Signing message with certificate: JCE, IAIK or similar in IBM SDK 5.0

Similar Messages

• How Sign Message with Certificate (public key)?

  Hi, I need to to send Sign xml message by Certificate file (public key) and read sign message
  so how can i do it ??
  and i should have 2 public key ?? or what ??
  please help :)
  Thanks

  ejp has answered your question, but it seems you did not understand. This forum is not a good place to learn about public key cryptography and message encryption. You should already understand these fundamentals before asking questions here. This forum is about how to implement these crypto operations in the Java programming language. If you are cheap or poor, you can try googling for the more information; wikipedia is good starting point also. If you can afford it, I recommend you buy Practical Cryptography_ by Schneier.

• Why unable to sign PDF with certificate after applying Nitro PDF password protection? (despite it explicitly allowing signing with certificates)

  I used Adobe Reader XI to sign PDFs with certificate, which worked perfectly. Except that the PDF could still be edited by other programs (for example, Nitro PDF) after the signing (but not the fill out fields and the signature). To apply password protection makes sense to avoid changes in the PDF being made after it has been signed. So I applied password protection via Nitro PDF that allows only enter fill-out fields and signing. But when I open it with Adobe Reader, the filling out works fine, but the signing part is not available to click on it (all of the buttons under "Sign" tab are grey). When I go on the Security properties with Adobe Reader, I can explicitly see that signing of this PDF is allowed and yet the option is not open to use for me anymore.
  Any ideas on why it is the case and what I could do about that?
  Many thanks!
  O.

  Actually yes, I just asked my colleague to assist me with this, he password-protected the PDF with Acrobat 8, explicitly allowing for signing and fill-out functions, it also appears in Adobe Reader under security properties as "allowed", but it is not open to use in the Reader for me anymore (grey buttons).

• Mail does not allow signed message with .Mac certificate

  Hi all,
  until a few weeks ago, I was able to send signed or encrypted message with my .Mac account and .Mac certificate. Both of them are still valid, and I can still read all messages I sent as encrypted and/or signed, however, Mail does not show the two buttons to crypt and/or sign emails. The certficate seems to work to encrypt iChat dialogs as well.
  I repaired my Keychain, looked at how certficates were configured, everything seems normal to me.
  Any clue ??

  Well, it seems that we've come across something finally.
  In comparing notes, my friend (who is currently able to sign and encrypt messages) and I were comparing notes on our respective certificates. In doing so, he pointed out that he'd noticed a difference in the PURPOSE of my cert versus his cert.
  His cert shows the following purposes:
  1 - Client Authentication
  2 - Email Protection
  3 - Apple .Mac Identity
  4 - Apple iChat Signing
  5 - Apple iChat Encryption
  Whereas mine only shows these purposes:
  1 - Client Authentication
  2 - Apple iChat Signing
  3 - Apple iChat Encryption
  Another thing I noticed while comparing his cert to mine after he pointed this out...his cert is due to expire at the end of October. Mine, on the other hand, was created this past Friday.
  Now, from what I understand, these certs expire one year from date of issue, unless they are revoked earlier. So, I suppose the big question to everyone else out there that is having trouble with using their .Mac issued certificates is "When did yours get renewed?".
  I'm suspecting at this point that somewhere around the end of June the certificates issued by Apple for iChat signing suddenly stopped having the "Purpose" of mail protection. It would also seem that they suddenly stopped having the purpose of .Mac Identity.
  Now I'm curious why Apple would do this, make it actually relatively easy to create a cert that could be used for iChat and Mail encryption, then suddenly take it away. Is this actually what has happened here?
  I'd be really interested in seeing what the renewal dates are and the corresponding "Purposes" are for many of the folks that are reporting trouble with this very issue.
  If you are one of those people who had mail encryption working using your .mac certificate, and it suddenly stopped working...feel free to post your cert information here.
  To get the ball rolling, here's the information from mine...
  Issued By:
  - Apple .Mac Certificate Authority
  Expires:
  - September 14, 2007
  Purposes:
  - Client Authentication
  - Apple iChat Signing
  - Apple iChat Encryption
  G4 800 (Quicksilver) / Powerbook 1.5 GHz   Mac OS X (10.4.7)  

