Generating Keypair and a certificate

Similar Messages

• ISE 1.2 and iPEP Certificate Requirements

  Hi,
  For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
  Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Postur  certificate.
  [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
  Does the same thing applies for iPEP in ISE 1.2? The User Guide for ISE 1.2 and Hardware Installation Guide doesn't mention anything about EKU and specific certificate attributes..
  Any thoughts?
  Thank you,
  Octavian

  The EKU validation has been removed in version 1.2
  "If you configure ISE for services such as Inline  Policy Enforcement Point (iPEP), the template used in order to generate  the ISE server identity certificate should contain both client and  server authentication attributes if you use ISE Version 1.1.x or  earlier. This allows the admin and inline nodes to mutually authenticate  each other. The EKU validation for iPEP was removed in ISE Version 1.2,  which makes this requirement less relevant."
  Source:
  http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

• How to generate self-signed CA certificate, client certifacate in pkcs12

  Based on the requirement, i need to generate self-signed CA certificate, client certificate, keystore type all in PKCS12 format.
  Below is the successful process of generating them in DER format
  1. openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 2190 -config openssl.cnf
  2. keytool -genkey -alias client -keyalg RSA -keystore client-keystore.jks
  3. keytool -certreq -keystore client-keystore.jks -storepass clientkeystore -alias client -file client.cert.req
  4. openssl ca -config openssl.cnf -out client.pem -days 2190 -infiles client.cert.req
  5. openssl x509 -outform DER -in client.pem -out client.cert
  openssl x509 -outform DER -in cacert.pem -out cacert.cert
  6. keytool -import -file cacert.cert -keystore client-keystore.jks -storepass clientkeystore -alias ca
  keytool -import -file client.cert -keystore client-keystore.jks -storepass clientkeystore -alias client
  So, i try to create them in PKCS12 format
  1. openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 2190 -config openssl.cnf
  2. keytool -genkey -alias client -keyalg RSA -keystore client-keystore.jks -storetype pkcs12
  3. keytool -certreq -keystore client-keystore.jks -storetype pkcs12 -storepass clientkeystore -alias client -file client.cert.req
  4. openssl ca -config openssl.cnf -out client.pem -days 2190 -infiles client.cert.req
  5. openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem -name "CA Certificate"
  cacert.p12 successfully created. but,
  openssl pkcs12 -export -out client.p12 -in client.pem -inkey cakey.pem -name "Client Certificate"
  error message said "No certificate matches private key"
  I have no idea that which step goes wrong....any advice or suggestion? importantly is to convert into pkcs12 format.
  Thanks

  Your last step should be to import the signed certificate back into your client PKCS#12 keystore, client-keystore.jks.
  This file contains the private key used to create your signing requets originally, and must be matched when importing the signed certificate back in.
  I think you will need to follow steps 5 & 6 in your DER example to complete the client PKCS12 keystore (including -storetype pkcs12 argument on the import statement).
  Another way is to simply convert the keystore created in your DER example into a pkcs#12, by using JRE1.6 command:
  keytool importkeystore -srckeystore [jks keystore] -srckeystoretype jks -destkeystore [pkcs12 keystore] -destkeystorestype pkcs12

• OBIEE 11g SSL how to generate self-signed/demo certificate

  Hi,
  We are enabling SSL for OBIEE 11.1.1.5 environment and want to generate self-signed or demo certificate.
  We are following note 1326781.1 and are at Step 1 - point 4 that says:
  4. Submit the Certification request to your Signing Authority (CA).
  Certification Authority(CA) is an valid signing authority of your choice (for example: OpenSSL, Verisign,
  Microsoft, etc)
  Upon submission of the certificate request, CA returns the certificate for the testmachine server (Server Certificate). Copy the CA certificate and Server Certificate to <MW_HOME>/SSL folder.
  How to gerenate self-signed or demo certificate?
  Thanks in advance.

