Certificate in .pfx file
Hello everybody,
Is someone able to tell me if it is possible to handle Certificate object while the correponding certificate is stored in a .pfx file.
If it is, can you tell me also if the type of the certificate remains "X.509"?
Vincent
You can read pfx files with JCE IAIK.
jcewww.iaik.at/products/jce/index.php
Similar Messages
-
Importing personal certificate from pfx file
Using iPhone configuration utility 3.5.0, Is it poosible to import a perosnal certificate using a .pfx file.
When I try to miport it only lists certificates in the personal certificate store on windows machine? It doesn't allow me to import a certificate from a file.I am pretty sure that you can mail this certificate to an email account you can access on your iPad. Then when you open the certificate file it will be imported
-
Hi Guys
I need to add a digital certificate to a clients customer statements and invoices. XML Publisher 5.6.3 has been used originally to design the templates as RTF. I have the following questions please...
1. Can an RTF template be used or do I need to convert it to a pdf template?
2. Can XML publisher even be used or do I need to get the DBAs to install BI Publisher. XML Publisher doesn't even have the signature properties in the admin screens that BI Publisher has.
Below is a copy of the xdo.cfg file which currently does not add the pfx file...
<config version="1.0.0" xmlns="http://xmlns.oracle.com/oxp/config/">
<properties>
<property name="system-temp-dir">/tmp</property>
<property name="pdf-security">false</property>
<property name="pdf-open-password">testpass</property>
<property name="pdf-permissions-password">testpass</property>
<property name="pdf-encryption-level">1</property>
<property name="pdf-no-printing">true</property>
<property name="pdf-no-changing-the-document">true</property>
<property name="signature-enable">true</property>
<property name="signature-pkcs12-path">/app/oracle/product/appldev/apps/apps_st/appl/xdo/12.0.0/resource/digcert.pfx</property>
<property name="signature-pkcs12-password">testpass</property>
<property name="signature-field-location">top-left</property>
<property name="signature-reason">taxreasons</property>
<property name="signature-signed-at">Cape Town</property>
<property name="signature-display-style">detailed</property>
</properties>
</config>
Any help will be greatly appreciated.thanks for the summary of the many posts and threads describing all of these steps.
-
Unable to Export certificates as Personal Information Exchange - PKCS #12 (.PFX) file format.
We are using Windows 2003 Certificate Authorities, and we are unable to Export certificates as .PFX, our only options are, DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), or Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B). The .PFX option is grayed out in the Certificate Export Wizard on the CA.
This posses a problem because our Windows 2008 server running IIS 7 wants us to import a certificate as .PFX
can someone explain what is happening and how to fix it pleaseGreg --
The private key doesn't exist on the CA, but it does exist on the computer on whic you created the request. Here's what happens when you request a certificate.
If you're generating a request with a new key pair -- which you will in the vast majority of cases -- Windows first generates the public and private key pair. The private key is written to a key store. Where the key store is located will depend on which
Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) is specified in the template. KSPs were introduced in Windows Server 2008/Vista, and are only available in v3 templates. In the case of most of the default Microsoft CSP/KSPs (with the exception
of those used with Smart Cards), the key store is located in either the user's profile, or in the case of computer certificates, the All Users profile. It is at this point, by the way, that the properties of that private key are also written to the key store.
One property of interest to you immediately is whether or not Windows should allow the private key to be exported.
Once the key pair is generated, the request is then created. The request contains the information that should be in the certificate. This information is generally specified by the template with the exception of the Subject field, which contains the Common
Name or Distinguished name of whoever is requesting the certificate. In the case of IIS, the Subject will be your site name. The public key is included in the request. Windows then signs the request with the newly created private key.
Windows also creates a dummy certificate object in the Certificate Enrollment Requests store so that it knows that there is an outstanding request.
At this point, the request is saved to a file or sent to an online CA depending on how you generated the request. Note that the private key is
not sent to the CA in most cases. The exception to this rule occurs when you have Key Archival enabled on the CA, and the template specifies that the private key should be archived in the CA database. If this is the case, Windows retrieves
the CA Exchange certificate from the CA and uses the public key in that certificate to encrypt the newly created private key. This encrypted private key is included in the request.
