Certificate key usage in standalone CA

I have a problem with a standalone sub CA.
The certificate must be able to sign Outlook mails, encrypt them and sign Word documents, so in certqtp.inc I've changed the rgAvailReqTypes parameter for my certificate:
rgAvailReqTypes(0,FIELD_OID)="1.3.6.1.4.1.311.10.3.12, 1.3.6.1.5.5.7.3.4, 1.3.6.1.5.5.7.3.2, 1.3.6.1.4.1.311.10.3.4"
After that, the key usage field of enrolled certificates has changed to "data encryption (20)", but I don't know why. So with this key usage I can sign documents, can encrypt mails, but can't sign them (key usage must contain digital signature).
How do I change the key usage field in a standalone CA?

Hi,
Since you are using standalone CA, certificate templates won’t be used, therefore, you need to configure .inf file to achieve your goal.
Here are some related links below I suggest you refer to:
How do I set the keyUsage field in my offline, stand-alone root CA certificate to Critical=Yes?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/406ce00d-5a29-483e-9b81-7d4867139dad/how-do-i-set-the-keyusage-field-in-my-offline-standalone-root-ca-certificate-to-criticalyes?forum=winserverDS
How to make a stand-alone certification authority that is running Windows Server 2003 with Service Pack 1 or an x64-based version of Windows Server 2003 compliant with ISIS-MTT version 1.1
http://support.microsoft.com/kb/888180
Certificate Services - Key Usage missing from IPSecIntermediateOffline Certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/3f96b352-5542-4bb0-b5ae-3ca096d16478/certificate-services-key-usage-missing-from-ipsecintermediateoffline-certificate?forum=winserversecurity
Best Regards,
Amy Wang

Similar Messages

  • Since latest update, my bookmarked site fails with certificate key usage inadequate, why? (It works fine in windows explorer)

    This worked the day before I got the "Getting Started" screen when I started the browser and still works for co-workers who have not gotten the new version of Mozilla Firefox.

    That could be a problem with the usage of libPKIX in the Firefox 31 and later releases.
    * https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
    It is possible to disable this new feature by disabling libPKIX support, but this is not recommended for security and vulnerability reasons.
    * about:config page: security.use_mozillapkix_verification = false

  • Sign with certificate with 'non-repudiation' key usage only

    Hello,
    We are facing a problem validating digital signatures created by our partners with Adobe Reader. When validating the signature, we get the general 'The signer's identity is invalid' error. The Signature properties -> Certificate tab reports a warning "The selected certificate has errors: Not valid for usage".
    The key usage extension in the certificate that our partners use for signing contains only the 'non-repudiation' element. Still, the intended usage shown on the certificate summary tab is "Sign document".
    The main question is if the problem is related to the specific value of the key usage extension, or it has a different root.
    Thanks in advance,
    Ken

    Hello Steve,
    Thank you very much for the document. In the meantime, we've got permission from our partners to share with you one of the documents we've exchanged with them before. I have uploaded it to Google Docs (https://docs.google.com/open?id=0B1wk9toh5e7AbWNlVGZoY2thY1U), as the forum doesn't allow me to attach documents to a message. Just in case you're not familiar with Google Docs, simply go to the File->Download menu after opening the link in the browser, and you will be able to retrieve and save the original document locally.
    Do I still need to ask them to sign the document you attached above as well?
    We really appreciate your efforts in this regard,
    Ken Ivanov

  • Problem with criticality of key usage extension

    Hi everybody, I'm installing a subca and I'm submitting the request to a standalone CA. I need to make the key usage extension of the subca certificate critical. To do so, after I submitted the request, I ran this command
    certutil -setextension Request_ID 2.5.29.15 1 @File_Name.txt
    (exactly as what is said in the article below), but after the standalone CA issues the request, the key usage extension is not marked as critical.
    http://support.microsoft.com/kb/888180
    Please help me solve this problem, thank you.

