Generate a SHA1 CSR on an ASA5520 8.2.1

I am trying to get an SSL certificate on my ASA to use with AnyConnect. When I generate the "certificate signing request", the ASA hashes it with MD5, not SHA1, and the provider I am purchasing my public SSL certificate from will only allow SHA1 CSRs.
The code on my ASA is fairly old now, version 8.2.1. Is there any way I can generate the CSR in SHA1 format without upgrading the IOS on my ASA?

This is a limitation (or weakness) in earlier versions of the ASA and although it is not a bug, a bug report has been created to fix this issue.  You need to upgrade to 8.2(2) or higher to solve your issue.  Here is a link to the bug report:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw88068
Please rate all helpful posts and remember to select a correct answer

Similar Messages

  • How Do You Generate a 2048bit CSR for a Third Party SSL Certificate for LMS 4.0.1?

    Our site requires Third Party SSL certificates to be installed on our servers.  We have an agreement with inCommon. I have to supply a CSR in order to obtain the SSL certificate.
    My installation is on a Windows 2008 server and I had the self-signed CSR already but it is only 1024 bits.  Is there someplace in the GUI or OS where I can change the encryption?

    This is a shot in the dark, but since CiscoWorks is using (I believe) Tomcat as the web server, could you run keytool to generate the CSR?
    http://help.godaddy.com/article/5276
    You could also use an online CSR generator such as:
    http://www.gogetssl.com/eng/support/online_csr_generator/
    The key (pun intended) is having the private key on your server so that when you get the signed certificate and install it (using sslutil) it will be usable.
    Hope this helps.

  • Certificate app generating vulnerable CSRs

    All,
    After generating a new CSR from WebLogic's (6.1/sp2) certificate app, and proceeding
    to submit the CSR at the Verisign WebSite, I get a cautionary message (below)
    from Verisign that the request is only 512 bit. They state there are known vulnerabilities
    with CSRs less than 512 bits and that they recommend 1024 bit CSRs.
    Can someone decipher this and explain what these "known vulnerabilities" are?
    Also, does this mean that WebLogic would not be using the full encryption
    capabilities of a 128 bit certificate?
    If 1024 bit CSRs are needed, why isn't this an option on the WebLogic certificate
    app? Also, can someone tell me how to get WebLogic to generate 1024 bit CSRs?
    TIA,
    John Hogan
    ===========================================================
    512 bit Key Detected
    We have detected the key length in the Certificate Signing Request (CSR) submitted
    is not greater than 512 bits. There are known vulnerabilities associated with
    keys up to this length. We recommend you submit CSR with a longer key (1024 bits
    recommended). You may do this by using your web server to generate another CSR.
    Refer to your server documentation for details.
    Note: Some older web servers are incapable of generating longer keys.

  • How to generate a SSL certificate for Adobe Connect?

    My organization uses adobe connect across the internet and we
    would like to enable SSL on the server. I have instructions for
    enabling SSL once a CSR is generated, but I do not know how to
    actually generate the CSR using Adobe Connect.
    Any info on how to generate a SSL CSR would be great,
    thanks.

    There is no 'built-in' method in Connect to do this. We used
    an open-source product called OpenSSL to generate our CSR file for
    Connect. Just Google OpenSSL and download/install it (it's free).
    Then use something like this command for creating a cert:
    openssl req -new -key <existing private key file> -out <csr file you want to make>
    Example:
    OpenSSL> req -new -key privatekey.pem -out connectcert.csr
    After you get the new certificate from the CA, put it in the
    d:\breeze directory. Then update the adaptor.xml file with the new
    cert name (make sure to back up the existing file).
    Make sure you REBOOT the server to enable changes! Simply
    restarting services will not work.
    Hope this helps!

  • SHA1 Signature not in PKCS#7 Format

    Hello,
    we got a problem with a signed XML request.
    We want to communicate with a service provider via XML request. The interface of the service provider wants to have a SHA1 signature of the data we send. As far as I know the SSF library is only supporting signatures in PKCS#7 format; my question is if there is a solution just to generate the SHA1 signature without having it in PKCS#7 format.
    kind regards
    Florian

    Hi Oliver,
    thank you for your answer. You are right. The problem is the partner doesn't want the container format pkcs#7. He just wants to have a SHA1/RSA signature value. No container. Can I somehow extract the encrypted digest part out of the container in ABAP? Or is there a function module where I can generate a sha1/rsa signature with the keys from the SSF keystore?
    kind regards
    Florian

  • ISE CSR not being displayed

    I have an ISE Primary Monitor node whose Server Certificate has expired.  I generated a new CSR and it reported that it was created and could be viewed under the Certificate Signing Requests tab but it never showed up.  Tried to re-generate but it now states that it already exists.  Rebooted the device to see if that would fix the issue but the CSR is still not showing.  For a test I created another CSR using the ip address of the device as the CN; and again it reported that it could be viewed but is not being displayed under the CSR tab.  These are the log items when I created the initial CSR and what it shows when I tried to create another using the same CN. The version of ISE is 1.1.3.124.  I was able to create CSRs and update Certificates on the Administration/Policy nodes.
    237 INFO  2014-09-22 11:43:07,237  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Certificate Signing Request DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____ was created successfully. 2014-09-22 11:43:16,
    174 ERROR 2014-09-22 11:44:33,174  [http-443-29][] cpm.admin.infra.action.LocalCertAddAction- Unable to import certificate : com.cisco.cpm.infrastructure.certmgmt.api.CertMgmtException: Resource Name 'NAC Group:NAC:CertificateRequests:DC-ISE-2_int_fhfa_gov#PID$_NAC3315-SVR_______$_VID$_V01$_SN$_KQ586M0____' already exists. 2014-09-22 11:44:36,
    Thanks

    Tried generating another CSR from a different app but no success.
    Opened a TAC case and was told that this is bug CSCuh91639. Worked with the TAC engineer to have them go into the DB with root access on this node and the primary node to delete the CSR.  Also had to de-register the ISE from the deployment and then reset the ISE to default settings to have it create a new self-signed cert to allow re-registering the device into the deployment.  After this I was able to create a CSR and generate a cert from our CA.
    Will look into updating to 1.2 since this bug is fixed in that version.

  • Adding SAN through web-security and Creating CSR for Tomcat (CUCM 10.5) to be signed by Third Party CA

    Hi Guys,
    Wondering if anyone has done this or could suggest the needful.
    We are running CUCM 10.5 cluster and currently using self-signed certificate for Tomcat. Now, we would like to get it signed by Third party CA.
    Just to be clear that we are doing this for Jabber clients so they should not get prompted for certificate Invalid.
    Now the issue: the CUCM is using the IP address as hostname and for that reason we had to add the desired IP address under SAN (alternate name) through the set web-security command. We did that successfully and restarted the Tomcat service, and when we run the show web-security command, it does show the added SAN:
     altNames: 2 names
              1) UCS-CUCM-UB.domain (dNSName)
              2) 10.x.x.x (dNSName)
    But when we try to generate the new CSR, it didn't contain the modified SAN, just the first one i.e only 1) UCS-CUCM-UB.domain (dNSName)
    Is there anything we missed here to get the added SAN being populated in the new CSR ?
    Regards
    M

    Hi Gordon,
    Thank you for your prompt response. For recommendation, you are right but we don't want to initiate that change for now unless, there is no other option left.
    While Generating new CSR, under SAN, there is only Parent Domain field which is populated with our domain name. How should I add the IP address there ?
    Regards

  • Need Help about Certificate based Authentication

    Hi friends..
    Currently, i'm trying to develop an applet that using Certificate Based Authentication..
    i have looked at this thread : http://forums.sun.com/thread.jspa?threadID=5433603
    this is what Safarmer says about the steps to generate a CSR:
    0. Generate key pair on the card.
    1. Get public key from card
    2. Build CSR off card from the details you have, the CSR will not have a signature
    3. Decide on the signature you want to use (the rest assumes SHA1 with RSA Encryption)
    4. Generate a SHA1 hash of the CSR (without the signature section)
    5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    6. Send DigestInfo to the card
    7. On the card, use the matching private key to encrypt the DigestInfo
    8. Return the encrypted digest info to the host
    9. Insert the response into the CSR as the signature
    Sorry, i'm a little bit confused about those steps.. (Sorry i'm pretty new in X509Certificate)..
    on step 4,
    Generate a SHA1 hash of the CSR (without the signature section)
    Does it mean we have to "build" a CSR that looks like:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=California, L=West Hollywood, O=ITDivision, OU=Mysys, CN=leonardo.office/[email protected]
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:be:a0:5e:35:99:1c:d3:49:ba:fb:2f:87:6f:d8:
    ed:e4:61:f2:ae:6e:87:d0:e2:c0:fd:c1:0f:ed:d7:
    84:04:b5:c5:66:cd:6b:f0:27:a2:cb:aa:3b:d7:ad:
    fa:f4:72:10:08:84:88:19:24:d0:b0:0b:a0:71:6d:
    23:5e:53:4f:1b:43:07:98:4d:d1:ea:00:d1:e2:29:
    ea:be:a9:c5:3e:78:f3:5e:30:1b:6c:98:16:60:ba:
    61:57:63:5e:6a:b5:99:17:1c:ae:a2:86:fb:5b:8b:
    24:46:59:3f:e9:84:06:e2:91:b9:2f:9f:98:04:01:
    db:38:2f:5b:1f:85:c1:20:eb
    Exponent: 65537 (0x10001)
    Attributes:
    a0:00
    on step 5, Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    What does the DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) look like?
    And what does the DigestInfo contain, and what is the TAG for DigestInfo?..
    Please help me regarding this..
    Thanks in advance..
    Leonardo Carreira

    Hi,
    Leonardo Carreira wrote:
    Sorry, Encode the Public Key is handled by On Card Application or Off Card Application?..
    I think it's easier to encode the public key by Off Card app..
    Could you guide me how to achieve this?, i think Bouncy Castle can do this, but sorry, i don't know how to write code for it.. :(

    All you need to do is extract the modulus and exponent of the public key. These will be in a byte array (response from your card) that you can use to create a public key object in your host application. You can then use this key to create a CSR with bouncycastle.

    I have several questions :
    1. Does Javacard provide API to deal with DER data format?

    JC 2.2.1 does not but JC 2.2.2 does, however I believe this is an optional package though. You can implement this in your applet though.

    2. Regarding the Certificate Based Authentication, what stuff needs to be stored in the Applet?..
    - I think Applet must hold :
    - its Private Key,
    - its Public Key Modulus and its Public Key Exponent,
    - its Certificate,
    - Host Certificate
    i think this requires too much EEPROM to store only the key..

    This depends on what you mean by Certificate Based Authentication. If you want your applet to validate certificates it is sent against a certificate authority (CA) then you need the public keys for each trust point to the root CA. To use the certificate for the card, you need the certificate and corresponding private key. You would not need to use the public key on the card so this is not needed. You definitely need the private key.
    Here is a rough estimate of data storage requirements for a 2048 bit key (this is done off the top of my head so is very rough):
    ~800 bytes for your private key
    ~260 bytes per public key for PKI hierarchy (CA trust points)
    ~1 - 4KB for the certificate. This depends on the amount of data you put in your cert

    3. What is the appropriate RSA key length, because we have to take into account that the buffer is only 255 bytes (assume i don't use Extended Length)..

    You should not base your key size on your card capabilities. You can always use APDU chaining to get more data onto the card. Your certificate is guaranteed to be larger than 256 bytes anyway. You should look at the NIST recommendations for key strengths. These are documented in NIST SP 800-57 [http://csrc.nist.gov/publications/PubsSPs.html]. You need to ensure that the key is strong enough to protect the data for a long enough period. If the key is a transport key, it needs to be stronger than the key you are transporting. As you can see there are a lot of factors to consider when deciding on key size. I would suggest you use the strongest key your card supports unless performance is not acceptable. Then you would need to analyse your key requirements to ensure your key is strong enough.
    Cheers,
    Shane
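    Steps 2 to 9 of the list quoted above, and the CSR check that the ASA question at the top of this page needs, as an added Python example; this is not code from the thread, from the Java Card API, or from Cisco. It builds the PKCS#1 DigestInfo the question asks about (a SEQUENCE, tag 0x30, holding an AlgorithmIdentifier SEQUENCE and an OCTET STRING digest; for SHA-1 the leading 15 bytes are always 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 followed by the 20-byte hash), pads it as EMSA-PKCS1-v1_5 the way Cipher.ALG_RSA_PKCS1 does on the card, applies a throw-away RSA private key in place of the card, verifies on the host, wraps the result in a CertificationRequest, and reads the signatureAlgorithm OID back out, which is the field that shows md5WithRSAEncryption on an 8.2.1 ASA. The DER helpers, the toy 512-bit key and the request body are all constructed for this example; a real card generates its key pair on-card, and 512 bits is far below what NIST SP 800-57 recommends.

```python
import hashlib
import secrets

def der(tag, content):
    """One DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        out = bytes([a & 0x7F])
        while a := a >> 7:
            out = bytes([0x80 | (a & 0x7F)]) + out
        body += out
    return der(0x06, bytes(body))

def read_tlv(buf, pos=0):
    """(tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

HASH_OIDS = {"sha1": "1.3.14.3.2.26", "sha256": "2.16.840.1.101.3.4.2.1"}
SIG_NAMES = {der_oid("1.2.840.113549.1.1.4"): "md5WithRSAEncryption",
             der_oid("1.2.840.113549.1.1.5"): "sha1WithRSAEncryption",
             der_oid("1.2.840.113549.1.1.11"): "sha256WithRSAEncryption"}

def digest_info(hash_name, data):
    """Steps 4-5: DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest } (PKCS#1)."""
    alg = der(0x30, der_oid(HASH_OIDS[hash_name]) + der(0x05, b""))   # NULL parameters
    return der(0x30, alg + der(0x04, hashlib.new(hash_name, data).digest()))

def emsa_pkcs1_v15(t, k):
    """EM = 00 || 01 || PS (0xFF bytes) || 00 || T, exactly k bytes (RFC 8017 section 9.2)."""
    if k < len(t) + 11:
        raise ValueError("RSA modulus too small for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _probable_prime(n, rounds=16):
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):  # n is odd here
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                   # Miller-Rabin
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def toy_rsa_keypair(bits=512, e=65537):
    """Step 0 stand-in: a real card generates its pair on-card; this key is for the demo only."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def card_sign(priv, t):
    """Steps 6-8 as Cipher.ALG_RSA_PKCS1 does them on the card: pad T, apply the private key."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(t, k), "big"), d, n).to_bytes(k, "big")

def host_verify(pub, sig, hash_name, data):
    """Host side: the RSA public operation must give back exactly the padded DigestInfo."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(digest_info(hash_name, data), k)

def assemble_csr(cert_request_info, sig, sig_oid="1.2.840.113549.1.1.5"):
    """Step 9: CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, BIT STRING sig }."""
    alg_id = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    return der(0x30, cert_request_info + alg_id + der(0x03, b"\x00" + sig))

def csr_signature_algorithm(csr_der):
    """Which hash a CSR's own signature uses (the field that reads md5WithRSAEncryption on the 8.2.1 ASA)."""
    _, body, _ = read_tlv(csr_der)               # CertificationRequest
    _, _, pos = read_tlv(body)                   # skip certificationRequestInfo
    _, alg_id, _ = read_tlv(body, pos)           # signatureAlgorithm
    tag, oid, _ = read_tlv(alg_id)
    return SIG_NAMES.get(der(tag, oid), "unknown OID " + oid.hex())
```

    To run the flow end to end: `pub, priv = toy_rsa_keypair()`, build a stand-in request body such as `info = der(0x30, der(0x02, b"\x00") + der(0x0c, b"constructed request body"))`, then `sig = card_sign(priv, digest_info("sha1", info))`, `host_verify(pub, sig, "sha1", info)` and `csr_signature_algorithm(assemble_csr(info, sig))`, which returns sha1WithRSAEncryption. csr_signature_algorithm() works on any DER CSR (base64-decode the PEM body first); on a real file, `openssl req -in request.csr -noout -text` prints the same field as "Signature Algorithm". Note that this self-signature only proves possession of the private key; the hash the CA uses to sign the issued certificate is the CA's own choice, which is why a CA can refuse an MD5-signed request on policy grounds even though the request body itself is unaffected.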

  • Channel 0 deselection and JCSystem.makeTransientByteArray memory issues

    Hi,
    I am writing an applet that should among other things generate an HMAC-SHA1 value. However, JCDK 3.02 Classic edition RI does not support Signature.ALG_HMAC_SHA1. That is why I had to make my own HMAC-SHA1 based on MessageDigest.getInstance(MessageDigest.ALG_SHA,false).
    The problem is that when I transfer data to my HMAC-SHA1 function I create byte [] workbuffer = JCSystem.makeTransientByteArray((short)(blockLength + datalength), JCSystem.CLEAR_ON_DESELECT); inside of my HMAC-SHA1 function. I cannot do memory allocation in the constructor since I don't know the data length in advance. This function works fine only the first time; on the second run the applet runs out of memory.
    From my MIDlet I call myConnection.close() to close the connection and deselect the applet before passing new data to applet for HMAC generation. But according to Security and Trust Services APIs for Java 2 Platform "the application selected on channel 0 is not deselected at the time the connection is closed but remains selected until a new connection is established on channel 0". So, the next time I open connection to my applet and pass data to HMAC-SHA1 I get throw_error(SYSTEMEXCEPT_NO_TRANSIENT_SPACE) from cref in the console window.
    Is there anything I can do with this memory problem? How can I eventually deselect the applet to free the memory?
    //Aleksandr

    Argh! Poor card :-)
    NEVER allocate memory outside of the constructor or initialization methods (called once then disabled)! Forget JavaCard 3, use 2.2 and remember you have 2KB RAM in all cards in this world. The 2MB-RAM/16MB-Flash cards simulated in the javacard SDK for netbeans exist only in the imagination of the spec creators.
    Allocate a fixed size buffer and process data in blocks. The update() method is here for this purpose.
    This is not java desktop, memory is more than scarce!
    transient memory allocated with the TRANSIENT_DESELECT flag is allocated for every logical channel to allow implementing multi selectable applets with independent contexts.
    transient memory allocated with the TRANSIENT_RESET flag is allocated once, for all channels.
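    The HMAC the question builds by hand from MessageDigest.ALG_SHA, written here in Python as an added example (not code from the thread or from the Java Card reference implementation) to show the point of the reply: HMAC needs only two block-sized pads derived from the key plus the running inner hash, so the message can be streamed through update() in fixed-size pieces and no buffer of blockLength + dataLength has to be allocated per call. The class mirrors the Java Card update()/doFinal() shape; the keys and messages below are constructed (the first two are the RFC 2202 test vectors), and the standard-library hmac module is used only as a cross-check.

```python
import hashlib
import hmac   # standard-library HMAC, used here only to cross-check the hand-built one

BLOCK = 64    # SHA-1 block size in bytes; the only fixed buffer the construction needs

class ChunkedHmacSha1:
    """HMAC-SHA1 (RFC 2104) built from a plain SHA-1 digest object and fed in chunks.

    The key-derived pads are fixed BLOCK-byte values and message data is streamed
    through the inner hash, so nothing proportional to the message length is held."""

    def __init__(self, key):
        if len(key) > BLOCK:                      # keys longer than a block are hashed first
            key = hashlib.sha1(key).digest()
        key = key.ljust(BLOCK, b"\x00")           # then zero-padded to exactly one block
        self._opad = bytes(b ^ 0x5C for b in key)
        self._inner = hashlib.sha1(bytes(b ^ 0x36 for b in key))

    def update(self, chunk):
        """Feed the next piece of the message; any chunk size works."""
        self._inner.update(chunk)
        return self

    def do_final(self):
        """Java Card's doFinal(): H(K ^ opad || H(K ^ ipad || message))."""
        return hashlib.sha1(self._opad + self._inner.digest()).digest()

def hmac_sha1_chunked(key, data, chunk_size=32):
    """Stream `data` through the MAC in fixed-size pieces and return the 20-byte tag."""
    mac = ChunkedHmacSha1(key)
    for i in range(0, len(data), chunk_size):
        mac.update(data[i:i + chunk_size])
    return mac.do_final()

def matches_stdlib(key, data, chunk_size=32):
    """True when the hand-built MAC agrees with hmac.new for the same key and message."""
    expected = hmac.new(key, data, hashlib.sha1).digest()
    return hmac.compare_digest(hmac_sha1_chunked(key, data, chunk_size), expected)

if __name__ == "__main__":
    # RFC 2202 test case 1: key = 20 x 0x0b, data = "Hi There"
    print(hmac_sha1_chunked(b"\x0b" * 20, b"Hi There").hex())
```

    The chunk size is arbitrary: an applet can size its single work buffer to whatever its APDU handling allows and call update() per APDU, which is what the reply means by processing data in blocks.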

  • How do i install a self signed server certificate

    After using the admin tool to generate a request CSR, how do I sign this myself for testing purposes so I can install it and therefore run using https?
    I have keytool and certutil both available on the system.
    My most recent solution was to cut and paste the request to www.thawte.com/cgi/server/test.exe and it would return a certificate that was good for 21 days. This however is not the solution I am looking for.
    Thanks

    Hi,
    I recently found a way to install test or self-signed certificates and use them with S1SE.
    See:
    http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
    Follow the instructions there
    1. Create CA
    2. Create root ca certificate
    Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
    Paste the contents of the file: cacert.pem into the message-text box.
    Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
    The next step is to send a certificate-request from S1SE to your e-mail-address.
    The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
    Now just sign the Request:
    CA.pl -sign
    The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
    Then you have to reboot the server/instance again and it should work with your certificate.
    Regards,
    Dominic

  • CA-signed certificate for admin server

    hi,
    how can i make the admin-server use a CA signed certificate instead of self-signed? i only see an option to renew the self-signed certificates.

    okay, this is the method i used:
    webserver$ cd /var/opt/SUNWwbsvr7/admin-server/config
    # Save the CA certificate in cacert.crt, and import it into the database:
    webserver$ certutil -d . -A -n Example-Inc-CA -t CTu -a -i cacert.crt
    # Generate a new CSR on stdout:
    webserver$ certutil -R -d . -s 'CN=ws.example.org,O=Example, Inc.' -a -g 2048 -k rsa
    # Sign the CSR and save the certificate to 'newcert.crt', then import it:
    webserver$ certutil -d . -A -n cert-ws.example.org -t u -a -i newcert.crt
    webserver$ vi server.xml
    # Look for <server-cert-nickname>, and change it from 'Admin-Server-Cert' (the default)
    # to 'cert-ws.example.org'.
    webserver$ ../bin/stopserv
    webserver$ ../bin/startserv
    Replace 'ws.example.org' with the hostname the admin server runs on.
    this seemed to work for me; after the restart, the admin server was using the new certificate, and the browser accepted it.

  • Thawte SSL cert

    We're interested in getting an SSL certificate with Thawte for our Snow Leopard Server. The default self signed certificate generated during setup seems to only have the Common Name and Country fields so when you generate a CSR, you aren't able to send them the State, Locality, Organisational Name and Organisational Unit that's required for them to issue you a cert. They do have instructions on generating a CSR via the CLI (referencing Tiger Server), but we're wondering how well that integrates with the GUI tools and whether that can cause problems with services which may need to interact with the issued cert (we're planning on doing Web, Mail, iChat, iCal, Wiki and of course Open Directory). We'd imagine that doing it via Server Admin's GUI would cover our bases, but how does one get a more complete CSR to submit? Otherwise are there any gotchas with doing this all via the CLI?
    Thanks!

    Thanks for the reply Strontium90. That's basically what Thawte said with the Tiger instructions:
    https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO2721
    However, we're embarrassed to say that this was a boneheaded question. It appears that you can just delete the self-signed certificate that was created during server setup and then click on the + symbol to Create a Certificate Identity. That will start the Certificate Assistant and walk you through the process of creating a new self-signed cert with the required fields from which you can generate a 'correct' CSR. Duh.
    Thanks for your help!

  • Problem installing Sun Java Web Server

    Hi
    I'm trying to install Sun Identity Server, which needs Sun Java Web Server...
    I try to install identity server and web server using the Sun Java Enterprise System Install Wizard...
    When I came to page Identity Server:Sun Java System Web Server (3 of 6 ) and I entered Hostname, dir1.usmnet, I get an error pop-up window stating Host Name is not valid......but if I typed dir1.domain.com the error message didn't appear.....
    I'm using Solaris 9 on the Intel platform. I have set up my network and am able to ping other valid hostnames in my LAN....
    FYI my network information are as follows
    /etc/hosts
    127.0.0.1 localhost
    <my ip > dir dir.usmnet loghost
    /etc/hostname.elxl0
    dir1
    /etc/resolv.conf
    domain usmnet
    nameserver <dns server ip>
    search usmnet
    I have also setup /etc/netmasks and /etc/defaultrouter
    When I type the domainname command, nothing appears.
    What went wrong? I could ping my dns server and other computers in this LAN; could anybody give a suggestion?

    OK, found the solution by myself.
    The Administrator's Guide mentions the possibility to install a certificate with the wadm CLI, so I tried that:
    wadm> install-cert -v --config=www -y server -n Server-Cert /www.crt
    Please enter token-pin>
    ADMIN4086: The Certificate could not be installed
    The CLI Reference Manual says for the command install-cert, option --replace:
    "Note – --replace option of install-cert CLI is deprecated
    and currently using this option may not work as expected.
    For replacing a CA-signed certificate, users should delete the
    cert using delete-cert CLI and then install the new one
    using install-cert CLI."
    wadm> install-cert -v --config=www -y server -n Server-Cert --replace /www.crt
    Please enter token-pin>
    ADMIN4112: No Private key found
    OK, so maybe if I had installed the first certificate (before generating the new CSR) that would have worked, I don't know.
    Deleting the old cert doesn't work at once:
    wadm> delete-cert -v --config=www Server-Cert
    Please enter token-pin>
    ADMIN4139: Certificate Server-Cert is being referred to by listeners: http-listener-2
    So before deleting you have to remove the certificate from the listener. Then:
    wadm> delete-cert -v --config=www Server-Cert
    Please enter token-pin>
    CLI201 Command 'delete-cert' ran successfully
    wadm> install-cert -v --config=www -y server -n Server-Cert /www.crt
    Please enter token-pin>
    CLI201 Command 'install-cert' ran successfully
    After re-adding the certificate to the ssl listener and deploying all the changes to the servers
    everything is fine.
    F.D.

  • Using a SHA2 certificate with 12.1.1 (Oracle Wallet Manager 10.1.0.5)

    Hi folks,
    I'm trying to enable SSL on my 12.1.1 system, but I've got a bit of a problem.
    I've already logged a SR on this, so I already know that you cannot use SHA2 SSL certificates with Oracle Wallet Manager 10.1.0.5, which is part of the 10.1.3 tech stack. I started the SR on the EBS side, but it was passed on to the security group, and closed there. My question is, is there something that I don't know? Is there an upgrade path in 12.1.x that would include an upgrade to the OWM, or is there some sort of workaround? I'll be opening another SR tomorrow, but wanted to see if I was missing something simple.
    We have an internal certificate server (Microsoft AD), and the root certificate, which I need to import, is SHA2. I'm being told that they cannot generate a SHA1 root certificate, and would have to stand up another certificate authority. OWM 10.1.0.5 can't handle SHA2, so I'm stuck.
    Anybody been there done that?
    Thanks very much,
    -Adam vonNieda

    I'm trying to enable SSL on my 12.1.1 system, but I've got a bit of a problem.

    What kind of problems?

    I've already logged a SR on this, so I already know that you cannot use SHA2 SSL certificates with Oracle Wallet Manager 10.1.0.5, which is part of the 10.1.3 tech stack. I started the SR on the EBS side, but it was passed on to the security group, and closed there. My question is, is there something that I don't know? Is there an upgrade path in 12.1.x that would include an upgrade to the OWM, or is there some sort of workaround? I'll be opening another SR tomorrow, but wanted to see if I was missing something simple.
    We have an internal certificate server (Microsoft AD), and the root certificate, which I need to import, is SHA2. I'm being told that they cannot generate a SHA1 root certificate, and would have to stand up another certificate authority. OWM 10.1.0.5 can't handle SHA2, so I'm stuck.

    I am not sure if SHA2 is certified with EBS R12 so you might need to ask this question to Oracle Support. According to the following docs, SHA1 can be used with no issues.
    Enabling SSL in Oracle E-Business Suite Release 12 [ID 376700.1]
    SSL Primer: Enabling SSL in Oracle E-Business Suite Release 12 (Trial Certificate Example) [ID 1425103.1]
    Thanks,
    Hussein

  • Timestamp and signature problems

    Hello, everybody!
    I have a problem when attaching a timestamp to a signature using the BouncyCastle provider.
    I have read the [RFC 3161|http://www.ietf.org/rfc/rfc3161.txt] and in chapter 2.4.1 it states that the messageImprint contained in the request "SHOULD contain the hash of the datum to be time-stamped."
    Also, in the appendix A of the same RFC, it's stated: "The value of messageImprint field within TimeStampToken shall be a hash of the value of signature field within SignerInfo for the signedData being time-stamped."
    My problem is as follows:
    I'm creating a request generator, using TimeStampRequestGenerator class in the org.bouncycastle.tsp package of the BouncyCastle provider. Then the request is created using the generate method of the TimeStampRequestGenerator object
    TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
    reqGen.setCertReq(true);
    TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, hash, BigInteger.valueOf(100));
    Please, be aware that the hash variable is generic. But what value must this variable have? The value of a hash function for the unsigned data or the value of a hash function for the signature field in the SignerInfo? What is the right way to build the request?
    Should the request be built using the hash of the unsigned data? Then, after generating the pkcs7 file with the timestamp attached as an unsigned attribute, when a verification is performed, should I verify that the value in the messageImprint has the same value as the hash of the signature field in the SignerInfo? If so, it means I'm doing something wrong, because those values cannot be equal at all.
    Or should the request be built using the hash of the signature? And when the verification is performed, the messageImprint will contain the correct value, as stated in the Appendix A of the RFC3161?
    So my problem is what value must be passed for the hash when building the request?
    Any help would be appreciated.
    Thank you!

    problem solved
    I had interpreted in the wrong way the RFC3161, which states that if adding the timestamp to a signature in a pkcs7 file the hash that needs to be sent to the TSA must be the hash of the signature field in the SignerInfo of the data.
    Which is correct if I stop a little bit to think, because the timestamp is for the signature, not for the unsigned data.
    So, when creating the request for the TSA, the hash has to be the hash of the signature.
