Digital Certificates and signing

Similar Messages

• Cant choose which digital certificate to sign outgoing email in Mail.app

  I am posting this here as this post:
  http://discussions.apple.com/message.jspa?messageID=5746197#5746197
  was archived.
  I just wanted to add that this is still an issue for us. We use three digital certificates inside our organization, one from Thawte, one from caCert, and one from our in-house/private CA. All three work perfectly inside all applications that we use them in. There is on issue which is that if the user clicks the icon on the far right side of their outgoing email to "sign" that email, there is no telling which certificate it will use. We want to use the one from Thawte for all outgoing email but it ends up picking one of the other ones instead & as far as I can tell there is no way to control this or change this.
  What I am requesting is that Mail.app ask me which certificate I want to use, either once, in preferences, or each email, or something, as sendind with the wrong one is really not workable.
  I think 10.5.2 is a real step forward. Thanks for all the hardwork to make the improvements in it that we see.
  Thanks so much.
  Sjobeck

  Somewhere online I found mention that you can assign the cert you don't want to use as untrusted and the one you do want to use as trusted. So in Keychain, double click on your Thawte cert, click on the Trust arrow and change the "When using this certificate:" drop down to "Always Trust". Do the opposite for your other certs.
  This way you can still use your other certs for decrypting if anyones uses it to send to you. But you'll always use the trusted cert for signing/encrypting new messages.
  I too wish there was a way to explicitly select the cert you want to use but till they allow that, this is the best way I've found to work around the issue.

• Problems with certificate and signed jad

  Hello
  I have a third party jar and jad which is signed as far as I can tell.
  When I run the jad under the phone emulator.exe I get the text below
  Is there something I need to do.
  Perhaps to do with keystores etc.
  I can install the jar and the application runs but keeps asking for permission to open etc.
  Thanks
  Jim
  C:\Java_ME_platform_SDK_3.0_EA\bin>
  C:\Java_ME_platform_SDK_3.0_EA\bin>emulator -Xdescriptor:trekbuddy.jad
  Device name is not set. Using -Xdevice:DefaultCldcPhone1 option.
  Hint: Use -Xquery argument to see all supported devices.
  HTTP server started!
  *** Error ***
  A problem occured during deploying application from http://127.0.0.1:49813/trekb
  uddy.jad
  * Reason:
  The content provider certificate issuer C=ZA;ST=Western Cape;L=Cape Town;O=Thawt
  e Consulting cc;OU=Certification Services Division;CN=Thawte Premium Server CA;E
  mailAddress=[email protected] is unknown.
  C:\Java_ME_platform_SDK_3.0_EA\bin>

  I got the Thawte certificates and after loading just about every one it stopped complaining about the issuer.
  How ever it then started on about not autorized for API.
  So I gave up in disgust and went back to the the 2.xx toolkit.
  This worked out the box.
  Jim

• WebVPN-Problem with Digital Certificate and AAA

  Hello everyone,
  I have a problem during configuring WebVPN on ASA 5520 using AAA and digital certificate of Microsoft. (MSCEP)
  Currently, The WebVPN service is enabled and it worked well with AAA (local or external) only,
  But now, I want to use both AAA and Certificate for most secure-I mean that the users will be authenticated 2 times (firstly, it is checked by valid certificate then user/pass is second one).
  Here are details:
  I tried installation CA server (Microsoft CA service combined with SCEP) and register ASA with CA server (ASA work as subordinate CA)-->these steps is ok, asa has registed, then client use web-browser request CA and it's issued by CA administrator then it is installed on web-browser.
  Testing:
  The Client tried to test with access SSL VPN, the welcome WEBVPN message prompt user/pass but the message is "Logon Failed" before I give user and pass,
  Does anyone know and advise ?
  Thanks
  Khanh

