Problem signing certificates from external token (smart card)
I can not sign PDF documents with an external token (smart card) through a card reader of a Cherry keyboard.
The card drivers perfectly detect the card and certificates in it, however when trying to sign a certificate in Adobe and select the location of the certificate click in the option "A device attached to this computer" ... I get an error indicating that no device is connected to the computer appears.
I have tried several different card readers, it seems a problem of drives because the middleware card recognizes all tested certificates readers, however it seems that Adobe is not able to find the card reader. It has happened with several teams. In one team made a clone and deploy it to another machine with the same hardware environment, the firm run properly in the pdf that clone, however on the original computer is not working.
You have any idea what could be the problem? Thank you very much in advance.
If the digital ID's corresponding public-key certificate is not getting added to either the Windows Certificate Store, or Mac Keychain Access when you plug the card into the card reader, then you need to load the PKCS#11 module via the Acrobat UI. The module will be a DLL on Windows or a bundle file on the Mac. The problem is there is no one file name to look for, you would need to consult the hardware's documentation to find the name of the file. Once you know the name you can add the P11 module from the Security Settings dialog and then Acrobat will then see the digital ID(s) loaded on the smart card.
Steve
Similar Messages
-
KDC Event ID 29 - The KDC cannot find a suitable certificate to use for smart card logons...
I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate, that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-lvel domain. None of the other domain controllers , which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.Hi,
I have checked the file. Here is my findings:
1. The computer name of the domain controllers are different in this dcinfo.txt file. There is no Swampoak. I would like to confirm which one is Windows Server 2008 domain controller.
2. The domain controller Buckeye and Madrone both have 2 KDC certificates, one is expired and the other one is valid:
*** Testing DC[0]: MADRONE
** KDC Certificates for DC MADRONE
Certificate 0: -à Valid
Serial Number: 116bbdd90000000000b6
Issuer: ***
NotBefore: 12/15/2008 2:28 AM
NotAfter: 12/15/2009 2:28 AM
Subject: CN=madrone.****
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Certificate 1: --à Expired
Serial Number: 15c2f00b000000000028
Issuer: ****
NotBefore: 3/9/2007 3:05 PM
NotAfter: 3/8/2008 3:05 PM
Subject: EMPTY (DNS Name=madrone.****)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
*** Testing DC[1]: BUCKEYE
** KDC Certificates for DC BUCKEYE
Certificate 0: -à Expired
Serial Number: 15c4ddc2000000000029
Issuer: *****
NotBefore: 3/9/2007 3:07 PM
NotAfter: 3/8/2008 3:07 PM
Subject: EMPTY (DNS Name=buckeye.****)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
Certificate 1: -à Valid
Serial Number: 115f34ec0000000000b4
Issuer: ****
NotBefore: 12/15/2008 2:15 AM
NotAfter: 12/15/2009 2:15 AM
Subject: CN=buckeye.****
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Suggestion:
1. Please delete the expired certificate and then reboot the domain controller and test the issue again.
2. If the issue persists, please request a new Domain Controller Authentication certificate on the domian controller and check the result. -
Hi,
I Build an Lync 2013 set up with FEpool, Director pool and Exchange server is integrated. I have windows 8 client machine, with Lync client installed. When I try to login to the lync client, I am getting error like"There was a problem verifying
certificate from the server".
When I installed ROOT CA cert manually on client machine I am able to login to the lync client. similarly if I add my client machine in my domain, I am able to login to the Lync client.
Now is there any other way to send the certificate automatically to the client machine (Which are NOT part of the DOMAIN) from the server, instead of manual installation process.
