SSL CertGen & Private key import errors - 7.0

Similar Messages

• A fatal error when attempting to access the SSL server credential private key. Error code 0x8009030d. Windows 8.1.

  Hi,
  We develop a server-side application which receives incoming https connections using self-signed certificate. It was all ok while we were using Windows 7 or Windows 2008 as OS, but when our clients started installing Windows 8 as server OS they encountered
  big problem: application got unavailable in few hours after start. 
  In event logs we have following:
  A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
  After restart, application recreates certificate and all works normal few hours till next fatal error.
  This
  article did not help us. And I repeat that this error appears only on Windows 8 (we tested on Windows 8.1). Windows 2012 Server we did not test yet.
  How we can solve this problem?
  Best regards.

  Hi,
  Since this article released in 2008,I suspect the code mentioned in this article doesn't  supprot Windows 8.
  And since the certificate was written by C#,I suggest you submit a new case on MSDN Forum as they will be more professional on your issue:
  https://social.msdn.microsoft.com/Forums/en-US/home
  Regards,
  Kelvin hsu
  TechNet Community Support

• Private key import via ImportPrivateKey

  I used the Certificate web app included with WLS 7.0 SP1 to generate my private
  key and my CSR. I then used the CSR to request a certificate from my Dept. of
  Defense Certificate Authority. I received my certificate. I then tried to use
  the WLS ImportPrivateKey utility to import my key with the following steps as
  shown in the ImportPrivateKey reference example.
  1) I used keytool -printcert to verify the contents of my servercert.pem file
  and my CAcert.pem file.
  2) I combined the certificate returned for my server with the CA's root certificate
  cat servercert.pem CAcert.pem > combined.pem
  3) I converted my private key file produced by the Certificate web app to pem
  format using the WLS der2pem utility
  4) I ran the Import utility
  java utils.ImportPrivateKey serverkey.jks store_pwd key_alias key_pwd combined.pem
  server_private_key.pem.
  I received the following error.
  ImportPrivateKey will create serverkey.jks
  ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
  ASN.1 tag
  java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
  at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
  Source)
  at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
  Source)
  at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
  at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
  at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
  Does anyone have an idea where I went wrong? Can anyone offer an explanation?
  Thanks

  "Mallik" <[email protected]> wrote in message
  news:3f3274e9$[email protected]..
  >
  I am trying to install weblogic generated ssl certificate and because theprivate
  key needs to be encrypted with a password, i am loading this in a new JDKkeystore
  and trying to configure WL.
  I am running utils.CertGen from weblogic 7.0 sp3 on XP.
  X:\SSLTest>java utils.CertGen testpassword testcert testkey
  Creating Domestic Key Strength - 1024
  ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
  Encoding
  Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
  in hostnames.

• SSL & generated private key

  I generated a CSR with the certificate servlet. I modified
  config.xml in order to set the right files :
  <SSL Enabled="true" ListenPort="7002" Name="test2" ServerCertificateChainFileName="config/mydomain/cacrt.pem"
  ServerCertificateFileName="config/mydomain/servercert.pem"
  ServerKeyFileName="config/mydomain/serverkey.der"/>
  The serverkey.der is a copy of the file generated by the
  certificate servlet.
  At startup the following error occurs :
  <30 juil. 01 20:23:26 CEST> <Alert> <WebLogicServer> <Security configuration problem
  with certificate file config/mydomain/serverkey.der, java.io.EOFException>
  java.io.EOFException
  at weblogic.security.Utils.inputByte(Utils.java:133)
  at weblogic.security.ASN1.ASN1Header.inputTag ASN1Header.java:125)
  at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
  at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
  at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1028)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
  at weblogic.Server.main(Server.java:35)
  More over the conversion of the serverkey.der in serverkey.pem
  with openssl gives the following error :
  openssl rsa -in serverkey.der -outform PEM -out serverkey.pem
  read RSA key
  unable to load key
  1276:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib
  .c:662:Expecting: ANY PRIVATE KEY
  and reading the file by the default W2K reader gives an error too.
  Need help !