  Hi all,
  Here are attach files for my issuse,
  Khanh

• Digital Certificates and Web Services with Oracle APEX

  Hi people,
  I am working to implement Web Service communication using Oracle Apex. I need to create an application that calls an external public Web Service in Apex. So far, so good, and i am able to work with a public WS without any problems.
  However, this particular WS I'm calling has two peculiarities:
  1) It is SSL-Secured (HTTPS). This means i have to communicate using SSL and Public/Private Certificates.
  2) The message i pass (payload) must be digitally signed using XMLDsig Standard (www.w3.org/TR/xmldsig-core/)
  The first requirement i am still testing, but it will probably work if i import the public and private keys using Oracle Wallet and point to this Wallet, just as PayPal sample in OTN samples does, don't you think? Should i have any problems with this?
  The second one is more complicated, all APIs i have seen for XML Digital Signing are Java-based or .NET-based, i have found nothing based in PL/SQL packages or such. Can you point me some other options to sign this XML?
  Please bear in mind that, since the WS has more than one method, i am using plain old UTL_HTTP to call it (just like the PayPal sample in OTN). PayPal requests that all communication be SSL-enabled, but has no mention whatsoever for Digital Signatures.
  Can anybody help me out with this? any help is highly appreciated.
  Regards
  Thiago

  Thiago:
  You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
  I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
  http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
  Regards,
  Jason

• How to filter list of digital certificates for signing PDF

  Is it possible to change the configuration of Reader installation to filter the list of installed certificates that can be used for digitally signing documents?
  The filtered list will appear when users attempt to select a certificate for digitally signing a document.
  Thanks.

  Hi Carla,
  Unfortunately, Extended Key Usage is not one of the properties you can enforce.
  The things you can set are:
  appearanceFilter (i.e. enforce the use of a custom signature appearance)
  certspec(i.e. the signing certificate must meet some specific criteria)  <<<----- This is what you are more interested in, more below
  digestMethod(i.e. enforce the use of a specific cryptographic hashing algorithm)
  filter (i.e. enforce the use of a specific security handler if you want to use something other than the one built into Acrobat)
  legalAttestations (i.e. enforce the reason or purpose of the certifying signature)
  lockDocument (i.e. enforce any further changes to the document after the signature is applied)
  mdp (i.e. the rules for changing the document applied as part of a certifying signature)
  reasons (i.e. a list of one or more reasons the signer can use, as opposed to them adding their own)
  shouldAddRevInfo (i.e. force the inclusion on the revocation information (CRL or OCSP response) in the PDF file)
  subFilter (i.e. require the use of a specific signature format. This is very arcane)
  timeStampspec (i.e. require the use of a specific time stamp server)
  version (i.e the minimum version of Acrobat that can decipher the signature. the only two options are versions 6 or 8)
  The second item is the certspec, and this is what I've been pointing you towards. For the sake of discussion, think of everything you can read in a certificate as an extension. The serial number is an extension, the subject is an extension, the valid from date is an extension, etc. When a certificate is created, some of these extensions are required, other optional, and you can even add in extension that are not publicly defined, and only you will know about.
  Acrobat has the ability to enforce the signer to use a certificate that contains some, but not all of the known extensions. The extensions it can enforce are:
  issuer (i.e. require the use of a certificate that is issued by a specific Certificate Authority)
  keyUsage (i.e. require the signers certificate contain one or more of the nine possible values that can be included)
  oid (i.e. require that the Certificate Policy extension contain a specific value)
  subject (i.e. require that the document is signed by one specific person using one specific digital ID)
  subjectDN (i.e. require that the document is signed by one specific person, but they get to choose which digital ID to use)
  url (i.e. if a required digital ID is not available, where the signer can procure an acceptable digital ID)
  urlType (i.e. if the user is directed to the URL, should it be a web server where they can download a digital ID or a remote signing server where the digital ID stays on the remote server)
  That's it. If it's not one of these items then Acrobat cannot enforce that the item is available. Extended Key Usage is not on the list.
  Steve

• Digital certificates and keystore

  I have implemented the digital signature in my project.
  For that i have to add all the certificates in jre/lib/security/cacerts.
  Is it possible to store these certificates in database instead of keystore file (cacerts) ?
  if yes how to implement ?
  any code sample ??