  As long as you have the keytool on that server (installed with WLS) , you can create the generate the certificate and import that into a keystore.
  Follow : Getting Started with WebLogic Server: How to Create and Configure Self Signed Certificates for WebLogic Server Environments [ID 1341192.1] , describes the two options.
  http://www.techpaste.com/2012/06/steps-configure-ssl-oracle-weblogic-server-custom-identity-java-trust-keystore/
  I am not sure how to generate self signed certs on IBM AIX machine.
  HTH,
  SVS

• Cisco Expressway C and E Certificates

  Hi
  I need some help on expressway C and E certificates. I need to know which certificates are reuired on both the systems.
  What is the complete procedure to generate the license from internal Microsoft CA server and upload these certificates to Expressway C and E?
  Regards
  Rohit Mahajan

  Here is the document Jamie is referring to:
  Expressway Certificate Creation and Use Deployment Guide

• Problems generating a self-signed certificate using SDK

  Adobe AIR 1.1 SDK was extracted to "D:\AIR\SDK\" in XP Pro
  SP2 system. Also Java 2 runtime version 1.4 installed.
  When I'm trying to generate a self-signed certificate I typed
  the following in command line:
  D:\AIR\SDK\bin\adt.bat -certificate -cn SelfSign 2048-RSA
  newcert.p12 pass123
  After a short delay an "unable to create output file" message
  appears in command console and an empty (0 byte length) newcert.p12
  created.
  What may be the problem?
  Also I would like to know if there was another way to create
  self-signed certificates or is it possible to build air packages
  without signing the source code?
  Thanks in advance and sorry for bad English!

  I haven't seen this error occur before. It could indicate a
  full drive or similar condition that might prevent writing to the
  file.
  Can you try using Java 1.5? Although 1.4 is officially
  supported, I think 1.5 receives much more testing.
  You can create self-signed certificates using other tools. If
  you do that, make sure the certificate is marked as usable for
  code-signing; otherwise, adt won't accept it.
  You cannot create air packages without signing them.

• SA540 and SSL certificate from DigiCert

  Has anyone succeeded in installing a SSL certificate from DigiCert on a SA540 router?
  The SSL certifcate is a wildcard variant (*.example.com).

  Hello Mr. ivar,
  In order to get a new SSL certificate please follow the next instructions:
  STEP 1 : Click Administration > Authentication.
  The Authentication (Certificates) window opens.
  STEP 2 For each type of certificate, perform the following actions, as needed:
  • To add a certificate, click Upload. You can upload the certificate from the PC or the USB device. Click Browse, find and select the certificate, and then
  click Upload.
  • To delete a certificate, check the box to select the certificate, and then click
  Delete.
  • To download the router’s certificate (.pem file), click the Download button under the Download Settings area.
  STEP 3 To request a certificate from the CA, click Generate CSR.
  The Generate Certification Signing Request window opens.
  a. Enter the distinguished name information in the Generate Self Certificate
  Request fields.
  • Name: Unique name used to identify a certificate.
  • Subject: Name of the certificate holder (owner). The subject field populates the CN (Common Name) entry of the generated certificate and can contain these fields:
  - CN=Common Name
  - O=Organization
  - OU=Organizational unit
  - L= Locality
  - ST= State
  - C=Country
  For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US
  Whatever  name you choose will appear in the subject line of the generated CSR.  To include more than one subject field, enter each subject separated by a  comma. For example: CN=hostname.domain.com, ST=CA, C=USA
  • Hash Algorithm: Algorithm used by the certificate. Choose between MD5 and SHA-1
  •Signature Algorithm: Algorithm (RSA) used to sign the certificate.
  • Signature Key Length: Length of the signature, either 512 or 1024.
  • (Optional) IP Address, Domain Name, and Email Address
  b. Click Generate.
  A  new certificate request is created and added to the Certification  Signing Request (CSR) table. To view the request, click the View button  next to the certificate you just created.
  Or you could check it on the next link. please check page 191
  http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf
  If this answer was satisfactory for you, please mark the question as Answered.
  Diego Rodriguez
  Cisco network engineer
  Thank you

