How to renewal SSO public key certificate ??

Similar Messages

• Renewing public key certificate used for Seeburger AS2

  My general question is when a public key certificate, used for Seeburger AS2 payload decryption and digital signatures, needs to be renewed, how carefully do the certificate renewal steps need to be coordinated for a seamless transition?  More specifically...
  1. Once we import the CSR response from the CA, will the public key currently used by our partner become invalid, or will it continue to work until its expiration date? 
  2. Will our partner be able to validate our signature after the new CSR has been imported, but prior to them applying the new public key certificate in their system? 
  3. Or can we renew the certificate, import the CSR request, provide our partner with the renewed certificate, and let them apply the certificate at their own volition, provided they do it prior to the original certificate expiration?

  Hi Kurt
  In my experience, the renewal/replacement of AS2 certificates for encryption/decryption & signing/authentication requires coordinated effort on both sides.
  This is because AS2 uses asymmetrical encryption, so both parties need to use the same pair of certificates at the same time, i.e. you encrypt on your private key, and partner decrypt on the public key matching your private key. If the keys used do not belong to the same pair, then decryption will not work.
  I'm not sure what AS2 software your partner uses and if it has the feature of automatic rollover of certificate, but PI/Seeburger does not. The approach in PI/Seeburger can either be one of the following:-
  i) import new cert replacing original cert of the same name
  ii) import new cert into new name, manually update sender/receiver agreements
  Due to the manual nature of the tasks, normally it requires coordinated effort during a cutover window.
  Rgds
  Eng Swee

• Importing public key certificate from external application

  Hello!
  I am trying to implement the following scenario:
  1. External client application sends it's public key certificate to SAP WAS
  2. SAP imports this certificate into its PSE
  3. External client application sends digitally signed messages to SAP (with <i>secKey</i> HTTP call parameter)
  4. SAP checks this signature and does whatever further action.
  For simplicity reason, I emulated this "external app" by using the ArchiveLink interface of the very same SAP system. So, I have one system which is at the same time client and server, but the communication works via HTTP.
  I started with step 1: The ArchiveLink (in my case "external app") uses the function SCMS_HTTP_PUT_CERT to send the public key certificate to the client via HTTP. It worked well - I received the message with HTTP service and it contained some binary content as expected (valid public key certificate - I suppose).
  Unfortunately, I was unsuccessfull with step 2: How to import the received certificate into my PSE?
  I debugged the STRUST transaction and saw that it uses the function SSFP_PUTCERTIFICATE to import public key certificate into SAP's own PSE. However, when I try to use it, I get error <i>No temporary PSE available</i>. I also tried to <i>encode-base64</i> this message with the same result. What does this mean?
  Does anyone has experience with this? Please share it.
  Thanks in advance and kind regards,
  Igor

  The key point was understanding the cleverly named parameter PROFILE in the function SSFC_PUT_CERTIFICATE. You'd never guess: it's a path to a PSE where you want to put the certificate, in my case: C:\usr\sap\NSP\DVEBMGS00\sec\SAPSYS.pse. There's one more step: updating database with the file system PSE.
  So, the test sequence that works is:
  1. SSFP_GETSAPCERTIFICATE
  2. SSFC_PUT_CERTIFICATE
  3. SSFPSE_STORE
  Regards,
  Igor
  P.S. Am I the only one playing with these things? I keep getting 0 replies to my questions.

• Logout from an "https client authentication (public key certificate)"

  Hi ,
  I am using an https client authentication (public key certificate) to login to my ADF faces website
  How can I logout form the application? It seems the session.invalidate() is not working because my login information is still displayed after running the logout method (below)
  Note that this logout method was working well with the Form-Based Authentication.
  Thank you
  Jamil
  public String logout() {
  ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
  HttpServletRequest request = (HttpServletRequest)ectx.getRequest();
  HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
  HttpSession session = (HttpSession)ectx.getSession(false);
  session.invalidate();
  String temp = request.getContextPath() + "/adfAuthentication?logout=true&end_url=/faces/logout";
  try {
  ectx.redirect(temp);
  FacesContext.getCurrentInstance().responseComplete();
  } catch (Exception ex) {
  System.out.println("Exception in logout()");
  return null;
  }

  Can you try with the null chk.. as this piece of code is working fine for us
  public void logout(ActionEvent evt) {> FacesContext fc = FacesContext.getCurrentInstance();
  > HttpSession session =
  > (HttpSession)fc.getExternalContext().getSession(false);
  > HttpServletRequest request =
  > (HttpServletRequest)fc.getExternalContext().getRequest();
  > HttpServletResponse response =
  > (HttpServletResponse)fc.getExternalContext().getResponse();
  > try {
  > if (session != null) {
  > session.invalidate();
  > }
  > fc.getExternalContext().redirect(request.getContextPath() +
  > "/faces/index");
  > } catch (Exception exp) {
  > try {
  > fc.getExternalContext().redirect("/faces/Error");
  > } catch (Exception ex) {
  }> }
  > }

