DMS 5.3 csr public key size

Similar Messages

• Generate CSR public key 2048 bit

  Hello all,
  I apologize if the answer is already posted here.
  Trying to generate a certificate that uses a 2048 bit.
  Going through the UI, there is no option to define the bit and it generates a 1024 bit key.
  Looked at the CLI certconfig and the option there was to paste the PEM content.
  Async OS 7.5.0-833.
  Any help is appreciated.
  Thanks
  Paul

  Paul,
  There is currently no way to generate keys other than 1024 bit keys.  It is a feature request with the current bug id's.
  CSCzv70884 - [Feature Request] Support Generating 2048bit Certificates in HTTPS Proxy
  Christian Rahl
  Customer Support Engineer
  Cisco Web Content Security Appliance
  Cisco Technical Assistance Center RTP

• Need to change CSR key size from 1024 to 2048

  Hello SAP experts,
  I am encountering an error when generating new certificates:
  · Invalid Key Size
  Current Key Size: 1024
  The key size in the provided CSR is not valid. The key size must be at
  least 2048. Please attempt the request again. If the problem persists
  contact Entrust Certificate Services support for assistance.
  The CSR was generated using Visual Admin -> Server_Name -> Services ->
  Key Storage -> ServiceSSL ->  Generate CSR
  For ABAP systems, I know that the following parameters can control the
  key size/length:
  sec/dsakeylengthdefault
  sec/rsakeylengthdefault
  Are these parameters applicable to a pure Java stack system?
  How can the CSR key size be changed from 1024 to 2048?
  System: GRC Production
  Installation: NW Installation for GRC
  System Type: Production system
  Product Version: SAP GRC RISK MANAGEMENT 2.0
  Operating System: AIX 5.3
  Database: ORACLE 
  Technical Usage Type: Application Server Java
  Thanks in advance!
  Regards,
  Kris Caldoza

  See knowledgebase article [1548872|http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1548872]
  Cheers, Uwe

• AD CS Web Enrollment Error - "public key does not meet the minimum size required"

  I've installed a standalone root CA and a enterprise subordinate CA in our environment - both are Windows 2008 R2. Everything is working except for Web Enrollment using a custom User template. I duplicated the default User template and choose
  2003 Compatible for the new one. I changed the minimum key length to 2048 and set the validity period to 2 years.
  We'd like to avoid using the Advanced Certificate Request page, so I modified certrqtp.inc to point to the new template:
  Else
  ' Request types for enterprise
  rgAvailReqTypes(0,FIELD_TEMPLATE)="User-custom"
  rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_UserTemplateCert_Text
  rgAvailReqTypes(0,FIELD_CSPLIST)="Microsoft Enhanced Cryptographic Provider v1.0?Microsoft Base Cryptographic Provider v1.0"
  rgAvailReqTypes(0,FIELD_CSPLIST2)="Microsoft Base Cryptographic Provider v1.0?Microsoft Enhanced Cryptographic Provider v1.0"
  rgAvailReqTypes(0,FIELD_EXPORTABLE)="True"
  nAvailReqTypes=1
  End If
  I also ran into this issue where Web Enrollment jumps straight to the Advanced page if the original User template isn't present on the CA:
  http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/9ab514bc-1f9f-424e-b70d-705874d9c623
  So I have both User templates loaded on the CA, and I get this error back when attempting a certificate request using IE 8 or 9:
  Your certificate request was denied.
  Your Request Id is 25. The disposition message is "Denied by Policy Module".
  Contact your administrator for further information.
  Looking at the CA's Failed Requests section, I see this error:
  The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375)
  I double-checked our custom template and it does specify 2048 as the minimum key size.
  Also, when trying with Chrome 11.0, I get an extra option during enrollment asking for a key size (1024 or 2048). When I choose 2048, the certificate request succeeds. I don't get the key size option when using IE, though.
  We'd like to get this working with IE if possible. Any ideas?