    After a lot of trial and error I've found out that when I submit an end-entity request to the CA, I can make the key usage extension critical with the said syntax, but when I submit a subca request to the same CA it detects that it's a subca request and kind of overwrites the criticality for the key usage extension.
    I think it must have something to do with the subca template that the CA applies to the request by default (when the request is from a subca). As I mentioned before, it's a standalone CA; I don't understand why it should use any template at all. How can I change the default setting for the subca template or tell the CA not to apply any templates?
    anyway, here is a copy of my request, thank you

  • Key usage extension on Signature.initVerify method

    Hi,
    I've a problem with method in object: my application tries to verify all CA-certs stored on a p12 file, but when I added some new certs with key usage extension it never works.
    I found on initVerify(Certificate) documentation the following information: If the certificate is of type X.509 and has a key usage extension field marked as critical, and the value of the key usage extension field implies that the public key in the certificate and its corresponding private key are not supposed to be used for digital signatures, an InvalidKeyException is thrown.
    In fact, if I try to use initVerify with PublicKey (initVerify(PublicKey)), it works correctly.
    Unfortunately I don't understand what is the difference between the first check (Certificate) and the second (PublicKey). Can I do a correct check also with Certificate.getPublicKey?
    Thanks.

    see this thread: http://forum.java.sun.com/thread.jspa?threadID=469244&tstart=0

  • X509v3 key usage in JWS 1.4.2

    I'm experiencing problem loading signed jar in 1.4.2. The same jar is working fine with JWS 1.0.1. Webstart loads the jar then complain with a message box
    "Warning: Failed to verify the authenticity of this certificate because there was an error parsing the certficate. No assertions can be made of the origin or validity of the code. Installation and running this code is not allowed"
    Strange enough, if I start the same application in 1.0.1 first and exit. Then start the same application using 1.4.2, it works. However, if I clear the cache and run it on 1.4.2, it ceases to work again. It seems to be some caching issues there.
    My question is "Has jws 1.4.2 changed in terms of reading the X509 certificate?" My bet is to do with my x509v3 certificate with a key usage set to
         X509v3 Key Usage: critical
         Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
    Otherwise, I can't really see anything wrong with my certificate.
    Any help would be really appreciated

    Thanks for the help. I managed to track it down to the certificate extension. I'm wondering if my certificate has key usage " DigitalSignature + Non_repudiation + Key_Encipherment + Key_Agreement", does it mean it's not valid to use that to sign a jar? Or that's just something the JCE provider is not recognising? Thanks in advance if anyone can shed some light.
    William
    failed extension check: [
    Version: V3
    Subject: CN=XXXXX, L=LeSC, OU=Imperial, O=eScience, C=UK
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    ba1078bd 5c94ec07 8d0332df 9a0de0d9 a5ae000a 0a410061 54fd07ea 7594acdc
    93c8a5b8 3913c8c9 73319662 503c956a e97a75c9 4d8477d9 5ff2169e 41948ac8
    99b23686 fb85b5aa 3dbff6d8 0a70dc82 aa92b4a3 92a34323 aae80d1b d526f96e
    5749a10e 7913fe75 60dcab67 fa854182 cd980866 cec5e3bc 120f26b3 e4dbe753
    Validity: [From: Tue Aug 05 11:21:58 BST 2003,
                   To: Wed Aug 04 11:21:58 BST 2004]
    Issuer: [email protected], CN=CA, OU=Authority, O=eScience, C=UK
    SerialNumber: [    0331]
    Certificate Extensions: 12
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 02 38 AB 11 A3 96 80 8B 0D D3 15 2B 08 A5 8E 30 .8.........+...0
    0010: DA B2 DA A8 ....
    [[email protected], CN=CA, OU=Authority, O=eScience, C=UK]
    SerialNumber: [    00]
    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 4B 3A AD 15 5A E0 C3 89 FF 56 A9 B1 68 5B 4D 5A K:..Z....V..h[MZ
    0010: 78 B7 E2 B1 x...
    [3]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 1F 16 1D 55 4B 20 65 2D 53 63 69 65 6E 63 65 ....UK e-Science
    0010: 20 55 73 65 72 20 43 65 72 74 69 66 69 63 61 74 User Certificat
    0020: 65 e
    [4]: ObjectId: 2.5.29.18 Criticality=false
    IssuerAlternativeName [
    [RFC822Name: [email protected]]]
    [5]: ObjectId: 2.16.840.1.113730.1.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 2F 16 2D 68 74 74 70 3A 2F 2F 63 61 2E 67 72 ./.-http://ca.gr
    0010: 69 64 2D 73 75 70 70 6F 72 74 2E 61 63 2E 75 6B id-support.ac.uk
    0020: 2F 63 67 69 2D 62 69 6E 2F 72 65 6E 65 77 55 52 /cgi-bin/renewUR
    0030: 4C L
    [6]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [1.3.6.1.4.1.11439.1.1.1.1.3]
    [7]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
    SSL client
    S/MIME
    [8]: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 16 2E 68 74 74 70 3A 2F 2F 63 61 2E 67 72 .0..http://ca.gr
    0010: 69 64 2D 73 75 70 70 6F 72 74 2E 61 63 2E 75 6B id-support.ac.uk
    0020: 2F 63 67 69 2D 62 69 6E 2F 69 6D 70 6F 72 74 43 /cgi-bin/importC
    0030: 52 4C RL
    [9]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [10]: ObjectId: 2.16.840.1.113730.1.3 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 16 2E 68 74 74 70 3A 2F 2F 63 61 2E 67 72 .0..http://ca.gr
    0010: 69 64 2D 73 75 70 70 6F 72 74 2E 61 63 2E 75 6B id-support.ac.uk
    0020: 2F 63 67 69 2D 62 69 6E 2F 69 6D 70 6F 72 74 43 /cgi-bin/importC
    0030: 52 4C RL
    [11]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://ca.grid-support.ac.uk/cgi-bin/importCRL]
    [12]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature
    Non_repudiation
    Key_Encipherment
    Key_Agreement
    Algorithm: [MD5withRSA]
    exception was: java.security.cert.CertificateException: Invalid Netscape CertType extension
    CertificateException: java.security.cert.CertificateException: Invalid Netscape CertType extension

