SSL private key password

Similar Messages

• Private key password for Default DemoIdentity Keystore?

  Hi
  I am trying to Configure SSL in ALSB. I have created the PKI Credential mapping for the Default DemoIdentity Keystore
  But it is asking for the password to access the Keypair.
  The document states that i need to provide the password set during the creation of the keystore
  but as i am using the default keystore i dont know where to look for the password.
  Error :
  [Security:090809|The key pair could not be retrieved from the keystore with the supplied alias demoidentity and its password
  I tried using the KeyStorePassphrase  but it didnt help me much ..
  Can any one help me on this?
  Regards
  Anusha                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  Jay is right
  To be more precise you can use something like
  keytool -list -keystore ${wl_home}/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrasewhich leads to the following output
  Keystore type: JKS
  Keystore provider: SUN
  Your keystore contains 4 entries
  certgenca, Mar 22, 2002, trustedCertEntry,
  Certificate fingerprint (MD5): 8E:AB:55:50:A4:BC:06:F3:FE:C6:A9:72:1F:4F:D3:89
  wlsdemocanew2, Jan 24, 2003, trustedCertEntry,
  Certificate fingerprint (MD5): 5B:10:D5:3C:C8:53:ED:75:43:58:BF:D5:E5:96:1A:CF
  wlsdemocanew1, Jan 24, 2003, trustedCertEntry,
  Certificate fingerprint (MD5): A1:17:A1:73:9B:70:21:B9:72:85:4D:83:01:69:C8:37
  wlscertgencab, Jan 24, 2003, trustedCertEntry,
  Certificate fingerprint (MD5): A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FEThe following list provides the location and passwords of the demo certificates:
  Trust store location: ${WL_HOME}/server/lib/DemoTrust.jks
  Trust store password: DemoTrustKeyStorePassPhrase
  Key store location: ${WL_HOME}/server/lib/DemoIdentity.jks
  Key store password: DemoIdentityKeyStorePassPhrase
  Private key password: DemoIdentityPassPhrase

• Does WLS 5.1 support private key passwords like WLS 6 does ?

  WebLogic 6.0 supports private key passwords as described here http://e-docs.bea.com/wls/docs60/adminguide/cnfgsec.html#1053139,
  summarized here;
  "When using PKCS-8 encrypted private keys, you need to enable the Use Encrytped
  Keys field on the SSL tab of the Server window in the Administration Console.",
  plus you need to use this diraective -Dweblogic.management.pkpassword=
  I can't find any support for this in WLS 5.1. Does 5.1 support this additional
  level of security ?
  Thanks.

  In order to have the weblogic.mangement.pkpassword stuff work two other things need to have happened first:
  1) you generated a protected private key rather than just a "regular" private key. In the Certificate Servlet this is done by typing characters into the password field of the form to generate the key and
  then later passing those characters to the weblogic.management.pkpassword commandline attribute.
  2) you set the KeyEncrypted attribute in the SSL page in the console
  You can use protected/encrypted private keys or not but you need to make sure that you actually generated an encrypted private key and you've set SSL to use an encrypted private key and told the
  server to start up with an encrypted private key.
  Paul
  On 24 Jul 2001 08:13:06 -0700, [email protected] (David Barrett) wrote:
  Hello Dave,
  Dave here.
  I'm having some problems with the Weblogic SSL installation also. I
  was able to set the weblogic.management.pkpassword, but I am recieving
  the following error when attempting to start the server.
  Jul 23, 2001 1:44:53 PM EDT> <Info> <Logging> <Only log messages of
  severity "Error" or worse will be displayed in this window. This can
  be changed at Admin Console> myserver> Servers> myserverpass> Logging>
  General> Stdout severity threshold>
  <Jul 23, 2001 1:44:57 PM EDT> <Alert> <WebLogicServer> <Security
  configuration problem with certificate file config/myserver/mykey.der,
  java.lang.NullPointerException>
  java.lang.NullPointerException
  at weblogic.security.PKCS5.setPassword(PKCS5.java:173)
  at weblogic.security.RSAPrivateKeyPKCS8.<init>(RSAPrivateKeyPKCS8.java:124)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:387)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)
  Please let me know if you know of any way to fix this issue.
  Best,
  David
  "Dave Javu" <[email protected]> wrote in message news:<[email protected]>...
  WebLogic 6.0 supports private key passwords as described here http://e-docs.bea.com/wls/docs60/adminguide/cnfgsec.html#1053139,
  summarized here;
  "When using PKCS-8 encrypted private keys, you need to enable the Use Encrytped
  Keys field on the SSL tab of the Server window in the Administration Console.",
  plus you need to use this diraective -Dweblogic.management.pkpassword=
  I can't find any support for this in WLS 5.1. Does 5.1 support this additional
  level of security ?
  Thanks.