Please help me troubleshoot this problemAgree with S Guna, there is no easy way to push a certificate automatically to a client that you don't control other than building an installer package and asking them to run it. In this situation, if there are a lot of non-domain joined machines
a third party certificate is the way you need to go.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications -
How to get alias name of stored certificate from iKey token 2032
Hi All,
Below is my code woks well to use the same keypair for both encrypt/decryprt-SunPKCS#11 in SDK1.5. In my code i hard coded alias name of certificate, kindly tell me how to read alias name of certificate from iKey token 2032??
import java.io.*;
import java.util.*;
import java.lang.*;
import java.sql.*;
import java.text.*;
import java.math.*;
import java.security.*;
import java.security.cert.*;
import java.security.interfaces.*;
import javax.crypto.interfaces.*;
import javax.net.ssl.*;
import javax.crypto.*;
import javax.crypto.spec.DESKeySpec;
import java.security.KeyStore.*;
public class Encrypt
public Encrypt(){}
public void loginToken() {
Provider p = new sun.security.pkcs11.SunPKCS11(MQConfig.getvalue("SecurityPropertyPath"));
String myAlias = "349eefd1-845b-4ba4-9f88-06e9f5cb82f6";
/** to view alias name
keytool -list -v -keystore NONE -storetype PKCS11 -storepass PASSWORD
Security.addProvider(p);
KeyStore ks = null;
PrivateKey privKey = null;
PublicKey pubKey = null;
try{
String password = General.ReadFiles(MQConfig.getvalue("logFilePath"),"Simple");
password = password.trim();
char pin[] = password.toCharArray();
ks = KeyStore.getInstance("pkcs11");
ks.load(null,pin);
java.security.cert.Certificate cert = ks.getCertificate(myAlias);
Key key = ks.getKey(myAlias, pin);
if(PrivateKey.class.isInstance(key)) {
privKey = (PrivateKey)key;
pubKey = cert.getPublicKey();
FileInputStream in = new FileInputStream("C:\\ReportDBBE.properties");
FileOutputStream out = new FileOutputStream("C:\\ReportDBAE.properties");
Cipher cp=Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
cp.init(cp.ENCRYPT_MODE,pubKey);
CipherOutputStream cout=new CipherOutputStream(out,cp);
byte[] input=new byte[8];
int byteread=in.read(input);
while(byteread!=-1){
cout.write(input,0,byteread);
byteread=in.read(input);
cout.flush();
in.close();
cout.close();
catch(NoSuchAlgorithmException nsae)
System.out.println("No Such Algorithm Exception " + nsae.getMessage());
catch(NoSuchPaddingException nspe)
System.out.println("No Such Padding Exception " + nspe.getMessage());
catch(InvalidKeyException ike)
System.out.println("Invalid Key Exception " + ike.getMessage());
ike.printStackTrace();
catch(IllegalStateException ise)
System.out.println("Illegal State Exception " + ise.getMessage());
catch(KeyStoreException kse)
System.out.println("Key Store Exception " + kse.getMessage());
catch(CertificateException ce)
System.out.println("Certificate Exception " + ce.getMessage());
catch(IOException ioe)
System.out.println("IO Exception " + ioe.getMessage());
catch(UnrecoverableKeyException unrke)
System.out.println("Unrecoverable Key Exception " + unrke.getMessage());
public static void main (String args[]) throws Exception {
try{
Encrypt tl = new Encrypt();
tl.loginToken();
}catch(Exception e){
e.printStackTrace();
Your help is very much appreciated!!!!Hi All,
Now i managed to get alias name.
char pin[] = password.toCharArray();
ks = KeyStore.getInstance("pkcs11");
ks.load(null,pin);
Enumeration ea = ks.aliases();
while(ea.hasMoreElements()) {
myAlias = (String)ea.nextElement();
} -
Profile Manager Code Signing Certificate from GoDaddy .spc
Convert the .spc to .cer for Profile Manager compatability.
Thought I'd share how to convert a code signing certificate acquired from go daddy as it downloads as a .spc file that Profile manager will not accept.
When you download your code signing certificate from go daddy it will be a .spc file as stated above, and profile manager needs a .cer file.
Take your .zip file over to a Windows 7 or better PC and double-click the .zip file.
Then double-click the enclosed certificate.
This will open the windows certmgr.
