Generate a certificate request with API (CSR, PKCS#10)

Hi everybody,
I want to request a certificate using a PKCS10 file.
I generate this file with this code:
    package test;

    import sun.security.pkcs.*;
    import sun.security.x509.*;
    import java.security.*;
    import cryptage2.RSACryptor;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import com.sun.crypto.provider.SunJCE;
    import java.io.*;

    public class TestPKCS10 {
        public static void main(String argv[]) {
            try {
                // provider
                SunJCE jce = new SunJCE();
                Security.addProvider(new BouncyCastleProvider());
                Security.addProvider(jce);
                // generate KeyPair
                KeyPair pair = RSACryptor.generateKeyPair();
                // get Instance of signature with MD5 algorithm
                Signature dsa = Signature.getInstance("MD5withRSA");
                // get Private Key
                PrivateKey priv = pair.getPrivate();
                // init Signature with private Key
                dsa.initSign(priv);
                // sign
                byte[] sig = dsa.sign();
                // info for X509 are in X500Name Object
                // (argument order: common name, org unit, organization, locality, state, country)
                X500Name x500name = new X500Name(
                    "Nicolas LEFEUVRE", "IN", "InTech", "Schifflange", "Luxembourg", "Luxembourg");
                // signer : bind Signature and X500Name
                X500Signer signer = new X500Signer(dsa, x500name);
                // get public Key
                PublicKey publicKey = pair.getPublic();
                // create PKCS10 with public key
                PKCS10 pk = new PKCS10(publicKey);
                // sign and encode the PKCS10
                pk.encodeAndSign(signer);
                // save in file PKCS10_2
                PrintStream out =
                    new PrintStream(new FileOutputStream("c:/temp/pkcs10_2"));
                // write the encoded request to the file and flush it
                pk.print(out);
                out.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
The PKCS10 look like this :
I use Microsoft Certificate Server (a service of Microsoft NT2000 server) to generate the certificate, and I get this message:
"The request subject name is invalid or too long. 0x80094001 (-2146877439)"
Any idea ?

Nicolas, I'm not sure but can you try it anyway?
replace Nicolas LEFEUVRE
with Nicolas_LEFEUVRE
There is something about blanks in the Common Name
I'm not sure how or what, but just give it a try!
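
The six-argument X500Name constructor in the posted code takes its arguments in the order common name, organizational unit, organization, locality, state, country, so the request's subject ends with C=Luxembourg. As an added example (not part of the original post), here is a pre-submission check of subject attributes against the RFC 5280 Appendix A length bounds. The class name SubjectDnCheck and the second sample subject are constructed for illustration, and whether a given CA enforces these bounds depends on its configuration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectDnCheck {
    // Length upper bounds from RFC 5280, Appendix A (X.520 attribute types).
    private static final Map<String, Integer> MAX_LEN = new HashMap<>();
    static {
        MAX_LEN.put("CN", 64);
        MAX_LEN.put("OU", 64);
        MAX_LEN.put("O", 64);
        MAX_LEN.put("L", 128);
        MAX_LEN.put("ST", 128);
    }

    /** Returns one message per offending attribute; an empty list means no finding. */
    public static List<String> check(String dn) throws NamingException {
        List<String> problems = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            // toAttributes() also covers multi-valued RDNs such as "CN=a+OU=b".
            NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute attr = attrs.next();
                Object raw = attr.get();
                if (!(raw instanceof String)) {
                    continue; // hex-encoded (#...) value, not checked here
                }
                String type = attr.getID().toUpperCase(Locale.ROOT);
                String value = (String) raw;
                Integer max = MAX_LEN.get(type);
                if (value.isEmpty()) {
                    problems.add(type + " is empty");
                } else if (type.equals("C") && !value.matches("[A-Za-z]{2}")) {
                    problems.add("C must be a two-letter country code, got \"" + value + "\"");
                } else if (max != null && value.length() > max) {
                    problems.add(type + " is " + value.length() + " characters, limit is " + max);
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws NamingException {
        // Subject as produced by the X500Name call in the post.
        String fromPost = "CN=Nicolas LEFEUVRE, OU=IN, O=InTech, L=Schifflange, "
                + "ST=Luxembourg, C=Luxembourg";
        // Constructed variant with an ISO 3166 two-letter country code.
        String twoLetterCountry = "CN=Nicolas LEFEUVRE, OU=IN, O=InTech, L=Schifflange, "
                + "ST=Luxembourg, C=LU";
        System.out.println("from post:  " + check(fromPost));
        System.out.println("with C=LU:  " + check(twoLetterCountry));
    }
}
```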

Similar Messages

  • How to generate a certificate request with more than one OU?

    We're using Sun Java System Web Server 6.1 SP4. The Corp. has its own CA and organizes their certificates in a hierarchical rule with more than one organization unit (OU) in a chain.
    So what we need is to generate a certificate request with more than one OU, but the Web Server wizard has only one text field for it. We've already tried to fill in this field the complete chain of OUs like "ou=orgX, ou=deptY, ou=secZ" and it didn't work either.
    Thanks in advance,
    Jeff!

    Have you tried the command line "certutil"?
    #<SERVER-ROOT>/bin/https/admin/bin/certutil

  • Problem Generating a certificate request

    I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM.  I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error.  This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...
    ;----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
    I am using this command....  certreq -new request.inf request.req
    After hitting enter, it sits there for about 10 seconds and gives me this error back...
    Certificate Request Processor: Access is denied.  0x80070005 (WIN32: 5)
    [RequestAttributes]
    I have searched on this error and have not found much of anything on it.  This process seems to work fine on other servers that I have, but these two servers both generate this error.  Both servers are clean builds and only have ADAM installed on them.  I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message. 
    Anyone have any ideas?
    Thanks!

    Hello Bryan,
    First of all, please make sure that the CA certificate is added into the Trusted Root certificate store on the servers. If the certificate web enrollment is enabled, please check how a certificate request works on the two servers that generate the error.
    Meanwhile, please verify the security permission on the MachineKeys directory:
    1.    Open Windows Explorer, and find the MachineKeys directory in the following location:
    Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys
    2.    Right-click the directory, and click Properties.
    3.    Click the Security tab, and ensure that the full control permission for the Administrators
    How to: Change the Security Permissions for the MachineKeys Directory
    http://msdn.microsoft.com/en-us/library/bb909654.aspx
    Hope it helps.

  • How to get provisioning process tasks of a request with API

    Hi All,
    I need to know the number of process tasks called during a provisioning process for a resource object and also the status of each task!
    Which API is available for this?
    Does anyone have pseudocode?
    Regards,
    SK

    http://docs.oracle.com/cd/E14571_01/apirefs.1111/e17334/Thor/API/Operations/tcProvisioningOperationsIntf.html#getProcessDetail_long_
    and
    http://docs.oracle.com/cd/E14571_01/apirefs.1111/e17334/Thor/API/Operations/tcProvisioningOperationsIntf.html#getProvisioningTaskDetails_long_
    HTH,
    Bikash

  • Certificate request not working with web server v2 template on windows 2012 R2

    I have tried to generate a certificate request on my domain joined Windows 2012 R2. I have tried both online and offline requests. I am using the web server v2 template.
    Both Method fails with error message that the cryptographic algorithm is unknown. I am using these settings apart from the template:
    This is the error Message in online request:
    The error Message in the offline request is somewhat similar.
    An event error is also appearing in the application log:
    The CSPs from the template:
    I am wondering if a cryptographic service provider or several of them are missing? They are installed With Windows update are they not? The strange thing is that this supposedly have worked before with another user. Could it be that I do not have the
    correct permissions to request a certificate with this template, or has something happened with the server? 

    Hey dag 
    Thanks for posting ,
    If You try duplicate the web template for using it in version 4 - can You see any difference? 
    Also check the link below for certificate templates versions:
    http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx#Version_4_Certificate_Templates
    In previous operating system versions the configuration of CSPs and KSPs were on different tabs in the certificate properties. For version 2 certificate templates, CSPs were configured on the Request Handling tab. For version 3 certificate templates,
    KSPs were configured on the Cryptography tab. Starting in Windows Server 2012, the configuration of the providers is consolidated on the Cryptography tab. To learn more about the cryptographic provider options present in previous operating systems
    Notice later.
    I'd be glad to answer any question

  • SSL Cert. Request with multiple CNs?

    Greetings to all of the Gurus out there!
    Is it possible to generate a Certificate Request within iMS (version 5.2) that will handle multiple CNs? In other words, we could request a certificate that would work for mail.foo.com, pop.foo.com, imap.foo.com, etc., etc. Or, failing that, is it possible to somehow create and register multiple certs to accomplish this?
    I know how to do this by using OpenSSL, but if I do that, then iPlanet doesn't know about the private OpenSSL key that I used to generate the certificate.
    Any help is appreciated.

    Hi,
    > If the installation is stand-alone I don't know of a way to specify more than one certificate for each service. So if I recall properly, based on iMS 5.2 experience, I can insert 1 Cert in the msg-serv and this is used by all services: smtp,imap,http.
    Correct - for a stand-alone installation.
    > What I am not sure of, and this is where someone who has taken this further, is if I am obligated to use the hostname that the msg-serv is running on as my cert's cn?
    No you aren't obligated to use the hostname. You can use any name you want - you specify the name to be presented to clients during the certificate request stage.
    > In my case the msg-serv instance is running on the host: kady-amd.education.ucsb.edu and i would prefer to have 1 cert that was listed as from mail.education.ucsb.edu
    Yep sounds like a plan to me. This way your users only have to remember one address. Also if you decide to expand later (e.g. add in a MMP proxy and multiple backend hosts) you can just copy the certificate database files to the MMP, repoint the mail.education.ucsb.edu IP address and away you go.
    > I am wondering if this will require at the OS level, a virtual hostname set up or can I do this with msg-serv ?
    All you need is the DNS record for mail.education.ucsb.edu to point at the IP address of the standalone system.
    Regards,
    Shane.

  • How to generate a PKCS#10 certificate request

    Hi:
    does OWM generates certificate requests in PKCS#10 format?
    TIA

    Have you tried the command line "certutil"?
    #<SERVER-ROOT>/bin/https/admin/bin/certutil

  • How to generate PKCS#10 ECDSA Certificate Requests?

    Hi all,
    Can any body please let me know how can I create ECDSA/RSA/DSA PKCS#10 certificate requests in Java using non-SUN providers?
    I've looked at the Java API docs and couldn't find any class for this purpose. Is there any open-source Classes/Tools which can be used?
    I've tried keytool with my provider which supports RSA and ECDSA, it works with RSA but not ECDSA.
    I'd appreciate your help.
    Joe
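
    One way to build such a request without the internal sun.security.pkcs classes, as an added example that is not part of the original post: it uses the Bouncy Castle PKIX API (the bcprov and bcpkix jars on the classpath are assumed), signs with SHA-256 for EC, RSA or DSA keys, and also carries DNS subject alternative names, which other threads on this page ask about. The class name, subject and host names are constructed.

    ```java
    import java.io.StringWriter;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.spec.ECGenParameterSpec;
    import javax.security.auth.x500.X500Principal;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    import org.bouncycastle.asn1.x509.Extension;
    import org.bouncycastle.asn1.x509.ExtensionsGenerator;
    import org.bouncycastle.asn1.x509.GeneralName;
    import org.bouncycastle.asn1.x509.GeneralNames;
    import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
    import org.bouncycastle.operator.ContentSigner;
    import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
    import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
    import org.bouncycastle.pkcs.PKCS10CertificationRequest;
    import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
    import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

    public class CsrExample {
        // Pick a SHA-256 signature algorithm that matches the key type.
        static String signatureAlgorithmFor(KeyPair kp) {
            switch (kp.getPrivate().getAlgorithm()) {
                case "EC":  return "SHA256withECDSA";
                case "RSA": return "SHA256withRSA";
                case "DSA": return "SHA256withDSA";
                default: throw new IllegalArgumentException("unsupported key type");
            }
        }

        // Build and sign a PKCS#10 request; dnsNames become a subjectAltName
        // extension carried in the PKCS#9 extensionRequest attribute.
        static PKCS10CertificationRequest buildCsr(KeyPair kp, String subjectDn,
                                                   String... dnsNames) throws Exception {
            PKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(new X500Principal(subjectDn), kp.getPublic());
            if (dnsNames.length > 0) {
                GeneralName[] names = new GeneralName[dnsNames.length];
                for (int i = 0; i < dnsNames.length; i++) {
                    names[i] = new GeneralName(GeneralName.dNSName, dnsNames[i]);
                }
                ExtensionsGenerator extGen = new ExtensionsGenerator();
                extGen.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
                builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
            }
            // Call .setProvider("BC") on the builder to force a specific JCA provider for signing.
            ContentSigner signer =
                new JcaContentSignerBuilder(signatureAlgorithmFor(kp)).build(kp.getPrivate());
            return builder.build(signer);
        }

        // PEM-armor the request ("-----BEGIN CERTIFICATE REQUEST-----").
        static String toPem(PKCS10CertificationRequest csr) throws Exception {
            StringWriter sw = new StringWriter();
            try (JcaPEMWriter w = new JcaPEMWriter(sw)) {
                w.writeObject(csr);
            }
            return sw.toString();
        }

        public static void main(String[] args) throws Exception {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            KeyPair kp = kpg.generateKeyPair();
            // Constructed sample subject and host names.
            PKCS10CertificationRequest csr = buildCsr(kp, "CN=mail.example.com, O=Example, C=LU",
                    "mail.example.com", "imap.example.com", "pop.example.com");
            // Self-check: the request signature must verify under the embedded public key.
            boolean ok = csr.isSignatureValid(
                    new JcaContentVerifierProviderBuilder().build(kp.getPublic()));
            System.out.println("request signature valid: " + ok);
            System.out.print(toPem(csr));
        }
    }
    ```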


  • Certificate signing request with subject alternative names?

    Has anyone been successful at generating a certificate signing request for a certificate that uses subject alternative names via the Server Manager GUI? It seems to skip the entire X509 section of the CSR for me.
    Command line via openssl works but I'd like to stick with the GUI for the encryption on the certificates.

    I just checked the documentation and found that your code is incorrect. IAlternativeName::StrValue contains value for an email address, a Domain Name System (DNS) name, a URL, a registered object identifier (OID), or a user principal name (UPN). It doesn't
    contain string value for directory name (and other non-mentioned types). Instead, you need to instantiate an IX500DistinguishedName interface and initialize it from an alternative name value:
    using System;
    using CERTENROLLLib; // interop namespace generated from the CertEnroll COM reference

    class Program {
        static void Main(string[] args) {
            // Placeholder: put the Base64-encoded PKCS#10 request here
            String RequestString = "Base64-encoded request";
            CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
            request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
            Console.WriteLine("Subject: {0}", request.Subject.Name);
            foreach (IX509Extension ext in request.X509Extensions) {
                // Only the Subject Alternative Name extension is of interest
                if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
                    CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
                    string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
                    extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
                    foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
                        switch (alternativeName.Type) {
                            // Directory names have no string value; decode them as a distinguished name
                            case AlternativeNameType.XCN_CERT_ALT_NAME_DIRECTORY_NAME:
                                IX500DistinguishedName DN = new CX500DistinguishedName();
                                DN.Decode(alternativeName.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
                                Console.WriteLine("SAN: {0}", DN.Name);
                                break;
                            default:
                                Console.WriteLine("SAN: {0}", alternativeName.strValue);
                                break;
                        }
                    }
                }
            }
        }
    }

  • Generate a Certificate Signing Request

    Hey guys, I'm new to the Safari developer program and I'm having problems with the Generate a Certificate Signing Request for my PC. It worked fine on my Mac but not on my windows 7 PC. I follow the steps, saving the file then opening "CMD.exe" and type in the request and place "" with  the path of the file saved in step one but once I hit enter it gives me a

    Requires a Mac and your keychain.

  • Can't run wallet manager to generate certificate request

    Hi!
    I'm having some trouble running the wallet manager to generate a security certificate on a live application server box.
    No matter what I do from the GUI I can't set the display variable correctly. I have tried EVERYTHING. It won't be set. And I can't restart or turn off the box as its a production machine and it's currently heavily in use.
    If I try to use mkwallet logged in as oracle I just get 2 "Failed to create a certificate request" messages after:
    1. running:
    mkwallet -e pwd wrl
    to generate an empty wallet
    and 2. running:
    mkwallet -r pwd wrl CN=domain.com, O=Business Name, L=Suburb, ST=State, C=AU 1024 certReqLoc
    and if I try to run mkwallet as root I just get:
    error while loading shared libraries: libclntsh.so.10.1: cannot open shared object file: No such file or directory
    Advice greatly appreciated!!

    You must repeatedly tap the F11 key at boot to get to the recovery manager.
    Did you make recovery disks when you got the computer?
    If not you may order them.  If you live in the USA/Canada, call this number...  1-800-334-5144.
    If you do not live in the USA/Canada, call the HP business PC support number for the country you live in.
    http://h50146.www5.hp.com/lib/doc/manual/desktop/business_desktops/6005us_332630_007.pdf
    Please mark my post as SOLVED if it has resolved your problem. It helps others with similar situations.

  • WLS70 SSL encrypted keys and Certificate Request Generator

    Hi,
    we are trying to certificate our WLS 7.0. We use the Certificate Request Generator
    webapp for generating the request. The generator forces the user to give in a
    private key password. But in the server's SSL config tab the field "Use encrypted
    Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Is this a bug
    in WLS7.0?

    Hi Alain,
    thanks for your workaround. We will check it out ... although I've been instructed
    on the BEA admin trainee to never change config.xml manually :)
    "Alain Hsiung" <[email protected]> wrote:
    Hi Joern
    consider it a bug or not, you can go to the file config.xml and edit the XML attribute "KeyEncrypted" of the XML element "SSL" to "true".
    Hope this helps.
    Regards
    Alain Hsiung, Ideartis Inc.
    "Joern Wohlrab" <[email protected]> wrote in message
    news:[email protected]..
    Hi,
    we are trying to certificate our WLS 7.0. We use the Certificate Request Generator webapp for generating the request. The generator forces the user to give in a private key password. But in the server's SSL config tab the field "Use encrypted Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Is this a bug in WLS7.0?

  • SAS Token failed with 403 error while generating for each request using ARR module

    Hi,
    We are doing an e-Learning application, which plays a course on the browser (inside a div control). The course contains list of static contents such as html, js, css etc., and media files .mp4. We are hosting the static contents (.html, .js, .css etc) into
    Azure blob storage and media files into Media Service and CDN.
    When user triggers to take a course, the browser first request the Web Role with landing page (Ex: FirstPage.html) and with Course Unique Id - Ex:
    https://cloudservice1.cloudapp.net/course/courseid/firstpage.html. We have written a custom ARR Module (http://www.iis.net/learn/extensions/url-rewrite-module/developing-a-custom-rewrite-provider-for-url-rewrite-module),
    which receives the request, parse it and generate blob storage url with SAS token using C# code for each file. Then route to blob storage. (we have already passing storage account details to ARR Module using Web.config)
    For single user, the course plays fine. But we do the load testing with > 400 user load (with 5 instances), we are getting many 403 errors (and not all files). If the load is less than 200, we don’t get such issue.
    Also, we are using REST code to generate the SAS token. When the SAS token expiration time extending more than 60 min, getting error “Access without signed identifier cannot have time window more than 1 hour”. As the code is exist in ARR Module, unable to
    refer the Storage Client assembly. This 60 min time interval is for each file request – so there could not be an issue on expiration, but feeling this might be an issue?
    Can you please point me what could be the issue and how to solve this. Is the ARR Module caching the SAS token and providing the same even after the expiration time?
    Many Thanks, Thirumalai M

    hi,
    There is a similar thread (http://stackoverflow.com/a/17572316 ), I recommend you could refer to it.
    And I'd like to know how to set the expiry time in your code, and you could see this page (http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/).
    Regards,
    Will

  • How to generate multiple "gift certificate" pdfs with unique serial #s

    I am a new Acrobat user (have Adobe Acrobat 9 Pro) and poked around a bit to see if I could find out how to do this, but found nothing.
    I assume this has been done before and hope someone can point me in the right direction.
    Here's what I am trying to do:
    1. I currently have a pdf doc with a field for a unique serial # (let's call the doc a "Gift Certificate" for simplicity, though that's not quite what it is).
    2. I want to generate multiple pdf files, say 100 of them, based on this original Gift Certificate, but with each one having a unique serial # in the appropriate field, say starting at ser # 1001, and running through to ser # 1100.
    3. I want to be able to save each of these new files on a hard drive - not outputting them to a printer (though this might come in handy in the future too).
    Is this something I can do in Adobe Acrobat Pro 9?  I looked at the Batch Processing tool, but that didn't seem to have any ability to create new files.
    Or do I need a plug-in?  Or a separate software altogether?
    Any help for this novice would be greatly appreciated.
    Thanks
    keith

    Problem solved.
    Forum member try67 wrote me a script, complete with simple installation instructions.
    It works perfectly right out of the box.  Great stuff!!!
    Wish it always worked that way.
    Keith

  • Problem with Generate a certificate and Key

    I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
    I require a CA signs the certificate generated by the Cisco S370, but the CA returns me an error and asks the key is changed to 2048, but I have no option to do this in the GUI, look in the CLI but can not find any option to change the HTTPS certificate key 2048
    You can change the certificate that was generated by the WSA S370 to 2048

    In addition to Kush's response, we had a similar thread in the past. Please refer to:
    https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
    Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of 86121.
    You can search for Bug IDs using Cisco Bug Search Tool :
    https://tools.cisco.com/bugsearch/
    From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
    Regards,
    -Valter
