Private Key for RSAalgorithm

Similar Messages

• Private key for encryption / decryption in PI

  Hi Experts,
  Where do we find the private key installed in PI system that is used for secur communication ?
  Thanks,
  Dhawal

  Hi Dhawal,
  Did you try to search on SDN before asking this ?
  There are many article available. Have a look at  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40a08db9-59b6-2c10-5e8f-a4b2a9aaa3d2?quicklink=index&overridelayout=true and http://help.sap.com/saphelp_NW04/helpdata/en/39/83682615cd4f8197d0612529f2165f/content.htm.
  Regards,
  Sunil Chandra

• I need to create public and private keys for security certificate and I can't find the certificate. Where is it?

  I purchased a security certificate, and the site tells me that it was successfully installed. I need to export the certificate so that I can create the public and private keys, but I cannot find the certificate to do so.

  Thank you.

• Create User for Target (Terminal Adapter) with private key authentication through web service

  Hi
  I have a question about Terminal adapter.
  My current aim is to create process "Execute script through ssh on remote Linux system" with  input parameters ( login, path to private key, path to script)
  It was very helpful to find this discussion https://supportforums.cisco.com/message/3543289#3543289 .
  Is  there a way to create  Public-key Authenticated Admin Runtime User with private key for authentication by using NB webservice ?

  I will second Shaun's comment...
  Unfortunately, it looks like this is not possible in 2.3.X. (That is you can create the user but the fields you need to use to configure that user properly do not appear to be exposed to the Northbound Web Service).
  It looks like something that will be fixed in a future release of Process Orchestrator.
  Svetlana

• Private key from 5.1 to 7.0

  Hi, we're currently upgrading from WebLogic server 5.1 to 7.0. The private
  key generated by WLS 5.1 does not use any password, and can therefore not be
  used with 7.0
  Do I have to generate a new private key and order a new SSL certificate, or
  is there a way I can assign a password to my existing private key so I can
  continue using this ??
  Thanx in advance !!!
  Jan Espen Hansen

  Thanks a lot Tony !!!!! This solved my problem.
  JEH
  "Tony" <TonyV> wrote in message news:[email protected]..
  Incorrect PEM headers/footers can confuse the tool.
  Double check that the header and footer for your PEM file match thecontents
  of the
  data in the file.
  If it was an unprotected RSA private key, the header and footer shouldlook
  like
  this:
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
  It should not say it is a certificate (which is the default for theder2pem
  utility), and it
  should not say it is an encrypted private key.
  Tony
  "a" <[email protected]> wrote in message news:3f9f7705$[email protected]..
  Hi, and thank you for your answer. I've tried the tool you mention, but
  I
  get the following error message:
  "Error parsing BER private key data 3000"
  Since my private key is in .der format I have first run the weblogicutil
  utils.der2pem on it, but I still get this error message.
  Any ideas ??
  JEH
  "Tony" <TonyV> wrote in message news:[email protected]..
  You should not have to generate a new key.
  There is a native tool that is supplied on the WLS kit that can
  protect
  an
  unprotected private key for you:
  wlkeytool inputkey.pem outputkey.pem
  It will prompt for passwords, I believe that will do what you want.
  Tools such as OpenSSL should also be able to protect the private key.
  Tony
  "Janne K" <[email protected]> wrote in message
  news:[email protected]..
  Hi, we're currently upgrading from WebLogic server 5.1 to 7.0. Theprivate
  key generated by WLS 5.1 does not use any password, and can
  therefore
  not
  be
  used with 7.0
  Do I have to generate a new private key and order a new SSL
  certificate,
  or
  is there a way I can assign a password to my existing private key so
  I
  can
  continue using this ??
  Thanx in advance !!!
  Jan Espen Hansen

• Having multiple CAs share the same private key

  We are developing a system which implements an HA cluster across two separate geographical locations.
  Each site will have several Windows Server 2012 machines and at least one DC, and we basically have to do a master-master replication between the two sites.
  The entire system will be under a single domain.
  We will be deploying AD CS since some of our sub-systems need certificates,
  but we want to limit the variety certificate to just one (i.e. we want all CAs to issue identical certificates).
  To do that, we have to setup AD CS so that all the DCs (both intra-site and inter-site) share the same private key.
  Is it possible to have all DCs in a domain to share a single private key?
  This article on TechNet suggests that we can do it within a cluster,
  https://technet.microsoft.com/en-us/library/cc742450%28v=ws.10%29.aspx
  but we are not sure if we can do it across different sites.
  Any advice and comments are highly appreciated.
  Wanko

