Private key and digital certificate

I have a keystore. In order to know what it contains, I opened this keystore with this command:
keytool -list -keystore DemoIdentity.jks
and I got:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
demoidentity, Jan 4, 2007, keyEntry, // is it called private key ?
Certificate fingerprint (MD5): 60:42:75:33:31:AA:9A:C6:9D:1A:CD:9F:22:8D:4A:6A // is it called certificate ?
Question:
I still don't understand what a keystore contains. Does it contain "private key" + "digital certificate"?
If so, what are the private keys and digital certificate in the above contents?
Message was edited by:
Unknown_Citizen

The content of a 'keystore' is what you, or the person who provided it, put in it. In this case it looks like all it contains is a public key certificate with an alias of 'demoidentity'.
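keytool labels every alias with an entry type, and the `java.security.KeyStore` API exposes the same distinction through `isKeyEntry` and `isCertificateEntry`. The program below is an added example, not code from the thread: it classifies each alias in a JKS keystore and prints the certificate fingerprint. The class name `KeystoreEntries` and the command-line arguments are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name).
// Usage: java KeystoreEntries DemoIdentity.jks [storepass]
public class KeystoreEntries {

    // Colon-separated hex digest of the DER-encoded certificate, the same
    // form keytool prints as "Certificate fingerprint".
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            if (hex.length() > 0) hex.append(':');
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    // One alias: what kind of entry it is and which certificate goes with it.
    static String describe(KeyStore ks, String alias) throws Exception {
        StringBuilder out = new StringBuilder(alias).append(": ");
        Certificate leaf = null;
        if (ks.isKeyEntry(alias)) {
            // A key entry holds a key; for a private key it also holds the
            // certificate chain whose first certificate carries the public key.
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                out.append("key entry without a certificate chain");
            } else {
                out.append("key entry: private key + chain of ")
                   .append(chain.length).append(" certificate(s)");
                leaf = chain[0];
            }
        } else if (ks.isCertificateEntry(alias)) {
            // A trusted certificate entry holds a certificate and no private key.
            out.append("trusted certificate entry: certificate only");
            leaf = ks.getCertificate(alias);
        } else {
            out.append("unknown entry type");
        }
        if (leaf instanceof X509Certificate) {
            X509Certificate x509 = (X509Certificate) leaf;
            out.append("\n  subject: ").append(x509.getSubjectX500Principal().getName());
            out.append("\n  issuer:  ").append(x509.getIssuerX500Principal().getName());
        }
        if (leaf != null) {
            // MD5 is printed only to match the fingerprint style in the question.
            out.append("\n  MD5:     ").append(fingerprint(leaf, "MD5"));
            out.append("\n  SHA-256: ").append(fingerprint(leaf, "SHA-256"));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java KeystoreEntries <keystore.jks> [storepass]");
            System.exit(2);
        }
        // With a null password a JKS keystore still loads, but its integrity
        // is not checked.
        char[] storePass = args.length > 1 ? args[1].toCharArray() : null;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(describe(ks, alias));
        }
    }
}
```

The private key itself is never printed; reading it would need `ks.getKey(alias, keyPassword)` with the entry's key password.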

Similar Messages

  • I need to create public and private keys for security certificate and I can't find the certificate. Where is it?

    I purchased a security certificate, and the site tells me that it was successfully installed. I need to export the certificate so that I can create the public and private keys, but I cannot find the certificate to do so.

    Thank you.

  • iCal and digital certificates

    I accidentally deleted the digital certificate that is buried someplace in a folder in the operating system, and now iCal won't sync, and it won't connect to the Apple server. I have 6 other Macs and they all work fine. They are all pretty new. But my laptop won't sync and won't connect.
    Does anyone know how to get the digital certificates back into that folder?
    Also my MSN messenger won't work because I deleted that certificate.
    That's the last time I play around with something I know nothing about.
    Thanks
    Rock


  • Forms and Digital Certificates

    Can anyone provide insight into the ability of the Forms server to work with client-side digital certificates? All of the 8i documentation seems to indicate compliance with standard PKI implementations, and even mentions client-side certificates explicitly. However, nothing clearly indicates the ability to use client-side certs with the Forms server.

    I need to implement exactly the same thing and would appreciate some guidance as well.

  • MobileMe mail and digital certificates

    Hi,
    Is there any way of digitally signing and encrypting MobileMe emails using a self-signed certificate?
    Thanks,
    Glyn

    Thanks for your reply, Dave - glad to hear it's not just me!
    I spoke to Apple and they say they've done nothing to the MobileMe servers that would cause this.
    The reject email I get is:
    Your message cannot be delivered to the following recipients:
     Recipient address: [email protected]
     Reason: SMTP transmission failure has occurred
     Diagnostic code: smtp;550 5.7.1 Command rejected
     Remote system: dns;email-lb-cpg.austin.hp.com (TCP|17.172.48.75|57574|15.217.96.213|25) (hpeprint.com ESMTP Postfix)
    Original-envelope-id: [email protected]
    Reporting-MTA: dns;st11b01mm-asmtp212.mac.com (tcp-daemon)
    Arrival-date: Wed, 12 Oct 2011 01:39:29 -0700 (PDT)
    Original-recipient: rfc822;[email protected]
    Final-recipient: rfc822;[email protected]
    Action: failed
    Status: 5.7.1 (SMTP transmission failure has occurred)
    Remote-MTA: dns;email-lb-cpg.austin.hp.com (TCP|17.172.48.75|57574|15.217.96.213|25) (hpeprint.com ESMTP Postfix)
    Diagnostic-code: smtp;550 5.7.1 Command rejected

  • SSL: how to use Multiple Private key/Certificate pair for authentication.

    Hi all,
    I am implementing SSL in Java using an X509 certificate/private key combination.
    I have two sets of private key/certificate pairs.
    One is the factory default and another is generated at run time.
    My problem is to try an SSL connection with both pairs on the same TCP/IP connection.
    E.g. on the server side: first try the SSL connection with the factory default certificate; if it fails, try connecting with the generated certificate on the same TCP/IP connection.
    On the client side: if the generated certificate (this certificate was generated at the server side) is present, first perform server authentication using this certificate; otherwise authenticate the server with the factory default certificate.
    Can someone please help and let me know how I need to configure both ends (client and server) to achieve the same?
    Thanks In Advance
    Saurabh Ahuja

    "Client code does not contain any default truststore and needs a certificate for authentication."
    Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
    It's like this. The idea of PKI with SSL is as follows:
    - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
    - the client has a truststore that trusts the server, one way or the other, see above.
    - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
    - the server sends its cert to the client along with a digital signature signed by its private key.
    - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
    At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
    If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
    You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

  • Encrypt text without full blown public/private keys or certificates?

    hello,
    i would like to encrypt small texts (up to about 1000 characters) to save them in a file and later load them and decrypt the text. what solutions in Java are available without setting up a full blown key store with public and private keys and/or certificates. i think about a small method/class that en- and decrypts arbitrary text.
    any suggestions?
    thanks in advance!

    okay, i found my solution:
    Blowfish (http://www.counterpane.com/blowfish.html) :
    BlowfishEasy be = new BlowfishEasy("somekey");
    String crypted = be.encryptString(plaintext);
    Now, this I call easy and quite secure!
    :-)

    hey can u please tell me where u got the code from on the blowfish website above
    I go there and click on the "Free source code" link.
    I then try and download the java implementation (which are packed as zip files). When I unzip them though, the file just has up to the class declaration?????
    eg. public class BlowFish ... {
    and nothing else????
    Can u tell me what u did please

  • Having multiple CAs share the same private key

    We are developing a system which implements an HA cluster across two separate geographical locations.
    Each site will have several Windows Server 2012 machines and at least one DC, and we basically have to do a master-master replication between the two sites.
    The entire system will be under a single domain.
    We will be deploying AD CS since some of our sub-systems need certificates,
    but we want to limit the variety certificate to just one (i.e. we want all CAs to issue identical certificates).
    To do that, we have to setup AD CS so that all the DCs (both intra-site and inter-site) share the same private key.
    Is it possible to have all DCs in a domain to share a single private key?
    This article on TechNet suggests that we can do it within a cluster,
    https://technet.microsoft.com/en-us/library/cc742450%28v=ws.10%29.aspx
    but we are not sure if we can do it across different sites.
    Any advice and comments are highly appreciated.
    Wanko

    Hi Wanko,
    It's not very clear what you mean by "DCs to have single private key".
    However, as per the article, it indicates that you can use the same (SAN) certificate on both servers (nodes) of the cluster; the certificate SN will be the common cluster name.
    This is common when you are using a clustered or load-balanced system which requires you to have a common name, but individual nodes.
    Basically, if you want to use a single private key for the HA nodes, use the same certificate across all the nodes, which would be generated on the first node (generally). You don't need to issue identical certificates (this will not work as per my understanding).
    CA First Node: Export the Cert
    - On the Welcome page of the CA Backup Wizard, click Next. Select Private key and CA certificate, and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click Next.
    - Provide a password to protect the CA key, click Next, and then click Finish.
    CA Second Node: Import the Cert
    - Open the Certificates snap-in for the computer account.
    - In the console tree, double-click Certificates (Local Computer), and click Personal.
    - On the Action menu, click All Tasks, and then click Import to open the Certificate Import Wizard. Click Next.
    - Enter the file name of the CA certificate that was previously created on the first node, and click Next. If you click Browse to find the certificate, change the file type to Personal Information Exchange (*.pfx,*.p12).
    - Type the password that you have previously used to protect the private key. The password is required even if there is no private key in the .pfx file. Do not mark this key as exportable. Click Next.
    - Place the certificate in the Personal certificate store, and click Next. To complete the certificate import process, click Finish, and then click OK.
    Secondly, I don't get what you mean by: "we basically have to do a master-master replication between the two sites."
    Please note a cluster can only run a single instance of Certificate Services. A failover cluster of any size can be used to provide a high availability environment for certificate services. However, Microsoft does not support more than one instance of certificate services on a cluster.
    References:
    Overview of CA Clustering-2003
    Active Directory Certificate Services (AD CS) Clustering - Requirements-2012
    Regards,
    Satyajit

  • BizTalkServer 2010 SFTP Adapter from CodePlex - Configuring send and receive locations with SSH public and private keys

    Hi there,
    I am looking for step-by-step instructions on how to configure the SFTP CodePlex adapter for both receive and send ports.
    Our business partner, with whom we push/poll the files, wants us to use SSH encryption/decryption etc.
    Just wondering if the following functionality is supported in the CodePlex SFTP adapter without having to write any code.
    I would appreciate it if there is a manual to do this for SFTP. BTW I do have all our public and private keys and the business partner's public key for configuring.
    For Send port:
    1. We would need to encrypt the file with our business partner's public key
    2. Sign the file with our private key.
    3. Send the file through to the SSH client, which eventually transfers it to the remote server.
    Receive port:
    1. Connect to the SSH server with the SSH-2 key and receive the file
    2. Verify the file's digital signature against the business partner's PGP public key
    3. Decrypt the file using our PGP Public key
    Thanks in advance

    Yes it is supported.
    You can find its documentation in this link 
    You can find section X.509 Certificate Identity Keys
    You can set public and private key in property SSH Identity thumbprint  of send and receive port
    I prefer to test it using client tool like
    FileZilla or WinSCP then test it using sftp adapter

  • Certificate Assistant Generates its own private key each time

    Here's the problem:
    1 create a certificate authority... ok.
    2.generate a certificate request from that certificate authority... ok... (DONE ON ANOTHER MAC like my laptop...)
    3.Send the certificate request to the certificate authority email ok...
    4. Receive the certificate request ok... (received on the main desktop machine)
    5. Double click on the certificate request... ok it launches the certificate assistant.... and it generates a certificate and mails it back to the other account.
    All appears fine.....
    EXCEPT that the certificate when imported does not work.... WHY?
    WELL
    Because a new private key was generated and used instead of simply signing the request....
    If of course you send the new public key and the certificate back to the laptop all is well...
    But this is NOT how it is supposed to work.
    If you get a certificate request you're not supposed to generate a new key pair at the Certificate authority!!! You're just supposed to sign the request,
    generate the certificate with the given public key and be done with it... but no!!! OS X Lion insists on generating a new key pair itself first!!!!
    Any help here?
    Steve

    Isn’t that special? I thought so… drove me crazy until I found a workaround. When the CA generates a signed certificate from the CSR, they need to be mindful of whether their Certificate Assistant generates these spurious keys. If it does:
    Delete the spurious user keys and user certificate from the CA’s default (usually: login) keychain. Note that in some cases there will not be a user certificate, if Certificate Assistant presented the duplicate certificate in keychain error. Be sure to check carefully!
    If Certificate Assistant made it far enough to create the outgoing email message with the defective certificate, delete this message draft.
    Re-run the CSR your user sent in, as if you were doing so for the first time.
    In my testing, this workaround works 100% of the time: the second time the CSR runs on the CA’s system, the CA’s Certificate Assistant properly signs the user’s certificate and does not make any spurious keys on the CA’s system.
    BTW I have seen this happen with Certificate Assistant 2.0/10.5.8 Leopard, CA 3.0/10.6.8 Snow Leopard, and CA 4.4/10.7.5 Lion. I have not yet seen it with CA 5.0/10.8.3 Mountain Lion, though given the intermittent nature of this bug, my confidence is low that it is truly fixed.
    I’ve spent the last few years spending waaaaaaay too much time testing and documenting Apple’s OS X and Mail S/MIME implementation, and recently put up web pages with my findings, including this workaround. Hopefully the information will help some folks.
    ))Sonic((

  • JSSE: keys and certificates

    1)What exactly is the difference between a key and a certificate?
    2)Can both be used by JSSE?
    3)How can I obtain a key?
    4) A private and a public key? Are they two separate files or what are they?

    "The first (and so far only) time that I used SSL was with a web application, running on Tomcat on SSL. Then I was told to generate a keystore with the keytool command and that was all and everything worked fine."
    You would have had to import a certificate from the server to the client's truststore. If you worked at the server end you would have had to generate a key and either a self-signed cert or the whole CSR, get it signed, re-import sequence. This is a bit more than just 'generate a keystore with the keytool command'.
    "if you never heard about the keytool"
    Are you kidding me?
    "1) So this keystore was then a self-signed certificate or even not a certificate at all???"
    keytool -genkey generates a private/public key pair. keytool -selfcert generates a self-signed certificate for that keypair. Nobody in the world will trust that certificate unless you export it from this keystore and import it into their truststore. By contrast, if you generate a CSR, get it signed by a well-known CA, and import the signed cert into the same keystore the CSR came from, everybody will trust that cert, because they already trust the CA. BTW these things aren't the keystore, they are in the keystore.
    "2) The keystore thus contains a private and public key, which ensure integrity and confidentiality.... but NOT client and server authentication?"
    The public/private key system can give you integrity and confidentiality. The X.509 certificate system can be used for authentication. They are different things.

  • WebVPN-Problem with Digital Certificate and AAA

    Hello everyone,
    I have a problem configuring WebVPN on an ASA 5520 using AAA and a Microsoft digital certificate (MSCEP).
    Currently, the WebVPN service is enabled and it worked well with AAA (local or external) only.
    But now I want to use both AAA and a certificate for the most security; I mean that the users will be authenticated 2 times (first, a valid certificate is checked, then user/pass is the second one).
    Here are the details:
    I tried installing a CA server (Microsoft CA service combined with SCEP) and registering the ASA with the CA server (the ASA works as a subordinate CA) --> these steps are OK, the ASA has registered; then the client uses a web browser to request a certificate from the CA, it is issued by the CA administrator, and then it is installed in the web browser.
    Testing:
    The client tried to test by accessing the SSL VPN; the welcome WEBVPN message prompts for user/pass, but the message is "Logon Failed" before I give user and pass.
    Does anyone know and advise?
    Thanks
    Khanh

    Hi all,
    Here are the attached files for my issue,
    Khanh

  • How to create table and digital signature ?

    Hello,
    I would like to ask two questions regarding SAP interactive forms by adobe.
    1st question:
    How to create a table in an interactive form?
    A table that I can add rows and columns to, and that will show in the form.
    Example of the rows and columns that I want:
    ID:    Name:    DOB:
    1      Jack     01/02/80
    2      Ivy      10/12/82
    2nd question:
    How to create a digital signature?
    I'm creating an Adobe form which needs the employee to sign on the form. I use a signature field in my form. However, I don't know how to create a new signature and insert it in the signature field.
    Can anyone provide the answer with a step-by-step guide?
    Thanks a lot

    Hi Pradeepa,
    you said you have your digital signature in BMP format? That means Bitmap and would mean you are actually talking about a picture! THIS IS NOT A DIGITAL SIGNATURE!
    A digital signature is a cryptographic key (aka public key cryptography) that is used to digitally sign a document, or at least a hash value derived from the document. Digitally signing means, applying the key in a well defined way (this is the algorithm used) to the document or hash value. You do this with your private key and the receiver of the document can then use your public key (which you can distribute in any way you want, even unsecure) to unencrypt the hash value. If this succeeds the receiver knows that the document was signed by you.
    This is because both keys are mathematically related in such a way that what one key encrypted can only be decrypted by the corresponding other key and by no other key. You can't even decrypt a document with the same key it was encrypted with; this is the difference from symmetric encryption - please have a look at help.sap.com and search for digital signatures.
    The named formats (afs, pfx and p12) are ways of coding the key, together with information about your person, such as email address and information about validity of the key, into a certificate. This type of certificate is then called an X.509 certificate and is the same you might have seen when connecting to a secure webserver such as the one of your bank website.
    Signing a form with such a certificate provides for mathematical and therefore business-related proof of a user's identity.
    In case you are really using a bitmap, this cannot work and would not serve you any good.
    Ask yourself this question: I want to make sure that the form was signed by a specific person. How can I make sure that the signing can only be done by the person pretending to have done so?
    A bitmap contains a picture, probably of the person's handwritten signature. How can I make sure that this picture was NOT recreated in MS Paint or Photoshop by someone else?
    The answer is: you can't! Therefore this way of proving identity is useless.
    You need to provide your users with digital signatures, put these in the certificate cache of your IE. If a user then clicks on the signing field, the private key is used to digitally sign the form - create a hash value of the form and encrypt it with the private key. After the form is sent back to the server or you, you use the corresponding public key to decrypt the hash value and, as said above, if this succeeds, identity of the signer is proven.
    THIS IS AN OVERSIMPLIFICATION! You might want to take a look at Adobe Reader Credentials.
    Regards,
       Christian
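Both the SSL reply earlier on this page (a signature made with the server's private key establishes ownership of the certificate) and the reply above (sign with the private key, verify with the public key) rest on the same operation. The program below is an added example, not code from either thread: it signs with `java.security.Signature` and shows that verification fails for an altered document and for a signature made with a key pair the verifier never trusted. The class name, the sample document and the use of a bare public key in place of a certificate or truststore are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added example (hypothetical class name). A bare public key stands in for
// the certificate the verifier already trusts.
public class SignatureDemo {

    // Hash the data with SHA-256 and sign the hash with the private key.
    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }

    // Recompute the hash and check the signature against the public key.
    static boolean verify(PublicKey key, byte[] data, byte[] signature) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);

        // The signer's key pair. Only the public half is given to the verifier,
        // ahead of time, the way a certificate is imported into a truststore.
        KeyPair signerKeys = generator.generateKeyPair();
        PublicKey trustedPublicKey = signerKeys.getPublic();

        // A key pair generated on the spot by some other party.
        KeyPair runtimeKeys = generator.generateKeyPair();

        // Constructed sample document.
        byte[] document = "form #1: approve leave request".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "form #1: approve pay increase".getBytes(StandardCharsets.UTF_8);

        byte[] genuine = sign(signerKeys.getPrivate(), document);
        byte[] fromRuntimeKey = sign(runtimeKeys.getPrivate(), document);

        // 1. Signature made with the matching private key over the same bytes.
        System.out.println("genuine signature, original document: "
                + verify(trustedPublicKey, document, genuine));          // true

        // 2. Same signature, but the document was changed after signing.
        System.out.println("genuine signature, altered document:  "
                + verify(trustedPublicKey, altered, genuine));           // false

        // 3. Valid signature from a key the verifier has no reason to trust.
        System.out.println("runtime-generated key, trusted key:   "
                + verify(trustedPublicKey, document, fromRuntimeKey));   // false

        // 4. The same signature verifies against its own public key, which
        //    proves nothing unless that public key was trusted beforehand.
        System.out.println("runtime-generated key, its own key:   "
                + verify(runtimeKeys.getPublic(), document, fromRuntimeKey)); // true
    }
}
```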

  • Exporting SSL Private Key

    In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
    Since I know of no other way to get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this: the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?

    I believe you have to run Keychain Access as root to export the private key.
    sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

  • Recover SSL private key?

    I have a bit of a dilemma since I tried to install an SSL certificate on my server that needs intermediate certs. Here's what I did:
    1) In Server Admin, create a new key for my domain and use that key to create a CSR to send to a certificate authority. (This creates a public key, a private key and a self-signed certificate in the system keychain on the server).
    2) Sent the CSR away and got the signed certificate back.
    3) Used Server Admin to add the signed certificate to the existing domain cert (this replaces the self-signed cert). Restart services etc.
    Here's the problem: the cert that I have needs intermediate certs installed in order to be functional- currently the certificate shows as an untrusted authority. If I delete the current certificate in Server Admin to start again from scratch, it will delete the private key that I need to reinstall. I downloaded the intermediate certificates from the CA's website, but now the certificate installed on the server can't be modified. Besides, there is no place to enter the intermediate certificates. My plan was to try to paste all the certs into the box where it asks for the new certificate, but no joy since it is now locked.
    I would like to create a new certificate (there is a place in there to install intermediate certs), but I'll need to get my private key out of Keychain Access into a pem formatted file but I can't seem to get the thing to export.
    Questions:
    1) Is there a way to export a private key from Keychain Access so that it can be used for server admin?
    2) Is there a way to get at this from the command line?
    3) Is there some other procedure that can magically fix this problem?
    Thanks,
    Miles

    Thanks,
    This is the part that I was looking for:
    Launch Keychain Access as root:
    sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &
    I then went here http://www.gridsite.org/wiki/Convert_p12 and converted the p12 to pem so I could use it in server admin.
    Thanks again,
    Miles