• Ability to sign emails with certificates

  Hi all,
  I was just wondering if anyone had been able to setup their email on the iphone (I am using a mobile me account which syncs - I don't know the terminology) with digital signatures.
  I have setup my macbook that, when I compose an email, I can sign it with a free certificate I got from Comodo.
  I was wondering if there was a way of setting up the iphone so that I can also sign the messages I compose when I am about?
  I had a look at the iphone configuration utility (briefly) but got scared that I might change some other setting and break my phone (everything else is working so nicely).
  Is there any guides as to how set this up (am happy to look at the iphone utility if I could get all the current settings I have loaded onto it and then just change the required changes). I don't know if this is even allowed in the device...
  Any information would be helpful
  Cheers
  AusQBall

  Hi Sean,
  Thanks for replying but I am not sure that the application does quite what I am after...
  I am not trying to add an image with my signature on it but rather add a cryptographic signature which allows the recipient to know that it came from me. My knowledge on this topic is a little sketchy but I think that, for it to work, a hash of the entire message would need to be calculated and then encrypted with a private key found in my signature certificate (which only I have). The recipient can then check that the message has not been altered using the public key (provided in the email and signed by a certificate authority) to confirm that the hashes match.
  Please reply if I have misunderstood something with the application.
  Also thank you for looking into this for me. Any help is appreciated.
  Cheers
  AusQBall

• Configuration/Setup for securing PI messages with certificates

  Hello Experts,
  I'm looking for some guidance/suggestions/direction in regards to installing and using certificates when exchanging data with trading partners via PI 7.0.  It's something new to us and it's been a bit of a struggle.
  In scenario 1, we want to send to, and receive from, xml documents with a partner.  We currently send from our PI system, but want to receive the messages back thru an F5 network (?) which would decrypt the message and pass it along to PI.  This also takes care of load-balancing.
  In scenario 2, we want to exchange EDI messages using the AS2 Adapter from Seeburger.  Again, messages would be sent from PI and received by the F5 network.
  The F5 would act as the SSL termination point (if that's the correct term), and pass the decrypted message to PI via a normal http transfer.
  We are storing our partners' certificates within PI, and configuring the communication channels to use them.  Is this correct?  Do they need to be stored on the F5 as well?  Do we then give them our certificate from the F5, or do they need a certificate from our PI server, or both?
  I guess what I'm looking for is some straight-forward SSL 101 documentation, especially where it applies to middleware like the F5.  Thanks in advance for any help you can give.

  Hi,
  Just a quick note on the certificates; if you want to encrypt messages sent from PI you need the public key of the receiver stored in PI (J2EE key store) with which to encrypt the messages. When receiving files back from partners, they would need to encrypt the messages with the public key of F5 certificate. F5 would then use its private key to decrypt the message before passing to PI.
  So, yes, you are correct to store the certificates of your partners in PI which will be used in encryption of outbound messages. F5 would only need the private keys of the certificate that your partners have encrypted with, no need for PI certificates to be stored in F5 (unless you also need digital signatures).
  Hope this helps.
  Br,
  Kenneth

• Signing pdf with certificate

  I am using pdfwriter on Windows to sign my pdf's with a certificate. Does an equivalent exist for archlinux? My google-fu didn't turn up anything... Thanks!

  It sounds like your problems stem from needing to adhere to whatever protocol pdfwriter uses. I'm not familiar with that piece of software myself.
  Basically, you have three options in front of you: pdfwriter uses some open specification which *nix has already implemented under some other name; pdfwriter uses a closed specification which has been partially re-implemented in *nix so you can do basic stuff; pdfwriter uses a totally closed spec which no one else cares about.
  If it's one of the first two, you'll be able to find a work around. If it's the last one, you should kick your employer right in the nuts.

• Evolution hangs on signing message

  Hi!
  Since some days (I assume since the upgrade to 3.16.3) evolution hangs on signing messages with pgp. The message about signing the mail appears, but nothing happens. Confusingly enough, message encryption works fine, but decryption also hangs.
  regards
  bjo
  Last edited by bjo (2015-06-17 10:57:42)

  What version of Windows are you on (XP, Vista, Windows 7, Windows 8 )? Is it 32-bit or 64-bit?
  http://support.microsoft.com/kb/827218
  What is the version of Internet Explorer installed on your computer?
  In Internet Explorer go to Help -> About Internet Explorer.
  P.S. Please, don’t say that you are not using Internet Explorer. This is irrelevant. Skype depends on Internet Explorer.

• Read entire IMAP message with one FETCH command

  Is there any way to have JavaMail read an entire IMAP message with a single FETCH command (similar to the way Outlook works)? This is needed because the mail server I'm using does not correctly support the FETCH BODYSTRUCTURE command.
  Thanks in advance.

