Generate CSR on ACE

Similar Messages

• CUCM 8.6.2 Generating CSRs With Incorrect Country Code

  Hi folks, I'm running CUCM 8.6.2.25900-8 on a single cluster (1x pub, 4x sub). My CA certs for the tomcat service are due to expire shortly so I've generated CSRs for all the servers and submitted them to our provider. All but one of the requests went through with no issues but one failed because the CSR specified a country code of 'US'. We are in the UK and the four other servers all generated CSRs specifying C=GB.
  Examining the current tomcat cert or issuing "show web-security" on the command-line of the server who's CSR failed also show 'C=GB'
  Looking at the 'set web-security' command it appears that I cannot change the country code.
  Why is the server generating CSRs with 'C=US'?
  How do I change this behaviour such that they are generated with 'C=GB' instead?

  Surprisingly, it has made it all the way to 10.5(x) with the same info and the same error...
  I did found a method to change it via root access, and you might not require root access, but I can't tell for sure as I would need to look at exactly what the contents of the file that TAC changes, but apparently it's just the platformConfig.xml that they need to change and reboot.
  If that's the case, using the utils import config using pretty much all the same info, except the country, would end up with the same outcome.
  Again, not 100% sure but theory says that should do the trick, you can run that thru TAC if you open the case and see what they think about it.

• Generate CSR for Third-Party Certificates

  Hi All,
  i have an issue when i tried to Generate CSR for Third-Party Certificates,
  i follow step by step in the document of cisco until this step:
  3.
  Now that your CSR is ready, copy and paste the CSR information into any CA enrollment tool.
  In order to copy and paste the information into the enrollment form, open the file in a text editor that
  does not add extra characters. Cisco recommends that you use Microsoft Notepad or UNIX vi. Refer
  to the website of the third−party CA for more information on how to submit the CSR through the
  enrollment tool.
  After you submit the CSR to the third−party CA, the third−party CA digitally signs the certificate and
  sends back the signed certificate via e−mail.
  4.
  Copy the signed certificate information that you receive back from the CA into a file.
  This example names the file CA.pem.
  my issue is where i sould copy and paste the CSR information into any CA enrollment tool. i just have done create mykey.pem and myreq.pem in my folder OpenSSL\bin
  Please help and Thanks you.
  Regards,
  Jasa

  you have to do more steps using openssl.
  before you obtain the third−part certificate, you have to copy that on a notepad text, and you have to obtain an intermediate and root certificate from the company that gives you the certificate.
  Then you have to copy and paste on a notepad or gedit:
  SSL (the certificate that they give you)
  Intermediate (the certificate that you obtain from the company that gives you the certificate)
  Root (the certificate that you obtain from the company that gives you the certificate)
  name the text file like: allcerts.pem
  then... you have to run this commands:
  C:\OpenSSL\bin>openssl pkcs12 -export -in allcerts.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:yourpassword -passout pass:yourpassowrd
  C:\OpenSSL\bin>openssl pkcs12 -in All-certs.p12 -out finalcert.pem -passin pass:yourpassword -passout pass:yourpassword
  Then you are going to have a file named: finalcert.pem, thats the one you have to update to the WLC. please note that on those lines "yourpassword" is the password you use when you create the certificate and its going to be the same that you have to use for upload to WLC.
  Note that you have to use openssl version 0.9.8 because its the only version thats WLC support
  If you have doubts please contact me.
  Have fun!