  We had the same error message. The problem turned out to be on the requesting computer, not the server. When we went to renew a cert in IIS on a server it was generating a 1028-bit key request. Since the minimum on the server was set to 2048-bit
  the request failed. So, there's two ways to handle this. You can change the certificate template on the server to have a minimum set to 1024-bit or you can have IIS submit a new request for a certificate and choose 2048-bit as the size of the key during the
  wizard. We opted to have IIS request a 2048-bit key. The same would apply for whatever computer, device, or software you are using to form the certificate request.
  Your message is pretty old, but I am running on the same problem right now. I've added a custom template to select (with 2048) minimum length, but the webpage from the IIS by default provides just 1024-bit. Where can i optimize the IIS to use a 2048-bit
  key when requesting the certificate?
  When I open the same site with Firefox for example, i got a listed option (Medium / High Strength) to choose for the encryption. It seems that the high strength is >= 2048-bit.

• OSB (11.1.1.7): Can OSB/Weblogic (11.1.1.7) support multiple PKIs (Public Key Infra-structure)

  Hi All,
  Would you be able to help me in understanding if OSB/Weblogic (11.1.1.7) can support multiple private key's in the domain to enable 2-SSL W/S calls ?
  Solution walk-through :
  A 3rd Party Web Service is only accessible via 2-way SSL http channel. To achieve this, OSB is required to use the private key which is issued by 3rd party. This private key and 3rd party root certificate (CA) need to be installed into OSB’s keystore which is based on Java Keystore format.
  The private key (issued by 3rd Party) will be used by OSB for identity signature. This private key is bound to IP address of the OSB machine calling the 3rd Party web service. Also, 3rd Party root certificate (CA) will be used by OSB to verify the identity of 3rd Party web service.
  Given the private key is used as the identity of the system and should be guarded closely by the target system, we believe this approach needs to be reviewed and assessed accordingly.
  Limitations and drawbacks with the current solution :  
  1. The private key of OSB system is issued and controlled by an external application vendor.
  2. OSB is enforced to use this private key and its signature algorithm for other external parties’ interactions. The current client certificate issued by 3rd Party is X509v3 certificate which uses RSA, with a 2048-bit key size, signed with a SHA-512 hash.
  3. The SSL is self-signed, not signed by a publicly trusted cert provider (i.e. VeriSign)
  4. Extra dependency on external vendor systems as the key provider. Currently, the keys are bound to server IP address; any changes to the production environment, (i.e. adding new nodes) will require a new key to be generated by 3rd Party system. In case 3rd Party is no more used in the future, the keys can no longer be generated.
  Conclusion : OSB does not support multiple PKIs (Public Key Infra-structure) which is a mapping mechanism that OSB uses to provide its certificate for SSL connecitons to the server. Multiple private keys, require multiple PKIs which OSB does not handle.
  So, do you agree that OSB/Welblofic (11.1.1.7) could not support multiple private key issued by more than one 3rd party vendor ?
  Thanks,
  Kunal Singh

  Hi Kunal,
  Although it is recommended to have 1 key pair for 1 identity store as it represents unique identity of your domain but you can:
  import multiple key-pairs in your identity store
  Configure PKI credential mapper to use reference of identity store consisting of multiple keys
  When in your OSB project, you create Service Key provider(SKP) then it loads all the private keys present in identity store referred by PKI mapper. It will browse both the keys.
  Depending on your requirement, you can choose different key pair for for different SKPs for "Client Authentication key" section(For SSL) and "Signature key" for DigiSign.
  Please let me know if i understood your query correctly and above helps.
  Regards,
  Ankit

• Public key encrypt/decrypt app

  Hi all,
  Does anyone know of a public key encrypt/decrypt ipad app (IOS5).  I use gpgtools on the imac (lion 7.2) and put spreadsheets, docs, and the like into dropbox.  I have the dropbox app on the ipad.  It opens non-encrypted files just fine; however, if they are encrypted - no soap. I need something that works with dropbox, or provides a dropbox-like repository.
  Searching the store gives me a couple of email encrypters but nothing for files. 
  Many thanks for any help,
  Best,

  By how much is the file size increasing? Depending on how you do the actual encryption, it can easily grow a bit due to varying headers and some padding, but it shouldn't be a significant part of the file size if the file is reasonably big.
  If, however, the file size grows by some significant factor (say your output is 2 time the size of the input), then there is some problem that you should look into.

