SOAP Axis adapter_Encryption via Client Certificate not working

Similar Messages

• HTTPS connection with client certificate not working in spartan

  Spartan does not show certificate for the user to select
  when I click the https link.
  The certificates (taken from a smartcard) are indeed present in the user CertStore.
  It works with IE 11 and Chrome.
  Has somebody any suggestions ?
  Thanks.

  in fact you are more using a reverse-proxy than a proxy since it is on the server part..
  You have to put all the SSL server part on the reserve-proxy itself and not on the final RSS feed. Then, the reverse-proxy will authenticate your client and gets its certificate. After that, either this proxy will open a plain connection (no ssl) towards the RSS, or you can also open a ssl connection but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
  hope it helps !

• X.509 client certificate not working through Reverse proxy

  Dear expert,
  We are working on fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but internet is not, we got error message of "Base64 decoding of certificate failed". For landscape, the only difference between internet and intranet is we have apache reverse proxy in DMZ. We are using gateway as fron-end server, business suite and HANA in the back-end.
  As X.509 authentication works fine under intranet scenario, we assume that the configuration for X.509 for both front-end and back-end are correct. With that assumption, the issue would exist in reverse proxy. We are using apache 2.4.7 with openssl 1.0.1e, but we have upgraded the openssl to the latest version 1.0.1h for SSL certificate generation. Below are the apache configuration for X.509.
  Listen 1081
  <VirtualHost *:1081>
  SSLEngine on
  SSLCertificateFile  "D:/Apache24/conf/server.cer"
  SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
  SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
  SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
  SSLVerifyClient optional
  SSLVerifyDepth  10
  SSLProxyEngine On
  SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
  SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
  AllowEncodedSlashes On
  ProxyPreserveHost on
  RequestHeader unset Accept-Encoding
  <Proxy *>
       AddDefaultCharset Off
       SSLRequireSSL
       Order deny,allow
       Allow from all
  </Proxy>
  RequestHeader set ClientProtocol https
  RequestHeader set x-sap-webdisp-ap HTTPS=1081
  RequestHeader set SSL_CLIENT_CERT  ""
  RequestHeader set SSL_CLIENT_S_DN  ""
  RequestHeader set SSL_CLIENT_I_DN  ""
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
  RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
  ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
  proxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
  We are out of mind on how to resolve this issue. Please kindly help if you have any idea on it.
  thanks,
  Best regards,
  Xian' an

  Hi Samuli,
  Really thanks for your reply.
  Yes, we have tried your suggestion above in the apache configure file above, but when testing the HANA service, we got error message "Certificate could not be authenticated".
  Yes, web dispatcher makes the X.509 authentication much easier as under intranet scenario, no DMZ between browser and web dispatcher. Client certificate pass through web dispatcher directly and it works perfectly this way. Not sure why it doesn' t work through apache reverse proxy.
  Best regards,
  Xian' an

• Multiple Exchange accounts and client certificates not working...?

  Hi all,
  I have a problem with my company iPad's. I'm trying to configure 2 Exchange accounts with certificate based authentication on my iPad with the iPhone config utility. For that i have created 2 client certificates.
  When I configure just 1 mailbox, does not matter which one of the 2, with the iPhone config util, it al works ok with client authentication.
  When I configure 2 mailboxes, on the iPad, without client certificate authentication it al works ok.
  When I configure 2 mailboxes with the 2 client certificates with the iPhone config util, both exchange accounts have the same mailbox. When I configure for example mailbox Jim and Harry with the corresponding certificates and I load it into the iPad. The exchange account of Jim has Jim his mailbox, but the exchange account of Harry also has the mailbox of Jim. And sometimes it is vice versa.....
  Can anybody help me in this, we are using 4th gen iPad with MS Exchange ActiveSync 2003 SP2 en MS Forefront TMG with Kerberos delegation.
  Please advice.
  Cheers,
  Eddy

  Hi Eddy,
  I have the feeling that the SSL connection after being established is only using the first authenticated certificated to connect to the exchange server.
  Have you had a look over this Microsoft page:
  http://technet.microsoft.com/en-us/magazine/ff472472.aspx
  Are you able to test 2 accounts on one pad in a test environment preferably with SSL inspection off?
  Do you have any information in the Forefront logs of the users being authenticated from the iPad? Or is one user authenticated twice?
  Cheers,
  IhalpU

• Client certificate not working in E51 after FW upd...

  In our company we have several E51 phones for using our mobile web services. In some cases we need to use client cetrificates for maximum security.
  The situation is: with older firmware versions (100.x/200.x) the certificate and TLS handshakes are working fine, but after upgarding to the latest version (300.x) the browser starts complaining "The operation cannot be completed" when trying to open the https connection. The problem seems to occur in the handshake phase, so debugging and analyzing the problem is very difficult. It's notable that the certificate itself is valid (working with older fw) and is installed just fine. Some cert details: Type: X.509 Algorithm: SHA1RSA
  Normal TLS connections without client certs work. The phones have been formatted and no backups have been restored after formatting, so the problem cannot be about old settings messing up the configuration.
  Has any other had similar problems and have you been able to solve it somehow?

  I am also having this problem where the certificate dialog (Windows Security is usually the title) is never prompted to the user. I tried it on several computers which are all part of the domain. The same computers can also login on another ADFS, so I have
  working certificates.
  I just get a page where a text says I should select a certificate but I never get the dialog to do so.
  Any updates on this issue?

• Certificate not works when deploy the store app package by powershell

   I request a web service with a pfx certificate in windows store app, it works well, but after I create a package by VS2013, and
  deploy the app with powershell, access web service failed, seems the certificate not works. Any hints, suggestion ? My code as below:
  string certRawData = StringEncryptionHelper.Decrypt(ConfigurationLoader.ApplicationSettings.CertificateData.RawData);
  string certPassword = StringEncryptionHelper.Decrypt(ConfigurationLoader.ApplicationSettings.CertificateData.Password);
  await CertificateEnrollmentManager.ImportPfxDataAsync(certRawData,
  certPassword,
  ExportOption.Exportable,
  KeyProtectionLevel.NoConsent,
  InstallOptions.None,
  ConfigurationLoader.ApplicationSettings.CertificateData.FriendlyName);
  CertificateQuery certQuery = new CertificateQuery { FriendlyName = ConfigurationLoader.ApplicationSettings.CertificateData.FriendlyName };
  IReadOnlyList<Windows.Security.Cryptography.Certificates.Certificate> certs = await CertificateStores.FindAllAsync(certQuery);
  certificate = certs.FirstOrDefault();
  var protolFilter = new HttpBaseProtocolFilter { ClientCertificate = certificate };
  var client = new HttpClient(protolFilter);
  HttpResponseMessage result = await client.GetAsync(requestUri);

  Hello Mosser lee，
  As this issue is related to Development, it is recommended to post in the related MSDN forum.
  The professionals there will be glad to help you.
  https://social.msdn.microsoft.com/Forums/en-US/home
  Thanks for your understanding.
  Best regards,
  Fangzhou CHEN
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• BPC 7.5 Admin Client Links Not Working

  I am working in BPC 7.5 SP15 NW. I have recently upgraded to Windows 7 64-bit and now the links in the action pane in the desktop admin client are not working.  The cursor does not change from the nornal pointer to the hand.  That would indicate that the admin client is no longer recognizing them as links.  The links work fine in the desktop Excel client.  I am using 32-bit Excel 2010 with no other version of Office installed.
  Has anyone heard of this behavior and how to correct for it?