• ArchiveLink security: sending public key certificate by SCMS_HTTP_PUT_CERT

  Hello!
  I have a question which I asked on ESA and Security forums and didn't get answer.
  I am trying to do a test program to check ArchiveLink security features. Namely, I am calling the function SCMS_HTTP_PUT_CERT which is supposed to send a public key certificate via HTTP. However, when I catch this call and want to import the certificate by using the function SSFC_PUT_CERTIFICATE, I get error message <i>SSF kernel error: invalid parameter</i>.
  Does anyone have experience with this?
  For more detailed description of my attempt, please see ArchiveLink security: sending public key certificate.
  Thanks and regards,
  Igor

  Hi
  SCMS_HTTP_PUT_CERT is used to send sap public key to Content server application. The  content server application makes use of this key to verify the incoming request ie the Content Server uses the public key to check URIs and signatures.
  SAP uses the Public/Private key security concept while communicating with Content server. Basically when SAP communicates with Content server it will be sending GET, PUT, POST requests. The URL from SAP will have field called secKey which contains the security key. secKey ensures that a URL cannot be changed after it has been generated by the SAP system. The private key is used by SAP to generate the secKey.
  The content server application will use the public key provided via SCMS_HTTP_PUT_CERT to check the URL and will be able to detect if the URL has been tampered.
  Refer SAP Content Server HTTP 4.5 Interface documentation  section Security for more details.
  http://help.sap.com/saphelp_nw04/helpdata/en/9b/e8c186eaf811d195580000e82deb58/frameset.htm
  Hope this helps
  Cheers,
  Samanjay
  Message was edited by:
          Samanjay Shenoy

• Anyone know how to renew an apple authority certificate on my computer so i can access a application form for website?

  Anyone know how to renew an apple authority certificate on my computer so i can access a application form for website?

  have you tried a hard reset, if not try this
  it doesn't matter whether the phone is on or not to start with
  Press-hold the Home button (big circle below the screen) and the Sleep/Wake button (on top of the iPhone) simultaneously.
  Continue holding both buttons (Ignore the "Slide to power off") until the iPhone shuts off and begins to restart.
  You may let go when you see the silver Apple logo.
  You have completed a hard reset successfully.

• How to renew a self signed certificate

  Hello,
  Can someone tell me how I can renew a self signed certificate ? I can't find the relevant option with the certadmin command.
  thx,
  Tom.

  Hi,
  thanks I had scanned through that document, but it doesn't tell you how to renew a self signed certificate. I went through all the options of the certadmin tool, and renewing a certificate is not one of them. So I guess it must be done manually via some pki binary somewhere on my system, but which one and how ?

• SSL: how to use Multiple Private key/Certificate pair for authentication.

  Hi all,
  i am implementing SSL in java using X509 Certificate/private key combination.
  i have two set of private key/certificate pair.
  one is factory default and another is generated at run time.
  my problem is to try ssl connection with both pairs on same tcp/ip connection.
  e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
  on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
  can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
  Thanks In Advance
  Saurabh Ahuja

  Client code does not contain any default truststore and needs a certificate for authentication.Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
  It's like this. The idea of PKI with SSL is as follows:
  - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
  - the client has a truststore that trusts the server, one way or the other, see above.
  - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
  - the server sends its cert to the client along with a digital signature signed by its private key.
  - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
  At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
  If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
  You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

• How encrypt msg with Public Key ?

  I want to encrypt my Session Key with the public key of the recipient but how can I do ?
  I know how to encrypt with the Secret Key but not with the Public Key.
  Thanks for response
  Nicolas

  It depends on the cryptosystem of which the public key you are having.
  If it is of RSA then you have to get the cipher of RSA and pass the session key bytes as input to it.

• How to renew the issuing CA certificate

  Hi,
  We have one root CA and two issuing CAs setup in our environment in Windows server 2003 platform. The CA certificate of one of the issuing CA has expired and the other will expire in two weeks. The root
  CA certificate is valid through 2018.  The MS PKI infrastructure is primarily used for issuing workstation certificates via GPO to client
  machines for VPN two factor authentication.
  Any help you can provide will greatly be appreciated.
  Thanks in advance,
  V

  The ship has sailed on the issuing CA that expired. You need to uninstall certificate services and reinstall ADCS (I would consider setting up a new CA (new name, newer OS)
  The second issuing CA can be renewed anytime within the next two weeks. After the certificate expires, renewal is not possible.
  There is no risk in setting up the new CA. All of the certificates are expired as well on the first issuing CA, so there will be no loss of functionality.
  That being said, this is a horribly managed PKI. A CA should be renewed when half of its lifetime has expired. To leave a CA to the point of two weeks left or worse yet, letting the CA certificate expired is terrible. Who is managing the service - they really
  need to step it up
  Brian

• How to renew your self-signed certificate p12 with Flash Builder

  I have been using a self-signed certificate (generated using Adobe Flash Builder 4.7) for my Android app. The app is live on Google Play market but the certificate is going to expire soon, and I know if I create new certificate and update my app, existing Android users will not be able to auto-update the app (as the App's Signature has been changed). I would like to know how can we re-new the self-signed Certificate .p12 with Flash Builder?
  Thank you very much.