Expand the certificate and locate your certificate (Should be the one with your company name )
Right-Click the desired certificate, select all tasks, then Export
Export the certificate as a DER .cer file.
Now copy the exported .cer certificate to your Server App/Certificates and import it into the Pending Certificate.
Once that's done also add the .cer certificate to your keychain.
Remember to replace the expiring certificate if applicable
LJSAfter loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already.
Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap. (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
{FWIW, this is a user forum and the folks from Apple may or may not see your report. If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.} -
Problem signing PDF from smart card - BouncyCastle, IAIK Wrapper, iText
Hello!
I need to sign and timestamp a PDF document with a smartcard. I'm using Java 1.6, iText to manage PDF, BouncyCastle to deal with cryptography and the free IAIK WRAPPER to access the smartcard.
I've already searched the Internet to solve my problem, read the PDF specifications about the signature and followed snippets that should've worked, but after a couple of weeks I still don't have working code, not even for the signature. All the tries I made yield messages like "Signature has been corrupted" or "Invalid signature" (I can't remember the exact messages, but they're not in English anyway :D ) when I verify the signature in Adobe Reader.
My first goal was to use an encapsulated signature, using filter Adobe.PPKLITE, subfilter adbe.pkcs7.sha1 and a DER-Encoded PKCS#7 object as content.
Among the tries I made, I used code such as (I don't include all modifications, just the ones I deem closer to the right approach):
// COMMON - START
///// selectedKey is a iaik.pkcs.pkcs11.objects.Key instance of the private key I'm taking from the SC
RSAPrivateKey signerPrivKey=(RSAPrivateKey)selectedKey;
CertificateFactory certificateFactory=CertificateFactory.getInstance("X.509");
///// correspondingCertificate is a iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate instance of the certificate I'm taking from the SC
byte[] derEncodedCertificate=correspondingCertificate.getValue().getByteArrayValue();
X509Certificate signerCert=(X509Certificate)certificateFactory.generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
Provider provider=new BouncyCastleProvider();
Security.addProvider(provider);
///// session is an instance of iaik.pkcs.pkcs11.Session
session.signInit(Mechanism.SHA1_RSA_PKCS, signerPrivKey);
File theFile = new File("C:\\toSign.pdf");
FileInputStream fis = new FileInputStream(theFile);
byte[] contentData = new byte[(int) theFile.length()];
fis.read(contentData);
fis.close();
PdfReader reader = new PdfReader(contentData);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
PdfStamper stp = PdfStamper.createSignature(reader, baos, '\0');
PdfSignatureAppearance sap = stp.getSignatureAppearance();
// COMMON - END
java.security.cert.X509Certificate[] certs=new java.security.cert.X509Certificate[1];
CertificateFactory factory=CertificateFactory.getInstance("X.509");
certs[0]=(X509Certificate)factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
sap.setSignDate(new GregorianCalendar());
sap.setCrypto(null, certs, null, null);
sap.setReason("This is the reason");
sap.setLocation("This is the Location");
sap.setContact("This is the Contact");
sap.setAcro6Layers(true);
PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_SHA1);
dic.setDate(new PdfDate(sap.getSignDate()));
dic.setName(PdfPKCS7.getSubjectFields((X509Certificate)certs[0]).getField("CN"));
sap.setCryptoDictionary(dic);
int csize = 4000;
HashMap exc = new HashMap();
exc.put(PdfName.CONTENTS, new Integer(csize * 2 + 2));
sap.preClose(exc);
MessageDigest md = MessageDigest.getInstance("SHA1");
InputStream s = sap.getRangeStream();
int read = 0;
byte[] buff = new byte[8192];
while ((read = s.read(buff, 0, 8192)) > 0)
md.update(buff, 0, read);
byte[] signature=session.sign(buff);
CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
ArrayList list = new ArrayList();
for (int i = 0; i < certs.length; i++)
list.add(certs);
CertStore chainStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(list), provider);
generator.addCertificatesAndCRLs(chainStore);
CMSProcessable content = new CMSProcessableByteArray(md.digest());
CMSSignedData signedData = generator.generate(CMSSignedDataGenerator.ENCRYPTION_RSA, content, true, provider);
byte[] pk = signedData.getEncoded();
byte[] outc = new byte[csize];
PdfDictionary dic2 = new PdfDictionary();
System.arraycopy(pk, 0, outc, 0, pk.length);
dic2.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
sap.close(dic2);
File newOne = new File("C:\\signed.pdf");
FileOutputStream fos = new FileOutputStream(newOne);
fos.write(baos.toByteArray());
fos.close();
I figured this is the right approach, but I need a way to generate the CMSSignedData instance, which can't be done using addSigner (the only documented way I found), since the private key is not extractable from a smart card...