• Private key and digital certificate

  I have a keystore . in ordeer to know what it contains ,i opened this keystore with this command ...keytool -list -keystore DemoIdentity.jks
  and i got,
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 1 entry
  demoidentity, Jan 4, 2007, keyEntry, // is it called private key ?
  Certificate fingerprint (MD5): 60:42:75:33:31:AA:9A:C6:9D:1A:CD:9F:22:8D:4A:6A // is it called certificate ?
  Question :
  I still dont understand what a keystore contains. does it contains "private key" + "digital certificate" ?
  If so , what are private keys and digital certificate in the above contents ?
  Message was edited by:
  Unknown_Citizen
  Message was edited by:
  Unknown_Citizen

  The content of a 'keystore' is what you, or the person who provided it, put in it. In this case it looks like all it contains it a public key certificate with an alias of 'demoidentity' .

• Generate pdf and html(urgent)

  can anybody tell how to generate pdf and html from a single report,
  thanks in adv

  From a single report, you can generate outputs to html, htmlcss, pdf, rtf, XML and text formats.
  If you use rwclient, rwrun or rwservlet methods, specify desformat=pdf/html and the destination file name in desname command line parameters.
  If you use Reports Builder, open a report, select File->Generate to file and select html/pdf. Then give the file name.
  For more details, Refer to Reports Tutorial / Publishing Reports document from this site.
  http://otn.oracle.com/docs/products/reports/content.html
  Thanks,
  The Oracle Reports team

• How to generate Header and Trailer for a file

  Hi Guru
  How can we generate header and Trailer for a file
  EX:
  i want to generate header with date and trailer with record count from table.
  Sample file :
  20120120
  fwsfs
  adfwsfd
  adff
  afsadf
  afdwsg
  adgsg
  adgsgg
  asgdsag
  sdgasgdaf
  sdfsagfadf
  10

  Hi ,
  1.Create an interface to load data from oracle to file and set generate header as false option in IKM .
  2.Create variable get_current_date of alphanumeric datatype and implement logic SELECT to_Char(SYSDATE,'yyyymmdd') FROM DUAL under refreshing tab
  3.Create variable get_record_count of numeric datatype and implement logic SELECT '<%=odiRef.getPrevStepLog("INSERT_COUNT")%>' FROM DUAL under refreshing tab
  4.Create a package
  Drag the get_current_date variable ,
  Drag odioutfile and paste the below logic OdiOutFile "-FILE=D:\ODI_TEST\emp.txt" "-CHARSET_ENCODING=ISO8859_1" "-XROW_SEP=0D0A" #GET_current_date in command tab
  Drag the interface
  Drag another variable get_Record_count
  Drag the odioutfile and paste the below logic OdiOutFile "-FILE=D:\ODI_TEST\emp.txt" -APPEND "-CHARSET_ENCODING=ISO8859_1" "-XROW_SEP=0D0A"
  #GET_RECORD_COUNT in command tab
  Link all these in sequence,save and run the package.
  OR Modify the IKM SQL to File Append to achieve same functionality.
  Thanks,
  Anuradha

• How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

  Hi,
  I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
  Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
  Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
  Please suggest how to pass both the certs from client Application..

  Hi,
  This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
  And for more information, you could refer to:
  http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
  Regards

• ISE 1.2 and multiple certificates

  Hello,
  Hopefully someone can answer this question.  We have ISE 1.2 setup and running, 802.1x and user and computer certificates.  All is working fine except some users have two user certificates, one from our server the other from our parent company.  When these users log in they get a bubble message saying "additional information is required to connect to the network", they click on this and they are asked to pick a certificate.  If they pick the one from us all works. 
  Question, is there a way either in Windows or ISE to use our certificate by default?  The PCs in question all have the cisco NAC agent, 4.9.43, and are either XP, Windows 7 or 8. 
  Thanks

  Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1documentation to 1.2 and never updated it. We have it in writing from Cisco tac. 