Once the CA receives the request, it processes that request to determine if it should issue the certificate or not. In the case of the Enterprise CA, this decision is based on the permissions on the template. One can also specify that certain templates
require CA manager approval before they can be issued. Assuming that everything is correct in the request, and that the necessary information can be retrieved from Active Directory (perhaps the user's email address, or the computer's DNS host name -- it depends
on the settings in the template), and that any CA Manager approvals specified in the template have been performed, the CA builds the certificate and signs it with its current private key. The certificate has been created.
This certificate is stored in the CA database, which is why you can export it in the Certificate Authority snap-in. If the encrypted private key for that certificate has been included in the request to be archived, the CA decrypts it first with its CA Exchange
private key, and then re-encrypts it using the public key(s) for any Key Recovery Agents configured on the CA. The newly encrypted private key is also stored in the CA database. Note that this encrypted private key can only be retrieved and decrypted
by a valid KRA.
The CA then returns the certificate to principal who requested it. If the request was first saved as a file and then submitted to the CA you have to retrieve the certificate manually. It is only returned automatically if you submitted the request via the
Certificiates MMC, or if the application you use to submit the request retrieves it for you. IIS does this, when you use the certificate request wizard to request a Web Server certificate.
When the client has received the certificate, it locates the dummy certificate object in the Certificate Enrollment Requests store. From this object, Windows copies the location of the key store for the private key (among other things). This dummy certificate
object is then deleted, and the new certificate is imported into the Personal store. The private key information is then written to an internal property of the certificate in the store. This is how Windows locates the private key of that certificate in order
to use it when you invoke the associated certificate.
When you go to export the certificate and private key, Windows reads the private key locate information from the certificate properties in order to find the key store wherein it is located. Assuming export is allowed, the certificate and private key are written
to a password protected PFX file.
That's how a certificate request gets turned into a certificate, and explains why the private key doesn't exist on the CA. If you need to generate a PFX file, then you'll have to export the certificate from the computer on which you generated the request.
Hope this helps.
Jonathan Stephens
Jonathan Stephens -
Help : How to import .pfx file to keystore
Hi,
I need to generate digital signature for some data string. I got the pfx file with password blank.
it shows the following detailsusing keytool.
keytool -list -keystore rating/ebs/scripts/MPay_certificate_11072003.p12 -storetype pkcs12
unknown attr1.3.6.1.4.1.311.17.1
Enter keystore password:
unknown attr1.3.6.1.4.1.311.17.1
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry
c1e673ff559b00e86a399a1b21e4aed2_6ee3fa08-8ba8-4ff1-a8fd-01031842a3a3, Aug 18, 2003, keyEntry,
How can I generate the keystore file and know the private key alias so that i can generate the sign using sign().
thanks in advance.
RanjanIt is possible to import a .p12 file into a keystore with a small Java program...
I found a sample to do this about a year ago, the source page is no longer valid. I have made some slight modifications to the original program, but left credit to the original author in the top (to the best of my knowledge).
Sample execution being:
$ java KeyStoreMove PKCS12 ~/igo.p12 p12-pas JKS ~/.keystore key-pas
Source alias: lester igo id #2
Rename alias to [<return> to keep original alias]: my-cert
New alias: my-cert
importing key lester igo id #2
keystore copy successful
* This code has been downloaded from the internet and contained no license.