Then I decided to give up and try with a detached signature:
// COMMON - START
// Same as above
// COMMON - END
sap.setSignDate(new GregorianCalendar());
java.security.cert.X509Certificate[] certs=new java.security.cert.X509Certificate[1];
CertificateFactory factory=CertificateFactory.getInstance("X.509");
certs[0]=(X509Certificate)factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED);
sap.setSignDate(java.util.Calendar.getInstance());
sap.setExternalDigest (new byte[8192], new byte[20], "RSA");
sap.preClose();
MessageDigest messageDigest = MessageDigest.getInstance ("SHA1");
byte buff[] = new byte[8192];
int n;
InputStream inp = sap.getRangeStream ();
while ((n = inp.read (buff)) > 0)
messageDigest.update (buff, 0, n);
byte hash[] = messageDigest.digest();
byte[] signature=session.sign(hash);
PdfSigGenericPKCS sg = sap.getSigStandard ();
PdfLiteral slit = (PdfLiteral)sg.get (PdfName.CONTENTS);
byte[] outc = new byte[(slit.getPosLength () - 2) / 2];
PdfPKCS7 sig = sg.getSigner ();
sig.setExternalDigest (session.sign(hash), hash, "RSA");
PdfDictionary dic = new PdfDictionary ();
byte[] ssig = sig.getEncodedPKCS7();
System.arraycopy (ssig, 0, outc, 0, ssig.length);
dic.put (PdfName.CONTENTS, new PdfString (outc).setHexWriting(true));
sap.close (dic);
File newOne = new File("C:\\signed.pdf");
FileOutputStream fos = new FileOutputStream(newOne);
fos.write(baos.toByteArray());
fos.close();
I'm still stuck to the signature process, can anyone please tell me what I'm doing wrong and help me (snippets would be deeply appreciated), maybe even changing approach in order to be able to add a digital timestamp?
Thank you very much in advance!
PS: I had also tried to use the SunPKCS11 provider to access the smart card, I gave up for similar problems, but if someone has suggestions using it, they're welcome! :DHello!
I need to sign and timestamp a PDF document with a smartcard. I'm using Java 1.6, iText to manage PDF, BouncyCastle to deal with cryptography and the free IAIK WRAPPER to access the smartcard.
I've already searched the Internet to solve my problem, read the PDF specifications about the signature and followed snippets that should've worked, but after a couple of weeks I still don't have working code, not even for the signature. All the tries I made yield messages like "Signature has been corrupted" or "Invalid signature" (I can't remember the exact messages, but they're not in English anyway :D ) when I verify the signature in Adobe Reader.
My first goal was to use an encapsulated signature, using filter Adobe.PPKLITE, subfilter adbe.pkcs7.sha1 and a DER-Encoded PKCS#7 object as content.