  Hi Wanko,
  Its not much clear what you mean by "DCs to have single private key".
  However as per the article it indicates that you can use the same (SAN) certificate on both servers (nodes) of the cluster, the certificate SN will be the common clustername.
  This is common when you are using clustering or load-balanced system which requires you to have a common name, but individual nodes.
  Basically if you want to use single private key for the HA nodes, use the same certificate across all the nodes, that would be generated on the first node(generally). You don't need to issue identical certificates(this will not work as per my understanding)
  CA First Node: Export the Cert
  On the Welcome page of the CA Backup Wizard, click Next. Select
  Private key and CA certificate, and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click
  Next.
  Provide a password to protect the CA key, click Next, and then click
  Finish.
  CA Second Node: Import the Cert
  Open the Certificates snap-in for the computer account.
  In the console tree, double-click Certificates (Local Computer), and click
  Personal.
  On the Action menu, click All Tasks, and then click
  Import to open the Certificate Import Wizard. Click Next.
  Enter the file name of the CA certificate that was previously created on the first node, and click
  Next. If you click Browse to find the certificate, change the file type to
  Personal Information Exchange (*.pfx,*.p12).
  Type the password that you have previously used to protect the private key. The password is required even if there is no private key in the .pfx file. Do not mark this key as exportable. Click
  Next.
  Place the certificate in the Personal certificate store, and click
  Next. To complete the certificate import process, click
  Finish, and then click OK.
  Secondly I don't get what do you mean by: "we basically have to do a master-master replication between the two sites."
  Please note a Cluster can only run a single instance of Certificate Services. A failover cluster of any size can be used to provide a high availability environment for certificate services. However, Microsoft does not support more than one instance
  of certificate services on a cluster.
  References:
  Overview of CA Clustering-2003
  Active Directory Certificate Services (AD CS) Clustering - Requirements-2012
  Regards,
  Satyajit
  Please“Vote As Helpful”
  if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• How to enter a Private key into a keystore

  Hi,
  We have a propriteary CA, developed by us. I need to use this CA for my Signed Applet. I would enter this CA's public key(a X509 certificate) into my cacerts file.
  Following is what I have done :
  1) I have generated my own keystore, public and private key for signing the applet.
  2) Signed the applet with the private key in the keystore.
  To Do :
  Now, the self generated public key(with which applet was signed) has to be signed by the properitary CA, so that when applet is downloaded my certificate is authenticated by the proprietary CA.
  The problem is :
  1) To get my public key certificate authenticated by the proprietary CA, I need the private key of proprietary CA.(so that I shall sign my public key file by the CA's private key) . The CA could give the private key as a byte array file. ( Or we could write a program to format the private key file, if any format exists and required). jarsigner requires keystore to sign. How could I create a keystore and enter my private key and public key into this keystore?
  2) Is there any other way to do this?
  Please help to resolve this problem.
  Rajesh

  Check this:
  <A HREF="http://java.sun.com/j2se/1.4/docs/guide/pugin/developer_guide/rsa_signing.html

• Installing Domain Controller certificates remotely - private key remains on local server!

  Using a 3rd party CA (Entrust), I have successfully requested and installed Domain Controller certificates via the Certificates MMC snap-in.
  I did this from one Domain Controller, and then just used the (right click) "Connect to another computer" option to do the rest.  Everything looks absolutely fine, the certificates look ok.... certificate chain is complete, and valid (all
  CA certs are installed) and the certificates say "You have the private key that corresponds to this certificate".
  If I do a LDAPS bind using LDP.exe, it works fine on the first DC.
  Do this on the next and I get the error:
  Cannot open connection
  Error 81 = ldap_connect(hLdap, NULL);
  Server error: <empty>
  Error <0x51>: Fail to connect to DCHostname.
  After some checking I looked in the folder C:\ProgramData\Microsoft\Crypto\Keys
  This contains a lot of files on the DC I was logged onto when installing the certs, and no files on any of the other DCs.  I am guessing this is the private key file and it has stored all of them on the local machine I was running MMC from rather than
  on the machines I connected to from MMC.
  Is there any way to get these keys onto the correct DCs now - or will I have to re-request all of the others.  The private key was not exportable.
  I figured copying and pasting them was probably not going to work with a private key, but I tried it anyway just to be sure!
  It is pretty annoying as no clue was given during the process of requesting and installing the certificates, and there is no error when you look at the certificate - they all think they have the private key associated to them, even though it rather looks
  like they don't!
  It's a bit painful requesting certificates here, so any help in avoiding this would be appreciated!  Thank you

