How to PrivateKey from Certificate or keystore
Hello,
I need to get a PrivateKey from my keystore, but neither of my attempts below were successful.
Any thoughts on how I can get around this?
Thanks
// this part appears to be working
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(ksbufin, ksPassword.toCharArray());
Certificate privCert = ks.getCertificate(ksPrivAlias);
PublicKey pubKey = privCert.getPublicKey();
The following two approaches fail:
PrivateKey privKey = (PrivateKey) ks.getKey(ksPrivAlias, ksPassword.toCharArray ());
privKey in this case is null.
I also tried:
KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)ks.getEntry (ksPrivAlias, new KeyStore.PasswordProtection(ksPassword.toCharArray ()));
PrivateKey privKey = pkEntry.getPrivateKey();
Here I get the following exception:
java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:438)
at java.security.KeyStore.getEntry(KeyStore.java:1218)
at ..AuthenticateImpl.createSignature(AuthenticateImpl.java:179)
enderw wrote:
> Hello,
> I need to get a PrivateKey from my keystore, but neither of my attempts below were successful.
> Any thoughts on how I can get around this?
> Thanks
> // this part appears to be working
> KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
> ks.load(ksbufin, ksPassword.toCharArray());
> Certificate privCert = ks.getCertificate(ksPrivAlias);
> PublicKey pubKey = privCert.getPublicKey();
I hope that your use of the prefix 'priv' is just a misnomer because certificates have nothing to do with 'private', they are always 'public'.
> The following two approaches fail:
> PrivateKey privKey = (PrivateKey) ks.getKey(ksPrivAlias, ksPassword.toCharArray ());
There is no keystore key entry with the name referenced by ksPrivAlias. What makes you think there is a private key with that alias?
> privKey in this case is null.
> I also tried:
> KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)ks.getEntry (ksPrivAlias, new KeyStore.PasswordProtection(ksPassword.toCharArray ()));
> PrivateKey privKey = pkEntry.getPrivateKey();
> Here I get the following exception:
> java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
> at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:438)
> at java.security.KeyStore.getEntry(KeyStore.java:1218)
> at ..AuthenticateImpl.createSignature(AuthenticateImpl.java:179)
It looks to me like the alias you are providing is that of a certificate and not a private key.
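The diagnosis in the reply above can be checked before calling getKey or getEntry. The following is an added example, not code from the thread: it classifies every alias in a keystore and only asks for a private key when the alias is a private key entry. The class and method names are hypothetical, and the demo input (the JDK's own cacerts trust store with the default password "changeit", which holds only trusted certificate entries) is an assumption used when no arguments are given.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;

// Added example; KeystoreAliasCheck, kindOf and privateKeyFor are hypothetical names.
public class KeystoreAliasCheck {

    // Classify an alias without needing the key password.
    static String kindOf(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) return "missing";
        // A trusted certificate entry holds a public certificate only.
        if (ks.isCertificateEntry(alias)) return "trustedCertEntry";
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) return "PrivateKeyEntry";
        return "otherKeyEntry"; // for example a secret (symmetric) key
    }

    // Return the private key, or fail with a message that names the real problem
    // instead of a null result or an UnsupportedOperationException.
    static PrivateKey privateKeyFor(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        String kind = kindOf(ks, alias);
        if (!kind.equals("PrivateKeyEntry")) {
            throw new IllegalArgumentException(
                    "alias '" + alias + "' is " + kind + " and holds no private key");
        }
        // The key password can differ from the store password; a wrong one
        // raises UnrecoverableKeyException here.
        Key key = ks.getKey(alias, keyPassword);
        return (PrivateKey) key;
    }

    public static void main(String[] args) throws Exception {
        // Assumed demo input: the JDK trust store, unless a path and password are passed.
        File file = args.length > 0 ? new File(args[0])
                : new File(System.getProperty("java.home"), "lib/security/cacerts");
        char[] storePassword = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePassword);
        }
        for (String alias : Collections.list(ks.aliases())) {
            String kind = kindOf(ks, alias);
            System.out.println(alias + " -> " + kind);
            if (kind.equals("PrivateKeyEntry")) {
                // This demo assumes the key password equals the store password.
                PrivateKey key = privateKeyFor(ks, alias, storePassword);
                // Print metadata only; never log the key material itself.
                System.out.println("  key algorithm: " + key.getAlgorithm()
                        + ", chain length: " + ks.getCertificateChain(alias).length);
            }
        }
    }
}
```

Run against the trust store, every alias prints as trustedCertEntry, which is the situation the poster was in: the keystore held the certificate but not the matching private key.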
Similar Messages
-
How to add a certificate to keystore using keytool?
Hi all,
I am trying to connect a server from my application which requires a certificate for secure connection.
I am using Jdeveloper. Should I use command prompt and use keytool command after going to jdk home of jdeveloper and add the certificate?
What password should I use?
Sam
Consult for example:
http://www.thatsjava.com/java-tech/38248/
http://www.oracle.com/technology/sample_code/tech/java/codesnippet/ejb/applettoejb/HowTo_Applet_talks_to_Session_bean.html
http://oraforms.blogspot.com/2009/02/setting-up-jdeveloper-for-httpsssl.html
NA
http://nickaiva.blogspot.com
-
How to import a password protected p12 certificate to keystore?
Hi all,
I am new in java security programming.
And I got something very urgent need your help..
How to import a password protected p12 certificate to keystore programmatically?
Does anyone have sample codes on this issue?
thanks very much
Wyan
Hi omslion,
I responded to a similar post from you (and moved it to the Acrobat forums). Password protecting a file requires Adobe Acrobat. You are welcome to download a free 30-day trial of Acrobat. For more information, see www.adobe.com/products/acrobat.html.
Best,
Sara
-
How to load the certificate authority into the keystore for the weblogic8.1
how to load the certificate authority into the keystore for the weblogic8.1
==================================================
Getting the message below when trying to import the certificate to the weblogic 8.1 web server. Received this certificate from our internal IT certificate authority. Trying to import the certificate to our test system.
===================================================
keytool error: java.lang.Exception: Failed to establish chain from reply
Import failed. Verify that the Certificate Authority that signed 'certi.pem'
has been loaded into your keystore 'keystore\pskey'
To view keystore contents issue 'PSkeymanager -list -keystore keystore\pskey [-v
To preview a certificate file issue 'PSkeymanager -previewfilecert -file certi.pem'
You need to populate that field using cmod code. Find out from which table that field is and go to transaction cmod then enter project name and select component radio button then display.
Now select the FM EXIT_SAPLRSAP_001 if your datasource is transactional datasource
EXIT_SAPLRSAP_002 for master data attribute
EXIT_SAPLRSAP_003 for Hierarchies
EXIT_SAPLRSAP_004 for text
then populate code .
After your code then delete data from ods then reinit to populate the enhanced field.
Hope it helps..
-
How to use Chained Certificates from CA (Thawte) ?
Hi,
I have an application which does the communication over secured channel to another site(Say www.XYZ.com) over internet, for this xyz.com has given a certificate which is used for secured communication. Till the time certificate was self signed certificate i did not have any problem. I use to import certificate in trusted store and use it with the help of JSSE.
Now the problem is xyz.com has given a new certificate, which is chained and issued by Thawte. Now as i understand JDK Does not come with thawte as trusted CA. so we need to add the same in the keystore. The problem i am facing is how do the chain certificates work under JAVA i.e. how the chain of certificates is created in keystore file. When i import CA's self signed certificate as documented in keytool tools documentation this completes without problem. In the documentation theres is a mention regarding importing "Certificate Reply from the CA" but there is no mention about how to import a certificate given by 3rd Party i.e. xyz.com in our case. Is "Certificate Reply from the CA" and certificate from 3rd party the same. or there is some specific way in which we have to do the import to keystore?
Thanks in advance
Sachin
Thank you for taking time to reply, but this is solved now. You are right, need to import all the certificates. So what I did is exported all the certificates which were in chain from IE. Then starting from Root's self signed certificate imported all of them one by one into keystore and then provided this keystore while communication and it works
Thanks once again
Sachin
-
How to transfer my certificate to this new account from old acount
how to transfer my certificate to this new account from old acount
You don't. Registration is a one time thing that you do the first time you install an application. Once registered it does not need to be done again.
You should see if you can have the activations reset before you try installing on a new machine so that you still have the two activations that are available to you. If not, you should still have an activation available for use with the new installation.
To reset activations contact Adobe Support and ask them to reset your activations.... For the link below click the Still Need Help? option in the blue area at the bottom and choose the chat option...
Serial number and activation chat support (non-CC)
http://helpx.adobe.com/x-productkb/global/service1.html ( http://adobe.ly/1aYjbSC )
To get it working on the new machine you just install and activate using the serial number you should already have.
-
How to add a certificate to IIS global "Server Certificates" list using PowerShell?
Hi, been surfing the web for an example on how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell but to no luck. I already have code in place on how to tie / associate a specific website with a specific cert but not how to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell.... I dont expect the final code to become published but if someone had an idea on howto integrate / get an entry point on where to interact between the "Server Certificate" list in IIS and POSH I would be super happy! :|
I am running IIS on a Windows 2008R2 x64 Standard Edition if that helps..... of course, I would saddle for an CLI if there is no other way, but POSH is of course the way to go! :)
Thanks for the help in advance guys, take care!
br4tt3
Hi and thanks for the suggestions!
Although it comes close, the suggested code example points on howto import / incorporate .pfx files - I am getting fed by .cer files which I need to add into the IIS console using POSH.
I tried explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS! However, launching the following command from a POSH console with Import-Module Webadministration already loaded into that shell;
$certMgr = New-Object -ComObject IIS.CertObj
returns the following error message:
New-Object : Cannot load COM type IIS.CertObj
From an IIS perspective I have the following components installed;
[X] Web Server (IIS) Web-Server
[X] Web Server Web-WebServer
[ ] Common HTTP Features Web-Common-Http
[ ] Static Content Web-Static-Content
[ ] Default Document Web-Default-Doc
[ ] Directory Browsing Web-Dir-Browsing
[ ] HTTP Errors Web-Http-Errors
[ ] HTTP Redirection Web-Http-Redirect
[ ] WebDAV Publishing Web-DAV-Publishing
[X] Application Development Web-App-Dev
[ ] ASP.NET Web-Asp-Net
[X] .NET Extensibility Web-Net-Ext
[ ] ASP Web-ASP
[ ] CGI Web-CGI
[ ] ISAPI Extensions Web-ISAPI-Ext
[ ] ISAPI Filters Web-ISAPI-Filter
[ ] Server Side Includes Web-Includes
[ ] Health and Diagnostics Web-Health
[ ] HTTP Logging Web-Http-Logging
[ ] Logging Tools Web-Log-Libraries
[ ] Request Monitor Web-Request-Monitor
[ ] Tracing Web-Http-Tracing
[ ] Custom Logging Web-Custom-Logging
[ ] ODBC Logging Web-ODBC-Logging
[X] Security Web-Security
[ ] Basic Authentication Web-Basic-Auth
[ ] Windows Authentication Web-Windows-Auth
[ ] Digest Authentication Web-Digest-Auth
[ ] Client Certificate Mapping Authentic... Web-Client-Auth
[ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
[ ] URL Authorization Web-Url-Auth
[X] Request Filtering Web-Filtering
[ ] IP and Domain Restrictions Web-IP-Security
[ ] Performance Web-Performance
[ ] Static Content Compression Web-Stat-Compression
[ ] Dynamic Content Compression Web-Dyn-Compression
[X] Management Tools Web-Mgmt-Tools
[X] IIS Management Console Web-Mgmt-Console
[X] IIS Management Scripts and Tools Web-Scripting-Tools
[ ] Management Service Web-Mgmt-Service
[ ] IIS 6 Management Compatibility Web-Mgmt-Compat
[ ] IIS 6 Metabase Compatibility Web-Metabase
[ ] IIS 6 WMI Compatibility Web-WMI
[ ] IIS 6 Scripting Tools Web-Lgcy-Scripting
[ ] IIS 6 Management Console Web-Lgcy-Mgmt-Console
[X] FTP Server Web-Ftp-Server
[X] FTP Service Web-Ftp-Service
[X] FTP Extensibility Web-Ftp-Ext
[ ] IIS Hostable Web Core Web-WHC
More or less the one thing that I am trying to get up and running is an automated FTPS solution - I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH interacts in the MMC representation. The error I am getting might be that I am lacking some IIS components to be in place to be able to automate some parts of the IIS - as suggested by the IIS.CertObj object listed in the example..... I will get back if I can track down which component needs to be added to be able to reference the IIS.CertObj object.
Br4tt3 signing out...
br4tt3
-
How to install SSL certificate on the second ACE in the HA pair
Hi,
I'm struggling to figure out how to install a certificate (.p7b and .crf) on my second ACE in a HA pair.
On ACE01 i generated a CSR and gave the details to our SSL provider, they provided the certificates and i imported them. All good there.
How can i install the same SSL on ACE02 if i haven't generated a CSR on my backup device, or do i generate a CSR and import the same certificate?
Since bringing the ACE's into HA all contexts have sync'd and the backup ACE is in 'hot standby' state. But one context fails the sync and i think this is because the SSL certificate is not installed correctly on the second ACE02.
Anybody got any ideas, suggestions?
Cheers
Hi,
If you already have the cert and key on the Active ACE, then you just need to export them using "crypto export ..." command from Active ACE and then import to the standby ACE using "crypto import ..."
Regards,
Siva
-
Plz Help! How to Store digital certificate on to java card?
We are working on java cards.......
But i don't know how to store digital certificate on to java card?
Any "step-by-step procedure" to follow after getting the certificate will be appreciated.....
Plz any relative information if u have do reply...............
Its urgent..............
Thanks in advance..........
I'm not understanding the confusion. Instead of storing a picture you are storing a certificate. Treat it as a blob of data. You will send data, approx 250 bytes in length, then send the next blob beginning from previous offset, etc. On the card, you store data into a large byte array beginning at the offsets. Read the picture sample again.
You would generate the key pair using the KeyPair class. Send that public key to the CA and store the cert returned from the CA.
If you are attempting PKCS#15, I wouldn't go that route until you understand Java Cards and the PKCS specification.
-
How to import a certificate verify.der.cer to enable SSO
How to import a certificate verify.der.cer to enable SSO
Hi Chitrangada,
You haven't mentioned if you need to configure SSO between which two systems. However, assuming that you are configuring the access of an ABAP system from a portal, you can import the verify.der file in TA STRUSTSSO2.
The entire procedure is available at:
http://help.sap.com/saphelp_nw70/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm
Hope it helps!
Best Regards,
Srividya.R
-
How to revoke machine certificates quickly?
We are planning to start using device certificates for the first time for the following purposes:
Exchange ActiveSync certificate based authentication.
Wireless authentication for laptops that are not members of our domain.
System Center Configuration Manager Internet based clients to authenticate from the Internet through a reverse proxy to receive Windows and software updates.
Allow Chromebooks to authenticate to Cisco ASA L2TP with IPSEC VPN with device certificate instead of PSK.
If any of the devices or certificates get stolen, we would need to revoke the certificates so the devices can no longer authenticate.
I have already seen links that give steps on how to revoke the certificate on the issuing CA server, but how do you make this change happen right away? If we go through the steps to revoke the certificate, how can we make sure the devices that are providing the certificate authentication (RADIUS server for wireless and for VPN, reverse proxy, SCCM, Exchange etc.) know the certificate is revoked and immediately stop allowing connections?
Certificate revocation is not an immediate process. At first, you need to disable computer account in Active Directory and/or edit VPN connection policies.
-
Request Smartcard Logon certificates for more than 2 years from Certificate Authority
Dear all,
I have setup a Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage
http://ipofdomainserver/certsrv using the SmartCard logon custom template.
The problem is that my certificates are only valid for 2 years even though when I created my custom Smartcard logon I selected for validity period 5 years.
I read in documentation that issued certificates cannot have a greater validity than the root that signed them.
What and where I should modify to be able to request certificates from the template for more years than standard 2 ?
Ps: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA ? How ?
I was successfully able to create a root CA for 20 years, issued a certificate and login using smartcard using the following procedure:
1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
Created the file CAPolicy.inf in %SYSTEMROOT% with following content
[Version]
Signature="$Windows NT$"
[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
2. Renew CA root using this guide https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
Console Root -> Certification Authority -> select domain -> Right click -> All Tasks -> Renew CA certificate
3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from Certificates (local computer) -> Personal, the *WINSC-CA that was lower validity
4. I performed a reboot here
5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod to value 10 for 10 years.
7. Request a new certificate from CA webpage http://ipofdomain/certsrv and let the webpage write it to smartcard (I was making sure there is no other certificate on the smartcard)
8. Try to log in. At this point it should throw an error that smartcard logon is not supported for this account type. This is because we need to enroll it again for domain authentication
9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks -> Request new Certificate -> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
Now you should be able to login using your smartcard and 10 years generated certificate.
Though I have a problem at step 3, after CA server reboots the *WINSC-CA certificate with lower validity is restored automatically, but the certificates are generated for 10 years.
What am I doing wrong ? How can I delete the lower validity root CA ?
-
How to embedd author certificate and user digital signature?
Hi,
I want to implement Digital Signature in my pdf using Netweaver technology. I am working on an offline scenario.
I have few question on this topic.
1) Once I sign the pdf do the input-fields in them get locked? Is no then how do I lock them to ensure that they are not tampered?
2) How to pass the certificate along with the pdf? Can I pass it through an email?
3) Is the digital signature completely done on Adobe Reader side or the program side?
Please reply urgently...
Thanks,
Vishal
hi
i've the same problem. i've found this solution, but you need download a JCE Provider that allow you to read the explorer certificate store.
You can try this one: https://download.assembla.se/jceprovider/
and the code:
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import se.assembla.*;
public class Listcerts {
    public static void list() throws Exception {
        // Register the third-party provider that exposes the Windows certificate store
        java.security.Security.insertProviderAt(new se.assembla.jce.provider.ms.MSProvider(), 2);
        KeyStore ks = KeyStore.getInstance("MSKS", "assembla");
        // The store is backed by the operating system, so there is no stream and no password
        ks.load(null, null);
        X509Certificate cert = null;
        String alias = null;
        int count = 0;
        // Print every certificate in the store together with its alias
        for (java.util.Enumeration e = ks.aliases(); e.hasMoreElements();) {
            alias = (String) e.nextElement();
            cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("\n Certificado alias" + alias + ":");
            System.out.println(cert);
            count++;
        }
        System.out.println("NUM CERTS=" + count);
    }
}
now, i need the same solution for Firefox browser XP
good luck
Message was edited by:
meteko
-
How to Configuring external certificate for MEP
Hi,
I want to configuring external certificate to my mep gateway tier , can any one tell me procedure how to configure the certificate.
I am configuring behind the firewall I cannot run default port no 8181 for https , so where can I change https port no for MEP after installation and I need to import external certificates in to keystore.
Hi Jayanth,
Both issues you raise are GlassFish issues rather than MEP issues per se.
To change the port, after doing 'asadmin stop-domain mep' you just edit the domain.xml file in the .../domains/mep/config directory manually. Search for 8181 and change it to whatever you want, then restart GlassFish (asadmin start-domain mep).
In the MEP Installation Guide, there is a section on establishing trust between tier1 and tier2 in a two-tier configuration. See http://docs.sun.com/app/docs/doc/820-7203/ggxmb?a=view
Hopefully, you can generalize that procedure to your situation.
-
How to migrate from exchange 2007 to 2013 step by step tutorials please
Hi
I am running Windows Server 2008 standard, with exchange 2007 SP2 on it.
We have 800 mailbox in total
Our domain controllers are Win2012 R2 and I would like to upgrade to Exchange 2013 on Windows server 2012 R2.
I am running a VM, on VMware environment, so my Windows 2012 R2 is a VM.
Is there a website or document that explains in detail, step by step how to upgrade from 2007 to 2013.
I currently only have 1 exchange server 2007, with all the roles on the one server. I would like to keep that same as well with exchange 2013.
Thanks
Exchange server deployment assistant is always a good service provider to achieve this task as it simply ask few questions about your current environment and proceed further accordingly.
You can refer to this blog explained by technet team that will assist you further to gather more information in depth : http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx
Moreover, to avoid the interruptions and proceed a hassle-free migration from exchange 2007 to 2013, this application (http://www.exchangemigrationtool.com/) could also be a good approach to accomplish migration task in more secure way.