  • X509 certificate key usage

    Hi, How do I determine if an X509v3 certificate is a client or server certificate?
    I can't find any documentation describing the difference.

    A certificate can have an extended key usage constraint that says it can be used for
    client or server authentication only.
    See rfc 3280: http://rfc-3280.rfc-index.net/rfc-3280-41.htm
    Pavel.
    "Dave Gray" <[email protected]> wrote:
    >
    Hi, How do I determine if an X509v3 certificate is a client or server certificate?
    I can't find any documentation describing the difference.

  • Wrong key usage exception since 7u6

    Hi!
    I have a completely signed (DigiCert) applet, which uses mixed code (JOGL). It worked well before release 7u6. After it, I have these exceptions:
    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
    at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(Unknown Source)
    ... 14 more
    Caused by: java.security.InvalidKeyException: Wrong key usage
    at java.security.Signature.initVerify(Unknown Source)
    at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
    at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
    ... 18 more
    In newest 6u35 and 7u5 it works OK.
    Any suggestions?

    We receive the same error message as described above by user 956556, when certificate validation (CRL, OCSP or both) is activated.
    The certificate is issued by "VeriSign Class 3 Code Signing 2010 CA"
    The extensions are:
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER : basicConstraints [2.5.29.19]
    OCTET STRING :
    SEQUENCE : ''
    SEQUENCE :
    OBJECT IDENTIFIER : keyUsage [2.5.29.15]
    BOOLEAN : 'ÿ'
    OCTET STRING :
    BIT STRING UnusedBits:7 : '80'
    SEQUENCE :
    OBJECT IDENTIFIER : cRLDistributionPoints [2.5.29.31]
    OCTET STRING : ''
    SEQUENCE : ''
    SEQUENCE : ''
    CONTEXT SPECIFIC (0) : ''
    CONTEXT SPECIFIC (0) : ''
    CONTEXT SPECIFIC (6) : 'http://csc3-2010-crl.verisign.com/CSC3-2010.crl'
    SEQUENCE :
    OBJECT IDENTIFIER : certificatePolicies [2.5.29.32]
    OCTET STRING :
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER :  [2.16.840.1.113733.1.7.23.3]
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER : cps [1.3.6.1.5.5.7.2.1]
    IA5 STRING : 'https://www.verisign.com/rpa'
    SEQUENCE :
    OBJECT IDENTIFIER : extKeyUsage [2.5.29.37]
    OCTET STRING :
    SEQUENCE :
    OBJECT IDENTIFIER : codeSigning [1.3.6.1.5.5.7.3.3]
    SEQUENCE :
    OBJECT IDENTIFIER : authorityInfoAccess [1.3.6.1.5.5.7.1.1]
    OCTET STRING :
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER : ocsp [1.3.6.1.5.5.7.48.1]
    CONTEXT SPECIFIC (6) : 'http://ocsp.verisign.com'
    SEQUENCE :
    OBJECT IDENTIFIER : caIssuers [1.3.6.1.5.5.7.48.2]
    CONTEXT SPECIFIC (6) : 'http://csc3-2010-aia.verisign.com/CSC3-2010.cer'
    SEQUENCE :
    OBJECT IDENTIFIER : authorityKeyIdentifier [2.5.29.35]
    OCTET STRING :
    SEQUENCE :
    CONTEXT SPECIFIC (0) : 'CF99A9EA7B26F44BC98E8FD7F00526EFE3D2A79D'
    SEQUENCE :
    OBJECT IDENTIFIER : netscape-cert-type [2.16.840.1.113730.1.1]
    OCTET STRING :
