Private key protection in Keychain
Hi!
I have a keypair for email in a MS environment (Entourage) so I know it is there and works.
Q1: When I open Keychain and expand my email certificate I can see the private key (RSA, 1024-bit) and it looks very much like the 'real thing', i.e. in clear, not protected by any passphrase. Is that the case? If I export it, then a passphrase seems to be required.
Q2: How can I export only my public key part?
BR, Petri
This is what I do:
- In Keychain Manager, create a new keychain (File->New Keychain). Choose any name you like (Confid in this example).
- Move your sensitive keys from "login" to "Confid".
- Change the properties of each private key, allowing access in Access Control to each program (like Mail) which you want to use the keys with. Make sure you check "Ask for password" every time the programs access the key.
- Finally, change the properties (Edit->Change Settings) of Confid. I use "Lock after 1 minute of inactivity" and "Lock when sleeping".
This way I am asked for a password every time that I try to sign a mail or read a ciphered message.
Good luck.
Similar Messages
-
Recover SSL private key?
I have a bit of a dilemma since I tried to install an SSL certificate on my server that needs intermediate certs. Here's what I did:
1) In Server Admin, create a new key for my domain and use that key to create a CSR to send to a certificate authority. (This creates a public key, a private key and a self-signed certificate in the system keychain on the server).
2) Sent the CSR away and got the signed certificate back.
3) Used Server Admin to add the signed certificate to the existing domain cert (this replaces the self-signed cert). Restart services etc.
Here's the problem: the cert that I have needs intermediate certs installed in order to be functional; currently the certificate shows as an untrusted authority. If I delete the current certificate in Server Admin to start again from scratch, it will delete the private key that I need to reinstall. I downloaded the intermediate certificates from the CA's website, but now the certificate installed on the server can't be modified. Besides, there is no place to enter the intermediate certificates. My plan was to try to paste all the certs into the box where it asks for the new certificate, but no joy since it is now locked.
I would like to create a new certificate (there is a place in there to install intermediate certs), but I'll need to get my private key out of Keychain Access into a PEM-formatted file, and I can't seem to get the thing to export.
Questions:
1) Is there a way to export a private key from Keychain Access so that it can be used for server admin?
2) Is there a way to get at this from the command line?
3) Is there some other procedure that can magically fix this problem?
Thanks,
Miles
Thanks,
This is the part that I was looking for:
Launch Keychain Access as root:
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &
I then went here http://www.gridsite.org/wiki/Convert_p12 and converted the p12 to pem so I could use it in server admin.
Thanks again,
Miles -
Deleted the public/private keys installed by iPCU & untrusted the certs
Hi;
it's early in the morning and I couldn't quite figure out what was going on when:
- new public and private keys "appeared" in Keychain
- a certificate was installed almost as soon as I plugged an iPhone in while running iPhone Config Util (iPCU, I now realize)
From the console:
Tue Jun 30 02:39:45 unknown mcmobiletunnel[363] <Warning>: added object <NSCFType: 0x1073d0> to keychain as iPCUHost-D3FA2B23-E0D0-4C42-A48B-DFXXXXXXXX-HostCert success 1 error 0
What it looks like is on connecting the iPhone "phoned home" and snagged a certificate and public and private keys to install on my MacBook Pro.
I deleted these not realizing who iPCUHost was (an earlier cert was marked as untrusted on a pass through my certs earlier).
OK: so *how* do I recreate the public/private keys? The certificates in Keychain?
Tried: downloading and re-installing iPCU
Tried: Time Machine to an earlier version of iPCU & using Software Update to update.
This is where things look unhappy in the iPCU console:
Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: received request 4: (\n RequestType\n), keys {\n RequestType = GetProfileList;\n}
Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: processing request 4: ((\n RequestType\n))
Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: sending reply {\n OrderedIdentifiers = (\n );\n ProfileManifest = {\n };\n ProfileMetadata = {\n };\n Status = Acknowledged;\n}
Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Error>: receive_message: Could not receive size of message: 0 Operation not permitted
Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: received request 4: (null), keys (null)
Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Error>: main: Could not receive request from host.
Tue Jun 30 03:48:21 unknown /usr/libexec/notification_proxy[426] <Error>: Could not receive size of message
Tue Jun 30 03:48:21 unknown /usr/libexec/notification_proxy[426] <Error>: Could not receive message
Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: received request 4: (\n RequestType\n), keys {\n RequestType = GetProfileList;\n}
Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: processing request 4: ((\n RequestType\n))
Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: sending reply {\n OrderedIdentifiers = (\n );\n ProfileManifest = {\n };\n ProfileMetadata = {\n };\n Status = Acknowledged;\n}
Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Error>: receive_message: Could not receive size of message: 0 Operation not permitted
Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: received request 4: (null), keys (null)
Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Error>: main: Could not receive request from host.
Thx
Jim
I'm in the same situation here. While trying out the iPCU, I noticed my test devices were showing up with a certificate of "iPCUHost...". I was hoping to replace this default cert with one from our own CA, and in the process of messing around I tried deleting all of those certs from my Keychain. They deleted just fine, and after a sync the cert also disappeared from the connected iPhone. Unfortunately, there is no obvious way to replace that cert and as of now, I cannot install any profile to the device that has had the cert removed. If I select the device and click "Install" on a profile, nothing happens... no errors, no console messages, it just does nothing.
I'm not quite sure how to replace the missing cert, and in particular how to replace it with one of our own rather than the default. Surely we don't have to actually develop a web service just to install certs... (see page 21 of the Enterprise Deployment Guide)
-mike -
NAC and SSL - fails to import password protected private key
I am attempting to import an SSL certificate on my CCA Manager and Server. I purchased a wild card SSL cert *.domain.com. The private key used to generate the certificate was created on a Cisco ACS 3.2 server and has a password. When attempting to import the private key into the CCA Manager the browser times out and no error is reported.
My guess is that it is waiting for the password to allow access to the private key. Unfortunately there is no place on the form and no pop-up to enter the password.
Is there a command line option for importing a private key that may work for me?
Thanks
Sherm
The best possible way is to generate a CSR from the CCA server and then purchase a certificate using that CSR. Then you don't have problems with private keys.
Regards
sathappan -
Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2 with WLP 7.0 SP2. Everything is fine except that we cannot use the same SSL certificate. By default the private key is not encrypted with a password (SSL.KeyEncrypted = false by default, according to the documentation) in both WLS 6.1 and WLS 7.0. But running the WLS 7.0 startup script results in the following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297> <Inconsistent security configuration, java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.>
java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.
at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:434)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the password? It was working, although KeyEncrypted is not set to true and the startup script for the WLS 6.1 instance did have a line with -Dweblogic.management.pkpassword. Or could this error be the result of something else? The physical machine the instances are located on is the same, and the IP address and the DNS entry haven't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto
Thanks Tony - it worked!!
"Tony" <TonyV> wrote in message news:[email protected]...
It may be because the private key is both unprotected and in DER format.
There are some things to try:
1) Convert the private key file from a DER file to a PEM file and try that:
a) Follow the instructions for converting an unprotected private key at:
http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
b) Look at the resulting PEM file, it should look something like this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(Be sure there are no extra lines or whitespace after the footer)
c) Change your configuration to point at the PEM file
If that doesn't work, then you can try protecting the key with a password using the wlkeytool utility (it should be in the server/bin directory). The tool should prompt for a password to use to protect it:
wlkeytool inputkey.pem outputkey.pem
Then change your configuration to use the protected private key, and set the password to use.
Tony
"Makoto Suzuki" <[email protected]> wrote in message
news:[email protected]...
Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2 with WLP 7.0 SP2. Everything is fine except that we cannot use the same SSL certificate. By default the private key is not encrypted with a password (SSL.KeyEncrypted = false by default, according to the documentation) in both WLS 6.1 and WLS 7.0. But running the WLS 7.0 startup script results in the following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297> <Inconsistent security configuration, java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.>
java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.
at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:434)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the password? It was working, although KeyEncrypted is not set to true and the startup script for the WLS 6.1 instance did have a line with -Dweblogic.management.pkpassword. Or could this error be the result of something else? The physical machine the instances are located on is the same, and the IP address and the DNS entry haven't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto -
In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
Since I know of no other way to get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this: the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in NetInfo. Any ideas on how to rectify this?
I believe you have to run Keychain Access as root to export the private key.
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
-
WebLogic and SSL: supplying private key password upon startup
Hello,
Does BEA have an API I can use to customize the WebLogic Server startup? I have
a password callback function that I would like the WebLogic Server to call when
it needs the password for decrypting the server certificate private key...
-- POCO
nope.. till now..
thanks
kiran
"POC" <[email protected]> wrote in message
news:3e258885$[email protected]..
Hello,
Does BEA have an API I can use to customize the WebLogic Server startup? I have a password callback function that I would like the WebLogic Server to call when it needs the password for decrypting the server certificate private key...
-- POCO -
Hello people,
I'm creating a program that needs to generate private keys.
I've found out that Java has built-in libraries that support this, so I've tried:
import java.security.*;

public class GenKey {
    public static void main(String[] args) throws Exception {
        // Generate a 1024-bit RSA key pair with the JDK's built-in provider
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(1024);
        KeyPair keypair = keyGen.genKeyPair();
        PrivateKey privateKey = keypair.getPrivate();
        PublicKey publicKey = keypair.getPublic();
    }
}
but after I set the privateKey I can't find a way to retrieve the actual numbers used in the private key (probably to prevent attacks...)
Eventually, all my app really needs is a table of, let's say, 100 private keys (each one as 2 big primes).
Is it possible for me to use java.security to do that?
Thanks for your time.
I still need small ones in the beginning. A modulus the size of 16 DWORDs is too big for me right now; I need something like 4.
I guess I have no escape but to generate them myself; the problem is that I probably won't do it professionally :(
Well - nobody will generate 32-bit RSA keys "professionally", because it'd take about 2 CPU minutes to break your keys when they're that small. 512 bits was acceptable in the eighties - current best-practice, IIRC, is 2048 bit keys for anything you're serious about protecting, and 4096-bit keys for anything you want to protect for extended periods of time.
Grant -
Hi Gurus,
Here is a situation I am finding it hard to solve. Any assistance will be helpful.
SSL is a transport level security solution and hence is independent of any application level protocol (whether a standard protocol like HTTP or LDAP, or a non-standard one like t3s).
I started my SSL skills with keystores for Weblogic and used keystore formats like JKS and JCEKS. Given that in an enterprise setup we use more infrastructure software than just Weblogic, now please assume a hypothetical scenario:
OS :: Windows
App Server #1 :: Weblogic
App Server #2 :: Websphere
App Server #3 :: Tomcat
Web Server #1 :: IIS
Web Server #2 :: Apache
Web Server #3 :: iPlanet
Web Server #4 :: IHS
SSH Server on Windows (it's possible and we use it)
(The reason to mention this ridiculous number of software packages is to highlight that they all use different types of keystores.)
Now given that I want to protect these services at the transport layer using SSL or TLS by using some valid X.509 certificate from an internal PKI suite, and the certificate will be for the hostname:
Is there a way I can standardize on a common format for keystore and a common format for private key? (Server cert and CA cert are almost a non-issue; having a .pem format is almost portable to any type of keystore.)
I want to keep SSL/TLS certs as a host resource and not dedicated to a particular software or keystore type...
There are some workarounds on the internet... they seem to be mostly around Java application servers and Sun keystore formats (JKS, JCEKS), and some Java code has to be written to create your own utility... or something like pkeytool etc....
Suggestions guys..
PKCS#1 1.5 definition:
RSAPrivateKey ::= SEQUENCE {
    version Version,
    modulus INTEGER, -- n
    publicExponent INTEGER, -- e
    privateExponent INTEGER, -- d
    prime1 INTEGER, -- p
    prime2 INTEGER, -- q
    exponent1 INTEGER, -- d mod (p-1)
    exponent2 INTEGER, -- d mod (q-1)
    coefficient INTEGER -- (inverse of q) mod p }
RSAParameters as documented in .NET Framework Class Library:
D Represents the D parameter for the RSA algorithm.
DP Represents the DP parameter for the RSA algorithm.
DQ Represents the DQ parameter for the RSA algorithm.
Exponent Represents the Exponent parameter for the RSA algorithm.
InverseQ Represents the InverseQ parameter for the RSA algorithm.
Modulus Represents the Modulus parameter for the RSA algorithm.
P Represents the P parameter for the RSA algorithm.
Q Represents the Q parameter for the RSA algorithm.
The KeySpec (CRT = Chinese Remainder Theorem):
RSAPrivateCrtKeySpec(BigInteger modulus,
    BigInteger publicExponent,
    BigInteger privateExponent,
    BigInteger primeP,
    BigInteger primeQ,
    BigInteger primeExponentP,
    BigInteger primeExponentQ,
    BigInteger crtCoefficient)
So we could try some guessing:
modulus <- Modulus
publicExponent <- Exponent
privateExponent <- D
primeP <- P
primeQ <- Q
primeExponentP <- DP
primeExponentQ <- DQ
crtCoefficient <- InverseQ
Try it and tell me if it worked. Good luck. -
Private key import via ImportPrivateKey
I used the Certificate web app included with WLS 7.0 SP1 to generate my private
key and my CSR. I then used the CSR to request a certificate from my Dept. of
Defense Certificate Authority. I received my certificate. I then tried to use
the WLS ImportPrivateKey utility to import my key with the following steps as
shown in the ImportPrivateKey reference example.
1) I used keytool -printcert to verify the contents of my servercert.pem file
and my CAcert.pem file.
2) I combined the certificate returned for my server with the CA's root certificate
cat servercert.pem CAcert.pem > combined.pem
3) I converted my private key file produced by the Certificate web app to pem
format using the WLS der2pem utility
4) I ran the Import utility
java utils.ImportPrivateKey serverkey.jks store_pwd key_alias key_pwd combined.pem
server_private_key.pem.
I received the following error.
ImportPrivateKey will create serverkey.jks
ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
ASN.1 tag
java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
Source)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
Does anyone have an idea where I went wrong? Can anyone offer an explanation?
Thanks
"Mallik" <[email protected]> wrote in message
news:3f3274e9$[email protected]..
I am trying to install weblogic generated ssl certificate and because the private
key needs to be encrypted with a password, i am loading this in a new JDK keystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
in hostnames. -
hey folks,
I would like to store a certificate's private key in a MySQL db.
My problem is that I don't know how to convert it back to a PrivateKey when I extract it from the db.
I use the function Base64.encode(userPrivKey.getEncoded()); (from org.bouncycastle.util.encoders.Base64) to store the private key base64 encoded in the db.
When I extract the key from the db I can decode it with Base64.decode(). The problem is that the decode function only returns a byte array.
So does anybody know how I can convert that byte array back to a private key?
Or is there any other (better) solution to store and retrieve private keys from a MySQL db?
many thanks
toto
I've been looking to do the same thing, and your code is helpful.
If you do not want to pull in the BouncyCastle library, you can extract the RSA private key from the PKCS8 key format by parsing the DER directly. Here is some code that does it. All you need to add is the Base64 encode, and RSA begin and end flags.
import java.util.*;
import java.io.*;

public class Pkcs8ToRsa {
    // rsaEncryption is { pkcs-1 1 }
    // pkcs-1 is { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) 1 }
    private static final byte[] OID_rsaEncryption = {
        (byte)0x2a, (byte)0x86, (byte)0x48, (byte)0x86,
        (byte)0xf7, (byte)0x0d, (byte)0x01, (byte)0x01,
        (byte)0x01 };
    private static final byte[] INTEGER_v1 = { (byte)0x00 };
    private static final int TAG_INTEGER = 0x02;
    private static final int TAG_OCTET_STRING = 0x04;
    private static final int TAG_OID = 0x06;
    private static final int TAG_SEQUENCE = 0x30;

    private byte[] buffer;
    private int offset;

    protected Pkcs8ToRsa(byte[] pkcs8key) {
        this.buffer = pkcs8key;
        this.offset = 0;
    }

    public static byte[] convert(byte[] pkcs8key) {
        return (new Pkcs8ToRsa(pkcs8key)).extractPrivateKey();
    }

    private int extractTag() {
        // Assume single octet tag
        return ((int)buffer[offset++]) & 0xff;
    }

    private void matchTag(int tag) {
        if (extractTag() != tag) {
            throw new IllegalArgumentException("Bad input");
        }
    }

    private int extractLength() {
        int lengthOfLength = ((int)buffer[offset++]) & 0xff;
        if ((lengthOfLength & 0x80) == 0) {
            // Single octet
            return lengthOfLength;
        } else {
            // Multiple-octet: the low 7 bits give the number of length octets that follow
            lengthOfLength = lengthOfLength & 0x7f;
            int length = 0;
            for (int i = 0; i < lengthOfLength; i++) {
                length = (length << 8) | (((int)buffer[offset++]) & 0xff);
            }
            return length;
        }
    }

    private void matchLength(int length) {
        if (extractLength() != length) {
            throw new IllegalArgumentException("Bad input");
        }
    }

    private byte[] extractValue(int length) {
        byte[] value = new byte[length];
        System.arraycopy(buffer, offset, value, 0, length);
        offset += length;
        return value;
    }

    private void matchValue(byte[] value) {
        // Compare the expected value octet by octet at the current offset
        for (int i = 0; i < value.length; i++) {
            if (buffer[offset + i] != value[i]) {
                throw new IllegalArgumentException("Bad input");
            }
        }
        offset += value.length;
    }

    public byte[] extractPrivateKey() {
        // Encoding should be
        // SEQUENCE {
        //     version INTEGER,
        //     privateKeyAlgorithm SEQUENCE {
        //         id OBJECT IDENTIFIER,
        //         Type OPTIONAL
        //     }
        //     privateKey OCTET STRING
        //     attributes [0] Attributes OPTIONAL
        // }
        // We are after the contents of privateKey

        // Outer sequence
        matchTag(TAG_SEQUENCE);
        int totalLength = extractLength();
        if ((offset + totalLength) > buffer.length) {
            throw new IllegalArgumentException("Bad input");
        }
        // Check version == v1
        matchTag(TAG_INTEGER);
        matchLength(INTEGER_v1.length);
        matchValue(INTEGER_v1);
        // Check algorithm
        matchTag(TAG_SEQUENCE);
        int algorithmLength = extractLength();
        int keyOffset = offset + algorithmLength;
        matchTag(TAG_OID);
        matchLength(OID_rsaEncryption.length);
        matchValue(OID_rsaEncryption);
        // Skip to privateKey (past any algorithm parameters)
        offset = keyOffset;
        // Get it.
        matchTag(TAG_OCTET_STRING);
        int keyLength = extractLength();
        if ((offset + keyLength) > buffer.length) {
            throw new IllegalArgumentException("Bad input");
        }
        return extractValue(keyLength);
    }
}
-
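An added example, not code from this thread or its posters: the same PKCS#8 to PKCS#1 extraction in Python, with a bounds check on every DER length, a check of the CRT relations between the RSAPrivateKey fields that the earlier PKCS#1 / RSAPrivateCrtKeySpec / RSAParameters mapping thread lists, and the Base64 plus RSA begin/end flags the post above says still need adding. The function names, the small DER encoder and the sample key built from two Mersenne primes are all constructed here so that it runs offline.

```python
import base64

# ---- minimal DER encoder, used only to build the constructed sample key ----
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:                                   # short-form length
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body   # long form: 0x8N + N length octets

def der_int(v):
    # (bit_length + 8) // 8 octets keeps the sign bit clear, as DER requires for positive INTEGERs
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
# PKCS#1 RSAPrivateKey field order. The Java RSAPrivateCrtKeySpec / .NET RSAParameters names, in the
# same order after version: modulus/Modulus, publicExponent/Exponent, privateExponent/D, primeP/P,
# primeQ/Q, primeExponentP/DP, primeExponentQ/DQ, crtCoefficient/InverseQ.
FIELDS = ("version", "modulus", "publicExponent", "privateExponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient")

def make_pkcs1(p, q, e):
    """Build a version-0 PKCS#1 RSAPrivateKey from two primes and a public exponent."""
    d = pow(e, -1, (p - 1) * (q - 1))
    vals = (0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return der_seq(*(der_int(v) for v in vals))

def wrap_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier { rsaEncryption, NULL }, OCTET STRING }"""
    alg = der_seq(der_tlv(0x06, OID_RSA_ENCRYPTION), der_tlv(0x05, b""))
    return der_seq(der_int(0), alg, der_tlv(0x04, pkcs1_der))

# ---- DER reader: what the Java Pkcs8ToRsa class does, with a bounds check on every length ----
def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the element at off; long-form lengths are handled."""
    if off + 2 > len(buf): raise ValueError("truncated element")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf): raise ValueError("bad length encoding")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf): raise ValueError("length runs past end of input")
    return tag, off, off + length

def children(buf, start, end):
    """Split a constructed element's value into (tag, value) pairs."""
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, bytes(buf[vs:ve])))
        start = ve
    return out

def pkcs8_to_pkcs1(pkcs8_der):
    """Unwrap PrivateKeyInfo and return the inner RSAPrivateKey DER; reject wrong version or algorithm."""
    tag, vs, ve = read_tlv(pkcs8_der, 0)
    kids = children(pkcs8_der, vs, ve)
    if tag != 0x30 or len(kids) < 3: raise ValueError("not a PrivateKeyInfo SEQUENCE")
    if kids[0] != (0x02, b"\x00"): raise ValueError("PrivateKeyInfo version must be 0")
    alg = children(kids[1][1], 0, len(kids[1][1])) if kids[1][0] == 0x30 else []
    if not alg or alg[0] != (0x06, OID_RSA_ENCRYPTION): raise ValueError("not an rsaEncryption key")
    if kids[2][0] != 0x04: raise ValueError("privateKey must be an OCTET STRING")
    return kids[2][1]

def parse_pkcs1(pkcs1_der):
    """Decode a two-prime RSAPrivateKey into a dict keyed by PKCS#1 field name."""
    tag, vs, ve = read_tlv(pkcs1_der, 0)
    kids = children(pkcs1_der, vs, ve)
    if tag != 0x30 or len(kids) != len(FIELDS) or any(t != 0x02 for t, _ in kids):
        raise ValueError("not a two-prime RSAPrivateKey")
    key = {name: int.from_bytes(v, "big") for name, (_, v) in zip(FIELDS, kids)}
    if key["version"] != 0: raise ValueError("unsupported RSAPrivateKey version")
    return key

def crt_consistent(k):
    """The relations every CRT field must satisfy; check them before trusting a converted key."""
    p, q, e, d = k["prime1"], k["prime2"], k["publicExponent"], k["privateExponent"]
    return (k["modulus"] == p * q
            and (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1
            and k["exponent1"] == d % (p - 1) and k["exponent2"] == d % (q - 1)
            and (k["coefficient"] * q) % p == 1)

def to_rsa_pem(pkcs1_der):
    """Base64 plus the RSA begin/end flags: the PEM form the tools in these threads expect."""
    b64 = base64.b64encode(pkcs1_der).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PRIVATE KEY-----", *body, "-----END RSA PRIVATE KEY-----", ""])

# Constructed sample: two Mersenne primes, big enough that the encoding needs long-form lengths.
SAMPLE_P, SAMPLE_Q, SAMPLE_E = 2**127 - 1, 2**89 - 1, 65537
SAMPLE_PKCS8 = wrap_pkcs8(make_pkcs1(SAMPLE_P, SAMPLE_Q, SAMPLE_E))

if __name__ == "__main__":
    inner = pkcs8_to_pkcs1(SAMPLE_PKCS8)
    print("CRT fields consistent:", crt_consistent(parse_pkcs1(inner)))
    print(to_rsa_pem(inner))
```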
A private key in my user name was created without my knowledge that expired after one month. It is in my keychain as a Root Certification in the System Keychain. I checked all of the Console logs and could not find any mention at the date and time of its creation. Concerned about malware, I also checked emails from that date and ran ClamXAV: nothing suspicious. I have Googled the issue thinking that someone else has noted this; no luck.
I hope it was not hacker activity. I checked another Mac in the house and there is no similar certificate. MacPro OS 10.8.5
Any Ideas?
Thanks
Use openssl to convert your private key into a PKCS#12 format file. keytool should be able to treat this file as a keystore. Then run keytool -importkeystore, specifying the PKCS#12 file as the source keystore.
-
Private key from 5.1 to 7.0
Hi, we're currently upgrading from WebLogic server 5.1 to 7.0. The private key generated by WLS 5.1 does not use any password, and can therefore not be used with 7.0.
Do I have to generate a new private key and order a new SSL certificate, or is there a way I can assign a password to my existing private key so I can continue using this ??
Thanx in advance !!!
Jan Espen Hansen
Thanks a lot Tony !!!!! This solved my problem.
JEH
"Tony" <TonyV> wrote in message news:[email protected]..
Incorrect PEM headers/footers can confuse the tool.
Double check that the header and footer for your PEM file match the contents of the data in the file.
If it was an unprotected RSA private key, the header and footer should look like this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
It should not say it is a certificate (which is the default for the der2pem utility), and it should not say it is an encrypted private key.
Tony
"a" <[email protected]> wrote in message news:3f9f7705$[email protected]..
Hi, and thank you for your answer. I've tried the tool you mention, but I get the following error message:
"Error parsing BER private key data 3000"
Since my private key is in .der format I have first run the weblogic util utils.der2pem on it, but I still get this error message.
Any ideas ??
JEH
"Tony" <TonyV> wrote in message news:[email protected]..
You should not have to generate a new key.
There is a native tool that is supplied on the WLS kit that can protect an unprotected private key for you:
wlkeytool inputkey.pem outputkey.pem
It will prompt for passwords, I believe that will do what you want.
Tools such as OpenSSL should also be able to protect the private key.
Tony
"Janne K" <[email protected]> wrote in message
news:[email protected]..
Hi, we're currently upgrading from WebLogic server 5.1 to 7.0. The private key generated by WLS 5.1 does not use any password, and can therefore not be used with 7.0
Do I have to generate a new private key and order a new SSL certificate, or is there a way I can assign a password to my existing private key so I can continue using this ??
Thanx in advance !!!
Jan Espen Hansen -
I have Weblogic Server Version 6.0. I created Private Key File using Certificate
Request Generator Servlet. It created the private key file (.der) file &
CSR using which I got the Trial Server Certificate from Verisign. I installed
the certificate (.pem) and configured the server. When I restarted the server
it gives the following EOFException while reading the Private Key File : (I gave
the Private Key password while generating the private key file from the servlet)
<Dec 21, 2001 7:43:08 PM GMT+05:30> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/mydomain/TTI-D066-key.der, java.io.EOFException>
java.io.EOFException
at weblogic.security.Utils.inputByte(Utils.java:133)
at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:398)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Thanks in advance for any solutions...
Regards,
Venkatesan
Hi,
please check if you provided the private key password which was used to create the file in the following property
-Dweblogic.management.pkpassword
on the command line correctly.
In addition, please set "Use Encrypted Keys" to "true" in the <server>->SSL tab of the admin console.
Maria
Developer Relations Engineer
BEA Support
Venkatesan schrieb in Nachricht <3c234536$[email protected]>...
I have Weblogic Server Version 6.0. I created Private Key File using Certificate
Request Generator Servlet. It created the private key file (.der) file &
CSR using which I got the Trial Server Certificate from Verisign. I installed
the certificate (.pem) and configured the server. When I restarted the server
it gives the following EOFException while reading the Private Key File : (I gave
the Private Key password while generating the private key file from the servlet)
<Dec 21, 2001 7:43:08 PM GMT+05:30> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/mydomain/TTI-D066-key.der, java.io.EOFException>
java.io.EOFException
at weblogic.security.Utils.inputByte(Utils.java:133)
at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:398)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Thanks in advance for any solutions...
Regards,
Venkatesan -
SSL CertGen & Private key import errors - 7.0
I am trying to install weblogic generated ssl certificate and because the private
key needs to be encrypted with a password, i am loading this in a new JDK keystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Created Private Key files - testkey.der and testkey.pem
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
I went ahead and ran the same CertGen on unix and got the certificate file and
the key file
to my box to check to see if i can install it. I created a new keystore with keytool,
loaded the private key with the alias and the password phrase, made this key store
the default keystore, supplied the management password, changed the files to read
the new cert file and key file.
Attached is the log for the SSL debug.
Do i need to import the private key stored in the JDK for weblogic ? I tried doing
that by running.
X:\>java utils.ImportPrivateKey X:\bea\user_projects\mydomain\mystore.jks mypass
myalias pvtPasswd X:\bea\user_projects\mydomain\localcert.pem X:\bea\user_projects\mydomain\localkey.pem
ImportPrivateKey will use existing X:\bea\user_projects\mydomain\mystore.jks
ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
ASN.1 tag
java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
Source)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
X:\>
Attached log is SSL debug enabled and it can't see the private key.
Any help is appreciated.
thanks,
mallik
[ssldebuglog.txt]
"Mallik" <[email protected]> wrote in message
news:3f3274e9$[email protected]..
I am trying to install weblogic generated ssl certificate and because the private
key needs to be encrypted with a password, i am loading this in a new JDK keystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
in hostnames.