  Hi Kannan,
  i think this is a Osoft web site configuration issue, the error indicates that you have one duplicate section in the web site configuration file (web.config).
  If you didn't alter the web.config file then the problem may occur because when you use framework 4.0, the machine config already has some of the sections defined that were used in previous ASP.NEt versions.
  You should check which version of the MS Framework is configured for the application pool of the web site, change it to v2.
  Let me know if this solves the issue. Or if you need more help to resolve it.
  Kindest regards,

• I am using Ubuntu; iTunes installed via wine is not working properly. So how should i sync my apps on iTunes and device?          When will iTunes come to Ubuntu

  I am using Ubuntu; iTunes installed via wine is not working properly. So how should i sync my apps on iTunes and device?
  When will iTunes come to Ubuntu?

  See:
  *http://kb.mozillazine.org/Firefox_crashes
  *https://support.mozilla.org/kb/Firefox+crashes
  If you have submitted crash reports then please post the IDs of one or more recent crash reports that have this format:
  *bp-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  You can find the IDs of the submitted crash reports on the <i>about:crashes</i> page.
  *You can open the <b>about:crashes</b> page via the location bar, like you open a website, or open this page via "Help > Troubleshooting Information".
  See:
  *http://kb.mozillazine.org/Mozilla_Crash_Reporter
  *https://support.mozilla.org/kb/Mozilla+Crash+Reporter

• [solved] NFS client will not work correctly

  I have all my $HOME on an NFS Server. So long I used suse and debian, now I want switch to arch but the nfs-client ist not working correctly:
  I start "portmap nfslock nfsd netfs" over rc.conf. When I do a "rpcinfo -p <ip-arch-system>" I got the following
  stefan:/home/stefan # rpcinfo -p 192.168.123.3
     Program Vers Proto   Port
      100000    2   tcp    111  portmapper
      100000    2   udp    111  portmapper
      100021    1   udp  32768  nlockmgr
      100021    3   udp  32768  nlockmgr
      100021    4   udp  32768  nlockmgr
      100003    2   udp   2049  nfs
      100003    3   udp   2049  nfs
      100003    4   udp   2049  nfs
      100021    1   tcp  48988  nlockmgr
      100021    3   tcp  48988  nlockmgr
      100021    4   tcp  48988  nlockmgr
      100003    2   tcp   2049  nfs
      100003    3   tcp   2049  nfs
      100003    4   tcp   2049  nfs
      100005    3   udp    891  mountd
      100005    3   tcp    894  mountd
  As you see "status" is missing, so the statd is not running. It sould look like the result on my suse box:
  stefan:/home/stefan # rpcinfo -p 192.168.123.2
     Program Vers Proto   Port
      100000    2   tcp    111  portmapper
      100000    2   udp    111  portmapper
      100024    1   udp  32768  status
      100021    1   udp  32768  nlockmgr
      100021    3   udp  32768  nlockmgr
      100021    4   udp  32768  nlockmgr
      100024    1   tcp  35804  status
      100021    1   tcp  35804  nlockmgr
      100021    3   tcp  35804  nlockmgr
      100021    4   tcp  35804  nlockmgr
  There is the "status" line and so the statd is running.
  How can I fix that problem, so that statd ist running on my arch box too?
  Last edited by stka (2007-06-10 15:59:48)

  The Problem ist solved.
  I use ldap for authentication. During the setup of the ldapclient I copied the nsswitch.ldap to nsswitch.conf. But the line for "hosts:" was:
  hosts:          dns ldap
  but in my dns ist no localhost entry. After I changed this line to:
  hosts:          files dns ldap
  everything was ok. The statd is now running and I can start to migrate to archlinux ;-)

• HT202879 I can't download program Pages ver 5.1 . It stops to download and tell me to download via purchase(still not working)

  I can't download program Pages ver 5.1 . It stops to download and tell me to download via purchase(still not working)

  Depending where you are, there can be slow downs on the servers.
  You just have to keep trying. I tried 3 times to get the Mavericks upfrade and eventually had to go to the Apple Store.
  Where they gave me a copy of the previous version!
  "Eventually it works" - the new Apple slogan.
  Peter

• SCEP definition updates for clients in DMZ via UNC is not working.

  Hello,
  I have configured SCEP definition updates via UNC method for my Win 8.1 clients in DMZ and its not working.
  Script is properly associated with task scheduler and downloading definition to shared folder properly.
  Even running the mpcmdrun.exe -SignatureUpdate, gives the below error:
  C:\Program Files\Microsoft Security Client>mpcmdrun.exe -SignatureUpdate
  Signature update started . . .
  ERROR: Signature Update failed with hr=80070002
  CmdTool: Failed with hr = 0x80070002. 
  MpCmdRun: Command Line: mpcmdrun.exe  -SignatureUpdate
   Start Time: ‎Sun ‎Jul ‎06 ‎2014 11:05:09
  Start: MpSignatureUpdate()
  Update started 
  Search Started (UNC share) (Path: \\sccm\SCEP_UNC_DEFS\Updates\x64)...
  Search Completed 
  Download Started...
  Download Completed 
  Installation Started...
  Installation Completed 
  Update completed with hr: 0x80070002
  ERROR: Signature Update failed with hr=80070002
  MpCmdRun: End Time: ‎Sun ‎Jul ‎06 ‎2014 11:05:17

  Hi,
  Please check logs on the client to see whether there are any helpful information.(ScanAgent.log, Windowsupdate.log and UpdatesHandler.log)
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SOAP Receiver Adapter problem (client certificate required)

  My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] [original link is broken] [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
  PI Server AXD - (Client) - Receiver SOAP adapter
  PI Server AXQ - (Server) - Sender SOAP Adapter.
  Steps in AXD
  1. I have created a certificate of AXD in the service_ssl view of key storage.
  2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
  Steps in AXQ
  1. I have created a certificate of AXQ in the service_ssl view of key storage.
  2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
  3. I have created a user in AXQ and assigned the certificate of AXD under usermangement in Security provider to this user.
  4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
  5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
  Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
  Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
  Any pointer to solve this problem is highly appreciated.
  Thanks
  Abinash

  Hi Hemant,
  I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
  As far as my scenario goes I am not using message level security.
  Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
  Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
  Abinash

• Receiver SOAP adapter SSL error - client certificate required?