    BIT STRING UnusedBits:4 : '10'
    SEQUENCE :
    OBJECT IDENTIFIER : spcFinancialCriteriaInfo [1.3.6.1.4.1.311.2.1.27]
    OCTET STRING :
    SEQUENCE :
    BOOLEAN : '00'
    BOOLEAN : 'ÿ'

  • How to obtain the Management Certificate Key for using Azure with Release Management

    In the "Release Management" app in administration --> Manage Azure one must provide a "Management Certificate Key".
    I have created a self-signed cert and uploaded it to Azure Portal --> Settings --> Management certificates
    How do I get the key?
    Thanks ))

    Hi Atwater and Sons,
    when you look at the blog post paragraph four you find a link
    Download the settings file from the Azure portal to get your subscription ID and Management Certificate key.
    After you have downloaded the file, open the file with Notepad.
    You will find everything there - except the storage Account Name:
    <PublishData>
    <PublishProfile
    SchemaVersion="2.0"
    PublishMethod="AzureServiceManagementAPI">
    <Subscription
    ServiceManagementUrl="***"
    Id="***"
    Name="***"
    ManagementCertificate="***" />
    </PublishProfile>
    Copy the Id and the ManagementCertificate and paste them into RM (Manage Azure)
    Your Storage Account Name: Blog Post Paragraph four
    Go here to get the name of an existing storage account or add
    a new storage account using the Azure portal.
    Regards,
    Daniel

  • Error  connecting https when certificate key 2048

    Hello,
    I've got the following exception when I tried connecting an HTTPS web server AND when the certificate key > 2048 bits:
    javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLProtocolException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
    The exception occurs when trying to handshake the certificate:
    com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateMsg.<init>
    I tried using jdk 1.4.2_08 and 1.5.0.
    Can somebody help me? Is there a specific workaround or library to use?
    Thanks for your help
    Cédric Braem
    http://www.internetVista.com

    Hi,
    R/3 and EP are running in cross domains.
    ex- R/3 india.ac,in:port/irj/portal
          EP europe.ac.in:port/irj/portal
    There is no web dispatcher for the portal and also for the backend, and there is no additional SSL in the network.
    It is Java Web Dynpro causing the issue when I am trying to access my backend system from the portal from talent management.
    A new window appears with a pop-up and prompts for user ID & password.
    Thanks & regards,
    rahul

  • OS X Support of Certificate Key Length

    I'm trying to import a self signed root certificate for our enterprise into a Lion machine's key chain and I'm getting an error message: "An error occured. Unable to import "<cert name>" Error -67762"
    The certificate has a key length of 8192 bits, signature algorithm of SHA256RSA.
    The subordinate certificate with a key length of 4096 bits, signature algorithm of SHA256RSA.
    Is there a limitation on the certificate key length that OS X Lion supports? Is this planned to be addressed in an update, or is there a way to change this?