  Agree with S Guna, the ISP/Certificate Authority won't generate the private key, the request from your Lync server does.  So the private key is already sitting on your Lync 2010 Server.  Once you import the certificate generated by the certificate
  authority, the private key and certificate should be paired and can be assigned to Lync.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• WebLogic and SSL: supplying private key password upon startup

  Hello,
  Does BEA have an API I can use to customize the WebLogic Server startup? I have
  a password callback function that I would like the WebLogic Server to call when
  it needs the password for decrypting the server certificate private key...
  -- POCO

  nope.. till now..
  thanks
  kiran
  "POC" <[email protected]> wrote in message
  news:3e258885$[email protected]..
  >
  Hello,
  Does BEA have an API I can use to customize the WebLogic Server startup? Ihave
  a password callback function that I would like the WebLogic Server to callwhen
  it needs the password for decrypting the server certificate private key...
  -- POCO

• NAC and SSL - fails to import password protected private key

  I am attempting to import an SSL certificate on my CCA Manager and Server. I purchased a wild card SSL cert *.domain.com. The private key used to generate the certificate was created on an Cisco ACS 3.2 server and has a password. When attempting to import the private key into the CCA Manager the browser times out and no error is reported.
  My guess is that it is waiting for the password to allow access to the private key. Unfortunately there is no place on the form and no pop-up to enter the password.
  Is there a command line option for importing a private key that may work for me?
  Thanks
  Sherm

  The best Possible way is to generate a CSR from the CCA server and then purchase a certificate using that CSR. Then you dont have problems with private keys.
  Regards
  sathappan

• Import an SSL Private Key

  Hello.  Is it possible to export the Private Key from, say, my J2EE engine (I'm running a dual stack) and import it into my ABAP instance so that both systems use the same Private Key?  They both have the same host name.

  I guess its possible. Please correct me if i am wrong.
  Please keep in mind, that simply importing a certificate as a certificate response won't work in this situation, since the public key from your CA and the public key in the individual PSEs already existing on the respective servers won't match.
  following steps all the key pairs and certificates that are currently stored in the SSL Server PSEs on the target systems will be removed. If you want to keep them, you'll need to export them to a safe place.
  Step 1: import the key pair into a PSE
  Since pl.16 of SAPCRYPTOLIB, key pairs given in the format PKCS#12 can be imported into a PSE (note 745063). Since pl.24 of SAPCRYPTOLIB, also the import of key pairs given as PKCS#5, PKCS#8 or OpenSSL-PEM is supported (note 1159829).
  Step 2: import the PSE resulting from Step 1) into the system's database All PSEs that are known to transaction STRUST will be exported from the database and distributed to the application servers at system startup. The related PSE files will be overwritten. So, the PSE resulting from the key pair import in step 1) needs to be imported into the database.
  You'll need to go through a procedure similar to the one described in note 1178155, step 3.
  - Copy the PSE from step 1) to your workstation/PC
  - Start transaction STRUST
  - Doubleclick the "FILE" icon in the navigation area (left hand side)
  - Select the PSE on your workstation/PC
  - Execute the menu item "PSE --> save as..." and choose the SSL Server
  PSE as target. This will save the PSE from step 1 as SSL Server
  standard PSE.
  - The following step is a modification from note 1178155 which is
  only applicable in your special situation: right mouse button click
  on the SSL Server PSE entry in the navigation area. From the context
  menu appearing, select "Change".
  - Remove the distinguished names from all application server specific
  PSEs in the list. Pressing the green tick mark ('save') will remove
  all application server specific SSL Server PSEs, so the system is
  forced to use the SS Server standard PSE instead.
  Don't forget to restart the ICM in order to make your changes become effective.
  Regards,
  Jazz

• SChannel error- The SSL server credential's certificate does not have a private key information property attached to it.

  We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working and we are now getting SChannel errors Event ID 36869. There were no changes made
  to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times but the error does not go away and AD Sync with the vendor
  fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the S Channel event 36869 "The SSL server credential's certificate does
  not have a private key information property attached to it"  There is no software firewall set on the DC. When I run Certutil -VerifyStore MY  it shows the current certificates as well as the revoked and expired certificates
  correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the
  FQDN is correct, Private key is not exportable and it ends with Certificate is Valid. I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to
  expire after the public cert but that does not make a lot of sense when in a situation like this the private cert is of course newer than the public. In fact it is too early to renew the public cert. I have been troubleshooting this for a few days and at this
  point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly
  appreciated.

