Client certificate question

Similar Messages

• Client Certificate Authentication

  Hi guys
  I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
  We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
  I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
  Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
  any help would be truly appreciated
  Jesus

  If IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
  Users could go to the website of the issuing certificate authorities and make a request.
  I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
  So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
  I'll look further though (interested in this myself).
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• How to install and use a client certificate for use with https sites on Android?

  I need to be able to install a .p12 client side certificate to be sent to the admin section of my company's site to authenticate me as an employee. In FireFox for PC there is the ability to install this client certificate. In the mobile I cannot figure out how to get this to work.
  I just bought an Asus Transformer Android Tablet running Honeycomb. I have tried the following method below:
  http://support.mozilla.com/en-US/questions/786035
  I get to the screen where I am able to present and choose a certificate but I still get the (Error code: ssl_error_handshake_failure_alert).
  Now that Android is really picking up steam, there needs to be a way to install client side certificates to present to sites requesting them.
  Is there another way to hack the system to allow or install a client side certificate in .p12 format?

  Sorry, there's not a good way to install client certificates in Firefox 4 for Android. A bug has been filed, and any work that we do on adding this feature will be tracked here:
  https://bugzilla.mozilla.org/show_bug.cgi?id=478938

• Applet does not get client certificate from browser (Firefox, IE7)

  I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
  Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
  All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
  Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
  I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
  I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
  So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
  1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
  2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
  BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
  Thanks all.

  My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned >isn't an issue --- I just wanted you to make sure the Applet runs because it is a know valid Java2 Applet that is 100% signed properly and verified to run.
  This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid
  it is not relevant to your issue.
  due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
  I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up >quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I >did was:If that is true we are all dead :) No I think you just missed the cert in the IE databse. It doesn't have to be in the
  Applet database to function. Surprise!
  Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
  I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate >is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), >then your server isn't requiring client authentication, either accidentally or by design.No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
  If you click on a component in the view and then on the view and type "dumpgobs" it shoud write out some data about the current graphics objects so you can see it has complete read/write access..
  Further it opens up a complete NIO server ands starts listening for connections on a random port
  (Echoed in your java console) You can connect to it with telnet and watch impressive ping messages all day :)
  This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
  There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. IE: is it RSA/DSA/Sha1
  etc. The Netscape DB was a Berkley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert
  which I like the best ATM as it (X fingers it stays so) always has worked.
  Sadly that tidbit doesn't help you either I am afraid.
  What I'm trying to do is require client authentication through Apache by including the following markup in a virtual >host definition:
  SSLCACertificateFile D:/Certificates/ca.crt
  SSLVerifyClient require
  SSLVerifyDepth 1You got me there I avoid markup at all costs and only code in C java and assembler :)
  Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server
  automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
  On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing >shows that the server is requiring a certificate from the client, and the web browser is always providing it.
  The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication >between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to >the server.
  So the server refuses to send the applet bytecode to the JVM, and we're stuck.In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run
  (or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enables the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
  I am thinking maybe there is another method of doing this I do not know.
  Did you try pushing the cert via JavaScript/LIveConnect?? That way it could run before the Applet and do the authentication.
  Maybe someone else has other ideas; did you try the security forum??
  Sorry but I am afraid that is not much help.
  I did snarf this tidbit which may have some relevance
  The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API, Here are the step:
  In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
  -Djavax.net.ssl.keyStore=<name and path to client keystore file>
  -Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
  If it is a PKCS12 format keystore, specify:
  -Djavax.net.ssl.keyStoreType=PKCS12
  In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
  Dennis
  Posted Date : 2005-07-28 19:55:50.0Good Luck!
  Sincerely:
  (T)
  Edited by: tswain on 23-Jul-2008 10:07 AM

• SOAP Receiver Adapter problem (client certificate required)

  My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] [original link is broken] [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
  PI Server AXD - (Client) - Receiver SOAP adapter
  PI Server AXQ - (Server) - Sender SOAP Adapter.
  Steps in AXD
  1. I have created a certificate of AXD in the service_ssl view of key storage.
  2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
  Steps in AXQ
  1. I have created a certificate of AXQ in the service_ssl view of key storage.
  2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
  3. I have created a user in AXQ and assigned the certificate of AXD under usermangement in Security provider to this user.
  4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
  5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
  Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
  Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
  Any pointer to solve this problem is highly appreciated.
  Thanks
  Abinash

  Hi Hemant,
  I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
  As far as my scenario goes I am not using message level security.
  Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
  Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
  Abinash

• Presenting a Client Certificate from ACE?

