How to install PEM-format SSL private key from weblogic to NES
I have unexpired PEM-format certificates in my weblogic 8.1sp4 domain. Since the architecture requires us to use Iplanet 6.0sp2 as the http/https server, we have to move the certificates to iplanet side. Is that possible? Especially the private key? Iplanet has key8.db format files. How do I install a PEM key in iplanet and store it in key3.db file? Thanks!
Hi
I've already found code to answer my second question, but my first question still remains: is there a way that I can change an Encrypted Private Key Info from PEM to DER format? I tried to delete the header and footer of some key in PEM format and Base64 decode the body, but it launches an Exception when I'm trying to create the EncryptedPrivateKeyInfo object.
Thank you
Similar Messages
-
Recover SSL private key?
I have a bit of a dilemma since I tried to install an SSL certificate on my server that needs intermediate certs. Here's what I did:
1) In Server Admin, create a new key for my domain and use that key to create a CSR to send to a certificate authority. (This creates a public key, a private key and a self-signed certificate in the system keychain on the server).
2) Sent the CSR away and got the signed certificate back.
3) Used Server Admin to add the signed certificate to the existing domain cert (this replaces the self-signed cert). Restart services etc.
Here's the problem: the cert that I have needs intermediate certs installed in order to be functional- currently the certificate shows as an untrusted authority. If I delete the current certificate in Server Admin to start again from scratch, it will delete the private key that I need to reinstall. I downloaded the intermediate certificates from the CA's website, but now the certificate installed on the server can't be modified. Besides, there is no place to enter the intermediate certificates. My plan was to try to paste all the certs into the box where it asks for the new certificate, but no joy since it is now locked.
I would like to create a new certificate (there is a place in there to install intermediate certs), but I'll need to get my private key out of Keychain Access into a pem formatted file but I can't seem to get the thing to export.
Questions:
1) Is there a way to export a private key from Keychain Access so that it can be used for server admin?
2) Is there a way to get at this from the command line?
3) Is there some other procedure that can magically fix this problem?
Thanks,
Miles
Thanks,
This is the part that I was looking for:
Launch Keychain Access as root:
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &
I then went here http://www.gridsite.org/wiki/Convert_p12 and converted the p12 to pem so I could use it in server admin.
Thanks again,
Miles -
Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
with WLP 7.0 SP2. Everything is fine except for that we cannot use the same
SSL certificate. By default the private key is not encrypted with password
(SSL.KeyEncrypted = false by default, according to the documentations) in
both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297> <Inconsistent security configuration, java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.>
java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.
at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:434)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true and
the startup script for WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be result of
something else? The physical machine the instances are located is the same
and IP address and the DNS entry hasn't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto
Thanks Tony - it worked!!
"Tony" <TonyV> wrote in message news:[email protected]...
It may be because the private key is both unprotected and in DER format.
There are some things to try:
1) Convert the private key file from a DER file to a PEM file and try that:
a) Follow the for converting an unprotected private key at:
http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
b) Look at the resulting PEM file, it should look something like this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(Be sure there are no extra lines or whitespace after the footer)
c) Change your configuration to point at the PEM file
If that doesn't work, then you can try protecting the key with a password using the wlkeytool utility (It should be in the server/bin directory). The tool should prompt for a password to use to protect it:
wlkeytool inputkey.pem outputkey.pem
Then change your configuration to use the protected private key, and set the password to use.
Tony
-
Hello. Is it possible to export the Private Key from, say, my J2EE engine (I'm running a dual stack) and import it into my ABAP instance so that both systems use the same Private Key? They both have the same host name.
I guess it's possible. Please correct me if I am wrong.
Please keep in mind, that simply importing a certificate as a certificate response won't work in this situation, since the public key from your CA and the public key in the individual PSEs already existing on the respective servers won't match.
following steps all the key pairs and certificates that are currently stored in the SSL Server PSEs on the target systems will be removed. If you want to keep them, you'll need to export them to a safe place.
Step 1: import the key pair into a PSE
Since pl.16 of SAPCRYPTOLIB, key pairs given in the format PKCS#12 can be imported into a PSE (note 745063). Since pl.24 of SAPCRYPTOLIB, also the import of key pairs given as PKCS#5, PKCS#8 or OpenSSL-PEM is supported (note 1159829).
Step 2: import the PSE resulting from Step 1) into the system's database
All PSEs that are known to transaction STRUST will be exported from the database and distributed to the application servers at system startup. The related PSE files will be overwritten. So, the PSE resulting from the key pair import in step 1) needs to be imported into the database.
You'll need to go through a procedure similar to the one described in note 1178155, step 3.
- Copy the PSE from step 1) to your workstation/PC
- Start transaction STRUST
- Doubleclick the "FILE" icon in the navigation area (left hand side)
- Select the PSE on your workstation/PC
- Execute the menu item "PSE --> save as..." and choose the SSL Server
PSE as target. This will save the PSE from step 1 as SSL Server
standard PSE.
- The following step is a modification from note 1178155 which is
only applicable in your special situation: right mouse button click
on the SSL Server PSE entry in the navigation area. From the context
menu appearing, select "Change".
- Remove the distinguished names from all application server specific
PSEs in the list. Pressing the green tick mark ('save') will remove
all application server specific SSL Server PSEs, so the system is
forced to use the SSL Server standard PSE instead.
Don't forget to restart the ICM in order to make your changes become effective.
Regards,
Jazz -
WBL 7.0 and SSL private key problem
Having generated certificate request, and associated private key, I obtained
the corresponding server level certificate. I am having problems starting the
server with the cert. I have configured my server appropriately, here is the SSL
configuration from the domain config.xml
<SSL Enabled="true" HostnameVerificationIgnored="true"
ListenPort="8090" Name="SampleServer"
ServerCertificateChainFileName="nasaca.pem"
ServerCertificateFileName="mydomain-cert.pem"
ServerKeyFileName="mydomain-key.pem"/>
and I am using -Dweblogic.management.pkpassword=mypassword
in the startup script, however I get :
java.lang.Exception: Cannot read private key from file /usr/user_projects/Sample/mydomain-key.pem.
Make sure password specified in environment property weblogic.management.pkpassword
is valid.
I have given the right password. So the question is why am I seeing the error?
I am running this server on Sun Solaris. The password contains the usual ASCII
characters, including shell special characters.
Any way of checking the private key file?
Also as we have seen problems with the particular certificate we get from the
CA, I wanted to use "utils.ValidateCertChain", alas this documented utility is
conveniently missing from weblogic.jar. Oh big blue, why didn't we go with you
Seriously, please help
Tarang
Darkit,
I have the same problem. Let me know if you find a solution to this problem.
Thanks,
Bharathi -
dear all
I want to create rsa private key from .key file. I searched a lot but could not find a way to do so. How can I do that?
'pem' stands for Privacy Enhanced Mail and defines an encoding to ASCII of binary data and not the format of the content of the file. Having said that, it looks to me that your file is a PEM encoded SSLeay format RSA key generated using OpenSSL and encrypted using the '-des3' option. Before loading into Java I normally convert, using OpenSSL, SSLeay files to a PKCS8 format private key and an X509 format public key certificate file. These are then easily loaded into Java.
The OpenSSL documentation will tell you how to generate the PKCS8 and X509 files but there are numerous sites that will hand-hold you through the commands. Google is your friend. Once you have generated these files then Google will also provide source code for loading them into Java. -
How to generate private key from <RSAKeyValue> generated by .net. in java? I got public/private key in following format.
<RSAKeyValue>
<Modulus>abcdyDdNySesa8sWsd8XRG9rFf1av
hch9BSG+sgCSYumLm5gzeTxrrpSqUf2VYfLp8USqK4uFBX312368wOEfK+C/viScPZn/hKcq
vFpd/gKyXJ0M6Oxybn7qJNjVjGtemQDJJdvUPNyV1bcTq0Ugw9lM2cDBVzqHjxxzzACJnab=
</Modulus>
<Exponent>AQAB</Exponent>
<P>/UTBBgeTREzfbV9ev1tKwGtFovxi9BiK5
crZ3Qns3rt+lrd6Xas6tJhAvedGakGP7eeaLHdXZjeXGnqvKzRHw==</P>
<Q>8FBLHPccdNh//dRF7Uf6weB829bz+G+NvVrKJMcOzUr9QuKcyRqfZTslKiC/aG9p1PoFxWpeyoPFwDrqFzTYhw==</Q>
<DP>MTvTPU3fnscdFbb3MaG4gzuArbgQNFc722pkgoakfOS9RQgf/VjKXoFllz7
05d+z6SHvSGemnEcYtNcbscPt4Q==</DP>
<DQ>0NOVUihSbB8uqe8sVZ11BEEFfyw9eafGrc
NVYbww2qjNh+/QetlNpfRNiVxHuIMInnBdz31tveHgV/laLqyDxQ==</DQ>
<InverseQ>X0KxLXzW2glIhkk5lP0OnQVWfTutwo9Qg4DSk/5MtbQMMek8SHju7X9Ae2iL4DDRbWG/5mbrPdQ1yQg+GXCWbw==</InverseQ>
<D>NCBukE3dm5+xRXEY4qWk3Xe8XFvIHT5vENOzTZE4jz0aBPxzTYLIgbkZP+lXgllc4mricqYSsD3K8vCBMQXEhqHkc6pSiYfesZG3wlujJGRyVoT1pVk5M460RwJfwPsO0TxfYCYU80CIfZNzFIEpGEp6pAUF1TQbnTre11aFjU=</D>
</RSAKeyValue>
I was able to generate public key as below.
BigInteger publicExponent = new BigInteger(new sun.misc.BASE64Decoder().decodeBuffer("AQAB"));
RSAPublicKeySpec rsaPublicKeySpec = new RSAPublicKeySpec(modulus,publicExponent);
But privateKey need privateExponent
RSAPrivateKeySpec rsaPrivateKeySpec = new RSAPrivateKeySpec(modulus,privateExponent);
How to get privateExponent from <RSAKeyValue> ?
RSAPrivateCrtKeySpec need following parameters. Can not find where it map in <RSAKeyValue>
RSAPrivateCrtKeySpec(BigInteger modulus,
BigInteger publicExponent,
BigInteger privateExponent,
BigInteger primeP,
BigInteger primeQ,
BigInteger primeExponentP,
BigInteger primeExponentQ,
BigInteger crtCoefficient)
Thanks,
DP
PKCS#1 1.5 definition:
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER -- (inverse of q) mod p }
RSAParameters as documented in .NET Framework Class Library:
D Represents the D parameter for the RSA algorithm.
DP Represents the DP parameter for the RSA algorithm.
DQ Represents the DQ parameter for the RSA algorithm.
Exponent Represents the Exponent parameter for the RSA algorithm.
InverseQ Represents the InverseQ parameter for the RSA algorithm.
Modulus Represents the Modulus parameter for the RSA algorithm.
P Represents the P parameter for the RSA algorithm.
Q Represents the Q parameter for the RSA algorithm.
The KeySpec (CRT = Chinese Remainder Theorem)
RSAPrivateCrtKeySpec(BigInteger modulus,
BigInteger publicExponent,
BigInteger privateExponent,
BigInteger primeP,
BigInteger primeQ,
BigInteger primeExponentP,
BigInteger primeExponentQ,
BigInteger crtCoefficient)
So we could try some guessing:
modulus <- Modulus
publicExponent <- Exponent
privateExponent <- D
primeP <- P
primeQ <- Q
primeExponentP <- DP
primeExponentQ <- DQ
crtCoefficient <- InverseQ
Try it and tell me if it worked. Good luck.
-
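The mapping guessed in the answer above can be checked numerically before any key is loaded. This is an added example, not code from the thread: the function names are made up here and the sample key is a constructed toy built from the primes 251 and 241. It parses an `<RSAKeyValue>` document, tests the CRT relations from the PKCS#1 definition, and goes one step beyond the thread by writing the fields out as a PKCS#1 `RSA PRIVATE KEY` PEM.

```python
import base64
import xml.etree.ElementTree as ET

# .NET element names in PKCS#1 RSAPrivateKey order (n, e, d, p, q, dP, dQ, qInv),
# i.e. the mapping proposed in the answer above.
FIELD_ORDER = ["Modulus", "Exponent", "D", "P", "Q", "DP", "DQ", "InverseQ"]

def b64_to_int(text):
    raw = base64.b64decode("".join(text.split()))  # tolerate wrapped lines
    # Unsigned big-endian, like Java's new BigInteger(1, raw), never new BigInteger(raw).
    return int.from_bytes(raw, "big")

def int_to_b64(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return base64.b64encode(raw).decode("ascii")

def parse_rsa_key_value(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    key = {}
    for name in FIELD_ORDER:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise ValueError("missing element: " + name)
        key[name] = b64_to_int(node.text)
    return key

def check_crt_mapping(key):
    """Return the relations that fail; an empty list means the mapping holds."""
    n, e, d, p, q = (key[k] for k in ("Modulus", "Exponent", "D", "P", "Q"))
    if p < 2 or q < 2 or p * q != n:
        return ["Modulus != P*Q"]
    problems = []
    for name, prime in (("DP", p), ("DQ", q)):
        if key[name] != d % (prime - 1):
            problems.append("%s != D mod (%s-1)" % (name, name[1]))
    if key["InverseQ"] * q % p != 1:
        problems.append("InverseQ*Q mod P != 1")
    if pow(pow(2, e, n), d, n) != 2:
        problems.append("D does not invert Exponent")
    return problems

def der_len(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value):
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps sign bit clear
    return b"\x02" + der_len(len(body)) + body

def to_pkcs1_pem(key):
    body = der_int(0) + b"".join(der_int(key[name]) for name in FIELD_ORDER)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % "\n".join(lines)

def make_sample_xml(p=251, q=241, e=17):
    """Constructed toy key (far too small for real use), serialized like .NET does."""
    d = pow(e, -1, (p - 1) * (q - 1))
    values = [p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    body = "".join("<%s>%s</%s>" % (name, int_to_b64(v), name)
                   for name, v in zip(FIELD_ORDER, values))
    return "<RSAKeyValue>" + body + "</RSAKeyValue>"

if __name__ == "__main__":
    print(to_pkcs1_pem(parse_rsa_key_value(make_sample_xml())))
```

In the sample, P is the single byte 0xFB, which a signed decode would turn into -5; the unsigned decode and the leading 0x00 in `der_int` are what keep such values positive.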
How to install only Roxio CD Burner Program from the Recovery CDs?
I bought a T400 a few weeks ago in Korea.
But my company uses English, so I had to install a Windows XP English version.
However, at that time I lost the Roxio software.
I have the recovery CDs for T400 Windows XP PRO SP2.
If it is possible, then please let me know how to install only Roxio CD Burner Programs from the Recovery CDs.
Thanks.
Hello,
unfortunately it's not possible to install just one program from recovery CDs.
But on Lenovo support pages, there you should find your software and applications.
Please visit with IE and let autodetect your system.
Then you should be able to choose which type of software is available for you.
Choose CD and DVD drives.
Hopefully the T400 department is up to date now.
-
How do i change the Std. confirm key from 'AB' to 'Z1', receiving ACK IDOC.
Hi,
How do i change the Std. confirm key from 'AB' to 'Z1', when loading ACK IDOC.
Thanks
Hi Jorge,
Thanks for your help.
I change the output mode to "Collect IDocs" method, if I use SAP standard function POIM (RCCLMDAT), it will depend on change pointer to generate IDoc, and it includes function: RSEOUT00 ( and MASS_RSEOUT00 ) to collect and send IDoc.
The collect table is BDCP.
BR, -
How to install Mac ADOBE CREATIVE SUITE 4 from DVD on W7
How to install Mac ADOBE CREATIVE SUITE 4 from DVD on OS Window 7
Cannot be done.
Creative Suite 4 is a single platform license: Mac only (in your case) or Windows only.
You must either
purchase a new full version of CS6 for Windows, or
purchase a "Crossgrade" from CS4 Mac to CS6 Windows, or
join the Creative Cloud -
How do I recover vault 2 encryption key from apple
Please show me how I can
Recover vault2 encryption key
from apple.
how do I recover vault 2 encryption key from apple,
read the “Retrieving your recovery key from Apple” section of this Apple page. -
In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
Since I know of no other way to get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this, the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?
I believe you have to run Keychain Access as root to export the private key.
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
-
Hi,
I would like to export my Portal private key, so that it can be used for network traffic capture (Wire shark).
Can anyone point me in the direction as to where this file can be exported.
Thanks
Kai
PS. Points will be awarded.....
The Path to export the certificate is:
On the Portal
System administration -> system configuration -> Keystore administration -> download verify.der file
Regards,
Chengappa -
Private key from 5.1 to 7.0
Hi, we're currently upgrading from WebLogic server 5.1 to 7.0. The private
key generated by WLS 5.1 does not use any password, and can therefore not be
used with 7.0
Do I have to generate a new private key and order a new SSL certificate, or
is there a way I can assign a password to my existing private key so I can
continue using this ??
Thanx in advance !!!
Jan Espen Hansen
Thanks a lot Tony !!!!! This solved my problem.
JEH
"Tony" <TonyV> wrote in message news:[email protected]..
Incorrect PEM headers/footers can confuse the tool.
Double check that the header and footer for your PEM file match the contents of the data in the file.
If it was an unprotected RSA private key, the header and footer should look like this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
It should not say it is a certificate (which is the default for the der2pem utility), and it should not say it is an encrypted private key.
Tony
"a" <[email protected]> wrote in message news:3f9f7705$[email protected]..
Hi, and thank you for your answer. I've tried the tool you mention, but I get the following error message:
"Error parsing BER private key data 3000"
Since my private key is in .der format I have first run the weblogic util utils.der2pem on it, but I still get this error message.
Any ideas ??
JEH
"Tony" <TonyV> wrote in message news:[email protected]..
You should not have to generate a new key.
There is a native tool that is supplied on the WLS kit that can protect an unprotected private key for you:
wlkeytool inputkey.pem outputkey.pem
It will prompt for passwords, I believe that will do what you want.
Tools such as OpenSSL should also be able to protect the private key.
Tony
-
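Tony's two pieces of advice in the WebLogic threads above (the PEM header and footer must match the data, and nothing may follow the footer) can be checked mechanically. This is an added example, not code from the thread or from WebLogic: the function names are made up here, the sample bytes are constructed, and the structure detection is a heuristic that looks only at the first two DER tags inside the outer SEQUENCE.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----(.*)\Z", re.S)

# First two element tags inside the outer SEQUENCE -> (structure, PEM label).
SHAPES = {
    (0x02, 0x02): ("PKCS#1 RSAPrivateKey", "RSA PRIVATE KEY"),
    (0x02, 0x30): ("PKCS#8 PrivateKeyInfo", "PRIVATE KEY"),
    (0x30, 0x04): ("PKCS#8 EncryptedPrivateKeyInfo", "ENCRYPTED PRIVATE KEY"),
    (0x30, 0x30): ("X.509 certificate", "CERTIFICATE"),
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def der_shape(der):
    """Heuristic: identify the structure from its first two inner tags."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        return ("unknown", None)
    tag1, _, end1 = read_tlv(der, start)
    tag2, _, _ = read_tlv(der, end1)
    return SHAPES.get((tag1, tag2), ("unknown", None))

def inspect_pem(text):
    """Return a list of findings; empty means header, footer and body agree."""
    m = PEM_RE.search(text)
    if not m:
        return ["no PEM block found"]
    begin, body, end, tail = m.groups()
    findings = []
    if begin != end:
        findings.append("header %r and footer %r differ" % (begin, end))
    if tail not in ("", "\n", "\r\n"):
        findings.append("extra lines or whitespace after the footer")
    if "Proc-Type:" in body:  # legacy OpenSSL encryption: body is ciphertext
        return findings + ["password-protected key, contents not checked"]
    try:
        structure, label = der_shape(base64.b64decode("".join(body.split())))
    except (ValueError, IndexError):
        return findings + ["body is not base64-encoded DER"]
    if label != begin:
        findings.append("label %r but contents look like %s" % (begin, structure))
    return findings

def make_pem(label, der, tail="\n"):
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----%s" % (label, b64, label, tail)

# Constructed bytes: SEQUENCE { INTEGER 0, INTEGER 5 } has the outline of an
# unprotected PKCS#1 key (version, modulus, ...) but is not a usable key.
RSA_SHAPED = bytes.fromhex("3006020100020105")

if __name__ == "__main__":
    print(inspect_pem(make_pem("RSA PRIVATE KEY", RSA_SHAPED)))
    print(inspect_pem(make_pem("CERTIFICATE", RSA_SHAPED)))
    print(inspect_pem(make_pem("RSA PRIVATE KEY", RSA_SHAPED, "\n \n")))
```

The second call reproduces the case Tony describes, a private key wrapped with the CERTIFICATE label that der2pem applies by default.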
How to provide text formatting options to user from a text field
Hi,
My requirement is - in the interactive form, a comments field needs to be provided where user should be able to enter text with formatting options like
Headers
indentations
bold/italic
bullet points and numbers
Once user enters the formatted texts in a text field, data needs to be displayed/printed in the same format. Could you help me on how to provide these formatting options to the user for a particular text field?
I understand that once I define the text field with format XHTML (with RTF), user formatting can be captured and displayed in the same way. But I am not sure on how to provide the formatting options for the text field.
Thank you,
Madhu
Hi,
if you select a text field for Rich Text and the press Ctrl + E you'll get a bar for all available text formatting options in Acrobat/Reader.