• Keytool error: java.lang.Exception: Public keys in reply and keystore don't match - Web Logic 10.3.6.0 Linux 64 Bit

  Hi,
  Followed Oracle recommended note for generating .csr file  (Doc ID 1230333.1)
  01) $keytool -genkey -alias server.alias -keyalg RSA -keysize 1024 -dname "CN=ServerName,OU=Office,O=OTS,L=Location,S=SW,C=GB" -keypass mypass -keystore ServerName.jks -storepass mypass
  02) copy ServerName.jks ServerName.jks.org
  03) $keytool -list -v -keystore ServerName.jks -storepass mypass
  04) $keytool -certreq -v -alias server.alias -file ServerName.csr -keypass mypass -storepass mypass -keystore ServerName.jks
  05) Sent the .csr file to CA
  06) ived a filename.cer certificate.
  07) rated Root ServerNameRootCert.cer and Intermediate Certificate ServerNameRootInterCert.cer from filename.cer certificate
  Importing Root CA into the keystore ServerName.jks
  08) $keytool -import -v file ServerNameRootCert.cer -keystore ServerName.jks -trustcacerts -alias AliasOne
  09) $keytool -import -v file ServerNameRootInterCert.cer -keystore ServerName.jks -trustcacerts -alias AliasTwo
  Now importing the actual certificate using the alias server.alias in the above step 01) and 04)
  10) $keytool -import -v file ServerName.cer -keystore ServerName.jks -alias server.alias -keypass -storepass
  Getting error message
  keytool error: java.lang.Exception: Public keys in reply and keystore don't match
  java.lang.Exception: Public keys in reply and keystore don't match
  at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
  at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
  at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
  at sun.security.tools.KeyTool.run(KeyTool.java:172)
  at sun.security.tools.KeyTool.main(KeyTool.java:167)
  Is that anything wrong with the Certificate what is issued by CA?
  Is the java version need to be different?
  Current Java Version
  java version "1.6.0_29"
  Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
  Oracle JRockit(R) (build R28.2.0-79-146777-1.6.0_29-20111005-1807-linux-x86_64, compiled mode)
  Any suggestions please?
  Thanks,
  Kam

  Import the intermediate cert first then the root and then the signed server certificate.
  The alias of root and intermediate doesnt matter, but make sure that the alias of server cert is same as the alias of the private key entry.
  Have a look at the following example :
  https://blogs.oracle.com/blogbypuneeth/entry/steps_to_create_a_csr

• Seeburger - AS2 Certification Public Key Generation

  Hi Experts,
  I'm not sure if what doing right now after deploying all necessary components for AS2Adapter and BIC adapter is that I can generate an AS2 Certificate from NWA. I just want a guideline on how do AS2 Private Key and Public Key being generated.
  I have created an AS2PrivateKey in Keystore. Then it created a public key most likely will be sent to a partner.
  Let me know if I'm doing the right thing.
  Cheers,
  R-jay

  R-Jay, it works like this.
  You generate the certificate at your end in NWA (as you already did). Now this certificate can be self signed or you can generate a CSR (Certificate Signing Request) based on this certificate. This CSR is sent to certification authority like Verisign. They then provide the certificate which you should share with your partners. If it is only a test, you can skip all this and send the public certificate to partners directly. I am a bit skeptic about this line
  "I have created an AS2PrivateKey in Keystore. Then it created a public key "
  Both the certificates are created at the same time when you tick option "Store certificate" while creating the certificate.
  Regards,
  Prateek Raj Srivastava

• Getting Key Size via SSL Certificate

  Good Day,
  I am writing client server with SSL. I want to display certificate information for the client, so I am writing a popup window. I can't figure out how to get the size of the key used (in this case RSA). I want to display. for example.
  "RSA (1024)", much the way IE does.
  I know it must be in there somewhere.
  ... Roger
  p.s. if anyone knows of a canned X509Certificate display component, please point me. I am probably writing what others have written before.