  Yes, you can implement your own KeyStore class and access the keys any way you like. I found it simplest to serialize the keys and store them in a binary field in the database (not very storage efficient but easy to handle).

• Multiple mail certificates and signing mail

  If I understand the information I have read correctly, you can sign an email in Mail as long as you have a personal certificate. I can do this without a problem. My question to you all is.. if you have multiple certificates on your machine, which is Mail using to sign? Is there a way to choose a default?
  Thanks.

  your personal cert should be tied to a specific email address. mail uses the one for the address that is being used to send the email. if the digital signatures/certs aren't tied to a single email address, what good would they be?

• Is there a way to authenticate an iPad to our WLAN using a digital certificate and then authorize the user in Active Directory?

  We want to authenticate both a device (iPad) to our corporate WLAN, but after authenticating the device we would also like to authentiate the user in Active Directory if possible.  Has anyone had any experience with this?

  You need to make sure that the server sends the "GeoTrust DV SSL CA" intermediate certificate.
  See:
  * http://www.networking4all.com/en/support/tools/site+check/ (www.ucfs.net)
  * https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557
  * https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422

• How to create a certificate and sign it programmatically?

  Hi all,
  I surfed the web to find a reference on this but it could not success to seek a good resource, do you know a sample about this issue?
  thank you so much

  http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/x509/X509V3CertificateGenerator.html

• Signing/approving an eForm -- digital certificate required, or is signing into LiveCycle enough?

  Our institute is looking at deploying LiveCycle and use it for form creation and workflow managment.
  There are forms that will require approval/sign-off from multiple users at different stages of processing.
  Currently, on our "non-workflowed" eForms we have an eSig field that a user must click on to put his/her digital certifcate there.
  The person's digital certificate is taken from a hardware token that is plugged into the computer.
  So here's what we see happening for a LiveCycle "workflowed" eForm...
  1. User logs into the system with his/her credentials (username/password).
  2. The system recognizes who the user is.  (E.g., Bob Smith, Manager of IT)
  3. User opens up a form that requires his approval/signature.
  4. User sees where he has to e-sign or give approval.... and clicks on the appropriate button (or similar).
  Now the questions:
  a) Confirm that the system recognizes who is logged in (e.g, Bob Smith).
  b) Without having a digital certificate plugged in or installed (as with current), is there a way to make a form such that all Bob Smith has to do is click a button to give his approval on a section?   The signature wouldn't come from a certificate, but rather since the system know's it is Bob Smith logged in... it will put Bob Smith's "signature" on a field and this will be seen as an "approval" ?
  What we are trying to accomplish is to remove the need for a digital certificate to sign or approve a form... but rather rely on the fact that the system knows it is Bob Smith logged on to the system and therefore when he gives his "approval" that the system accepts that (and moves the form the the next part of the process).
  I hope I phrased this right, and that someone will be able to give us some insight...
  Thanks in advance.

  The signature solution you are describing sounds like a "click-through" signature solution.  Here are some links to info that discuss this type of solution, hopefully you find the information useful...
  http://www.adobe.com/devnet/livecycle/pdfs/lc_digitalsig_wp_ue.pdf
  http://blogs.adobe.com/security/2009/09/contracts_the_speed_of_light_a.html
  http://blogs.adobe.com/security/2008/02/trust_us_electronic_signatures.html
  http://www.adobe.com/products/livecycle/pdfs/95011606_Digital_Signature_wp_ue.pdf
  By the way, you could achieve what you would like to do using LiveCycle.
  Regards
  Steve

• How to get digital certificate informaiton of the email in mail adapter

  Hi, expert:
  I have a requirement to verify the validation of coming email with digital certification. The mail is with digital certification. If the coming email is valid, I 'll get the attachemt of the mail for further processing. I have a sender mail adapter and receiver file adapter configued.
  I have already my own developed adapter module, which is configued in mail adapter. My question is how to retrieve the detailed certificate information in the adapter module developed by myself. Is it feasible?
  Thanks a lot.