Among the tries I made, I used code such as (I don't include all modifications, just the ones I deem closer to the right approach):
// COMMON - START
///// selectedKey is a iaik.pkcs.pkcs11.objects.Key instance of the private key I'm taking from the SC
RSAPrivateKey signerPrivKey=(RSAPrivateKey)selectedKey;
CertificateFactory certificateFactory=CertificateFactory.getInstance("X.509");
///// correspondingCertificate is a iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate instance of the certificate I'm taking from the SC
byte[] derEncodedCertificate=correspondingCertificate.getValue().getByteArrayValue();
X509Certificate signerCert=(X509Certificate)certificateFactory.generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
Provider provider=new BouncyCastleProvider();
Security.addProvider(provider);
///// session is an instance of iaik.pkcs.pkcs11.Session
session.signInit(Mechanism.SHA1_RSA_PKCS, signerPrivKey);
File theFile = new File("C:\\toSign.pdf");
FileInputStream fis = new FileInputStream(theFile);
byte[] contentData = new byte[(int) theFile.length()];
fis.read(contentData);
fis.close();
PdfReader reader = new PdfReader(contentData);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
PdfStamper stp = PdfStamper.createSignature(reader, baos, '\0');
PdfSignatureAppearance sap = stp.getSignatureAppearance();
// COMMON - END
java.security.cert.X509Certificate[] certs=new java.security.cert.X509Certificate[1];
CertificateFactory factory=CertificateFactory.getInstance("X.509");
certs[0]=(X509Certificate)factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
sap.setSignDate(new GregorianCalendar());
sap.setCrypto(null, certs, null, null);
sap.setReason("This is the reason");
sap.setLocation("This is the Location");
sap.setContact("This is the Contact");
sap.setAcro6Layers(true);
PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_SHA1);
dic.setDate(new PdfDate(sap.getSignDate()));
dic.setName(PdfPKCS7.getSubjectFields((X509Certificate)certs[0]).getField("CN"));
sap.setCryptoDictionary(dic);
int csize = 4000;
HashMap exc = new HashMap();
exc.put(PdfName.CONTENTS, new Integer(csize * 2 + 2));
sap.preClose(exc);
MessageDigest md = MessageDigest.getInstance("SHA1");
InputStream s = sap.getRangeStream();
int read = 0;
byte[] buff = new byte[8192];
while ((read = s.read(buff, 0, 8192)) > 0)
md.update(buff, 0, read);
byte[] signature=session.sign(buff);
CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
ArrayList list = new ArrayList();
for (int i = 0; i < certs.length; i++)
list.add(certs);
CertStore chainStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(list), provider);
generator.addCertificatesAndCRLs(chainStore);
CMSProcessable content = new CMSProcessableByteArray(md.digest());
CMSSignedData signedData = generator.generate(CMSSignedDataGenerator.ENCRYPTION_RSA, content, true, provider);
byte[] pk = signedData.getEncoded();
byte[] outc = new byte[csize];
PdfDictionary dic2 = new PdfDictionary();
System.arraycopy(pk, 0, outc, 0, pk.length);
dic2.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
sap.close(dic2);
File newOne = new File("C:\\signed.pdf");
FileOutputStream fos = new FileOutputStream(newOne);
fos.write(baos.toByteArray());
fos.close();
I figured this is the right approach, but I need a way to generate the CMSSignedData instance, which can't be done using addSigner (the only documented way I found), since the private key is not extractable from a smart card...