• How to generate CSR (certificate signing request) in PKCS#10 format

  Hi,
  First, I am a novice in security issues.
  Problem:
  I know how to generate CSR using PKCS#10 format with keytool. However I need to implement this functionality in my application. Unfortunately I can't find any docs describing this issue.
  Do anybody know about some API where I just pass data and it will generate CSR for me?
  Many Thanks,
  Miso

  Hi again,
  After a long research I am finally able to generate PKCS#10 cert. request files:
  public static void generatePKCS10() throws Exception {
          // generate PKCS10 certificate request
          KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
          String sigAlg = "MD5WithRSA";
          // generate private key - use java.util.SecureRandom for entropy
          keyGen.initialize(1024, new SecureRandom());
          KeyPair keypair = keyGen.generateKeyPair();
          PublicKey publicKey = keypair.getPublic();
          PrivateKey privateKey = keypair.getPrivate();
          PKCS10 pkcs10 = new PKCS10(publicKey);
          Signature signature = Signature.getInstance(sigAlg);
          signature.initSign(privateKey);
               //common, orgUnit, org, locality, state, country
          X500Name x500Name = new X500Name(
                    "CName",               // CN
                    "OUnit",               // OU
                    "Organization",          // O
                    "Bratislava",          // L
                    "Slovakia",               // S
                    "SK");               // C
          pkcs10.encodeAndSign(new X500Signer(signature, x500Name));
          // PKCS10 request generated
          pkcs10.print(System.out);
  Problem 1:
  However, this generates only a request with X500 subject's name ("CN, OU, O, ..."). But I also want to specify other things like "Key Usage" (example: "Digital Signature, Key Encipherment, etc.") or "Generic IA5 String" (example: "Only for test purposes."). How to do that?
  Problem 2:
  I'm also having trouble to find javadoc for "sun.security" package. As you can see, I'm using "sun.security.pkcs.PKCS10" class for generating CSR in PKCS10 format, but can't find any javadoc for it.
  Many thanks,
  Miso

• Generate CSR using SAPGENPSE

  Dear all,
  Our SSL connection will be expired and I was told to generate CSR. However I could only find SAPGENPSE. How to generate CSR using SAPGENPSE? What the file name will be?
  Additional info. It is for our external Webdispatcher.
  Please help.
  Regards,
  Agoes
  Message was edited by:
          Agoes Boedi Poerwanto

  Hi,
  I think you problem is a kind of bug in STRUST.
  Here is the workaround, I use :
  Get the Verisign certificate on your Windows PC.
  Double click on the cer file, the certificate will be displayed.
  Click on "Certification path", you will see your certificate, the inermediate CA certificate and the root certificate.
  Double click on the Root CA certificate, click on "Details" then export it as Base 64 X.509 cer file.
  Do the same for the intermediate certificate anf for you certificate.
  Then with notepad concatenate the 3 files in one single file in this order :
  Your certificate,
  the intermediate certificate
  the root certificate.
  This will be a text file looking like
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  Now try to import this new .cer file.
  It works for me !
  Good luck !
  Regards,
  Olivier

• MIDlet signing [openssl approach to generate CSR]

  Guys,
  Here are the questions that needs verification..
  1. Aside from Wireless Toolkit - JadTool.jar, What is another way to sign the MIDlet?
  a. the approach used to generate CSR was openssl.
  2. Is it possible to sign the MIDlet, if the CSR generated is from openssl approach? [Files generated r: .key and .csr] We know that on keytool approach [Files generated r: .keystore, .alias and .csr]
  3. Does Openssl technology is used only for web signing?
  4. Does certificate for web is different from mobile?
  5. Is it possible for one CRT file from Verisign, it can be use to certify WEB and mobile?
  Thanks in advance..
  Edited by: eesbee on Jul 30, 2009 3:03 AM

  Guys,
  Here are the questions that needs verification..
  1. Aside from Wireless Toolkit - JadTool.jar, What is another way to sign the MIDlet?
  a. the approach used to generate CSR was openssl.
  2. Is it possible to sign the MIDlet, if the CSR generated is from openssl approach? [Files generated r: .key and .csr] We know that on keytool approach [Files generated r: .keystore, .alias and .csr]
  3. Does Openssl technology is used only for web signing?
  4. Does certificate for web is different from mobile?
  5. Is it possible for one CRT file from Verisign, it can be use to certify WEB and mobile?
  Thanks in advance..
  Edited by: eesbee on Jul 30, 2009 3:03 AM