* The Source for this was: http://home.istar.ca/~neutron/Thawte/KeystoreMove.txt
* The Page referencing it was: http://home.istar.ca/~neutron/Thawte/index.html
* The author appears to be:
* Michel I. Gallant
* [email protected]
import java.io.*;
import java.security.*;
import java.util.*;
public class KeyStoreMove {
public static void main(String args[]) throws Throwable {
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
if (args.length<6) {
System.out.println(
"\nKeyStoreMove Usage: \njava KeyStoreMove <source> <destination> where\n" +
" <source> and <destination> are " +
"<storetype> <keystore> <password>\n");
System.out.println(" - Requires jsse for PKCS12 keystore support \n" +
" - source storetype can be JKS or PKCS12\n" +
" - destination storetype must be JKS type (PKCS12 write not supported)\n") ;
System.exit(0);
FileInputStream in;
// -------- Load source keystore to memory ---------
in = new FileInputStream(args[1]);
KeyStore ksin = KeyStore.getInstance(args[0]);
char[] pwin = args[2].toCharArray();
if (pwin.length==0) { pwin = null; }
ksin.load(in,pwin);
in.close();
// -------- Load destination keystore initial contents to memory ---------
in = new FileInputStream(args[4]);
KeyStore ksout = KeyStore.getInstance(args[3]);
char[] pwout = args[5].toCharArray();
if (pwout.length==0) { pwout = null; }
ksout.load(in,pwout);
in.close();
//--------- Main Loop to get keys/certs from source keystore ------------
BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
Enumeration en = ksin.aliases();
while (en.hasMoreElements()) {
String alias = (String) en.nextElement();
if (ksout.containsAlias(alias)) {
System.out.println(args[4] + " already contains " + alias + " Key will not be copied.");
continue;
// ------- Ask user if alias of source key/cert should be renamed -----------
System.out.println("Source alias: " + alias);
System.out.print("Rename alias to [<return> to keep original alias]: ") ;
String newuseralias = stdin.readLine().trim() ;
if (newuseralias.equals("")){
newuseralias=alias;
System.out.println("Original alias used") ;
else {
System.out.println("New alias: " + newuseralias) ;
if (ksin.isCertificateEntry(alias)) {
System.out.println("importing certificate " + alias);
ksout.setCertificateEntry(newuseralias, ksin.getCertificate(alias));
if (ksin.isKeyEntry(alias)) {
System.out.println("importing key " + alias);
ksout.setKeyEntry(newuseralias, ksin.getKey(alias,pwin), pwout,ksin.getCertificateChain(alias));
//--------- End main loop ----------------------
//--------- Overwrite the destination keystore with new keys/certs --------------
FileOutputStream out = new FileOutputStream(args[4]);
ksout.store(out,pwout);
out.close();
System.out.println("keystore copy successful\n") ;
System.exit(0); -
How to convert a PFX file into mobileconfig format?
Hi,
I'm trying to automate the task of creating a mobileconfig file with a client certificate in it.
I understand that this is some kind of base64 encoding, but I don't get what they're encoding.
My PFX files are protected with a password (Although I tried to create a PFX without the password, and the base64 version of it differs from the .mobileconfig from iPCU version of it).
I already saw Alginald99 tip in: https://discussions.apple.com/message/15080631
That tip didn't work for me. When I convert my PFX file to base64, the encoded string is nothing like the string in the .mobileconfig I created by iPCU.
Alginald99 - If you're still hang here - please help!
Thanks,
Bar.Yes, the key container GUID and the cert container GUID are different. That's normal.
You can reproduce this:
Delete the cert in windows mmc/certificate console, reimport the same cert in mmc/certificate and import this cert in iPCU. You can see the difference in mobileconfig.
Catch only the cert part from mobileconfig and dump it with <certutil.exe -v user.enc>. You see different container GUIDs.
I hope this helps. -
Not able to install PFX file on my Q10.
I need to run a PFX file on my Q10 in order to setup my corporate activesync.
I was previous able to do so on my BB Bold (using Astrasync) as my Activesync client.
However, i cannot seem to open .PFX file on the Q10.
Error message is "Unable to open XXX.pfx"
Any ideas?Hey limmie.
Welcome to the BlackBerry Support Community Forums.
Can you please clarify what you are trying to do with the .pfx file? If you are looking to import the pfx certificate, you can do so by perfoming the following form your BlackBerry Q10 Smartphone.
Tap Settings > Security and Privacy > Certificates > Import.
If you need the pfx file for another reason please let me know in as much detail as possible. I look forward to your response.
Cheers.
-Sawks
Come follow your BlackBerry Technical Team on Twitter !@BlackBerryHelp
Be sure to click Like! for those who have helped you.
Click Accept as Solution for posts that have solved your issue(s) -
Provider hosted App certificates (.cer & .pfx)
I have a implemented a provider hosted App inside the SharePoint 2013 server (the certificates .cer & .pfx taken from the IIS of same server) and able to get the result. However I am not clear about taking the certificates in the multi server
environment (SharePoint Server & IIS server for remote web app).
can anyone please suggest from which server (Sharepoint Server or IIS server) do I need to take the .cer & .pfx files to configure multi server environment ?
