Signing a x509 certificate

Does anyone know if it is possible in Java to sign an X509 certificate (say, in response to a Certificate Signing Request that has been generated by keytool)?
This is in effect what the CAs do (using their super secret private key!).
Thanks in advance.

Check EJBCA, a fully functional Certificate Authority - http://ejbca.sourceforge.net/
There are also some examples on the JCSI web site - http://www.wedgetail.com/jcsi/2.2/examples/examples.html

Similar Messages

  • Problem with creating a third party signed x509 certificate

    Dear all
    I'm working on a PKI project in which I need to generate a key pair and use it to create a self-signed X509 certificate; it will act as the CA, and its private key will be used to sign all other X509 certificates. I have no problem creating the self-signed cert, but when I try to create another cert using the CA private key, I get the following exception:
    Caught exception: java.security.InvalidKeyException: Public key presented not for certificate signature
    I'm using BouncyCastle to do the cert generation; here is an example of my code:
       import java.math.BigInteger;
       import java.security.*;
       import java.security.cert.X509Certificate;
       import java.util.Date;
       import java.util.Hashtable;
       import java.util.Set;
       import org.bouncycastle.jce.X509Principal;
       import org.bouncycastle.jce.provider.BouncyCastleProvider;
       import org.bouncycastle.x509.X509V3CertificateGenerator; // org.bouncycastle.jce in older releases

       Security.addProvider(new BouncyCastleProvider());
       // key pair to be signed (the end-entity key)
       KeyPairGenerator keyGen=KeyPairGenerator.getInstance("DSA");
       keyGen.initialize(1024, new SecureRandom());
       KeyPair keypair=keyGen.generateKeyPair();
       PrivateKey prikey=keypair.getPrivate();
       PublicKey pubkey=keypair.getPublic();
       // CA key pair
       KeyPair cakeypair=keyGen.generateKeyPair();
       PrivateKey caprikey=cakeypair.getPrivate();
       PublicKey capubkey=cakeypair.getPublic();
       Hashtable attrs = new Hashtable();
       attrs.put(X509Principal.CN, "Test");
       // generate cert: issuer and subject both "CN=Test", valid 50 s either side of now
       X509V3CertificateGenerator certGen=new X509V3CertificateGenerator();
       certGen.setSerialNumber(BigInteger.valueOf(1));
       certGen.setIssuerDN(new X509Principal(attrs));
       certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
       certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
       certGen.setSubjectDN(new X509Principal(attrs));
       certGen.setPublicKey(pubkey);
       //certGen.setSignatureAlgorithm("MD5WithDSAEncryption");
       certGen.setSignatureAlgorithm("SHA1withDSA");
       // sign with the CA private key
       X509Certificate cert=certGen.generateX509Certificate(caprikey);
       cert.checkValidity(new Date());
       cert.verify(pubkey);
       Set dummySet=cert.getNonCriticalExtensionOIDs();
       dummySet=cert.getNonCriticalExtensionOIDs();
    I have no idea what the problem is.
    I hope that a BouncyCastle supporter or anyone could help me or give some guidance; I would much appreciate that.

    Hi tkfi,
    your problem is you're not using the CA public key to do the verification. Replace
    cert.verify(pubkey);
    with
    cert.verify(capubkey);
    and it should work.
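    The opening question (signing a keytool-generated CSR from Java) and the thread above (verifying the issued certificate with the CA key, not the subject key) are both covered by the following added example, which is not code from either thread or from BouncyCastle itself. It uses the current BouncyCastle bcprov/bcpkix API; the class name MiniCa, the names, the validity periods and the in-memory CSR (standing in for one read from a keytool -certreq PEM file via org.bouncycastle.openssl.PEMParser) are my assumptions.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/** Hypothetical minimal CA (added example): self-signed root, then signs a PKCS#10 request with the CA key. */
public class MiniCa {
    static final String SIG_ALG = "SHA256withRSA";

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048, new SecureRandom());
        KeyPair caKeys = kpg.generateKeyPair();
        KeyPair userKeys = kpg.generateKeyPair();   // stands in for the key pair in the keytool keystore

        X509Certificate caCert = selfSignedCa(caKeys, new X500Name("CN=Example Test CA"));

        // Requester side: equivalent of what `keytool -certreq` produces (constructed in memory here).
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                new X500Name("CN=test"), userKeys.getPublic())
                .build(signer(userKeys.getPrivate()));

        X509Certificate issued = signCsr(csr, caCert, caKeys.getPrivate(), BigInteger.valueOf(2));

        // Verification uses the CA's public key, not the subject's (the mistake discussed in the thread).
        issued.verify(caCert.getPublicKey());
        issued.checkValidity();
        System.out.println("Issued " + issued.getSubjectX500Principal() + " by " + issued.getIssuerX500Principal());
    }

    static ContentSigner signer(PrivateKey key) throws Exception {
        return new JcaContentSignerBuilder(SIG_ALG).setProvider("BC").build(key);
    }

    /** Self-signed CA certificate: issuer == subject, CA:true, key usage restricted to signing certs/CRLs. */
    static X509Certificate selfSignedCa(KeyPair caKeys, X500Name name) throws Exception {
        Date now = new Date();
        Date end = new Date(now.getTime() + TimeUnit.DAYS.toMillis(3650));
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, now, end, name, caKeys.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return toX509(b.build(signer(caKeys.getPrivate())));
    }

    /** The CA step: check proof of possession on the CSR, then issue an end-entity cert signed by the CA key. */
    static X509Certificate signCsr(PKCS10CertificationRequest csr, X509Certificate caCert,
                                   PrivateKey caKey, BigInteger serial) throws Exception {
        JcaPKCS10CertificationRequest jcaCsr = new JcaPKCS10CertificationRequest(csr).setProvider("BC");
        PublicKey subjectKey = jcaCsr.getPublicKey();
        // The request must be signed by the key it carries; otherwise refuse to certify it.
        if (!jcaCsr.isSignatureValid(
                new JcaContentVerifierProviderBuilder().setProvider("BC").build(subjectKey))) {
            throw new SecurityException("CSR signature invalid");
        }
        Date now = new Date();
        Date end = new Date(now.getTime() + TimeUnit.DAYS.toMillis(365));
        // Issuer name and key come from the CA certificate; subject and key come from the request.
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                caCert, serial, now, end, jcaCsr.getSubject(), subjectKey);
        // Extensions are CA policy, not copied from the request: end entity only, no cert signing.
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        return toX509(b.build(signer(caKey)));
    }

    static X509Certificate toX509(X509CertificateHolder holder) throws Exception {
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }
}
```

    The issued certificate, together with the CA certificate, is what would be imported back into the keytool keystore with keytool -importcert.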

  • X509 certificate in SAML2 assertions

    I'm wondering if anyone knows whether Oracle 10g identity management systems can be configured to include an X509 certificate in SAML2 assertions. I'm being told that it can't be done in 10g. Oracle 11g appears to have support, and Oracle 10g seems to do it for SAML1.x profiles, but not for SAML2. Is there any way to configure Oracle 10g systems (either by metadata or by some other config?) to support X509 certificate inclusion?
    If you happen to know why there's such a limitation, would much appreciate it. More background/context below.
    Thanks!
    Roger
    Background:
    Oracle 11g has this option for configuring SAML2 assertions to include the X509 certificate:
    http://docs.oracle.com/cd/E23549_01/oim.1111/e13400/configoif.htm
    Include Signing Certificate in XML Signatures
    If checked, Oracle Identity Federation will add its signing certificate to the XML Digital Signature element of outgoing messages. This can be useful when the remote provider needs the signing certificate included in the message to be able to verify the signature created by Oracle Identity Federation.
    Oracle 10g has this option for SAML 1.x (under Assertion Signing -- "include the certificate in signing"):
    http://docs.oracle.com/cd/E23549_01/oim.1111/e13400/configoif.htm
    ...so can X509 certificates be included for SAML2 in Oracle 10g? If so, how?
    Edited by: 947616 on Jul 19, 2012 12:54 PM

  • X509 certificates, hostname verification and SunCluster 3.1 failover.

    Hi,
    A newbie question - having an existing non clustered architecture and trying to decide how to use the SunCluster features.
    I have some self-signed x509 certificates that are used by a process. When this process is (going to be) failed over to another machine, and the filesystem that contains the certificates also follows, what is the recommended way of ensuring that I can use the same certificates and that hostname verification etc. still works?
    When I define a resource group for the filesystem and network interfaces required by this, can I also create a virtual hostname that will work on either of my cluster machines and will not confuse my SSL code when it verifies the certificates and the host?
    I think this is not a question of DNS, but a question of what happens when I want to type 'hostname' and would like to get the same result on either box that is part of our cluster. This way my certificates and application configuration would not need to be changed during a failover event.
    Thanks!

    Forget about the local hostname question - all that is important at the moment is that my keystores and truststores (created using the Sun JVM keytool) are transportable and usable on the other host without change. The network resources associated with the names in the certificates are planned to move across as part of the resource group.
    In theory I guess this should work, but I wanted to know if anyone has had any experience of doing this and whether there were any gotchas.
    Thanks.

  • Fault in authentication with x509 certificate

    I am configuring a web service in OC4J using JDeveloper, using x509. I imported the client key into the server keystore; when I execute the client it shows: WARNING: Subject Key ID extension not found.Using BST Referencing scheme
    javax.xml.rpc.soap.SOAPFaultException: An invalid token was provided
    In the OC4J log:
    Cannot authenticate X509 certificate, User EMAILADDRESS=[email protected], CN=Ana Cecilia de Figueroa, OU=SISTEMA
    DE PAGOS, O=BCR does not exist in our system
    and
    javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User EMAILADDRESS=[email protected], CN=, OU=SISTEMA DE PAGOS, O=BCR CR does not exist in our system
    at oracle.security.jazn.login.module.WSSLoginModule.authenticateX509Cert(WSSLoginModule.java:434)
    Does anyone have an idea?

    For anyone watching this thread for any relevant information,
    after adding sign.xml policy, it started working

  • Need to use x509 certificate for a SMTP server

    Hello everybody,
    If I want to send e-mail from a location different than my company building, my company SMTP server requires authentication with my personal x509 certificate.
    I had no problem using Thunderbird, but I would like to use OS X Mail.
    I installed the x509 certificate into the keychain, and in fact I can send digitally signed emails, but I was not able to find out how to tell Mail to use my x509 certificate to authenticate myself to the SMTP server.
    Does anybody know how to solve this problem?
    Thanks and bye,
    Lapoz.

    Browsers such as iCabMobile and Atomic allow you to choose how the device identifies itself to a website. IE is one of the options. However, if the reason you need IE is for something like ActiveX, it's not going to work.

  • WebID (x509 certificate) on Windows Server 2012

    How can a (end) user log in to Windows Server 2012 using his WebID (x509 certificate)?

    Hi,
    I assume that you are talking about smart card logon, which makes it possible for a user to log on using a smart card and a PIN (Personal Identification Number).
    More information for you:
    Set up a smart card for user logon
    http://technet.microsoft.com/en-us/library/cc775842(v=WS.10).aspx
    How to implement x.509 certificate-based windows logon and authentication
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0291dee1-1b10-4139-b36d-f1b953f8a09a/how-to-implement-x509-certificatebased-windows-logon-and-authentication?forum=winserversecurity
    I hope this helps.
    Amy Wang

  • How to install & use x509 certificate in XI 3.0

    Hi gurus,
    Does somebody know how to install an x509 certificate in XI 3.0? Is it in Visual Admin?
    Is there some guide?
    Once this is installed, how do we test it? What configuration must we do in the Communication Channels and the Receiver Agreement/Sender Agreement? What tool can we use to test the scenario?
    Kind regards

    Hi,
    This is used when you are using FTPS in your communication channel. The certificates are installed in the Visual Administrator. I have not seen any guide on how to install this, but you have a detailed step-by-step procedure of how to install it in this link:
    http://help.sap.com/saphelp_nw04/helpdata/en/53/b221e3b466b346860715a550ca987d/content.htm
    Apart from this you may also need to install the SAP Java Cryptographic Toolkit. You get some help on this at this link:
    http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
    Once you do this your certificates can be seen from the communication channel. In your communication channel, in the FTP Connection parameters, you have to select Connection security as FTPS and check the check box X.509 certificates. In Keystore, if you press F4 you will see the keystores which were installed earlier. Select the keystore and the X.509 certificate.
    Once you are done with this, run your scenario. If you have any errors you will see them in communication channel monitoring.
    ---Satish

  • Using X509 certificates to create a client in a JCo destination / pool

    Hi,
    Our administrators have set up JCo destinations for us developers to use in connecting to the SAP R/3 back-end.  We need to use X509 certificates instead of username/password to create a connection.  How is this done?  The JCo API doesn't seem to list any class/method combination that is suitable. 
    JCO.createClient allows me to pass an X509 certificate, but it doesn't allow me to specify what JCO.Pool (i.e., JCo destination) to use. 
    JCO.addClientPool seems to allow both, but I don't think I want to really "add" a pool-- don't I just want to "use" a  pre-existing pool, i.e., one of the JCo destinations our administrator has set up? 
    Do I need to create a Client using the X509 certificate and somehow add this Client to the JCO.Pool?  I thought JCo destinations were meant to be pre-established Client pools waiting for a Client to be plucked out of it and used.  Is that wrong?  What am I missing? 
    Thanks in advance for your responses.

    Hi,
    I'm not sure whether you can use prepared JCo destinations in this case. However, if it's possible to use single JCo clients you instantiate when you need them, you have different options depending on whether you have an Enterprise Portal installed on top of your J2EE Engine or not.
    --> Without Portal
    Retrieve the user's current certificate from UME using:
    [code]com.sap.security.api.IUser currentUser = ...;
    // first user account of the logged-on user carries the certificate(s) registered for it
    java.security.cert.X509Certificate[] certificates = currentUser.getUserAccounts()[0].getCertificates();
    byte[] certBytes = certificates[0].getEncoded();
    // DER bytes are passed to JCo Base64-encoded (the original post left the encoder unspecified)
    String encodedCert = java.util.Base64.getEncoder().encodeToString(certBytes);
    java.util.Properties jcoProperties = new java.util.Properties();
    // Add your backend properties like hostname and so on...
    jcoProperties.setProperty("jco.client.user", "$X509CERT$");
    jcoProperties.setProperty("jco.client.passwd", encodedCert);
    JCO.Client jcoClient = JCO.createClient(jcoProperties);[/code]
    --> With Portal installed
    In general: define your backend system in the Portal's system landscape instead of as a JCo destination. Configure its logon method for X.509 certificates. Either use UME's user mapping feature directly via com.sap.security.api.UMFactory.getUserMapping()... to add the certificate properties to the JCO properties, or use some intermediate API, some of which are available in the portal, some of which reside in the J2EE Engine (details if you request them).
    Best regards
    Heiko

  • Invoking secure services inside bpel with x509 certificate and weblogic

    Hi, everyone. Here we have a problem with invoking secure web services (*client authentication*) from a BPEL deployed in WebLogic that is consuming so much time (more than a week) and we don't know what else to try.
    The scenario: we have a BPEL process which invokes a series of web services without any security mechanisms. Now, we have to change it to invoke a series of web services that do exactly the same, but using SSL and client authentication with x509 certificates. The first part of it, the SSL one, is done without any problems. But the second part is not working at all, and we (I) are running out of ideas on how to configure it in WebLogic.
    The situation: I want to invoke a web service, say, Service1. It requires client authentication, so I should pass a certificate (*which I already have*). I put that certificate inside a keystore (with keytool -importkeystore, from p12 to jks). With SoapUI I now have no problem invoking the service. But I'm not sure what I should do to make it work in WebLogic; after all, the provider keeps answering with an HTTP 403 Forbidden error.
    The actions: inside WebLogic's Enterprise Manager, in SOA deployments (SOA / soa-infra / default) I selected my composite, and in the Dashboard (down at Services and references) clicked the particular service (Service1). Then it took me to another page where I can see statistics about that service, and a tab named Policies. There (in Policies) I have the chance to attach a policy, but I don't know which one is the appropriate one; I guess it should be WSS11_x509_token_with_message_protection_service_policy, which in turn asks me to provide a value for keystore.recipient.alias, keystore.sig.csf.key and keystore.enc.csf.key. For these keys, I provide values that I configured in Credentials (Weblogic Domain / Security / Credentials, subtree oracle.wsm.security). My own logic tells me that what I have done is what I should have done, but still no luck :(
    I am sure the keystore is ok (if I rename the keystore file it tells me that the keystore file cannot be found, and if I specify an alias which is not inside the keystore it tells me that the alias is not found and lists the valid aliases). I guess I am missing something, somewhere, but after many hours (days, almost 2 weeks) googling, I still cannot make it work.
    Any ideas would be appreciated. If anyone knows about a post or article about this, it would be appreciated too, but I can tell you it's not that I just googled for 25 minutes; I have spent more than a week googling, trying, analyzing and reading formal documentation, with no results.
    Thanks in advance!

    Try to enable SSL and WS debugging on your WLS. Add the following to your startup script:
    -Dweblogic.webservice.verbose=true
    -Dssl.debug=true
    ..then you might be able to spot if the rejection is based on some handshake problem.

  • X509 Certificate Generation from a URL

    Hi All,
    I can easily create an X509 Certificate from a text file using the CertificateFactory class and display all the fields in the generated certificate.
    Now, I wish to do the same thing but using a URL instead of a text file. I would like to know the following:
    1. whether an X509 Certificate (or any other type) is associated with the server represented by the given URL. For instance, say the URL is http://www.xyz.com; I wish to know whether this site has an X509 Certificate associated with it.
    2. if yes, I would like to download the certificate and read the certificate contents.
    How to do these two things?
    Can someone throw some light in this connection? Your help will be highly appreciated.
    Regards,
    ~Mohan

    I saw your posting. I don't have an answer for you, but I need to create some X509 certificates, and I'd really appreciate it if you could share how you created them from a file.
    thanks,
    Jim

  • Accessing X509 certificate info

    We are authenticating by using a certificate for the web server. We need to authorize users for a web service by using the CN or DN shown on the certificate. For the web services, how can I pull the CN or DN off the certificate used for a web service transaction?

    I can't help you much with Oracle Apps. But my 2 cents.
    If your app server/web server is validating the client X509 certificates, once authentication is successful, some identifier should be passed on to your application. You should be able to leverage that to get the user CN or DN.
    When you access a web service from within your application, you can then control who can access the web service and still pass the user CN or DN or other user identifier in the SOAP header, which the web service can validate. Your web service has to perform the authorization check even if you perform this at the client side.
    When the service is going to validate the user CN or DN, it is going to rely on the SOAP message, either the body or a custom header. In this case you have to generate the SOAP message from the client with the appropriate values, which your application should have mapped.
    I answered a similar question in Microsoft Platform at LinkedIn.
    http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/70725-1147608?browseIdx=4&sik=1188955275463&goback=%2Eama
    Thanks
    Ram
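    As an added example (not code from the thread), pulling the DN and CN off the client certificate that a servlet container exposes after mutual TLS, and checking the full DN against an allow-list. It assumes the Servlet API (javax namespace) is on the classpath and that the container places the verified chain under the standard javax.servlet.request.X509Certificate attribute; the class name and the sample DN are constructed.

```java
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/** Added example: identify and authorize a mutual-TLS client by its certificate subject. */
public final class ClientCertIdentity {
    // Servlet-spec request attribute under which the container stores the client chain it verified.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Leaf (client) certificate, or null when the container did not authenticate a client. */
    static X509Certificate clientCert(HttpServletRequest req) {
        Object chain = req.getAttribute(CERT_ATTR);
        if (!(chain instanceof X509Certificate[]) || ((X509Certificate[]) chain).length == 0) {
            return null;
        }
        return ((X509Certificate[]) chain)[0];   // index 0 is the end-entity certificate
    }

    /** Subject DN in RFC 2253 form: a stable string to carry in a SOAP header or look up in a table. */
    static String subjectDn(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    /** First CN of the subject, parsed as RDNs rather than substring-matched (handles escaping/order). */
    static String commonName(X500Principal subject) throws InvalidNameException {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /**
     * Authorization on the whole DN, not only the CN: two subjects with the same CN under different
     * OU/O are different identities. Both sides go through LdapName so attribute order, case of
     * attribute types and insignificant whitespace do not cause false mismatches.
     */
    static boolean isAuthorized(X500Principal subject, Set<String> allowedDns) throws InvalidNameException {
        LdapName presented = new LdapName(subject.getName(X500Principal.RFC2253));
        for (String allowed : allowedDns) {
            if (presented.equals(new LdapName(allowed))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subject; no live certificate is needed to exercise the parsing logic.
        X500Principal subject = new X500Principal("CN=Ana Cecilia de Figueroa, OU=SISTEMA DE PAGOS, O=BCR");
        System.out.println("CN = " + commonName(subject));
        Set<String> allow = Set.of("cn=Ana Cecilia de Figueroa,ou=SISTEMA DE PAGOS,o=BCR");
        System.out.println("authorized = " + isAuthorized(subject, allow));
        System.out.println("not authorized = " + isAuthorized(
                new X500Principal("CN=Ana Cecilia de Figueroa, OU=OTHER, O=BCR"), allow));
    }
}
```

    In a servlet, clientCert(request) returning null means the container did not authenticate the caller, and the request should be rejected before any DN lookup.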

  • Replace Self-Signed FAST Search Certificate with Third Party Certificate

    We are trying to replace the self-signed FAST Search certificate with a third-party certificate in our SP 2010 environment, and are facing issues while enabling the SSL communication between the FAST servers and the corporate servers.
    Our FAST search servers are in a different farm than that of the corporate servers.
    The details of the certificate we received are as follows:
    Issued to: FastSearchCert
    Issued By: Issuer Name
    Valid From: 4/21/2015 to 4/20/2017
    We were able to successfully renew the certificate on the FAST Search Server by following the steps below:
    1. Log in to the Administrative and the Non-Administrative nodes of the FAST server. Go to Windows Services and stop the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services on both servers.
    Follow the steps below on the Administrative Node followed by the Non-Administrative Node:
    2. Install the certificate in the following paths in the certificate store:
    "Certificates(Local Computer)\Personal"
    "Certificates(Local Computer)\Trusted Root Certification Authorities"
    3. Ensure that the user account configured for the "FAST Search Server 2010 for SharePoint" has access to the private key of the certificate.
    4. Go to the Administrative node of the FAST farm and follow the steps below:
    Go to the certificate store. Expand the Personal folder and then click the Certificates folder. Double-click the third-party signed FAST certificate. Open the Details tab and then click Thumbprint. Note down this thumbprint.
    5. Next, open Microsoft FAST Search Server 2010 for SharePoint with Administrator privileges.
    6. Navigate to the directory "D:\FASTSearch\installer\scripts" and execute the command below to replace the current certificate with the newly created third-party signed FAST certificate:
    .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
    7. The FAST certificate was renewed successfully.
    Once the certificate has been renewed successfully on both nodes, follow the step below:
    8. Start the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services on the administrator server.
    Next, while enabling the SSL communication between the FAST servers and the other corporate servers, we follow the steps below:
    1. Copy the new certificate from any of the FAST servers to all the web front-end and application servers in the corporate farm, in order to enable SSL communication between these servers and the FAST farm.
    2. Also, copy the script 'SecureFASTSearchConnector.ps1' from the location "%FASTSearchFolder%\installer\scripts" on the FAST servers to the web front-end and application servers of the corporate farm.
    3. Follow the steps below on each of the servers in the corporate farm:
    Open 'SharePoint 2010 Management Shell' with administrator privileges and navigate to the directory in which the 'SecureFASTSearchConnector.ps1' script is located. Then execute the command below:
    .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" -ssaName "FASTCibtebtSSA" -username "DOMAIN\SP_Farm"
    Where:
    -certThumbprint - Thumbprint of the certificate
    -ssaName - FAST Content SSA
    -username - The account configured to run the SharePoint Search Service
    On execution of the above command, we receive an error message stating that the "Connection to the Content Distributor servername.corp.abc.org: 14391 could not be validated...instance of FAST search server backend is running"
    Please help us resolve this issue. We have not been able to find the cause of the above error for a long time.
    Any help is much appreciated.

    Your tip on exporting from eDir to locate a missing private key was very helpful. Here are my steps to renew an expired third party certificate when the private key, generated 30 months ago in my case, could not be located.
    In iManager, browse the tree and locate the likely certificate object. The Attributes for the object show Subject Name = webmail.acme.com. Selected the certificate and exported to webmailcert.pfx.
    Then, the openssl commands in TID 7004039, "How to convert a SSL PFX to a PEM file", were run against the .pfx file to create cert.pem, key.pem and server.key files.
    TID 7015500, "How to determine if private key belongs to public key (certificate)", was followed to determine if the public key (downloaded from third party) and private key (just retrieved from iManager) match - they did - that is, the private key converted from webmailcert.pfx matches the downloaded certificate.
    TID 7013103, "How to create a .pem File for SSL certificate Installations", was followed to manually create a server.pem file using openssl.
    TID 7010584, "How to setup SSL Certificate for Apache", part labeled "Additional Information", was followed to modify the /etc/apache2/vhosts.d/vhost-ssl.conf file. The server.pem file created above was copied to the /etc/apache2/ssl.crt/ and /etc/ssl/servercerts/ directories as specified in vhost-ssl.conf.
    Restarted apache2.
    www.digicert.com has an SSL Certificate Checker that can be used to verify the installation is successful.

  • Ability to sign emails with certificates

    Hi all,
    I was just wondering if anyone had been able to set up their email on the iPhone (I am using a MobileMe account which syncs - I don't know the terminology) with digital signatures.
    I have set up my MacBook so that, when I compose an email, I can sign it with a free certificate I got from Comodo.
    I was wondering if there was a way of setting up the iPhone so that I can also sign the messages I compose when I am out and about?
    I had a look at the iPhone Configuration Utility (briefly) but got scared that I might change some other setting and break my phone (everything else is working so nicely).
    Are there any guides on how to set this up (I am happy to look at the iPhone utility if I could get all the current settings I have loaded onto it and then just make the required changes)? I don't know if this is even allowed on the device...
    Any information would be helpful
    Cheers
    AusQBall

    Hi Sean,
    Thanks for replying but I am not sure that the application does quite what I am after...
    I am not trying to add an image with my signature on it but rather add a cryptographic signature which allows the recipient to know that it came from me. My knowledge on this topic is a little sketchy but I think that, for it to work, a hash of the entire message would need to be calculated and then encrypted with a private key found in my signature certificate (which only I have). The recipient can then check that the message has not been altered using the public key (provided in the email and signed by a certificate authority) to confirm that the hashes match.
    Please reply if I have misunderstood something with the application.
    Also thank you for looking into this for me. Any help is appreciated.
    Cheers
    AusQBall

  • Mapping X509 certificate to User

    Hello Everybody,
    I am accessing SAP R/3 Function module from the outside(JAVA Application) using JCO connections.
    I had success doing this using basic authentication.
    I have passed a fixed username and password to connect to SAP R/3 from my Java program.
    But now I want to pass an X509 certificate from my Java application to SAP R/3 for authentication. I have completed my work on the Java side. But on the SAP R/3 side I don't know where to add this X509 certificate and how to map this certificate to a particular user in SAP R/3.
    If anyone knows then please help.
    It's urgent, so if anybody has some idea then please help.
    Thanks in advance,
    Bhavik
    Message was edited by: Bhavik Devisha

    Through the T-Code PFCG you have to create the authorization group.
    The authorization group should contain the object:
    Z:PO_APPROVER_00 (authorization group name).
    Add the object manually.
    First select the object MM_E (Materials Management: Purchasing).
    Under that select M_EINK_FRG.
    Assign values properly to the
    Release code: FRGCO
    Release group: FRGGR
    After that use the T-Code SU01 to provide the rights to the user XYZ.
    By
    Subrahmanian