  Hi,
  Have you tried this?
  How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
  http://support.microsoft.com/kb/889651
  Best Regards,
  Amy

• Exporting SSL Private Key

  In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
  Since I know of no other way to do get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this, the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?

  I believe you have to run Keychain Access as root to export the private key.
  sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

• Private Key Not Found Error in Ldaps

  Hi,
  I am facing "Private Key Not Found" Error in ldaps. The key and the SSL certificate is stored under the same location. The certificate is self signed certificate and in .pem format. When I am trying to install the certifcate through SUN ONE Console it throws the following error
  "Either this certificate is for another server, or this certificate was not requested using this server".
  can any one help me in this regard.
  Regards
  Senthil
  Edited by: senlog80 on Dec 30, 2008 3:18 AM

  Or even better, check the note <a href="https://websmp110.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=924320&_NLANG=E">924320</a>.
  <b>Symptom</b>:
  When you execute a query with virtual characteristics or key figures, the system issues the following error message:
  Object FIELD I_S_DATA-<key figure> not found
  <b>Other terms</b>
  RSR00002, RSR_OLAP_BADI
  <b>Reason and Prerequisites</b>
  This problem is caused by a program error.
  <b>Solution</b>
  If the virtual characteristics or key figures are implemented using the enhancement RSR00002 (CMOD), implement the corrections.
  If the virtual characteristics or key figures were created directly as implementations of the RSR_OLAP_BADI BAdI, compare the source code of the INITIALIZE method with the corresponding source code example. During the call of GET_FIELD_POSITIION_D, <L_S_SK>-VALUE_RETURNNM must be transferred instead of <L_S_SFK>-KYFNM.
  Import Support Package 08 for SAP NetWeaver 2004s BI (BI Patch 08 or SAPKW70008) into your BI system. The Support Package is available when Note 0872280"SAPBINews BI 7.0 Support Package 08", which describes this Support Package in more detail, is released for customers.
  In urgent cases, you can use the correction instructions.
  To provide advance information, the note mentioned above may be available before the Support Package is released. In this case, the short text of the note still contains the words "Preliminary version".
  Assign pts if helpful.

• Cisco ACE key.pem import error

  Hi
  after extracting the Cert.pem and Key.pem from the PXF file.
  i am get the following error trying to import the Key.pem file to the ACE
  ENG-CTN-ACE01/Admin# crypto import tftp 10.3.31.249 key5.pem key5
  Trying to connect to tftp server......
  TFTP get operation was successful
  3294 bytes copied
  Successfully imported file from remote server.
  Error: File not of supported key or certificate type - RSA,  import failed.
  ENG-CTN-ACE01/Admin#
  * i have decrypted the key.pem and tried adding the key manually with crypto import terminal command but still getting the same error.
  can you please assist as want am i doing wrong.
  the cert has been uploaded successfully.
  Filename                                 File  File    Expor      Key/
                                           Size  Type    table      Cert
  cisco-sample-cert                        1082  PEM     Yes        CERT
  cisco-sample-key                         887   PEM     Yes         KEY
  wildcard-20140102.cer                    1459  DER     Yes        CERT
  Thanks
  rayyaan

