Generating a certificate

Similar Messages

• Problem with Generate a certificate and Key

  I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
  I require a CA signs the certificate generated by the Cisco S370, but the CA returns me an error and asks the key is changed to 2048, but I have no option to do this in the GUI, look in the CLI but can not find any option to change the HTTPS certificate key 2048
  You can change the certificate that was generated by the WSA S370 to 2048

  In addtition to Kush's response, we had a similar thread in the past. Please refer to:
  https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
  Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of
  86121.
  You can search for Bug IDs using Cisco Bug Search Tool :
  https://tools.cisco.com/bugsearch/
  From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
  Regards,
  -Valter

• Problem Generating a certificate request

  I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM.  I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error.  This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...
  ;----------------- request.inf -----------------
  [Version]
  Signature="$Windows NT$
  [NewRequest]
  Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
  KeySpec = 1
  KeyLength = 1024
  ; Can be 1024, 2048, 4096, 8192, or 16384.
  ; Larger key sizes are more secure, but have
  ; a greater impact on performance.
  Exportable = TRUE
  MachineKeySet = TRUE
  SMIME = False
  PrivateKeyArchive = FALSE
  UserProtected = FALSE
  UseExistingKeySet = FALSE
  ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  ProviderType = 12
  RequestType = PKCS10
  KeyUsage = 0xa0
  [EnhancedKeyUsageExtension]
  OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
  I am using this command....  certreq -new request.inf request.req
  After hitting enter, it sits there for about 10 seconds and gives me this error back...
  Certificate Request Processor: Access is denied.  0x80070005 (WIN32: 5)
  [RequestAttributes]
  I have searched on this error and have not found much of anything on it.  This process seems to work fine on other servers that I have, but these two servers both generate this error.  Both servers are clean builds and only have ADAM installed on them.  I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message. 
  Anyone have any ideas?
  Thanks!

  Hello Bryan,
  First of all, please make sure that the CA certificate is added into the Trusted Root certificate store on the servers. If the certificate web enrollment is enabled, please check how a certificate request works on that two server generate the error.
  Meanwhile, please verify the security permission on the MachineKeys directory:
  1.    Open Windows Explorer, and find the MachineKeys directory in the following location:
  Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  2.    Right-click the directory, and click Properties.
  3.    Click the Security tab, and ensure that the full control permission for the Administrators
  How to: Change the Security Permissions for the MachineKeys Directory
  http://msdn.microsoft.com/en-us/library/bb909654.aspx
  Hope it helps.

• How to generate a certificate request with more than one OU?

  We're using Sun Java System Web Server 6.1 SP4. The Corp. has it's own CA and organize their certificates in a hierarchical rule with more then one organization unit (OU) in a chain.
  So what we need is generate a certificate requeste with more than one OU, but the Web Server wizard has only one text field for it. We've already tried to fill in this field the complete chain of OUs like "ou=orgX, ou=deptY, ou=secZ" and didn't work either.
  Thank's in advance,
  Jeff!

  Do you have tried with the command line "certutil" ?
  #<SERVER-ROOT>/bin/https/admin/bin/certutil

• Generate TDS certificate for which the spool already exists

  Hi,
  I have a query.
  Sometime back I have generated TDS certificate and the same was present in the spool.
  I did not take any print and it was deleted from spool and no more available.
  What can I do to generate the same certificate ?
  If I go for re-printing, I get it as a duplicate certificate.
  Kindly suggest
  Regards
  Sravan

  Hi Milind,
  Thanks for your prompt response.
  Though we go for a Z development the print we get will be a duplicate one which may not be acceptable.
  Is there any chance of retrieving the spool and generating it.
  Regards
  Sravan

• Generate a Certificate Signing Request

  Hey guys, I'm new to the Safari developer program and I'm having problems with the Generate a Certificate Signing Request for my PC. It worked fine on my Mac but not on my windows 7 PC. I follow the steps, saving the file then opening "CMD.exe" and type in the request and place "" with  the path of the file saved in step one but once I hit enter it gives me a

  Requires a Mac and your keychain.