  Hi Folks,
  This is a bit of an odd one, so please stick with me!
  A bit of background:
  We currently visit a secure 3rd party website from our company, in order to identify our company to the website we have to use a client-side certificate to authenticate us (before we then login to the website).
  As we have a large number of machines loading a client-certificate on to each one has not proved agile enough (this is more a legacy thing).  So to work around this we have used a Stunnel proxy which the clients are forwared too (HTTP), which then proxies the connection as HTTPS and provides the end website with the Client Cert and does all the bits for SSL.   The Stunnel service was meant to be a tempory workaround, about 3 or so years ago (don't you just love those?) and is hosted on a desktop PC which has recently started to crash - there's no real support on this either - which leads me onto the question:
  Can the ACE module replace the Stunnel Box in this scenario?
  Is it possibile to load a client certificate onto the ACE and get it to provide this to an end webserver.  I realise that the ACE is probably not designed for this function, however this would get us onto something more stable and has a better internal support function.
  I've attached a really basic diagram of how the connectivity operates - but I'm happy to consider suggestions on alternative ways of doing it.
  Thanks in advance
  Kev

  Hi.
  It seems to be not possible : http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/initiate.html
  I have to check if other products can do what you want, but I have some doubts...

• SOAP Axis adapter_Encryption via Client Certificate not working

  Dear Experts,
  Could anyone please share the steps to enable encryption via client certificate in SOAP AXIS receiver adapter.
  I am able to do the same using normal SOAP adapter but with AXIS framework the steps are not working.
  I have come across few sdn links to configure axis framework for authentication using wsse security standard but this seems to be different as it requires user and password whereas with certificates we are not given any user/password.
  Please provide some valuable inputs.
  Thanks.

  Hi Shikha,
  see the -
  Advanced Usage Questions
      8. How can I configure a channel to use the encryption and ....
  of the FAQ attached to the note -
  1039369 - FAQ XI Axis Adapter
  Regards
  Kenny

• Webdav using Client Certificates

  Hello all
  Finder (10.5.6) seems not to be able to use Webdav with client certificates. Especially in conjunction with Alfresco Share this would be nice.
  Any ideas?
  Pascal.

  Hi,
  > have a question, if we use this mechansim do we have to mainatin User's cerificate in user master or >this is not needed as we are accepting the connection from the intermediary server which is trusted by >the J2EE engine.
  I think it depends from your Biller Direct application.
  In my company we use Rosettanet B2B with SAP XI and have this setup :
  Internet -- https --> Apache -- https --> Web dispatcher -- https --> SAP J2EE PI
  The client certificate from the B2B partner is sent up to SAP PI and we did not have to set the certificate in the user mast.
  We did have to import the certificate in the J2EE keystore and to configure the Rosettanet connector.
  Regards,
  Olivier

• How to read client certificate after SSL has be established

  Hi, Folks:
  I've established mutual authentication between client and server, how do I go about reading the client certificate on the server side after SSL session has been established? Basically I am trying to read the client name from the client certificate, based on the name, the server will decide what resource the client can access.
  Thanks a lot
  --Richard                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

  I need to know the process clearly... like how to configure ssl serverAs I said, that's not the topic of this thread. It's described in the Javadoc, and it's been covered in this forum, and the forum has a search facility. If you still have a question, start your own thread. Don't hijack other threads about other topics.
  Every one knows to read API documentation. If those were clear then I wouldn't ask here for help. Then you need to ask a specific question about something you specifically didn't understand, in a specific thread, in a specific forum. The best reference is the Javadoc. That's what it's for, and reading it is how I learned Java. If you can't understand it maybe you need to make more of an effort. Nobody is going to type it in here again for you in a more comprehensible form (I hope). It's your job to understand the material you have to work with. At the moment you're just asking someone to do your job for you.
  And yes this topic may have been covered previously, but its not necessary for me to know what topics are covered in this forum.The question asked in this thread has been answered previously in this thread. Is that too hard to find? The question you asked that hasn't been covered in this thread doesn't belong in this thread. Is that too hard to understand?

• Problem using multiple Client Certificates

  Hi folks, I had (mistakenly) posted an earlier version of this question to the crypto forum.
  My problem is that I have multiple client certs in my keystore, but only one is being used as the selected certificate for client authentication for all connection�s. So, one connection works fine, the rest fail because the server doesn�t like the client cert being presented.
  I have been trying to get the JSSE to select the proper client certificate by making use of the chooseClientAlias method. (init the SSL context with a custom key manager that extends X509ExtendedKeyManager and implements the inherited abstract method X509KeyManager.chooseClientAlias(String[], Principal[], Socket))
  But, still no luck.. the JSSE is not calling in to the my version of chooseClientAlias, and it just keeps presenting the same client certificate.
  No clue why, any thoughts on how to get the JSSE to call my version of chooseClientAlias?
  Thanks!
  SSLContext sslContext = SSLContext.getInstance("TLS");
  sslContext.init(createCustomKeyManagers(Keystore, KeystorePassword),
              createCustomTrustManagers(Keystore, KeystorePassword),null);
  SSLSocketFactory factory = sslContext.getSocketFactory();
  URL url = new URL(urlString);
  URLConnection conn = url.openConnection();
  urlConn = (HttpsURLConnection) conn;
  urlConn.setSSLSocketFactory(factory);
  BufferedReader rd = new BufferedReader(new InputStreamReader(urlConn.getInputStream()));
  String line;
  while ((line = rd.readLine()) != null) {
       System.out.println(line);  }
  public class CustomKeyManager extends X509ExtendedKeyManager
      private X509ExtendedKeyManager defaultKeyManager;
      private Properties serverMap;
      public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
          SocketAddress socketAddress = socket.getRemoteSocketAddress();
          String hostName = ((InetSocketAddress)socketAddress).getHostName().toUpperCase();
          String alias = null;
          if(serverMap.containsKey(hostName)){
              alias = serverMap.getProperty(hostName.toUpperCase());
              if(alias != null && alias.length() ==0){
                  alias = null; }
          else {
              alias = defaultKeyManager.chooseClientAlias(keyType, issuers, socket);
          return alias;
  .