  Hi all,
  Problem configuring SSL in XI 3.0 NW04 SP17....
  I have followed the config steps from Rahul's excellent weblog at <a href="/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter">How to use Client Authentication with SOAP Adapter</a> (my Basis team have done the Visual Admin steps) and am going through his example as it closely matches my requirement. So, I have a test receiver SOAP adapter sending messages to a web service URL defined for a sender SOAP adapter. My test scenario is:
  <b>Sender File -> <u><i>Receiver SOAP -> Sender SOAP</i></u> -> IDoc Receiver -> IDocs in R/3</b>
  The problem components are in italic and underlined above. My Receiver SOAP Adapter has the web service URL, Certificate Keystore Entry and View entered. If, in the Sender SOAP Adapter, I have an HTTP Security Level of HTTPS Without Client Authentication, the interface works fine (note that Rahul suggests you untick the User Authentication in the Receiver but with this Security Level, it seems to work with or without it).
  The problem is when I set HTTPS <b>With</b> Client Authentication in the Sender. I then get the following error in the message monitor:
  SOAP: response message contains an error XIServer/UNKNOWN/ModuleUnknownException - com.sap.aii.af.mp.module.ModuleException: java.security.AccessControlException: <b>client certificate required caused by: java.security.AccessControlException</b>: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:1111) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl3.process(ModuleLocalLocalObjectImpl3.java:103) at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:250) at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:103) at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:166) at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:421) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.Client.handle(Client.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java(Compiled Code)) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code)) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code)) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code)) at java.security.AccessController.doPrivileged1(Native Method) at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code)) Caused by: java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:843) ... 22 more
  Has anyone got any idea what this could be caused by?
  Many thanks,
  Stuart Richards

  Have you configured the https port with that keystore entry?
  Check out these links:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b0/881e3e3986f701e10000000a114084/frameset.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/15f73dd0408e5be10000000a114084/frameset.htm
  Regards,
  Henrique.

• Asking specific client certificate (not certificates trusted by authority)

  As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
  I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
  For example:
  Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
  But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
  And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

  I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
  It might not be elegantBut it is!
  See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
  Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
  This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
  if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
  So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.

• Client certificate not being presented by Sun JDK

  I have a requirement to connect to an external service provider (SP) using an https get.
  The SP has a server certificate that I have imported to my trust store.
  The SP issued a private key and an intermediate certificate that I have included in my keystore.
  On running the application with IBM JDK1.5 the server responds with the error HTTP Error 403.7 - Forbidden: SSL client certificate is required"
  However on running the same test application with IBM JDK1.4.2 I get the expected response from the client.
  I have attached the contents of the keystore, the contents of thejava class that I am trying to connect with and and the command line options that I am using below.
  Has any one encountered anything similiar?
  {code}contents of Keystore:
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 2 entries
  Alias name: testinter
  Creation date: Mar 6, 2008
  Entry type: trustedCertEntry
  Owner: CN=test Solutions CA, OU=Class 2 OnSite Individual Subscriber C
  A, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Netw
  ork, O=test Solutions, C=US
  Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized
  use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign,
  Inc.", C=US
  Serial number: 98da226f38da2ce29c65e35d505ec36
  Valid from: Tue Jan 24 16:00:00 PST 2006 until: Mon Jan 24 15:59:59 PST 2011
  Certificate fingerprints:
  MD5: D1:7D:C2:B2:30:3E:26:9B:AE:5D:4C:8C:C7:10:B0:E0
  SHA1: 4C:3B:59:67:F4:DE:08:0B:8C:70:AE:0D:05:1E:D1:18:46:00:FC:2D
  Alias name: testclient
  Creation date: Mar 6, 2008
  Entry type: keyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: [email protected], CN=BHN AST, T=Programmer, OU="
  Security Phrase - 1111+!", OU=Company - Test Networks, OU="www.verisign.c
  om/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Data Center, O=test Prepa
  id Solutions
  Issuer: CN=test Solutions CA, OU=Class 2 OnSite Individual Subscriber
  CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Net
  work, O=test Solutions, C=US
  Serial number: 769ed3a8a02a78a45ba2ce46e974f444
  Valid from: Wed Mar 05 16:00:00 PST 2008 until: Fri Mar 06 15:59:59 PST 2009
  Certificate fingerprints:
  MD5: 2D:6E:37:83:BD:B8:FB:32:0E:08:B7:C5:F9:52:F3:C6
  SHA1: B9:61:D9:D9:F2:B5:9B:5E:9D:73:D2:FB:7A:B6:04:BE:0A:4F:E5:27
  *******************************************{code}
  I am providing the following JVM arguments in my command line:
  {code}-Djavax.net.ssl.keyStore
  -Djavax.net.ssl.keyStorePassword
  -Djavax.net.ssl.trustStore
  -Djavax.net.ssl.trustStorePassword{code}
  I use org.apache.commons.httpclient.HttpClient. I have pasted the code below, though this might not be relevant.
  {code}
  public class MySimpleTest {
  public static void main(String[] args) {
  HttpClient client = new HttpClient();
  String url = "https://sample.domain.com:443/a2a/CO_TestCall.asp?userid=me&password=hello"
  String url = null;
  GetMethod getMethod;
  try {
  // start- Proxy authentication changes
  client.setTimeout(30000);
  client.getParams().setParameter("http.useragent", "X-HTTP-UserAgent: Mozilla/4.0 (compatible; MMozilla/4.0SIE 6.0");
  client.getParams().setSoTimeout(3000);
  client.getParams().setParameter("http.socket.timeout", new Integer(30000));
  client.getHttpConnectionManager().getParams().setConnectionTimeout(30000);
  getMethod = new GetMethod(url);
  client.executeMethod(getMethod);
  String xmlString = getMethod.getResponseBodyAsString();
  System.out.println("Response from SP - \n" + xmlString);
  } catch (HttpException e) {
  e.printStackTrace();
  } catch (IOException e) {
  e.printStackTrace();
  }{code}
  Edited by: dhanyakairali on Nov 26, 2008 2:24 PM