  Here is getFormat() method of Key Interface :
       * Returns the name of the primary encoding format of this key,
       * or null if this key does not support encoding.
       * The primary encoding format is
       * named in terms of the appropriate ASN.1 data format, if an
       * ASN.1 specification for this key exists.
       * For example, the name of the ASN.1 data format for public
       * keys is <I>SubjectPublicKeyInfo</I>, as
       * defined by the X.509 standard; in this case, the returned format is
       * <code>"X.509"</code>. Similarly,
       * the name of the ASN.1 data format for private keys is
       * <I>PrivateKeyInfo</I>,
       * as defined by the PKCS #8 standard; in this case, the returned format is
       * <code>"PKCS#8"</code>.
       * @return the primary encoding format of the key.
       public String getFormat();
  And what is the instance type of this PublicKey ?
  This kind of object may have method undefine in the Interface.

• Renewing public key certificate used for Seeburger AS2

  My general question is when a public key certificate, used for Seeburger AS2 payload decryption and digital signatures, needs to be renewed, how carefully do the certificate renewal steps need to be coordinated for a seamless transition?  More specifically...
  1. Once we import the CSR response from the CA, will the public key currently used by our partner become invalid, or will it continue to work until its expiration date? 
  2. Will our partner be able to validate our signature after the new CSR has been imported, but prior to them applying the new public key certificate in their system? 
  3. Or can we renew the certificate, import the CSR request, provide our partner with the renewed certificate, and let them apply the certificate at their own volition, provided they do it prior to the original certificate expiration?

  Hi Kurt
  In my experience, the renewal/replacement of AS2 certificates for encryption/decryption & signing/authentication requires coordinated effort on both sides.
  This is because AS2 uses asymmetrical encryption, so both parties need to use the same pair of certificates at the same time, i.e. you encrypt on your private key, and partner decrypt on the public key matching your private key. If the keys used do not belong to the same pair, then decryption will not work.
  I'm not sure what AS2 software your partner uses and if it has the feature of automatic rollover of certificate, but PI/Seeburger does not. The approach in PI/Seeburger can either be one of the following:-
  i) import new cert replacing original cert of the same name
  ii) import new cert into new name, manually update sender/receiver agreements
  Due to the manual nature of the tasks, normally it requires coordinated effort during a cutover window.
  Rgds
  Eng Swee

• [Solved] gpg --list-public-keys (removed duplicate - see my last post)