• How to generate CSR (certificate signing request) in PKCS#10 format

  Hi,
  First, I am a novice in security issues.
  Problem:
  I know how to generate CSR using PKCS#10 format with keytool. However I need to implement this functionality in my application. Unfortunately I can't find any docs describing this issue.
  Do anybody know about some API where I just pass data and it will generate CSR for me?
  Many Thanks,
  Miso

  Hi again,
  After a long research I am finally able to generate PKCS#10 cert. request files:
  public static void generatePKCS10() throws Exception {
          // generate PKCS10 certificate request
          KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
          String sigAlg = "MD5WithRSA";
          // generate private key - use java.util.SecureRandom for entropy
          keyGen.initialize(1024, new SecureRandom());
          KeyPair keypair = keyGen.generateKeyPair();
          PublicKey publicKey = keypair.getPublic();
          PrivateKey privateKey = keypair.getPrivate();
          PKCS10 pkcs10 = new PKCS10(publicKey);
          Signature signature = Signature.getInstance(sigAlg);
          signature.initSign(privateKey);
               //common, orgUnit, org, locality, state, country
          X500Name x500Name = new X500Name(
                    "CName",               // CN
                    "OUnit",               // OU
                    "Organization",          // O
                    "Bratislava",          // L
                    "Slovakia",               // S
                    "SK");               // C
          pkcs10.encodeAndSign(new X500Signer(signature, x500Name));
          // PKCS10 request generated
          pkcs10.print(System.out);
  Problem 1:
  However, this generates only a request with X500 subject's name ("CN, OU, O, ..."). But I also want to specify other things like "Key Usage" (example: "Digital Signature, Key Encipherment, etc.") or "Generic IA5 String" (example: "Only for test purposes."). How to do that?
  Problem 2:
  I'm also having trouble to find javadoc for "sun.security" package. As you can see, I'm using "sun.security.pkcs.PKCS10" class for generating CSR in PKCS10 format, but can't find any javadoc for it.
  Many thanks,
  Miso

• Is there a way to generate server certificates in a multi-controller environment?

  Q: Is there a way to generate server certificates in a multi-controller environment? 
  A: 1.  For PEAP, only the Radius Server needs a certificate, not the controller.  Managing a certificate for each controller for 802.1x when you can  alternatively manage a single certificate for each radius server is a mistake.
  2.  For Captive Portal, if you don't want your guest or company users to have an untrusted error every time they hit the captive portal you will need a public certificate that all your users will trust.  That could either involve (1) A  different certificate for each controller with the subject being the fqdn of each controller or (2) a single, identical certificate that has the SAN or Subject ALT Name filled out with the FQDN of each controller listed in the SAN field (https://www.digicert.com/subject-alternative-name.htm)
  Here is an example of a cert with multiple fqdns in the Subject Alternative Name field below:  Of course, you will have to pay for each SAN that you have added to the certificate.  If you will have an environment where you have a VRRP and that is the ip address that the clients will be redirected to, you should make the SAN point to the VRRP.
  A document on certificates that is specifically geared toward ClearPass, instead of controllers is here:  Certificates 101 V1.0  It speaks to certificates on ClearPass, but the concepts are the same...
  Solution:-
  We can use ClearPass server to generate the CSR, where the CN is named after the 1st controller, which included all the Subject Alternate Names (SANs) for the other 3 controllers as well as the master controllers (in case of an N+1 failover).  This allows to save/export the private key as a file.
  After submitting the CSR for a UCC and after receiving the cert,  then proceed to chain the cert to include server, all intermediate and root CAs.  Then copy the chained cert as well as the private key file to a MacBook so that we can use OpenSSL to create a PFX formatted cert as follows:
  sudo openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem
  Once this generated a PFX cert,  upload it to all controllers and used it under Configuration > Management > General for both “WebUI Management Authentication Method” as well as “Captive Portal Certificate” (even though the ClearPass Guest captive portal is using a different cert for the captive portal page itself).
  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/Create-a-CSR-with-multiple-SANs

  Sorry I'm still confused here.  What you are describing makes no sense for properly using TestStand.
  Maybe I can help you find the right solution if I can understand your goal?
  Do you want to dynamically populate the variables (Locals and FileGlobals) with values?  Or do you want to dynamically create the variables from scratch (i.e. add subproperties to the sequence file) based on some file?
  Generally what happens is people want an ASCII file (in your case I'm guessing CVS) such that they can change the values of variable so that when TS is executing it will load those values and use them.  In this case NI recommends the Property Loader.  There is an example for this in <TestStand>\Examples.  Open the workspace and look for the PropertyLoader example.  Also, if you google "proprety loader teststand" then you will find various articles which may assist you.
  When you say "define the variables for the sequence/sequence file"  Are you actually referring to manually right clicking in the sequence file and saying Insert Local?  or are you just saying that you change the value of a variable?
  Thanks,
  jigg
  CTA, CLA
  teststandhelp.com
  ~Will work for kudos and/or BBQ~