• Recovering Private Key Password

  I have a customer who is trying to load a private key from a file but can not remember the Private Key password. Does anyone have an idea of what the best way to recover this would be if its possible?

  this is not possible since this is the most important part of the security protocol.
  You have to created a new key and get a new certificate.
  Regards,
  Gilles.

• WebLogic and SSL: supplying private key password upon startup

  Hello,
  Does BEA have an API I can use to customize the WebLogic Server startup? I have
  a password callback function that I would like the WebLogic Server to call when
  it needs the password for decrypting the server certificate private key...
  -- POCO

  nope.. till now..
  thanks
  kiran
  "POC" <[email protected]> wrote in message
  news:3e258885$[email protected]..
  >
  Hello,
  Does BEA have an API I can use to customize the WebLogic Server startup? Ihave
  a password callback function that I would like the WebLogic Server to callwhen
  it needs the password for decrypting the server certificate private key...
  -- POCO

• WBL 7.0 and SSL private key problem

  Having generated certificate request, and associated private key, I obtained
  the corresponding server level certificate. I am having problems starting the
  server with the cert. I have configured my server appropriately, here is the SSL
  configuration from the domain config.xml
  <SSL Enabled="true" HostnameVerificationIgnored="true"
  ListenPort="8090" Name="SampleServer"
  ServerCertificateChainFileName="nasaca.pem"
  ServerCertificateFileName="mydomain-cert.pem"
  ServerKeyFileName="mydomain-key.pem"/>
  and I am using -Dweblogic.management.pkpassword=mypassword
  in the startup script, however I get :
  java.lang.Exception: Cannot read private key from file /usr/user_projects/Sample/mydomain-key.pem.
  Make sure password specified in environment property weblogic.management.pkpassword
  is valid.
  I have given the right password. So the question is why am I seeing the error
  I am running this server on Sun Solaris. The password contains the usual ascii
  characters, including shell special characters.
  Any way checking the private key file ?
  Also as we have seen problems with the particular certificate we get from the
  CA, I wanted to use "utils.ValidateCertChain", alas this documented utility is
  conveniently missing from weblogic.jar. Oh big blue, why didn't we go with you
  Seriously, please help
  Tarang

  Darkit,
  I have the same problem. Let me know if you find a solution to this problem.
  Thanks,
  Bharathi

• Exporting SSL Private Key

  In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
  Since I know of no other way to do get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this, the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?

  I believe you have to run Keychain Access as root to export the private key.
  sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

• Reconver SSL private key?

  I have a bit of a dilemma since I tried to install an SSL certificate on my server that needs intermediate certs. Here's what I did:
  1) In Server Admin, create a new key for my domain and use that key to create a CSR to send to a certificate authority. (This creates a public key, a private key and a self-signed certificate in the system keychain on the server).
  2) Sent the CSR away and got the signed certificate back.
  3) Used Server Admin to add the signed certificate to the existing domain cert (this replaces the self-signed cert). Restart services etc.
  Here's the problem: the cert that I have needs intermediate certs installed in order to be functional- currently the certificate shows as an untrusted authority. If I delete the current certificate in Server Admin to start again from scratch, it will delete the private key that I need to reinstall. I downloaded the intermediate certificates from the CA's website, but now the certificate installed on the server can't be modified. Besides, there is no place to enter the intermediate certificates. My plan was to try to paste all the certs into the box where it asks for the new certificate, but no joy since it is now locked.
  I would like to create a new certificate (there is a place in there to install intermediate certs), but I'll need to get my private key out of Keychain Access into a pem formatted file but I can't seem to get the thing to export.
  Questions:
  1) Is there a way to export a private key from Keychain Access so that it can be used for server admin?
  2) Is there a way to get at this from the command line?
  3) Is there some other procedure that can magically fix this problem?
  Thanks,
  Miles