  Thank you Elke,
  So I copied the key files across from the server where they were all generated to the server I remotely connected to (which had no key files at all).  Copied all just to be sure, though I’m
  pretty sure which one actually relates to that server as I did them all in order - reflected by the time stamps.
  Ensured all the permissions were the same, and that they were marked as ‘system’ files.
  Ran the command
  certutil -repairstore my [SerialNumber of cert]as
  you suggested, but no luck unfortunately.
  So firstly, I get the same error message:
  Cannot find the certificate and private key for decryption.
  CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
  And then I get:
  CertUtil: Access denied.
  Not sure why the access denied, I am running elevated with full local and domain administration rights.
  Toby

• WLS 5.1 certificate issue: encrypted private key

  My organization has acquired some certificates for use with WLS. However, the private
  keys for these certs were inadvertently encrypted with a password. We have a mix
  of 5.1 and 6.1 servers. We got the keys working with our 6.1 servers, but 5.1
  is a little tougher. How can we use these keys with our 5.1 servers?

  I dont think 5.1 supports password encrypted private keys
  Jason Norman wrote:
  My organization has acquired some certificates for use with WLS. However, the private
  keys for these certs were inadvertently encrypted with a password. We have a mix
  of 5.1 and 6.1 servers. We got the keys working with our 6.1 servers, but 5.1
  is a little tougher. How can we use these keys with our 5.1 servers?

• Private key password for Default DemoIdentity Keystore?

  Hi
  I am trying to Configure SSL in ALSB. I have created the PKI Credential mapping for the Default DemoIdentity Keystore
  But it is asking for the password to access the Keypair.
  The document states that i need to provide the password set during the creation of the keystore
  but as i am using the default keystore i dont know where to look for the password.
  Error :
  [Security:090809|The key pair could not be retrieved from the keystore with the supplied alias demoidentity and its password
  I tried using the KeyStorePassphrase  but it didnt help me much ..
  Can any one help me on this?
  Regards
  Anusha                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  Jay is right
  To be more precise you can use something like
  keytool -list -keystore ${wl_home}/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrasewhich leads to the following output
  Keystore type: JKS
  Keystore provider: SUN
  Your keystore contains 4 entries
  certgenca, Mar 22, 2002, trustedCertEntry,
  Certificate fingerprint (MD5): 8E:AB:55:50:A4:BC:06:F3:FE:C6:A9:72:1F:4F:D3:89
  wlsdemocanew2, Jan 24, 2003, trustedCertEntry,
  Certificate fingerprint (MD5): 5B:10:D5:3C:C8:53:ED:75:43:58:BF:D5:E5:96:1A:CF
  wlsdemocanew1, Jan 24, 2003, trustedCertEntry,
  Certificate fingerprint (MD5): A1:17:A1:73:9B:70:21:B9:72:85:4D:83:01:69:C8:37
  wlscertgencab, Jan 24, 2003, trustedCertEntry,
  Certificate fingerprint (MD5): A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FEThe following list provides the location and passwords of the demo certificates:
  Trust store location: ${WL_HOME}/server/lib/DemoTrust.jks
  Trust store password: DemoTrustKeyStorePassPhrase
  Key store location: ${WL_HOME}/server/lib/DemoIdentity.jks
  Key store password: DemoIdentityKeyStorePassPhrase
  Private key password: DemoIdentityPassPhrase

• SSL: how to use Multiple Private key/Certificate pair for authentication.

  Hi all,
  i am implementing SSL in java using X509 Certificate/private key combination.
  i have two set of private key/certificate pair.
  one is factory default and another is generated at run time.
  my problem is to try ssl connection with both pairs on same tcp/ip connection.
  e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
  on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
  can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
  Thanks In Advance
  Saurabh Ahuja

  Client code does not contain any default truststore and needs a certificate for authentication.Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
  It's like this. The idea of PKI with SSL is as follows:
  - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
  - the client has a truststore that trusts the server, one way or the other, see above.
  - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
  - the server sends its cert to the client along with a digital signature signed by its private key.
  - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
  At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
  If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
  You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

• SFTP adapter(file path for private key)