ThanksHi,
According to your post, my understanding is that you want to create a provider hosted app and use NLB in premise environment.
You need to use a different certificate on this ‘Listener’ web application.
Configuring SharePoint 2013 Apps and Multiple Web Applications on SSL with a
Single IP Address
For more information, you can refer to:
Aspiring Architect: Sharepoint 2013 - Avoiding Azure on Dev Box
More TroubleShooting Tips for High Trust Apps on SharePoint 2013
You need to ensure that all connections to the SharePoint servers are secure and encrypted
Best Regards,
Linda Li
Linda Li
TechNet Community Support -
Hi All,
I want .pfx file.I searched in my portal also.But i didnt get that file.Can anyone help me regarding this.
Quick response will be helpful to me.
Thanks & regards
Anirudhhi
good
pfx file usually contains the private key and the certificates supporting it. I would suggest you open the pfx file using windows and copy the certificates into your desktop. Then you can import the certificate in PEM format into your trusted certificates folder.
another way of doing it is by using an identity file.
I would suggest logging on power.tibco.com and look for using BW with SSL. It is a comprehensive security document with example on BW(SOAP over HTTP), JMS and Adapter using SSL.
thanks
mrutyun -
CSS 11503 SSL Module: .pfx file export to sftp
Hello
I wanted to know of there was a way to export the .pfx files off of the SSL Module to an SFTP server.....preferably in bulk not one at a time. I want a central storage location for these files in the event that the CSS or the SSL module crashes.
ThanksHi Jay,
Sure you can export the .pfx files out of the CSS but you need to do this one by one, there is no way you can get them out all at once.
To export the files you first need to define your SFTP server IP address, username and passwd:
CSS(config)# ftp-record SFTP_Server 10.10.10.1 username "password"
Once you have the file name you need to enter this command:
CSS# copy ssl sftp SFTP_Server export Certificate.pfx PKCS12 "passphrase" "password"
: This is the password used to protect the file when it was created.
: This is a local significant password on the CSS used when the file was
imported into the box.
* If you don't know these passwds you can't export the files out of the CSS.
HTH
Pablo -
Automatically install PFX file
Hi
I have created a PFX file internally in my orgainisation and I have encrypted internal documentation via PDF with this certificate. I want to deploy the certificate to all the desktops in my Domain however I do not want to do this manually. Is it possible to do this via a GPO or script.
I installed the certificate in the trusted Certificates via a GPO but when I open the PDF on a domain machine I get an Error that the certificate is not installed. I can install the certificate manually and then I am able to open the document with no issues
Any ideas on Scripts or GPO installation
Many Thanks
GaryHey limmie.
Welcome to the BlackBerry Support Community Forums.
Can you please clarify what you are trying to do with the .pfx file? If you are looking to import the pfx certificate, you can do so by perfoming the following form your BlackBerry Q10 Smartphone.
Tap Settings > Security and Privacy > Certificates > Import.
If you need the pfx file for another reason please let me know in as much detail as possible. I look forward to your response.
Cheers.
-Sawks
Come follow your BlackBerry Technical Team on Twitter !@BlackBerryHelp
Be sure to click Like! for those who have helped you.
Click Accept as Solution for posts that have solved your issue(s) -
Custom certificates for JAR file signing
Hi,
Can anyone please let me know how to check that we have custom certificates for JAR file signing set up in our instance
Thanks,
PraveenIt depends on the version of your $ADJVAPRG. See the referenced note.
How to use,create and /or update Digital Certificates for Jinitiator in 11i Applications
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=365735.1 -
All,
I am trying to store a .pfx file in mysql.
What is the best way to do this?I'm using mysql, no CLOB only BLOB.
Currently I am trying to base64 encode the .pfx text and store it into a longtext field.
The problem is when I retrieve it:
Exception in thread "main" java.io.IOException: toDerInputStream rejects tag type 114
at sun.security.util.DerValue.toDerInputStream(DerValue.java:806)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1201)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.emoneyadvisor.services.util.ThirdPartyCertificate.<init>(ThirdPartyCertificate.java:29)
at emoneyjava.Emoney.main(Emoney.java:135)My cert is already made and I'm not going to change the format.