  Topic was correctly answered by ejp in the crypto forum..
  namely: javax.net.ssl.X509KeyManager.chooseClientAlias() is called if there was an incoming CertificateRequest, according to the JSSE source code. If there's an SSLEngine it calls javax.net.ssl.X509ExtendedKeyManager.chooseEngineClientAlias() instead.*
  You can create your own SSLContext with your own X509KeyManager, get its socketFactory, and set that as the socket factory for HttpsURLConnection.*
  Edited by: wick123 on Mar 5, 2008 10:26 AM

• AnyConnect SSL-client Certificate AND AAA RADIUS

  Hi All,
  I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
  I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
  Here are some relevant log messages I'm getting:
  Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
  Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
  Certificate chain was successfully validated with warning, revocation status was not checked.
  Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
  Device completed SSL handshake with client outside:72.91.xx.xx/42501
  Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
  Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
  Relevant Config:
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  authentication-server-group RADIUS
  default-group-policy GroupPolicy1
  tunnel-group SSLClientProfile webvpn-attributes
  authentication aaa certificate
  radius-reject-message
  pre-fill-username ssl-client
  group-alias SSLClientProfile enable
  group-url https://URL enable
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  wins-server none
  dns-server value <ip1> <ip2>
  vpn-tunnel-protocol ssl-client
  default-domain value xxxxxxxx
  address-pools value VPNPOOL
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.102.242
  key *****
  aaa-server RADIUS (inside) host 192.168.240.242
  key *****
  ASA version 8.4
  What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

  PRogress....
  I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

• Google chrome : client certificate install fails

  when i try ti install client certificate on google chrome, the error says : The server returned invalid client certificate.
  This is happening in Google chrome under the certsrv site to install the issued certificate. Does chrome support client certificates?

  Question: 
  What does Error
  207 (net::ERR_CERT_INVALID) mean when I try to collect my certificate (CodeSigning or Email)?
  Answer: 
  This means that you have tried to obtain your certificate using the Google Chrome browser. At this present time Google Chrome does
  not support chained certificate enrollment and you can not use another browser to collect this certificate because the private key was generated with Chrome and you must start the process from the beginning again using another browser such as Mozilla Firefox
  or Microsoft Internet Explorer.
  Source:
  https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/776/38/ 

• How to install client certificate in Jdeveloper 10.1.3.41.57

  Hi,
  We need to connect to another website by presenting client certificate. This certifficate is provided by this website and password is required. Though I tried to tried to launch the JSP that redirects the page to the URL to connec to that website, and I imported the certifcate to the browser, I am still asked credential to connect.
  I was told by other people I need to install the client certificate on the server.
  My question is that how I install this client certificate on Jdeveloper 10.1.3.41.57 and launch JSP to connect to that website?
  the certificate is like xxx2_x.509Cert.pfx.
  Please help
  Thank you.
  jfu

  First, thank you so much for your reply. Yes, it works. I did converted pfx to JKS successfully.
  i use keytool -list to view this JKS file. I can see the content. The chain length is 2.
  However, I got error same error message when I tried to use above command to import JKS to cacerts under jdk/jre/lib/security/; if I add -storetype pKCS12, I got another error keytool error: java.io.IOException: DerInputStream.getLength(): lengthTAg=109, too big.
  Please help.
  Thanks,
  Jfu
  Edited by: 872272 on Sep 20, 2011 8:58 AM

• Lowest cost SSL accelerator for HTTPS client certificate auth testing

  Hi,
  I need to test some some https connections that use client certificate authentication and need a low cost ebay-purchasable cisco ssl box (I think).
  My understanding is that some Cisco products can terminate https connections (once client cert auth is successful) and then pass on the http connection with a cookie value set with the Subject DN information from the client certificate - correct me if I'm wrong :).
  So any suitable kit for this?
  Thanks,
  Marc.

  Hi Oliver,
  Have a look at this http://forum.java.sun.com/thread.jsp?forum=2&thread=258908
  You may find the answer to your question there.
  Majid.

• JDBC Thin Connections with SSL and client certificates

  Hi ,
  we are going have a look at JDBC Thin Connections with SSL and client certificates.
  I have two questions:
  1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
  2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
  Thanks for your help
  regards
  Markus Reichert

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.