Private key protection in Keychain

Hi!
I have a keypair for email in a MS environment (Entourage) so I know it is there and works.
Q1: When I open Keychain and expand my email certificate I can see that private key (RSA, 1024-bit) and it looks very much like being the 'real thing', i.e. in clear, not protected by any passphrase. Is that the case? If I export this, then a passphrase seems to be required.
Q2: How can I export only my public key part?
BR, Petri

This is what I do:
.- In Keychain Manager, create a new keychain (File->New Keychain). Choose any name you like (Confid in this example).
.- Move your sensitive keys from "login" to "Confid".
.- Change the properties to each private key, allowing their access in Access Control to each program (like Mail) which you want to use the keys with. Make sure you check "Ask for password" every time the programs access the key.
.- Finally, change the properties (Edit->Change Settings) of Confid. I use "Lock after 1 minute of inactivity" and "Lock when sleeping".
This way I am asked for a password every time that I try to sign a mail or read a ciphered message.
Good luck.

Similar Messages

  • Recover SSL private key?

    I have a bit of a dilemma since I tried to install an SSL certificate on my server that needs intermediate certs. Here's what I did:
    1) In Server Admin, create a new key for my domain and use that key to create a CSR to send to a certificate authority. (This creates a public key, a private key and a self-signed certificate in the system keychain on the server).
    2) Sent the CSR away and got the signed certificate back.
    3) Used Server Admin to add the signed certificate to the existing domain cert (this replaces the self-signed cert). Restart services etc.
    Here's the problem: the cert that I have needs intermediate certs installed in order to be functional- currently the certificate shows as an untrusted authority. If I delete the current certificate in Server Admin to start again from scratch, it will delete the private key that I need to reinstall. I downloaded the intermediate certificates from the CA's website, but now the certificate installed on the server can't be modified. Besides, there is no place to enter the intermediate certificates. My plan was to try to paste all the certs into the box where it asks for the new certificate, but no joy since it is now locked.
    I would like to create a new certificate (there is a place in there to install intermediate certs), but I'll need to get my private key out of Keychain Access into a pem formatted file but I can't seem to get the thing to export.
    Questions:
    1) Is there a way to export a private key from Keychain Access so that it can be used for server admin?
    2) Is there a way to get at this from the command line?
    3) Is there some other procedure that can magically fix this problem?
    Thanks,
    Miles

    Thanks,
    This is the part that I was looking for:
    Launch Keychain Access as root:
    sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &
    I then went here http://www.gridsite.org/wiki/Convert_p12 and converted the p12 to pem so I could use it in server admin.
    Thanks again,
    Miles

  • Deleted the public/private keys installed by iPCU & untrusted the certs

    Hi;
    it's early in the morning and i couldn't quite figure what was going on
    when:
    - new public and private keys "appeared" in keychain
    - a certificate was installed almost as soon as i plugged
    an iphone in while running iPhone Config Util (iPCU i now
    realize)
    From the console:
    Tue Jun 30 02:39:45 unknown mcmobiletunnel[363] <Warning>: added object <NSCFType: 0x1073d0> to keychain as iPCUHost-D3FA2B23-E0D0-4C42-A48B-DFXXXXXXXX-HostCert success 1 error 0
    What it looks like is on connecting the iPhone "phoned home" and snagged a certificate and public and private keys to install on my MacBook Pro.
    I deleted these not realizing who iPCUHost was (an earlier cert was marked as untrusted on a pass through my certs earlier).
    OK: so *how* do i recreate the public/private keys? the Certificates in Keychain?
    Tried: downloading and re-installing iPCU
    Tried: Time Machine to earlier version of iPCU & using Software update to Update.
    This is where things look unhappy in the iPCU console:
    Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: received request 4: (\n RequestType\n), keys {\n RequestType = GetProfileList;\n}
    Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: processing request 4: ((\n RequestType\n))
    Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: sending reply {\n OrderedIdentifiers = (\n );\n ProfileManifest = {\n };\n ProfileMetadata = {\n };\n Status = Acknowledged;\n}
    Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Error>: receive_message: Could not receive size of message: 0 Operation not permitted
    Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Warning>: received request 4: (null), keys (null)
    Tue Jun 30 03:42:36 unknown mcmobiletunnel[432] <Error>: main: Could not receive request from host.
    Tue Jun 30 03:48:21 unknown /usr/libexec/notification_proxy[426] <Error>: Could not receive size of message
    Tue Jun 30 03:48:21 unknown /usr/libexec/notification_proxy[426] <Error>: Could not receive message
    Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: received request 4: (\n RequestType\n), keys {\n RequestType = GetProfileList;\n}
    Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: processing request 4: ((\n RequestType\n))
    Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: sending reply {\n OrderedIdentifiers = (\n );\n ProfileManifest = {\n };\n ProfileMetadata = {\n };\n Status = Acknowledged;\n}
    Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Error>: receive_message: Could not receive size of message: 0 Operation not permitted
    Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Warning>: received request 4: (null), keys (null)
    Tue Jun 30 03:51:02 unknown mcmobiletunnel[446] <Error>: main: Could not receive request from host.
    Thx
    Jim

    I'm in the same situation here. While trying out the iPCU, I noticed my test devices were showing up with a certificate of "iPCUHost...". I was hoping to replace this default cert with one from our own CA, and in the process of messing around I tried deleting all of those certs from my Keychain. They deleted just fine, and after a sync the cert also disappeared from the connected iPhone. Unfortunately, there is no obvious way to replace that cert and as of now, I cannot install any profile to the device that has had the cert removed. If I select the device and click "Install" on a profile, nothing happens... no errors, no console messages, it just does nothing.
    I'm not quite sure how to replace the missing cert, and in particular how to replace it with one of our own rather than the default. Surely we don't have to actually develop a web service just to install certs... (see page 21 of the Enterprise Deployment Guide)
    -mike

  • NAC and SSL - fails to import password protected private key

    I am attempting to import an SSL certificate on my CCA Manager and Server. I purchased a wild card SSL cert *.domain.com. The private key used to generate the certificate was created on a Cisco ACS 3.2 server and has a password. When attempting to import the private key into the CCA Manager the browser times out and no error is reported.
    My guess is that it is waiting for the password to allow access to the private key. Unfortunately there is no place on the form and no pop-up to enter the password.
    Is there a command line option for importing a private key that may work for me?
    Thanks
    Sherm

    The best possible way is to generate a CSR from the CCA server and then purchase a certificate using that CSR. Then you don't have problems with private keys.
    Regards
    sathappan

  • SSL private key password

    Hello everyone,
    I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
    with WLP 7.0 SP2. Everything is fine except that we cannot use the same
    SSL certificate. By default the private key is not encrypted with password
    (SSL.KeyEncrypted = false by default, according to the documentations) in
    both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results in the
    following error:
    <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297> <Inconsistent security configuration, java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.>
    java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.
    at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:434)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
    at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
    at weblogic.Server.main(Server.java:32)
    Is this happening because the private key is actually encrypted with the
    password? It was working, although the KeyEncrypted is not set to true and
    the startup script for WLS 6.1 instance did have a line
    with -Dweblogic.management.pkpassword. Or could this error be a result of
    something else? The physical machine the instances are located on is the same
    and IP address and the DNS entry haven't been changed, either.
    Any insight will be greatly appreciated. Thanks!
    Makoto

    Thanks Tony - it worked!!
    "Tony" <TonyV> wrote in message news:[email protected]...
    It may be because the private key is both unprotected and in DER format.
    There are some things to try:
    1) Convert the private key file from a DER file to a PEM file and try that:
    a) Follow the for converting an unprotected private key at:
    http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
    b) Look at the resulting PEM file, it should look something like this:
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    (Be sure there are no extra lines or whitespace after the footer)
    c) Change your configuration to point at the PEM file
    If that doesn't work, then you can try protecting the key with a password using
    the wlkeytool utility (It should be in the server/bin directory). The tool should prompt
    for a password to use to protect it:
    wlkeytool inputkey.pem outputkey.pem
    Then change your configuration to use the protected private key, and set
    the password to use.
    Tony

  • Exporting SSL Private Key

    In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
    Since I know of no other way to get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this: the certs and public key export fine, the private key fails, returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?

    I believe you have to run Keychain Access as root to export the private key.
    sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

  • WebLogic and SSL: supplying private key password upon startup

    Hello,
    Does BEA have an API I can use to customize the WebLogic Server startup? I have
    a password callback function that I would like the WebLogic Server to call when
    it needs the password for decrypting the server certificate private key...
    -- POCO

    nope.. till now..
    thanks
    kiran

  • Private key

    Hello people,
    i'm creating a program that needs to generate private keys,
    i've found out that java has built in libraries that support this so i've tried:
                    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
                    keyGen.initialize(1024);
                    KeyPair keypair = keyGen.genKeyPair();
                    PrivateKey privateKey = keypair.getPrivate();
                    PublicKey publicKey = keypair.getPublic();
    but after i set the privateKey i can't find a way to retrieve the actual numbers used in the private key (probably to prevent attacks...)
    eventually, all my app really needs, is a table of , lets say, 100 private keys (each one as 2 big primes)
    is it possible for me to use the java.security to do that?
    thanks for your time.

    i still need small ones in the beginning. a modulus in
    the size of 16 DWORDS is too big for me right now, i
    need something like 4.
    i guess i have no escape but to generate them myself,
    the problem is that i probably won't do it
    professionally :(
    Well - nobody will generate 32-bit RSA keys "professionally", because it'd take about 2 CPU minutes to break your keys when they're that small. 512 bits was acceptable in the eighties - current best-practice, IIRC, is 2048 bit keys for anything you're serious about protecting, and 4096-bit keys for anything you want to protect for extended periods of time.
    Grant

  • Private Key Anomaly

    Hi Gurus,
    Here is a situation I am finding hard to solve. Any assistance will be helpful.
    SSL is a transport level security solution and hence is independent of any application level protocol (whether a standard protocol like HTTP, LDAP or non-standard like t3s).
    I started my SSL skills with keystores for Weblogic and used keystore formats like JKS and JCEKS. Given that in an enterprise setup we use more infrastructure softwares than just Weblogic. Now please assume a hypothetical scenario
    OS :: Windows
    App Server #1 :: Weblogic
    App Server #2 :: Websphere
    App Server #3 :: Tomcat
    Web Server #1 :: IIS
    Web Server #1 :: Apache
    Web Server #1 :: iPlanet
    Web Server #1 :: IHS
    SSH Server on Windows (its possible and we use it)
    (reason to mention this ridiculous number of softwares is to highlight that they all use different types of keystores)
    Now given that I want to protect these services at transport layer using SSL or TLS by using some valid x.509 certificate from an internal PKI suite and the certificate will be for the hostname.
    Is there a way I can standardize on a common format for keystore and common format for private key? (Server Cert and CA cert is almost a non issue, having a .pem format is almost portable to any type of keystore).
    I want to keep SSL/TLS certs as host resource and not dedicated to a particular software or keystore type...
    There are some workarounds in the internet...seems like they are mostly around java application servers and sun keystore formats (JKS, JCEKS) and some java code has to be written to create your own utility...or something like pkeytool etc....
    Suggestions guys..

    PKCS#1 1.5 definition:
       RSAPrivateKey ::= SEQUENCE {
         version Version,
         modulus INTEGER, -- n
         publicExponent INTEGER, -- e
         privateExponent INTEGER, -- d
         prime1 INTEGER, -- p
         prime2 INTEGER, -- q
         exponent1 INTEGER, -- d mod (p-1)
         exponent2 INTEGER, -- d mod (q-1)
         coefficient INTEGER -- (inverse of q) mod p }
    RSAParameters as documented in .NET Framework Class Library:
    D Represents the D parameter for the RSA algorithm.
    DP Represents the DP parameter for the RSA algorithm.
    DQ Represents the DQ parameter for the RSA algorithm.
    Exponent Represents the Exponent parameter for the RSA algorithm.
    InverseQ Represents the InverseQ parameter for the RSA algorithm.
    Modulus Represents the Modulus parameter for the RSA algorithm.
    P Represents the P parameter for the RSA algorithm.
    Q Represents the Q parameter for the RSA algorithm.
    The KeySpec (CRT = Chinese Remainder Theorem)
    RSAPrivateCrtKeySpec(BigInteger modulus, 
    BigInteger publicExponent,
    BigInteger privateExponent,
    BigInteger primeP,
    BigInteger primeQ,
    BigInteger primeExponentP,
    BigInteger primeExponentQ,
    BigInteger crtCoefficient)
    So we could try some guessing:
    modulus <- Modulus
    publicExponent <- Exponent
    privateExponent <- D
    primeP <- P
    primeQ <- Q
    primeExponentP <- DP
    primeExponentQ <- DQ
    crtCoefficient <- InverseQ
    Try it and tell me if it worked. Good luck.

  • Private key import via ImportPrivateKey

    I used the Certificate web app included with WLS 7.0 SP1 to generate my private
    key and my CSR. I then used the CSR to request a certificate from my Dept. of
    Defense Certificate Authority. I received my certificate. I then tried to use
    the WLS ImportPrivateKey utility to import my key with the following steps as
    shown in the ImportPrivateKey reference example.
    1) I used keytool -printcert to verify the contents of my servercert.pem file
    and my CAcert.pem file.
    2) I combined the certificate returned for my server with the CA's root certificate
    cat servercert.pem CAcert.pem > combined.pem
    3) I converted my private key file produced by the Certificate web app to pem
    format using the WLS der2pem utility
    4) I ran the Import utility
    java utils.ImportPrivateKey serverkey.jks store_pwd key_alias key_pwd combined.pem server_private_key.pem
    I received the following error.
    ImportPrivateKey will create serverkey.jks
    ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
    java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
    at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown Source)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
    at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
    Does anyone have an idea where I went wrong? Can anyone offer an explanation?
    Thanks

    "Mallik" <[email protected]> wrote in message
    news:3f3274e9$[email protected]..
    >
    I am trying to install weblogic generated ssl certificate and because the private
    key needs to be encrypted with a password, i am loading this in a new JDK keystore
    and trying to configure WL.
    I am running utils.CertGen from weblogic 7.0 sp3 on XP.
    X:\SSLTest>java utils.CertGen testpassword testcert testkey
    Creating Domestic Key Strength - 1024
    ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
    Encoding
    Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
    in hostnames.

  • Private key problem

    hey folks,
    i would like to store a certificate's private key in a mysql db.
    my problem is that i don't know how to convert it back to a PrivateKey when i extract it from the db.
    i use the function Base64.encode(userPrivKey.getEncoded()); (org.bouncycastle.util.encoders.Base64) to store the private key base64 encoded in the db.
    when i extract the key from the db i can decode it with Base64.decode(). the problem is that the decode function only returns a byte array.
    so does anybody know how i can convert that byte array back to a private key?
    or is there any other (better) solution to store and retrieve private keys from a mysql db?
    many thanks
    toto

    I've been looking to do the same thing, and your code is helpful.
    If you do not want to pull in the BouncyCastle library, you can extract the RSA private key from the PKCS8 key format by parsing the DER directly. Here is some code that does it. All you need to add is the Base64 encode, and RSA begin and end flags.
    import java.util.*;
    import java.io.*;
    public class Pkcs8ToRsa {
        // rsaEncryption is { pkcs-1 1 }
        // pkcs-1 is { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) 1 }
        private static final byte[] OID_rsaEncryption = {
            (byte)0x2a, (byte)0x86, (byte)0x48, (byte)0x86,
            (byte)0xf7, (byte)0x0d, (byte)0x01, (byte)0x01,
            (byte)0x01 };
        private static final byte[] INTEGER_v1 = { (byte)0x00 };
        private static final int TAG_INTEGER      = 0x02;
        private static final int TAG_OCTET_STRING = 0x04;
        private static final int TAG_OID          = 0x06;
        private static final int TAG_SEQUENCE     = 0x30;
        private byte[] buffer;
        private int offset;
        protected Pkcs8ToRsa(byte[] pkcs8key) {
            this.buffer = pkcs8key;
            this.offset = 0;
        }
        public static byte[] convert(byte[] pkcs8key) {
            return (new Pkcs8ToRsa(pkcs8key)).extractPrivateKey();
        }
        private int extractTag() {
            // Assume single octet tag
            return ((int)buffer[offset++]) & 0xff;
        }
        private void matchTag(int tag) {
            if (extractTag() != tag) {
                throw new IllegalArgumentException("Bad input");
            }
        }
        private int extractLength() {
            int lengthOfLength = ((int)buffer[offset++]) & 0xff;
            if ((lengthOfLength & 0x80) == 0) {
                // Single octet
                return lengthOfLength;
            } else {
                // Multiple-octet
                lengthOfLength = lengthOfLength & 0x7f;
                int length = 0;
                for (int i = 0; i < lengthOfLength; i++) {
                    length = (length << 8) | (((int)buffer[offset++]) & 0xff);
                }
                return length;
            }
        }
        private void matchLength(int length) {
            if (extractLength() != length) {
                throw new IllegalArgumentException("Bad input");
            }
        }
        private byte[] extractValue(int length) {
            byte[] value = new byte[length];
            System.arraycopy(buffer, offset, value, 0, length);
            offset += length;
            return value;
        }
        private void matchValue(byte[] value) {
            // Compare byte by byte against the expected value
            for (int i = 0; i < value.length; i++) {
                if (buffer[offset+i] != value[i]) {
                    throw new IllegalArgumentException("Bad input");
                }
            }
            offset += value.length;
        }
        public byte[] extractPrivateKey() {
            // Encoding should be
            // SEQUENCE {
            //   version INTEGER,
            //   privateKeyAlgorithm SEQUENCE {
            //     id OBJECT IDENTIFIER,
            //     Type OPTIONAL
            //   }
            //   privateKey OCTET STRING
            //   attributes [0] Attributes OPTIONAL
            // }
            // We are after the contents of privateKey
            // Outer sequence
            matchTag(TAG_SEQUENCE);
            int totalLength = extractLength();
            if ((offset + totalLength) > buffer.length) {
                throw new IllegalArgumentException("Bad input");
            }
            // Check version == v1
            matchTag(TAG_INTEGER);
            matchLength(INTEGER_v1.length);
            matchValue(INTEGER_v1);
            // Check algorithm
            matchTag(TAG_SEQUENCE);
            int algorithmLength = extractLength();
            int keyOffset = offset + algorithmLength;
            matchTag(TAG_OID);
            matchLength(OID_rsaEncryption.length);
            matchValue(OID_rsaEncryption);
            // Skip to privateKey
            offset = keyOffset;
            // Get it.
            matchTag(TAG_OCTET_STRING);
            int keyLength = extractLength();
            if ((offset + keyLength) > buffer.length) {
                throw new IllegalArgumentException("Bad input");
            }
            return extractValue(keyLength);
        }
    }
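
An added example, not code from any of the posts above: it covers the three Java questions in these threads, namely turning the Base64 text stored in a database back into a `PrivateKey`, reading the key's numbers, and the RSAParameters-to-`RSAPrivateCrtKeySpec` mapping guessed in the "Private Key Anomaly" reply. It uses only `java.security` and `java.util.Base64`; the class name `StoredKeyRoundTrip` and the in-memory string standing in for the database column are assumptions.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.Arrays;
import java.util.Base64;

public class StoredKeyRoundTrip {

    /** Base64 text -> PrivateKey. getEncoded() on an RSA private key yields PKCS#8 DER. */
    static PrivateKey fromStoredText(String base64Pkcs8) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Pkcs8);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Eight RSA numbers -> PrivateKey. Parameter names follow .NET RSAParameters;
     * the order is that of RSAPrivateCrtKeySpec and of PKCS#1 RSAPrivateKey.
     * When the fields arrive as .NET byte arrays (big-endian, unsigned), build each
     * value with new BigInteger(1, bytes) so a leading 1 bit is not read as a sign.
     */
    static PrivateKey fromComponents(BigInteger modulus, BigInteger exponent, BigInteger d,
                                     BigInteger p, BigInteger q, BigInteger dp,
                                     BigInteger dq, BigInteger inverseQ) throws Exception {
        // Reject swapped or mismatched fields before the key is ever used.
        BigInteger one = BigInteger.ONE;
        boolean consistent = p.multiply(q).equals(modulus)
                && d.mod(p.subtract(one)).equals(dp)       // exponent1 = d mod (p-1)
                && d.mod(q.subtract(one)).equals(dq)       // exponent2 = d mod (q-1)
                && q.modInverse(p).equals(inverseQ);       // coefficient = q^-1 mod p
        if (!consistent) {
            throw new IllegalArgumentException("RSA components do not belong together");
        }
        return KeyFactory.getInstance("RSA").generatePrivate(
                new RSAPrivateCrtKeySpec(modulus, exponent, d, p, q, dp, dq, inverseQ));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // What would be written to the database column (constructed here, no database).
        // This text is the unencrypted key: whoever can read the column holds the key.
        String stored = Base64.getEncoder().encodeToString(pair.getPrivate().getEncoded());

        // 1. Text from the database back to a usable PrivateKey.
        PrivateKey restored = fromStoredText(stored);
        System.out.println("PKCS#8 round trip identical: "
                + Arrays.equals(restored.getEncoded(), pair.getPrivate().getEncoded()));

        // 2. The numbers are reachable through the RSAPrivateCrtKey interface.
        RSAPrivateCrtKey crt = (RSAPrivateCrtKey) restored;
        System.out.println("p bits: " + crt.getPrimeP().bitLength()
                + ", q bits: " + crt.getPrimeQ().bitLength());

        // 3. Rebuild from the components, as when they arrive from another platform.
        PrivateKey rebuilt = fromComponents(crt.getModulus(), crt.getPublicExponent(),
                crt.getPrivateExponent(), crt.getPrimeP(), crt.getPrimeQ(),
                crt.getPrimeExponentP(), crt.getPrimeExponentQ(), crt.getCrtCoefficient());

        // The rebuilt key is the same key if its signature verifies under the
        // original public key.
        byte[] message = "constructed test message".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(rebuilt);
        signer.update(message);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pair.getPublic());
        verifier.update(message);
        System.out.println("Signature from rebuilt key verifies: " + verifier.verify(sig));
    }
}
```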

  • Private Key Created

    A private Key in my user name was created without my knowledge that expired after one month. It is in my keychain as a Root Certification in  the System Keychain. I checked all of the Console Logs and could not find any mention at the date and time of its creation. Concerned about Malware, I also checked emails from that date and ran ClamXAV -nothing suspicious. I have Googled the issue thinking that someone else has noted this-no luck.
    I hope it was not Hacker activity. I checked another Mac in the house and there is no similar Certificate. MacPro OS 10.8.5
    Any Ideas?
    Thanks

    Use openssl to convert your private key into a pkcs#12 format file. keytool should be able to treat this file as a keystore. Then run keytool -importkeystore, specifying the pkcs#12 file as the source keystore.

  • Private key from 5.1 to 7.0

    Hi, we're currently upgrading from WebLogic server 5.1 to 7.0. The private
    key generated by WLS 5.1 does not use any password, and can therefore not be
    used with 7.0
    Do I have to generate a new private key and order a new SSL certificate, or
    is there a way I can assign a password to my existing private key so I can
    continue using this ??
    Thanx in advance !!!
    Jan Espen Hansen

    Thanks a lot Tony !!!!! This solved my problem.
    JEH
    "Tony" <TonyV> wrote in message news:[email protected]..
    Incorrect PEM headers/footers can confuse the tool.
    Double check that the header and footer for your PEM file match the contents of the
    data in the file.
    If it was an unprotected RSA private key, the header and footer should look like
    this:
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    It should not say it is a certificate (which is the default for the der2pem
    utility), and it should not say it is an encrypted private key.
    Tony
    "a" <[email protected]> wrote in message news:3f9f7705$[email protected]..
    Hi, and thank you for your answer. I've tried the tool you mention, but I
    get the following error message:
    "Error parsing BER private key data 3000"
    Since my private key is in .der format I have first run the weblogic util
    utils.der2pem on it, but I still get this error message.
    Any ideas ??
    JEH
    "Tony" <TonyV> wrote in message news:[email protected]..
    You should not have to generate a new key.
    There is a native tool that is supplied on the WLS kit that can protect an
    unprotected private key for you:
    wlkeytool inputkey.pem outputkey.pem
    It will prompt for passwords, I believe that will do what you want.
    Tools such as OpenSSL should also be able to protect the private key.
    Tony
    "Janne K" <[email protected]> wrote in message
    news:[email protected]..
    Hi, we're currently upgrading from WebLogic server 5.1 to 7.0. The private
    key generated by WLS 5.1 does not use any password, and can therefore not be
    used with 7.0
    Do I have to generate a new private key and order a new SSL certificate, or
    is there a way I can assign a password to my existing private key so I can
    continue using this ??
    Thanx in advance !!!
    Jan Espen Hansen
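
An added example, not part of the thread or of WebLogic: a check for the two PEM problems Tony describes in this thread and in "SSL private key password" above, a BEGIN/END label that does not match the DER contents and stray lines after the footer. The class name `PemLabelCheck` is an assumption, the sample keys are generated on the spot, and only the three private-key structures are recognized.

```java
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemLabelCheck {

    private static final Pattern PEM = Pattern.compile(
            "-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----(.*)", Pattern.DOTALL);

    /** One DER element: its tag octet and content bytes. */
    static final class Tlv {
        final int tag;
        final byte[] value;
        Tlv(int tag, byte[] value) { this.tag = tag; this.value = value; }
    }

    /** Split DER bytes into consecutive elements (single-octet tags, definite lengths). */
    static List<Tlv> readAll(byte[] der) {
        List<Tlv> out = new ArrayList<>();
        int pos = 0;
        while (pos < der.length) {
            if (der.length - pos < 2) throw new IllegalArgumentException("truncated header");
            int tag = der[pos++] & 0xff;
            int len = der[pos++] & 0xff;
            if ((len & 0x80) != 0) {            // long form: the next n octets hold the length
                int n = len & 0x7f;
                if (n == 0 || n > 4 || n > der.length - pos)
                    throw new IllegalArgumentException("bad length field");
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xff);
            }
            if (len < 0 || len > der.length - pos)
                throw new IllegalArgumentException("length runs past end of data");
            out.add(new Tlv(tag, Arrays.copyOfRange(der, pos, pos + len)));
            pos += len;
        }
        return out;
    }

    /** PEM label that fits the DER structure, judged by the tags inside the outer SEQUENCE. */
    static String labelFor(byte[] der) {
        List<Tlv> top = readAll(der);
        if (top.size() != 1 || top.get(0).tag != 0x30) return "UNRECOGNIZED";
        List<Tlv> f = readAll(top.get(0).value);
        // PKCS#1 RSAPrivateKey: version followed by eight INTEGERs
        if (f.size() >= 9 && f.get(0).tag == 0x02 && f.get(1).tag == 0x02)
            return "RSA PRIVATE KEY";
        // PKCS#8 PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING
        if (f.size() >= 3 && f.get(0).tag == 0x02 && f.get(1).tag == 0x30 && f.get(2).tag == 0x04)
            return "PRIVATE KEY";
        // PKCS#8 EncryptedPrivateKeyInfo: AlgorithmIdentifier, OCTET STRING
        if (f.size() == 2 && f.get(0).tag == 0x30 && f.get(1).tag == 0x04)
            return "ENCRYPTED PRIVATE KEY";
        return "UNRECOGNIZED";
    }

    /** Findings for one PEM text; an empty list means label, footer and contents agree. */
    static List<String> check(String pem) {
        List<String> findings = new ArrayList<>();
        Matcher m = PEM.matcher(pem);
        if (!m.find()) { findings.add("no PEM block found"); return findings; }
        String begin = m.group(1), body = m.group(2), end = m.group(3), tail = m.group(4);
        if (!begin.equals(end)) findings.add("BEGIN and END labels differ");
        if (!tail.matches("\\r?\\n?")) findings.add("extra lines or whitespace after the footer");
        if (body.contains("Proc-Type:")) {
            findings.add("passphrase-encrypted legacy PEM body, contents not inspected");
            return findings;
        }
        try {
            String actual = labelFor(Base64.getMimeDecoder().decode(body));
            if (!actual.equals(begin)) findings.add("label says " + begin + ", contents are " + actual);
        } catch (IllegalArgumentException e) {
            findings.add("body is not well-formed DER: " + e.getMessage());
        }
        return findings;
    }

    /** Wrap DER bytes in a PEM block with the given label (used to build the samples). */
    static String pem(String label, byte[] der) {
        return "-----BEGIN " + label + "-----\n"
                + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der)
                + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key that is never printed.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        byte[] pkcs8 = gen.generateKeyPair().getPrivate().getEncoded();
        // The PKCS#1 RSAPrivateKey is the content of the OCTET STRING inside PKCS#8.
        byte[] pkcs1 = readAll(readAll(pkcs8).get(0).value).get(2).value;

        System.out.println("correct label:        " + check(pem("RSA PRIVATE KEY", pkcs1)));
        System.out.println("key labelled as cert: " + check(pem("CERTIFICATE", pkcs1)));
        System.out.println("PKCS#8, PKCS#1 label: " + check(pem("RSA PRIVATE KEY", pkcs8)));
        System.out.println("lines after footer:   " + check(pem("RSA PRIVATE KEY", pkcs1) + "  \n\n"));
    }
}
```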

  • Private Key File problem

    I have Weblogic Server Version 6.0. I created Private Key File using Certificate
    Request Generator Servlet. It created the private key file (.der) file &
    CSR using which I got the Trial Server Certificate from Verisign. I installed
    the certificate (.pem) and configured the server. When I restarted the server
    it gives the following EOFException while reading the Private Key File : (I gave
    the Private Key password while generating the private key file from the servlet)
    <Dec 21, 2001 7:43:08 PM GMT+05:30> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/mydomain/TTI-D066-key.der, java.io.EOFException>
    java.io.EOFException
    at weblogic.security.Utils.inputByte(Utils.java:133)
    at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:398)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    Thanks in advance for any solutions...
    Regards,
    Venkatesan

    Hi,
    please check if you provided the private key password which was used to
    create the file in the following property
    -Dweblogic.management.pkpassword
    on the command line correctly.
    In addition, please check "Use Encrypted Keys" to "true" in <server>->SSL
    tab from the admin console.
    Maria
    Developer Relations Engineer
    BEA Support
    Venkatesan schrieb in Nachricht <3c234536$[email protected]>...
    >
    I have Weblogic Server Version 6.0. I created Private Key File using Certificate
    Request Generator Servlet. It created the private key file (.der) file &
    CSR using which I got the Trial Server Certificate from Verisign. I installed
    the certificate (.pem) and configured the server. When I restarted the server
    it gives the following EOFException while reading the Private Key File : (I gave
    the Private Key password while generating the private key file from the servlet)
    >
    <Dec 21, 2001 7:43:08 PM GMT+05:30> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/mydomain/TTI-D066-key.der, java.io.EOFException>
    java.io.EOFException
    at weblogic.security.Utils.inputByte(Utils.java:133)
    at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:398)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    Thanks in advance for any solutions...
    Regards,
    Venkatesan

  • SSL CertGen & Private key import errors - 7.0

    I am trying to install weblogic generated ssl certificate and because the private
    key needs to be encrypted with a password, I am loading this in a new JDK keystore
    and trying to configure WL.
    I am running utils.CertGen from weblogic 7.0 sp3 on XP.
    X:\SSLTest>java utils.CertGen testpassword testcert testkey
    Creating Domestic Key Strength - 1024
    ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
    Encoding
    Created Private Key files - testkey.der and testkey.pem
    com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable to encode X500Name.
    at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
    at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
    at utils.CertGen.createCertificateRequest(CertGen.java:312)
    at utils.CertGen.processCommand(CertGen.java:185)
    at utils.CertGen.main(CertGen.java:170)
    com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable to encode X500Name.
    at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
    at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
    at utils.CertGen.createCertificateRequest(CertGen.java:312)
    at utils.CertGen.processCommand(CertGen.java:185)
    at utils.CertGen.main(CertGen.java:170)
    I went ahead and ran the same CertGen on unix and got the certificate file and
    the key file to my box to check to see if I can install it. I created a new keystore
    with keytool, loaded the private key with the alias and the password phrase, made
    this key store the default keystore, supplied the management password, changed the
    files to read the new cert file and key file.
    Attached is the log for the SSL debug.
    Do I need to import the private key stored in the JDK for weblogic? I tried doing
    that by running:
    X:\>java utils.ImportPrivateKey X:\bea\user_projects\mydomain\mystore.jks mypass myalias pvtPasswd X:\bea\user_projects\mydomain\localcert.pem X:\bea\user_projects\mydomain\localkey.pem
    ImportPrivateKey will use existing X:\bea\user_projects\mydomain\mystore.jks
    ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
    java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
    at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown Source)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
    at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
    at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
    X:\>
    Attached log is SSL debug enabled and it can't see the private key.
    Any help is appreciated.
    thanks,
    mallik
    [ssldebuglog.txt]

    "Mallik" <[email protected]> wrote in message
    news:3f3274e9$[email protected]..
    >
    I am trying to install weblogic generated ssl certificate and because the private
    key needs to be encrypted with a password, I am loading this in a new JDK keystore
    and trying to configure WL.
    I am running utils.CertGen from weblogic 7.0 sp3 on XP.
    X:\SSLTest>java utils.CertGen testpassword testcert testkey
    Creating Domestic Key Strength - 1024
    ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
    Encoding
    Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
    in hostnames.
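
Both threads above fail inside an ASN.1 reader while a private-key file is being loaded (an EOFException in the first, "Unxpected ASN.1 tag" in the second). The following is an added example, not code from the posts or from WebLogic: it reads only the outer structure of a key file and reports which container it is, or whether the data ends early or starts with the wrong tag. The function names and the sample byte strings are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("data ends before tag and length")
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first           # short form: length in one byte
    if first >= 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad or cut-off length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):            # value runs past the end of the data
        raise ValueError(f"header claims {length} bytes, {len(buf) - pos} present")
    return tag, pos, pos + length

def classify_der(der):
    """Name the private-key structure by the tags of its first two fields."""
    try:
        tag, start, _ = read_tlv(der)
        if tag != 0x30:
            return f"unexpected outer tag 0x{tag:02x} (want SEQUENCE 0x30)"
        t1, _, end1 = read_tlv(der, start)
        t2, _, _ = read_tlv(der, end1)
    except ValueError as exc:
        return f"unreadable DER: {exc}"
    kinds = {(0x30, 0x04): "PKCS#8 EncryptedPrivateKeyInfo (password required)",
             (0x02, 0x30): "PKCS#8 PrivateKeyInfo (unencrypted)",
             (0x02, 0x02): "PKCS#1 RSAPrivateKey (unencrypted)"}
    return kinds.get((t1, t2), "SEQUENCE, but not a known private-key layout")

def classify_key(data):
    """Classify a key file given as bytes, PEM or DER."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if not m:
        return "DER: " + classify_der(data)
    label, body = m.group(1).decode(), m.group(2)
    if b"Proc-Type: 4,ENCRYPTED" in body:  # legacy OpenSSL encrypted PEM
        return f"PEM {label}: encrypted (password required)"
    return f"PEM {label}: " + classify_der(base64.b64decode(body))

# Constructed skeletons: real tags and lengths, filler contents, not usable keys.
ALG = bytes.fromhex("300d06092a864886f70d0101010500")   # AlgorithmIdentifier
PKCS1 = bytes.fromhex("3007020100020200c3")               # SEQUENCE{INTEGER, INTEGER}
PKCS8 = bytes.fromhex("301d020100") + ALG + bytes.fromhex("0409") + PKCS1
ENCRYPTED = bytes.fromhex("3015") + ALG + bytes.fromhex("04045a5a5a5a")
CUT_OFF = bytes.fromhex("3082025c020100")                 # 604 bytes promised, 3 present
```

To check a real file, pass its contents: `classify_key(open(path, "rb").read())`. The check looks only at structure, so it never needs the key's password.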
