Save Client Certificate to pfx

Hi,
Is there a way to save a visitor's Certificate as a pfx?
I know I see some of the Certificate stuff in CGI, but I want it all!
The customer wants to sign a PDF on the website, and I found most of the code, but I need this one little part.
If anyone else knows how, can you help?
Thanks.

I'm pretty sure that a bug was fixed in this area in 6.0 SP1 when mutual
auth was being used. Which version of WLS are you running?
"Honbo Zhou" <[email protected]> wrote in message
news:XfDs6.3051$[email protected]..
The SimpleCertAuthenticator example that does the client certificate to user
mapping doesn't seem to work, how do I know (via debugging/logging) if the
program actually run on in the weblogic server?
Thanks,
Honbo

Similar Messages

  • How to install client certificate in Jdeveloper 10.1.3.41.57

    Hi,
    We need to connect to another website by presenting client certificate. This certificate is provided by this website and password is required. Though I tried to launch the JSP that redirects the page to the URL to connect to that website, and I imported the certificate to the browser, I am still asked credential to connect.
    I was told by other people I need to install the client certificate on the server.
    My question is that how I install this client certificate on Jdeveloper 10.1.3.41.57 and launch JSP to connect to that website?
    the certificate is like xxx2_x.509Cert.pfx.
    Please help
    Thank you.
    jfu

    First, thank you so much for your reply. Yes, it works. I did convert pfx to JKS successfully.
    I use keytool -list to view this JKS file. I can see the content. The chain length is 2.
    However, I got the same error message when I tried to use above command to import JKS to cacerts under jdk/jre/lib/security/; if I add -storetype pKCS12, I got another error: keytool error: java.io.IOException: DerInputStream.getLength(): lengthTAg=109, too big.
    Please help.
    Thanks,
    Jfu
    Edited by: 872272 on Sep 20, 2011 8:58 AM

  • How to install IPSec Client Certificate for Apple products (iPad, iPhone and Mac)

    We need IPsec VPN client authentication with certificate (instead of pre-shared key). We tested the same with Windows client and it works fine. However when we used the same certificates with Apple products (iPad, iPhone and Mac) it doesn't work.
    We have two types of certificates installed on the client from the CA server.
    One is the root certificate with the extension .cer
    and the other one is client certificate with the extension of .pfx (personal information exchange)
    We can not find a proper document to install certificates and client configuration for iPad, iPhone and Mac. We need to know what type of certificates needed, what are the certificate formats and how to install etc.
    Appreciate if someone has implemented this and share any documents.
    thanks

    This will be helpful for you :-
    http://images.apple.com/iphone/business/docs/iOS_Certificates_Mar12.pdf
    Manish

  • How to get the correct client certificate used in the two way ssl

    how to export the certificate in browser to the correct client certificate format needed by the WLSSSLAdaptor?
    I can export the certificate in browser to p12 or pfx format, but how to retrieve the private key from it and convert to PKCS#8?
    anyone did this before?
    Thanks

    Hi,
    Use the event after_user_command.When the user clicks any other buttons in the toolbar,this event will be triggered after the processing and you can handle the sub-total for % columns here.
    Regards,
    Archna Raja

  • Client certificate - response code: 403

    Hi,
    I'm hitting into a "Server returned HTTP response code: 403" when trying to access a site requiring a client cert/authentication. The site that I'm trying to access has provided me a client cert (public/private key) to use when accessing the site. The certificate is in .pfx-format. I know the cert works because if I install it in a browser (IE or Mozilla on Solaris) it works perfect to access the site. When I try to use it in my code I hit into a "Server returned HTTP response code: 403". Because the client certificate is in .pfx-format I could not use keytool to import it into a keystore so I used BouncyCastleProvider to access the .pfx file directly. Here's my code:
        java.security.Provider provider =
            new org.bouncycastle.jce.provider.BouncyCastleProvider();
        java.security.Security.addProvider(provider);

        System.out.print("creating secure random...");
        SecureRandom secureRandom = new SecureRandom();
        secureRandom.nextInt();
        System.out.println("done!");

        System.out.print("getting the server trust/keystore...");
        KeyStore serverKeyStore = KeyStore.getInstance("JKS");
        System.out.println("done!");

        System.out.print("loading the servers public key...");
        serverKeyStore.load(new FileInputStream("/usr/java/jre/lib/security/cacerts"),
            "changeit".toCharArray() );
        System.out.println("done!");

        System.out.print("loading my private key...");
        KeyStore clientKeyStore = KeyStore.getInstance("PKCS12", "BC");
        clientKeyStore.load(
            new FileInputStream("/home/mabe/clientcert.pfx" ),
            "SV".toCharArray() );
        System.out.println("done!");

        System.out.print("initializing truststore...");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509" );
        tmf.init( serverKeyStore );
        System.out.println("done!");

        System.out.print("initializing keystore...");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
        kmf.init( clientKeyStore, "".toCharArray() );
        System.out.println("done!");

        //print out the aliases from the client keystore, to see that we really got the cert
        System.out.println("aliases in keystore:");
        Enumeration e = clientKeyStore.aliases();
        while(e.hasMoreElements())
            System.out.println(e.nextElement());

        System.out.print("getting the sslcontext...");
        SSLContext sslContext = SSLContext.getInstance( "TLS" );
        sslContext.init( kmf.getKeyManagers(),
            tmf.getTrustManagers(),
            secureRandom );
        System.out.println("done!");

        URL myUrl =
            new java.net.URL("https://bla.bla.bla");
        HttpsURLConnection conn =
            (javax.net.ssl.HttpsURLConnection) myUrl.openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        InputStream in = conn.getInputStream();
        BufferedReader reader =
            new BufferedReader(new InputStreamReader(in));
        String tmp = "";
        while ((tmp = reader.readLine()) != null)
            System.out.println(tmp);
    And here is the output:
    creating secure random...done!
    getting the keystore...done!
    loading the servers public key...done!
    loading my private key...done!
    initializing truststore...done!
    initializing keystore...done!
    aliases in keystore:
    57e720cd2a8b9abea9ac42c6a13aed40_67817e58-6eef-418c-93e8-bcd1b4604bb0
    getting the sslcontext...done!
    Boom!
    java.io.IOException: Server returned HTTP response code: 403 for URL: https://bla.bla.bla.
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:791)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
    at Client.<init>(Client.java:81)
    at Client.main(Client.java:11)
    So it seems to me that I never send the client cert to the server... or am I missing something important? The strange alias you see in the output I think is a Microsoft thing (the cert was created, I think, in a Microsoft environment). If I use KeyStore explorer (http://www.lazgosoftware.com/kse/) I can load the .pfx-file into a keystore and view it, then I see another alias.
    Is there any way to find out that the client cert is being sent? I tried to understand the output from javax.net.debug=ssl, but it was too much. If you are interested I will gladly post it.
    So, do you guys have any clue why this ain't working? Any help would be great!
    regards
    Mange

    Hi,
    found a solution on this forum, I imported the .pfx-keypair in Netscape and then exported (used backup in Netscape) it as a .p12-file, then it worked!
    /mange
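On the question above of how to tell whether the client certificate is actually offered during the handshake, the following is an added example, not code from the original posts. `LoggingKeyManager` is a hypothetical class name; it wraps the key managers that would be passed to `sslContext.init(...)` and logs the server's certificate request and the alias selected. The `main` method runs offline against a constructed, empty in-memory PKCS12 store.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper: logs what JSSE asks the key manager for during the handshake. */
public class LoggingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;

    public LoggingKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    /** Wraps the array returned by KeyManagerFactory.getKeyManagers() before SSLContext.init(). */
    public static KeyManager[] wrap(KeyManager[] managers) {
        KeyManager[] out = new KeyManager[managers.length];
        for (int i = 0; i < managers.length; i++) {
            out[i] = (managers[i] instanceof X509KeyManager)
                    ? new LoggingKeyManager((X509KeyManager) managers[i])
                    : managers[i];
        }
        return out;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // JSSE calls this on the client only after the server has requested a certificate.
        String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
        System.err.println("[tls-client] certificate requested; key types "
                + Arrays.toString(keyTypes) + ", acceptable issuers "
                + (issuers == null ? "(not restricted)" : Arrays.toString(issuers)));
        System.err.println(alias == null
                ? "[tls-client] no matching key entry: no client certificate will be sent"
                : "[tls-client] selected alias " + alias);
        return alias;
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        if (chain == null) {
            System.err.println("[tls-client] no certificate chain for alias " + alias);
            return null;
        }
        // The chain that goes on the wire; a missing intermediate shows up here.
        for (int i = 0; i < chain.length; i++) {
            System.err.println("[tls-client] chain[" + i + "] subject="
                    + chain[i].getSubjectX500Principal().getName()
                    + " issuer=" + chain[i].getIssuerX500Principal().getName());
        }
        return chain;
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        // Record only that the key was fetched; never log key material.
        PrivateKey key = delegate.getPrivateKey(alias);
        System.err.println("[tls-client] private key for " + alias
                + (key == null ? " NOT found" : " found (" + key.getAlgorithm() + ")"));
        return key;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory PKCS12 store stands in for a .pfx
        // whose key entry does not match what the server asks for.
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(empty, new char[0]);

        KeyManager[] wrapped = wrap(kmf.getKeyManagers());
        // Constructed issuer name, simulating the CA list in a server's certificate request.
        Principal[] issuers = { new X500Principal("CN=Constructed Test CA, O=Example") };
        ((X509KeyManager) wrapped[0]).chooseClientAlias(new String[] {"RSA"}, issuers, null);

        // In a real client the wrapped array replaces kmf.getKeyManagers():
        //   sslContext.init(LoggingKeyManager.wrap(kmf.getKeyManagers()),
        //                   tmf.getTrustManagers(), secureRandom);
    }
}
```

If nothing is logged during a real connection, the server never requested a certificate in that handshake; if the alias is null, the keystore holds no key entry matching the requested key types and issuers.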

  • Android Setting up mail requires a client certificate

    I have just got a new Asus ZenFone 2 and trying to add an Exchange account to the built-in Email app. My Exchange Server is Office 365.
    After entering Email address, Password and Server (https://outlook.office365.com/mapi/emsmdb/?Mailbox=....a-long-guid....), it insists on a Client certificate.  Where do
    I get this Client certificate?  When I touch Select, it says:
    Choose certificate
    The app Email has requested a certificate.  Choosing a certificate will let the app use this identity with servers now and in the future.
    You can install certificates from a PKCS#12 file with a .pfx or a .p12 extension located in external storage.
    What is going on here?
    Thanks.

    I solved it by ignoring it.
    Previously, I couldn't proceed as the Next button was disabled.  I found that it was disabled because the server name is given in the wrong format.  I got the
    https://outlook.office365.com/mapi/emsmdb/?..... version from the configuration dialog in my desktop Outlook set up.
    The proper way to enter the Exchange server for Office 365 is simply outlook.office365.com!

  • Asking specific client certificate (not certificates trusted by authority)

    As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
    I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
    For example:
    Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
    But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
    And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

    > I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).
    Fine, that's exactly what SSL & PKI will do for you.
    > It might not be elegant
    But it is!
    > See my point?
    Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
    > Instead of the server asking for a specific certificate, it just checks if the certificate sent by the client has access to the resource.
    Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
    > This way, we can leave the server untouched
    No you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
    > if Bob wants to access some resources, Bob has to prove he is who he says he is.
    You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
    > So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).
    There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.
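The split described in the reply above (the TLS handshake authenticates, the server then authorizes the resulting principal against the resource) is sketched below as an added example; it is not code from the thread. `PrincipalAuthorizer`, the resource paths and the subject DNs are constructed for illustration. In a real server the principal would come from `SSLSocket.getSession().getPeerPrincipal()` after a handshake that required client authentication.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/** Hypothetical per-resource authorization keyed on the authenticated subject, not on a certificate. */
public class PrincipalAuthorizer {
    // Resource path -> canonical subject DNs allowed to use it.
    private final Map<String, Set<String>> acl = new HashMap<>();

    /** Grants a subject DN access to a resource; the DN is stored in canonical form. */
    public PrincipalAuthorizer allow(String resource, String subjectDn) {
        acl.computeIfAbsent(resource, r -> new HashSet<>()).add(canonical(new X500Principal(subjectDn)));
        return this;
    }

    /** Canonical form removes case and spacing differences between encodings of the same DN. */
    static String canonical(X500Principal p) {
        return p.getName(X500Principal.CANONICAL);
    }

    /** Default deny: unknown resources and non-X.500 principals are rejected. */
    public boolean isAllowed(Principal peer, String resource) {
        if (!(peer instanceof X500Principal)) {
            return false;
        }
        Set<String> allowed = acl.get(resource);
        return allowed != null && allowed.contains(canonical((X500Principal) peer));
    }

    public static void main(String[] args) {
        // Constructed policy for the two resources named in the question.
        PrincipalAuthorizer authz = new PrincipalAuthorizer()
                .allow("/services/bobPrivateStuff", "CN=Bob, O=Example Corp, C=US")
                .allow("/services/alicePrivateStuff", "CN=Alice, O=Example Corp, C=US");

        // Constructed principals standing in for SSLSocket.getSession().getPeerPrincipal().
        Principal bob = new X500Principal("CN=Bob, O=Example Corp, C=US");
        Principal alice = new X500Principal("CN=Alice, O=Example Corp, C=US");
        // A second certificate for Bob may spell the same DN differently; it is still Bob.
        Principal bobOtherCert = new X500Principal("cn=bob,o=example corp,c=us");

        System.out.println("bob   -> bobPrivateStuff:   " + authz.isAllowed(bob, "/services/bobPrivateStuff"));
        System.out.println("alice -> bobPrivateStuff:   " + authz.isAllowed(alice, "/services/bobPrivateStuff"));
        System.out.println("bob (other cert) -> bobPrivateStuff: "
                + authz.isAllowed(bobOtherCert, "/services/bobPrivateStuff"));
        System.out.println("alice -> alicePrivateStuff: " + authz.isAllowed(alice, "/services/alicePrivateStuff"));
        System.out.println("bob   -> unlisted resource: " + authz.isAllowed(bob, "/services/other"));
    }
}
```

Both Alice and Bob pass the handshake because the same CA issued their certificates; only the access check after the handshake distinguishes them.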

  • How to load a client certificate into a servlet to access a Web Service

    Hi,
    I am having the following problem:
    I am trying to use a Web Service client (Axis) within a servlet running under
    WebLogic 8.1.
    I would like to have mutual SSL-based authentication between the client and the
    server hosting the Web Service. Thus, my client has to send a certificate to the
    server.
    My problem is: how to get the certificate into the request? I know that, for example,
    the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
    use this class.
    Is there any other method to make sure that SSL requests use my client certificates?
    By the way, I am receiving the following error message from the server:
    <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificates not supplied by peer>
    <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    Anyone has an idea?
    Thanks for any hints,
    Zoltan Schreter
    Nokia

    Hi all,
    I have solved this problem basically by using weblogic's SSLSocketFactory instead
    of the default one used by Axis. I created a custom HttpSender (MyHttpSender)
    which uses this Factory. I then created a custom Config class which I pass to
    the constructor of Service. The Config class looks like this:
        public class MyConfig extends SimpleProvider {
            /** Constructor - deploy client-side basic transports. */
            public MyConfig() {
                deployTransport("java", new SimpleTargetedChain(new JavaSender()));
                deployTransport("local", new SimpleTargetedChain(new LocalSender()));
                deployTransport("http", new SimpleTargetedChain(new MyHttpSender()));
            }
        }
    The relevant code within MyHttpSender looks something like this:
        SSLClientInfo sslinfo = new SSLClientInfo();
        File ClientKeyFile = new File("C:/certificates/testkey.pem");
        File ClientCertsFile = new File("C:/certificates/testcert.pem");
        InputStream[] ins = new InputStream[2];
        ins[0] = new FileInputStream(ClientCertsFile);
        ins[1] = new FileInputStream(ClientKeyFile);
        String pwd = "mykeypass";
        sslinfo.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
        javax.net.SocketFactory sockf = weblogic.security.SSL.SSLSocketFactory.getJSSE(sslinfo);
        sock = sockf.createSocket(host, port) ;
    By the way, this change also solved the other problem I posted about (not being
    able to tunnel through the https proxy).
    Cheers,
    Zoltan Schreter
    Nokia
    "Tony" <TonyV> wrote:
    Which API's are you currently using for the SSL communication in the
    client
    side?
    Tony
    "Zoltan Schreter" <[email protected]> wrote in message
    news:[email protected]...
    Hi,
    I am having the following problem:
    I am trying to use a Web Service client (Axis) within a servlet running under
    WebLogic 8.1.
    I would like to have mutual SSL-based authentication between the client and the
    server hosting the Web Service. Thus, my client has to send a certificate to the
    server.
    My problem is: how to get the certificate into the request? I know that, for example,
    the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
    use this class.
    Is there any other method to make sure that SSL requests use my client certificates?
    By the way, I am receiving the following error message from the server:
    <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificates not supplied by peer>
    <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    Anyone has an idea?
    Thanks for any hints,
    Zoltan Schreter
    Nokia

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
    web service applications that no longer connect to server with the new authentication configuration.  Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call
    Project Server web services. Any help or coding examples would be greatly appreciated.

    What error occurred when the custom PSI app connects?
    Can you upload the ULS logs here for research?
    What is the user account format you specified in the code for authentication?
    For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
    'I:0#.w|mybusinessdomain\ewmccarty').
    It requires you to manually call the UpnLogon method of
    “Claims to Windows Token Service”.
        if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
        {
            var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
        }
    Then you need to extract UPN-Claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

  • Help required with ADFS 3.0 client certificate authentication

    Hi,
    I am currently working on integrating ADFS 3.0 for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
    federate user credentials to 3rd party trust for single-sign-on.
    I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
    use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
    The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
    Thanks!
    -Chinmaya Karve

    Hi Yan,
    Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
    So, as I mentioned earlier, I have 2 parallel setups with 3rd party service (SalesForce). One of them is running ADFS 2.0 and another one has ADFS 3.0. I can logon to the third-party services, from both the setups using username/format. I can logon to SF
    using client authentication certificate from ADFS 2.0 setup, but from the same client machine, when I try to logon SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows message of "Select a certificate that you want to use
    for authentication. If you cancel the operation, please close your browser and try again.".
    I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
    I am really confused now, as to whose issue this really is...
    Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
    Any suggestion or inputs where I could have gone wrong in the setup?
    Thanks!

  • IPhone Mail app; IMAP; x509 client certificate?

    The title says it all really.
    I have an x509 client certificate happily installed in my iPhone's keychain. This certificate works correctly in Safari, allowing access to sites which demand it. When I try to collect mail from an IMAP server which also requires a client certificate, it doesn't work.
    As far as I can work out, the Mail app is not sending my client certificate when the server requests it to do so. Is this true? Is there a way to configure the Mail app to respond correctly to the server's client certificate request? Any pointers or information welcome!

    I think so.
    Actually I think I need to get the App Password for Mail on my phone. It generates the app password and I enter it into the password in the gmail setup for mail.
    The problem is that when I hit next on that page, I get the message:
    "my name" is already added" and I cannot proceed.
    Before doing this setup I deleted my gmail account by tapping the email address and hitting delete in the Mail, Contact and Calendars setup..
    but, there is something hiding in my iPhone that remembers my old gmail password (I guess) and doesn't let me proceed.
    If I enter my gmail iChain password I get the same thing.
    If I do this in airplane mode (no connection to google) I also get the same.
    I talked to an apple care person who had me reset all my settings... still the same thing.
    I am trying to avoid a full reset of the iPhone, but that may be in the cards.
    Going to go to the apple store and ask there, but I am not hopeful.
    Barry

  • Problem in reading client certificate

    Hi,
    I am developing a web app. where client will use smart card for authentication.
    And server will read the clients certificate. All the application will run in https.
    So please guide me to develop such a system. I am using tomcat 6x and have created a server certificate by keytool.
    I am not using openssl.
    Please help me....
    Thanx in advance.

    hi
    when you pass the manual entry posting date will be 31.03.2009 and period will be 13 because when we close the year still open 4 special period to post further entries.
    Regards
    Tanmoy

  • How can I prevent client certificate information from being written to kjs log?

    I have an application running on iPlanet Application server 6.0 that makes an SSL connection to an external site using client certificate. Problem: Every time the connection is wrapped in a client certificate, the entire SSL handshake including the key-exchange information is automatically being logged in the kjs log. How do I prevent the kjs from writing this information to the log?

    How are you making this SSL connection? Whatever library you are using must be writing to System.out().
    You could avoid logging these messages by using file logs rather than console logs. But you could probably disable these messages by working with your SSL libraries as well.

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    /**
     * JDBCRealm for supporting RDBMS authentication.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to
     * implement both a login module (see JDBCLoginModule for an example)
     * which performs the authentication and a realm (as shown by this
     * class) which is used to manage other realm operations.
     * <P>A custom realm should implement the following methods:
     * <ul>
     *  <li>init(props)
     *  <li>getAuthType()
     *  <li>getGroupNames(username)
     * </ul>
     * <P>IASRealm and other classes and fields referenced in the sample
     * code should be treated as opaque undocumented interfaces.
     */
    final public class JDBCRealm extends IASRealm
    {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    * JDBCRealm login module.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to implement
    * both a login module (as shown by this class) which performs the
    * authentication and a realm (see JDBCRealm for an example) which is used
    * to manage other realm operations.
    * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
    * extended by this class. PasswordLoginModule provides internal
    * implementations for all the LoginModule methods (such as login(),
    * commit()). This class should not override these methods.
    * <P>This class is only required to implement the authenticate() method as
    * shown below. The following rules need to be followed in the implementation
    * of this method:
    * <ul>
    *  <li>Your code should obtain the user and password to authenticate from
    *       _username and _password fields, respectively.
    *  <li>The authenticate method must finish with this call:
    *      return commitAuthentication(_username, _password, _currentRealm,
    *      grpList);
    *  <li>The grpList parameter is a String[] which can optionally be
    *      populated to contain the list of groups this user belongs to
    * </ul>
    * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
    * fields referenced in the sample code should be treated as opaque
    * undocumented interfaces.
    * <P>Sample setting in server.xml for JDBCLoginModule
    * <pre>
    *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
    *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
    *       <property name="jaas-context"  value="jdbcRealm"/>
    *    </auth-realm>
    * </pre>
    public class JDBCLoginModule extends PasswordLoginModule
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    * Realm wrapper for supporting certificate authentication.
    * <P>The certificate realm provides the security-service functionality
    * needed to process a client-cert authentication. Since the SSL processing,
    * and client certificate verification is done by NSS, no authentication
    * is actually done by this realm. It only serves the purpose of being
    * registered as the certificate handler realm and to service group
    * membership requests during web container role checks.
    * <P>There is no JAAS LoginModule corresponding to the certificate
    * realm. The purpose of a JAAS LoginModule is to implement the actual
    * authentication processing, which for the case of this certificate
    * realm is already done by the time execution gets to Java.
    * <P>The certificate realm needs the following properties in its
    * configuration: None.
    * <P>The following optional attributes can also be specified:
    * <ul>
    *   <li>assign-groups - A comma-separated list of group names which
    *       will be assigned to all users who present a cryptographically
    *       valid certificate. Since groups are otherwise not supported
    *       by the cert realm, this allows grouping cert users
    *       for convenience.
    * </ul>
    public class CertificateRealm extends IASRealm
       protected void init(Properties props)
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM

  • Client certificate authentication on ASA 5520

    Hi,
    We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
    We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
    How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ASDM trustpoint, or are there more steps?

    Hi Paul,
    I generate a PKCS#12 file that encloses the client certificate + the associated private key + the CA cert chain.
    I deployed it on the client host machine by just sending it by e-mail / USB key / Web plushing.
    Depending on your client OS version, the client certificate should be present in the "login" store of the keychain repository on a Mac OS X client and in the "personal" store of the certificate repository on a Windows client.
    And that's it.
    Vincent
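
The PKCS#12 bundle described in the reply above (client certificate, private key, CA chain), built with the openssl CLI for a root CA plus a subordinate CA as in the question. This is an added example, not part of the thread; the CA names, user name and password are constructed placeholders. It also checks with `openssl verify` that a verifier trusting only the root cannot build the chain unless it also has the subordinate CA certificate.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway PKI, every name is a placeholder.
set -eu

# issue <dir> <name> <subject> <extfile> [issuer]: no issuer means self-signed root.
issue() {
    d=$1; n=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    if [ -n "${5:-}" ]; then
        openssl x509 -req -in "$d/$n.csr" -days 30 -extfile "$4" \
            -CA "$d/$5.crt" -CAkey "$d/$5.key" -CAcreateserial \
            -out "$d/$n.crt" 2>/dev/null
    else
        openssl x509 -req -in "$d/$n.csr" -days 30 -extfile "$4" \
            -signkey "$d/$n.key" -out "$d/$n.crt" 2>/dev/null
    fi
}

# build_pki <dir> <password>: root CA -> subordinate CA -> client, then PKCS#12.
build_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    issue "$d" root "/CN=Example Root CA" "$d/ca.ext"
    issue "$d" sub "/CN=Example Subordinate CA" "$d/ca.ext" root
    issue "$d" client "/CN=vpn-user-01" "$d/client.ext" sub
    cat "$d/sub.crt" "$d/root.crt" > "$d/chain.pem"
    # Client certificate + private key + CA chain in one password-protected file.
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/chain.pem" -name vpn-user-01 \
        -passout "pass:$2" -out "$d/client.p12"
}

# Verify against the root alone, then with the subordinate CA as intermediate.
verify_root_only() { openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1; }
verify_with_sub() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/client.crt" >/dev/null 2>&1
}
# Number of certificates carried in the PKCS#12 bundle.
p12_cert_count() {
    openssl pkcs12 -in "$1/client.p12" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d); PW='constructed-sample-password'
build_pki "$WORK" "$PW"
verify_root_only "$WORK" && echo "root only: OK" || echo "root only: chain incomplete"
verify_with_sub "$WORK" && echo "root + subordinate: OK"
echo "certificates in PKCS#12: $(p12_cert_count "$WORK" "$PW")"
```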