  I followed https://wiki.archlinux.org/index.php/GnuPG#Create_key and https://wiki.archlinux.org/index.php/Talk:Pacman-key, but I have ended up with my public key being listed twice. It's both first and last in the full list of public keys. Here is just mine:
  /home/colin% gpg --list-public-keys colin
  pub   4096R/0940E3F9 2014-11-18 [expires: 2015-11-18]
  uid       [ultimate] Colin Keenan <[email protected]>
  uid       [ultimate] [jpeg image of size 6283]
  sub   4096R/EDA19F9C 2014-11-18 [expires: 2015-11-18]
  pub   4096R/0940E3F9 2014-11-18 [expires: 2015-11-18]
  uid       [ultimate] Colin Keenan <[email protected]>
  uid       [ultimate] [jpeg image of size 6283]
  sub   4096R/EDA19F9C 2014-11-18 [expires: 2015-11-18]
  How do I remove just the 2nd entry so that my public key is only listed one time?
  I am afraid to start signing my packages (https://wiki.archlinux.org/index.php/De … ge_signing) before I fix this issue.
  Edit to add what I've tried so far:
  gpg -o colin.gpg --export colin            # to create a backup of my public key in a file called colin.gpg
  cp pubring.gpg pubring-backup.gpg   # in case I screw up pubring.gpg
  gpg --import colin.gpg                          # hoping it will magically merge the duplicate, but it left both unchanged
  gpg --delete-key colin                           # hoping it would delete both copies of the public key so I could import it again
  It refused to delete the public key until I delete the private key which I don't want to do.
  I also realized the export may have the duplicate as well. I tested that with:
  gpg colin.gpg
  And, sure enough, it listed my key twice.
  Another edit: I have tried a lot and exposed a bug that I will try to submit upstream. Here is what I have done:
  gpg --edit-key colin                              # this selected the first of the duplicate keys to be edited
  gpg> adduid
  Real name: Colin N Keenan
  Email address: [email protected]
  Comment:
  You selected this USER-ID:
      "Colin N Keenan <[email protected]>"
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  You need a passphrase to unlock the secret key for
  user: "Colin Keenan <[email protected]>"
  4096-bit RSA key, ID 0940E3F9, created 2014-11-18
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1)  Colin Keenan <[email protected]>
  [ultimate] (2)  [jpeg image of size 6283]
  [ unknown] (3). Colin N Keenan <[email protected]>
  gpg> save
  gpg --edit-key "Colin N Keenan"
  Secret key is available.
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1). Colin N Keenan <[email protected]>
  [ultimate] (2)  Colin Keenan <[email protected]>
  [ultimate] (3)  [jpeg image of size 6283]
  gpg> 2
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1). Colin N Keenan <[email protected]>
  [ultimate] (2)* Colin Keenan <[email protected]>
  [ultimate] (3)  [jpeg image of size 6283]
  gpg> deluid
  Really remove this user ID? (y/N) y
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1). Colin N Keenan <[email protected]>
  [ultimate] (2)  [jpeg image of size 6283]
  gpg> quit
  Save changes? (y/N) y
  And now the bug:
  /home/colin% gpg --delete-key "Colin Keenan"
  gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  gpg: there is a secret key for public key "Colin Keenan"!
  gpg: use option "--delete-secret-keys" to delete it first.
  /home/colin% gpg --delete-secret-key "Colin Keenan"
  gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  gpg: key "Colin Keenan" not found: Unknown system error
  gpg: Colin Keenan: delete key failed: Unknown system error
  So, --delete-key fails because there is a secret key, and --delete-secret-key fails because it can't find the secret key!
  Last edited by colinkeenan (2014-11-19 16:26:31)

  I have solved the issue. Since I had made a backup of .gnupg while there was a duplicate of the public key for "Colin Keenan", I realized the secret key in the backup was also for "Colin Keenan", so I didn't want to delete that one. I should delete "Colin N Keenan" by deleting the secret and public key matching it, then copy the resulting public key file to the backup, then restore the backup. That solved the issue, as follows:
  gpg --delete-secret-key "Colin N Keenan"
  gpg --delete-key "Colin N Keenan"
  cp .gnupg/pubring.gpg .gnupg-backup
  rm -r .gnupg
  cp -r .gnupg-backup .gnupg
  Here is a full outline of the commands I ran to eliminate the duplicate public key, in case anyone else runs into this very unusual problem:
  cd                                     # just making sure I'm in home directory so don't have to type dreaded ~
  cp -r .gnupg .gnupg-backup
  gpg --edit-key colin
  gpg> adduid (added Colin N Keenan, original was Colin Keenan)
  gpg> save
  gpg --edit-key "Colin N Keenan"
  gpg> 2 (because "Colin Keenan" was the 2nd uid)
  gpg> deluid
  gpg> save
  gpg --delete-secret-key "Colin N Keenan"
  gpg --delete-key "Colin N Keenan"
  cp .gnupg/pubring.gpg .gnupg-backup
  rm -r .gnupg
  cp -r .gnupg-backup .gnupg
  Last edited by colinkeenan (2014-11-19 16:41:03)