  Of course you should get a new mail server. There's so many to choose
  from, including many free options, why put up with one that doesn't care
  enough to implement the IMAP spec correctly?
  If you're stuck, use the MimeMessage copy constructor to copy the IMAP
  message to a new MimeMessage object, then access all the data through
  the MimeMessage object. The entire message will be fetched from the
  server in one FETCH command.

• Business Service sign a message with always same certificate

  Hello,
  We  need to call an external web service that require the request be signed by a certificate.
  Our organization has an Oracle Service Bus and our intention is use the bus to facilitate our clients the calls.
  I did the next steps:
  1.- I Have configured the keystore of OSB with the certificated.
  2.- I have made the business service, with the end-point the external ws.
  3.- I Have configured the sign-body ws-policy in business service.
  4.- When i prove it with debug console of OSB, i select the keystore provider and it works.
  The problem is:
  When I make the Proxy Service seems that the Business Service give the requirement to the Proxy for sign the message,  and what I want is publish the Proxy Service without this requirement and sign the message with always the same certificate.
  I would like the message was signed by Proxy Service or Business Service, and not by clients who call the OSB.
  I don't know how configure it on OSB.
  It is possible to configure OSB in that way?
  Thanks
  Miguel

  Hello,
  Can you please confirm the following
  1. You are setting up an expired certificate as the host certificate for your host (or) are you trying to sign an ASPX file with an expired certificate?
  2. The webserver where you are hosting this ASPX (IIS I presume), has only certificate based authentication enabled - is that right?
  3. You are seeing that when the user opens the website they are prompted that the certificate has expired, and even if they chose to move forward, they are not able to - is that the issue?
  4. If (3) is not the issue and you want to be able to get access to the certificate-expiration error as part of the ASPX code, then that wouldn't be possible because the certificate validation would happen as part of the TLS connection negotiation
  If you can please provide some more details, it will help.
  Thank you

• How to send digitally sign S/MIME messages with Powershell cmdlet Send-MailMessage?

  Hello,
  using AD Windows PKI I assigned a certificate EKU (1.3.6.1.5.5.7.3.4) to sign emails and get this with
  autoenrollment also to my CERT Store PS
  CERT:\CurrentUser\UserDS\ or the certificate could found via MMC / certificates in the store structur under "Active Directory User Object".
  Signed messages (red icon) to send as S/MIME message using Outlook 2010 is not a problem.
  Using PowerShell cmdlet Send-MailMessage to be sent company notification for a new passwordpolicy some days before pwd expired?! I use the cmdlet already successfully to filling HTML bodies with variables and send to individuals accounts.
  Reduced simplified PS code:
  $SMTPBodyHtmlTemplate = Get-Content "C:\PS\Template\HTMLBody.html" | Out-String
  Function SendEmailNotification # /* SEND E-MAIL Notification to User */#
  [string] $SMTPServer = "mail.domain.local"
  $CurrentUser = "$env:username"
  [string]$SMTPFrom = (Get-ADUser $CurrentUser -properties mail).mail
  [string[]] $SMTPTo = $($Obj.EmailAddress)
  [string]$SMTPSubject = "Notification!"
  [String]$SMTPBodyHtml = $SMTPBodyHtmlTemplate.Replace("UserDisplayname","$($UserDisplayname)")
  Send-MailMessage -From $SMTPFrom -To $SMTPTo -Subject $SMTPSubject -BodyAsHtml $SMTPBodyHtml -dno OnFailure -SmtpServer $SMTPServer -encoding ([System.Text.Encoding]::UTF8) -ErrorAction Continue
  How can I use the PSDrive own CERT and using PowerShell cmdlet Send-MailMessage
  to send a signed message, without development experience?
  Thanks in advance for cooperation.
  Manfred Schüler