  What do you mean by the following:
  That's probably because it can't find a certificate that matches the cipher suites and CAs specified in the Certificate Request message
  Is there some way this can be resolved?
  Following is the debug output using IBM JDK1.4. The response from the server is as expected.
  Dec 2, 2008 10:56:58 AM org.apache.commons.httpclient.auth.AuthChallengeProcesso
  r selectAuthScheme
  INFO: basic authentication scheme selected
  IBMJSSEProvider Build-Level: -20050926
  trustStore is: C:/test/telecom.ks
  trustStore type is : jks
  init truststore
  This is a cert =[
    Version: V3
    Subject: [email protected], CN=TestAST, T=Programmer,
  OU="Security Phrase - 1111+!", OU=Company - Test Networks, OU="www.verisi
  gn.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Data Center, O=test P
  repaid Solutions, ST=CA, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key:  IBMJCE RSA Public Key:
  modulus:
  13700328555797653992422405008895136799144702421032746442303924045960508846129827
  37401767169101170952814528896263872577201854818466933232859315777147275637960851
  92040201921570983415043931612942054809265710771489792766258003906198481883302677
  501158985042407358121382552144568843482651891301118466381829467239017
  public exponent:
  65537
    Validity: [From: Sun Mar 11 16:00:00 PST 2007,
                 To: Tue Mar 11 15:59:59 PST 2008]
    Issuer: CN=test Prepaid Solutions CA, OU=Class 2 OnSite Individual Subscribe
  r CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust N
  etwork, O=test Prepaid Solutions, C=US
    SerialNumber: [116300044034181362695735633430106044869]
  Certificate Extensions: 5
  [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
  NetscapeCertType [
     SSL client
  [2]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:false
  PathLen: undefined
  [3]: ObjectId: 2.5.29.32 Criticality=false
  CertificatePolicies [
  PolicyInformation: [
          CertPolicyId: 2.16.840.1.113733.1.7.23.2
          PolicyQualifiers: [PolicyQualifierInfo: [
  CPSuri: [
          object identifier: 1.3.6.1.5.5.7.2.1
          uri: https://www.verisign.com/rpa]
  [4]: ObjectId: 2.5.29.31 Criticality=false
  CRLDistributionPoints [
  1 CRL Distribution Points:
  Distribution Point: [
          Distribution Point Name: [URIName: http://onsitecrl.verisign.com/testP
  repaidSolutionsDataCenter/LatestCRL.crl]
          Reason Flags: null
          Issuer: null
  [5]: ObjectId: 2.5.29.15 Criticality=false
  KeyUsage [
    DigitalSignature
    Key_Encipherment
    Algorithm: [MD5withRSA]
    Signature:
  0000: a9 9a de a4 8a 63 6c d1  c4 a6 cd e1 28 13 90 e5  .....cl.........
  0010: 0f bd ff 08 08 aa 45 05  a7 f0 a2 ea ed a7 82 77  ......E........w
  0020: 9a 59 c1 5a 55 f9 d9 60  fe ff b9 bf 5e ac ae be  .Y.ZU...........
  0030: 6b 0f 12 b9 de 63 d2 34  90 6a 2d 43 6b 16 eb 22  k....c.4.j.Ck...
  0040: f5 6e 2a c0 dc 95 75 7e  2f fe 5e a4 4d 76 0e ca  .n....u.....Mv..
  0050: 56 7f 20 d4 88 9b d9 00  0e b0 63 3a 62 2e da e1  V.........c.b...
  0060: d8 a3 0c da 16 0e eb 3a  c8 39 e4 23 b7 59 f9 03  .........9...Y..
  0070: 68 e6 1c 6a 7f ce 89 ba  e8 f1 02 87 7e 19 80 7e  h..j............
  0080: 33 8b 17 66 33 28 ce 5f  f6 12 03 ba 48 60 06 4f  3..f3.......H..O
  0090: b4 56 af 8d 0c 59 c3 0e  ec 7f 76 37 82 03 30 70  .V...Y....v7..0p
  00a0: 6d 7e de 9b 06 2b 41 13  19 e2 ca 2c 98 c6 82 7c  m.....A.........
  00b0: 5d dc d0 2d 23 27 24 28  08 a5 2d 24 1a 1e 20 44  ...............D
  00c0: 63 cd b0 04 97 ac 71 97  04 12 f7 fe 79 40 d2 95  c.....q.....y...
  00d0: 0c ea 3e 96 06 3d 28 04  a2 6d ec ef d1 61 17 19  .........m...a..
  00e0: d0 bc 7d a9 a8 d7 86 28  68 cd 8c bd 88 02 48 76  ........h.....Hv
  00f0: ac f8 58 9e 5a f6 12 22  7a 3d c1 77 52 e4 4a 1c  ..X.Z...z..wR.J.
  This is a cert =[
    Version: V3
    Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.ne
  t Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O
  =Entrust.net, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key:  IBMJCE RSA Public Key:
  modulus:
  14060551710975481933679958427775412995993933516866022052634173307104123356793897
  86029054872741136587347742365042373051727361425820266702866562193067033437895460
  98897297163835299300640686715935681464440623967085658420014139658593602796229395
  160423430303106875229776994060540049647635218875669343075088279205771
  public exponent:
  3
    Validity: [From: Tue Oct 12 12:24:30 PDT 1999,
                 To: Sat Oct 12 12:54:30 PDT 2019]
    Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net
  Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=
  Entrust.net, C=US
    SerialNumber: [939758062]
  Certificate Extensions: 8
  [1]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: c4 fb 9c 29 7b 97 cd 4c  96 fc ee 5b b3 ca 99 74  .......L.......t
  0010: 8b 95 ea 4c                                        ...L
  [2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
  NetscapeCertType [
     SSL CA
     S/MIME CA
     Object Signing CA]
  [3]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
  Extension unknown: DER encoded OCTET string =
  0000: 04 0c 30 0a 1b 04 56 34  2e 30 03 02 04 90        ..0...V4.0....
  [4]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:true
  PathLen:2147483647
  [5]: ObjectId: 2.5.29.31 Criticality=false
  CRLDistributionPoints [
  2 CRL Distribution Points:
  Distribution Point: [
          Distribution Point Name: [CN=CRL1, CN=Entrust.net Client Certification A
  uthority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS
  incorp. by ref. limits liab., O=Entrust.net, C=US]
          Reason Flags: null
          Issuer: null
  Distribution Point: [
          Distribution Point Name: [URIName: http://www.entrust.net/CRL/Client1.cr
  l]
          Reason Flags: null
          Issuer: null
  [6]: ObjectId: 2.5.29.16 Criticality=false
  PrivateKeyUsage: [
  From: Tue Oct 12 12:24:30 PDT 1999, To: Sat Oct 12 12:24:30 PDT 2019]