    According to this document:
    https://developer.apple.com/library/mac/#documentation/security/Reference/keychainservices/Reference/reference.html
    That error value is errSecInvalidAttributeKeyLength
    And I can confirm that the key length of 8192 bits is indeed the issue, as I came across this problem myself from generating a certificate key at that length.

  • Microsoft communicator certificate key store passw...

    I configured communicator on my N8. Had to install a certificate to access the office network. Am able to access it but every few seconds I keep getting asked for the phone key store password. Is there any way to avoid it? Tried moving the personal certificate as a phone certificate, but that doesn't help with the authentication... any solutions?

    Hi,
    I have recently installed communicator for N8. But it gets stuck at authentication.... Can u provide some insight as to how/where u got the certificate key and how u configured the communicator

  • T431s - Microsoft Certificate / Key - where is it?

    Hi,
    just received my new T431s (which came preinstalled with Windows 7 Professional). I would like to reinstall the OS. The key is not printed somewhere on the machine. I hope :-) it's not under the battery (as the battery is not user replaceable, I would have to open the laptop) and is not part of the documentation that came with the machine.
    Where is the Windows 7 Activation key / Microsoft Certificate?
    Thank you!

    Hi bazzzer,
    Try checking the BIOS of the laptop for an embedded key (usually this is done with Windows 8 only, but things may have changed). I believe you press the enter key immediately after the system turns on. If it's not there, you can download a free program called "belarc advisor" that can find all product keys including the Windows 7 one (assuming you haven't already wiped the OS).
    -Brian
    My Thinkpads: T42 (GPU failure), T60, W530
    W530: Windows 7 Pro | i7-3720qm | FHD screen | 256gb Samsung 840 Pro SSD | 500GB Ultrabay HDD | 16gb Crucial RAM | Nvidia K1000m

  • Need advice for Fn key usage in Motion.

    I am just beginning my usage of Motion 4 and working through Mark Spencer's book. The book keeps referring you to use the Fn keys. But mine don't work the way they are supposed to. I went into System prefs and selected the use all Fn keys and when I go back into the program to use them I press the fn key and the appropriate Fn key (ex. F5 to open the project pane) and all I get is a beep and nothing happens. If I just use the F-F8 procedure it will just add an f or a 5 etc, into the area at the bottom for the current time. Or if I hit the Fn-F8 it opens iTunes. I know I can work it out by using the long way around. But I know it is easier to use the function keys from experience in the CS4 suites. Is there anything I am not trying or something anyone can recommend to make these work properly?
    Thanks,
    Scott

    That's what I have been counting on. However, when I press F5 for example, it takes whatever is on the canvas and replaces the bounding box with a red rectangle. I am somewhat proficient on a Mac but this is the first issue I have come across.

  • OIF-do I need to exchange certificate,keys if using selfsigned certificate?

    I have setup OIF federated authentication and it works between SP and IdP. I think I'm using self-signed certificates.
    With my setup, I did not have to exchange certificate between SP and IdP, however, my customer (IdP side) told me that I need to exchange with them the self-signed certificates and public key/private key.
    Do I need to exchange self-signed certificates and public key/private key between SP and IdP or only third party CA signed certs need to be exchanged?
    Also, to exchange certificate, I thought I just need to add it through "Trusted CAs and CRLs" in EM, but I'm not sure how to exchange public key/private key?
    Thanks

    I got "exchange certificate" working by enabling certificate validation and adding the IdP's certificate to the SP or vice versa. The configuration was done through "Trusted CAs and CRLs" in OIF EM.
    However, I'm not sure what "public key needs to be exchanged" means. Could you please tell me what to do? Or are you saying the public key is part of the certificate and it is exchanged by exchanging the certificate?
    Thanks