  Thanks,
  This is the part that I was looking for:
  Launch Keychain Access as root:
  sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &
  I then went here http://www.gridsite.org/wiki/Convert_p12 and converted the p12 to pem so I could use it in server admin.
  Thanks again,
  Miles

• Import an SSL Private Key

  Hello.  Is it possible to export the Private Key from, say, my J2EE engine (I'm running a dual stack) and import it into my ABAP instance so that both systems use the same Private Key?  They both have the same host name.

  I guess its possible. Please correct me if i am wrong.
  Please keep in mind, that simply importing a certificate as a certificate response won't work in this situation, since the public key from your CA and the public key in the individual PSEs already existing on the respective servers won't match.
  following steps all the key pairs and certificates that are currently stored in the SSL Server PSEs on the target systems will be removed. If you want to keep them, you'll need to export them to a safe place.
  Step 1: import the key pair into a PSE
  Since pl.16 of SAPCRYPTOLIB, key pairs given in the format PKCS#12 can be imported into a PSE (note 745063). Since pl.24 of SAPCRYPTOLIB, also the import of key pairs given as PKCS#5, PKCS#8 or OpenSSL-PEM is supported (note 1159829).
  Step 2: import the PSE resulting from Step 1) into the system's database All PSEs that are known to transaction STRUST will be exported from the database and distributed to the application servers at system startup. The related PSE files will be overwritten. So, the PSE resulting from the key pair import in step 1) needs to be imported into the database.
  You'll need to go through a procedure similar to the one described in note 1178155, step 3.
  - Copy the PSE from step 1) to your workstation/PC
  - Start transaction STRUST
  - Doubleclick the "FILE" icon in the navigation area (left hand side)
  - Select the PSE on your workstation/PC
  - Execute the menu item "PSE --> save as..." and choose the SSL Server
  PSE as target. This will save the PSE from step 1 as SSL Server
  standard PSE.
  - The following step is a modification from note 1178155 which is
  only applicable in your special situation: right mouse button click
  on the SSL Server PSE entry in the navigation area. From the context
  menu appearing, select "Change".
  - Remove the distinguished names from all application server specific
  PSEs in the list. Pressing the green tick mark ('save') will remove
  all application server specific SSL Server PSEs, so the system is
  forced to use the SS Server standard PSE instead.
  Don't forget to restart the ICM in order to make your changes become effective.
  Regards,
  Jazz

• SSL Private Key

  Hi,
  I would like to export my Portal private key, so that it can be used for network traffic capture (Wire shark).
  Can anyone point me in the direction as to where this file can be exported.
  Thanks
  Kai
  PS. Points will be awarded.....

  The Path to export the certificate is:
  On the Portal
  System administration -> system configuration -> Keystore administration -> download verify.der file
  Regards,
  Chengappa

• How to install PEM-format SSL private key from weblogic to NES

  I have unexpired PEM-format certificates in my weblogic 8.1sp4 domain. Since the architecture requires us to use Iplanet 6.0sp2 as the http/https server, we have to move the certificates to iplanet side. Is that possible ? Especially the private key ? Iplanet has key8.db format files. How do I install a PEM key in iplanet and store it in key3.db file ? Thanks !

  Hi
  I've already found code to answer my second question, but my first question still remains, is there a way that I can change a Encrypted Private Key Info for PEM to DER format??? I tried to delete the header and footer of some key in PEM format and Base64 decode the body, but It launches a Exception when I'm trying to create the EncryptedPrivateKeyInfo object.
  Thank you

• How to force iOS to ask for S/MIME private key password every time?