• Import a signed public key into a keystore

  Hai all,
  When I followed the steps listed at the end of the email, to create a cert request using keytool (from jdk 1.3.0), make it signed by a CA and import the signed public key into a keystore,
  I got the following error when I did step 9: keytool error: java.security.cert.CertificateException: IOException: data is not sufficient
  Could you please give me a help? Thanks in advance. ---
  1.Generate the CA key
  $ openssl genrsa -rand -des -out ca.key 1024
  2.Create a self signed certificate
  $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  3.Setup the OpenSSL CA tools
  $ mkdir demoCA $ mkdir demoCA/newcerts $ touch demoCA/index.txt
  $ cp ca.crt demoCA/ $ echo "01" > demoCA/serial
  4.Create a new key store for the client application
  $ keytool -keystore testkeys -genkey - alias client
  5.Export the client's public key
  $ keytool -keystore testkeys -certreq -alias client -file client.crs
  6.Sign the client's key with our CA key
  $ openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem -keyfile ca.key
  7.Convert to DER format
  $ openssl x509 -in client.crs.pem -out client.crs.der -outform DER
  8.Import CA certificate into client's key store
  $ keytool -keystore testkeys -alias jsse_article_ca -import -file ca.crt
  9.Import signed key into client's key store
  $ keytool -keystore testkeys -alias client -import -file client.crs.der
  (The above steps are available at <http://www.ddj.com/articles/2001/0102/0102a/0102a.htm>)
  I have created CA and Server certificates using openssl and client certificate request using keytool and it is signed by our CA.
  I am using openssl server (C++) and JSSE client (JAVA)...
  to communicate these two what certificates i need to put in the client keystore (created using keytool).
  I have imported CA into keytool ,but i am unable to import client cert into keystore.
  Please tell me some way to sort out this problem...
  Prasad.

  The following script using openssl and keytool (JDK1.3)
  works. Be sure to have the following in
  your extension directory (/opt/java1.3/jre/lib/ext):
  jcert.jar
  jnet.jar
  jsse.jar
  sunrsasign.jar
  Pierre
  #!/bin/ksh
  rm -f Keystore Config
  rm -rf certs
  mkdir certs
  touch certs/index
  echo "01" > certs/serial
  chmod 600 certs/*
  netstat > /tmp/.rnd
  echo "Creating config file for openssl"
  cat > Config <<EOCNF
  [ ca ]
  default_ca = CA_default
  [ CA_default ]
  dir = certs
  database = \$dir/index
  serial = \$dir/serial
  default_days = 365 # Duration to certify for
  default_crl_days= 30 # Time before next CRL
  default_md = SHA1 # Message digest to use.
  preserve = no # Keep passed DN ordering?
  policy = policy_anything
  [ policy_anything ]
  countryName = optional
  stateOrProvinceName = optional
  localityName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional
  [ req ]
  default_bits = 1024
  default_keyfile = privkey.pem
  distinguished_name = req_distinguished_name
  attributes = req_attributes
  [ req_distinguished_name ]
  countryName = Country Name (2 letter code)
  countryName_default = US
  countryName_value = US
  countryName_min = 2
  countryName_max = 2
  stateOrProvinceName = State or Province Name (full name)
  stateOrProvinceName_default = CA
  stateOrProvinceName_value = CA
  localityName = Locality Name (eg, city)
  localityName_default = Loc
  localityName_value = Loc
  0.organizationName = Organization Name (eg, company)
  0.organizationName_default = Org
  0.organizationName_value = Org
  organizationalUnitName = Organizational Unit Name (eg, section)
  organizationalUnitName_default = OrgUnit
  organizationalUnitName_value = OrgUni
  commonName = Common Name (eg, YOUR name)
  commonName_default = CN
  commonName_value = CN
  commonName_max = 64
  emailAddress = Email Address
  emailAddress_default = [email protected]
  emailAddress_value = [email protected]
  emailAddress_max = 40
  [ req_attributes ]
  EOCNF
  echo "Creating DSA params"
  openssl dsaparam -outform PEM -out DSAPARAM -rand /tmp/.rnd 1024
  echo "Creating CA key pair and cert request"
  openssl req -config Config -nodes -newkey DSA:DSAPARAM -keyout certs/caprivkey.pem -out certs/req.pem
  echo "Signing own CA cert"
  openssl x509 -req -in certs/req.pem -signkey certs/caprivkey.pem -out certs/cacert.pem
  echo "Generating client key pair and cert in keystore"
  keytool -genkey -alias myalias -keyalg DSA -keysize 1024 -keypass password -storepass password -keystore Keystore -dname "CN=Common Name, OU=Org Unit, O=Org, L=Locality, S=State, C=Country" -validity 365
  echo "Generating cert request"
  keytool -certreq -alias myalias -keypass password -storepass password -keystore Keystore -file certs/CertReq.csr
  echo "Signing client cert"
  openssl ca -config Config -policy policy_anything -batch -in certs/CertReq.csr -keyfile certs/caprivkey.pem -days 365 -cert certs/cacert.pem -outdir certs -out certs/public.pem -md SHA1
  echo "Importing CA cert into keystore"
  keytool -import -alias CA -keystore Keystore -storepass password -noprompt -file certs/cacert.pem
  # Clean the certificate file, contains extra stuff from openssl
  sed "/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/!d" \
       certs/public.pem > certs/tmp-public.pem
  cp certs/tmp-public.pem certs/public.pem
  rm certs/tmp-public.pem
  echo "Importing client cert into keystore"
  keytool -import -alias myalias -keystore Keystore -storepass password -noprompt -file certs/public.pem

