How to sign a certificate signing request
Hi all,
In the PKI process, a client generates a PKCS#10 [certificate signing request|http://en.wikipedia.org/wiki/Certificate_signing_request] (CSR; see [sun.security.pkcs.PKCS10|http://www.docjar.com/docs/api/sun/security/pkcs/PKCS10.html]), sends it to the certification authority (CA), and once the identity has been checked by the CA, the client retrieves his X.509 certificate (signed by the CA), sometimes along with the CA X.509 self-signed certificate.
I am acting as a CA; the only way I currently know to transform a CSR into an X.509 certificate is by using OpenSSL:
openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem
(see here).
Is there any keytool way, or even better any sun.security.* way, to do that operation programmatically using Java code?
Thanks for your feedback.
Edited by: Le_Sage on 19 Apr. 2010 12:12
That's right, found the doc here: [keytool -gencert|http://download.java.net/jdk7/docs/technotes/tools/windows/keytool.html#gencertCmd].
I guess the underlying code must be found under sun.security.* or com.sun.* code. I'll try to have a look.
Thanks for your feedback.
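Added example (not part of the original thread): the CA step discussed above, a PKCS#10 CSR in and a CA-signed X.509 certificate out, done with `openssl x509 -req`, which needs no CA database, unlike the `openssl ca` command in the first post. The subject names, file names and lifetimes are constructed for the demo, and `make_demo_pki` and `sign_csr` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: the CA step (CSR in, signed certificate out) with the OpenSSL CLI.
# Subject names, file names and lifetimes below are constructed for the demo.

# make_demo_pki DIR: throwaway self-signed CA plus a client key and PKCS#10 CSR.
make_demo_pki() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
}

# sign_csr CSR CA_CERT CA_KEY OUT DAYS
sign_csr() {
    local csr=$1 ca_cert=$2 ca_key=$3 out=$4 days=$5 ext
    # 1. Proof of possession: the CSR must be signed by the key it carries.
    #    Match the message text rather than trusting the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "rejected: CSR self-signature did not verify: $csr" >&2
        return 1
    }
    # 2. Extensions come from the CA, not the requester: x509 -req does not
    #    copy extensions out of the CSR unless told to.
    ext=$(mktemp) || return 1
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' >"$ext"
    # 3. Issue: subject and public key from the CSR, issuer and signature from the CA.
    openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
        -days "$days" -sha256 -extfile "$ext" -out "$out" 2>/dev/null
    local rc=$?
    rm -f "$ext"
    return $rc
}

# Demo run on constructed input: issue a certificate and check the chain.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" &&
    sign_csr "$demo_dir/client.csr" "$demo_dir/ca.pem" "$demo_dir/ca.key" \
        "$demo_dir/client.pem" 365 &&
    openssl verify -CAfile "$demo_dir/ca.pem" "$demo_dir/client.pem"
```

With a JDK, `keytool -gencert -alias <ca-alias> -keystore <ca-keystore> -infile client.csr -outfile client.pem -rfc` performs the same CA step against a keystore, as the reply above found.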
Similar Messages
-
How to create a certificate signing request that works with Microsoft CA
Hi, I have created a certificate signing request file with keytool. When I try to create a certificate from it with CertReq (I use a Microsoft CA) I get the following error message:
Certificate not issued (Denied) Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute. (The request contains no certificate template information. 0x80094801 (-2146875391))
Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute.
How do I create a certificate signing request file so that a Microsoft CA will accept it and create a certificate from it? Thanks, Linh.
I'm writing an application about x509 to deal with certificates and certificate requests.
I found that DER format certificate requests created by Sun's software have no extensions.
I think this causes your error. Maybe MS CA can't identify such a request! So it's difficult to solve this problem unless MS or Sun change their code.
JStranger -
Certificate Signing request on Wireless LAN controller
Does anyone know how to generate a Certificate Signing Request on 5508 controllers running 7.0.116?
It can't be done on the WLC itself; you need to have OpenSSL on a separate device. Check the following link for a walkthrough:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
Steve -
Generating Certificate signing request (CSR)
Hello,
We need to buy https digital certificate for our LIVE Enterprise Portal
(http://<host>:<port>/irj/portal) which would be hosted on the
Internet.
Please let me know how to generate a certificate signing request (CSR)
for the same.
Thanks & Regards,
Ratish
Hi rathish,
Have a look at this [Blog|http://www.sdn.sap.com/irj/scn/weblogs;jsessionid=(J2EE3417100)ID1193319850DB11798871903065480805End?blog=/pub/wlg/2586]. It might help you.
Regards,
Krishna kattu. -
Certificate Signing Request CSR
Hi All,
Does anyone know how to generate a Certificate Signing Request (CSR) from Oracle OC4J Application server?
I'm using this command
"keytool -genkey -keyalg RSA -keystore.jks -storepass 123456"
Then I just completed the details before I got this error
"keytool error: java.lang.IllegalStateException: masked envelope"
Am I doing the correct things or not?
TQ for your help.
Sorry, it's my fault actually because I ran it in the wrong directory. I ran it in the ORACLE_HOME directory; it should be in the ORACLE_HOME/j2ee directory...
But if you use Oracle Wallet Manager, it's easier... -
How to sign a X.509 Certificate
Hi there!
Does anyone know how to sign a X.509 certificate? I have to do this in my application (keytool etc. is not possible).
I searched for hours but couldn't find any working code-samples.
Thanks
1) Generate a CSR (Certificate Signing Request) using 'keytool'.
2) Go to the site of one of the major CA (Certification authorities) such as Verisign.
3) Apply for a signed certificate and post the CSR, your details and some money when requested.
4) Wait for the certificate. -
Certificate Signing Request file (CSR) with PIX
Hi everybody
Does anyone know how to create a Certificate Signing Request from a PIX 515? I want to make a VPN tunnel between 2 PIX with certificates and the Onsite Verisign asks me for a CSR file which must contain the public key and the name in an encrypted form.
Thanks for your help
Check out http://www.esign.com.au/custsupport/server/certsignreq/
-
How to view the certificate that a component has been signed with?
Hi all,
Been using java webstart deployment for a while so understand how to sign and deploy java applications.
Question I have is how to view the certificate that was used to sign a jar. For example, if I signed a jar "myComponent.jar" how can I then view the certificate details within this jar? I currently have an old component which I signed with an old certificate and want to view the expiration details.
Thanks in advance
Simon
Edited by: simon_seagroatt on Sep 22, 2009 4:20 AM
You can use command (it will show CN, OU, O, L, etc... and expiration date, of course):
jarsigner -certs -verify -verbose pathToYourJar.jar
I'd suggest redirecting output (>>out.txt).
Bye. -
Generate a Certificate Signing Request
Hey guys, I'm new to the Safari developer program and I'm having problems with the Generate a Certificate Signing Request for my PC. It worked fine on my Mac but not on my windows 7 PC. I follow the steps, saving the file then opening "CMD.exe" and type in the request and place "" with the path of the file saved in step one but once I hit enter it gives me a
Requires a Mac and your keychain.
-
How to sign iPhone application using developer certificates
Hello,
Will anyone tell me how to sign the iPhone application using a developer certificate, and one more thing: how will I get the developer certificate?
Thanks
ya i got the solution, just go through the following link...
you will also know how we do that..
http://developer.apple.com/iphone/library/documentation/Xcode/Conceptual/iphonedevelopment/120-Running_Applications/runningapplications.html
http://developer.apple.com/iphone/library/documentation/Xcode/Conceptual/iphonedevelopment/128-Managing_Devices/devices.html#//appleref/doc/uid/TP40007959-CH4-SW38 -
Certificate signing request with subject alternative names?
Has anyone been successful at generating a certificate signing request for a certificate that uses subject alternative names via the Server Manager GUI? It seems to skip the entire X509 section of the CSR for me.
Command line via openssl works but I'd like to stick with the GUI for the encryption on the certificates.
I just checked the documentation and found that your code is incorrect. IAlternativeName::StrValue contains a value for an email address, a Domain Name System (DNS) name, a URL, a registered object identifier (OID), or a user principal name (UPN). It doesn't contain a string value for directory name (and other non-mentioned types). Instead, you need to instantiate an IX500DistinguishedName interface and initialize it from an alternative name value:

using System;
using CERTENROLLLib; // COM interop assembly for the CertEnroll library

class Program {
    static void Main(string[] args) {
        // Placeholder: put the Base64-encoded PKCS#10 request here.
        String RequestString = "Base64-encoded request";
        CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
        request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
        Console.WriteLine("Subject: {0}", request.Subject.Name);
        foreach (IX509Extension ext in request.X509Extensions) {
            // Only the Subject Alternative Name extension is decoded.
            if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
                CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
                string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
                extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
                foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
                    switch (alternativeName.Type) {
                        case AlternativeNameType.XCN_CERT_ALT_NAME_DIRECTORY_NAME:
                            // Directory names carry no string value; decode the raw bytes as a DN.
                            IX500DistinguishedName DN = new CX500DistinguishedName();
                            DN.Decode(alternativeName.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
                            Console.WriteLine("SAN: {0}", DN.Name);
                            break;
                        default:
                            Console.WriteLine("SAN: {0}", alternativeName.strValue);
                            break;
                    }
                }
            }
        }
    }
}

My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool. -
Generation of 1024 bits key certificate signing request-sun one app srvr 7
Kindly help to generate 1024 bits key certificate signing request in sun one application server 7. The problem faced by me is that during csr generation the key length is 512 as this is the default value. Now I would like to change this default value and would like to generate a key with length 1024. Kindly help me.
Thanks in advance
Vishnu Priyan
OK, post a new Topic, title it Need help with self-signed certificate
Before you post, search the forums for the problem. Do the footwork.
Then, take your time, post exactly which of these steps you have taken, what the results were, and exactly where you are having problems, what the exact problem is (error message, whatever).
You are going to have much better response if someone can easily figure out what the problem you are having is. If you look at this thread, you will see "I have tried these 10 steps and they don't work". You are going to get nowhere with that.
I have to sleep now, good luck. -
Certificate Signing Request never arrives
I have created a CA using Certificate Assistant and have managed to create two certificates for myself locally and get Mail to recognise the keys and certificates for those email accounts. Everything works as expected.
However, when I send a CSR (Certificate Signing Request) from Certificate Assistant on another computer, nothing ever shows up in my inbox for me to sign.
What happened to the CSR? I'm pretty sure it left because I locked the keychain with my email password on first and Certificate Assistant asked me to unlock it, presumably to send the message as there's nothing else on that keychain (I've been trying to debug this for a couple of hours now). Regular email sent from the second computer arrives almost instantaneously at the first.
Any ideas / similar experiences?
Tried the same thing, same issue. There is not even anything about sending mail in the logs. I wonder ... is this actually implemented?
Apple help! -
Submit Certificate Signing Request - INVALID?
Okay, I'm at the stage of the Flash-to-iOS process of submitting my Certificate Signing Request (CSR) thru the "Developing Provision Assistant" ("Wizard") in the Provisioning Portal of the Apple iOS developer site. I've followed the instructions, made the CSR, yet when an attempt is made to upload and process it, I get this error:
"The Certificate file selected is invalid. Please check the file and try again."
What might be wrong?
I've reviewed the file, and it looks fine to me. The file name is:
thenamechosen1.certSigningRequest
and has this general content (the key identity here, of course, is fake and not included from my actual CSR file):
-
How to sign a java applet using iPlanet SSL certificate?
Dear all,
I have a IPlanet web server with SSL installed,
can I use the SSL certificate to sign my java applet which will run on the server? how to sign a java applet in this scenario? somebody please help me! thanks!
yours sincerely
dashel
Why can't you create jar files?