Multiple certificate stored in Browser

I run certificate request using https://.../oca/sso_oca_link and also /oca/user.
eg. with these User DN:
=> cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
=> cn=tova,cn=users,dc=subdom,dc=mydomain,dc=com
=> cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
Requesting a certificate several times from the same PC using several user accounts has resulted in multiple certificates stored in the browser.
When I visit my secure web using Internet Explorer 6, a window is raised and lists these
"users"
"users"
"users"
By using Netscape Navigator 7.1: a window appears with a bit more information displayed
"users's myOrganisation"
"users's myOrganisation"
"users's myOrganisation"
and some explanation eg
Issued to:
Subject: CN=ferry, CN=users, DC=subdom, DC=domain, DC=com
Serial Number: 1C
Valid from 23/09/2005 14:53:42 to 23/09/2006 14:53:42
Issued by:
Subject: CN=MyCcertificate Authority,...
How can I display the USER NAME (according to CN) in the list instead of "users"?
Or is this the expected behaviour?
TIA,
ferry

Ok. I've found the solution.
For reference to all you guys:
ByteArrayInputStream bais = new ByteArrayInputStream( (byte[])attr.get() );
CertificateFactory cf = CertificateFactory.getInstance("X.509");
cert = (X509Certificate)cf.generateCertificate(bais);
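
The subject DN in the question contains two CN components (CN=ferry and CN=users), so anything that displays a single CN has to pick one of them. The following is an added example, not code from the thread: it lists every CN in a subject in order of specificity. The class and method names are illustrative; with a parsed certificate the input would be cert.getSubjectX500Principal().

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class SubjectCommonNames {

    /**
     * Returns every CN value in the subject, most specific first
     * (leftmost in the RFC 2253 string form).
     * For a multi-valued RDN only the first attribute type is checked.
     */
    static List<String> commonNames(X500Principal subject) throws InvalidNameException {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        List<String> cns = new ArrayList<>();
        // LdapName numbers RDNs from right to left, so index 0 is DC=com.
        // Walk from the highest index down to visit the leftmost RDN first.
        for (int i = dn.size() - 1; i >= 0; i--) {
            Rdn rdn = dn.getRdn(i);
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    public static void main(String[] args) throws Exception {
        // Subject string as shown in the Netscape dialog quoted in the question.
        X500Principal subject =
            new X500Principal("CN=ferry, CN=users, DC=subdom, DC=domain, DC=com");

        List<String> cns = commonNames(subject);
        System.out.println("all CNs:           " + cns);
        System.out.println("most specific CN:  " + cns.get(0));
        System.out.println("least specific CN: " + cns.get(cns.size() - 1));
    }
}
```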

Similar Messages

  • Multiple Certificates for the same WLS

    Hi,
    IHAC who asks the following:
    Background
    Bigshop Limited carried out a soft launch of our e-tailing website under the url fonzie.bigshop.com.au
    We have a verisign certificate setup up for 128 bit ssl under the knownname fonzie.bigshop.com.au
    All ssl connections that connect to the site with this url are able to establish an SSL session.
    Current Issue
    Bigshop is now in the process of carrying out the public launch of the website. The public url for the website will be www.bigshop.com.au
    We have generated new public/private key pair and a Certificate Signing Request (CSR) and have ordered a new certificate from verisign
    Could you please advise if it is possible to operate two certificates for the one server. This will allow our www.bigshop.com.au and fonzie.bigshop.com.au url's to operate concurrently and enable both to establish SSL session with valid certificates.
    Is what they want to do possible ?? any suggestions appreciated,
    regards,
         Patrick.

    Did you ever figure out how to use multiple certificates to the same server? I have a need to do this also. Thanks a lot.

    In current versions of weblogic (5.1,6.x,7.0,8.1), you can configure only
    one certificate per server.
    -utpal

  • Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?

    Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?
    Scenario: We have a few legacy certificates based on some legacy templates (2012 R2). Some belong to an old SubCA (2008 R2).
    I can manually export them using certmgr mmc on the local machine to a single .p7b e.g. cert_backupNEW.p7b. But this is not a practical solution for me and I want to achieve this remotely via certutil or some other util that comes with Windows 7 machines.
    I’ve already worked out how to run a certutil command to add the certs back into the store e.g.
    certutil.exe -addstore -f my cert_backupNEW.p7b
    Is there a way to export multiple certs to a single backup cert, or is what I’m trying to do not possible with multiple certs?
    TC

    Something like this:
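    $store = New-Object Security.Cryptography.X509Certificates.X509Store "my","localmachine"
    $store.Open("ReadOnly")
    # Export() returns a byte array; -Encoding Byte writes it as raw bytes instead of one text line per byte
    # (Windows PowerShell; PowerShell 6 and later use -AsByteStream instead)
    Set-Content -Path exportedcerts.pfx -Value $store.Certificates.Export("pfx","password") -Encoding Byte
    $store.Close()
    Note that this command will fail if there are certificates with non-exportable keys. You cannot export certificates with non-exportable keys.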
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com

  • Importing a lot of video clips from a Sony camera to FCE; during the Log and Transfer process, is there a way to add multiple clips to the browser instead of one at a time?

    Importing a lot of video clips from a Sony camera to FCE; during the Log and Transfer process, is there a way to add multiple clips to the browser instead of one at a time?

    Select one and click cmd-A which selects them all.
    Then click the import button if it hasn't started already.

  • Get certificate from the browser

    Hi friends!,
    I am working with an application to get files from the client machine, to sign those files with the client's certificate and send those sign to the server.
    The application gets the client's certificate from a key store, but I want the applet to get the certificate from the browser.
    Is that possible?
    Thanks and sorry for my little English. Greetings from Venezuela.

    If all you're looking for is Client SSL Authentication, then you don't need to access the digital certificates through an applet; just enable ClientAuth on your web-server and let the browser handle it for you. While I haven't tried this with Chrome, Safari or Opera, I know for a fact that this works on Firefox and IE.
    If you're trying to access the digital certificates/keys in the browser-keystore for digitally signing some content that the applet creates, you're going to have far more difficulty. About 10-12 years ago, Netscape provided an API that allowed you to digitally sign text-content through JavaScript. That died a quiet death, I think, since I don't know of anyone who used that capability (outside of test environments).
    Years later, Mozilla added the ability to digitally sign XML content using XForms; there is even an add-on for Thunderbird (which uses the same libraries as Firefox for PKCS work): https://addons.mozilla.org/en-US/thunderbird/addon/4522/.
    However, to the best of my knowledge, the only way you can get an applet to access the browser's keystore today is to have the security policy on the client-machine modified to provide access to the local file-system, and the applet then pretty much deals with the keystore and its objects through JCE.
    But, if I'm reading your post correctly, I think all you're looking for is SSL ClientAuth, for which you don't need to do anything other than enable it on your web-server that hosts the applets, and let the browser do the heavy lifting.
    Arshad Noor
    StrongAuth, Inc.

  • Sharepoint 2010 document library pdf files are storing in browser cache when it is opened in browser

    I have a SharePoint 2010 site which consists of a document library with PDF files. If we click on a PDF file it will open in the browser. But the thing is it is stored in the browser cache, so I need to restrict that PDF to not be stored in the browser cache.
    Any suggestions please

    Hi,
    We can use a jQuery plugin to open the PDF file in the browser.
    The following link for your reference:
    http://www.jqueryrain.com/2012/09/best-jquery-pdf-viewer-plugin-examples/
    Best Regards
    TechNet Community Support

  • Button links open in multiple tabs in my browser but links open same tab on co-worker's pc?

    Mac OSX 10 .7.4 / Indesign CS 5.5
    Exported inDesign to interactive pdf, button links are able to open in multiple tabs in my browser which is what I want, but on my co-workers windows PC, the same links open within that same tab? 

    Which browser? Try configuring the browser as in this

  • Problem using SmartCard with 2 Certificates stored and SunPKCS11

    Hi,
    I'm trying to access one SmartCard token in Java 1.5 using SunPKCS11 provider for crypt, decrypt and digital signature operations.
    I have 2 certificates stored on Token:
    - CertA;
    - CertB.
    There are also 2 PIN:
    - PIN1;
    - PIN2.
    I use:
    - PIN1 for logging into the token;
    - PIN1 for operation involving CertA;
    - PIN2 for operation involving CertB;
    There is no problem logging into the token using Java and, without any trouble, I can read certificates and key from the cryptographic card.
    There is no problem using CertA for all my operations, but every attempt to use the Private Key of CertB (for the same operations) returns with an Exception:
    java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
    Here is an extract of my source code.
    import java.io.BufferedInputStream;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Provider;
    import java.security.PublicKey;
    import java.security.Security;
    import java.security.Signature;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;

    // Wrapper class so the extract compiles; the name is a placeholder, the post shows only the two methods.
    public class TokenTest {
      public void loginToken() {
        // Path of the SunPKCS11 configuration file
        Provider UserProvider = new sun.security.pkcs11.SunPKCS11("C:\\pkcs11.cfg");
        Security.addProvider(UserProvider);
        try {
          KeyStore ks = null;
          X509Certificate UserCert = null;
          PrivateKey UserCertPrivKey = null;
          PublicKey UserCertPubKey = null;
          //PIN
          char PIN1[] = "11111".toCharArray();
          char PIN2[] = "22222".toCharArray();
          //logging into token
          ks = KeyStore.getInstance("PKCS11", UserProvider);
          ks.load(null, PIN1);
          //enumeration alias
          String alias = "";
          Enumeration e = ks.aliases();
          while (e.hasMoreElements()) {
            alias = (String) e.nextElement();
            //Certificate
            UserCert = (X509Certificate) ks.getCertificate(alias);
            //PublicKey
            UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
            if (alias.compareToIgnoreCase("Cert1") == 0) {
              //PrivateKey reference
              UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN1);
            } else if (alias.compareToIgnoreCase("Cert2") == 0) {
              //PrivateKey reference
              UserCertPrivKey = (PrivateKey) ks.getKey(alias, PIN2);
            } else {
              System.out.println("ALIAS UNKNOW");
              System.exit(1);
            }
            //Signature Test (MakeSign returns true on success)
            if (MakeSign(UserCertPrivKey, UserProvider))
              System.out.println(" *** SIGNATURE OK *** ");
            else
              System.out.println(" *** SIGNATURE KO *** ");
          }
        }
        catch (Exception ex) {
          System.out.println("ERROR: " + ex);
        }
      }

      public boolean MakeSign(PrivateKey PrivKey, Provider p) {
        try {
          //File I/O
          FileInputStream txtfis = new FileInputStream("C:\\Test.txt");
          FileOutputStream sigfos = new FileOutputStream("C:\\Test_Signature.txt");
          //Signature Obj init
          Signature dsa = Signature.getInstance("SHA1withRSA", p.getName());
          dsa.initSign(PrivKey);
          //Update data
          BufferedInputStream bufin = new BufferedInputStream(txtfis);
          byte[] buffer = new byte[1024];
          int len;
          while (bufin.available() != 0) {
            len = bufin.read(buffer);
            dsa.update(buffer, 0, len);
          }
          bufin.close();
          //Make signature
          byte[] realSig = dsa.sign();
          //save signature on file
          sigfos.write(realSig);
          sigfos.close();
          return true;
        }
        catch (Exception ex) {
          System.out.println("ERROR: " + ex);
          return false;
        }
      }
    }
    Any help would be grateful...
    Thanks in advance.
    P.S. Sorry for my English

    This is the same as my initial problem.
    I resolved it using IAIK-PKCS#11Wrapper (it is FREE) instead of sun.security.pkcs11.SunPKCS11.
    You can find it here:
    http://jce.iaik.tugraz.at/sic/products/core_crypto_toolkits/pkcs_11_wrapper
    Here is an example of code.
    The main class:
    import iaik.pkcs.pkcs11.Module;
    import iaik.pkcs.pkcs11.DefaultInitializeArgs;
    import java.util.Hashtable;
    import iaik.pkcs.pkcs11.Token;
    import iaik.pkcs.pkcs11.Slot;
    import iaik.pkcs.pkcs11.Session;
    import iaik.pkcs.pkcs11.objects.RSAPrivateKey;
    import java.util.Vector;
    import iaik.pkcs.pkcs11.objects.PrivateKey;
    import iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate;
    import java.util.Enumeration;
    import iaik.pkcs.pkcs11.objects.Key;
    import java.security.cert.CertificateFactory;
    import java.io.ByteArrayInputStream;
    import iaik.pkcs.pkcs11.Mechanism;
    import java.security.Security;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import java.io.File;
    import java.io.FileInputStream;
    import org.bouncycastle.cms.CMSSignedDataGenerator;
    import org.bouncycastle.cms.CMSProcessableByteArray;
    import java.util.ArrayList;
    import java.security.cert.CertStore;
    import java.security.cert.CollectionCertStoreParameters;
    import org.bouncycastle.cms.CMSSignedData;
    import java.io.FileOutputStream;
    import java.security.cert.X509Certificate;
    import iaik.pkcs.pkcs11.TokenInfo;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    public class MakeSignature {
      public static void main(String[] args) {
        String USER_PIN = "12345678";
        String DLL_NAME = "C:\\windows\\system32\\dll_P11_name.dll";
        String OBJ_LABEL1 = "CNS0"; //this is the label of my 1st cert
        String OBJ_LABEL2 = "CNS1"; //this is the label of my 2nd cert
        String INPUT_FILE = "C:\\Temp\\test.txt";
        String OUTPUT_FILE = "C:\\Temp\\test.p7m";
        try {
          // ********** INITIALIZE PKCS#11 MODULE WITH DEFAULT PARAMETERS **********
          Module pkcs11Module = Module.getInstance(DLL_NAME);
          pkcs11Module.initialize(new DefaultInitializeArgs());
          // ********** SELECT TOKEN **********
          Slot[] slotsWithToken = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
          Token[] tokens = new Token[slotsWithToken.length];
          Hashtable tokenIDtoToken = new Hashtable(tokens.length);
          long tokenID = -1;
          Token tokenUsed = null;
          //enum readers
          for (int i = 0; i < slotsWithToken.length; i++) {
            tokens[i] = slotsWithToken[i].getToken();
            tokenID = tokens[i].getTokenID();
            tokenIDtoToken.put(new Long(tokenID), tokens[i]);
            System.out.println("Active tokens:");
            System.out.println("Token ID: " + tokenID);
          }
          if (tokens.length == 0) { //No SC found
            System.out.println("No SC presents");
          }
          else {
            System.out.println("Using token: " + tokens[0].getTokenID());
            tokenUsed = tokens[0];
            //Note: if you have more reader and more SC inserted, you have to write
            //here the code for select the right token
          }
          // ********** OPEN SESSION VS THE TOKEN AND IF REQUIRED SUBMIT PIN **********
          TokenInfo tokenInfo = tokenUsed.getTokenInfo();
          Session session = tokenUsed.openSession(Token.SessionType.SERIAL_SESSION, false, null, null);
          if (tokenInfo.isLoginRequired()) {
            session.login(Session.UserType.USER, USER_PIN.toCharArray());
          }
          // ********** SET SEARCH TEMPLATE FOR THE P11 OBJECT **********
          RSAPrivateKey privateSignatureKeyTemplate = new RSAPrivateKey();
          privateSignatureKeyTemplate.getSign().setBooleanValue(Boolean.TRUE);
          privateSignatureKeyTemplate.getLabel().setCharArrayValue(OBJ_LABEL2.toCharArray());
          // ********** SEARCH P11 OBJECT USING TEMPLATE **********
          Vector keyList = new Vector(4);
          session.findObjectsInit(privateSignatureKeyTemplate);
          Object[] matchingKeys;
          while ( (matchingKeys = session.findObjects(1)).length > 0) {
            keyList.addElement(matchingKeys[0]);
          }
          session.findObjectsFinal();
          //Try to find the corresponding certificates for the signature keys
          Hashtable keyToCertificateTable = new Hashtable(4);
          Enumeration keyListEnumeration = keyList.elements();
          while (keyListEnumeration.hasMoreElements()) {
            PrivateKey signatureKey = (PrivateKey) keyListEnumeration.nextElement();
            byte[] keyID = signatureKey.getId().getByteArrayValue();
            X509PublicKeyCertificate certificateTemplate = new X509PublicKeyCertificate();
            certificateTemplate.getId().setByteArrayValue(keyID);
            session.findObjectsInit(certificateTemplate);
            Object[] correspondingCertificates = session.findObjects(1);
            if (correspondingCertificates.length > 0) {
              keyToCertificateTable.put(signatureKey, correspondingCertificates[0]);
            }
            session.findObjectsFinal();
          }
          //There are three cases now: 1 no obj found; 2 found only one obj, 3 found more obj
          Key selectedKey = null;
          X509PublicKeyCertificate correspondingCertificate = null;
          //no object found for template
          if (keyList.size() == 0) {
            System.out.println("No object found for template");
            throw new Exception("No object found for template");
          }
          //Found only one object
          else if (keyList.size() == 1) {
            selectedKey = (Key) keyList.elementAt(0);
            // create a IAIK JCE certificate from the PKCS11 certificate
            correspondingCertificate = (X509PublicKeyCertificate) keyToCertificateTable.get(selectedKey);
            System.out.println("One object Found");
          }
          //Found more object ... user can select one
          else {
            System.out.println("Many obj found!!!");
            //write here the code for select the right object
          }
          // ********** GET THE OBJECT **********
          RSAPrivateKey signerPriKey = (RSAPrivateKey) selectedKey;
          java.security.cert.CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
          byte[] derEncodedCertificate = correspondingCertificate.getValue().getByteArrayValue();
          //Cast to java.security.cert.X509Certificate
          java.security.cert.X509Certificate signerCert = (java.security.cert.X509Certificate)
              certificateFactory.generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
          // ********** SIGNATURE OPERATION **********
          //Add BouncyCastle as provider
          Security.addProvider(new BouncyCastleProvider());
          //initialize signature operation
          session.signInit(Mechanism.RSA_PKCS, (PrivateKey) signerPriKey);
          //get input data
          File src = new File(INPUT_FILE);
          int sizecontent = ( (int) src.length());
          byte[] contentData = new byte[sizecontent];
          FileInputStream freader = new FileInputStream(src);
          freader.read(contentData, 0, sizecontent);
          freader.close();
          //calculate digest of the input data
          byte[] toEncrypt = buildBits(contentData); //I've already posted the code for this function
          //make signature
          byte[] signature = session.sign(toEncrypt);
          // ********** MAKE P7 WELL FORMAT DOCUMENT **********
          //CMSSignedDataGenerator fact = new CMSSignedDataGenerator();
          Signature2CMSSignedData fact = new Signature2CMSSignedData();
          CMSProcessableByteArray content = new CMSProcessableByteArray(contentData);
          //Creation of BC CertStore
          ArrayList certList = new ArrayList();
          certList.add(signerCert);
          CertStore certs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC");
          //Signature Alg
          String algorithm = CMSSignedDataGenerator.DIGEST_SHA1;
          //add element to P7
          fact.addSignature(signature, signerCert, algorithm);
          fact.addCertificatesAndCRLs(certs);
          //generate enveloped using Bouncycastle provider
          CMSSignedData envdata = fact.generate(PKCSObjectIdentifiers.data.getId(), content, true);
          byte[] enveloped = envdata.getEncoded();
          //Write P7 file
          FileOutputStream efos = new FileOutputStream(OUTPUT_FILE);
          efos.write(enveloped);
          efos.close();
          // ********** END **********
          session.closeSession();
          pkcs11Module.finalize(null);
        }
        catch (Exception ex) {
          ex.printStackTrace();
        }
      }
    }

    Main class uses buildBits function (already posted in this topic) and Signature2CMSSignedData class.

    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.List;
    import java.security.cert.CertStore;
    import java.security.cert.X509CRL;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.asn1.ASN1EncodableVector;
    import org.bouncycastle.asn1.ASN1InputStream;
    import org.bouncycastle.asn1.ASN1OctetString;
    import org.bouncycastle.asn1.ASN1Sequence;
    import org.bouncycastle.asn1.ASN1Set;
    import org.bouncycastle.asn1.BERConstructedOctetString;
    import org.bouncycastle.asn1.DEREncodable;
    import org.bouncycastle.asn1.DERNull;
    import org.bouncycastle.asn1.DERObject;
    import org.bouncycastle.asn1.DERObjectIdentifier;
    import org.bouncycastle.asn1.DEROctetString;
    import org.bouncycastle.asn1.DERSet;
    import org.bouncycastle.asn1.cms.ContentInfo;
    import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
    import org.bouncycastle.asn1.cms.SignedData;
    import org.bouncycastle.asn1.cms.SignerIdentifier;
    import org.bouncycastle.asn1.cms.SignerInfo;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
    import org.bouncycastle.asn1.x509.CertificateList;
    import org.bouncycastle.asn1.x509.TBSCertificateStructure;
    import org.bouncycastle.asn1.x509.X509CertificateStructure;
    import org.bouncycastle.cms.CMSProcessable;
    import org.bouncycastle.cms.CMSSignedData;
    /**
     * class for generating a RSA pkcs7-signature message.
     */
    public class Signature2CMSSignedData {
      CertStore certStore;
      List certs = new ArrayList();
      List crls = new ArrayList();
      List signerInfs = new ArrayList();
      List signers = new ArrayList();
      public static final String DATA = PKCSObjectIdentifiers.data.getId();
      public static final String ENCRYPTION_RSA = "1.2.840.113549.1.1.1";
      private byte[] signatureData = null;
      private X509Certificate cert = null;
      private String digestOID = null;
      private String encOID = null;

      public Signature2CMSSignedData() {
      }

      // Stores a signature value that was already computed (here: on the token)
      public void addSignature(byte[] signatureData, X509Certificate cert, String digestOID) {
        this.signatureData = signatureData;
        this.cert = cert;
        this.digestOID = digestOID;
        this.encOID = ENCRYPTION_RSA;
      }

      public void addCertificatesAndCRLs(CertStore certStore) throws Exception {
        try {
          Iterator it = certStore.getCertificates(null).iterator();
          while (it.hasNext()) {
            X509Certificate c = (X509Certificate) it.next();
            certs.add(new X509CertificateStructure((ASN1Sequence) makeObj(c.getEncoded())));
          }
          Iterator it2 = certStore.getCRLs(null).iterator();
          while (it2.hasNext()) {
            X509CRL c = (X509CRL) it2.next();
            crls.add(new CertificateList((ASN1Sequence) makeObj(c.getEncoded())));
          }
        }
        catch (Exception e) {
          throw new Exception(e.getMessage());
        }
      }

      private DERObject makeObj(byte[] encoding) throws Exception {
        if (encoding == null) {
          return null;
        }
        ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
        ASN1InputStream aIn = new ASN1InputStream(bIn);
        return aIn.readObject();
      }

      public CMSSignedData generate(String signedContentType, CMSProcessable content, boolean encapsulate) throws Exception {
        try {
          ASN1EncodableVector digestAlgs = new ASN1EncodableVector();
          ASN1EncodableVector signerInfos = new ASN1EncodableVector();
          DERObjectIdentifier contentTypeOID = new DERObjectIdentifier(signedContentType);
          // add the SignerInfo objects
          Iterator it = signerInfs.iterator();
          AlgorithmIdentifier digAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(digestOID), new DERNull());
          AlgorithmIdentifier encAlgId;
          encAlgId = new AlgorithmIdentifier(new DERObjectIdentifier(encOID), new DERNull());
          digestAlgs.add(digAlgId);
          ASN1Set signedAttr = null;
          ASN1Set unsignedAttr = null;
          ASN1OctetString encDigest = new DEROctetString(signatureData);
          ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getTBSCertificate());
          ASN1InputStream aIn = new ASN1InputStream(bIn);
          TBSCertificateStructure tbs = TBSCertificateStructure.getInstance(aIn.readObject());
          IssuerAndSerialNumber encSid = new IssuerAndSerialNumber(tbs.getIssuer(), tbs.getSerialNumber().getValue());
          signerInfos.add(new SignerInfo(new SignerIdentifier(encSid), digAlgId, signedAttr, encAlgId, encDigest, unsignedAttr));
          ASN1Set certificates = null;
          if (certs.size() != 0) {
            ASN1EncodableVector v = new ASN1EncodableVector();
            it = certs.iterator();
            while (it.hasNext()) {
              v.add( (DEREncodable) it.next());
            }
            certificates = new DERSet(v);
          }
          ASN1Set certrevlist = null;
          if (crls.size() != 0) {
            ASN1EncodableVector v = new ASN1EncodableVector();
            it = crls.iterator();
            while (it.hasNext()) {
              v.add( (DEREncodable) it.next());
            }
            certrevlist = new DERSet(v);
          }
          ContentInfo encInfo;
          if (encapsulate) {
            ByteArrayOutputStream bOut = new ByteArrayOutputStream();
            content.write(bOut);
            ASN1OctetString octs = new BERConstructedOctetString(bOut.toByteArray());
            encInfo = new ContentInfo(contentTypeOID, octs);
          }
          else {
            encInfo = new ContentInfo(contentTypeOID, null);
          }
          SignedData sd = new SignedData(new DERSet(digestAlgs), encInfo, certificates, certrevlist, new DERSet(signerInfos));
          ContentInfo contentInfo = new ContentInfo(PKCSObjectIdentifiers.signedData, sd);
          return new CMSSignedData(content, contentInfo);
        }
        catch (Exception e) {
          throw new Exception(e.getMessage());
        }
      }
    }

    Bye.
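
Added example, not the poster's buildBits (which is not shown on this page): with Mechanism.RSA_PKCS the token only applies PKCS #1 v1.5 padding, so the bytes handed to session.sign() have to be the DER DigestInfo of the content hash for the result to verify as SHA1withRSA, the algorithm the CMS structure above declares. A software RSA key and NONEwithRSA stand in for the token here; class and method names are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class Sha1DigestInfoDemo {

    // DER header of the PKCS #1 v1.5 DigestInfo for SHA-1:
    // SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
    private static final byte[] SHA1_DIGEST_INFO_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
        0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
    };

    static byte[] sha1(byte[] content) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-1").digest(content);
    }

    /** Hashes the content and wraps the hash in a DigestInfo structure. */
    static byte[] sha1DigestInfo(byte[] content) throws GeneralSecurityException {
        byte[] hash = sha1(content);
        byte[] out = new byte[SHA1_DIGEST_INFO_PREFIX.length + hash.length];
        System.arraycopy(SHA1_DIGEST_INFO_PREFIX, 0, out, 0, SHA1_DIGEST_INFO_PREFIX.length);
        System.arraycopy(hash, 0, out, SHA1_DIGEST_INFO_PREFIX.length, hash.length);
        return out;
    }

    /** Pads and signs the input as given, without hashing it (what a raw RSA PKCS #1 mechanism does). */
    static byte[] padAndSign(PrivateKey key, byte[] input) throws GeneralSecurityException {
        Signature raw = Signature.getInstance("NONEwithRSA");
        raw.initSign(key);
        raw.update(input);
        return raw.sign();
    }

    /** Verifies the way a relying party checking a SHA1withRSA signature over the content would. */
    static boolean verifiesAsSha1WithRsa(PublicKey key, byte[] content, byte[] signature)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(key);
        verifier.update(content);
        try {
            return verifier.verify(signature);
        } catch (SignatureException malformed) {
            // Some JDK versions throw on a malformed DigestInfo instead of returning false.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample content and a throwaway software key (assumptions of this example).
        byte[] content = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();

        // Correct input for a raw mechanism: DigestInfo(SHA-1(content)).
        byte[] good = padAndSign(pair.getPrivate(), sha1DigestInfo(content));
        // Common mistake: signing the bare 20-byte hash without the DigestInfo wrapper.
        byte[] bad = padAndSign(pair.getPrivate(), sha1(content));

        System.out.println("DigestInfo signed, verifies: "
            + verifiesAsSha1WithRsa(pair.getPublic(), content, good));
        System.out.println("bare hash signed, verifies:  "
            + verifiesAsSha1WithRsa(pair.getPublic(), content, bad));
    }
}
```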
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your Windows machines, and use the feature called eap-chaining for that; Windows' own supplicant won't work.
    An example (uses user/pass though, but same concept):
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • KeyStore/ Certificates stored by the JRE Runtime

    Hi!
    I use this code
    KeyStore ks = KeyStore.getInstance("pkcs12");
    ks.load(new FileInputStream("test.p12"), "password".toCharArray());
    to load a certificate for signing a PDF with the help of iText. The code works fine.
    The same certificate was imported via Java Control Panel (Tab Certificates) into the JRE/System.
    Can I access the certificates stored in the JRE/System for signing, instead of loading the certificate directly?
    The Java API for Keystore says:
    Before a keystore can be accessed, it must be LOADED.
    and LOADED is linked to the method ks.load()
    There is no hint for accessing the JRE certificates.
    Peter

    If you have a support or CSI then you can log a bug against them for Oracle to support you.
    Or you can wait for some product manager here to respond to this and they will take it forward from there to resolve the issue by creating internal SR or bug for you.

  • Where is the certificate stored?

    In my jnlp file, I have set
    <security>
    <all-permissions/>
    </security>
    So the first time the user attempts to use the jnlp file, the user is asked if they would like to accept the certificate. After they have done so, where is that certificate stored? In a cacerts file? If so, which one?

    You may get certificates as "EC" (meaning Extension, certificate) or "AC" (meaning Application Certificate).
    Some earlier versions of javaws had a bug where they are always put in as "EC".
    For understanding the cache contents:
    The first letter is taken from the following:
    /** Main type of entries */
    char DIRECTORY_TYPE = 'D'; // Used internally
    char TEMP_TYPE = 'X'; // Used internally
    char VERSION_TYPE = 'V'; // Used internally
    char INDIRECT_TYPE = 'I'; // Used internally
    // Main JNLP types for downloaded resources
    char RESOURCE_TYPE = 'R'; // JAR/CLASS/IMAGE
    char APPLICATION_TYPE = 'A'; // Application-Desc
    char EXTENSION_TYPE = 'E'; // Extension-Desc
    char MUFFIN_TYPE = 'P'; // Muffins! (PersistenceService)
    The second letter comes from:
    char MAIN_FILE_TAG = 'M'; // The main resource
    char NATIVELIB_FILE_TAG = 'N'; // A dir for native jar expantion
    char TIMESTAMP_FILE_TAG = 'T'; // The timestamp file
    char CERTIFICATE_FILE_TAG = 'C'; // A certificate stored
    char LAP_FILE_TAG = 'L'; // LocalApplicationProperties
    char MAPPED_IMAGE_FILE_TAG = 'B'; // Translated images (such as bmp)
    char MUFFIN_ATTR_FILE_TAG = 'U'; // running out - U is for mUffin
    This is taken from the DiskCache.java in the SCSL releases of 1.4.2 available at:
    http://wwws.sun.com/software/communitysource/j2se/index.html
    /Dietz

  • Multiple certificates on Issuing CA server

    Hi,
    Due to errors, multiple certificates were issued from the Root CA server for the SubCA. Although the old certificate was revoked from the Root, I see 2 certificates on the Issuing CA. Also, because of the 2 certificates, 2 CRLs are getting published every time, one for each. Although when I see the web server certificate issued for IIS, it was signed by the new certificate of the Issuing CA. Also, in PKIview, I see the CDP path for this CA with the new CRL.
    But my question is how I shall remove the old one from the Issuing CA, as I am not getting that option. Also, in AD I see 2 certificates published for that CA. Will that cause any issue?
    Thanks
    Neha Garg

    This is actually a normal state in PKI. When you renew a sub CA with a new key pair, it will result in multiple CRL files.
    - there is no need to remove the previous subca cert
    - there is no need to revoke the previous subca cert (unless there are config or security issues)
    - make sure the AIA paths use %4 in the paths to keep separate versions
    - make sure that the CDP paths use %9 in the paths to keep separate versions
    - make sure you publish *all* versions of .crts and .crls to *all* publication points
    You need to leave all versions of the CA certs in play so that both current and previously issued certs can be validated
    Brian
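
Brian's point that every version of a renewed CA certificate has to stay available, as an added example that is not part of the original thread: it uses OpenSSL rather than AD CS and builds a constructed throwaway PKI (all names, serials and file names are made up), renews the issuing CA with a new key pair, and checks which leaf certificates still chain. The key identifier extensions in `pki.cnf` are this example's choice for letting the validator pick the matching CA certificate version.

```shell
#!/bin/sh
# Constructed demo PKI: throwaway keys, names and serials made up for this example.

mk_subca() {    # $1 = file stem, $2 = serial: new key pair, same CA name, signed by the root
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=Demo Issuing CA" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -set_serial "$2" \
        -extfile pki.cnf -extensions ca_ext -days 30 -out "$1.crt" >/dev/null 2>&1
}

mk_leaf() {     # $1 = file stem, $2 = stem of the issuing sub CA version, $3 = serial
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1.example.test" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$3" \
        -extfile pki.cnf -extensions leaf_ext -days 30 -out "$1.crt" >/dev/null 2>&1
}

chain_ok() {    # $1 = intermediate certs available to the validator, $2 = leaf cert
    if openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1
    then printf ok; else printf FAIL; fi
}

demo_subca_renewal() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
EOF
        openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
            -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 30 \
            >/dev/null 2>&1 || exit 1
        mk_subca sub_v0 1 || exit 1            # original issuing CA certificate
        mk_subca sub_v1 2 || exit 1            # renewal with a new key pair
        mk_leaf old-server sub_v0 10 || exit 1 # issued before the renewal
        mk_leaf new-server sub_v1 11 || exit 1 # issued after the renewal
        cat sub_v0.crt sub_v1.crt > all_versions.pem

        echo "old leaf, only new CA cert published: $(chain_ok sub_v1.crt old-server.crt)"
        echo "old leaf, all CA cert versions published: $(chain_ok all_versions.pem old-server.crt)"
        echo "new leaf, all CA cert versions published: $(chain_ok all_versions.pem new-server.crt)"
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_subca_renewal
```

Removing the earlier CA certificate from the publication points corresponds to the first line of output: certificates issued before the renewal no longer build a chain.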

  • Keychain Access: Adding multiple Certificates, signed by the same CA

    Hello, Community.
    I have recently posted my request for help in this thread:
    http://discussions.apple.com/thread.jspa?messageID=10448884
    Now, I am facing a new problem: I wish to add a new Certificate to the Keychain, but whenever I try, it tells me the item exists, and does not add it to the Keychain. It adds the keys perfectly fine, both public and private, but not the Certificate.
    What can I do to have multiple Certificates, signed by the same CA?
    I cannot add them to my Keychain, so that will be of no help. And I have tried to create every Certificate anew in the same Keychain, but this will not work, either. I created the Certificates and exported them before I went on to the next and they are now on my desktop. This is very inconvenient, as the keychain is distributed over a network as a shared Keychain and resides in a Snow Leopard Server (Domestic version, not Snow Leopard Server). Our business is one day behind, but since it is now weekend, I hope to get this issue resolved by Monday morning, send out the e-mails we should have and update our register with sales.
    Could I please have some advice?
    Also, if this topic is handled in full in another thread, please post the links, so I can read up on this topic and try to find a solution.
    Thank you for your time.
    Kashidom Nenakh
    Mantha Designs incorporated
    http://www.manthadesigns.net

    http://www.isi.edu/~brian/security/kerberos.html

  • Input of Multiple values in BEX Browser

    Dear All,
    Can I input multiple values, i.e. can I copy values from an Excel sheet or a database which are at random and paste them in BEX Browser as an input variable? Is there any way to do this operation?
    Note:- Values need not be in series as stored in table.

    Hi Abhijit,
    I hope u are asking about input multiple values in data selection of the Query (in fact at selection screen, where u input the value for the query).
    Well u can do this if u are using BW3.5 or above. What u need to do is copy all those selection values from Excel sheet then at selection screen u have to there is a button of multiple copies which will suck values even more than 12 in numbers.
    This functionality is particularly beneficial when u want to check the status BW for random numbers of document numbers.
    Hope this works for u.
    Kindly assign the points if u feel this solution workable for u.
    Regards.
    Sunil Tayade Alias Sun Raj .

  • Opening multiple PDFs outside of browser in Acrobat 9 Std/Pro

    Just got off the phone with Adobe's TS and was unhappy that they took the functionality of opening multiple PDFs outside of the browser and have it be contained in ONE window from Adobe 9. Unless someone else can tell me how to set this option up again, I'm sticking with 8 until there's an update to this.

    I believe this was a permanent change. See the following link and conversation thread:
    http://www.adobeforums.com/webx/.59b5f77b/7
    "Atin Wadehra - 2:39am Jul 30, 08 PST (#9 of 16)
    Aandi,
    The failure reason suggested by you provided me the solution for getting my code to work. There is a setting in Acrobat to either open each document in a separate window or to share Acrobat's window.
    The setting is Edit->Preferences->Documents->Open Settings section "Show each document in its own window (requires restart)"
    Thanks for the help again
    Leonard Rosenthol - 6:16pm Jul 30, 08 PST (#10 of 16)
    However, that preference is NO LONGER present in Acrobat/Reader 9. In version 9, we ONLY operate in SDI mode. So even with that fix for Acrobat/Reader 8 - you will STILL break in version 9.
    You MUST rethink your code...
    Leonard"
    Sabian

Maybe you are looking for