• Generating CSRs for SSL Certificates

  Hi all,
  I am trying to generate CSRs for SSL Certificates, in order to set up a secure (https) dynamic dns connection to my router.
  I am supposed to access to the following directory through the Terminal:
  cd /usr/local/ssl/private
  But all I can access is /usr, I cannot go any further. I always get the message "/local: No such file or directory." Even if I am logged as root.
  I might be making some mistakes, but I do not understand what is going on.
  Thanks
  Enrique

  The error message you posted says there is no "/local" which is true.
  There is a "/usr/local"
  If you are cd'ing one directory at a time, don't lead them with a /
  For example:
  cd /usr
  cd /local
  Will give you the error you describe
  cd /usr
  cd local
  Will put you into /usr/local
  If this doesn't solve your issue, please post the exact steps you are taking.
  Jeff

• Server crashes generating CSR

  My server interface (not server admin) crashes when I try to generate a CSR. After it ask me to allow access to the key chain and I choose always allow it crashes. Any thoughts?
  Thank You.

  Akshay Gadre wrote:
  Hi,
  I get the following error message and server crashes.
  An unexpected exception has been detected in native code outside the VM.
  Unexpected Signal : 10 occurred at PC=0xff33189c
  Function name=memcpy
  Library=/usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1
  Current Java thread:
  [error occured during error reporting]Hi. This doesn't yet have anything to do with JDBC, but it might. The problem is that
  some native code you're using killed the OS process running java. The output says
  it's not the JVM code that sufferered the problem. What JDBC driver(s) are you using?
  I ask that, because JDBC drivers (type-2) do use native code.
  Joe

• How to generate CSR on Weblogic 10.3

  I`m using Weblogic 10.3, I was able to configure it to use port 80, 443 for ssl and https access. Th problem in, I wasn`t able to generate a CSR for SSL certificate. According to the procedure, I can obtain this by accessing "https://myhostname:port/certificate" but I`m getting page error. According also to weblogic docs that weblogic should be installed with "certificate.war". Do I need to deploy certificate.war? Were there any pre-requisite that I should do first? Please help! I would appreciate it very much if you could send to me the step by step procedure.
  Thanks and Best Regards,
  Eric Gako

  Hi,
  As per my understanding you would like to configure SSL on weblogic server, for doing the same you would like to generate a CSR for getting it signed by signing team.
  Generally to create a CSR we use key tool utility. Follow the below keytool commands to create a CSR.
  keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=test.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass
  keytool -certreq -keystore identity.jks -keypass mykeypass -storepass mystorepass -file cert.cer
  By executing the above commands you can create a CSR with name cert.cer which can be forwarded to the signing team for further process of signing.
  Consider the below document as reference for keytool utility
  http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
  Regards,
  Hussain

• Generate CSR in SAP SSO 2.0

  Hi,
  We are working on a POC for SAP SSO 2.0
  I need to know whether the Secure Login Server can generate Certificate SIgning Request. (.CSR)
  I am aware of its capability to sign certificates.
  I am looking at options for SAP SSO 2.0 to generate Certificate Signing Request (.CSRs)
  Please note : - I am aware that the Secure Login Client is capable of Connecting to Secure Login Server and generate an X.509 Certificate.
  I am looking at options , where I am not going to Install the Client.
  Consider it some what similar to SAP Passports used at https://service.sap.com
  Regards,
  Ashish .A. Poojary

  Hi Stephan,
  We are basically looking at authenticating on SAP Systems (AS Java and AS ABAP ) using X.509 Certificates.
  Out first target is to acheive X.509 Authentication on SAP AS Java Systems. (NetWeaver 7.31 SPS09)
  We were able to achive this target.
  The next step was to decide a process for generation of X.509 Certificates for Users.
  That's when we came across SAP SSO 2.0
  With Installing Secure Login Client 2.0 SP03 Patch 1 , the client was able to provide the X.509 Certificate ( Short Lived Certificate)
  But as I said , I do not want to bring in the dependency of Client Installations.
  I was hoping if there could be any API / Interface which would help the User themselves to Create the X.509 Certificate just like the one in the Image I have posted below.
  Something which SAP Service Marketplace has in place today for generating SAP Passports (X.509 Cert)
  The image relates to a similar interface , but with Microsoft Active Directory
  Let me check the Web Client. Shall let you know after testing it tonight.
  Thanks and Regards,
  Ashish .A. Poojary