  HI Rayyaan,
  This is a key which you cannot share so that i can try here on my and see what is going on so i would suggested contacting your CA vendor and ask them to provide the key and cert in PEM format. Once you have that try it again. That's all i guess we can do here or you can open a TAC case and see what is going on. If the key is in PEM format ACE shouldn't have any problem in accepting it.
  From user guide:
  Importing Certificate and Key Pair Files
  The ACE supports the importation of PEM-encoded key pairs and certificates (including wildcard certificates) signed by keys. The ACE allows a maximum public key size of 4096 bits. The maximum private key size is 2048 bits.
  You can import a certificate or key pair file to the ACE from a remote server by using the crypto import command in Exec mode. You can import either individual certificates and keys or multiple certificates and keys. Because a network device uses its certificate and corresponding public key together to prove its identity during the SSL handshake, be sure to import both the certificate file and its corresponding key pair file.
  The ACE supports the importation of PEM-encoded SSL certificates and keys with a maximum line width of 130 characters using the terminal. If an SSL certificate or key is not wrapped or it exceeds 130 characters per line, use a text editor such as the visual (vi) editor or Notepad to manually wrap the certificate or key to less than 130 characters per line. Alternatively, you can import the certificate or key by using SFTP, FTP, or TFTP with no regard to line width
  Regards,
  Kanwal

• SSL private key password

  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the same
  SSL certificate. By defaul the private key is not encrypted with password
  (SSL.KeyEncrypted = false by default, according to the documentations) in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key from file
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure password specified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is the same
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

  Thanks Tony - it worked!!
  "Tony" <TonyV> wrote in message news:[email protected]...
  It may be because the private key is both unprotected and in DER format.
  There are some things to try:
  1) Convert the private key file from a DER file to a PEM file and try
  that:
  a) Follow the for converting an unprotected private key at:
  http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
  b) Look at the resulting PEM file, it should look something like
  this:
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
  (Be sure there is no extra lines or whitespace after thefooter)
  >
  c) Change your configuration to point at the PEM file
  If that doesn work, then you can try protecting the key with apassword
  using
  the wlkeytool utility (It should be in the server/bin directory). The
  tool should prompt
  for a password to use to protect it:
  wlkeytool inputkey.pem outputkey.pem
  Then change your configuration to use the protected private key, andset
  the passwod to use.
  Tony
  "Makoto Suzuki" <[email protected]> wrote in message
  news:[email protected]...
  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the
  same
  SSL certificate. By defaul the private key is not encrypted withpassword
  (SSL.KeyEncrypted = false by default, according to the documentations)in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script resultsthe
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key fromfile
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword
  is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure passwordspecified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true
  and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is thesame
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

• Private key error

  I used the certificate app to create a Private Key file (in .der format)
  and a .pem request.
  But when I specify it in the SSL section and reatsrt the server I get an
  error message:
  Any Ideas ?
  Also When I double click the .der file even Windows says its an "Invalid
  Security Certificate File"
  WLS 6.1 SP3
  Also I think the error is deceiving since the file is present in the
  directory referred by WLS
  Thanks in advance
  N Rao
  <Oct 9, 2002 11:31:57 AM CDT> <Notice> <WebLogicServer> <Starting WebLogic
  Admin
  Server "myserver" for domain "mydomain">
  <Oct 9, 2002 11:31:57 AM CDT> <Alert> <WebLogicServer> <Security
  configuration p
  roblem with certificate file
  C:/bea/wlserver6.1/config/mydomain/MY-WKS-key.der
  , java.lang.Exception: Required file
  C:/bea/wlserver6.1/config/mydomain/MY-WKS
  -key.der which is specified by ServerKeyFileName, was not found>
  java.lang.Exception: Required file
  C:/bea/wlserver6.1/config/mydomain/MY-WKS-k
  ey.der which is specified by ServerKeyFileName, was not found
  at
  weblogic.t3.srvr.SSLListenThread.resolvePropertyFromLocalFile(SSLList
  enThread.java:154)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:386)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1097)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:490)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:206)
  at weblogic.Server.main(Server.java:35)
  <Oct 9, 2002 11:32:08 AM CDT> <Notice> <Management> <Application Poller not
  star
  ted for production server.>
  <Oct 9, 2002 11:32:57 AM CDT> <Notice> <WebLogicServer> <ListenThread
  listening