Then I decided to give up and try with a detached signature:
// COMMON - START
// Same as above
// COMMON - END
sap.setSignDate(new GregorianCalendar());
java.security.cert.X509Certificate[] certs=new java.security.cert.X509Certificate[1];
CertificateFactory factory=CertificateFactory.getInstance("X.509");
certs[0]=(X509Certificate)factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED);
sap.setSignDate(java.util.Calendar.getInstance());
sap.setExternalDigest (new byte[8192], new byte[20], "RSA");
sap.preClose();
MessageDigest messageDigest = MessageDigest.getInstance ("SHA1");
byte buff[] = new byte[8192];
int n;
InputStream inp = sap.getRangeStream ();
while ((n = inp.read (buff)) > 0)
messageDigest.update (buff, 0, n);
byte hash[] = messageDigest.digest();
byte[] signature=session.sign(hash);
PdfSigGenericPKCS sg = sap.getSigStandard ();
PdfLiteral slit = (PdfLiteral)sg.get (PdfName.CONTENTS);
byte[] outc = new byte[(slit.getPosLength () - 2) / 2];
PdfPKCS7 sig = sg.getSigner ();
sig.setExternalDigest (session.sign(hash), hash, "RSA");
PdfDictionary dic = new PdfDictionary ();
byte[] ssig = sig.getEncodedPKCS7();
System.arraycopy (ssig, 0, outc, 0, ssig.length);
dic.put (PdfName.CONTENTS, new PdfString (outc).setHexWriting(true));
sap.close (dic);
File newOne = new File("C:\\signed.pdf");
FileOutputStream fos = new FileOutputStream(newOne);
fos.write(baos.toByteArray());
fos.close();
I'm still stuck to the signature process, can anyone please tell me what I'm doing wrong and help me (snippets would be deeply appreciated), maybe even changing approach in order to be able to add a digital timestamp?
Thank you very much in advance!
PS: I had also tried to use the SunPKCS11 provider to access the smart card, I gave up for similar problems, but if someone has suggestions using it, they're welcome! :D -
Problem reading IdP Partner signing certificate from metadata
We're trying to set up SAML 2.0 based authentication on WLS 11g (10.3.5.0).
We are now stuck for the reason that we can't enable IdP Partner because there is no signing certificate visible in WLS allthough it is in the metadata. Everything else is being read from the metadata just fine.
We haven't been able to find anyhting related through Google, has anybody had similar problems?Hi Trina,
> in the Token Signing certificate there is no option to export the private key
Please locate certificate template which you used to issue the Token Signing certificate, then expand the Request Handling tab of its properties. After that, check the Allow private key to be exported option as below:
Best Regards,
Amy -
Access certificate from a DoD CAC card with Sun Java 1.4.2 Plug-in
We are using CAC cards with ActivCard Software. We are using Sun Java JVM 1.4.2 with Internet Explorer. The problem is that Sun Java does not use the certificate in the browser certificate store for HTTPS client authentication.
The solution from Sun is to export the certificate as a PKCS12 format and add 3 parameters to the Java Plug-in. The parameters are
-Djavax.net.ssl.keyStore=<client_keystore_file_path>
-Djavax.net.ssl.keyStorePassword=<password to access the client keystore file>
-Djavax.net.ssl.keyStoreType=<keystore_type>
Exporting the certificate from the CAC card is not an option for us.
This is a big problem for us. Does anyone have any ideas on a way to get the Java Plug-in to access the CAC card without having to export the certificate?You could use JVM 1.3.X because it uses SSL from the Internet Explorer, not the JSSE SSL.
Apart of this, you could see if the implementation of PKCS#11 for the forthcoming J2SDK 1.5 works with your card AND if JSSE can use the PKCS#11 Sun Provider. Download the beta and try it. -
Problem with CertificateRequest when using a smart card
Hello,
I have used the ssl debug statement to determine that ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA place in the ssl server list.
Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
The intermediate CA is in the local cert store.
The application being used is DavMail.
Am I correct in stating that the the smart card certificates are checked against the server sent CAs?
Does anyone know how to get Java to use he local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)
-
Problems trusting certificates from other users
I'm unable to trust certificates from users when the email address on their certificate does not precisely match the From address of the message. The mismatch is typically something like a From address of [email protected] and a certificate address of doe.john.12345.
Mail says "Unable to verify message signature" when I select the message. I click "Show Details" followed by "Show Certificate". I then get an option to check "Messages from xxx are valid if signed by yyy", which I do followed by clicking "OK".
The yellow "Unable verify message signature" bar stays in place. Repeating the above process shows that the the option to trust the validity is again unchecked. However, in the area with certificate, it lists that the certificate is trusted for the email address in the From field.
Any idea what's going on here?
Thanks,
AndreasI should add that this happens when using certs that were signed with a CAC. I have an ORC ECA cert.