• Cannot use blowfish with key size 448 bit length

  I can run it with at most 128 bits key size. I have tried it with 256 and 448 bits key size, all are failed. I'm using j2sdk1.4.1_01. How can I fixed this?
  import java.io.*;
  import javax.crypto.*;
  import java.security.*;
  public class MBlowfish {
       String m_sKeyFile = "";
       public MBlowfish (String sKeyFile) {
            m_sKeyFile = sKeyFile;
       * method genKey()
       public boolean genKey () {
            try {
                 KeyGenerator keygen = KeyGenerator.getInstance ("Blowfish");
                 keygen.init (448);
                 SecretKey key = keygen.generateKey ();
                 ObjectOutputStream keyFile = new ObjectOutputStream (
                      new FileOutputStream (m_sKeyFile)
                 keyFile.writeObject (key);
                 keyFile.close ();
                 return true;
            } catch (Exception e) {
                 //System.out.println (e.getMessage ());
                 return false;
       * method readKey (String sKeyFile)
       private SecretKey readKey () {
            SecretKey key = null;
            try {
                 ObjectInputStream keyFile = new ObjectInputStream (
                      new FileInputStream (m_sKeyFile)
                 key = (SecretKey)keyFile.readObject ();
                 keyFile.close ();
            } catch (Exception e) {
                 //System.out.println (e.getMessage());
            return key;
       public byte[] encrypt (String sInput) {
            Provider sunJce = new com.sun.crypto.provider.SunJCE();
            Security.addProvider (sunJce);
            Cipher cipher = null;
            try {
                 cipher = Cipher.getInstance ("Blowfish/ECB/PKCS5Padding");
                 cipher.init (Cipher.ENCRYPT_MODE, readKey ());
            } catch (Exception e) {
                 System.out.println (e.getMessage());
                 return null;
            try {
                 ByteArrayOutputStream bos = new ByteArrayOutputStream ();
                 ByteArrayInputStream bis = new ByteArrayInputStream (
                      sInput.getBytes());
                 CipherOutputStream cos = new CipherOutputStream (
                      bos, cipher);
                 int length = 0;
                 byte[] buffer = new byte[8192];
                 while ((length = bis.read(buffer)) != -1) {
                      cos.write (buffer, 0, length);
                 cos.close ();
                 bis.close ();
                 bos.close ();
                 return bos.toByteArray();
            } catch (IOException e) {
                 System.out.println (e.getMessage());
                 return null;
       public String decrypt (byte[] baInput) {
            Provider sunJce = new com.sun.crypto.provider.SunJCE();
            Security.addProvider (sunJce);
            Cipher cipher = null;
            try {
                 cipher = Cipher.getInstance ("Blowfish/ECB/PKCS5Padding");
                 cipher.init (Cipher.DECRYPT_MODE, readKey ());
            } catch (Exception e) {
                 System.out.println (e.getMessage());
                 return null;
            try {
                 ByteArrayOutputStream bos = new ByteArrayOutputStream ();
                 ByteArrayInputStream bis = new ByteArrayInputStream (
                      baInput);
                 CipherOutputStream cos = new CipherOutputStream (
                      bos, cipher);
                 int length = 0;
                 byte[] buffer = new byte[8192];
                 while ((length = bis.read(buffer)) != -1) {
                      cos.write (buffer, 0, length);
                 cos.close ();
                 bis.close ();
                 bos.close ();
                 return new String(bos.toByteArray());
            } catch (Exception e) {
                 System.out.println (e.getMessage());
                 return null;
       public static void main (String args[]) {
            MBlowfish m = new MBlowfish ("BlowfishKey.ser");
            boolean result = m.genKey ();
            if (result) {
                 System.out.println ("OK");
            } else {
                 System.out.println ("Fail");
            byte[] baEncrypted = m.encrypt ("Hello this is a test message.");
            System.out.println (m.decrypt (baEncrypted));
  }

