How to sign Certificate manually ?

Similar Messages

• How to replace an expiring self-signed certificate?

  Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
  First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
  It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
  The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
  It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
  I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
  I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
  Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
  http://screencast.com/t/zlVyR2Hsc
  Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
  Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
  http://screencast.com/t/54c2BUJuXO2
  Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
  Be aware that creating certificates starts to populate your server Keychain.
  http://screencast.com/t/JjLb4YkAM
  It appears that when you start to delete certificates, it leaves behind private keys.
  http://screencast.com/t/XD9zO3n16z
  If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
  OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
  In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
  Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
  Bypass "Introduction".
  In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
  The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
  You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
  In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
  The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
  (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
  Pant, pant...
  The next window asks for an email address and location information - this appears to be optional.
  Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
  Key Usage Extension window
  Here's where it gets interesting...
  I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
  Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
  Extended Key Usage Extension...
  Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
  Sorry, folks, I just HAVE to show you the help for this window...
  +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
  KILL ME NOW!!!
  OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
  Basic Constraints Extension...
  Well, there is no mention of that on the original certificate, so leave it unchecked.
  Subject Alternate Name Extension...
  Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
  DONE!!!! Let's see what the heck we got!
  http://screencast.com/t/QgU86suCiQH
  Well, I don't know about you but that looks pretty close for Jazz?
  I got some extra crap in there but the stuff from the original cert is all there.
  Think we're OK??
  Out with the old certificate (delete).
  Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
  http://screencast.com/t/bydMfhXcBFDH
  Oh yeah...one more thing in KeyChain Access...
  See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
  http://screencast.com/t/GdZfxBkHrea
  Select "Always Trust".
  I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
  I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
  Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
  If you want to see my rant on Apple's worthless documentation, it's here.
  http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

  to add to countryschool and john orban's experiences:
  using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
  in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
  when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
  supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
  you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
  now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
  after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
  lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
  maybe that's hopeful to somebody. but i stopped there since things seem to be working.
  last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
  now, we'll see how everything works once people start really using it...

• New self signed certificate, how to mark as trusted for all users on clients

  We have a new 10.8 server that we are currently using for iChat/Messages service.  We have created a self signed certificate to encrypt the traffic to the Messages service since we have the service accessible for internet and phone users.  We use network accounts and users need to log in on several different machines when in the office.
  Can anyone suggest how to tell a client machine to trust the certificate for all users?
  Currently, each user is asked to trust the certificate on each client they log into.
  I have imported the server certificate into the client's system keychain in Kechain Access and asked it to trust the certificate for all items manually.  This does not appear to allow all users to trust the certificate since subsequent users who have not yet trusted the certificate on the test client are still asked to confirm trust.  When opening the iChat.app the users are still propmpted to verify the certificate which now indicates that it is trusted for all users.

  Resolved.
  - Drag certificate from verification dialog.
  - Import into System Keychain
  - Select certificate in System Keychain and select "i" button at bottom of window.
  - Set all items to always trust.

• How to renew a self signed certificate

  Hello,
  Can someone tell me how I can renew a self signed certificate ? I can't find the relevant option with the certadmin command.
  thx,
  Tom.

  Hi,
  thanks I had scanned through that document, but it doesn't tell you how to renew a self signed certificate. I went through all the options of the certadmin tool, and renewing a certificate is not one of them. So I guess it must be done manually via some pki binary somewhere on my system, but which one and how ?

• How to register iOS device when using self signed certificate with apple Server?

  Hi,
  I have installed the server.app by Apple and used a slef signed certificate for my server. Now I want to register my different devices (iMac, iPhone etc.). I could register the iMac without problesm (I just had to add my self signed certificate to the trusted certificates)
  Sadly, with the iPhone it is not that easy. I can install the "trust profile", but still after that I can not register my device. It seems like it does not accept my self signed certificate for device registration. When adding a registration profile, I get the error "www._mydomain_.tld/devicemanagement/api/device/auto_join_ota_service" is not valid.
  Nethertheless, I can install a profile with setting, e.g. my imap settings, via the profile management without problems.
  Does anyone have an idea how to get around the problem with the self signed certificate?
  Best regards

  Try deleting the Server.app and download it again from the App Store, restart.
  My Server is also using self signed certificates and is working with iOS device (Trust Profile needed first).

