Cookbook for creating Self Signed Certificates using certutil

Hi,
I am trying to create a self signed certificate for internal use. Can anyone point to a step by step procedure? The few that I have found on the web don't seem to work.
Thanks
david

Check out the examples at the bottom of this page:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Similar Messages

  • How do we create self-signed certificate using java packages

    Hi All,
    I require some information on creating self-signed certificate using java packages.
    The java.security.cert.* package allows you to read Certificates from an existing store or a file etc. but there is no way to generate one afresh. See CertificateFactory and Certificate classes. Even after loading a certificate you cannot regenerate some of its fields to embed the new public key – and hence regenerate the fingerprints etc. – and mention a new DN. Essentially, I see no way from java to self-sign a certificate that embeds a public key that I have already generated.
    I want to do the equivalent of 'keytool -selfcert' from java code. Please note that I am not trying to do this by using the keytool command line option - it is always a bad choice to execute external process from the java code - but if no other ways are found then I have to fall back on it.
    Regards,
    Chandra

    > I require some information on creating self-signed certificate using java packages.
    It's not possible because JCE/JCA doesn't have an implementation of X509Certificate. For that you have to use another JCE provider, e.g. BouncyCastle, IAIK, Assembla, etc.
    I'm giving you sample code for producing a self-signed certificate using IAIK JCE. Note that IAIK JCE is not free. But you can use BouncyCastle; it's open source and free.
    import java.math.BigInteger;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.util.Calendar;
    import java.util.GregorianCalendar;
    import iaik.asn1.ObjectID;
    import iaik.asn1.structures.AlgorithmID;
    import iaik.asn1.structures.Name;
    import iaik.x509.X509Certificate;

    public class SelfSignedCertGenerator // wrapper class name is illustrative
    {
      private KeyPairGenerator m_objkeypairgen;
      private KeyPair m_objkeypair;
      private X509Certificate m_objX509;

      /** Generating and Initialising the Public and Private Keys */
      public KeyPair generateKeys() throws Exception
      {
          //1 - Key Pair Generated [Public and Private Key]
          m_objkeypairgen = KeyPairGenerator.getInstance("RSA");
          m_objkeypair = m_objkeypairgen.generateKeyPair();
          System.out.println("Key Pair Generated....");
          //Returns Both Keys [Public and Private]
          return m_objkeypair;
      }

      /** Generating and Initialising the Self Signed Certificate (call generateKeys() first) */
      public X509Certificate generateSSCert() throws Exception
      {
        //Creates Instance of X509 Certificate
        m_objX509 = new X509Certificate();
        //Creating Calendar Instance
        GregorianCalendar obj_date = new GregorianCalendar();
        Name obj_issuer = new Name();
        obj_issuer.addRDN(ObjectID.country, "CountryName");
        obj_issuer.addRDN(ObjectID.organization, "CompanyName");
        obj_issuer.addRDN(ObjectID.organizationalUnit, "Deptt");
        obj_issuer.addRDN(ObjectID.commonName, "Valid CA Name");
        //Self Signed Certificate: issuer and subject are the same name
        m_objX509.setIssuerDN(obj_issuer); // Sets Issuer Info
        m_objX509.setSubjectDN(obj_issuer); // Sets Subject Info
        m_objX509.setSerialNumber(BigInteger.valueOf(0x1234L));
        m_objX509.setPublicKey(m_objkeypair.getPublic()); // Sets Public Key
        m_objX509.setValidNotBefore(obj_date.getTime()); // Sets Starting Date
        obj_date.add(Calendar.MONTH, 6); // Extending the Date [Cert Validation Period (6 Months)]
        m_objX509.setValidNotAfter(obj_date.getTime()); // Sets Ending Date [Expiration Date]
        //Signing Certificate With SHA-1 and RSA.
        //JCE doesn't have that specific implementation, so that is why we need
        //another provider, e.g. BouncyCastle, IAIK, etc.
        m_objX509.sign(AlgorithmID.sha1WithRSAEncryption, m_objkeypair.getPrivate());
        System.out.println("Start Certificate....................................");
        System.out.println(m_objX509.toString());
        System.out.println("End Certificate......................................");
        //Returns Self Signed Certificate.
        return m_objX509;
      }
    }

  • Step by Step Instructions for Installing Self Signed Certificate using Certificate Modification Tool

    I am looking for some step by step instructions for installing the self signed certificate from my Microsoft SBS 2003 server on a Treo 755p and 750p.  In particular I need some help with the form of the actual certificate and how to use the Certificate Modification tool. 
    Some questions I have are as follows:
    1. When I install the certificate on a Windows Mobile device I used an exported version of the certificate.  This export is done using the DER x.509 format.  Is that the same form I’ll need for the Palm?  Do I need some other form? Can/should I just use sbscert.cer file that is generated when SBS is configured?
    2. Does the self signed cert need to be installed on the computer being used to update the Palm or do we just need to be able to access the appropriate .CER file?
    3. There are three things included in the PalmCertificatesTool.zip file:
                                    Trusted CAs (folder)
                                    Cert2pdb.exe
                                    PalmCertificates.exe
       How do I use these tools?
    4. It looks like the PalmCertificates.exe file opens an interface that will allow me to browse to the desired .CER file.  Then I suppose I use the < Generate PDB > to create something that needs to then be uploaded to the Palm device?  Not having any real experience with a Palm device how do I upload and install this file? 
    5. Once uploaded do I do something on the device to install it?
    If there is some white paper that provides step by step instructions on doing this that would be great.
    Thanks,
    Walt Bell
    Post relates to: Treo 755p (Verizon)

    Thanks for that.
    I have one question after reading the article 43375:
    The article has you "Turn of AutoSync" and then "Reset the device".  It then indicates the device should be left idle. 
    The next step relates to running the PalmCertificates.exe, navigate to the certificate file and add it and then run the < Generate PDB > button.  Should the device be connected to the computer during this process? If so, at what point after the reset do you connect it to the computer?
    Thanks!
    Post relates to: Treo 755p (Verizon)

  • Problems generating a self-signed certificate using SDK

    Adobe AIR 1.1 SDK was extracted to "D:\AIR\SDK\" in XP Pro
    SP2 system. Also Java 2 runtime version 1.4 installed.
    When I'm trying to generate a self-signed certificate I typed
    the following in command line:
    D:\AIR\SDK\bin\adt.bat -certificate -cn SelfSign 2048-RSA newcert.p12 pass123
    After a short delay an "unable to create output file" message
    appears in command console and an empty (0 byte length) newcert.p12
    created.
    What may be the problem?
    Also I would like to know if there was another way to create
    self-signed certificates or is it possible to build air packages
    without signing the source code?
    Thanks in advance and sorry for bad English!

    I haven't seen this error occur before. It could indicate a
    full drive or similar condition that might prevent writing to the
    file.
    Can you try using Java 1.5? Although 1.4 is officially
    supported, I think 1.5 receives much more testing.
    You can create self-signed certificates using other tools. If
    you do that, make sure the certificate is marked as usable for
    code-signing; otherwise, adt won't accept it.
    You cannot create air packages without signing them.

  • How to monitor self signed certificates using scom 2007 R2

    How to monitor self signed certificates using SCOM 2007 R2. I need to monitor specifically self signed certificate expiration, if possible in a two-state monitor. Please suggest the best way.
    B John

    Hi,
    Based on my understanding, you want to create a monitor for certificate expiration with two states: when the certificate is within 21 days of expiration, send a warning; when the certificate is within 10 days of expiration, send an alert. I think we need to create scripts to do so; hope the links below are helpful:
    Monitoring Certificates In SCOM
    http://blogs.technet.com/b/omx/archive/2013/01/30/monitoring-certificates-in-scom.aspx
    Monitoring Expiring Certificates using SCOM
    http://blogs.technet.com/b/sgopi/archive/2012/05/18/monitoring-expiring-certificates-using-scom.aspx
    Regards,
    Yan Li

  • In Firefox 4.0 with a Server with a self signed certificate using IPv6 I can not add a "Security Exception" for this certificate.

    In Firefox 4.0 I have a server ... it contains a self signed certificate. Using IPv6 I can not add a "Security Exception" for this certificate.
    1. I log onto the server (using IPv6). I get the "Untrusted connection page" saying "This connection is Untrusted"
    2. I click on "Add Exception.." under the "I understand the Risks" section.
    3. The "Add Security Exception" dialog comes up. soon after the dialog comes up I get an additional "Alert" dialog saying
    An exception occured during connection to xxxxxxxxx.
    Peer's certificate issuer has been marked as not trusted by the User.
    (Error code sec_error_untrusted_issuer).
    Please note that this works in Firefox 3.6.16 (in IPv4 and IPv6). It also works in Firefox 4.0 in IPv4 only IPv6 has an issue. What's wrong?

    Exactly the same problem, except I'm using FF v6 for Windows, not FF v4 as for the lead post. This is for a self-cert which IS trusted, although the error message says it isn't.

  • How to deploy self signed certificate using GPO

    Hello,
    I am applying a self-signed certificate for HTTPS inspection. As you know, Firefox does not use the Windows root certificate store as IE and Chrome do, so I did some research about this issue and checked the admx and FF GPO; nothing helped me!
    Does anyone have any new idea on how to solve this issue?

    Well, this might not be much help, but for 10g, on AIX, docID 1171558.1 describes how to create a new certificate.
    Not sure how relevant it will be for 11g, sorry :(

  • N97 - Mail for Exchange self signed certificate

    I would like to use my N97 for synchronizing my Nokia with my office e-mails (MfE 2003). Sync keeps on failing. I assume that my N97 does not accept the self-signed certificate we are using (unlike the iPhone and any other HTC or Windows Mobile based device). I tried to install the certificate on my Nokia - however all versions offered for conversion by my Internet Explorer are not recognized as a certificate by the N97 (either unknown format or just displayed as text).
    Can anyone help? (I am afraid I have to deal with our self-signed certificate - so there is no chance to approach the problem from that end)
    Many thanks!

    I am also having the exact same problem.  My company uses Exchange Server 2003, but I cannot get the Nokia N97 to sync using Mail for Exchange.  I too am guessing that it might be related to the fact that we are using a self signed certificate.
    When the sync failed, I tried to browse to our web exchange access on the N97 web browser, but that wouldn't work either (I have successfully been able to do this on a Sony Ericsson C905 and a BlackBerry Pearl, but the Nokia N97 says it is unable to perform the operation).
    Can anyone confirm if the issue is in fact the self signed certificate, or make any other suggestions?  I do not want to push my company down the path of getting the certificate signed if it's not going to solve the problem.
    Thanks!

  • Firefox 3.6.3 does not bring up the "add exception" option for a self-signed certificate

    Hello. The company website I use has moved to a new server. The new server required some changes apparently, and now I am receiving the message CompanyXYZ.net:987 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for Now, on 1 of my 3 computers, I received the I understand the risks, and an option to Add an Exception. However, on the other 2 computers, I simply receive the previously described popup window and no option to proceed. Any suggestions would be appreciated. Thank you for your genius.
    == URL of affected sites ==
    private company server

    I already have the browser.uxl.error_pages.enabled setting set to true, but I still do not get the option to add an exception for an internal certificate. I'm trying to connect to the iLO port on an HP server. Thanks.

  • Self signed certificate for web service security !!

    I've created a self-signed certificate using keytool for web service security, but I'm unable to use it from the client side. When I give "dn=localhost" it works fine. But when I give anything other than that, it throws this error:
    java.io.IOException: HTTPS hostname wrong: should be <192.168.2.36>
    I don't know what the problem is. Could anyone tell me where I'm wrong? In the CN I've given my IP address. Please help me out.
    Do I need to do something else?

    Thanks for your kind help.
    But I followed the same steps that were given. Do I need to set something in NetBeans? I'm using NetBeans 5.5, Tomcat 5.5 and JDK 5. Still I'm getting the same error, "https hostname is wrong: it should be <192.168.2.278>", which is my IP address. I've created my self signed certificate and given the path to it with System.setProperty("javax.net.ssl.trustStore","d:/keystore/auth.keystore"); and the same for the password. Do I need to do something else?
    Please help me out in this regard. I'm just starting out with this technology.
    Thanks in advance.
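An added example, not code from any poster on this page: it follows the BouncyCastle suggestion made in the Java thread above and puts the server's IP address in a subjectAltName entry, because Java's default HTTPS hostname check matches an IP literal only against iPAddress SAN entries and never against the CN. The class name, subject DN and DNS name are constructed; 192.168.2.36 is the address from the error message in this thread; it assumes the BouncyCastle bcprov and bcpkix jars are on the classpath and uses SHA-256 rather than SHA-1.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedWithSan { // hypothetical class name

    /** Builds a self-signed server certificate whose SAN lists a DNS name and an IP address. */
    static X509Certificate selfSign(KeyPair keys, String dnsName, String ipAddress, int validDays)
            throws Exception {
        // Constructed subject; for a self-signed certificate the issuer is the same name.
        X500Name name = new X500Name("CN=" + dnsName + ", O=Example Org");
        Date notBefore = new Date(System.currentTimeMillis() - 60_000L); // tolerate small clock skew
        Date notAfter = new Date(notBefore.getTime() + validDays * 86_400_000L);
        BigInteger serial = new BigInteger(64, new SecureRandom()); // random, not a fixed constant

        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, keys.getPublic());

        // End-entity certificate: it must not be usable to issue other certificates.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        // Clients connecting by IP match against the iPAddress entry, by name against dNSName.
        builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName[] {
                        new GeneralName(GeneralName.dNSName, dnsName),
                        new GeneralName(GeneralName.iPAddress, ipAddress) }));

        // Signing with the private half of the certified key is the "self" in self-signed.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keys.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keys = gen.generateKeyPair();

        X509Certificate cert = selfSign(keys, "localhost", "192.168.2.36", 180);
        cert.verify(keys.getPublic()); // throws if the signature does not match the embedded key
        cert.checkValidity();          // throws if outside notBefore/notAfter
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("SAN:     " + cert.getSubjectAlternativeNames());
    }
}
```

The client still has to trust this exact certificate, so it goes into the truststore named by javax.net.ssl.trustStore; the SAN entry only resolves the hostname mismatch.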

  • Keytool self-signed certificate.

    Using Keyman on hp-unix. Wanted to create self-signed certificate.
    When I tried to create, it asked to create keys. I created them. Then I could select self-signed and create it. This is listed under private certificates. Now what to do? For somebody to trust this certificate, do I have to take it to another database on another box?
    Say, I created a private certificate pc1 at Box1. For Box2 to trust Box1, I guess I need to take this certificate and put it on Box2. (exporting from box1 and importing to box2). Is this what I am supposed to do? Or am I understanding something different? If I am correct, it(keyman) is not giving me option to export the certificate.
    Please help.

    Using ikeyman, Not keytool

  • Safari could not establish secure connection to my localhost with self signed certificate

    I was using maven+grizzly+jersey to start my own server. I created a self signed certificate so that my server can support https. In case you are curious, following is how I generated my certificate
    I was testing this on my iMac (running Mavericks). Now, I added the server.cert to the system keychain so that all users can trust this certificate. Also, I changed the trust level to "Always Trust".
    I got this to work in Chrome and Firefox. They asked me to add an exception for this certificate, I did, and then everything went fine. However, I have never made Safari (7.0) happy. I always get the error saying that Safari cannot establish a secure connection to my localhost.
    Does anyone have any idea why this happens? Or is there a better way to debug this problem so that I will be able to tell at which step things go wrong?
    Thank you in advance. I really appreciated it.

    Any help much appreciated!

  • Cannot accept self-signed certificate on some machines

    I'm trying to connect to a certain server that uses a self-signed certificate - the admin thinks that's safer than accepting thousands of unknown intermediate CAs, and he has a point; witness the Certificate Patrol add-on.
    When I try from some client machines with various OS, FireFox versions etc., it works. I can accept the certificate permanently.
    But on at least 3 machines, I get an error message "unable to obtain identification status for the given site", and I cannot confirm an exception and get to the site at all.
    2 of those machines have FF 10.0.4. But on another machine with FF 10.0.4, there is no problem.
    On machines where I can store an exception, when I look in the certificate manager, the certificate is marked "(not stored)", and I cannot view it. What does that mean ? A few other certs in the server store are also marked not stored, while most have a certificate name and are viewable, along with one marked "no nickname".

    The issue seems to revolve around a cached HTTPS redirect when the server certificate has changed. I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=767611
    The "not stored" issue, I realize, is due to a permanent exception for a self-signed certificate being stored as a certificate authority, with a placeholder in the servers tab.

  • Help w/ self-signed certificate in SunOne 5.2 P4

    I'm running SunOne 5.2 P4 and I'm very new to the whole SSL thing and want to enable SSL in SunOne for some testing.
    However, all attempts at generating and importing a certificate of varying lengths (512, 1024, 2048, 4096 bits) results in the following error in the Certificate Install Wizard of the Console:
    "Either this certificate is for another server, or this certificate was not requested using this server."
    Could someone point me to some instructions or walk me through the steps for generating self-signed certificates so they will import correctly? All the instructions I have seen so far say to send the "Certificate Request" to a CA for signing. I don't want to do that. I just need it for testing and would like to know how to do it locally. I assume this means self-signing it.
    Thanks!!

    It's not necessarily the server-certificate itself that is self-signed. My guess is that the CA that signed this certificate uses a self-signed certificate for itself.
    Your certificate chain might look like this:
    Your certificate <<signed by>> Your CA <<signed by>> Your CA
    Your CA isn't a trusted issuer by default, therefore you need to import the CA's certificate into the truststore.

  • Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

    SCCM 2012 has been successfully installed on the server:
    SRVSCCM.
    The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
    Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
    The cluster service is running on the account: sqlclusteruser
    The account has the appropriate SPN are registered:
    setspn -L domain\sqlclusteruser
    Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
    MSSQLSvc/CLS-SQL4
    MSSQLSvc/CLS-SQL4.domain.local
    MSSQLSvc/CLS-SQL4:11434
    MSSQLSvc/CLS-SQL4.domain.local:11434
    After some time on the cluster hosts every day started appearing new folders with files inside:
    srvboot.exe
    srvboot.ini
    srvboot.log
    srvboot.log contains the following information:
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
    Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
    Copyright (C) 2011 Microsoft Corp.
    Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
    Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
    Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
    Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
    Failed to retrieve SQL Server service account.
    Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
    Disconnecting from Site Server.
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

    The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
    Without a successful bootstrap the site server backup is not able to run successfully.
    Try granting everyone the read permission on
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
    This worked for me.
    After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
    After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
    sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"