  [7]: ObjectId: 2.5.29.15 Criticality=false
  KeyUsage [
    Key_CertSign
    Crl_Sign
  [8]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: c4 fb 9c 29 7b 97 cd 4c  96 fc ee 5b b3 ca 99 74  .......L.......t
  0010: 8b 95 ea 4c                                        ...L
    Algorithm: [MD5withRSA]
    Signature:
  0000: 3f ae 8a f1 d7 66 03 05  9e 3e fa ea 1c 46 bb a4  .....f.......F..
  0010: 5b 8f 78 9a 12 48 99 f9  f4 35 de 0c 36 07 02 6b  ..x..H...5..6..k
  0020: 10 3a 89 14 81 9c 31 a6  7c b2 41 b2 6a e7 07 01  ......1...A.j...
  0030: a1 4b f9 9f 25 3b 96 ca  99 c3 3e a1 51 1c f3 c3  .K..........Q...
  0040: 2e 44 f7 b0 67 46 aa 92  e5 3b da 1c 19 14 38 30  .D..gF........80
  0050: d5 e2 a2 31 25 2e f1 ec  45 38 ed f8 06 58 03 73  ...1....E8...X.s
  0060: 62 b0 10 31 8f 40 bf 64  e0 5c 3e c5 4f 1f da 12  b..1...d....O...
  0070: 43 ff 4c e6 06 26 a8 9b  19 aa 44 3c 76 b2 5c ec  C.L.......D.v...
  This is a cert =[
    Version: V1
    Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authoriz
  ed use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSig
  n, Inc.", C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key:  IBMJCE RSA Public Key:
  modulus:
  14351375969537625669855198831991651295191487241251642784842741254494712862136652
  49865861338724286276052570119645627384360370149490030232076841237655805776438569
  02490012206184342797701338702212847300700510904054461415882447323962515420981673
  690656531522653631627254509600778128478935206940338665570318609767527
  public exponent:
  65537
    Validity: [From: Sun May 17 17:00:00 PDT 1998,
                 To: Tue Aug 01 16:59:59 PDT 2028]
    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorize
  d use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign
  , Inc.", C=US
    SerialNumber: [167285380242319648451154478808036881606]
    Algorithm: [SHA1withRSA]
    Signature:
  0000: 51 4d cd be 5c cb 98 19  9c 15 b2 01 39 78 2e 4d  QM..........9x.M
  0010: 0f 67 70 70 99 c6 10 5a  94 a4 53 4d 54 6d 2b af  .gpp...Z..SMTm..
  0020: 0d 5d 40 8b 64 d3 d7 ee  de 56 61 92 5f a6 c4 1d  ....d....Va.....
  0030: 10 61 36 d3 2c 27 3c e8  29 09 b9 11 64 74 cc b5  .a6.........dt..
  0040: 73 9f 1c 48 a9 bc 61 01  ee e2 17 a6 0c e3 40 08  s..H..a.........
  0050: 3b 0e e7 eb 44 73 2a 9a  f1 69 92 ef 71 14 c3 39  ....Ds...i..q..9
  0060: ac 71 a7 91 09 6f e4 71  06 b3 ba 59 57 26 79 00  .q...o.q...YW.y.
  0070: f6 f8 0d a2 33 30 28 d4  aa 58 a0 9d 9d 69 91 fd  ....30...X...i..
  This is a cert =[
    Version: V3
    Subject: [email protected], CN=Thawte Personal Basic CA,
  OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western
  Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key:  IBMJCE RSA Public Key:
  modulus:
  13253536386354654913138758702689025560687846640885974128606081482411288972669674
  09593694394214448269934071264255335350958443035659786636087648033000633904576847
  89299407573545577463510566656987897345834861794576009248121771398416136278226650
  196253637652406375166996828928456019641867231766265750548967038620449
  public exponent:
  65537
    Validity: [From: Sun Dec 31 16:00:00 PST 1995,
                 To: Thu Dec 31 15:59:59 PST 2020]
    Issuer: [email protected], CN=Thawte Personal Basic CA, O
  U=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western
  Cape, C=ZA
    SerialNumber: [0]
  Certificate Extensions: 1
  [1]: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
  CA:true
  PathLen:2147483647
    Algorithm: [MD5withRSA]
    Signature:
  0000: 2d e2 99 6b b0 3d 7a 89  d7 59 a2 94 01 1f 2b dd  ...k..z..Y......
  0010: 12 4b 53 c2 ad 7f aa a7  00 5c 91 40 57 25 4a 38  .KS.........W.J8
  0020: aa 84 70 b9 d9 80 0f a5  7b 5c fb 73 c6 bd d7 8a  ..p........s....
  0030: 61 5c 03 e3 2d 27 a8 17  e0 84 85 42 dc 5e 9b c6  a..........B....
  0040: b7 b2 6d bb 74 af e4 3f  cb a7 b7 b0 e0 5d be 78  ..m.t..........x
  0050: 83 25 94 d2 db 81 0f 79  07 6d 4f f4 39 15 5a 52  .......y.mO.9.ZR
  0060: 01 7b de 32 d6 4d 38 f6  12 5c 06 50 df 05 5b bd  ...2.M8....P....
  0070: 14 4b a1 df 29 ba 3b 41  8d f7 63 56 a1 df 22 b1  .K.....A..cV....
  This is a cert =[
    Version: V3
    Subject: CN=*.mercurypay.com, OU=Comodo PremiumSSL Wildcard, OU=Information Te
  chnology, O=Mercury Payment Systems, STREET="72 Suttle Street, Suite M", L=Duran
  go, ST=Colorado, POSTALCODE=81303, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key:  IBMJCE RSA Public Key:
  modulus:
  12552582405364904122368800557136600883426046147697390022111207038948008845421116
  97612139262756746187884552197255250066841576447434719408180546101657839553295002
  41981704931093809205287106190471023650551952772636758926085360687310943371751673
  005150920927008661377022502832804963301450995642354061325253865423063
  public exponent:
  65537
    Validity: [From: Thu Feb 01 16:00:00 PST 2007,
                 To: Wed Mar 12 15:59:59 PST 2008]
    Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUS
  T Network, L=Salt Lake City, ST=UT, C=US
    SerialNumber: [69293248245822231088475549727641695166]
  Certificate Extensions: 9
  [1]: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
  CA:false
  PathLen: undefined
  [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
  AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.2
  accessLocation: URIName: http://crt.comodoca.com/UTNAddTrustServerCA.crt, access
  Method: 1.3.6.1.5.5.7.48.2
  accessLocation: URIName: http://crt.comodo.net/UTNAddTrustServerCA.crt]]
  [3]: ObjectId: 2.5.29.15 Criticality=true
  KeyUsage [
    DigitalSignature
    Key_Encipherment
  [4]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: c6 3a 32 8e d4 44 8f 6f  46 ff d9 db a7 48 6d 45  ..2..D.oF....HmE
  0010: 62 78 25 a2                                        bx..
  [5]: ObjectId: 2.5.29.37 Criticality=false
  ExtKeyUsage [
          1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