  Hi, I am using S/MIME signing and encryption on my iOS devices and I am very surprised that the system does not require password for encrypting, decrypting or signing a message when using my cell phone. Everyone with access to it (be it a thief who saw my unlock code or somebody I know personally) will be able to send/read all encrypted messages. That is a deal breaker for me and I hope I am not the only one.
  So the question is: I need to be asked for a password everytime I (a) read encrypted message, (b) send a signed message or (c) send an encrypted message.
  How can I do that?
  I imported my key via iPhone configuration utility, but I was unable to find an option for that.

  By revealing your unlock code your device is already compromised. Just like revealing your computers login password. Once the computer is compromised, any number of things can be done which render the certificate password useless. Keyloggers can be installed, the kernel can be patched to steal DPAPI keys, etc. Real software companies like Apple and Microsoft don't entertain security through obscurity.

• Two-way SSL: Private key is incorrectly read if the charset is set to UTF8

  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks

  I would suggest posting this to the security newsgroup.
  -- Rob
  Govinda Raj wrote:
  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks

• WLS70 SSL encrypted keys and Certificate Request Generator

  Hi,
  we are trying to certificate our WLS 7.0. We use the Certificate Request Generator
  webapp for generating the request. The generator forces the user to give in a
  private key password. But in the server's SSL config tab the field "Use encrypted
  Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Is this a bug
  in WLS7.0?

  Hi Alain,
  thanks for your workaround. We will check it out ... although I've been instructed
  on the BEA admin trainee to never change config.xml manually :)
  "Alain Hsiung" <[email protected]> wrote:
  Hi Joern
  consider it a bug or not, you can go to the file config.xml and edit
  the
  XML attribute "KeyEncrypted" of the XML element "SSL" to "true".
  Hope this helps.
  Regards
  Alain Hsiung, Ideartis Inc.
  "Joern Wohlrab" <[email protected]> wrote in message
  news:[email protected]..
  Hi,
  we are trying to certificate our WLS 7.0. We use the Certificate RequestGenerator
  webapp for generating the request. The generator forces the user togive
  in a
  private key password. But in the server's SSL config tab the field"Use
  encrypted
  Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Isthis a
  bug
  in WLS7.0?

• Private Key File problem

  I have Weblogic Server Version 6.0. I created Private Key File using Certificate
  Request Generator Servlet. It created the the private key file (.der) file &
  CSR using which I got the Trial Server Certificate from Verisign. I installed
  the certificate (.pem) and configured the server. When I restarted the server
  it gives the following EOFException while reading the Private Key File : (I gave
  the Private Key password while generating the private key file from the servlet)
  <Dec 21, 2001 7:43:08 PM GMT+05:30> <Alert> <WebLogicServer> <Security configura
  tion problem with certificate file config/mydomain/TTI-D066-key.der, java.io.EOF
  Exception>
  java.io.EOFException
  at weblogic.security.Utils.inputByte(Utils.java:133)
  at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
  at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
  at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
  at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:398)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)
  Thanks in advance for any solutions...
  Regards,
  Venkatesan

  Hi,
  please check if you provided the private key password which was used to
  create the file in the following property
  -Dweblogic.management.pkpassword
  on the command line correctly.
  In addition, please check "Use Encrypted Keys" to "true" in <server>->SSL
  tab from the admin console.
  Maria
  Developer Relations Engineer
  BEA Support
  Venkatesan schrieb in Nachricht <3c234536$[email protected]>...
  >
  I have Weblogic Server Version 6.0. I created Private Key File usingCertificate
  Request Generator Servlet. It created the the private key file (.der) file&
  CSR using which I got the Trial Server Certificate from Verisign. Iinstalled
  the certificate (.pem) and configured the server. When I restarted theserver
  it gives the following EOFException while reading the Private Key File : (Igave
  the Private Key password while generating the private key file from theservlet)
  >
  <Dec 21, 2001 7:43:08 PM GMT+05:30> <Alert> <WebLogicServer> <Securityconfigura
  tion problem with certificate file config/mydomain/TTI-D066-key.der,java.io.EOF
  Exception>
  java.io.EOFException
  at weblogic.security.Utils.inputByte(Utils.java:133)
  at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
  at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
  at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
  at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:398)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)
  Thanks in advance for any solutions...
  Regards,
  Venkatesan