  Hi,
  could create with an other colleague a DLL file (with this informations) for successfully sending sign messages from PS-Script. 
  Function SendEmailNotification # /* SEND SIGN E-MAIL */#
  $SMTPBodyHtmlTemplate = Get-Content "C:\PS\Template\HTML.html" | Out-String
  [System.Reflection.Assembly]::LoadFile("C:\PS\Assembly\Cpi.Net.SecureMail.dll") | Out-Null
  [string]$strSmtpServer = "smtp.domain.local"
  [string]$strSmtpPort = "25"
  [string]$strFrom = (Get-ADUser $CurrentUser -properties mail).mail
  [string]$strFromAlias = (Get-ADUser $CurrentUser -properties DisplayName).DisplayName
  [string]$strTo = $UserEmailAddress
  [string]$strToAlias = $UserEmailDisplayName
  [String]$strSubject = "Subject as you like"
  [string]$strBody = $SMTPBodyHtmlTemplate.Replace("UserDisplayname","$($UserDisplayname)")
  $objMail = New-Object Cpi.Net.SecureMail.SecureMailMessage
  $objFrom = New-Object Cpi.Net.SecureMail.SecureMailAddress($strFrom,$strFromAlias,$objCert,$objCert)
  $objTo = New-Object Cpi.Net.SecureMail.SecureMailAddress($strTo,$strToAlias)
  $objMail.From = $objFrom
  $objMail.to.Add($objTo)
  $objMail.Subject = $strSubject
  $objMail.Body = $strBody
  $objMail.IsBodyHtml = $TRUE
  $objMail.IsSigned = $TRUE
  $objMail.IsEncrypted = $FALSE
  $objSMTPClient = New-Object System.Net.Mail.SmtpClient($strSmtpServer,$strSmtpPort)
  $objSMTPClient.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
  $objSMTPClient.send($objMail)
  Maybe Microsoft can implement this in future versions of the cmdlets Send-MailMessage ;-)
  Manfred Schüler

• Replace Self-Signed FAST Search Certificate with Third Party Certificate

  We are trying to replace the Self-Signed FAST Search Certificate with Third Party Certificate in our SP 2010 environment. And are facing issues while enabling the SSL communication between the FAST servers and the corporate servers.
  Our FAST search servers are in a different farm than that of the Corporate Servers.
  The details of the certificate we received is as follows:
  Issued to : FastSearchCert
  Issued By: Issuer Name
  Valid From: 4/21/2015 to 4/20/2017
  We were able to successfully renew the certificate on the FAST Search Server by following the below steps:
  1.  Login to the Administrative and the Non-Administrative nodes 
  of the FAST server. Go to Windows Service and stop the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services in both the servers.
  Follow the below steps in the Administrative Node followed by the Non-Administrative Node
  2. 
  Install the certificate in the following paths in the certificate store:
  “Certificates(Local Computer)\Personal”
  “Certificates(Local Computer)\Trusted Root Certification Authorities”
  3. Ensure that the user account configured for the “FAST Search Server 2010 for SharePoint” has access to the private key of the certificate.
  4. Go the Administrative node of the FAST farm and follow the below steps:
  Go to the certificate store.
  Expand the Personal folder and then click the Certificates folder. Double-click the third party signed FAST certificate.
  Open the Details tab and then click Thumbprint. Note down this thumbprint.
  5. Next, open
  Microsoft FAST Search Server 2010 for SharePoint with Administrator
  Privileges.
  6.
  Navigate to the directory, “D:\FASTSearch\installer\scripts” and execute the below command to replace the current certificate with the newly created
  third party signed FAST certificate.
  .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint".
  7. The FAST certificate was renewed successfully.
  Once the certificate has been renewed successfully in both the nodes, follow the below step:
  8. Start the FASTSearch for SharePoint and the FAST Search
  for SharePoint Monitoring services in the administrator server.
  Next, while enabling the SSL communication between the FAST servers and the other corporate servers, we follow the below steps:
  1. 
  Copy the new certificate from any of the FAST servers to all the web-front end and application servers in the corporate farm, in order to enable SSL communication between these servers and the FAST farm.
  2.   Also, copy the script
  ‘SecureFASTSearchConnector.ps1’ from the location “%FASTSearchFolder%\installer\scripts” in the FAST servers 
  to the web-front end and application servers of the corporate farm.
  3.  Follow the below steps on each of the servers in the corporate farm:
  Open ‘SharePoint 2010 Management Shell’ with administrator privileges and navigate to the directory in which
  SecureFASTSearchConnector.ps1’ script is located.
  And then, execute the below command:
   .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" –ssaName “FASTCibtebtSSA” –username “DOMAIN\SP_Farm”
   Where,
  -certThumbprint 
  - Thumbprint of the certificate
  -ssaName – FAST Content SSA
  -username – The account configured to run the SharePoint
  Search Service
  On execution of the above command, we receive an error message stating that the "Connection to the Content Distributor servername.corp.abc.org: 14391 could not be validated...instance of FAST search server backend is running"
  Please help us resolve this issue. We have not been able to find the cause of the above error for a long time.
  Any help is much appreciated.

