Reading openssl X.509 cert. and RSAPrivateKey

Hi,
I've used openssl to create a X.509 certificate and the corresponding private key.
openssl creates a 'filename'key.pem file which contains the RSA private key, and a PEM file containing the certificate. It also creates the PKCS12 file.
My question is how do I read the private key and the certificate.
I've been checking the web, there were few examples available, but I had problems with reading the private key. Any reliable suggestions?
Thanks,
crypto03

Few questions for you, before I go off in a completely different direction than you're after...
Are you using a third party Crypto Provider?
Do you need to be able to read these files into Java often, or is this a one-time-only type conversion?

Hi,
I got these files from a third party as part of a small project. They used openssl to generate the private keys, and the corresponding certificates. They don't have a file such as keyfile or anything similar so that I could generate a keystore. But I know the password which was used to generate the key.
The private keys are in pem (they've used pkcs12) and stored as:
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
I don't know how to read the private keys. I've managed to read the certificates by doing:
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

FileInputStream in = new FileInputStream(filename);
CertificateFactory cf = CertificateFactory.getInstance("X.509"); // "X509" is accepted as an alias
X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
in.close();
I am using Bouncy Castle Crypto, and yes I will need to read these files often.
Thanks
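The part the thread leaves open is the private key. Below is an added example (not code from the thread or from Bouncy Castle's own documentation) showing one way to do it with the Bouncy Castle `bcpkix` PEM API (`PEMParser` / `JcaPEMKeyConverter`), which is the modern replacement for the older `PEMReader` class and is assumed to be on the classpath together with `bcprov`. It reads the traditional "BEGIN RSA PRIVATE KEY" form the poster has (plain or DES-EDE3 encrypted, as `openssl genrsa -des3` produces), falls back to the PKCS#8 forms, reads the certificate the same way the thread already does, checks that key and certificate actually belong together by comparing the RSA moduli, and shows the PKCS#12 route through the plain JDK `KeyStore` API. The class name `OpenSslKeyMaterial` and the file paths are hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileReader;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Enumeration;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;

/** Hypothetical helper (not from the thread): loads OpenSSL-generated key material into JCA objects. */
public final class OpenSslKeyMaterial {

    static {
        // Register Bouncy Castle so the "BC" provider name used below resolves.
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Reads the first private key in a PEM file. Handles the traditional "BEGIN RSA PRIVATE KEY"
     * block (plain or encrypted) and the PKCS#8 "BEGIN PRIVATE KEY" / "BEGIN ENCRYPTED PRIVATE KEY" blocks.
     */
    public static PrivateKey readPrivateKey(String pemPath, char[] password) throws Exception {
        try (PEMParser parser = new PEMParser(new FileReader(pemPath))) {
            Object obj = parser.readObject();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
            if (obj instanceof PEMEncryptedKeyPair) {          // traditional PEM, encrypted (genrsa -des3)
                requirePassword(password);
                PEMKeyPair plain = ((PEMEncryptedKeyPair) obj)
                        .decryptKeyPair(new JcePEMDecryptorProviderBuilder().setProvider("BC").build(password));
                return converter.getKeyPair(plain).getPrivate();
            }
            if (obj instanceof PEMKeyPair) {                   // traditional PEM, unencrypted
                return converter.getKeyPair((PEMKeyPair) obj).getPrivate();
            }
            if (obj instanceof PKCS8EncryptedPrivateKeyInfo) { // PKCS#8, encrypted
                requirePassword(password);
                PrivateKeyInfo info = ((PKCS8EncryptedPrivateKeyInfo) obj).decryptPrivateKeyInfo(
                        new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider("BC").build(password));
                return converter.getPrivateKey(info);
            }
            if (obj instanceof PrivateKeyInfo) {               // PKCS#8, unencrypted
                return converter.getPrivateKey((PrivateKeyInfo) obj);
            }
            throw new IllegalArgumentException("no private key in " + pemPath + " (first object: "
                    + (obj == null ? "none" : obj.getClass().getSimpleName()) + ")");
        }
    }

    /** Same approach the thread already uses for the certificate, kept here so the match check is self-contained. */
    public static X509Certificate readCertificate(String certPath) throws Exception {
        try (FileInputStream in = new FileInputStream(certPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Sanity check: an RSA private key belongs to a certificate exactly when the moduli are equal. */
    public static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) {
        if (!(key instanceof RSAPrivateKey) || !(cert.getPublicKey() instanceof RSAPublicKey)) {
            return false;
        }
        return ((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) cert.getPublicKey()).getModulus());
    }

    /** Alternative when the PKCS#12 file is at hand: the JDK loads it directly, no PEM parsing needed. */
    public static KeyStore.PrivateKeyEntry readPkcs12(String p12Path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            store.load(in, password);
        }
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (store.isKeyEntry(alias)) {
                return (KeyStore.PrivateKeyEntry) store.getEntry(alias, new KeyStore.PasswordProtection(password));
            }
        }
        throw new IllegalStateException("no private key entry in " + p12Path);
    }

    private static void requirePassword(char[] password) {
        if (password == null || password.length == 0) {
            throw new IllegalArgumentException("key file is encrypted; a password is required");
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java OpenSslKeyMaterial <key.pem> <cert.pem> [password]   (paths are placeholders)
        char[] password = args.length > 2 ? args[2].toCharArray() : null;
        PrivateKey key = readPrivateKey(args[0], password);
        X509Certificate cert = readCertificate(args[1]);
        System.out.println("key algorithm: " + key.getAlgorithm());
        System.out.println("cert subject : " + cert.getSubjectX500Principal());
        System.out.println("key matches  : " + keyMatchesCertificate(key, cert));
        if (password != null) Arrays.fill(password, '\0'); // don't keep the password around longer than needed
    }
}
```

Because the files will be read often, the `readPkcs12` path is usually the better long-term choice: a `KeyStore.PrivateKeyEntry` carries the key and its certificate chain together, can be re-saved into whatever keystore type the application expects, and avoids handling the raw PEM key in application code at all. The modulus comparison is cheap and catches the common mistake of pairing a key file with the wrong certificate before it shows up as a TLS handshake failure.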

Similar Messages

  • X.509 cert from a CAC card?

    Our customer has multiple servers and the users will all soon be using their DOD CAC cards (SmartCards mandated by Dept of Defense) to provide an x.509 cert to the server. They don't like the fact that each time they move to another server, they have to pick the cert and provide a PIN number.
    Is there any way that a servlet can capture the user's cert and present it to the other servers in the farm so that the user only has to pick the cert once? I had thought about using an applet, but they are restricted in their connections to only hit the codebase server, therefore my only other real choice is a servlet running on their Domino server...(?)
    Thanks,
    Charlie

    Thanks Adriaan, to answer your questions:
1) CAC is Common Access Card, it has a chip as would be found in some credit cards (like AMEX Blue). It holds a public and private key of a user. I have been able to get the user certificate in a web application, but I did not have to go directly to the smart card reader for this.
    2) Right now I am developing on a Windows platform, but production is Linux and source code is open source. I have been leveraging javax.smartcardio
    3) Not sure about this one, I know that for my code to work, the CardTerminal .connect had to be "T=0", hope that helps.
    4) Not sure about the protocols really, but for DoD, each workstation has a card reader, and in order for you to log into the machine, you must have a valid CAC.
Here is the output of my test code so far:
    Card_Info: PC/SC card in SCM Microsystems Inc. SCRx31 USB Reader 0, protocol T=0, state OK
    Card Protocol: T=0
    ATR: [B@5afd29
    ATR historical bytes: [B@1a2961b
    response0: 6e 00

  • Activate SSL with OpenSSL Self-Signed Cert

    Dear Expert,
Can anyone give me guidance on how to activate and create an SSL cert in Java IM using an openssl self-signed cert?
    thanks

Here is how I made it work. Some of the tips are from jay in this forum.
    Instant Messaging with SSL
    Let say I have Messaging, Directory, IM server in 1 box.
    Let's create a cert
    # cd /etc/opt/SUNWiim/default/config/
    a) Sun [TM] ONE Messaging Server 6.1 and Sun [TM] ONE Directory Server 5.2 were installed from JES2 on the same box
    b) The server_root directory for Directory Server is the default: /var/opt/mps/serverroot
    c) The server_root directory for Messaging Server is also the default: /opt/SUNWmsgsr
    1. Login to the console and do a Certificate Request
    a) cd /var/opt/mps/serverroot
    b) ./startconsole &
    c) Login to the main console as "cn=Directory Manager"
    d) Select and open the "Messaging Server" console
    e) Highlight the tab called "Tasks" at the top
    f) Select "Manage Certificates"
    g) Console will ask for a password for the security database. Please enter a password twice and make sure that you remember it. This will create the following two files under "/var/opt/mps/serverroot/alias" directory:
    -rw------- 1 mailsrv other 65536 Aug 12 13:57 msg-config-cert8.db
    -rw------- 1 mailsrv other 32768 Aug 12 13:57 msg-config-key3.db
    NOTE: Please make sure that:
    - either the owner of the files is the messaging server user ( mailsrv in this case ),
    -or the permission is appropriate for the mail server user to at least read it.
h) Once you reach the "Manage Certificate" window, please make a "Certificate Request" by filling in the appropriate questions
    i) Once you are done, you get a CSR , which looks something like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBszCCARwCAQAwczELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
DzANBgNVBAcTBm5ld2FyazEMMAoGA1UEChMDc21pMQ0wCwYDVQQLEwRhdGFjMSEw
HwYDVQQDExhwb3BleWUuYXRhYy5lYmF5LnN1bi5jb20wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBALFeXVTFDj/1eONPzV/dAZ0dBKdstl+u+L/DTdw1sCXXOdNG
MzYeTUu9g/g0dXL/bniF31M0OkoW+6O5mshySv/KXS9QcoPngSKS6wuL8kNlYKQR
Dw97WCS1uaqubAK/kir4hDmL7X9Rf29EFHDSFOWjeOJ/M7aqFWCfR5sTeSIFAgMB
AAGgADANBgkqhkiG9w0BAQQFAAOBgQCeYwptiL/j7Bcs0DtGYiOlMMsutezF1COC
4+wHt/p+LtQkvQWBoXisqN6YlGfZPXOCdUyA+RwU7BxjX9IQLP+9HLHfQyLzvCKb
boKKpjIc8Ci+tmibM5QkgTxu4L7yeCR/PiplgVPttHNT2Qr9cxHLLBvIO6N1GOE8
VBoq0pC5SA==
-----END NEW CERTIFICATE REQUEST-----
    Please maintain and preserve this CSR , since you will be sending it to the Certificate Authority ( CA ) so they can issue you a Certificate
    # openssl genrsa -des3 -out ca.key 4096
    # openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    # openssl x509 -req -days 3650 -in file.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server-cert.crt
    # cp -p /var/opt/mps/serverroot/alias/msg-config-key3.db key3.db
    # cp -p /var/opt/mps/serverroot/alias/msg-config-cert8.db cert8.db
    # cp -p /var/opt/mps/serverroot/alias/secmod.db .
    # cat sslpassword.conf
    Internal (Software) Token:password
    # cat /etc/opt/SUNWiim/default/config/iim.conf
    iim.comm.modules = "iim_server,iim_mux,iim_wd"
    iim.smtpserver = "www.esuria.com.bn"
    iim.instancedir = "/opt/SUNWiim"
    iim.instancevardir = "/var/opt/SUNWiim/default"
    iim.user = "root"
    iim.group = "root"
    iim.config.version = "1.1"
    iim_ldap.host = "www.esuria.com.bn:389"
    iim_ldap.searchbase = "o=esuria.com.bn,dc=esuria,dc=com,dc=bn"
    iim_ldap.loginfilter = "(&(objectclass=inetorgperson)(uid={0}))"
    iim_ldap.usergroupbyidsearchfilter = "(|(&(objectclass=groupofuniquenames)(dn={0
    }))(&(objectclass=inetorgperson)(uid={0})))"
    iim_ldap.usergroupbynamesearchfilter = "(|(&(objectclass=groupofuniquenames)(cn=
    {0}))(&(objectclass=inetorgperson)(cn={0})))"
    iim_ldap.allowwildcardinuid = "False"
    iim_ldap.userclass = "inetOrgPerson"
    iim_ldap.groupclass = "groupOfUniqueNames"
    iim_ldap.groupbrowsefilter = "(objectclass=groupofuniquenames)"
    iim_ldap.searchlimit = "40"
    iim_ldap.userdisplay = "cn"
    iim_ldap.groupdisplay = "cn"
    iim_ldap.useruidattr = "uid"
    iim_ldap.groupmemberattr = "uniquemember"
    iim_ldap.usermailattr = "mail"
    iim_ldap.resynctime = "720"
    iim_ldap.usergroupbinddn = "cn=Directory Manager"
    iim_ldap.usergroupbindcred = "password"
    iim_ldap.useidentityadmin = "false"
    iim.log.iim_server.severity = "INFO"
    iim.log.iim_mux.severity = "ERROR"
    iim.log.iim_wd.severity = "ERROR"
    iim_server.domainname = "esuria.com.bn"
    iim_server.useport = "True"
    iim_server.port = "5269"
    iim_server.usesslport = "False"
    iim_server.sslport = "5223"
    iim_server.enable = "True"
    iim_server.clienttimeout = "15"
    iim_server.usesso = "0"
    iim.policy.modules = "iim_ldap"
    iim.userprops.store = "file"
    iim_mux.listenport = "www.esuria.com.bn:5222"
    iim_mux.serverport = "www.esuria.com.bn:45222"
    iim_mux.enable = "true"
    iim_mux.numinstances = "2"
    iim_mux.maxthreads = "10"
    iim_mux.maxsessions = "1000"
    iim_mux.usessl = "on"
    iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
    iim_mux.keydbprefix =
    iim_mux.certdbprefix =
    iim_mux.secmodfile = "secmod.db"
    iim_mux.certnickname = "server-cert"
    iim_mux.keystorepasswordfile = "sslpassword.conf"
    iim_wd.enable = "true"
    iim_wd.period = "300"
    iim_wd.maxRetries = "10"
    -open http://www.esuria.com.bn/im/en/im.jnlp
    -click More Detail and enable Use SSL

  • Nagios, certs, and NRM/ Remote Manager

    We just created a brand new xen guest OES11sp2/SLES11sp3 server, and already the certs for the NRM are no good, they're still using the ones created in YAST during the SLES install portion.
    (eDirectory certs were created and all four validate just fine)
    For now, I just made an exception in my browser, but when I go to the NRM and go to check Health status, I get a nagios login window. that's new.. and if I try to log in with my eDir credentials, it fails, and now I just see a 500 error. The rest of NRM works okay though.
    If I export the eDir certs and use keytool to export them to server.pem and server.key and overwrite the ones at
    /etc/opt/novell/httpstkd (well, actually, /etc/ssl/servercerts) will that fix nagios or is there another issue here?
    And I'm wondering why the eDirectory certs didn't overwrite the YAST certs.. we always have the install do that.

    This gets weirder.
    I used "openssl x509 -in servercert.pem -text" on the new server to check the servercert.pem cert under /etc/ssl/servercerts, and it turns out it IS the eDirectory cert.
    I've restarted both nagios and httpstkd, but the httpstkd configure page claims it's using the old Yast cert; it is configured to use the /etc/ssl/servercerts (through a softlink).
    Firefox accepts the cert fine, Chrome complains that the certificate doesn't match the URL, which is ridiculous. It's absolutely the same.
    I hate certs.
    Anyway, in either case, I still get the 500 error with nagios. It asks for a login, I have no idea what it wants. My edir user doesn't work, and neither does root.

  • X.509 cert

    Hi,
Does anyone know of or have a simulator to generate an X.509 cert please?
Basically, I'm after a tool which takes an RSA key pair and generates an X.509 cert.
    Only used for testing purposes
    Many thanks in advance

    Read the J2SE Security Tutorial to learn about the security APIs and how to use them. You'll see the keygen tool and the X.509 Cert class.
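For the case in this sub-thread (an existing RSA key pair that needs to be wrapped in a certificate for testing), keytool works, but it can also be done in a few lines of Java. The following is an added example, not code from the thread or from the J2SE tutorial; it assumes Bouncy Castle (`bcprov` and `bcpkix`) on the classpath and uses its `JcaX509v3CertificateBuilder` to issue a self-signed X.509 v3 certificate over a freshly generated RSA key pair. The class name `SelfSignedTestCert` and the subject DN are placeholders.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical test-only helper (not from the thread): wraps an RSA key pair in a self-signed X.509 v3 certificate. */
public final class SelfSignedTestCert {

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    public static KeyPair generateRsaKeyPair(int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits, new SecureRandom());
        return gen.generateKeyPair();
    }

    /** Issues a certificate whose issuer and subject are the same name, signed with the pair's own private key. */
    public static X509Certificate selfSign(KeyPair keyPair, String subjectDn, int validDays) throws Exception {
        X500Name name = new X500Name(subjectDn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(validDays));
        // Random positive 64-bit serial: serials must be unique per issuer, and "1" collides across test runs.
        BigInteger serial = new BigInteger(64, new SecureRandom()).setBit(63);

        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, keyPair.getPublic());
        // Mark it as an end-entity certificate so a test trust store cannot accidentally treat it as a CA.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BC").build(keyPair.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
        cert.verify(keyPair.getPublic()); // self-signed: the signature must verify under its own public key
        return cert;
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateRsaKeyPair(2048);
        X509Certificate cert = selfSign(kp, "CN=test.example, O=Test Only", 30);
        System.out.println(cert.getSubjectX500Principal() + "  serial=" + cert.getSerialNumber().toString(16));
    }
}
```

The short validity period and the `BasicConstraints(false)` extension are deliberate: a test certificate that is valid for years or that is allowed to act as a CA tends to outlive the test and end up trusted somewhere it should not be.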

  • What are the recommended methods to keep CA Certs and CRLs updated in Account Forests for a Cross Forest Enrollment implementation?

    Hello,
    We have 1 resource Forest and multiple account Forests. We've reviewed the Cross-Forest Cert Enrollment with Windows Server 2008 R2 doc and followed steps 8 and 9 under the 'Deploying AD CS for Cross Forest Cert enrollment' regarding publishing
the root CA Cert and Enterprise CA certs.  We run PKISync.ps1 to copy objects from the resource to the account Forest, and understand Certs and CRLs are not copied from the resource to the account Forests.  We are trying to figure out the best way
    of keeping the Root and SubCA Certs and CRLs updated in the account Forests.
    1. Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
    2. Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
    3. Any other suggestions/references regarding best practices on how to do this?
    Thanks for your help! SdeDot

    > Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
Yes. Though we do not bother with the CRL copy, as it is published to an HTTP location only.
    > Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
I would suggest not using LDAP URLs, in favor of HTTP.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.

  • What is the Best Practice for publishing Offline Root CA Cert and CRL to Active Directory?

    Hi,
    I've read and seen in a few labs different approaches to what is published in Active Directory for a Offline Root CA.  I've seen just the Root Cert published to AD as well as the Root Cert and the Root CRL published to AD. 
    I can understand why the Root Cert is published to AD, but why would the Root CRL need to be published to AD, especially if my Offline Root CA just issues the Cert for my Subordinate Issuing CA?  So looking for Best Practices here.
    Thanks for your help! SdeDot

    On Sun, 22 Feb 2015 18:44:25 +0000, Andrzej Kazmierczak wrote:
    Best practice is to publish CRL to 2 alternative paths - LDAP for your internal users to access them on the first place and HTTP as an alternative option to LDAP and as the only option for your external users.
    No, the current recommended best practice is to publish to a highly
    available HTTP location first (and possibly the only CDP) that is available
    both internally and externally. This covers Windows and non-Windows
    devices, domain joined and non-domain joined devices and internal and
    external devices as well as multi-forest scenarios with no trust between
    forests.
    Paul Adare - FIM CM MVP

  • ACE SSL - Modifying certs and keys

    I'm having a problem updating the certs and keys I have in my ssl-proxy service.
    My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.
    Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here.
    Thanks!

I changed my certs hot while the application was still running; it worked like a charm.
What I did was:
    - import the new certificate into the crypto store (pkcs12)
    - prepare a textfile with the necessary commands
    no key old
    key new
    no cert old
    cert new
    - paste the commands into the running config.
    I had several Customers and Application Admins test the App. while i was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert old connections were using the old cert. No trouble at all.
    And yes the ACE caches the certs if i am not mistaken.
If you want to make sure that it works, just create a test context or try it on a test farm first. That's what I did prior to changing the certs and the config on the production environment.
    Hope it helps.
    Roble

  • Exchange 2010, Outlook Anywhere, Autodiscover, SAN Certs and ISA 2004

    Hi
    Everything I have read says that SAN certs do not work with ISA 2004.  However I have read through the "White Paper: Understanding the Exchange 2010 Autodiscover Service" document to understand my options (url below) and notice that the SAN
    cert option in the "Summary of supported scenarios for connecting to the Autodiscover service from the Internet" section implies that ISA 2004 may be able to work:
    "Requires additional configuration if used together with either ISA Server 2004 or ISA Server 2006"
    http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
    Does anyone know if there is a supported ISA 2004 scenario where SAN certs can work?
    Thanks!

    It's highly doubtful, since ISA 2004 has been in extended support for two years.  See
    http://blogs.technet.com/b/isablog/archive/2009/10/05/mainstream-support-ending-for-isa-server-2004-standard-edition-sp3.aspx for details about ISA 2004 support - it goes totally out of support next year.

  • CUP. Replaced cert and now services diag page shows issues

    Hey all,
    i used the os page to generate a CSR, had it signed, uploaded the cert to the server and rebooted.  I also uploaded the cert to the cucm publisher.  the following lines are showing on the CUP diag page.  the docs i have found thus far are not very clear on what all needs to be replaced.
    Verify Cisco XCP Connection Manager's service status
    Cisco XCP Connection Manager service is currently down.service state=[UNKNOWN] reason=[null]
    To start the Cisco XCP Connection Manager service, please use the Serviceability application 
    Verify Cisco XCP Authentication's service status
    Cisco XCP Authentication service is currently down.service state=[UNKNOWN] reason=[null] 
    Verify Cisco IM and Presence Data Monitor service is running on all nodes.
    Could not determine the status of the Cisco IM and Presence Data Monitor service on the following nodes192.168.10.3
    On all impacted nodes verify that no other services are currently starting, stopping or restarting. Wait until all service operations have completed and retry the test. Check System > Notifications and verify that communication between IM and Presence and the CUCM publisher node is working. If the CUCM publisher node has been upgraded to a Maintenance Release or Service Update and the IM and Presence nodes in the cluster are not being upgraded, you must reboot them.

    bump.   
    has anyone replaced the certs and ran into this issue?  if not, what process did you follow?
    jabber is working fine...  would like to clear up the errors.

  • Activate https webmail using openssl self-signed cert

    Dear expert,
Can anyone give me guidance on how to create and activate HTTPS webmail and POPS using an openssl self-signed cert?
    thanks

Thanks jay for your rocket response.
    I make it work after following your guide and follow this link:
    http://swforum.sun.com/jive/thread.jspa?forumID=16&threadID=52981
    Basically the csr created in mail startconsole, I self signed using openssl.
    One more question, can I use the same cert to enable ssl in ldap encryption tab in ldap console.
    thanks

  • Adobe Reader has encountered a problem and needs to close.

    When reading PDF attachments, I get the following:  Adobe Reader has encountered a problem and needs to close. I have tried to remove Adobe Reader via Control Panel, Add or Remove Programs but that won't work.  I get this:  This patch package could not be opened.  Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package. I don't know how to do what is being asked.  I have tried to download Adobe Reader again but get this when I do:  Note:  this application already installed.
    I have Adobe Reader X (10.0.1) with an update installed on 2/19/2011.  I have Windows XP SP3.
    Anyone who can help me get Adobe Reader working correctly again or uninstalling it so I can reinstall.
    Thanks for any help.

    Thanks for the input.  Did you remove Adobe Reader 10 first before you downloaded the older version?  If you removed it, how did you do that?  The add/remove programs in control panel won't let me remove it -- it says a patch package can't be opened.
    Date: Mon, 9 May 2011 00:12:41 -0600
    From: [email redacted by moderator]
    To: [email redacted by moderator]
    Subject: Adobe Reader Adobe Reader has encountered a problem and needs to close.
    hi
    i had also the same problem with that version.
    so i download older version and this solved the problem.

  • Getting "adobe Reader has encountered a problem and needs to close

    On Windows XP service pack 3. Adobe Reader X
Get "Adobe Reader has encountered a problem and needs to close." I have uninstalled Adobe and reinstalled it, and the problem came back within 2 weeks after working for a short time.

    Try the following:
    Uninstall Adobe Reader X
    Reboot your computer
    Delete directory C:\Program Files\Adobe\Reader 10.0
    Download the EXE or the MSI installer from ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.0/ and execute e.g. either of the following files:
    AdbeRdr1010_en_US.exe
    AdbeRdr1010_en_US.msi
    Good luck!

  • Who worked with ICS' Model 4896 GPIB? I can not count the data from the module. Can prompt as it to make. It is desirable with examples (data read-out from the module and data transmission between channels. It is in advance grateful.

    I can not count the data from the module. Can prompt as it to make. It is desirable with examples (data read-out from the module and data transmission between channels. It is in advance grateful.

    Hello. Most of the engineers in developer exchange are more familiar
    with NI products. Contacting ICS for technical support is a better
    course of action.

  • I am trying to build a basic TCL skeleton script that reads a remote SNMP OID and displays the value on the screen.

    I am trying to build a basic TCL skeleton script that reads a remote SNMP OID and displays the value on the screen.
    I don't want it to be an EEM Event, I just want to run it from the (tcl)# prompt.
    So I guess I'm asking if you can use cli_exec and other commands in the "namespace import ::cisco::eem::*" in a normal non-EEM script - can I do that?
    This is the error I get:
    OTN.159(tcl)#source flash:TCL_SNMP_Remote_Read.tcl
    invalid command name "::cisco::eem::event_register_none"             ^
    % Invalid input detected at '^' marker.
    What am I missing?
    =================  TCL_SNMP_Remote_Read.tcl  ==============================
    ::cisco::eem::event_register_none
    namespace import ::cisco::eem::*
    namespace import ::cisco::lib::*
    if [catch {cli_open} RESULT] {
        error $RESULT $errorInfo
    } else {
        array set cli1 $RESULT
    }
    if [catch {cli_exec $cli1(fd) "snmp get v2c 192.168.1.100 public timeout 1 oid 1.3.6.1.2.1.1.1.0"} RESULT] {
        error $RESULT $errorInfo
    } else {
        set SnmpSysDesc $RESULT
    }
    if [catch {cli_close $cli1(fd) $cli1(tty_id)} RESULT] {
        error $RESULT $errorInfo
    }
    puts $SnmpSysDesc
    =========================================================================
    In the sho-run config I have:
    event manager directory user policy "flash:/"
    event manager session cli username "cisco"
    Any help to get me started would be greatly appreciated!
    Tim

    If you don't want an EEM policy, then don't use any of the EEM constructs.  Instead, all you need is this:
    set output [exec "snmp get v2c 192.168.1.100 public timeout 1 oid 1.3.6.1.2.1.1.1.0"]
    puts $output