  [6]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: a1 72 5f 26 1b 28 98 43  95 5d 07 37 d5 85 96 9d  .r.....C...7....
  0010: 4b d2 c3 45                                        K..E
  [7]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
  NetscapeCertType [
     SSL client
     SSL server
  [8]: ObjectId: 2.5.29.32 Criticality=false
  CertificatePolicies [
  PolicyInformation: [
          CertPolicyId: 1.3.6.1.4.1.6449.1.2.1.3.4
          PolicyQualifiers: [PolicyQualifierInfo: [
  CPSuri: [
          object identifier: 1.3.6.1.5.5.7.2.1
          uri: https://secure.comodo.net/CPS]
  [9]: ObjectId: 2.5.29.31 Criticality=false
  CRLDistributionPoints [
  2 CRL Distribution Points:
  Distribution Point: [
          Distribution Point Name: [URIName: http://crl.comodoca.com/UTN-USERFirst
  -Hardware.crl]
          Reason Flags: null
          Issuer: null
  Distribution Point: [
          Distribution Point Name: [URIName: http://crl.comodo.net/UTN-USERFirst-H
  ardware.crl]
          Reason Flags: null
          Issuer: null
    Algorithm: [SHA1withRSA]
    Signature:
  0000: 40 b2 e3 1d 81 d4 74 9b  1d cb ca c3 e9 6e 4f 5b  ......t......nO.
  0010: 54 9a 86 bf 53 4a d6 72  8d 88 e6 ff a9 03 ea 0a  T...SJ.r........
  0020: dd a4 f7 fc 21 ed 6a 4f  f9 a1 d4 7a b2 da fc fb  ......jO...z....
  0030: bb a3 ab 8a a7 54 00 2a  12 dd e3 d6 29 96 42 d5  .....T........B.
  0040: 9a e0 3e 1b 4e da 0e b6  5b 56 51 bd 63 f6 fe 62  ....N....VQ.c..b
  0050: eb d3 5e 9f fb 71 7b 09  d0 ef 98 06 55 76 56 8b  .....q......UvV.
  0060: 9b a0 d9 c8 8a c3 fd df  f9 81 39 16 65 1e 2e ac  ..........9.e...
  0070: 1c e5 b8 a6 76 ef 7b 18  50 d9 cd a1 cc 31 f3 d4  ....v...P....1..
  0080: 79 f0 63 95 e7 97 15 28  c3 c6 2a 23 9d 62 08 f4  y.c..........b..
  0090: 4b bd 23 eb 8d 72 7d 4b  a9 49 83 63 fb 65 b7 b8  K....r.K.I.c.e..
  00a0: 96 d8 13 2c 54 f2 11 7c  7d 30 55 f4 0e aa 13 eb  ....T....0U.....
  00b0: 83 bf ea 22 86 2a d8 4c  db a6 21 b4 ce fd 0a 7d  .......L........
  00c0: bb 65 a5 a7 8f eb 84 1d  8c 3b c7 11 87 e2 06 ab  .e..............
  00d0: 64 24 ae 48 7c 28 77 db  78 0e a8 b4 a9 32 ff 15  d..H..w.x....2..
  00e0: a0 64 65 18 f3 a3 30 3d  9e ed 8d 29 a4 a0 a1 61  .de...0........a
  00f0: 3b 86 e2 36 dd 4b fc c9  92 36 e4 be 20 89 cc ab  ...6.K...6......
  This is a cert =[
    Version: V3
    Subject: CN=*.pinsprepaid.com, OU=PayGo Web Certificate, O=Test Network,
  L=San Diego, ST=California, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key:  IBMJCE RSA Public Key:
  modulus:
  16285445822297696212633924794811890815794019787240551300464692045229173045293235
  50230392745826419206436177596443014635997679083703668232616210082740759395739089
  19454275822427538242285978316988871614402763162307764241796571858989037339686419
  365958906689885958381857638860003924094925916555184457276424623285201
  public exponent:
  65537
    Validity: [From: Sat Dec 29 20:23:42 PST 2007,
                 To: Fri Dec 24 20:23:42 PST 2027]
    Issuer: CN=*.pinsprepaid.com, OU=PayGo Web Certificate, O=Test Network, L
  =San Diego, ST=California, C=US
    SerialNumber: [10665365584614926415]
  Certificate Extensions: 3
  [1]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: a0 28 c8 12 0d dd 40 13  f5 22 d7 b6 c9 eb 42 ae  ..............B.
  0010: e1 14 66 94                                        ..f.
  [CN=*.pinsprepaid.com, OU=PayGo Web Certificate, O=Test Network, L=San Dieg
  o, ST=California, C=US]
  SerialNumber: [10665365584614926415]
  [2]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:true
  PathLen:2147483647
  [3]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: a0 28 c8 12 0d dd 40 13  f5 22 d7 b6 c9 eb 42 ae  ..............B.
  0010: e1 14 66 94                                        ..f.
    Algorithm: [SHA1withRSA]
    Signature:
  0000: 9c 44 24 18 34 24 f7 74  87 24 96 60 44 83 e8 db  .D..4..t....D...
  0010: 1b ee 83 e9 e1 c3 56 7b  26 2f e3 5a 61 47 89 08  ......V....ZaG..
  0020: ba 90 53 93 bd fa 4b bf  d4 8e d3 f4 73 33 25 88  ..S...K.....s3..
  0030: f1 03 33 03 b8 58 51 7f  d0 e3 6c e5 52 6a 7e 13  ..3..XQ...l.Rj..
  0040: b1 a6 fc 0a 35 0f c1 0f  5f cd 98 e3 15 34 3b 01  ....5........4..
  0050: 4d 97 c4 46 f7 dc 4a 88  ac f8 9a a1 ed d7 2d 62  M..F..J........b
  0060: d8 1b af 22 3c 80 af f1  d5 11 b0 b4 05 c8 31 71  ..............1q
  0070: d5 dd 4a 42 d1 4c 97 f3  18 74 77 5f 0b 9b 10 7d  ..JB.L...tw.....
  This is a cert =[
    Version: V3
    Subject: CN=secure1.galileoprocessing.com, OU=Production, O=Galileo Processing
  Inc., L=West Bountiful, ST=Utah, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key:  IBMJCE RSA Public Key:
  modulus:
  16585272136129690466708620936482853429710701504038078236367586054432000828333691
  71917574804367890152416144664864739837342571709183400677965661645849511638944496
  97747864586117452849688436666474856963873439961969030395107131294137520076094597
  149589721904600686262918653808018055505396653031945227384584896096387
  public exponent:
  65537
    Validity: [From: Mon Jan 14 16:00:00 PST 2008,
                 To: Mon Feb 28 15:59:59 PST 2011]
    Issuer: [email protected], CN=Thawte Premium Server CA, O
  U=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Weste
  rn Cape, C=ZA
    SerialNumber: [165265921466827562370348155546990963259]
  Certificate Extensions: 4
  [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
  AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
  accessLocation: URIName: http://ocsp.thawte.com]]
  [2]: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
  CA:false
  PathLen: undefined
  [3]: ObjectId: 2.5.29.31 Criticality=false
  CRLDistributionPoints [
  1 CRL Distribution Points:
  Distribution Point: [
          Distribution Point Name: [URIName: http://crl.thawte.com/ThawteServerPre
  miumCA.crl]
          Reason Flags: null
          Issuer: null
  [4]: ObjectId: 2.5.29.37 Criticality=false
  ExtKeyUsage [