  Guys,
    Can anyone help me in uderstand usage of file path for private key in SFTP adpter, who would provide this key file.
  When this file is kept on Transaction AL11 is this format specifc? only .ppk files should be kept.
  Should i ask my FTP vendor for this key file ? is it script or something like that . everytime my file is picked up from my mentioned  directory what does this private key option searched for?
  Appreciate your thoughts in this..
  Regards
  Chaithanya

  Hey,
  SFTP is not supported by XI / PI , Supports  FTPS -  FTP with SSL.
  Check this Links,
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51?overridelayout=true
  http://help.sap.com/saphelp_nw04/helpdata/en/e3/94007075cae04f930cc4c034e411e1/frameset.htm
  Cheers
  Agasthuri

• Cannot export private key: "key not valid for use in specified state"

  Hi,
  This is a bit of a long story but I hope someone can give us some guidance.
  We use authentication certificates issued from our own Enterprise CA to control user and machine authentication via RADIUS/NPS for our wireless network.  Certificates are deployed via group policy/autoenrollment. In general this works well but
  we have an intermittent problem where user authentication stops working for a user who was fine before. The user certificate looks OK via Certmgr (shows as valid, shows that there is a private key associated with the certificate).  The NPS server
  logs show that the machine has been authenticated and granted access, but the user in this situation doesn't show up in the server logs at all. 
  The only solution in this case is to connect to the wired network and request a new certificate for the user (either via certmgr or just by deleting the duff cert and logging off/on again to get the cert via autoenrollment).
  The interesting thing is that while a "working" certificate can be exported with no problem, a duff certificate cannot be exported with its private key, giving the error "key not valid for use in specified state". (Obviously the certificates
  come from the same template, and the key is not marked unexportable).  The key files are present in %userprofile%\Appdata\Roaming\Microsoft\Crypto\RSA and the user permissions on these files look correct.
  After much searching of the forums I tried running certutil-repairstore on the duff certificate and that also returned the same error.  I also tried an undocumented switch Certutil -user -key -v and again, got a very similar error "Loadkeys returned
  key not valid for use in specified state. 0x8009000b (-2146893813)".
  I'm assuming that the fact that the key is unexportable/corrupt is also the reason why the certificate can no longer be used for authentication.
  Does anyone have any clues as to what might be causing this, and/or if a certificate with a key in this state can be repaired?
  Thanks!

  I can just share an experience I once had that was somewhat similar:
  In this case certificates could sometimes not be enrolled and the CSP came up with a related error message.
  The root was the software / driver (?) for a hardware dongle required to run some software. This "driver" added a registry key to the list of CSPs (under these HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider - but I have seen this with
  XP, so the exact location might be different now).
  This fake CSP entry that had quite a weird name effectively broke other CSPs. After removing the access to / generation of keys worked fine.
  So it would be interesting to know if you run some software that is "close to CSPs or cryptography".
  Elke

• SSL private key password

  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the same
  SSL certificate. By defaul the private key is not encrypted with password
  (SSL.KeyEncrypted = false by default, according to the documentations) in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key from file
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure password specified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is the same
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

  Thanks Tony - it worked!!
  "Tony" <TonyV> wrote in message news:[email protected]...
  It may be because the private key is both unprotected and in DER format.
  There are some things to try:
  1) Convert the private key file from a DER file to a PEM file and try
  that:
  a) Follow the for converting an unprotected private key at:
  http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
  b) Look at the resulting PEM file, it should look something like
  this:
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
  (Be sure there is no extra lines or whitespace after thefooter)
  >
  c) Change your configuration to point at the PEM file
  If that doesn work, then you can try protecting the key with apassword
  using
  the wlkeytool utility (It should be in the server/bin directory). The
  tool should prompt
  for a password to use to protect it:
  wlkeytool inputkey.pem outputkey.pem
  Then change your configuration to use the protected private key, andset
  the passwod to use.
  Tony
  "Makoto Suzuki" <[email protected]> wrote in message
  news:[email protected]...
  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the
  same
  SSL certificate. By defaul the private key is not encrypted withpassword
  (SSL.KeyEncrypted = false by default, according to the documentations)in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script resultsthe
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key fromfile
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword
  is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure passwordspecified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true
  and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is thesame
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

• Exporting SSL Private Key

  In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
  Since I know of no other way to do get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this, the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?

  I believe you have to run Keychain Access as root to export the private key.
  sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access