• Unable to generate csr, Please use a valid file name

  I've been attempting to generate a new certificate signing request on our Exchange 2013 server.  In the past we've never had a problem but we seem to be stuck today.  When we try to output the new csr to one of our network shares we see the following
  error.  
  "Please use a valid file name when you run the New-ExchangeCertificate cmdlet on server server1 with the -RequestFile parameter. The file should not exist in target folder. Parameter name: RequestFile"
  We've use this share location before without problems, the Exchange Trusted Subsystem has write intermissions on this location as described online but we still receive the error.  I've tried creating new locations but haven't had any success.
  Any suggestions?
  Thanks

  Hi,
  We can access the Exchange Certificate Management UI through the EAC in Exchange 2013 by selecting
  Servers and then Certificates to create a new certificate to have a try.
  Alternatively, we can try the following command:
  $Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=contoso inc, cn=server.contoso.com" -DomainName mail.contoso.com, contoso.com, autodiscover.contoso.com -PrivateKeyExportable $true
  Set-Content -path "C:\Certificates\MyCertRequest.req" -Value $Data
  Regards,
  Winnie Liang
  TechNet Community Support

• Generate CSR using API method??

  Hi all ,
  I have this piece of code below using JDK 1.3 and BouncyCastel Provider
  //some other import ... i am using bouncyCastle Provider
  import javax.crypto.Cipher;
  import org.bouncycastle.jce.PKCS10CertificationRequest;
  import org.bouncycastle.asn1.x509.X509Name;
  public class test
  public static void main(String []args) throws Exception
  Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
  KeyStore ks=KeyStore.getInstance("JKS");
  ks.load(new FileInputStream("test.keystore"),"one1234".toCharArray());
  Enumeration e = ks.aliases();
  X509Certificate c=null;
  while(e.hasMoreElements())
  String alias = e.nextElement().toString();
  if(ks.isKeyEntry(alias))
  c = (X509Certificate) ks.getCertificate(alias);
  break;
  String subject = c.getSubjectDN().getName();
  X509Name xname = new X509Name(subject);
  PrivateKey priv = (PrivateKey) ks.getKey("mykey","one1234".toCharArray());
  PublicKey pub = (PublicKey) c.getPublicKey();
  PKCS10CertificationRequest csr = new PKCS10CertificationRequest("MD5WithRSA",xname, pub,null,priv);
  byte buf[] = csr.getEncoded();
  FileOutputStream os = new FileOutputStream("request.crt");
  OutputStreamWriter wr = new OutputStreamWriter(os);
  wr.write("-----BEGIN NEW CERTIFICATE REQUEST-----\n");
  wr.write(new sun.misc.BASE64Encoder().encode(buf));
  wr.write("\n-----END NEW CERTIFICATE REQUEST-----\n");
  wr.flush();
  The coding Was OKAY and ran successfully...
  The Problem is i want to get the same result as if i generate a csr using KEYTOOL utility...
  BUT somehow i got different result , is it due because of signature algorithm or encoding??
  Please help me ....
  Thanks....

  Unfortunately, I don't believe this can be done conveniently using the JCE providers from Sun. The dname components are actually kept in a self-signed certificate that is bound to the alias for the key. The KeyStore class lets you do this using the KeyStore.setKeyEntry methods, and perhaps also the KeyStore.setCertificateEntry method (caveat: I haven't actually tested this).
  The difficulty lies in the need to generate a certificate: there's no API for this. keytool evidently implements some custom method to generate a certificate. You can try something similar, but I suspect it would be quite painful.
  Possibly less painful is to use the bouncycastle provider. It contains classes and methods to generate certificates. See http://www.bouncycastle.org/docs/docs1.5/index.html and in particular the certificate generators at http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/x509/package-summary.html

• Generate CSR using API problem??