          1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
    Algorithm: [SHA1withRSA]
    Signature:
  0000: 81 c0 8d bd d5 b7 6f 7f  eb fc 93 33 c3 aa 0d 6f  ......o....3...o
  0010: d9 36 30 c9 af a0 01 a9  dd 75 1a 45 34 60 47 6f  .60......u.E4.Go
  0020: cb 52 65 8c 91 e6 f8 38  91 91 46 00 9f 4d 78 42  .Re....8..F..MxB
  0030: 9f bf 4a 4e ff 63 cb 18  6f 6e 88 26 4e da e0 73  ..JN.c..on..N..s
  0040: ed 49 4a e2 ab dc 01 db  3d fe 4c d7 99 1c 23 23  .IJ.......L.....
  0050: f8 24 54 5b a0 bf 27 57  4c 0a f0 8e 3e 58 3f 5c  ..T....WL....X..
  0060: 03 da 09 0a 29 f2 f5 99  2b b0 da 0e 82 5b 18 cb  ................
  0070: 39 bd 14 91 62 ac 83 8a  b9 b6 8c a4 e0 d9 fd e3  9...b...........
  This is a cert =[
    Version: V3
    Subject: CN=*.questps.com.au, OU=Operations, O=Quest Payment Systems, L=Hawtho
  rn, ST=Victoria, C=AU
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key:  IBMJCE RSA Public Key:
  modulus:
  13927401538401051481741625165099229029681926680820373629686880750356955603275739
  35404946995026390516720126110345930925847480302939279377134754082062263865742071
  20957396443715719965192780351342785833080978234789409963603439531488192089117237
  143472365458965132391280159287801210635522967328773863585549974229739
  public exponent:
  65537
    Validity: [From: Sun Jul 15 23:15:18 PDT 2007,
                 To: Tue Jul 15 23:15:18 PDT 2008]
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    SerialNumber: [506317]
  Certificate Extensions: 5
  [1]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 48 e6 68 f9 2b d2 b2 95  d7 47 d8 23 20 10 4f 33  H.h......G....O3
  0010: 98 90 9f d4                                        ....
  [2]: ObjectId: 2.5.29.31 Criticality=false
  CRLDistributionPoints [
  1 CRL Distribution Points:
  Distribution Point: [
          Distribution Point Name: [URIName: http://crl.geotrust.com/crls/secureca
  .crl]
          Reason Flags: null
          Issuer: null
  [3]: ObjectId: 2.5.29.15 Criticality=true
  KeyUsage [
    DigitalSignature
    Non_repudiation
    Key_Encipherment
    Data_Encipherment
  [4]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 0a 69 ce 61 f9 da 96 c8  b5 f9 36 81 43 f6 75 fb  .i.a......6.C.u.
  0010: e4 14 2f 0e                                        ....
  [5]: ObjectId: 2.5.29.37 Criticality=false
  ExtKeyUsage [
          1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
    Algorithm: [SHA1withRSA]
    Signature:
  0000: 45 66 89 34 af 71 dc b1  fe 20 54 15 54 e8 9e b4  Ef.4.q....T.T...
  0010: 75 da 1c 64 c3 9d e9 d7  91 99 a5 e6 50 88 2f 83  u..d........P...
  0020: cb 14 e5 e1 5a 66 21 68  f3 2b 23 54 61 8e 88 95  ....Zf.h...Ta...
  0030: ec b1 f3 86 d4 c3 3e c2  ee 09 25 78 fa f1 74 dc  ...........x..t.
  0040: a4 d2 73 14 7a 51 f0 82  9e 1f 93 00 f3 f0 94 b5  ..s.zQ..........
  0050: c0 ba 48 9c 86 5f 5b 74  fd 8c 81 83 a7 35 27 cb  ..H....t.....5..
  0060: 31 3b e6 e8 3b b7 3c 26  fb 4e 4d 30 5e 32 e5 da  1........NM0.2..
  0070: 83 e8 8c f9 3e 84 09 04  6d 61 40 ea 08 e7 ff c7  ........ma......
  This is a cert =[
    Version: V1
    Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="
  (c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O
  ="VeriSign, Inc.", C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key:  IBMJCE RSA Public Key:
  modulus:
  22096661060012873855689347974161418916763510073523357926358326864792592503123173
  99490819292635395781267090128441774779218884243225403432375392329269925111338044
  19877348645492891283661498502893173840787837475108926513618176408123228217171508
  48579148188498107741752990085073340007737937361627542392633585717193577428778849
  70689954598075001332363158305018470088291940060537606809254674162830802015825390
  73549038990262947134158436810352799408298755647856794057801047782628775050960576
  78977556854174242282489588564651152454691261263722936464927601734981930340276221
  549179112855447214959676835981467313741947570713364283017
  public exponent:
  65537
    Validity: [From: Thu Sep 30 17:00:00 PDT 1999,
                 To: Wed Jul 16 16:59:59 PDT 2036]
    Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(
  c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O=
  "VeriSign, Inc.", C=US
    SerialNumber: [129520775995541613599859419027715677050]
    Algorithm: [SHA1withRSA]
    Signature:
  0000: 34 26 15 3c c0 8d 4d 43  49 1d bd e9 21 92 d7 66  4.....MCI......f
  0010: 9c b7 de c5 b8 d0 e4 5d  5f 76 22 c0 26 f9 84 3a  .........v......
  0020: 3a f9 8c b5 fb ec 60 f1  e8 ce 04 b0 c8 dd a7 03  ................
  0030: 8f 30 f3 98 df a4 e6 a4  31 df d3 1c 0b 46 dc 72  .0......1....F.r
  0040: 20 3f ae ee 05 3c a4 33  3f 0b 39 ac 70 78 73 4b  .......3..9.pxsK
  0050: 99 2b df 30 c2 54 b0 a8  3b 55 a1 fe 16 28 cd 42  ...0.T...U.....B
  0060: bd 74 6e 80 db 27 44 a7  ce 44 5d d4 1b 90 98 0d  .tn...D..D......
  0070: 1e 42 94 b1 00 2c 04 d0  74 a3 02 05 22 63 63 cd  .B......t....cc.
  0080: 83 b5 fb c1 6d 62 6b 69  75 fd 5d 70 41 b9 f5 bf  ....mbkiu..pA...
  0090: 7c df be c1 32 73 22 21  8b 58 81 7b 15 91 7a ba  ....2s...X....z.
  00a0: e3 64 48 b0 7f fb 36 25  da 95 d0 f1 24 14 17 dd  .dH...6.........
  00b0: 18 80 6b 46 23 39 54 f5  8e 62 09 04 1d 94 90 a6  ..kF.9T..b......
  00c0: 9b e6 25 e2 42 45 aa b8  90 ad be 08 8f a9 0b 42  ....BE.........B
  00d0: 18 94 cf 72 39 e1 b1 43  e0 28 cf b7 e7 5a 6c 13  ...r9..C.....Zl.
  00e0: 6b 49 b3 ff e3 18 7c 89  8b 33 5d ac 33 d7 a7 f9  kI.......3..3...
  00f0: da 3a 55 c9 58 10 f9 aa  ef 5a b6 cf 4b 4b df 2a  ..U.X....Z..KK..
  This is a cert =[
    Version: V3
    Subject: [email protected], CN=Thawte Personal Premium
  CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Wes
  tern Cape, C=ZA
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key:  IBMJCE RSA Public Key:
  modulus:
  14142912792453816926684060849225594563491048166366460724276985519259966555971678
  52869379882523038078369899938721755934187919620921836179968420049065941827306142