—Andreas -
Problem importing photos from Extreme Pro SD Card
Sorry if this has been covered. I atempted to import photos from my new CF card via a Griffin card reader into my iMAC. Never had a problem before, but iPhoto won't respond and won't recognize the card. Was able to import to my wife's MacBook Pro with no problem. Any thoughts? Thanks
My appologies for wasting your time. The card reader has given up the ghost!
-
Removing Self-Signed Certificates from Personal Store (Lync)
I believe a member of my team has a solution to the below but I wanted to weigh in on the PS forum area and see if there were additional thoughts.
Short story, the Lync client self-signed cert is creating an issue with our updated PKI infrastructure. In testing, when a user logs in with the new Infra. PKI chain the Lync client give a certificate error. When the *usersup*.cer is deleted
from the personal store, everything is fine. I've turned off the issuing of the client cert on the server side and running off AD authentication is fine. I need to automate the removal of 6K+ user's personal certs. Below is a PS script
that does what I need to do but the prompt has to be elevated and elevating prompts for that many users poses an issue, if anyone has experience with this and has an alternative solution, please feel free to share.
$certs = Get-ChildItem cert:\CurrentUser\My | where { $_.Issuer –like 'CN=Communications Server' }
foreach ($cert in $certs) {
$store = Get-Item $cert.PSParentPath
$store.Open('ReadWrite')
$store.Remove($cert)
$store.Close()Since you're trying to remove certificates from the user store, elevation shouldn't be required. I'm able to remove certs from a non-elevated prompt. What's the error you're getting?
Also, you might be able to simplify your script to the following:
Get-ChildItem cert:\CurrentUser\My | where { $_.Issuer –like 'CN=Communications Server' } | Remove-Item -WhatIf
If that looks right, you can remove the -WhatIf and let it do its thing (you can also add the -Confirm switch if you want to answer Yes/No to each certificate). -
Getting self-signed certificates from an internal server...
Hi!
Thanks to the beautiful [Andreas Sterbenz's|http://blogs.sun.com/andreas/entry/no_more_unable_to_find] article I was able to download the two self generated certificates from the mail server and store them in a single file. So I expected things to work like a charm but soon I had to change my mind due to the (usual) error:
javax.mail.MessagingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:571)
at javax.mail.Service.connect(Service.java:288)
at javax.mail.Service.connect(Service.java:169)
at com.agiletec.plugins.webmail.aps.system.services.webmail.WebMailManager.initInboxConnection(Unknown Source)
at com.agiletec.plugins.webmail.aps.tags.WebmailIntroTag.doStartTag(Unknown Source)
[etc etc]
So here's the first question: Is it correct to store the certificates in the system properties with the following code?
System.setProperty("javax.net.ssl.trustStore", certificateInUse); // <--- path of the file where I've stored the certificates
System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); // password used
System.setProperty("javax.net.ssl.trustStoreType","JKS");
I haven't gone in the depth of the SSL theory but it seems to me that my webapp stores the certificates and keeps on connecting in the standard (non SSL) way....
Thanks in advance for the time spent reading!
MatteoHave you tried setting the "Always trust" property? Double click the certificate in Keychain Access and allow it to have always trust for email.
Also, make sure that bundles are enabled for mail.
(Forget the command, google for "defaults write com.apple.mail enableBundles")
That did it for me.
Br,
T -
Help needed on using hardware tokens / Smart Cards for encryption
I need help in filling the following gap in my understanding
I know about
1. Using keys in Java keystores to encrypt/decrypt data (Signing, symmetric encryption)
2. Using Keytool to export a digital certificate to a keystore.
I need help in knowing
1. How the certificate stored in secret device is shared with java key stores. Do I need to use some special library.
2. Is the process of encrypting Secret Key bytes defferent from wrapping the key?
Specifically, I want to use iKey (USB based security hardware token) in my system, which says that it supports
�� The PKCS#11 standard library
�� The MSCAPI and CSP standard libraries
�� Using automatic certificate registration> We have a current Server with 4 x 4 cores, 64 GB RAM, 6TB HDD, Windows 2K8 R2 and SQL Server 2K8 R2. On this server we have installed 6 SAP Servers(both ABAP and JAVA based). We want to install two more SAP servers on this machine but planning to use the Hyper-V Mode to ensure that there is no conflict. With this background here are my queries.
