P11 OBJECT USING TEMPLATE **********
          Vector keyList = new Vector(4);
          session.findObjectsInit(privateSignatureKeyTemplate);
          Object[] matchingKeys;
          while ((matchingKeys = session.findObjects(1)).length > 0) {
    keyList.addElement(matchingKeys[0]);
    session.findObjectsFinal();
         //Try to find the corresponding certificates for the signature keys
    Hashtable keyToCertificateTable = new Hashtable(4);
    Enumeration keyListEnumeration = keyList.elements();
    while (keyListEnumeration.hasMoreElements()) {
    PrivateKey signatureKey = (PrivateKey) keyListEnumeration.nextElement();
    byte[] keyID = signatureKey.getId().getByteArrayValue();
    X509PublicKeyCertificate certificateTemplate = new X509PublicKeyCertificate();
    certificateTemplate.getId().setByteArrayValue(keyID);
    session.findObjectsInit(certificateTemplate);
    Object[] correspondingCertificates = session.findObjects(1);
    if (correspondingCertificates.length > 0) {
    keyToCertificateTable.put(signatureKey, correspondingCertificates[0]);
    session.findObjectsFinal();
         //There are three cases now: 1 no obj found; 2 found only one obj, 3 found more obj
    Key selectedKey = null;
    X509PublicKeyCertificate correspondingCertificate = null;
    //no object found for template
    if (keyList.size() == 0) {
    System.out.println("No object found for template");
    throw new Exception("No object found for template");
    //Founf only one object
    else if (keyList.size() == 1) {
    selectedKey = (Key) keyList.elementAt(0);
    // create a IAIK JCE certificate from the PKCS11 certificate
              correspondingCertificate = (X509PublicKeyCertificate)keyToCertificateTable.get(selectedKey);
    System.out.println("One object Found");
    //Found more object ... user can select one
    else {
         System.out.println("Many obj found!!!");
    //write here the code for select the right object
         // ********** GET THE OBJECT **********
    RSAPrivateKey signerPriKey = (RSAPrivateKey) selectedKey;
    java.security.cert.CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    byte[] derEncodedCertificate = correspondingCertificate.getValue().getByteArrayValue();
    //Cast to java.security.cert.X509Certificate
    java.security.cert.X509Certificate signerCert = (java.security.cert.X509Certificate) certificateFactory.
    generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
         // ********** SIGNATURE OPERATION **********
    //Add BouncyCastle as provider
    Security.addProvider(new BouncyCastleProvider());
    //initialize signature operation
    session.signInit(Mechanism.RSA_PKCS, (PrivateKey) signerPriKey);
    //get input data
    File src = new File(INPUT_FILE);
    int sizecontent = ( (int) src.length());
    byte[] contentData = new byte[sizecontent];
    FileInputStream freader = new FileInputStream(src);
    freader.read(contentData, 0, sizecontent);
    freader.close();
         //calculate digest of the input data
    byte[] toEncrypt = buildBits(contentData); //I've already posted the code for this function
    //make signature
    byte[] signature = session.sign(toEncrypt);
         // ********** MAKE P7 WELL FORMAT DOCUMENT **********
    //CMSSignedDataGenerator fact = new CMSSignedDataGenerator();
    Signature2CMSSignedData fact = new Signature2CMSSignedData();
    CMSProcessableByteArray content = new CMSProcessableByteArray(contentData);
    //Creation of BC CertStore
    ArrayList certList = new ArrayList();
    certList.add(signerCert);
    CertStore certs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC");
    //Signature Alg
    String algorithm = CMSSignedDataGenerator.DIGEST_SHA1;
    //add element to P7
    fact.addSignature(signature, signerCert, algorithm);
    fact.addCertificatesAndCRLs(certs);
    //generate enveloped using Bouncycastle provider
         CMSSignedData envdata = fact.generate(PKCSObjectIdentifiers.data.getId(), content, true);
    byte[] enveloped = envdata.getEncoded();
    //Write P7 file
    FileOutputStream efos = new FileOutputStream(OUTPUT_FILE);
    efos.write(enveloped);
    efos.close();
    // ********** END **********
    session.closeSession();
    pkcs11Module.finalize(null);
    catch (Exception ex) {
    ex.printStackTrace();
    }Main class uses buildBits function (already posted in this topic) and Signature2CMSSignedData class.import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.List;
    import java.security.cert.CertStore;
    import java.security.cert.X509CRL;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.asn1.ASN1EncodableVector;
    import org.bouncycastle.asn1.ASN1InputStream;
    import org.bouncycastle.asn1.ASN1OctetString;
    import org.bouncycastle.asn1.ASN1Sequence;
    import org.bouncycastle.asn1.ASN1Set;
    import org.bouncycastle.asn1.BERConstructedOctetString;
    import org.bouncycastle.asn1.DEREncodable;
    import org.bouncycastle.asn1.DERNull;
    import org.bouncycastle.asn1.DERObject;
    import org.bouncycastle.asn1.DERObjectIdentifier;
    import org.bouncycastle.asn1.DEROctetString;
    import org.bouncycastle.asn1.DERSet;
    import org.bouncycastle.asn1.cms.ContentInfo;
    import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
    import org.bouncycastle.asn1.cms.SignedData;
    import org.bouncycastle.asn1.cms.SignerIdentifier;
    import org.bouncycastle.asn1.cms.SignerInfo;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
    import org.bouncycastle.asn1.x509.CertificateList;
    import org.bouncycastle.asn1.x509.TBSCertificateStructure;
    import org.bouncycastle.asn1.x509.X509CertificateStructure;
    import org.bouncycastle.cms.CMSProcessable;
    import org.bouncycastle.cms.CMSSignedData;
    * class for generating a RSA pkcs7-signature message.
    public class Signature2CMSSignedData2 {
    CertStore certStore;
    List certs = new ArrayList();
    List crls = new ArrayList();
    List signerInfs = new ArrayList();
    List signers = new ArrayList();
    public static final String DATA = PKCSObjectIdentifiers.data.getId();
    public static final String ENCRYPTION_RSA = "1.2.840.113549.1.1.1";
    private byte[] signatureData = null;
    private X509Certificate cert = null;
    private String digestOID = null;
    private String encOID = null;
    public Signature2CMSSignedData2() {
    public void addSignature(byte[] signatureData, X509Certificate cert, String digestOID) {
    this.signatureData = signatureData;
    this.cert = cert;
    this.digestOID = digestOID;
    this.encOID = ENCRYPTION_RSA;
    public void addCertificatesAndCRLs(CertStore certStore) throws Exception{
    try {
    Iterator it = certStore.getCertificates(null).iterator();
    while (it.hasNext()) {
    X509Certificate c = (X509Certificate) it.next();
    certs.add(new X509CertificateStructure((ASN1Sequence) makeObj(c.getEncoded())));
    Iterator it2 = certStore.getCRLs(null).iterator();
    while (it2.hasNext()) {
    X509CRL c = (X509CRL) it2.next();
    crls.add(new CertificateList((ASN1Sequence) makeObj(c.getEncoded())));
    catch (Exception e) {
    throw new Exception(e.getMessage());
    private DERObject makeObj(byte[] encoding) throws Exception {
    if (encoding == null) {
    return null;
    ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
    ASN1InputStream aIn = new ASN1InputStream(bIn);
    return aIn.readObject();
    public CMSSignedData generate(String signedContentType, CMSProcessable content, boolean encapsulate) throws Exception {
    try {
    ASN1EncodableVector digestAlgs = new ASN1EncodableVector();
    ASN1EncodableVector signerInfos = new ASN1EncodableVector();
    DERObjectIdentifier contentTypeOID = new DERObjectIdentifier(signedContentType);
    // add the SignerInfo objects
    Iterator it = signerInfs.iterator();
    AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(digestOID), new DERNull());
    AlgorithmIdentifier encAlgId;
    encAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(encOID), new DERNull());
    digestAlgs.add(digAlgId);
    ASN1Set signedAttr = null;
    ASN1Set unsignedAttr = null;
    ASN1OctetString encDigest = new DEROctetString(signatureData);
    ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getTBSCertificate());
    ASN1InputStream aIn = new ASN1InputStream(bIn);
    TBSCertificateStructure tbs = TBSCertificateStructure.getInstance(aIn.readObject());
    IssuerAndSerialNumber encSid = new IssuerAndSerialNumber(tbs.getIssuer(), tbs.getSerialNumber().getValue());
    signerInfos.add(new SignerInfo(new SignerIdentifier(encSid), digAlgId, signedAttr, encAlgId, encDigest, unsignedAttr));
    ASN1Set certificates = null;
    if (certs.size() != 0) {
    ASN1EncodableVector v = new ASN1EncodableVector();
    it = certs.iterator();
    while (it.hasNext()) {
    v.add( (DEREncodable) it.next());
    certificates = new DERSet(v);
    ASN1Set certrevlist = null;
    if (crls.size() != 0) {
    ASN1EncodableVector v = new ASN1EncodableVector();
    it = crls.iterator();
    while (it.hasNext()) {
    v.add( (DEREncodable) it.next());
    certrevlist = new DERSet(v);
    ContentInfo encInfo;
    if (encapsulate) {
    ByteArrayOutputStream bOut = new ByteArrayOutputStream();
    content.write(bOut);
    ASN1OctetString octs = new BERConstructedOctetString(bOut.toByteArray());
    encInfo = new ContentInfo(contentTypeOID, octs);
    else {
    encInfo = new ContentInfo(contentTypeOID, null);
    SignedData sd = new SignedData(new DERSet(digestAlgs), encInfo, certificates, certrevlist, new DERSet(signerInfos));
    ContentInfo contentInfo = new ContentInfo(PKCSObjectIdentifiers.signedData, sd);
    return new CMSSignedData(content, contentInfo);
    catch (Exception e) {
    throw new Exception(e.getMessage());
    }Bye.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
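    Because the SignerInfo above is assembled by hand (no signed attributes, the DigestInfo built by buildBits and the digest OID set separately), it is worth checking the resulting file with an independent CMS implementation before relying on it. The following checker is an added example, not code from the post or from the IAIK or BouncyCastle projects; it uses BouncyCastle's bcpkix CMS API (the modern org.bouncycastle.cms/cert classes, not the legacy asn1 types used above). The file path C:\Temp\test.p7m is taken from the post, the provider name "BC" and the class name VerifyP7M are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.Store;

/**
 * Added example (not from the post): independent check of a CMS/PKCS#7 SignedData
 * file such as the test.p7m written by MakeSignature. For every SignerInfo it finds
 * the signer certificate embedded in the message by IssuerAndSerialNumber, verifies
 * the signature over the encapsulated content and reports the algorithm OIDs, so a
 * malformed DigestInfo or a wrong digest/encryption OID shows up as a failed check.
 */
public class VerifyP7M {

  /** Outcome for one signer. */
  public static final class SignerCheck {
    public final String subject;         // signer certificate subject, or the SID if no cert found
    public final String digestAlgOid;    // e.g. 1.3.14.3.2.26 means SHA-1, as used in the post
    public final String signatureAlgOid; // e.g. 1.2.840.113549.1.1.1 (rsaEncryption)
    public final boolean certValidNow;   // notBefore <= now <= notAfter (no chain/revocation check)
    public final boolean signatureValid; // cryptographic verification against the embedded cert

    SignerCheck(String subject, String digestAlgOid, String signatureAlgOid,
                boolean certValidNow, boolean signatureValid) {
      this.subject = subject;
      this.digestAlgOid = digestAlgOid;
      this.signatureAlgOid = signatureAlgOid;
      this.certValidNow = certValidNow;
      this.signatureValid = signatureValid;
    }

    @Override
    public String toString() {
      return "signer=" + subject + " digest=" + digestAlgOid + " sigAlg=" + signatureAlgOid
          + " certValidNow=" + certValidNow + " signatureValid=" + signatureValid;
    }
  }

  /** Parses the DER-encoded SignedData and checks each signer. */
  public static List<SignerCheck> verify(byte[] p7m) throws Exception {
    if (Security.getProvider("BC") == null) {
      Security.addProvider(new BouncyCastleProvider()); // provider name "BC" assumed
    }
    CMSSignedData signedData = new CMSSignedData(p7m);
    Store<X509CertificateHolder> certs = signedData.getCertificates();
    SignerInformationStore signers = signedData.getSignerInfos();
    List<SignerCheck> results = new ArrayList<>();
    for (SignerInformation signer : signers.getSigners()) {
      // SignerIdentifier in the post is IssuerAndSerialNumber; SignerId is a Selector on it
      Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID());
      if (matches.isEmpty()) {
        // no certificate for this SignerInfo was carried in the message: cannot verify
        results.add(new SignerCheck(signer.getSID().getIssuer() + " / " + signer.getSID().getSerialNumber(),
            signer.getDigestAlgOID(), signer.getEncryptionAlgOID(), false, false));
        continue;
      }
      X509CertificateHolder holder = matches.iterator().next();
      boolean valid;
      try {
        valid = signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(holder));
      } catch (CMSException e) {
        valid = false; // e.g. the signature value does not decode to a DigestInfo matching the content
      }
      results.add(new SignerCheck(holder.getSubject().toString(), signer.getDigestAlgOID(),
          signer.getEncryptionAlgOID(), holder.isValidOn(new Date()), valid));
    }
    return results;
  }

  public static void main(String[] args) throws Exception {
    String path = args.length > 0 ? args[0] : "C:\\Temp\\test.p7m"; // output path used in the post
    byte[] p7m = Files.readAllBytes(Paths.get(path));
    for (SignerCheck check : verify(p7m)) {
      System.out.println(check);
    }
  }
}
```

    Run it with the .p7m produced above as the only argument. signatureValid true confirms that the raw RSA_PKCS output from the token, the DigestInfo from buildBits and the digest OID written into the SignerInfo are consistent with each other. It says nothing about trust: the check is against the certificate carried inside the message, so chain building to a trust anchor and revocation checking are still needed separately, and the digest OID printed for the post's code will be SHA-1, which a verifier may reject by policy.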
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  

  • User enrolled via API does not appear to be enrolled within Connect

    Posting this here because it appears I have stumped the band over at connectusers.com...
    Using the API to access our hosted account I am able to:
    Login as a user (administrator or normal user)
    Add a user
    Change user password
    List all of the SCOs that the user has access to
    List the response to the report-my-training action
    I am attempting to enroll a user by calling permission-update. It appears to work because the status returned is "ok". When I connect to the API as the user and call report-my-training the curriculum appears in the response. So far, so good.
    Next, I accessed Adobe Connect via a web browser and logged in as the user. The curriculum I thought I enrolled the user in appears in the training catalog. The first sign of trouble is that the enrollment status is reported as "You are currently not enrolled."
    If I direct the user to the curriculum using a URL like "http://hosted-account.acrobat.com/p31959044/?session=na1breezyxxxxxxxxxxxxxxx" the browser is redirected to a page that shows the title of the curriculum, but nothing more (blank white page).
    What am I missing or doing wrong?

    Thank you for your reply Loren.  Unfortunately I don't currently have access to the remote side's crypto configuration, since they are an external entity.  However, I can check in and see if I can get that info.
    Hopefully this is the information that you requested:
    access-list Outside_27_cryptomap extended permit tcp object 20.0.0.106 object Remote_Server object-group RemoteSite
    Result of the command: "sh access-list Outside_27_cryptomap"
    access-list Outside_27_cryptomap; 1 elements; name hash: 0x3a48e673
    access-list Outside_27_cryptomap line 1 extended permit tcp object 20.0.0.106 object Remote_Server object-group RemoteSite (hitcnt=36) 0xce74f220
      access-list Outside_27_cryptomap line 1 extended permit tcp host 20.0.0.106 host 188.1.1.69 eq 204 (hitcnt=36) 0xdd218de0
    Again, thank you for your help.

  • ADCS certificate enrollment error with RPC

    I'm attempting to enroll in a computer certificate that works for Windows clients (W7), but not for the Apple (OS 10.9.4) clients.  I've been using the following document, with no success (http://support.apple.com/kb/HT5357).  The enrollment is being attempted from a mobileconfig generated from an OS X server.  The payload is limited to only ADCertificatePayload to limit how much to troubleshoot.  We are also limiting the enrollment to a single Issuing CA to limit where to look for communication.  I greatly appreciate any assistance you can provide.
    This is the ManagedClient.log from /Library/Logs:
    +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+|||||||||||||| Calling installPayload on plugin: ADCertificatePayloadPlugin ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin scheme overrides HTML to use RPC; scheme = (null)
    Sep  3 13:44:20[562:1]:+ADCertificatePayloadPlugin using RPC = YES
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.boundADInformationWithError dict =
        computerID = AppleWorkID;
        domainName = "FQDN.com";
        name = domainname;
        subject = "/CN=AppleWorkID.FQDN.com";
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.credentialsForDomain domainname = domainname; username = AppleWorkID$
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer credentials username = AppleWorkID$
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer gss_aapl_initial_cred status = 0
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer running as euid = 0
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
    Sep  3 13:44:21[562:1]:+Using RPC authn_level: 6
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name:  host/IssuingCA.FQDN.com
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer dwFlags is ff
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
    Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
    Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
    Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED
    Sep  3 13:44:21[562:1]:+**************** AD certificate getCertificateFromServer failed
    Sep  3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
    Sep  3 13:44:21[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail
    Sep  3 13:44:21[562:1]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7fbd4157b540 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin
    The template, 'AppleWorkstation' template seems to have all the settings set correctly, but I'll go through them all.
    General: Both display name and template name = "AppleWorkstation"
    Compatibility-> CA: Windows Server 2008 R2
    Compatibility->Certificate recipient: Windows 7 / Server 2008r2
    Request Handling->Purpose:Signature and Encryption
    Cryptography->Algorithm name:RSA
    Cryptography->Minimum key size:2048
    Cryptography->Request hash:SHA256
    Security: Both the windows and mac domain computer objects have (read,enroll, autoenroll).
    Subject Name->Build from this Active Directory information: Subject name format: common name
    Subject Name: Only UPN is checked
    The schema version of the template is 3 and the version of the template is 100.43
    Both computers are joined to the Active Directory 2008 r2 domain.  Certificate services exist within the site on their own dedicated servers.  The CA's are as follows: 1x 2012r2 for offline root and 2 x Issuing CA's.
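    The decimal -2147024809 in the log above is the signed form of HRESULT 0x80070057 (FACILITY_WIN32, code 87 = ERROR_INVALID_PARAMETER), which points at a malformed request rather than a permissions problem. The following is an added example, not from the poster or from Apple's tooling, that extracts the CertServerRequest return value from ManagedClient.log lines and decodes it; the sample lines are constructed after the excerpt and the small name table is an assumption.

```python
import re

# Constructed sample in the shape of the ManagedClient.log excerpt above.
SAMPLE_LOG = """\
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
Sep  3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
Sep  3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
Sep  3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
"""

# Assumed subset of Win32 error names (facility 7) that CertServerRequest may surface.
WIN32_NAMES = {
    0x05: "ERROR_ACCESS_DENIED",
    0x57: "ERROR_INVALID_PARAMETER",
}

FACILITY_WIN32 = 7
ERROR_RE = re.compile(r"ERROR: CertServerRequest (-?\d+)\s*$")


def decode_hresult(value):
    """Reinterpret the signed 32-bit value the plugin logs as an HRESULT and split it."""
    hr = value & 0xFFFFFFFF              # two's complement -> unsigned 32-bit
    severity = (hr >> 31) & 0x1          # 1 = failure
    facility = (hr >> 16) & 0x7FF        # 7 = FACILITY_WIN32
    code = hr & 0xFFFF                   # Win32 error number when facility == 7
    if facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code, "UNKNOWN_WIN32_ERROR")
    else:
        name = "NON_WIN32_FACILITY"
    return {"hresult": f"0x{hr:08X}", "severity": severity,
            "facility": facility, "code": code, "name": name}


def find_cert_request_errors(log_text):
    """Decode every 'ERROR: CertServerRequest <number>' line; lines without a number are skipped."""
    results = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            results.append(decode_hresult(int(m.group(1))))
    return results


if __name__ == "__main__":
    for r in find_cert_request_errors(SAMPLE_LOG):
        print(r)
```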

    Hi Alexander,
    But by group should work by design or did I get something wrong
    I am not sure that I understand this query correctly, I’ll just put it this way, feel free to correct me if I misunderstood:
    Access control assignment on a group will grant corresponding permissions to all members within it, it’s called inherited permissions.
    If there is a direct access control entry which assigns permissions to
    single security principal belonging to the group, then the direct permissions take precedence, it’s called explicit permissions.
    Well, if a security principal belongs to two/multiple groups, and each group gets conflicting permissions, then the more
    restricted (deny or not allow) ones take precedence. This rule goes the same with explicit permissions, more restricted ones have higher precedence.
    In addition, here are some scripting forums below for you if there are any scripting requirements:
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Windows PowerShell Forum
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell&filter=alltypes&sort=lastpostdesc
    MSDN Forums
    https://social.msdn.microsoft.com/Forums/en-US/home
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
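    A small model of the precedence rules in Amy's reply, added here as an example (not from the thread and not a reimplementation of the Windows access check): entries naming the user directly override entries inherited through group membership, and at the decisive level a single Deny outweighs any Allow. The group membership, ACL entries and principal names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry (constructed model): who, which right, Allow or Deny."""
    principal: str
    right: str
    allow: bool


# Constructed group membership: alice sits in two groups with conflicting entries.
GROUP_MEMBERS = {
    "Enrollers": {"alice", "bob"},
    "Contractors": {"alice", "carol"},
}

# Constructed ACL on a certificate template, mixing group and direct entries.
SAMPLE_ACL = [
    Ace("Enrollers", "Enroll", allow=True),
    Ace("Contractors", "Enroll", allow=False),   # conflicts with the Enrollers grant
    Ace("bob", "Enroll", allow=False),           # direct Deny on bob
    Ace("carol", "Enroll", allow=True),          # direct Allow on carol
    Ace("Enrollers", "Read", allow=True),
]


def groups_of(user):
    """Groups the user belongs to (inherited permissions flow through these)."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def effective(user, right, acl):
    """Apply the reply's rules: no entry -> no access; direct entries beat group
    entries; among the entries that decide, any Deny beats every Allow."""
    principals = {user} | groups_of(user)
    matching = [a for a in acl if a.right == right and a.principal in principals]
    if not matching:
        return False
    direct = [a for a in matching if a.principal == user]
    decisive = direct or matching          # explicit level wins when present
    return all(a.allow for a in decisive)  # one Deny at that level is enough


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "Enroll:", effective(user, "Enroll", SAMPLE_ACL),
              "Read:", effective(user, "Read", SAMPLE_ACL))
```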
