Keytool seems to generate private key outside of HSM

I am investigating integration with LunaSA (Safenet HSM) and JDK.
LunaSA rejects key generation through JDK PKCS#11 wrapper.
When I execute the "keytool" command, the PKCS#11 wrapper seems to generate the
private key outside of the HSM.
Actually, the PKCS#11 log shows the private key object like this:
14:10:12 01868-3212:STRTCreateObject {Sesn=1 AttrList={CKA_SENSITIVE="01"
CKA_EXTRACTABLE="00" CKA_DECRYPT="01" CKA_SIGN="01" CKA_UNWRAP="01"
CKA_TOKEN="01" CKA_CLASS="03000000" CKA_PRIVATE="01" CKA_KEY_TYPE="00000000"
CKA_ID="iText"
CKA_MODULUS="866b89f28013b0dd1217189a1f1adea2c23d3d20c0ee11b3360b2988869a8d1
ccbead99f7d8111eea74ff7791196c1173ed732cadce517381163c5320af4486a3bd174cd581
645eb2b39e4fe2d9aa92c7723303271e9e27ef2f994e668be0bd1d8fd3fda7cbe654e7934553
4493c58a032c558a3a49e771b1c72c8d01e4adb6e09c17d2816a1f2ea054f074d63e6961b477
4d60ed23995a596d102e24f65c7c29593b3c1e5536083b6023e97a1181d8466796e72debea5f
19150d3b933629579fc3f3588843455d6b16db17f6e40dc7e69f0fdd3bee9d3acace845d075f
1df72704c4a8169d6802e289ed5b15597b0bccd63e83f725a2d3d4c0319880de7b319"
CKA_PRIVATE_EXPONENT="6a82617ee61f3420278a67730fbc81b6a38454a0545f0f655a2844
13aadc617df4d234f81c411e4d6503870ac67616afed9a24e3fb5e0724e51a921111fef8363d
09bdac4be4f227e24b70783af8769e0614bac6edde2e1afb39e9d31c21a249f7cecb3ebb633d
f08d377b5fffbbb259d580ebb856e33d6b1d0292bddd92e104cc5465def444f28ff1e28512ba
2429ebc7a350b78f54cafad66cb60a608c752fd566454a5a1b7eb4d530d80587220fe7cc8915
66bd7d2bbf74ab93d4e4a42468513426c59e65963a001bfa85ff533c266f625203550f8e4b0b
1030f3503b46b1412910464aa5fbccf256f320801d31528275d2e4f43dc43207d759f32a0070
51" CKA_PUBLIC_EXPONENT="010001"
CKA_PRIME_1="c63c1c1fb8e34cf9139887e237282c3c6aa506b91ea977526b6a86836653334
26529637223b3f73376c6fed5d19b58596e035bc8207c1b4b0fc63f9bc5dc8ace695322022d8
dd471b9650a2f4115bf3e1bda5d8ed41bf8417008d0d6093eee6917d94b69cc3eeb82549a448
80dc6ce5fc24c007aaebb5866de0105bb3d57fb5d"
CKA_PRIME_2="ad96fcc0f3c9f177648415f1b68e9faa36e0fe538978742f2a474ff66cd8df8
05bd8ac86850575964a4ba787173e258a96414df7ef4706ccb33a8bac3cb2d7f1f56d629fe9d
a7cb915a46ff399aea4e58011674704560e5c4efe62f14766ef240e516fe63823e68cfc936cf
6e1c53ba2461128dce65a3107ecc0688cffa216ed"
CKA_EXPONENT_1="02fe99762936d5ccd56cf2708a60c2fa4eaa1b85e45eaefcc1bea4358bf0
29d010f3251b6e4aa3ab555a00337ead181291c4df3810b58f3bfd0b039ef8c832189822b75a
cd115d6a3260c25ca06111b8807735fe9859abd0613ee0d8badf067ef3eb46665cbd7e95436d
e9271cfe29d3ec7d756c6503537c8a51fda22c750dc9"
CKA_EXPONENT_2="a4285cedbb9e05937aa2ce7dbebe318fae46273ca88c189361cffe767388
c41386c7e89f6dbc33eee4639711d1911bbf6b48668b48e44a31da6c4b199e6d2279d6369345
d6c89f9a0835710955142b2c3d6837da98e728bd72966ecaed5312636e86e4e339c3f98aea70
2063782e24aed8c3f178b4fe25cff0bc2422f2bc3e21"
CKA_COEFFICIENT="6b26b189f84fe75ce38220fa49c5e76ffd9ffabfdc311606dedce7b16e1
0c10f201fb4332f6497a7d26052e9f17b930fd574ae152047fce783516cd5b75b8d8927875b2
2c12393795d4f397d736f1cf6eb81d4e2252a227455f93c1587c6b881837fe9e0cf9dd01a972
6a15830e5bc83e4e0047f3d1d8c3858bfe5adf12834a2" } }
14:10:12 01868-3212:FINICreateObject
***CKR_TEMPLATE_INCONSISTENT***(26328ms) {Obj=0 }
The command I tried is:
C:\Program Files\Java\jdk1.6.0_21\jre\bin>keytool -v -genkey -alias iText -keystore NONE -keyalg RSA -keysize 2048 -dname "CN=test,O=GlobalSign,C=JP" -storetype pkcs11
Is this the specification of keytool?

Well, yes, exporting a PrivateKeyEntry to a PKCS12 keystore does save (or, backup) your keypair as a copy on your disk, and it's quite a standard format. In fact, quite a lot of people get their keypair this way, and they can run -importkeystore to import (for you, restore) it into their JKS keystore.
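What the trace in the question actually shows, as an added example that is not part of the original post: a key generated inside the token comes out of C_GenerateKeyPair, so CKA_PRIVATE_EXPONENT, CKA_PRIME_1 and the other secret components never cross the PKCS#11 boundary; their presence in a C_CreateObject template means the host process already holds the whole private key and is merely asking the HSM to store it. The Python below scans a driver trace for exactly that pattern. The trace text, the function names and the attribute set are my own constructions; the trace lines are shortened copies of the log above with the hex values cut to a few bytes.

```python
"""Flag C_CreateObject calls in a PKCS#11 trace whose template already carries
private-key components (added example, not code from the original post).
The trace text is constructed: a shortened copy of the log above, with the
256-byte hex values cut to 4 bytes and a second, harmless public-key call added."""
import re

# CK_ULONG object class as the trace prints it (little-endian 32-bit hex)
CKO_PRIVATE_KEY_LE = "03000000"

# RSA secret components, plus CKA_VALUE (the private value of DSA/EC keys).
# A key generated inside the token is produced by C_GenerateKeyPair and these
# never cross the PKCS#11 API; seeing them in a C_CreateObject template means
# the host process already holds the private key.
SECRET_COMPONENTS = (
    "CKA_PRIVATE_EXPONENT", "CKA_PRIME_1", "CKA_PRIME_2",
    "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT", "CKA_VALUE",
)

# Constructed trace: first call mirrors the question, second is a public key import.
TRACE = """\
14:10:12 01868-3212:STRTCreateObject {Sesn=1 AttrList={CKA_SENSITIVE="01"
CKA_EXTRACTABLE="00" CKA_TOKEN="01" CKA_CLASS="03000000" CKA_PRIVATE="01"
CKA_KEY_TYPE="00000000" CKA_ID="iText" CKA_MODULUS="866b89f2"
CKA_PRIVATE_EXPONENT="6a82617e" CKA_PUBLIC_EXPONENT="010001"
CKA_PRIME_1="c63c1c1f" CKA_PRIME_2="ad96fcc0" } }
14:10:12 01868-3212:FINICreateObject
***CKR_TEMPLATE_INCONSISTENT***(26328ms) {Obj=0 }
14:10:20 01868-3212:STRTCreateObject {Sesn=1 AttrList={CKA_CLASS="02000000"
CKA_TOKEN="01" CKA_MODULUS="866b89f2" CKA_PUBLIC_EXPONENT="010001" } }
14:10:20 01868-3212:FINICreateObject ***CKR_OK***(12ms) {Obj=7 }
"""

START_RE = re.compile(r"^(\S+)\s+(\S+):STRTCreateObject")
ATTR_RE = re.compile(r'(CKA_[A-Z0-9_]+)="([^"]*)"')
RC_RE = re.compile(r"\*\*\*(CKR_[A-Z_]+)\*\*\*")


def parse_create_object_calls(trace):
    """One dict per C_CreateObject call: start time, attribute template, return code."""
    calls, current = [], None
    for line in trace.splitlines():
        start = START_RE.match(line)
        if start:
            current = {"time": start.group(1), "attrs": {}, "rc": None}
            calls.append(current)
        if current is None:
            continue  # text between calls
        current["attrs"].update(ATTR_RE.findall(line))
        rc = RC_RE.search(line)
        if rc:  # the FINI record's return code closes the call
            current["rc"] = rc.group(1)
            current = None
    return calls


def find_host_generated_private_keys(trace):
    """Return the private-key imports whose template exposes secret components,
    with the key label (CKA_ID), the leaked attributes and the token's verdict."""
    findings = []
    for call in parse_create_object_calls(trace):
        attrs = call["attrs"]
        if attrs.get("CKA_CLASS") != CKO_PRIVATE_KEY_LE:
            continue
        leaked = [a for a in SECRET_COMPONENTS if a in attrs]
        if leaked:
            findings.append({"time": call["time"], "label": attrs.get("CKA_ID", "?"),
                             "leaked": leaked, "rc": call["rc"]})
    return findings


if __name__ == "__main__":
    for f in find_host_generated_private_keys(TRACE):
        print(f"{f['time']} key '{f['label']}' was created on the host: template carries "
              f"{', '.join(f['leaked'])}; token answered {f['rc']}")
```

Whether the token accepts such an import (CKR_OK) or rejects it (CKR_TEMPLATE_INCONSISTENT, as here) does not change the finding: the private key existed in host memory either way.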

Similar Messages

  • SSL & generated private key

    I generated a CSR with the certificate servlet. I modified
    config.xml in order to set the right files:
    <SSL Enabled="true" ListenPort="7002" Name="test2" ServerCertificateChainFileName="config/mydomain/cacrt.pem"
    ServerCertificateFileName="config/mydomain/servercert.pem"
    ServerKeyFileName="config/mydomain/serverkey.der"/>
    The serverkey.der is a copy of the file generated by the
    certificate servlet.
    At startup the following error occurs:
    <30 juil. 01 20:23:26 CEST> <Alert> <WebLogicServer> <Security configuration problem
    with certificate file config/mydomain/serverkey.der, java.io.EOFException>
    java.io.EOFException
    at weblogic.security.Utils.inputByte(Utils.java:133)
    at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1028)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
    at weblogic.Server.main(Server.java:35)
    Moreover, the conversion of the serverkey.der into serverkey.pem
    with openssl gives the following error:
    openssl rsa -in serverkey.der -outform PEM -out serverkey.pem
    read RSA key
    unable to load key
    1276:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib
    .c:662:Expecting: ANY PRIVATE KEY
    and reading the file by the default W2K reader gives an error too.
    Need help!

    Agree with S Guna, the ISP/Certificate Authority won't generate the private key, the request from your Lync server does.  So the private key is already sitting on your Lync 2010 Server.  Once you import the certificate generated by the certificate
    authority, the private key and certificate should be paired and can be assigned to Lync.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Private key

    Hello people,
    I'm creating a program that needs to generate private keys.
    I've found out that Java has built-in libraries that support this, so I've tried:
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(1024);
    KeyPair keypair = keyGen.genKeyPair();
    PrivateKey privateKey = keypair.getPrivate();
    PublicKey publicKey = keypair.getPublic();
    But after I set the privateKey I can't find a way to retrieve the actual numbers used in the private key (probably to prevent attacks...).
    Eventually, all my app really needs is a table of, let's say, 100 private keys (each one as 2 big primes).
    Is it possible for me to use java.security to do that?
    Thanks for your time.

    I still need small ones in the beginning. A modulus of
    the size of 16 DWORDS is too big for me right now; I
    need something like 4.
    I guess I have no escape but to generate them myself,
    the problem is that I probably won't do it
    professionally :(

    Well - nobody will generate 32-bit RSA keys "professionally", because it'd take about 2 CPU minutes to break your keys when they're that small. 512 bits was acceptable in the eighties - current best-practice, IIRC, is 2048 bit keys for anything you're serious about protecting, and 4096-bit keys for anything you want to protect for extended periods of time.
    Grant

  • Private key from RSAKeyValue

    How do I generate a private key in Java from the <RSAKeyValue> generated by .NET? I got the public/private key in the following format.
    <RSAKeyValue>
    <Modulus>abcdyDdNySesa8sWsd8XRG9rFf1av
    hch9BSG+sgCSYumLm5gzeTxrrpSqUf2VYfLp8USqK4uFBX312368wOEfK+C/viScPZn/hKcq
    vFpd/gKyXJ0M6Oxybn7qJNjVjGtemQDJJdvUPNyV1bcTq0Ugw9lM2cDBVzqHjxxzzACJnab=
    </Modulus>
    <Exponent>AQAB</Exponent>
    <P>/UTBBgeTREzfbV9ev1tKwGtFovxi9BiK5
    crZ3Qns3rt+lrd6Xas6tJhAvedGakGP7eeaLHdXZjeXGnqvKzRHw==</P>
    <Q>8FBLHPccdNh//dRF7Uf6weB829bz+G+NvVrKJMcOzUr9QuKcyRqfZTslKiC/aG9p1PoFxWpeyoPFwDrqFzTYhw==</Q>
    <DP>MTvTPU3fnscdFbb3MaG4gzuArbgQNFc722pkgoakfOS9RQgf/VjKXoFllz7
    05d+z6SHvSGemnEcYtNcbscPt4Q==</DP>
    <DQ>0NOVUihSbB8uqe8sVZ11BEEFfyw9eafGrc
    NVYbww2qjNh+/QetlNpfRNiVxHuIMInnBdz31tveHgV/laLqyDxQ==</DQ>
    <InverseQ>X0KxLXzW2glIhkk5lP0OnQVWfTutwo9Qg4DSk/5MtbQMMek8SHju7X9Ae2iL4DDRbWG/5mbrPdQ1yQg+GXCWbw==</InverseQ>
    <D>NCBukE3dm5+xRXEY4qWk3Xe8XFvIHT5vENOzTZE4jz0aBPxzTYLIgbkZP+lXgllc4mricqYSsD3K8vCBMQXEhqHkc6pSiYfesZG3wlujJGRyVoT1pVk5M460RwJfwPsO0TxfYCYU80CIfZNzFIEpGEp6pAUF1TQbnTre11aFjU=</D>
    </RSAKeyValue>
    I was able to generate the public key as below.
    // The sign argument 1 makes the decoded bytes an unsigned (non-negative) integer.
    BigInteger publicExponent = new BigInteger(1, new sun.misc.BASE64Decoder().decodeBuffer("AQAB"));
    RSAPublicKeySpec rsaPublicKeySpec = new RSAPublicKeySpec(modulus, publicExponent);
    But privateKey needs privateExponent:
    RSAPrivateKeySpec rsaPrivateKeySpec = new RSAPrivateKeySpec(modulus, privateExponent);
    How do I get privateExponent from <RSAKeyValue>?
    RSAPrivateCrtKeySpec needs the following parameters. I cannot find where they map in <RSAKeyValue>:
    RSAPrivateCrtKeySpec(BigInteger modulus,
    BigInteger publicExponent,
    BigInteger privateExponent,
    BigInteger primeP,
    BigInteger primeQ,
    BigInteger primeExponentP,
    BigInteger primeExponentQ,
    BigInteger crtCoefficient)
    Thanks,
    DP

    PKCS#1 1.5 definition:
       RSAPrivateKey ::= SEQUENCE {
         version Version,
         modulus INTEGER, -- n
         publicExponent INTEGER, -- e
         privateExponent INTEGER, -- d
         prime1 INTEGER, -- p
         prime2 INTEGER, -- q
         exponent1 INTEGER, -- d mod (p-1)
         exponent2 INTEGER, -- d mod (q-1)
         coefficient INTEGER -- (inverse of q) mod p }
    RSAParameters as documented in the .NET Framework Class Library:
    D Represents the D parameter for the RSA algorithm.
    DP Represents the DP parameter for the RSA algorithm.
    DQ Represents the DQ parameter for the RSA algorithm.
    Exponent Represents the Exponent parameter for the RSA algorithm.
    InverseQ Represents the InverseQ parameter for the RSA algorithm.
    Modulus Represents the Modulus parameter for the RSA algorithm.
    P Represents the P parameter for the RSA algorithm.
    Q Represents the Q parameter for the RSA algorithm.
    The KeySpec (CRT = Chinese Remainder Theorem):
    RSAPrivateCrtKeySpec(BigInteger modulus, 
    BigInteger publicExponent,
    BigInteger privateExponent,
    BigInteger primeP,
    BigInteger primeQ,
    BigInteger primeExponentP,
    BigInteger primeExponentQ,
    BigInteger crtCoefficient)
    So we could try some guessing:
    modulus <- Modulus
    publicExponent <- Exponent
    privateExponent <- D
    primeP <- P
    primeQ <- Q
    primeExponentP <- DP
    primeExponentQ <- DQ
    crtCoefficient <- InverseQ
    Try it and tell me if it worked. Good luck.
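The mapping guessed in the reply can be verified arithmetically instead of by trial: the eight values of a PKCS#1 RSAPrivateKey are tied together by relations (n = p*q, e*d = 1 mod lcm(p-1, q-1), dP = d mod (p-1), and so on), so a wrong assignment fails at least one of them. The Python below, an added example that is not the thread's code, parses an RSAKeyValue (a constructed demo key built from two small primes, not the poster's key), applies the mapping, and checks those relations; it also shows why the Java side needs new BigInteger(1, bytes) for these unsigned values. All function names are mine.

```python
"""Map a .NET <RSAKeyValue> onto the eight RSAPrivateCrtKeySpec arguments and
check the PKCS#1 relations between them (added example, not the thread's code).
The demo key is constructed from two small primes so it runs instantly."""
import base64
import math
import xml.etree.ElementTree as ET


def _int_to_b64(n):
    """Unsigned big-endian bytes, base64-encoded, the way RSAKeyValue stores numbers."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def _b64_to_int(text):
    """Decode an RSAKeyValue element as an unsigned integer; line breaks inside the
    element are dropped. Java's new BigInteger(bytes) would read a leading byte
    >= 0x80 as a sign bit, so the Java equivalent is new BigInteger(1, bytes)."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


# Constructed demo key (two small primes, e = 65537); not a real key.
_P, _Q, _E = 1000000007, 998244353, 65537
_D = pow(_E, -1, math.lcm(_P - 1, _Q - 1))
DEMO_RSAKEYVALUE = (
    "<RSAKeyValue>"
    f"<Modulus>{_int_to_b64(_P * _Q)}</Modulus><Exponent>{_int_to_b64(_E)}</Exponent>"
    f"<P>{_int_to_b64(_P)}</P><Q>{_int_to_b64(_Q)}</Q>"
    f"<DP>{_int_to_b64(_D % (_P - 1))}</DP><DQ>{_int_to_b64(_D % (_Q - 1))}</DQ>"
    f"<InverseQ>{_int_to_b64(pow(_Q, -1, _P))}</InverseQ><D>{_int_to_b64(_D)}</D>"
    "</RSAKeyValue>"
)

# RSAPrivateCrtKeySpec constructor argument -> RSAKeyValue element (the reply's mapping)
CRT_SPEC_MAPPING = {
    "modulus": "Modulus",
    "publicExponent": "Exponent",
    "privateExponent": "D",
    "primeP": "P",
    "primeQ": "Q",
    "primeExponentP": "DP",
    "primeExponentQ": "DQ",
    "crtCoefficient": "InverseQ",
}


def rsakeyvalue_to_crt_spec(xml_text):
    """Return the eight RSAPrivateCrtKeySpec parameters as ints keyed by argument name."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("root element is not <RSAKeyValue>")
    spec = {}
    for param, element in CRT_SPEC_MAPPING.items():
        node = root.find(element)
        if node is None or not node.text:
            # ToXmlString(false) on the .NET side emits only Modulus and Exponent
            raise ValueError(f"<{element}> is missing; this is a public-only RSAKeyValue")
        spec[param] = _b64_to_int(node.text)
    return spec


def crt_spec_is_consistent(spec):
    """True iff the values satisfy the PKCS#1 RSAPrivateKey relations:
    n = p*q, e*d = 1 mod lcm(p-1, q-1), dP = d mod (p-1), dQ = d mod (q-1),
    qInv*q = 1 mod p. A wrong mapping fails at least one of them."""
    n, e, d = spec["modulus"], spec["publicExponent"], spec["privateExponent"]
    p, q = spec["primeP"], spec["primeQ"]
    return (
        p * q == n
        and (e * d) % math.lcm(p - 1, q - 1) == 1
        and spec["primeExponentP"] == d % (p - 1)
        and spec["primeExponentQ"] == d % (q - 1)
        and (spec["crtCoefficient"] * q) % p == 1
    )


def crt_roundtrip(spec, m):
    """Raise m to e mod n, then undo it with the CRT pieces (Garner's recombination,
    the path a CRT private key takes); returns m again for a correct key."""
    c = pow(m, spec["publicExponent"], spec["modulus"])
    m1 = pow(c, spec["primeExponentP"], spec["primeP"])
    m2 = pow(c, spec["primeExponentQ"], spec["primeQ"])
    h = (spec["crtCoefficient"] * (m1 - m2)) % spec["primeP"]
    return m2 + h * spec["primeQ"]


if __name__ == "__main__":
    key = rsakeyvalue_to_crt_spec(DEMO_RSAKEYVALUE)
    print("mapping consistent:", crt_spec_is_consistent(key))
    print("round trip ok:", crt_roundtrip(key, 123456789) == 123456789)
```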

  • Err: The private key material is not exportable outside of the HSM

    Hi,
    I am working on WebLogic 8.1 with SP4, using keytool-generated certificates with a Hardware Security Module (HSM), and have enabled SSL in the WebLogic admin console.
    Now, while starting the server, the following error is displayed:
    <Oct 4, 2005 3:18:44 PM GMT+05:30> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
    <Oct 4, 2005 3:18:44 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000327> <Starting WebLogic Admin Server "ncss" for domain "ncqa">
    <Oct 4, 2005 3:18:49 PM GMT+05:30> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias srinualias from the nCipher.SWorld keystore file E:\bea\user_projects\domains\ncqa\srinu.>
    <Oct 4, 2005 3:18:51 PM GMT+05:30> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias srinualias from the nCipher.SWorldkeystore file E:\bea\user_projects\domains\ncqa\srinu.>
    com.ncipher.provider.nCSecurityException: The private key material is not exportable outside of the HSM
    at com.ncipher.provider.km.KMDSAKey.getParams(KMDSAKey.java:59)
    at com.certicom.tls.interfaceimpl.CertificateSupport.CheckIfKeyMatch(Unknown Source)
    at com.bea.sslplus.CerticomSSLContext.doKeysMatch(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.doKeysMatch(SSLContextWrapper.java:93)
    at weblogic.t3.srvr.SSLListenThread.checkIdentity(SSLListenThread.java:323)
    at weblogic.t3.srvr.SSLListenThread.initSSLContext(SSLListenThread.java:169)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:140)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:126)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1637)
    at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:1009)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:361)
    at weblogic.Server.main(Server.java:32)
    <Oct 4, 2005 3:18:52 PM GMT+05:30> <Warning> <Security> <BEA-090552> <The public and private key could not be checked for consistency.>
    <Oct 4, 2005 3:18:52 PM GMT+05:30> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the nCipher.SWorld keystore file E:\bea\user_projects\domains\ncqa\srinu.>
    <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "ncss" for domain "ncqa" running in Development Mode>
    <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
    <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
    <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*>
    Please let me know if any clues.
    thanks
    Ceenu

    This is just a warning to let you know that the server was not able to verify whether the private key matches your public key, because it could not get the key from HSM. This is normal. SSL should still work.
    Pavel.

  • Generate public private keys inside smart card

    Dear all,
    I am using this code to generate a public and private key inside the smart card.
    KeyPair kp = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_512);
    kp.genKeyPair();
    PrivateKey prikey = kp.getPrivate();
    PublicKey pubkey = kp.getPublic();
    This code is executing without errors.
    I need to get the public key out of the smart card, so I need to get the public key into a byte array.
    But I can't get those keys into a plain byte array.
    The only methods available on the pubkey object are:
    pubkey.clearKey();
    pubkey.equals(obj);
    pubkey.getSize();
    pubkey.getType();
    pubkey.isInitialized();
    I am using
    Eclipse Version: 3.4.1 (Compiler compliance level = 1.4)
    Jcop plugin (to communicate with the actual card and to test the java code in virtual card provided by JCOP)
    OmniKey5321 card reader (In contactless type)
    What is the reason I get only those methods on the pubkey object? Is it a version problem?
    How can I get the public key into a plain byte array? Is it possible?
    If it is not possible, is there a way to get the public key as an exported certificate or some other solution?
    If my scenario is not a possible strategy, how can I use public/private keys to send specific data to the applet? Is there a better way to do this?
    Edited by: 863766 on Jun 6, 2011 12:16 AM

    Thank you very much!
    I used this code
    RandomData rand = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
    short lenBytes = (short) (KeyBuilder.LENGTH_DES / 8);
    byte[] buffer = JCSystem.makeTransientByteArray(lenBytes, JCSystem.CLEAR_ON_DESELECT);
    DESKey key = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES, false);
    rand.generateData(buffer, (short) 0, lenBytes);
    key.setKey(buffer, (short) 0);
    byte[] keyData = new byte[256];
    key.getKey(keyData, (short) 0);
    Now I know how to initialize the key...
    Thank you again.
    Regards,
    Dushantha
    Edited by: 863766 on Jun 6, 2011 3:52 AM

  • Certificate Assistant Generates its own private key each time

    Here's the problem:
    1 create a certificate authority... ok.
    2.generate a certificate request from that certificate authority... ok... (DONE ON ANOTHER MAC like my laptop...)
    3.Send the certificate request to the certificate authority email ok...
    4. Receive the certificate request ok... (received on the main desktop machine)
    5. Double click on the certificate request... ok it launches the certificate assistant.... and it generates a certificate and mails it back to the other account.
    All appears fine.....
    EXCEPT that the certificate when imported does not work.... WHY?
    WELL
    Because a new private key was generated and used instead of simply signing the request....
    If of course you send the new public key and the certificate back to the laptop all is well...
    But this is NOT how it is supposed to work.
    If you get a certificate request you're not supposed to generate a new key pair at the Certificate Authority!!! You're just supposed to sign the request,
    generate the certificate with the given public key and be done with it... but no!!! OS X Lion insists on generating a new key pair itself first!!!!
    Any help here?
    Steve

    Isn’t that special? I thought so… drove me crazy until I found a workaround. When the CA generates a signed certificate from the CSR, they need to be mindful of whether their Certificate Assistant generates these spurious keys. If it does:
    Delete the spurious user keys and user certificate from the CA’s default (usually: login) keychain. Note that in some cases there will not be a user certificate, if Certificate Assistant presented the duplicate certificate in keychain error. Be sure to check carefully!
    If Certificate Assistant made it far enough to create the outgoing email message with the defective certificate, delete this message draft.
    Re-run the CSR your user sent in, as if you were doing so for the first time.
    In my testing, this workaround works 100% of the time: the second time the CSR runs on the CA’s system, the CA’s Certificate Assistant properly signs the user’s certificate and does not make any spurious keys on the CA’s system.
    BTW I have seen this happen with Certificate Assistant 2.0/10.5.8 Leopard, CA 3.0/10.6.8 Snow Leopard, and CA 4.4/10.7.5 Lion. I have not yet seen it with CA 5.0/10.8.3 Mountain Lion, though given the intermittent nature of this bug, my confidence is low that it is truly fixed.
    I’ve spent the last few years spending waaaaaaay too much time testing and documenting Apple’s OS X and Mail S/MIME implementation, and recently put up web pages with my findings, including this workaround. Hopefully the information will help some folks.
    ))Sonic((

  • Private key import via ImportPrivateKey

    I used the Certificate web app included with WLS 7.0 SP1 to generate my private
    key and my CSR. I then used the CSR to request a certificate from my Dept. of
    Defense Certificate Authority. I received my certificate. I then tried to use
    the WLS ImportPrivateKey utility to import my key with the following steps as
    shown in the ImportPrivateKey reference example.
    1) I used keytool -printcert to verify the contents of my servercert.pem file
    and my CAcert.pem file.
    2) I combined the certificate returned for my server with the CA's root certificate
    cat servercert.pem CAcert.pem > combined.pem
    3) I converted my private key file produced by the Certificate web app to pem
    format using the WLS der2pem utility
    4) I ran the Import utility
    java utils.ImportPrivateKey serverkey.jks store_pwd key_alias key_pwd combined.pem
    server_private_key.pem.
    I received the following error.
    ImportPrivateKey will create serverkey.jks
    ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
    ASN.1 tag
    java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
    at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
    Source)
    at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
    Source)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
    at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
    Does anyone have an idea where I went wrong? Can anyone offer an explanation?
    Thanks

  • SSL CertGen & Private key import errors - 7.0

    I am trying to install weblogic generated ssl certificate and because the private
    key needs to be encrypted with a password, i am loading this in a new JDK keystore
    and trying to configure WL.
    I am running utils.CertGen from weblogic 7.0 sp3 on XP.
    X:\SSLTest>java utils.CertGen testpassword testcert testkey
    Creating Domestic Key Strength - 1024
    ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
    Encoding
    Created Private Key files - testkey.der and testkey.pem
    com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
    to encode X500Name.
    at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
    at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
    at utils.CertGen.createCertificateRequest(CertGen.java:312)
    at utils.CertGen.processCommand(CertGen.java:185)
    at utils.CertGen.main(CertGen.java:170)
    com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
    to encode X500Name.
    at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
    at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
    at utils.CertGen.createCertificateRequest(CertGen.java:312)
    at utils.CertGen.processCommand(CertGen.java:185)
    at utils.CertGen.main(CertGen.java:170)
    I went ahead and ran the same CertGen on unix and got the certificate file and
    the key file
    to my box to check to see if i can install it. I created a new keystore with keytool,
    loaded the private key with the alias and the password phrase, made this key store
    the default keystore, supplied the management password, changed the files to read
    the new cert file and key file.
    Attached is the log for the SSL debug.
    Do i need to import the private key stored in the JDK for weblogic ? I tried doing
    that by running.
    X:\>java utils.ImportPrivateKey X:\bea\user_projects\mydomain\mystore.jks mypass
    myalias pvtPasswd X:\bea\user_projects\mydomain\localcert.pem X:\bea\user_projects\mydomain\localkey.pem
    ImportPrivateKey will use existing X:\bea\user_projects\mydomain\mystore.jks
    ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
    ASN.1 tag
    java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
    at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
    Source)
    at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
    Source)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
    at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
    X:\>
    Attached log is SSL debug enabled and it cant see the private key.
    Any help is appreciated.
    thanks,
    mallik
    [ssldebuglog.txt]

    "Mallik" <[email protected]> wrote in message
    news:3f3274e9$[email protected]..
    >
    I am trying to install weblogic generated ssl certificate and because the private
    key needs to be encrypted with a password, i am loading this in a new JDK keystore
    and trying to configure WL.
    I am running utils.CertGen from weblogic 7.0 sp3 on XP.
    X:\SSLTest>java utils.CertGen testpassword testcert testkey
    Creating Domestic Key Strength - 1024
    ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
    Encoding
    Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
    in hostnames.

  • Certificate [Thumbprint SOME THUMBPRINT] issued to 'CLientMachineName' doesn't have private key or caller doesn't have access to private key.

    Hi, we are trying to get a client to communicate with the primary Config Manager Site System (MP/DP).
    We have a Config Manager Client Template that was setup using this guide. 
    http://technet.microsoft.com/en-us/library/gg682023.aspx
    We have a Client Cert on the primary site system server (primary config manager server)  based on this template and it meets the requirements specified in this document
    http://technet.microsoft.com/en-us/library/gg699362.aspx
    • Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
    • Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.
    • SHA-1 and SHA-2 hash algorithms are supported.
    • Maximum supported key length is 2048 bits.
    The Cert that we generated for the client meets the same requirements and shows the exact same template id but has a different subject name and alternate name (which is the clients machine name).
    With this setup, we still get the following error
    Certificate [Thumbprint  SOME THUMBPRINT] issued to 'CLientMachineName' doesn't have private key or caller doesn't have access to private key.
    Both the site system and client have the same trusted root cert installed.
    What are we missing or what can we check? Does the cert check process only need the client certs on both the site system and the client to be from the same template?
    Here is a snippet of the clientidmanagerstartup.log
    <![LOG[HTTPS is enforced for Client. The current state is 63.]LOG]!><time="15:02:32.057+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmutillib.cpp:395">
    <![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time="15:02:32.058+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716"
    file="ccmcert.cpp:3833">
    <![LOG[Certificate Issuer 1 [CN=THE_NAME_OFTHE_CA; DC=DOMAIN; DC=LOCAL]]LOG]!><time="15:02:32.058+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716"
    file="ccmcert.cpp:3849">
    <![LOG[Based on Certificate Issuer 'THE_NAME_OFTHE_CA' found Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.082+300" date="03-12-2014" component="ClientIDManagerStartup"
    context="" type="1" thread="716" file="ccmcert.cpp:3931">
    <![LOG[Begin validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.082+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1"
    thread="716" file="ccmcert.cpp:1245">
    <![LOG[Completed validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1"
    thread="716" file="ccmcert.cpp:1386">
    <![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716"
    file="ccmcert.cpp:3992">
    <![LOG[Begin to select client certificate]LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:4073">
    <![LOG[Begin validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1"
    thread="716" file="ccmcert.cpp:1245">
    <![LOG[Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME' doesn't have private key or caller doesn't have access to private key.]LOG]!><time="15:02:32.086+300" date="03-12-2014" component="ClientIDManagerStartup"
    context="" type="2" thread="716" file="ccmcert.cpp:1372">
    <![LOG[Completed validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.086+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1"
    thread="716" file="ccmcert.cpp:1386">
    <![LOG[Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
        ClientID = "GUID:GUID";
        DateTime = "20140312200232.090000+000";
        HRESULT = "0x87d00283";
        ProcessID = 6380;
        ThreadID = 716;
    ]LOG]!><time="15:02:32.090+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="event.cpp:706">
    <![LOG[Failed to submit event to the Status Agent. Attempting to create pending event.]LOG]!><time="15:02:32.092+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="2" thread="716"
    file="event.cpp:728">
    <![LOG[Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
        ClientID = "GUID:GUID";
        DateTime = "20140312200232.090000+000";
        HRESULT = "0x87d00283";
        ProcessID = 6380;
        ThreadID = 716;
    ]LOG]!><time="15:02:32.092+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="event.cpp:761">
    <![LOG[Unable to find PKI Certificate matching SCCM certificate selection criteria. 0x87d00283]
    Thanks Lance

    Hi,
    It seems that there is something wrong with your PKI system.
    Here are some steps for your reference.
    SCCM 2012: Part II – Certificate Configuration
    http://gabrielbeaver.me/2012/08/sccm-2012-part-ii-certificate-configuration/
    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • How to find programatically the length of a private key?

    Hello,
    I generate a keystore and a private key in it with the command:
    keytool -genkey -v -alias myPrivKey -keyalg RSA -keysize 4096
    I then can access the private key with the following code:
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    InputStream is = new FileInputStream("/path/to/keystore");
    ks.load(is, keyStorePassword); // the keystore password belongs to load(), not to FileInputStream
    KeyStore.PasswordProtection protParam = new KeyStore.PasswordProtection(privKeyPassword);
    KeyStore.PrivateKeyEntry privKeyEntry = (KeyStore.PrivateKeyEntry) ks.getEntry("myPrivKey", protParam);
    PrivateKey privKey = privKeyEntry.getPrivateKey();
    How can I get the length of the private key using the PrivateKey privKey object in my code? In this case I know it is 4096, but how can I find the lengths of arbitrary RSA private keys?
    Thank you very much for your answers in advance.
    Regards
    Rambius

    RSAPrivateKey privKey = (RSAPrivateKey)privKeyEntry.getPrivateKey();
    BigInteger modulus = privKey.getModulus();
    int length = modulus.bitLength(); // See the Javadoc for details
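    The answer above covers software RSA keys. The following is an added example (not code from the thread) that generalizes it to DSA and EC keys and, for a keystore entry, measures the certificate's public key instead of the private key. That last point matters for HSM-backed keys like the LunaSA case at the top of this page: the SunPKCS11 provider may hand back an opaque key object for a sensitive, non-extractable private key, in which case the RSAPrivateKey cast throws ClassCastException, whereas the public key in the entry's certificate always exposes its modulus. The key pairs below are generated in memory purely so the example runs stand-alone.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.security.spec.ECGenParameterSpec;

/** Added example: nominal key size of arbitrary RSA, DSA and EC keys. */
public class KeyLengthExample {

    /**
     * RSAKey, DSAKey and ECKey are the interfaces implemented by both halves of a
     * key pair, so the same code serves a PublicKey and a software PrivateKey.
     */
    public static int keyLengthBits(Key key) {
        if (key instanceof RSAKey) {
            // RSA generators set the top bit of the modulus, so bitLength() equals the key size.
            return ((RSAKey) key).getModulus().bitLength();
        }
        if (key instanceof DSAKey) {
            return ((DSAKey) key).getParams().getP().bitLength();
        }
        if (key instanceof ECKey) {
            // For EC the conventional "key size" is the bit length of the curve order.
            return ((ECKey) key).getParams().getOrder().bitLength();
        }
        throw new IllegalArgumentException("Unsupported key type: " + key.getAlgorithm());
    }

    /**
     * For keystore entries prefer the certificate's public key: a PKCS#11 private key
     * that is CKA_SENSITIVE / not CKA_EXTRACTABLE may be an opaque object (assumption:
     * depends on JDK version and provider) that does not implement RSAKey at all.
     */
    public static int keyLengthBits(KeyStore.PrivateKeyEntry entry) {
        Certificate cert = entry.getCertificate();
        if (cert != null) {
            return keyLengthBits(cert.getPublicKey());
        }
        return keyLengthBits(entry.getPrivateKey());
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key pairs so the example runs without a keystore file.
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(4096);
        KeyPair rsaPair = rsa.generateKeyPair();

        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair ecPair = ec.generateKeyPair();

        KeyPairGenerator dsa = KeyPairGenerator.getInstance("DSA");
        dsa.initialize(2048);
        KeyPair dsaPair = dsa.generateKeyPair();

        System.out.println("RSA private: " + keyLengthBits(rsaPair.getPrivate()));
        System.out.println("RSA public:  " + keyLengthBits(rsaPair.getPublic()));
        System.out.println("EC:          " + keyLengthBits(ecPair.getPrivate()));
        System.out.println("DSA:         " + keyLengthBits(dsaPair.getPrivate()));
    }
}
```

    To use it with the keystore code from the question, pass privKeyEntry straight to keyLengthBits(entry); the cast to RSAPrivateKey is then never needed.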

  • IPCU (v2.1) - deploying client certificates w/o private keys

    Hi all,
    We're in the process of trialling iPhones with Exchange ActiveSync at work. However, it's been mandated by our security team that we must issue SSL client certificates to the iPhones as part of the deployment (2-factor auth). We then have an ISA server in the DMZ validating these SSL certificates, before taking the user's credentials and authenticating them against Active Directory.
    To that end, I am using the iPhone Configuration Utility to package up a profile for deployment. The ActiveSync payload includes the configuration settings required to connect to Exchange, and I've also associated the SSL client certificate with it. However, when I choose the SSL client cert, it throws up an error if the private keys have not been marked as "exportable".
    The error is: "Certificate exception: Key not valid in specified state". As soon as I generate the client cert, and make the private keys as exportable.... I can associate the client certificate OK using the configuration utility.
    Why do the client keys have to be marked as exportable? This just means that if the phone is jailbroken the keys can be exported and moved to another device - not exactly ideal.
    Does anyone know any specifics around how these client certificates should be generated.... is there a way to avoid having the private keys marked as exportable?
    Regards, James.

    It would seem, according to p.39 of the Enterprise Deployment Guide, this is only necessary on Windows, not on Mac. Just speculating, but maybe this is the only way a third-party app (iPCU) can get what it needs from the Windows Certificate Store?

  • Generate DES key with java card with JCRE 2.1.2

    Hi everyone,
    I want to generate a DES key in my applet. My card supports GP 2.0.1 and JCRE 2.1.2.
    I have tested my applet with JCRE 2.2.1 and used these JCSystem class functions to generate a DES key, and it compiles and works correctly.
    But when I want to compile my applet with JCRE 2.1.2 I receive an error which says that API 2.1.2 doesn't support the JCSystem class.
    So I'll really appreciate it if anyone could tell me how I can generate a DES key with JCRE 2.1.2.
    I also use JCSystem class functions to get my card's persistent and transient memory, so with this class not working on JCRE 2.1.2 I have a problem reading my free memory too.
    So I'll appreciate your help on this matter too.
    Best Regards,
    Vivian

    Hi Vivian,
    I don't seem to have any problem with the code you posted. What is the error you are getting? Is it with the compiler or with the CAP file converter? If it is a compiler error, you will need to ensure that the Java Card API jar is in your build path.
    Here is a simple class that works with JC 2.1.1 (which will work with JC 2.1.2 as well). I have confirmed that this applet compiles and will return encrypted data to the caller.
    package test;
    import javacard.framework.APDU;
    import javacard.framework.Applet;
    import javacard.framework.ISO7816;
    import javacard.framework.ISOException;
    import javacard.framework.JCSystem;
    import javacard.security.DESKey;
    import javacard.security.KeyBuilder;
    import javacard.security.RandomData;
    import javacardx.crypto.Cipher;
    /**
     * Test JC2.1.1 applet for random DES key.
     * @author safarmer - 1.0
     * @created 24/11/2009
     * @version 1.0 %PRT%
     */
    public class TestApplet extends Applet {
        private DESKey key;
        private Cipher cipher;
        /** Default constructor that sets up key and cipher. */
        public TestApplet() {
            RandomData rand = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
            short lenBytes = (short) (KeyBuilder.LENGTH_DES / 8);
            // Transient scratch buffer: the raw key bytes never persist in EEPROM.
            byte[] buffer = JCSystem.makeTransientByteArray(lenBytes, JCSystem.CLEAR_ON_DESELECT);
            key = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES, false);
            rand.generateData(buffer, (short) 0, lenBytes);
            key.setKey(buffer, (short) 0);
            cipher = Cipher.getInstance(Cipher.ALG_DES_CBC_ISO9797_M1, false);
        }
        public static void install(byte[] bArray, short bOffset, byte bLength) {
            // GP-compliant JavaCard applet registration
            new TestApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
        }
        public void process(APDU apdu) {
            // Good practice: Return 9000 on SELECT
            if (selectingApplet()) {
                return;
            }
            byte[] buf = apdu.getBuffer();
            switch (buf[ISO7816.OFFSET_INS]) {
                case (byte) 0x00:
                    // Receive the command data before touching it; the returned length
                    // is already unsigned, unlike the raw Lc byte.
                    short lc = apdu.setIncomingAndReceive();
                    cipher.init(key, Cipher.MODE_ENCRYPT);
                    short len = cipher.doFinal(buf, ISO7816.OFFSET_CDATA, lc, buf, (short) 0);
                    apdu.setOutgoingAndSend((short) 0, len);
                    break;
                default:
                    // good practice: If you don't know the INStruction, say so:
                    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        }
    }
    Cheers,
    Shane

  • 'Error while signing data-Private key or certificate of signer not availabl

    Hello All,
    In my message mapping I need to call a web service to which I need to send a field value consist of SIGNED DATA.
    I am using SAP SSF API to read the certificate stored in NWA and Signing the Data as explained in
    http://help.sap.com/saphelp_nw04/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm,
    When I test using the Test tab of the message mapping it works fine and I am able to access the certificate keystore of NWA (we have created a keystore view and keystore entry to store the certificate) and generate the signed data, but when I test the end-to-end scenario from the ECC system, it fails in the mapping with the error
    'Error while signing data - Private key or certificate of signer not available'.
    Appreciate your expert help to resolve this issue urgently please.
    Regards,
    Shivkumar

    Hi Shivkumar,
    Could you please let me know how you were trying to achieve the XML signature.
    We have a requirement where we have to sign the XML document and need to generate the target document with the following structure:
    <Signature>
      <SignedInfo>
        <CanonicalizationMethod />
        <SignatureMethod />
        <Reference>
          <Transforms />
          <DigestMethod />
          <DigestValue />
        </Reference>
        <Reference /> etc.
      </SignedInfo>
      <SignatureValue />
      <KeyInfo />
      <Object>ACTUAL PAYLOAD</Object>
    </Signature>
    I am analyzing the possibility of using the approach that is given in the help.sap link that you have posted above. Any inputs will be appreciated.
    Thanks and Regards,
    Sami.
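    The structure Sami describes, with the payload carried inside ds:Object and Signature as the root element, is an XML-DSig enveloping signature. The following is an added example, not SAP SSF code and not from either poster: it builds exactly that shape with the JDK's built-in javax.xml.crypto.dsig API, then verifies it against a key the caller already trusts and shows the check failing once the payload is altered. The RSA key pair, the "Order" payload element and its text are constructed here so the example runs stand-alone; in the NWA scenario the signing key would come from the keystore view instead.

```java
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLObject;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Added example: XML-DSig enveloping signature with the payload inside ds:Object. */
public class EnvelopingSignatureExample {
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Wraps a payload element in ds:Object and returns a document whose root is ds:Signature. */
    public static Document sign(String payloadRootName, String payloadText,
                                PrivateKey signingKey, PublicKey publicKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();

        Element payload = doc.createElement(payloadRootName); // constructed sample payload
        payload.setTextContent(payloadText);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // The Reference points at the Object's Id, so the digest covers the payload.
        XMLObject obj = fac.newXMLObject(
                Collections.singletonList(new DOMStructure(payload)), "payload", null, null);
        Reference ref = fac.newReference("#payload", fac.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));

        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyValue kv = kif.newKeyValue(publicKey);
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kv));

        XMLSignature signature = fac.newXMLSignature(si, ki, Collections.singletonList(obj), null, null);
        // Parent is the empty document, so ds:Signature becomes the document element.
        signature.sign(new DOMSignContext(signingKey, doc));
        return doc;
    }

    /** Verifies with a key the caller trusts; the KeyValue carried in the message is deliberately ignored. */
    public static boolean verify(Document signed, PublicKey trustedKey) throws Exception {
        Element sigEl = signed.getDocumentElement();
        if (!"Signature".equals(sigEl.getLocalName()) || !XMLSignature.XMLNS.equals(sigEl.getNamespaceURI())) {
            return false;
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigEl);
        // Rejects dangerous transforms and weak algorithms in attacker-supplied input.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        return signature.validate(ctx);
    }

    public static String toXml(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter sw = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // throwaway signer key
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document signed = sign("Order", "constructed sample payload", kp.getPrivate(), kp.getPublic());
        System.out.println(toXml(signed));
        System.out.println("valid: " + verify(signed, kp.getPublic()));

        // Alter the payload after signing: the Reference digest no longer matches.
        signed.getElementsByTagName("Order").item(0).setTextContent("altered");
        System.out.println("valid after tamper: " + verify(signed, kp.getPublic()));
    }
}
```

    Two design points worth keeping when adapting this: verify against a key or certificate you already hold rather than the KeyInfo embedded in the document (anyone can embed their own KeyValue), and keep secure validation enabled so that XSLT or XPath transforms in a hostile signature are refused.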

  • Reading private key: works in jdk 1.5, but throws exception in 1.4

    Hello,
    I am trying to read an RSA private key from a file. I am using the following code snippet:
    KeySpec spec = new RSAPrivateKeySpec(modulus, pExp);
    KeyFactory factory = KeyFactory.getInstance("RSA");
    PrivateKey key = factory.generatePrivate(spec);
    This runs perfectly fine under jdk 1.5 on keys I generate with OpenSSL. However, if I recompile and run under jdk 1.4, I get the following exception:
    java.security.spec.InvalidKeySpecException: Unknown key spec.
         at com.sun.net.ssl.internal.ssl.JS_KeyFactory.engineGeneratePrivate(DashoA6275)
         at com.sun.net.ssl.internal.ssl.JSA_RSAKeyFactory.engineGeneratePrivate(DashoA6275)
         at java.security.KeyFactory.generatePrivate(KeyFactory.java:237)
    I have also tried using RSAPrivateCrtKeySpec but I get the same error. Can anyone shed some light on what is going on?
    Thank you.

    'Unlimited Strength Jurisdiction Policy Files 1.4' Could be the solution.
    I had a similar problem with java 1.4 and those files do the work.
    ... finally the problem was that the password that protected the keystore had 7 characters; using one of 5 characters works ok...
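    The stack trace in the question shows which KeyFactory actually threw: com.sun.net.ssl.internal.ssl.JS_KeyFactory, the JDK 1.4 JSSE provider's, rather than the SunRsaSign one. When an algorithm name alone is requested, the first provider in the list that advertises "KeyFactory.RSA" wins. The following added example (not the poster's code) rebuilds an RSA private key from RSAPrivateKeySpec while naming the provider explicitly, lists every provider offering an RSA KeyFactory so the ordering can be inspected, and proves the rebuilt key by signing with it and verifying with the original public key. It assumes the SunRsaSign provider is installed, which is the case on Sun, Oracle and OpenJDK runtimes; the key pair and message are generated inline so it runs stand-alone.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.RSAPrivateKeySpec;
import java.util.ArrayList;
import java.util.List;

/** Added example: rebuilding an RSA private key from (n, d) with the provider pinned. */
public class RsaKeySpecExample {

    /** Names of all installed providers that register an RSA KeyFactory, in lookup order. */
    public static List<String> rsaKeyFactoryProviders() {
        List<String> names = new ArrayList<>();
        Provider[] providers = Security.getProviders("KeyFactory.RSA");
        if (providers != null) {
            for (Provider p : providers) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** Rebuilds the private key from modulus and private exponent via SunRsaSign explicitly. */
    public static PrivateKey privateKeyFromComponents(BigInteger modulus, BigInteger privateExponent)
            throws Exception {
        // Naming the provider sidesteps whichever "RSA" KeyFactory happens to come first.
        KeyFactory kf = KeyFactory.getInstance("RSA", "SunRsaSign");
        return kf.generatePrivate(new RSAPrivateKeySpec(modulus, privateExponent));
    }

    /** Signs with the rebuilt key and verifies with the original public key. */
    public static boolean roundTrip(KeyPair original, PrivateKey rebuilt, byte[] message) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(rebuilt);
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(original.getPublic());
        verifier.update(message);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // throwaway key pair
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();

        System.out.println("providers with KeyFactory.RSA: " + rsaKeyFactoryProviders());
        System.out.println("default choice: " + KeyFactory.getInstance("RSA").getProvider().getName());

        PrivateKey rebuilt = privateKeyFromComponents(priv.getModulus(), priv.getPrivateExponent());
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        System.out.println("rebuilt key signs correctly: " + roundTrip(kp, rebuilt, message));
    }
}
```

    A key built from (n, d) only is a non-CRT key: it signs correctly but several times slower than one built from an RSAPrivateCrtKeySpec that also carries p, q and the CRT exponents, which is what OpenSSL-generated keys already contain.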