Any ideas on how I can easily resolve this?
I guess I understand that java is not understanding the format.
Here I get the contents of the cert file:
import com.Ostermiller.util.Base64;
public static String getFileContents(String filename) throws IOException {
File file = new File(filename);
InputStream is = new FileInputStream(file.getPath());
// Get the size of the file
long length = file.length();
// Create the byte array to hold the data
byte[] bytes = new byte[(int)length];
// debug - init array
for (int i = 0; i < length; i++){
bytes[i] = 0x0;
// Read in the bytes
int offset = 0;
int numRead = 0;
while (offset < bytes.length && (numRead=is.read(bytes, offset, bytes.length-offset)) >= 0) {
offset += numRead;
// Ensure all the bytes have been read in
if (offset < bytes.length) {
throw new IOException("Could not completely read file "+file.getName());
// Close the input stream and return bytes
is.close();
String id = null;
try {
ByteArrayOutputStream baos = new
ByteArrayOutputStream();
ObjectOutputStream stream = new
ObjectOutputStream(baos);
stream.write(bytes);
stream.flush();
stream.close();
id = new
String(Base64.encode(baos.toByteArray()));
} catch(Exception ex) {
ex.printStackTrace();
return id;
}Using setString with PreparedStatement I add the cert to the LONGTEXT field.
Then I use this to retrieve the cert:
public static InputStream getCert(String coid){
InputStream is = null;
Connection conn = null;
PreparedStatement pstmt = null;
String sql = "select cert from table where coid = ? limit 1";
String cert = null;
try{
conn = TradeHelper.connect();
pstmt = conn.prepareStatement(sql);
pstmt.setString(1, coid);
ResultSet rs = pstmt.executeQuery();
while(rs.next()){
cert = rs.getString("cert");
}catch(Exception e){
e.printStackTrace();
}finally{
try{
TradeHelper.closeConnection(conn);
pstmt.close();
}catch(Exception e){
e.printStackTrace();
Base64.decode(cert);
//lets get an inputstream on the cert.
try {
is = new ByteArrayInputStream(cert.getBytes("UTF-8"));
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
return is;
}Edited by: iketurner on Apr 14, 2010 10:08 AM -
Adobe Air SDK for IOS, i'm searching for a week to get the certificate and provisioning files
Adobe Air SDK for IOS, I'm searching for a week to get the certificate and provisioning files!!
Please help me to get the certificate and provisioning files and I should pay to have these files.
ThanksApple doesn't provide support for third-party development tools.
You need to post in the Adobe forums.
You need a paid developer account to install apps on an iOS device. -
I'm trying to install a PFX file onto a Cisco 1941 but cannot find instructions for this. I've found similar instructions but these are for ASA's and seem to only give instructions of doing it via the wenb interface.
Can anyone point me in the right direction?
Thanks
AndrewHello,
As you mentioned some users in your organisation are facing this issue, is there any user profile difference between the working and non working ones? Also do you face the same issue with the admin accounts as well?
Try to upgrade the Reader to the latest version, see if that helps.
~Deepak
Maybe you are looking for
-
Something went wrong to the system of my client and they reloaded old configuration from QA to PRD server. Situation before the system crash: When you create a "replacement" order, the price of the item is "automatically" zero. It allows zero cost of
-
Very much regret upgrading to Infinity!
We were plagued by calls from the company BT use to sell Infinity for over a year, often receiving 2 calls per week! We were quite happy with standard broadband which was fast enough for our BB needs and didn't want to incur any additional monthly co
-
HI Experts, does enyone know the name of direct input, which transfer commodity code to SAP? I can't do it by batch input recording becouse i don't have direct transaction in spro to filling the commodity code. Thanks for reply Kasia.
-
Spawning Enemies to Stage in Flash AS3
I have the enemies appearing on my stage and spawning accordingly. I have the location on where I want them to spawn. The problem is that they are spawning on the first frame of my game which is the main menu before entering the actual playing fi
-
Is there an imminent upgrade likely for N95-1 handsets that are on the 3 network in the UK? It is saying that my most recent software version is 20.0.015 instead of 21. Solved! Go to Solution.