• How can we generate TDS Certificate in SAP

  Dear SAP Experts,
  Plz tell me how can we generate TDS Certificate in SAP. Thanks in advance

  Hi,
  Check the building block library under http://help.sap.com/bp_bblibrary/600/BBlibrary_start.htm  and filter on country india
  N70: External Financial Accounting Local
  Regards
  K.R

• How to re-generate Server Certificates for WL 6.1?(ca.pem, democert.pem, demokey.pem)

  Hello,
  How to re-generate Server Certificates fir WL 6.1?
  ca.pem
  democert.pem
  demokey.pem
  Our current Certificates will be expired soon.
  Thanks,
  Oleg.

   

• How do I generate a Certificate Signing Request (CSR)?

  If I buy an SSL in godaddy, how do I generate the CSR? If my site is hosted in BC, who is the web server? I've had a few sites search for the name of the web server and it comes up as unknown every time.

  Hi
  You can not host your own SSL certificate on Business Catalyst at this stage.
  When you upgrade your site with an online store and shopping cart, you don't need to worry about purchasing a SSL certificate. In fact, this system does not support SSL certificates from third-party vendors because each SSL certificate is set to a single server, and the hosting servers for the live site are built in large clusters; purchasing a certificate for every server would be cost prohibitive.
  When a customer purchases items from you, the system utilizes the secure URL that is included with every site to ensure that the customer's credit card number and other personal information entered ion a live site are protected using Secure Socket Layers (SSL) technology.
  More Details :
  http://forums.adobe.com/thread/984496
  http://kb.worldsecuresystems.com/kb/secure-urls.html
  If you need an update or more depth information regarding same, please get in touch with BC support team and they will help you out.
  Thanks,
  Sanjit

• Does a 2012 DC generate exchange certificates on Exchange 2007 server?

  The reason I ask is because we have a 2008 server environment with a few 2012 servers in the mix, one being a DC. It is time to renew our self-signed certificates on our exchange server and when I attempt to do this via the Get-ExchangeCertificate command,
  I get a warning stating the following: 
  WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence.
  On further investigation I noticed we have a certificate that I do not remember from years past nor do I ever remember getting that warning message before. We have not used third party CA's. Notice the items in bold, the certificate is an enterprise cert, not
  self signed and linked to our 2012 DC. There appear to be no services assigned to it but we still get that warning.
  AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
  CertificateDomains : {EXCHANGESERVERNAME.DOMAIN.NAME}
  HasPrivateKey : True
  IsSelfSigned : False
  Issuer : CN=DOMAIN-DC3-CA, DC=DOMAIN, DC=NAME
  NotAfter : 12/31/2014 4:36:02 PM
  NotBefore : 12/31/2013 4:36:02 PM
  PublicKeySize : 2048
  RootCAType : Enterprise
  SerialNumber : 2D00XXXXXXXXXXXXXXXXXXXXXXX
  Services : None
  Status : Valid
  Subject : CN=EXCHANGESERVERNAME.DOMAIN.NAME
  Thumbprint : 4886XXXXXXXXXXXXXXXXXXXXXXXXXX
  So my question is two-fold, why is this certificate here (was it generated by our 2012 DC) and will it effect anything when it expires? If so, how do I renew it?

  OK, so it is normal. We did add the 2012 DC to our existing server environment later on. It is not our primary DC.
  So, since there are no services assigned, when it expires in a few days, there will be no effect? If there will be an issue, how do I go about renewing it exactly?
  I am not aware of us requesting an Enterprise CA, however our previous manager could have. I am not familiar with the process.
  Basically, I ignored the "This certificate will not be used for external TLS connections warning" and created and enabled new self-signed certs for our mail server. The warnings in the event log that the old certs are about to expire have
  stopped. So that should be that then right?
  So as of now, we show 3 certificates, one being the enterprise one I mentioned which will expire in a few days. (Is this normal or should we just have one self signed cert that has all services?) I have a feeling this configuration isn't optimal.
  Thumbprint                                
  Services   Subject
  2038XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  ...WS     CN=WMSvc-MAILSERVERNAME
  B52BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  IP..S      CN=MAILSERVERNAME
  4886XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  .....        CN=MAILSERVERNAME.DOMAIN.NAME

• 'Generate your certificate' page never gets past 'generate'

  I've been waiting several hours now, and tried through various different paths, and on several different days.
  Generally, I've created a request (two now), following instructions, selected the file, and clicked on 'Generate'. 
  I'm stuck with a spinning 'Loading...' message.  The only thing I can think of that might otherwise break this is the fact that I have expired certificates and provisioning profiles in my account.
  How do I get past this?  Am I the only one with this problem?
  Thanks!
  - Arunas

  Use safari instead of chrome solve the problem for me...