  Your tip on exporting from eDir to locate a missing private key was very helpful. Here are my steps to renew an expired third party certificate when the private key, generated 30 months ago in my case, could not be located.
  In iManager, browse the tree and locate the likely certificate object. The Attributes for the object show Subject Name = webmail.acme.com. Selected the certificate and exported to webmailcert.pfx.
  Then, the openssl commands in TID 7004039, "How to convert a SSL PFX to a PEM file", were run against the .pfx file to create cert.pem, key.pem and server.key files.
  TID 7015500, "How to determine if private key belongs to public key (certificate)", was followed to determine if the public key (downloaded from third party) and private key (just retrieved from iManager) match - they did - that is, the private key converted from webmailcert.pfx matches the downloaded certificate.
  TID 7013103, "How to create a .pem File for SSL certificate Installations", was followed to manually create a server.pem file using openssl.
  TID 7010584, "How to setup SSL Certificate for Apache", part labeled "Additional Information" was followed to modify /etc/apache2/vhosts.d/vhost-ssl.conf file. Server.pem file created above copied to /etc/apache2/ssl.crt/ and /etc/ssl/servercerts/ directories as specified in vhost-ssl.conf.
  Restarted apache2.
  www.digicert.com has an SSL Certificate Checker that can be used to verify the installation is successful.

• Problem Signing Email with Digital Certificate from Smart Card, Outlook 2013

  Hi there, I'm the IT guy for a small company.  I've configured several people in the company to use their smart cards for email signing through Outlook 2013, but a a few computers are giving me this error:
  "Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address '<e-mail address>'. Either get a new digital ID to use with this account, or use the Accounts button to
  send the message using an account that you have certificates for."
  I've been in the Trust Center, I see the signing and encrypting certificates. (SHA-1 and 3DES).  Yet when I try to sign, Outlook always fails on the error.
  For my computer, I was able to fix this by adding a "SupressNameChecks" DWORD set to 1 in the Registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook.  However, this fix is not working for the other people in the company.
  Any other ideas?  Really pulling my hair out on this one, I've tried everything I could find on the net it seems.

  Hi,
  Please checked “E-mail name” under the section ‘Include this information in alternate subject name” on the Subject Name tab of the certificate template.
  We can export the entrust managed services root CA cert from a working machine and import into the trusted root store of a non-working machine. For detailed steps about it, please refer to:
  How To Import and Export Certificates So That You Can Use S/MIME in Outlook Web Access on Multiple Computers
  http://support.microsoft.com/kb/823503/en-us
  Hope it helps.
  Regards,
  Winnie Liang
  TechNet Community Support

• Problems with receiving signed message in outlook

  Hello
  I have a problem with signing message using Javamail. I use a sample program code that I got from some tutorial - it seems to work fine but when I receive the message using outlook express there are fallowing warnings:
  - the message has been changed by untrusted people
  - the e-mail address from the certificete:... (here ma address) doesn't match the address of the sender:... (here no adress)
  I set all the varables: 'sender', 'replyTo', 'return-path' and 'from' with my address used in the certificate. I don't know why there is no address after the word: sender. Maybe some of you had such a problem, solved it and could share with me what is wrong with my message?
  ania

  Hi
  It's me again. I solved the problem.
  The first warning was because I changed the message after signing it, before sending :), and the second (that was worse) was because I was setting up all possible fields: sender, from, reply to and return-path - only sender should be set - now everything works great :)
  ania

• Using a Self Signed Root CA Certificate with Mail

  Hello -
  I'm experimenting with public/private encryption using Mail 3.5 on Mac OS 10.5.6, Keychain Access 4.0.2 and Certificate Assistant 2.0.
  I created a Certificate Authority with CA 2.0, granted a certificate to two different users with different email addresses and loaded the certificates into Mail 3.5 on two different machines running 10.5.6. I am able to send and receive signed messages between the two accounts but I'm unable to send encrypted messages, the 'lock' icon remains dimmed.
  When I look at keys in Keychain Access I don't find a public key for the receiver's address but I do have a certificate for both sender and receiver and a public and provate key for the sender.
  Can anyone shed light on why Mail won't let me encrypt the message?
  Thanks,
  Scott.

  Anyone have any information at all? This seems like a very basic need for maintaining certificates beyond the usable life of the equipment on which they were created.
  I have found precious little information about this specific to Apple OS.