  Hi vorrarit,
  sorry I couldn't help you. I tried your code one-to-one on my system and everything worked fine, which means that your configuration is somewhat messy.
  BTW I read a little about jce and java 1.4.x (for I have java 1.3.06 and extra jce package), the documentation says, the SUN JCE providers are statically preconfigured, so a Security.addProvider(..) is not necessary. Have a look in the java.security file and check if the sun provider is contained. Are you sure, your runtime version points to the directory where the jce is installed, maybe you had installed other java-versions and the pathes got mixed up?
  Good luck,
  sebastian

• How to obtain public key from a .crt file

  Hi
  I am new to cryptography Please correct me if my understanding regarding the digital signature is correct and i need help to get the public key.
  I have a x.crt file which contains following fields
  1) x
  2)y
  3) Certificate
  this certificate contains following fields
  certificate version
  owner id
  name
  public key
  signature (which is obtained by signing from start of x.crt till public key with private key)
  now i need to verify whether the signature for that i need to get the public key & signature from this .crt file. Is it how i need to verify the certificate ?? please help me as I am a newbie in cryptography

  Hi all
  Thanks for the reply
  So to get the public key now i used the following code
  byte[] dataPub = new byte[256]; // size of the public key
  try {
                      byteArrayInputStream.read(dataPub);
                 } catch (IOException e1) {
                      // TODO Auto-generated catch block
                      e1.printStackTrace();
            BigInteger modulus = new BigInteger(dataPub);
       BigInteger exponent = new BigInteger("65537"); // specified in the document
       RSAPublicKeySpec rpks = new RSAPublicKeySpec(modulus, exponent);
       KeyFactory kf = null;
                 try {
                      kf = KeyFactory.getInstance("RSA");
                 } catch (NoSuchAlgorithmException e1) {
                      // TODO Auto-generated catch block
                      e1.printStackTrace();
       try {
                      pk = kf.generatePublic(rpks);
                      System.out.println("Pb Key----------------:"+pk.toString());
                 } catch (InvalidKeySpecException e) {
                      // TODO Auto-generated catch block
                      e.printStackTrace();
  When I convert the pk.toString I am getting a negative modulus value . Can the modulus value be negative ??
  Edited by: 800317 on Oct 8, 2010 5:51 AM

• How to get Public Key Remainder?

  Hi Friends..
  Sorry, i have a little doubt regarding the Public Key Remainder..
  What is Public Key Remainder used for?.. is it a part of Public Key?.. How to get it from Public Key, especially in Java?
  As far as i know that the Public Key is constructed with Modulus and Exponent, and with this we can Encrypt and Verify data was signed by Private Key..
  In Java, we can expose Public Key's modulus and public exponent using RSAPublicKey, there's no method to expose Public Key's Remainder..
  Please help me regarding this..
  Thanks

  Leonardo Carreira wrote:
  Hi Shane,
  Thanks for your reply.. :)
  safarmer wrote:
  In that case the exponent and remainder are you public key (exponent and modulus) and the certificate is defined in the definitions section of Book 3. It is a secure way of verifying the public key and it's owner through a trusted certification authority.
  EMV Book 3 tends to use Remainder and Modulus interchangeably.You mean, the Issuer (in this case one of E,M, and V) should provide 2 certificates for 1 card?..
  This is implemented on SDA or DDA?..
  Sorry, i'm still have no idea..
  The Remainder and Modulus should be used interchangeably?..
  How the Host and Card can decides in each transaction whether it will use Remainder or Modulus?..I mean that the terminology is used interchangeably. They refer to the same thing as far as the actual key is concerned.
  Cheers,
  Shane