  I got the problem.
  I simply created a new request thru the 'certificate' app and got a new
  trial id and it worked !
  Regards,
  "Naggi" <[email protected]> wrote in message
  news:[email protected]...
  Also , password for PKCS-8 encryption was left blank in the certificateapp
  >
  >
  >
  I was very interested to see your advertisement for a Senior Software
  Engineer. I have been seeking just such an opportunity as
  this, and I think my background and your requirements may be a good match.
  My resume is enclosed for your review.
  Thank you for your attention to these materials. I certainly look forwardto
  exploring this further.
  Yours truly,
  Nagraj C Rao
  "Naggi" <[email protected]> wrote in message
  news:[email protected]...
  I used the certificate app to create a Private Key file (in .der format)
  and a .pem request.
  But when I specify it in the SSL section and reatsrt the server I get an
  error message:
  Any Ideas ?
  Also When I double click the .der file even Windows says its an "Invalid
  Security Certificate File"
  WLS 6.1 SP3
  Also I think the error is deceiving since the file is present in the
  directory referred by WLS
  Thanks in advance
  N Rao
  <Oct 9, 2002 11:31:57 AM CDT> <Notice> <WebLogicServer> <Starting
  WebLogic
  Admin
  Server "myserver" for domain "mydomain">
  <Oct 9, 2002 11:31:57 AM CDT> <Alert> <WebLogicServer> <Security
  configuration p
  roblem with certificate file
  C:/bea/wlserver6.1/config/mydomain/MY-WKS-key.der
  , java.lang.Exception: Required file
  C:/bea/wlserver6.1/config/mydomain/MY-WKS
  -key.der which is specified by ServerKeyFileName, was not found>
  java.lang.Exception: Required file
  C:/bea/wlserver6.1/config/mydomain/MY-WKS-k
  ey.der which is specified by ServerKeyFileName, was not found
  at
  weblogic.t3.srvr.SSLListenThread.resolvePropertyFromLocalFile(SSLList
  enThread.java:154)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:386)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
  atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1097)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:490)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:206)
  at weblogic.Server.main(Server.java:35)
  <Oct 9, 2002 11:32:08 AM CDT> <Notice> <Management> <Application Pollernot
  star
  ted for production server.>
  <Oct 9, 2002 11:32:57 AM CDT> <Notice> <WebLogicServer> <ListenThread
  listening

• WBL 7.0 and SSL private key problem

  Having generated certificate request, and associated private key, I obtained
  the corresponding server level certificate. I am having problems starting the
  server with the cert. I have configured my server appropriately, here is the SSL
  configuration from the domain config.xml
  <SSL Enabled="true" HostnameVerificationIgnored="true"
  ListenPort="8090" Name="SampleServer"
  ServerCertificateChainFileName="nasaca.pem"
  ServerCertificateFileName="mydomain-cert.pem"
  ServerKeyFileName="mydomain-key.pem"/>
  and I am using -Dweblogic.management.pkpassword=mypassword
  in the startup script, however I get :
  java.lang.Exception: Cannot read private key from file /usr/user_projects/Sample/mydomain-key.pem.
  Make sure password specified in environment property weblogic.management.pkpassword
  is valid.
  I have given the right password. So the question is why am I seeing the error
  I am running this server on Sun Solaris. The password contains the usual ascii
  characters, including shell special characters.
  Any way checking the private key file ?
  Also as we have seen problems with the particular certificate we get from the
  CA, I wanted to use "utils.ValidateCertChain", alas this documented utility is
  conveniently missing from weblogic.jar. Oh big blue, why didn't we go with you
  Seriously, please help
  Tarang

  Darkit,
  I have the same problem. Let me know if you find a solution to this problem.
  Thanks,
  Bharathi

• SSL: how to use Multiple Private key/Certificate pair for authentication.

  Hi all,
  i am implementing SSL in java using X509 Certificate/private key combination.
  i have two set of private key/certificate pair.
  one is factory default and another is generated at run time.
  my problem is to try ssl connection with both pairs on same tcp/ip connection.
  e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
  on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
  can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
  Thanks In Advance
  Saurabh Ahuja

  Client code does not contain any default truststore and needs a certificate for authentication.Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
  It's like this. The idea of PKI with SSL is as follows:
  - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
  - the client has a truststore that trusts the server, one way or the other, see above.
  - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
  - the server sends its cert to the client along with a digital signature signed by its private key.
  - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
  At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
  If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
  You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.