• Generate a certificate request with API (CSR, PKCS#10)

  Hi everybody,
  I want to request for a certificate using a PKCS10 File.
  I generate this file with this code :
  package test;
  import sun.security.pkcs.*;
  import sun.security.x509.*;
  import java.security.*;
  import cryptage2.RSACryptor;
  import org.bouncycastle.jce.provider.BouncyCastleProvider;
  import com.sun.crypto.provider.SunJCE;
  import java.io.*;
  public class TestPKCS10
  public static void main(String argv[]){
            try{
       // provider
                 SunJCE jce = new SunJCE();
  Security.addProvider(new BouncyCastleProvider());
  Security.addProvider(jce);
                 // generate KeyPair
       KeyPair pair = RSACryptor.generateKeyPair();
       // get Instance of signature with MD5 algorithm
       Signature dsa = Signature.getInstance("MD5withRSA");
                 // get Private Key
                 PrivateKey priv = pair.getPrivate();
            // init Signature with private Key
                 dsa.initSign(priv);
       // sign
  byte[] sig = dsa.sign();
                 // info for X509 are in X500Name Object
                 X500Name x500name = new X500Name(
  "Nicolas LEFEUVRE","IN","InTech","Schifflange","Luxembourg","Luxembourg");
                 // signer : bind Signature and X500Name
                 X500Signer signer = new X500Signer(dsa,x500name);
                 // get public Key
                 PublicKey publicKey = pair.getPublic();
                 // create PKCS10 with public key
                 PKCS10 pk = new PKCS10(publicKey);
                 // sign and encode the PKCS10
                 pk.encodeAndSign(signer);
                 // save in file PKCS10_2
  PrintStream out =
  new PrintStream(new FileOutputStream("c:/temp/pkcs10_2"));
  catch(Exception e){e.printStackTrace();}
  The PKCS10 look like this :
  -----BEGIN NEW CERTIFICATE REQUEST-----
  MIIBuTCCASICAQAweTETMBEGA1UEBhMKTHV4ZW1ib3VyZzETMBEGA1UECBMKTHV4ZW1ib3VyZzEUMBIGA1UEBxMLU2NoaWZmbGFuZ2UxDzANBgNVBAoTBkluVGVjaDELMAkGA1UECxMCSU4xGTAXBgNVBAMTEE5pY29sYXMgTEVGRVVWUkUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMzTrStPIyUyygFTU5p6QjGyLfAXncUvwA/i+sK2wY1S6EFYGGd7luGXI3NekVvEEzwIZ+eQ+STB7J7XVik8REubJl6gXlZTcrOdVzg6JJtHwbDoTpZnB09hGGZUzdyKsnGVIwZ4Un54Z44BZBm5qeOqYMKLK50YCC6ACqdfu/rpAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQBViesKVPfgkGSB2MYIln6yWPGmOjbLsdGdzSr/EWbtIAuT75ROZpeKKHzpfuHDC1xpbs0iZYvRACujyqeqRHIzomHu6NW7v2+B5CkoP5YsxXswr25fBMRawRckqnzMuZz79G1bi3CtQbh+MbdwvDvvs7DucPgsI7Cn8Fbg214C9Q==
  -----END NEW CERTIFICATE REQUEST-----
  I use Microsoft Certificate Server (a service of Microsoft NT2000 server) to generate certificate, I have this message :
  �The request subject name is invalid or too long. 0x80094001 (-2146877439)C�
  Any idea ?

  Nicolas, i'm not sure but can you try it anyway?
  replace Nicolas LEFEUVRE
  with Nicolas_LEFEUVRE
  There is something about blanks in the Common Name
  I'm not sure how or what, but just give it a try!

• How tt generate default certificate

  Hi,
  I'm trying to generate my own certificate but getting error while running the command on cmd
  javatool -genkey -alias tomcat -keyalg RSA as i'm running this command it prompts for password immidiately after.
  I'm not getting what is the default password and if there was any pre entered password then how can i remove that password?
  I want to create a certificate so that i can import it with my application and make ssl level connection with tomcat server running behind.
  Thanks in advance

  Hi,
  I don't know if this can help you a little bit. It is about generate certificate for Application Server.
  http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html
  Good luck.