Generate a certificate request with API (CSR, PKCS#10)
Hi everybody,
I want to request a certificate using a PKCS10 file.
I generate this file with this code:
package test;

import sun.security.pkcs.*;
import sun.security.x509.*;
import java.security.*;
import cryptage2.RSACryptor;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import com.sun.crypto.provider.SunJCE;
import java.io.*;

public class TestPKCS10 {
    public static void main(String argv[]) {
        try {
            // provider
            SunJCE jce = new SunJCE();
            Security.addProvider(new BouncyCastleProvider());
            Security.addProvider(jce);
            // generate KeyPair
            KeyPair pair = RSACryptor.generateKeyPair();
            // get Instance of signature with MD5 algorithm
            Signature dsa = Signature.getInstance("MD5withRSA");
            // get Private Key
            PrivateKey priv = pair.getPrivate();
            // init Signature with private Key
            dsa.initSign(priv);
            // sign
            byte[] sig = dsa.sign();
            // info for X509 are in X500Name Object
            // (argument order: common name, organization unit, organization,
            //  locality, state, country)
            X500Name x500name = new X500Name(
                "Nicolas LEFEUVRE", "IN", "InTech", "Schifflange", "Luxembourg", "Luxembourg");
            // signer : bind Signature and X500Name
            X500Signer signer = new X500Signer(dsa, x500name);
            // get public Key
            PublicKey publicKey = pair.getPublic();
            // create PKCS10 with public key
            PKCS10 pk = new PKCS10(publicKey);
            // sign and encode the PKCS10
            pk.encodeAndSign(signer);
            // save in file PKCS10_2
            PrintStream out =
                new PrintStream(new FileOutputStream("c:/temp/pkcs10_2"));
            // write the Base64 request with its BEGIN/END lines, then close the file
            pk.print(out);
            out.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
The PKCS10 looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBuTCCASICAQAweTETMBEGA1UEBhMKTHV4ZW1ib3VyZzETMBEGA1UECBMKTHV4ZW1ib3VyZzEUMBIGA1UEBxMLU2NoaWZmbGFuZ2UxDzANBgNVBAoTBkluVGVjaDELMAkGA1UECxMCSU4xGTAXBgNVBAMTEE5pY29sYXMgTEVGRVVWUkUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMzTrStPIyUyygFTU5p6QjGyLfAXncUvwA/i+sK2wY1S6EFYGGd7luGXI3NekVvEEzwIZ+eQ+STB7J7XVik8REubJl6gXlZTcrOdVzg6JJtHwbDoTpZnB09hGGZUzdyKsnGVIwZ4Un54Z44BZBm5qeOqYMKLK50YCC6ACqdfu/rpAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQBViesKVPfgkGSB2MYIln6yWPGmOjbLsdGdzSr/EWbtIAuT75ROZpeKKHzpfuHDC1xpbs0iZYvRACujyqeqRHIzomHu6NW7v2+B5CkoP5YsxXswr25fBMRawRckqnzMuZz79G1bi3CtQbh+MbdwvDvvs7DucPgsI7Cn8Fbg214C9Q==
-----END NEW CERTIFICATE REQUEST-----
I use Microsoft Certificate Server (a service of Microsoft NT2000 server) to generate the certificate, and I get this message:
"The request subject name is invalid or too long. 0x80094001 (-2146877439)"
Any idea?
Nicolas, I'm not sure but can you try it anyway?
replace Nicolas LEFEUVRE
with Nicolas_LEFEUVRE
There is something about blanks in the Common Name
I'm not sure how or what, but just give it a try!
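As an added example (not code from this thread): a Python check that reads the subject out of a PKCS#10 request and compares each attribute with the RFC 5280 upper bounds, one thing to verify when a CA reports an invalid or too long subject name. The function names are hypothetical, the sample request is constructed from the subject strings in the posted code and carries only version and subject, and whether the CA in the thread rejected the request for this reason is an assumption.

```python
import base64

# RFC 5280 Appendix A upper bounds (characters), keyed by the DER body of OID 2.5.4.x.
BOUNDS = {b"\x55\x04\x03": ("CN", 64), b"\x55\x04\x06": ("C", 2), b"\x55\x04\x07": ("L", 128),
          b"\x55\x04\x08": ("ST", 128), b"\x55\x04\x0a": ("O", 64), b"\x55\x04\x0b": ("OU", 64)}
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii", 0x1E: "utf-16-be"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # [(tag, value), ...] for the elements inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_subject(pem):
    """Return [(attribute OID body, text), ...] for the subject of a PEM PKCS#10 request."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, request, _ = read_tlv(base64.b64decode(b64))    # CertificationRequest
    info = children(request)[0][1]                     # CertificationRequestInfo
    name = children(info)[1][1]                        # [0] is version, [1] is subject
    attrs = []
    for _, rdn in children(name):                      # each RDN is a SET ...
        for _, atv in children(rdn):                   # ... of AttributeTypeAndValue
            (_, oid), (tag, raw) = children(atv)[:2]
            attrs.append((oid, raw.decode(CODECS.get(tag, "latin-1"))))
    return attrs

def check_subject(attrs):
    """List the subject attributes that are longer than their RFC 5280 bound."""
    problems = []
    for oid, text in attrs:
        label, limit = BOUNDS.get(oid, ("?", None))
        if limit is not None and len(text) > limit:
            problems.append(f"{label}={text!r}: {len(text)} chars, limit {limit}")
    return problems

def tlv(tag, body):  # minimal DER encoder for the constructed sample, bodies under 256 bytes
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def sample_csr(rdns):
    """Constructed sample: version and subject only, no public key or signature."""
    name = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, bytes([0x55, 4, arc]))
                                  + tlv(0x13, text.encode()))) for arc, text in rdns)
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, name)))
    body = base64.b64encode(der).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----"

# Constructed input: subject strings from the post as (last OID arc, text): C, ST, L, O, OU, CN.
POSTED = [(6, "Luxembourg"), (8, "Luxembourg"), (7, "Schifflange"),
          (10, "InTech"), (11, "IN"), (3, "Nicolas LEFEUVRE")]

if __name__ == "__main__":
    print(check_subject(csr_subject(sample_csr(POSTED))))
```

To run the check on a real request, pass its PEM text to csr_subject; attributes with OIDs outside the table are returned but not checked.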
Similar Messages
-
How to generate a certificate request with more than one OU?
We're using Sun Java System Web Server 6.1 SP4. The Corp. has its own CA and organizes its certificates in a hierarchical rule with more than one organization unit (OU) in a chain.
So what we need is to generate a certificate request with more than one OU, but the Web Server wizard has only one text field for it. We've already tried to fill in this field with the complete chain of OUs like "ou=orgX, ou=deptY, ou=secZ" and it didn't work either.
Thanks in advance,
Jeff!
Have you tried the command line "certutil"?
#<SERVER-ROOT>/bin/https/admin/bin/certutil -
Problem Generating a certificate request
I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM. I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error. This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
I am using this command.... certreq -new request.inf request.req
After hitting enter, it sits there for about 10 seconds and gives me this error back...
Certificate Request Processor: Access is denied. 0x80070005 (WIN32: 5)
[RequestAttributes]
I have searched on this error and have not found much of anything on it. This process seems to work fine on other servers that I have, but these two servers both generate this error. Both servers are clean builds and only have ADAM installed on them. I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message.
Anyone have any ideas?
Thanks!
Hello Bryan,
First of all, please make sure that the CA certificate is added to the Trusted Root certificate store on the servers. If certificate web enrollment is enabled, please check how a certificate request works on the two servers that generate the error.
Meanwhile, please verify the security permission on the MachineKeys directory:
1. Open Windows Explorer, and find the MachineKeys directory in the following location:
Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys
2. Right-click the directory, and click Properties.
3. Click the Security tab, and ensure that the full control permission for the Administrators
How to: Change the Security Permissions for the MachineKeys Directory
http://msdn.microsoft.com/en-us/library/bb909654.aspx
Hope it helps. -
How to get provisioning process tasks of a request with API
Hi All,
I need to know the number of process tasks called during a provisioning process for a resource object and also the status of each task!
Which API is available for this?
Does anyone have pseudocode?
Regards,
SK
http://docs.oracle.com/cd/E14571_01/apirefs.1111/e17334/Thor/API/Operations/tcProvisioningOperationsIntf.html#getProcessDetail_long_
and
http://docs.oracle.com/cd/E14571_01/apirefs.1111/e17334/Thor/API/Operations/tcProvisioningOperationsIntf.html#getProvisioningTaskDetails_long_
HTH,
Bikash -
Certificate request not working with web server v2 template on windows 2012 R2
I have tried to generate a certificate request on my domain joined Windows 2012 R2. I have tried both online and offline requests. I am using the web server v2 template.
Both methods fail with an error message that the cryptographic algorithm is unknown. I am using these settings apart from the template:
This is the error message in the online request:
The error message in the offline request is somewhat similar.
An event error is also appearing in the application log:
The CSPs from the template:
I am wondering if a cryptographic service provider or several of them are missing? They are installed with Windows Update, are they not? The strange thing is that this supposedly has worked before with another user. Could it be that I do not have the correct permissions to request a certificate with this template, or has something happened with the server?
Hey dag
Thanks for posting,
If you try duplicating the web template to use it in version 4, can you see any difference?
Also check the link below for certificate templates versions:
http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx#Version_4_Certificate_Templates
In previous operating system versions the configuration of CSPs and KSPs were on different tabs in the certificate properties. For version 2 certificate templates, CSPs were configured on the Request Handling tab. For version 3 certificate templates, KSPs were configured on the Cryptography tab. Starting in Windows Server 2012, the configuration of the providers is consolidated on the Cryptography tab. To learn more about the cryptographic provider options present in previous operating systems
Notice later.
I'd be glad to answer any question -
SSL Cert. Request with multiple CNs?
Greetings to all of the Gurus out there!
Is it possible to generate a Certificate Request within iMS (version 5.2) that will handle multiple CNs? In other words, we could request a certificate that would work for mail.foo.com, pop.foo.com, imap.foo.com, etc., etc. Or, failing that, is it possible to somehow create and register multiple certs to accomplish this?
I know how to do this by using OpenSSL, but if I do that, then iPlanet doesn't know about the private OpenSSL key that I used to generate the certificate.
Any help is appreciated.
Hi,
If the installation is stand-alone I don't know of a way to specify more than one certificate for each service.
So if I recall properly, based on iMS 5.2 experience, I can insert 1 Cert in the msg-serv and this is used by all services: smtp,imap,http.
Correct - for a stand-alone installation.
What I am not sure of, and this is where someone who has taken this further, is if I am obligated to use the hostname that the msg-serv is running on as my cert's cn?
No you aren't obligated to use the hostname. You can use any name you want - you specify the name to be presented to clients during the certificate request stage.
In my case the msg-serv instance is running on the host: kady-amd.education.ucsb.edu and I would prefer to have 1 cert that was listed as from mail.education.ucsb.edu
Yep sounds like a plan to me. This way your users only have to remember one address. Also if you decide to expand later (e.g. add in a MMP proxy and multiple backend hosts) you can just copy the certificate database files to the MMP, repoint the mail.education.ucsb.edu IP address and away you go.
I am wondering if this will require at the OS level, a virtual hostname set up or can I do this with msg-serv?
All you need is the DNS record for mail.education.ucsb.edu to point at the IP address of the standalone system.
Regards,
Shane. -
How to generate a PKCS#10 certificate request
Hi:
does OWM generates certificate requests in PKCS#10 format?
TIA
Have you tried the command line "certutil"?
#<SERVER-ROOT>/bin/https/admin/bin/certutil -
How to generate PKCS#10 ECDSA Certificate Requests?
Hi all,
Can any body please let me know how can I create ECDSA/RSA/DSA PKCS#10 certificate requests in Java using non-SUN providers?
I've looked at the Java API docs and couldn't find any class for this purpose. Is there any open-source Classes/Tools which can be used?
I've tried keytool with my provider which supports RSA and ECDSA, it works with RSA but not ECDSA.
I'd appreciate your help.
Joe -
Certificate signing request with subject alternative names?
Has anyone been successful at generating a certificate signing request for a certificate that uses subject alternative names via the Server Manager GUI? It seems to skip the entire X509 section of the CSR for me.
Command line via openssl works but I'd like to stick with the GUI for the encryption on the certificates.
I just checked the documentation and found that your code is incorrect. IAlternativeName::StrValue contains value for an email address, a Domain Name System (DNS) name, a URL, a registered object identifier (OID), or a user principal name (UPN). It doesn't contain string value for directory name (and other non-mentioned types). Instead, you need to instantiate an IX500DistinguishedName interface and initialize it from an alternative name value:
using System;
using CERTENROLLLib; // interop assembly for the CertEnroll COM type library

class Program {
    static void Main(string[] args) {
        String RequestString = "Base64-encoded request";
        CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
        request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
        Console.WriteLine("Subject: {0}", request.Subject.Name);
        foreach (IX509Extension ext in request.X509Extensions) {
            // only the Subject Alternative Name extension is decoded here
            if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
                CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
                string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
                extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
                foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
                    switch (alternativeName.Type) {
                        case AlternativeNameType.XCN_CERT_ALT_NAME_DIRECTORY_NAME:
                            // directory names carry an encoded DN, not a string value
                            IX500DistinguishedName DN = new CX500DistinguishedName();
                            DN.Decode(alternativeName.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
                            Console.WriteLine("SAN: {0}", DN.Name);
                            break;
                        default:
                            Console.WriteLine("SAN: {0}", alternativeName.strValue);
                            break;
                    }
                }
            }
        }
    }
}
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool. -
Generate a Certificate Signing Request
Hey guys, I'm new to the Safari developer program and I'm having problems with the Generate a Certificate Signing Request for my PC. It worked fine on my Mac but not on my windows 7 PC. I follow the steps, saving the file then opening "CMD.exe" and type in the request and place "" with the path of the file saved in step one but once I hit enter it gives me a
Requires a Mac and your keychain.
-
Can't run wallet manager to generate certificate request
Hi!
I'm having some trouble running the wallet manager to generate a security certificate on a live application server box.
No matter what I do from the GUI I can't set the display variable correctly. I have tried EVERYTHING. It won't be set. And I can't restart or turn off the box as its a production machine and it's currently heavily in use.
If I try to use mkwallet logged in as oracle I just get 2 "Failed to create a certificate request" messages after:
1. running:
mkwallet -e pwd wrl
to generate an empty wallet
and 2. running:
mkwallet -r pwd wrl CN=domain.com, O=Business Name, L=Suburb, ST=State, C=AU 1024 certReqLoc
and if I try to run mkwallet as root I just get:
error while loading shared libraries: libclntsh.so.10.1: cannot open shared object file: No such file or directory
Advice greatly appreciated!!
You must repeatedly tap the F11 key at boot to get to the recovery manager.
Did you make recovery disks when you got the computer?
If not you may order them. If you live in the USA/Canada, call this number... 1-800-334-5144.
If you do not live in the USA/Canada, call the HP business PC support number for the country you live in.
http://h50146.www5.hp.com/lib/doc/manual/desktop/business_desktops/6005us_332630_007.pdf
Please mark my post as SOLVED if it has resolved your problem. It helps others with similar situations. -
WLS70 SSL encrypted keys and Certificate Request Generator
Hi,
we are trying to certificate our WLS 7.0. We use the Certificate Request Generator
webapp for generating the request. The generator forces the user to give in a
private key password. But in the server's SSL config tab the field "Use encrypted
Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Is this a bug
in WLS7.0?
Hi Alain,
thanks for your workaround. We will check it out ... although I've been instructed
on the BEA admin trainee to never change config.xml manually :)
"Alain Hsiung" <[email protected]> wrote:
Hi Joern
consider it a bug or not, you can go to the file config.xml and edit the
XML attribute "KeyEncrypted" of the XML element "SSL" to "true".
Hope this helps.
Regards
Alain Hsiung, Ideartis Inc.
"Joern Wohlrab" <[email protected]> wrote in message
news:[email protected]..
Hi,
we are trying to certificate our WLS 7.0. We use the Certificate Request Generator
webapp for generating the request. The generator forces the user to give in a
private key password. But in the server's SSL config tab the field "Use encrypted
Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Is this a bug
in WLS7.0? -
SAS Token failed with 403 error while generating for each request using ARR module
Hi,
We are doing an e-Learning application, which plays a course in the browser (inside a div control). The course contains a list of static contents such as html, js, css etc., and media files (.mp4). We are hosting the static contents (.html, .js, .css etc.) in Azure blob storage and the media files in Media Service and CDN.
When a user triggers to take a course, the browser first requests the Web Role with the landing page (Ex: FirstPage.html) and with the Course Unique Id - Ex: https://cloudservice1.cloudapp.net/course/courseid/firstpage.html. We have written a custom ARR Module (http://www.iis.net/learn/extensions/url-rewrite-module/developing-a-custom-rewrite-provider-for-url-rewrite-module), which receives the request, parses it and generates the blob storage url with a SAS token using C# code for each file. Then it routes to blob storage. (We are already passing the storage account details to the ARR Module using Web.config.)
For a single user, the course plays fine. But when we do the load testing with > 400 user load (with 5 instances), we are getting many 403 errors (and not for all files). If the load is less than 200, we don't get such an issue.
Also, we are using REST code to generate the SAS token. When extending the SAS token expiration time to more than 60 min, we get the error “Access without signed identifier cannot have time window more than 1 hour”. As the code exists in the ARR Module, we are unable to refer to the Storage Client assembly. This 60 min time interval is for each file request – so there could not be an issue on expiration, but feeling this might be an issue?
Can you please point me to what could be the issue and how to solve this? Is the ARR Module caching the SAS token and providing the same even after the expiration time?
Many Thanks, Thirumalai M
Hi,
There is a similar thread (http://stackoverflow.com/a/17572316), I recommend you could refer to it.
And I'd like to know how to set the expiry time in your code, and you could see this page (http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/).
Regards,
Will -
How to generate multiple "gift certificate" pdfs with unique serial #s
I am a new Acrobat user (have Adobe Acrobat 9 Pro) and poked around a bit to see if I could find out how to do this, but found nothing.
I assume this has been done before and hope someone can point me in the right direction.
Here's what I am trying to do:
1. I currently have a pdf doc with a field for a unique serial # (let's call the doc a "Gift Certificate" for simplicity, though that's not quite what it is).
2. I want to generate multiple pdf files, say 100 of them, based on this original Gift Certificate, but with each one having a unique serial # in the appropriate field, say starting at ser # 1001, and running through to ser # 1100.
3. I want to be able to save each of these new files on a hard drive - not outputting them to a printer (though this might come in handy in the future too).
Is this something I can do in Adobe Acrobat Pro 9? I looked at the Batch Processing tool, but that didn't seem to have any ability to create new files.
Or do I need a plug-in? Or a separate software altogether?
Any help for this novice would be greatly appreciated.
Thanks
keith
Problem solved.
Forum member try67 wrote me a script, complete with simple installation instructions.
It works perfectly right out of the box. Great stuff!!!
Wish it always worked that way.
Keith -
Problem with Generate a certificate and Key
I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
I require a CA signs the certificate generated by the Cisco S370, but the CA returns me an error and asks the key is changed to 2048, but I have no option to do this in the GUI, look in the CLI but can not find any option to change the HTTPS certificate key 2048
You can change the certificate that was generated by the WSA S370 to 2048
In addition to Kush's response, we had a similar thread in the past. Please refer to:
https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of 86121.
You can search for Bug IDs using Cisco Bug Search Tool :
https://tools.cisco.com/bugsearch/
From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
Regards,
-Valter