  After doing my research about the self-signed certificate created by Adobe Flash Builder , I realized that was my mistake to think that the certificate would expire soon. I doubled check the expiration date of my self-signed certificate and the date was set to 35 years after I generated it using flash builder 4.7 (which is very safe).
  For anyone who wants to check the self-signed .p12 expiration date you follow the instruction from this link:
  http://bsdsupport.org/how-do-i-determine-the-expiration-date-of-a-p12-certificate/
  Hope it helps

• How to enter a Private key into a keystore

  Hi,
  We have a propriteary CA, developed by us. I need to use this CA for my Signed Applet. I would enter this CA's public key(a X509 certificate) into my cacerts file.
  Following is what I have done :
  1) I have generated my own keystore, public and private key for signing the applet.
  2) Signed the applet with the private key in the keystore.
  To Do :
  Now, the self generated public key(with which applet was signed) has to be signed by the properitary CA, so that when applet is downloaded my certificate is authenticated by the proprietary CA.
  The problem is :
  1) To get my public key certificate authenticated by the proprietary CA, I need the private key of proprietary CA.(so that I shall sign my public key file by the CA's private key) . The CA could give the private key as a byte array file. ( Or we could write a program to format the private key file, if any format exists and required). jarsigner requires keystore to sign. How could I create a keystore and enter my private key and public key into this keystore?
  2) Is there any other way to do this?
  Please help to resolve this problem.
  Rajesh

  Check this:
  <A HREF="http://java.sun.com/j2se/1.4/docs/guide/pugin/developer_guide/rsa_signing.html

• Renew sample trusted key to sign midlet

  Hi,
  is there anyone know how to renew the testing key for midlet signing?
  iv installed Sun Java Wireless Toolkit 2.5.2_01 version but the key only valid from 2/28/07 4:49 PM to 8/20/12
  Edited by: tslee on Jan 16, 2013 7:21 PM

  1. What is the benifit to get MIDlet signed.
  No warning after you sign the MIDlet!
  2. how to do it? Can I do it with keytool? or J2ME toolkit?
  You should buy a VeriSign or Thawte Java code signing to sign it. please refer the guide in this website: http://www.wotrust.com/support/Nokia_MIDlet_signing_guide.htm
  3. I tried to sign my midlet suite with a self signed cert and using keytool, jarsigner and JadTool in WTK22. I export the cert to a .crt file and installed it on my 6630 and give all permission to it. My midlet is installed successfully as a trusted third party. But it still ask for internet access permissio everytime, which is what I want to get rid of.
  Will a real Certificate from a CA get rid of the warning dialogs?
  Self-signed cert don't support in any mobile phone! you should buy a real cert from CA to get rid of the warning dialos.!

• Identifying Public keys??

  How to identify the public keys if there are many public keys at the client side???
  plz do let me know how to find the wanted public keys...
  asap
  thnx in advnce
  Subhash

  No a person A (other than yourself) creates a key pair. Person A submits
  his/her public key to get a certificate through a certificate request
  protocol. Once that certificate is returned to person A he/she can
  distribute his/her public key to anyone he/she wishes through whatever
  mechanisms he/she wishes. (aka email, floppy, whatever..)
  If you trust the CA who provided the certificate then it is likely you
  will trust the public key associated with it as being from person A. If
  so you can then encrypt messages to person A using his/her publickey/certificate.
  You can use keytool to take an X509 encoded public key/certificate and add
  it to your keystore locally. Once it is in your keystore you can access
  it at will for whatever operations you chose to do including encryption
  or signature verification.
  This all assumes you start out with the public certificate of the CA for
  which signed your friends public key (otherwise known as certifying) already
  on your machine. Java comes with a set of CA certificates of the most common
  CAs including verisign etc..
  If you are the CA then keep a copy of the certificate in your keystore
  and then send it to person A. Now you can get the cert from your local
  keystore anytime you need to encrypt data to be sent to person A.
  Person A should NEVER provide anyone access to his/her private key. That
  defeats the whole process. In fact person A should encrypt his/her private
  key so that should it somehow wind up exposed it is difficult for the key
  itself to be retrieved. This is typically done with PBE...

• How Sign Message with Certificate (public key)?

  Hi, I need to to send Sign xml message by Certificate file (public key) and read sign message
  so how can i do it ??
  and i should have 2 public key ?? or what ??
  please help :)
  Thanks

  ejp has answered your question, but it seems you did not understand. This forum is not a good place to learn about public key cryptography and message encryption. You should already understand these fundamentals before asking questions here. This forum is about how to implement these crypto operations in the Java programming language. If you are cheap or poor, you can try googling for the more information; wikipedia is good starting point also. If you can afford it, I recommend you buy Practical Cryptography_ by Schneier.