• How to use Java code signing certificate in oracle 11i

  Hello,
  I am try to configure java code signing certificate in 11.5.10.2 application. we got java sign certificate from verisgin. SA's imported the certificate and created alias XXX_XXX with password and passphrase.
  I am able to see the my certificate. keytool -list -v -keystore xxx_xxxx.jks -storepass Password.
  how do I use it. I am using Enhance Jar Signing for EBS DOC ID 1591073.1.
  could you please give me some advice on it?
  Thanks
  Prince

  Hussien,
  I find out apps keystore keypassword and storepassword, I imported the java code sign certificate. I generated Jar files through adadmin, but I am getting  warning error
  adogif() unable to generate Jar Filers under JAVA_TOP.
  executing /usr/jdk/jdk1.6.0_45/bin/java sun.security.tools.JarSigner keysotre **** -sigfile CUST Signer /apps/......
  Error JarSigner subcommand Exited With status 1.
  No standard output from jarsigner JarSigner error output: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/tools/JarSigner Caused by: java.lang.ClassNotFoundException: sun.security.tools.JarSigner         at java.net.URLClassLoader$1.run(URLClassLoader.java:202)         at java.security.AccessController.doPrivileged(Native Method)         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)         at java.lang.ClassLoader.loadClass(ClassLoader.java:247) Could not find the main class: sun.security.tools.JarSigner.  Program will exit. WARNING: The following path(s), defined in /apps2/property/product/tst/appl/cz/11.5.0/java/make/czjar.dep as elements of the output:   oracle/apps/cz/runtime/tag WARNING: Copying cztag.lst from the old fndlist.jar ...   About to Analyze flmkbn.jar : Fri Nov 22 2013 10:45:51
  Please let me know if you have any idea. Thanks Prince

• Does anyone know how to use a self signed certificate with apple mail??

  Ive read about it in mail's help and tried to set it up according to it. Ive created a self-signed certificate but have no idea how to set it up as it would work with Mail so that i would be able to send signed messages. could anyone help me??

  Hello rado:
  Welcome to Apple discussions.
  I am assuming this is what you read:
  http://docs.info.apple.com/article.html?path=Mac/10.5/en/8916.html
  If you follow the instructions when you set up the certificate, you should be fine.
  Incidentally, most +"ordinary users"+ (like me) do not use this function. I am curious as to why you want to jump through hoops in your Mail application.
  Barry

• RV120W- How to create new unique self-signed certificate?

  Hello,
  how to create new unique self-signed certificate on RV120W? I can create request for singning by external CA, but I cannot create new unique self-signed certificate itself. Any idea? Did I miss something? Many thanks!
  Abudef

  So basically RV120W does not support self-signed certificate? It only allows to generate private key and certificate signin request. There is no chance to replace default generic ssl/vpn certifice within router itself? Could you please give me an advice, how to sign that request by some "CA"? I mean no commercial CA, I need something free running under Windows os. Many thanks!

• How to access Flash Apps over https with a self signed certificate?

  I have a Flex app that needs to access data from a SOAP web service over https with a self signed certificate. The app needs to ignore the https warnings, just as a browser would warn & allow the user to proceed. Buying a valid signed certificate is not an option for us.
  It works fine over http.
  How can I achieve this?
  I read that URLRequest has a property: authenticate, that I can set to false. However, this property is available only for Adobe AIR applications from what I can see. This doesn't seem available for Flex apps.
  I have tried this in both Flex 3 & the latest Flash Builder 4. Have the same issue in both cases.
  Help appreciated.
  Thanks

  You'd really need to ask in the Flex or Flash Builder forums as this is a front end code modification and Flash Player can't do any of that.

• How to use self-signed Certificate or No-Check-Certificate in Browser ?

  Folks,
  Hello. I am running Oracle Database 11gR1 with Operaing System Oracle Linux 5. But Enterprise Manager Console cannot display in Browser. I do it in this way:
  [user@localhost bin]$ ./emctl start dbconsole
  The command returns the output:
  https://localhost.localdomain:1158/em/console/aboutApplication
  Starting Oracle Enterprise Manager 11g Database Control ... ...
  I open the link https://localhost.localdomain:1158/em/console/aboutApplication in browser, this message comes up:
  The connection to localhost.localdomain: 1158 cannot be established.
  [user@localhost bin]$ ./emctl status dbconsole
  The command returns this message: not running.
  [user@localhost bin]$ wget https://localhost.localdomain:1158/em
  The command returns the output:
  10:48:08 https://localhost.localdomain:1158/em
  Resolving localhost.localdomain... 127.0.0.1
  Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
  ERROR: cannot verify localhost.localdomain's certificate, issued by `/DC=com/C=US/ST=CA/L=EnterpriseManager on localhost.localdomain/O=EnterpriseManager on localhost.localdomain/OU=EnterpriseManager on localhost.localdomain/CN=localhost.localdomain/[email protected]':
  Self-signed certificate encountered.
  To connect to localhost.localdomain insecurely, use `--no-check-certificate'.
  Unable to establish SSL connection.
  A long time ago when I installed Database Server Oracle 11gR1 into my computer, https://localhost.localdomain:1158/em in Browser comes up this message:
  Website certified by an Unknown Authority. Examine Certificate...
  I select Accept this certificate permanently. Then https://localhost.localdomain:1158/em/console/logon/logon in Browser displays successfully.
  But after shut down Operating System Oracle Linux 5 and reopen the OS, https://localhost.localdomain:1158/em/console/logon/logon in Browser returns a blank screen with nothing, and no more message comes up to accept Certificate.
  My browser Mozilla Firefox, dbconsole, and Database Server 11gR1 are in the same physical machine.I have checked Mozilla Firefox in the following way:
  Edit Menu > Preferences > Advanced > Security > View Certificates > Certificate Manager > Web Sites and Authorities
  In web sites tab, there is only one Certificate Name: Enterprise Manager on localhost.localdomain
  In Authorities tab, there are a few names as indicated in the above output of wget.
  My question is: How to use self-signed certificate and no-check-certificate in Mozilla Firefox for EM console to display ?
  Thanks.