  30211575508893419840570952601082644441415731845520305432484883710755881614381726
  656557001768827822997905802020222847103928452492333928687906770815093
  public exponent:
  65537
    Validity: [From: Sun Dec 31 16:00:00 PST 1995,
                 To: Thu Dec 31 15:59:59 PST 2020]
    Issuer: [email protected], CN=Thawte Personal Premium C
  A, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=West
  ern Cape, C=ZA
    SerialNumber: [0]
  Certificate Extensions: 1
  [1]: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
  CA:true
  PathLen:2147483647
    Algorithm: [MD5withRSA]
    Signature:
  0000: 69 36 89 f7 34 2a 33 72  2f 6d 3b d4 22 b2 b8 6f  i6..4.3r.m.....o
  0010: 9a c5 36 66 0e 1b 3c a1  b1 75 5a e6 fd 35 d3 f8  ..6f.....uZ..5..
  0020: a8 f2 07 6f 85 67 8e de  2b b9 e2 17 b0 3a a0 f0  ...o.g..........
  0030: 0e a2 00 9a df f3 14 15  6e bb c8 85 5a 98 80 f9  ........n...Z...
  0040: ff be 74 1d 3d f3 fe 30  25 d1 37 34 67 fa a5 71  ..t....0..74g..q
  0050: 79 30 61 29 72 c0 e0 2c  4c fb 56 e4 3a a8 6f e5  y0a.r...L.V...o.
  0060: 32 59 52 db 75 28 50 59  0c f8 0b 19 e4 ac d9 af  2YR.u.PY........
  0070: 96 8d 2f 50 db 07 c3 ea  1f ab 33 e0 f5 2b 31 89  ...P......3...1.
  This is a cert =[
    Version: V3
    Subject: CN=*.backuppay.com, OU=Comodo PremiumSSL Wildcard, OU=Information Tec
  hnology, O=Mercury Payment Systems, STREET="72 Suttle, Suite 'M'", L=Durango, ST
  =Colorado, POSTALCODE=81303, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key:  IBMJCE RSA Public Key:
  modulus:
  13600061469090500423648422271274026009793773824200084939450792307466414518281905
  78915137508617752173548436692455079898861149850144087985398167558687604694824219
  94042711833635299385450526613233517165581563624887506491771190814673785574365279
  979908619877143128523889569350716633683176043911091941941182416621337
  public exponent:
  65537
    Validity: [From: Thu Feb 01 16:00:00 PST 2007,
                 To: Wed Mar 12 15:59:59 PST 2008]
    Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUS
  T Network, L=Salt Lake City, ST=UT, C=US
    SerialNumber: [291946271077116231447010286015885314245]
  Certificate Extensions: 9
  [1]: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
  CA:false
  PathLen: undefined
  [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
  AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.2
  accessLocation: URIName: http://crt.comodoca.com/UTNAddTrustServerCA.crt, access
  Method: 1.3.6.1.5.5.7.48.2
  accessLocation: URIName: http://crt.comodo.net/UTNAddTrustServerCA.crt]]
  [3]: ObjectId: 2.5.29.15 Criticality=true
  KeyUsage [
    DigitalSignature
    Key_Encipherment
  [4]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: c1 a6 cc 48 48 b5 ed 73  ef 0a cd 2c 29 4c 62 b4  ...HH..s.....Lb.
  0010: d0 ab bf 6e                                        ...n
  [5]: ObjectId: 2.5.29.37 Criticality=false
  ExtKeyUsage [
          1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
  [6]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: a1 72 5f 26 1b 28 98 43  95 5d 07 37 d5 85 96 9d  .r.....C...7....
  0010: 4b d2 c3 45                                        K..E
  [7]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
  NetscapeCertType [
     SSL client
     SSL server
  [8]: ObjectId: 2.5.29.32 Criticality=false
  CertificatePolicies [
  PolicyInformation: [
          CertPolicyId: 1.3.6.1.4.1.6449.1.2.1.3.4
          PolicyQualifiers: [PolicyQualifierInfo: [
  CPSuri: [
          object identifier: 1.3.6.1.5.5.7.2.1
          uri: https://secure.comodo.net/CPS]
  [9]: ObjectId: 2.5.29.31 Criticality=false
  CRLDistributionPoints [
  2 CRL Distribution Points:
  Distribution Point: [
          Distribution Point Name: [URIName: http://crl.comodoca.com/UTN-USERFirst
  -Hardware.crl]
          Reason Flags: null
          Issuer: null
  Distribution Point: [
          Distribution Point Name: [URIName: http://crl.comodo.net/UTN-USERFirst-H
  ardware.crl]
          Reason Flags: null
          Issuer: null
    Algorithm: [SHA1withRSA]
    Signature:
  0000: a6 e4 56 7a 01 79 c3 28  2a b5 ad ae 58 0c 7c de  ..Vz.y......X...
  0010: bc a2 b7 85 e2 98 e1 18  c5 53 9e 20 bf e8 8f f2  .........S......
  0020: 5e cc 1b 8c 86 47 e4 9d  4e 18 16 91 77 c6 05 7f  .....G..N...w...
  0030: d8 50 4b 94 09 8b ff 64  4b 90 8c 64 4a 78 b3 cb  .PK....dK..dJx..
  0040: d0 3f 46 65 e2 38 a3 0f  c5 31 d1 2a c4 37 51 a7  ..Fe.8...1...7Q.
  0050: 9a 47 d6 03 0b 48 50 6c  5a a2 5d 4f af 8f 6a 77  .G...HPlZ..O..jw
  0060: 78 9f 71 a9 c7 8c ae e2  23 f4 2a 4b 48 e0 05 46  x.q........KH..F
  0070: 4a 88 99 5f ca ef 09 95  f7 d4 37 6f 4a 4a 13 86  J.........7oJJ..
  0080: 41 15 74 80 02 a8 02 80  29 fc 6d d6 e0 d3 a2 ad  A.t.......m.....
  0090: d9 4d ec 25 c3 a0 83 26  0f 7f b5 3d 7d 6f 0d 9a  .M...........o..
  00a0: 2e ab f3 cb 8b 5c d0 18  e3 20 bc 22 97 b6 a0 45  ...............E
  00b0: 8a d0 0c f9 d9 1c 77 6e  17 ee 30 8f 5e 9e 7d c1  ......wn..0.....
  00c0: d4 77 44 8e 3a 3a 7f ee  ee e1 7b 1b 32 81 01 a8  .wD.........2...
  00d0: 62 7e 82 55 be 6c 73 d3  12 a4 23 ab b9 ef ad 5a  b..U.ls........Z
  00e0: 73 7b 28 05 37 d9 69 13  8a 7a d4 31 e8 02 39 6f  s...7.i..z.1..9o
  00f0: ac f9 aa 5f b4 ea bd de  87 03 ee fb b0 80 16 49  ...............I
  This is a cert =[
    Version: V3
    Subject: [email protected], CN=64.47.55.17, OU=MI
  S, O=Cabelas Inc, L=Sidney, ST=Nebraska, C=US
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key:  IBMJCE RSA Public Key:
  modulus:
  13768870705676032884943158948133086707130963695630252713762741898658183420051882
  41914160772118669025761340096644368492520897452521291473029710155067231617758619
  45693847182035381145540493930157142197837425711697611478316115600616533780363229
  520298453203636612811789291165305298410647569530743837859826680773901
  public exponent:
  65537
    Validity: [From: Thu Oct 05 08:36:55 PDT 2006,
                 To: Su