• I have new Adobe premier Elements13 and Photoshop elements 12, but Cannot access website to generate code and register

  I have new Adobe premier Elements13 and Photoshop elements 12, (Download from Amazon) but Cannot access website to generate code and register. Please help if you can.
  I do not know how to find my PC specific code, nor can I simply use another PC if the programs are then only for use on that (not my main) PC!. I have entered the correct serial/codes which came in the download files but simply cannot go further as each time I try it fails to connect with the website?
  Vince

  Please post Photoshop Elements related queries over at
  http://forums.adobe.com/community/photoshop_elements

• While doing F-32 residual payment - Two documents generated AB and RV

  Hi all,
  While Clearing partial payment with respect to Invoice thorough F-32 ( As residual )- Two documents generated AB and RV in development system.
  where as in Quality and Production system there is only one AB document generated.
  Is it standard behavior to generate AB and RV?
  Customer don't what that RV document to be generated.

  Hi,
  This is  one of the option given by SAP to manage your  open items in case of  partial payments. In this  process when you go for residual payment, your original open item against which partial payment is made gets cleared &  system automatically creates a new  open item with the balance amount.
  e.g  you have an open item of Rs 10,000/- since  01.03.2014 & today i.e on 01.04.2014 you are making an payment of Rs 6,000/- against the said  item & you  opt for residual payment. In this case the original open item   i.e Rs 10,000/- gets cleared  & a new open item of  i.e Rs 4,000/-  get created . Note that this new open item created by the system  will have  the new document date (01.04.2014) and new baseline date, i.e here aging of your receivable/payable does not reflects the true picture.
  But this  is not the case when you opt for partial clearing method. In partial clearing method , the original open item is not cleared, instead  both the items are shown as open items.
  If you take the case of above example, after making the partial payment of Rs 6,000/- against Rs 10,000/- you will have two open items. One the original one of Rs 10,000/- since 01.03.2014 and another for Rs 6,000/- on 01.04.2014.In this case the aging of your receivable/payable shows the true picture.
  Yes its  a business decision ,which method to  adopt.
  Thanks & regards
  Deepak

• Generated files and layout

  After generating automatic documents in Frame9 suchs as TOC, List of Figures and the like I have saved these as templates. Trying to import these formats into newly generated documents will not import the chapter and pagenumbers nor their layout even though these have been included on the reference pages. Adjusting these afterwards often does not affect position, style or layout. More concrete: the numbers in front of the titles are specified yet missing, the page numbers are directly behind the titles instead of at the configured tab stop. Moreover, titles are in Arial, while the pagenums having the same paragraph tag are times new roman. Something I cannot seem to change.  Why does Frame not import the settings from the template or respond to my adjustments after updating. Sometimes it only partly updates.
  Any help and ideas are welcome

  Pieter van de Sande wrote:
  Ok that's what I thought when posing the question. Index and TOC are incompatible. To me they are simply generated files and if I configure the page numbers to be on the right in the Arial font in the TOC I expect these to be the same after importing formats into another generated file. I guess I need to change my train of thought.
  Yes, the're independent from each other. If you look on the TOC reference page, you'll find entries like:
  <$paratext>(tab character) <$pagenum>
  This entry is formatted using the assigned "TOC" paragraph style, e.g. if you're reading a paragraph style named "Heading1", this entry is formatted using the "Heading1TOC" paragraph style. If this style is set to Arial, the whole line (paragraph text and page number) will be formatted using the Arial font, as long as you don't use separate character styles for the placeholders (<$paratext> or <$pagenum>).
  Looking on the SIX reference page, there are other entries. You'll see e.g.
  Level1SIX (tab character)
  (tab character)<$pagenum>
  In this case the text entry is formatted using the "Level1SIX" paragraph format, and the page number is formatted using the "IndexSIX" format. These may specify different fonts. You see, there are completely different formats and "building blocks" which are used to create a TOC and an Index entry.
  Bernd