  Hi all ,
  I have this piece of code below using JDK 1.3 and BouncyCastel Provider
  //some other import ... i am using bouncyCastle Provider
  import javax.crypto.Cipher;
  import org.bouncycastle.jce.PKCS10CertificationRequest;
  import org.bouncycastle.asn1.x509.X509Name;
  public class test
  public static void main(String []args) throws Exception
  Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
  KeyStore ks=KeyStore.getInstance("JKS");
  ks.load(new FileInputStream("test.keystore"),"one1234".toCharArray());
  Enumeration e = ks.aliases();
  X509Certificate c=null;
  while(e.hasMoreElements())
  String alias = e.nextElement().toString();
  if(ks.isKeyEntry(alias))
  c = (X509Certificate) ks.getCertificate(alias);
  break;
  String subject = c.getSubjectDN().getName();
  X509Name xname = new X509Name(subject);
  PrivateKey priv = (PrivateKey) ks.getKey("mykey","one1234".toCharArray());
  PublicKey pub = (PublicKey) c.getPublicKey();
  PKCS10CertificationRequest csr = new PKCS10CertificationRequest("MD5WithRSA",xname, pub,null,priv);
  byte buf[] = csr.getEncoded();
  FileOutputStream os = new FileOutputStream("request.crt");
  OutputStreamWriter wr = new OutputStreamWriter(os);
  wr.write("-----BEGIN NEW CERTIFICATE REQUEST-----\n");
  wr.write(new sun.misc.BASE64Encoder().encode(buf));
  wr.write("\n-----END NEW CERTIFICATE REQUEST-----\n");
  wr.flush();
  The coding Was OKAY and ran successfully...
  The Problem is i want to get the same result as if i generate a csr using KEYTOOL utility...
  BUT somehow i got different result , is it due because of signature algorithm or encoding??
  Please help me ....
  Thanks....
  God Bless..

  Hi,
  I think you problem is a kind of bug in STRUST.
  Here is the workaround, I use :
  Get the Verisign certificate on your Windows PC.
  Double click on the cer file, the certificate will be displayed.
  Click on "Certification path", you will see your certificate, the inermediate CA certificate and the root certificate.
  Double click on the Root CA certificate, click on "Details" then export it as Base 64 X.509 cer file.
  Do the same for the intermediate certificate anf for you certificate.
  Then with notepad concatenate the 3 files in one single file in this order :
  Your certificate,
  the intermediate certificate
  the root certificate.
  This will be a text file looking like
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  Now try to import this new .cer file.
  It works for me !
  Good luck !
  Regards,
  Olivier

• How to generate csr for third party code signing cert?

  I've been reading about code signing, but can't see how to generate a csr to use with a third party CA. Does someone have a tutorial, link, suggestion?

  Hi,
  Here is an document which discussed on how to implement code signing with using third party certificate for you reference:
  http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/best_practices.doc
  For further suggestions, it is recommend you to get further support in the MSDN Forum so that you can get the most qualified pool of respondents.
  http://social.msdn.microsoft.com/forums/en-US/categories/
  Thanks
  Tiger Li 
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• How to generate CSR for APS?

  How do I generate a CSR file for Policy Server on a automatic installation of ASP?
  I have to install a thirdparty SSL sertificate.
  I used the automatic install. Im guessing that tomcat and apache are optional webservers and not the one currently running.
  Michael

  You can list all keystore entries with:<br /><br />keytool -list -keystore <Keystore> -storepass <Storepass><br /><br />and delete with <br /><br />keytool -delete -alias <Alias> -keystore <Keystore> -storepass <Storepass>]<br /><br />Michael