  Hi Oscar !!
  refer this blog & links , you will get all you are looking for
  <b>How to use Digital Certificates for Signing & Encrypting Messages in XI</b>
  /people/varadharajan.krishnasamy/blog/2007/05/11/how-to-use-digital-certificates-for-signing-encrypting-messages-in-xi
  http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
  Thanks !
  Regards
  Abhishek Agrahari

• Digital envelop and signature

  Does SAP NetWeaver 2004s supports digital envelop along with signature?
  Do we have to use some third party SAP recommended tool for encrypting documents while sending via email?
  And can we show bitmap signature image as digital signature, do we require any additional softwares in this case?
  Thanks,
  Nitesh Shelar.

  Hi Nitesh
  the digital signature supported by SAP Interactive Forms is one where you use a digital certificate to sign, not a bitmap of a hand-written signature as the latter has no legal relevance.
  Encrypting a mail you send with an attachment, has nothing to do with an SAP system, but needs to be set up using third-party software. I am not aware of any recommendations by SAP. In general, we point to certified partners (if there are any) - see Integration & Certification Center pages here in SDN - but do not usually recommend a particular one.
  Best regards,
  Markus Meisl
  SAP NetWeaver Product Management

• Certificates and Signature

  Dear folks
  Why and How to get certificate and signature for midlet application. I have just void knowledge about that.

  Basically you would need certificates so that your midlet may access restricted API's such as sms and cbs (JSR-120) and file system access (JSR-75). If you have signed your midlet you can avoid annoying questions asking you whether you would allow access to such APIs.
  Certificates for code signing can be obtained from either Thawte or VeriSign (other providers also exist), the certificate you choose depends on which handsets you would like to support. Handsets support different certificates for code signing.
  Thawte:
  http://www.thawte.com/ssl-digital-certificates/code-signing/index.html
  VeriSign:
  http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html
  This tutorial provides a desent explaination on how to sign your midlets:
  http://www.spindriftpages.net/blog/dave/2006/06/18/midlet-jar-signing-a-tutorial-revised/

• CIDX Adopter Digital Certificates

  Guys,
  Here is the scenario..
  We are getting the HTTPS message from external system to XI.
  We are using CIDX Adopter to read external message and validate the digital certificates and map to ORDERS05 Idoc. As soon I trigger the message from external system (HTTPS message), I am seeing message in XI RWB adopter engine, when CIDX adopter is trying the validate the digital signatures somehow it is pointing to J2EE_GUSET user. And it is giving error as below mention.
  <b>ERROR</b>
  "Signature verification failed, alerted;Error when accessing keystore:service_ssl
  Signature verification failed, alerted
  Unexpected error while packing the CIDX message -
  null
  Message Processing caused Failure. -
  BTD handler indicated processing error
  Error encountered while receiving inbound action; See nested exception for detailed error message -
  Message Processing caused Failure. -
  Message Processing caused Failure. -
  BTD handler indicated processing error
  Delivery of the message to the application using connection CIDXAdapter failed, due to: Error encountered while receiving inbound action; See nested exception for detailed error message. "
  <b>Regarding Digital Certificates</b>
        We got the digital certificates from my external party and installed and
         created the Key stores in XI Visual Administration tool.
         We configured in sender agreement by selecting those key stores..
  Can any one help me on how to resolve the issue, is there any problem in Visual Admin Toll, while installing the certificates..
  Thanks
  Murali
  Message was edited by:
          Murali Babu Pallabothula

  HI,
  See the below links
  HTTP* Errors /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
  also see the below links may be useful..
  See the below links
  /people/sap.user72/blog/2005/06/16/using-digital-signatures-in-xi
  SAP Java Cryptographic Toolkit
  http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
  http://help.sap.com/saphelp_nw04/helpdata/en/fb/322f41d606ef23e10000000a155106/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/45/341a2176b74002e10000000a155369/frameset.htm
  Also see the below threads.
  how to deal with digital signatures when converting messages?
  Certificates Vs Digital Signatures
  Security Issues: SSL on SOAP Adapter and Digital Signature in BPM
  message level security: difference digital signature and certificate
  Loading Invoice XML IDoc with digital signature via XI into R/3
  Regards
  CHilla