You should not run SAP instances on the server with the hypervisor (the OS running on the metal). If you want to virtualize, then do it for all instances.
Read
Note 1246467 - Hyper-V Configuration Guideline
Note 1570141 - Key Figures of Virtualization on Hyper-V
> u2022 Is it possible to take a Image of existing installation (6 SAP Servers and SQL Server) that we have done?
If they are running on the same OS you will always take images of everything.
> I think this was possible in VMWare.
So those 6 servers are virtualized already??
> The issue I foresee is that in this image the servers are using Machine Name as host. In the Hyper V mode the host name will change. So how will this work?
The safest way is to do a homogeneous system copy.
> u2022 Can I run the normal windows mode along with Hyper V. Basically we want to keep our 6 SAP servers running and for the two new servers create two hyper V instances and allocate 2 cores and 4GB RAM each. Is this possible? Or as per Microsoft on the root we should not run any server?
According to
Note 1246467 - Hyper-V Configuration Guideline
this should not be done.
Markus -
Problem running Itunes from external hard drive- Please Help!
So, last night I transferred my entire music folder over to an external hard drive. It copied all the files and I then proceeded to tell itunes where my new music folder was located. The problem I ran into was when I actually deleted the music files from my internal hard drive my library won't automatically find the files. When I click on a song it comes up with an error message saying, "original file cannot be found, would you like to locate file?". If I tell it yes, I can then manually tell it where the file is, and it will play. I'm really hoping there is an easier way around this issue because going in and doing this for every song in my library would take years. Should I clear out the library and then drag it from the external hard drive? Any help would be greatly appreciated. Thanks a lot.
SeanI am experiencing a similar problem. I already had all my files on an external drive, where I had transfered them a few months back, and everything was working fine. I have now moved them, again, to a larger external drive, did everything the same, but now receive the message "original file cannot be found, would you like to locate file?" I was advised to use the "add to library" button under "FILE" in the menu bar and all the music was finally imported into iTunes, but the problem now is that the new data on the music files is missing all the metadata, and I am still stuck with all the original files with the "!" in front of each file that is going to have to be manually deleted one file at a time, all 30,000 of them. I would like a way to start over and get it right the first time. Anyone have any solutions? I have found a program, "Super Remove Dead Tracks" which should solve the problem of eliminating the "!" tracks, but so too all the metadata. Ideally I'd like to be able to locate the original files with all the attached metadata and get back to where I was 24 hours ago.
Maybe you are looking for
-
Pavillion dv9810us DVD/CD-ROM Drive and Vista Device Manager Question.....HELP!!!!!
I have a Laptop, just over a year old, runs Vista Home Premium SP2. Here is the scenario Hadn't used the DVD/CD-ROM drive for 3 or 4 weeks at which time it worked fine. Tried to use it a couple of days ago and discovered it wouldn't respond. I figure
-
Won't power on, just get spinning wheel
Help. I turned on my iPad this morning and only get a black screen with a spinning wheel. It won't turn off/on. What do I do to fix this?
-
Why are my Indesign files not showing up in Bridge
I downloaded CC 2014 at the same time as transferring my files to a new computer. Now on Bridge, the only files showing up are jpgs and pdfs. Any idea how to integrate the indesign and photoshop into Bridge?
-
PO Release Strategy for 3 company codes
Hi I am working on PO release procedure for 3 company codes in a client.I have created a one charecteristics called Order Type & assigned to class -POVALUE_NEW .I am using the same charecteristics & class in 3 company codes. I have created a differen
-
My Blocked Sender list got erased. How can I restore it from backup?
Where is the Blocked Sender List file located and what is it's name?