  Neither problem nor solution do involve Oracle DB
  root cause of problem & fix is 100% external, detached, & isolated from Oracle DB.
  This thread is OFF TOPIC for this forum.

• How to sign iPhone application using developer certificates

  Hello,
  will anyone tell me that how to sign the iPhone application using developer certificate and one more thing that how will i get the developer certificate.
  Thanks

  ya i got the solution, just go through the following link...
  you will also know how we do that..
  http://developer.apple.com/iphone/library/documentation/Xcode/Conceptual/iphonedevelopment/120-Running_Applications/runningapplications.html
  http://developer.apple.com/iphone/library/documentation/Xcode/Conceptual/iphonedevelopment/128-Managing_Devices/devices.html#//appleref/doc/uid/TP40007959-CH4-SW38

• How to import the self-signed certificate in runtime

  HI.
  I work to connect between JSSE client and OpenSSL server with self-signed certificate.
  But I met the SSLSocketException during handshaking.
  Many Solutions registered in this page.
  But their are all using keytool.
  My application connect many site support the self-signed certificate.
  So, I want to import the certificate in run time.
  How Can I do??
  Please, answer me..
  Thanks,

  did you figure this out??? I need to know how to accept a self-signed certificate, otherwise it's this exception...
  D:\javatools\apis\jsse1.0.2\samples\urls>java -cp jcert.jar;jnet.jar;jsse.jar;. URLReader
  Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
  at java.io.OutputStream.write(OutputStream.java:61)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-12019
  8])
  at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120
  198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V
  1.2-120198])
  at java.net.URL.openStream(URL.java:798)
  at URLReader.main(URLReader.java:46)

• Creating a self signed certificate - how do you set the 'storepass'

  Hi, I'm trying to use the ADT to create an AIR 2.7 file, but it's the first time i've used the command line tool to build one and am having problems understanding the signing process.
  I can generate a cert.p12 keystore file from within the flash IDE, and this asks for a password for the file (-storepass)
  I can also use ADT to create a self-signed certificate from the command line, here you can specify the -keystore (cert location) and -keypass (password for the key in the store)
  I cannot find a way of generating a self-signed certificate where you can specify both passwords though, one for the store (-storepass) and one for the key (-keypass).
  This is a problem because when i go to package my AIR file using ADT it needs both passwords -storepass and -keypass before it can publish it.
  Does anyone know how to generate a self-signed .p12 certificate and have control over both the keys...?
  I have spent hours playing and searching now so may have the wrong end of the stick, could do with some help getting past this issue.
  Thanks
  Sean

  There is only one password is required to package for ipa as far I know
  Sample command:
  C:\AdobeAIRSDK\bin\adt.bat -package -target ipa-test -storetype pkcs12 -keystore [KEYFILE].p12 -storepass [KEY PASSWORD] -provisioning-profile [MOBILE PROVISION FILE].mobileprovision [IPA NAME].ipa [XML FILE NAME].xml [SWF FILE NAME].swf Icon_29.png Icon_48.png Icon_57.png Icon_72.png Icon_512.png Default-Landscape.png Default-Portrait.png Default-PortraitUpsideDown.png Default-PortraitLandscapeLeft.png Default-PortraitLandscapeRight.png

• Is there a way to automate the installation/importing of a certificate. I know how to import on manually, but I need a way to import one via a script. How can I do this?

  I am looking for a way to import a certificate into FireFox 4.0.1 on XP. I know how to import them manually under tools>options, but I need a way to script the import process using something like a certutil for FF. Has anyone done this before? I need to hit several hundred workstations. Thanks for your time, suggestions and assistance.

  Thank you, that was perfect!
  Yoni

• How to sign a java applet using iPlanet SSL certificate?

  Dear all,
  I have a IPlanet web server with SSL installed,
  can I use the SSL certificate to sign my java applet which will run on the server? how to sign a java applet in this scenario? somebody please help me! thanks!
  yours sincerely
  dashel

  Why can't you create jar files?