Subject Key Identifier of x509 v3 certificate

Hi everyone,
I have the following code I am using to extract the Subject Key Identifier from an X509 certificate:
byte[] subjectKeyIdentifier =
cert.getExtensionValue("2.5.29.14");
This returns the DER-encoded octet string. However, I want the octet string excluding the encoding of the octet string prefix... How do I know the exact length of the prefix?
appreciate any help,
--Manveen

If you use the BouncyCastle provider you can take advantage of the classes in the org.bouncycastle.asn1 package.
import java.io.ByteArrayInputStream;
import org.bouncycastle.asn1.ASN1InputStream;   // replaces the old DERInputStream
import org.bouncycastle.asn1.ASN1OctetString;
byte[] outer = cert.getExtensionValue("2.5.29.14");   // the extnValue OCTET STRING
ASN1InputStream dis = new ASN1InputStream(new ByteArrayInputStream(outer));
ASN1OctetString oc = (ASN1OctetString) dis.readObject();
// its content is the DER KeyIdentifier OCTET STRING, so decode once more to get the raw identifier
byte[] inner = ((ASN1OctetString) new ASN1InputStream(oc.getOctets()).readObject()).getOctets();
If you want to use that in a certpath check or validation you might check posts like
http://forums.java.sun.com/thread.jspa?threadID=633098

Similar Messages

  • Subject Key Identifier (SKI) changed after RootCA upgrade

    Hello,
    I have a RootCA running Windows 2003 ENT SP2 and I made an upgrade to a new machine (newer HW) and Windows 2008 R2. The original RootCA was configured with an HSM, so the backup CA is not an option for me since the keys cannot be exported (I don't have a .p12 file).
    I exported the HSM settings together with the keys (HSM vendor's procedure) and during the CA setup wizard I select the option "Use existing private key" and then "Select an existing private key on this computer". Then I click on "edit", select the correct CSP (the one from the HSM) and click on "Search". The private key appears immediately, I select it and I keep going with the installation. It all goes smoothly and CA services are correctly installed.
    The problem is that the SKI of the new CA certificate does not match the SKI of the original CA certificate; it is changed somehow during the installation.
    I have performed the same test, but migrating to another Windows 2003 server, and the SKI is kept exactly the same, there is no difference (maybe the way the SKI is generated is different from Windows 2003 to 2008).
    My applications communicate with each other using this SKI, so replacing it everywhere is something that I don't want to consider.
    Does somebody know if it is possible to force this setting to be kept?
    Thanks in advance
    Best regards

    Hi Vadims,
    Thanks for your reply. I have been playing a bit with openssl and a CA certificate, and in the meantime I solved the issue, and this is what I "guess" or what I understand from it:
    1) If you install CA services and use the options: select an existing key --> select a certificate --> then you will have to choose a p12 file which contains both (public and private key) and will use both values to generate a NEW certificate, but it will NOT generate the SKI value, it will just use the one from the p12 file. That is why the SKI does not change if you use this option.
    2) I am using an HSM and the private key is stored there and cannot be exported, so I cannot generate a p12 file; in that case I have the other option in the wizard: select an existing key --> use an existing key.... Then I can choose the correct private key from the HSM once I select the correct CSP... And then the fun begins:
    3) According to the RFC:
    For CA certificates, subject key identifiers SHOULD be derived from
       the public key or a method that generates unique values.  Two common
       methods for generating key identifiers from the public key are:
          (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
          value of the BIT STRING subjectPublicKey (excluding the tag,
          length, and number of unused bits).
          (2) The keyIdentifier is composed of a four bit type field with
          the value 0100 followed by the least significant 60 bits of the
          SHA-1 hash of the value of the BIT STRING subjectPublicKey
          (excluding the tag, length, and number of unused bit string bits).
    4) After all my openssl adventure, it all came down to 2 files containing the public key and the BIT STRING of the public key. I opened them both and I confirmed that for the SKI generated on the Windows 2008 machine, the method used to calculate the SKI is using the BIT STRING (option (1) from the RFC).
    While for the SKI generated on the Windows 2003 machine, the method is: ???????
    What I think is that from Windows 2003 to Windows 2008 the certificate services changed the way they calculate the SKI.
    First they were maybe doing a SHA1 of the whole public key and now they are using a SHA1 of only the bitstring of the public key, which is more similar to what is said in the RFC (point 1)).
    Then I started to look if there was a way to change this, and....
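An added example, not code from either thread, covering both the prefix-length question in the first post and the two RFC key-identifier methods quoted above: it walks the DER tag/length prefix of the bytes getExtensionValue("2.5.29.14") returns, unwraps both OCTET STRING layers, and computes the method (1) and method (2) identifiers from a SubjectPublicKeyInfo. Python is used so the byte walk is explicit; the sample key is constructed with a 64-bit modulus purely to illustrate the structure and is not a usable key.

```python
import hashlib


def der_read_tlv(buf: bytes, offset: int = 0):
    """Return (tag, header_len, content) for the DER TLV that starts at offset.

    header_len is the prefix length asked about in the first thread: 1 tag byte
    plus 1 length byte when the length is < 128 (short form), or 1 + 1 + n bytes
    when the first length byte is 0x80 | n (long form, n length octets follow).
    """
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:                      # short form: this byte is the length
        length, header_len = first, 2
    else:                                 # long form: 0x81 -> 1 octet, 0x82 -> 2 octets, ...
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        if offset + 2 + n > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
        header_len = 2 + n
    start = offset + header_len
    if start + length > len(buf):
        raise ValueError("content runs past the end of the buffer")
    return tag, header_len, buf[start:start + length]


def ski_from_extension_value(ext_value: bytes) -> bytes:
    """Strip both OCTET STRING layers from what getExtensionValue("2.5.29.14") returns.

    The raw value is the extnValue OCTET STRING; for this extension its content is
    the DER-encoded KeyIdentifier, itself an OCTET STRING, so two unwraps are needed.
    """
    tag, _, inner = der_read_tlv(ext_value)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING (0x04), got 0x%02x" % tag)
    tag, _, key_id = der_read_tlv(inner)
    if tag != 0x04:
        raise ValueError("expected inner OCTET STRING (0x04), got 0x%02x" % tag)
    return key_id


def subject_public_key_bits(spki: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING content without tag, length and the
    unused-bits octet: exactly the input RFC 5280 hashes for a key identifier."""
    tag, _, seq = der_read_tlv(spki)                       # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_hdr, alg = der_read_tlv(seq)                    # algorithm AlgorithmIdentifier
    tag, _, bits = der_read_tlv(seq, alg_hdr + len(alg))   # subjectPublicKey BIT STRING
    if tag != 0x03 or not bits:
        raise ValueError("subjectPublicKey must be a non-empty BIT STRING")
    if bits[0] != 0:
        raise ValueError("a public key BIT STRING should have no unused bits")
    return bits[1:]


def key_identifier_method1(spki: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): the full 160-bit SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()


def key_identifier_method2(spki: bytes) -> bytes:
    """Method (2): 4-bit type field 0100 followed by the least significant 60 bits of that SHA-1."""
    digest = hashlib.sha1(subject_public_key_bits(spki)).digest()
    low60 = int.from_bytes(digest, "big") & ((1 << 60) - 1)
    return ((0b0100 << 60) | low60).to_bytes(8, "big")


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms) used to build the samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


# Constructed sample SubjectPublicKeyInfo: an RSA key with a 64-bit modulus, far too
# small to be a real key; it exists only so the DER structure can be walked.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")      # 1.2.840.113549.1.1.1
SAMPLE_RSA_PUBLIC_KEY = der_encode(
    0x30,                                                          # RSAPublicKey ::= SEQUENCE
    der_encode(0x02, (0xC9A713B55E210F6D).to_bytes(9, "big"))      # modulus, leading 0x00 keeps it positive
    + der_encode(0x02, bytes([0x01, 0x00, 0x01])),                 # publicExponent 65537
)
SAMPLE_SPKI = der_encode(
    0x30,
    der_encode(0x30, RSA_ENCRYPTION_OID + bytes([0x05, 0x00]))     # rsaEncryption, NULL parameters
    + der_encode(0x03, b"\x00" + SAMPLE_RSA_PUBLIC_KEY),           # BIT STRING, 0 unused bits
)

# The bytes getExtensionValue("2.5.29.14") would return for a certificate carrying a
# method (1) SKI of this key: 04 16 04 14 followed by the 20-byte identifier.
SAMPLE_EXTENSION_VALUE = der_encode(0x04, der_encode(0x04, key_identifier_method1(SAMPLE_SPKI)))

if __name__ == "__main__":
    print("prefix length of the outer OCTET STRING:", der_read_tlv(SAMPLE_EXTENSION_VALUE)[1])
    print("SKI, method (1):", ski_from_extension_value(SAMPLE_EXTENSION_VALUE).hex())
    print("SKI, method (2):", key_identifier_method2(SAMPLE_SPKI).hex())
```

Comparing ski_from_extension_value() of a CA certificate against the keyIdentifier in a subordinate's Authority Key Identifier is the same check Elke suggests further down for the CERT_TRUST_IS_NOT_SIGNATURE_VALID case.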

  • Root CA and Authority Key Identifier

    We are in the process of migrating our AD CS servers to Windows 2012 R2 and at the same time changing the algorithm to SHA256 with key length of 4096 bits.
    Is it possible to have the Authority Key Identifier (AKI) included in the root certificate?

    AKI is not necessary in the root certificate as it will match SKI (Subject Key Identifier). Why waste certificate size?
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

  • IPhone Mail app; IMAP; x509 client certificate?

    The title says it all really.
    I have an x509 client certificate happily installed in my iPhone's keychain. This certificate works correctly in Safari, allowing access to sites which demand it. When I try to collect mail from an IMAP server which also requires a client certificate, it doesn't work.
    As far as I can work out, the Mail app is not sending my client certificate when the server requests it to do so. Is this true? Is there a way to configure the Mail app to respond correctly to the server's client certificate request? Any pointers or information welcome!

    I think so.
    Actually I think I need to get the App Password for Mail on my phone. It generates the app password and I enter it into the password field in the gmail setup for Mail.
    The problem is that when I hit next on that page, I get the message:
    "my name is already added" and I cannot proceed.
    Before doing this setup I deleted my gmail account by tapping the email address and hitting delete in the Mail, Contacts and Calendars setup,
    but there is something hiding in my iPhone that remembers my old gmail password (I guess) and doesn't let me proceed.
    If I enter my gmail iChain password I get the same thing.
    If I do this in airplane mode (no connection to google) I also get the same.
    I talked to an Apple Care person who had me reset all my settings... still the same thing.
    I am trying to avoid a full reset of the iPhone, but that may be in the cards.
    Going to go to the Apple store and ask there, but I am not hopeful.
    Barry

  • JWSDP 1.4 accepts only X509 v3 certificates?

    Hi!
    The sample keys and demos supplied with JWSDP 1.4 worked fine for me. I tried generating my own keys to use with SOAP encryption and I got the following exception:
    java.rmi.RemoteException: Expected Version 3 Certificate, found Version 1; nested exception is:
    com.sun.xml.wss.SecurityTokenException: Expected Version 3 Certificate, found Version 1
    I checked keytool's doc and it says that it can only generate v1 certificates (it is able to handle v1 through v3).
    Has anyone any suggestions as to what would be the easiest way to solve this (either by generating v3 certs easily or by forcing JWSDP to accept v1 certs)?
    Rgs,
    Panu

    I'll answer myself in case anyone else encounters the same problem: JWSDP 1.4 (or WSS to be more specific) indeed requires X509 v3 certs and keytool does not generate that version.
    One has to use other tools to generate them, for example openssl. After that Sun's pkcs12import is used to make them understood by the Java environment.

  • X509 encoded certificate   - is it really ASN.1?

    I can get a good Certificate from encoded bytes bcert:
    import java.io.ByteArrayInputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    ByteArrayInputStream bis = new ByteArrayInputStream(bcert);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(bis);
    My question: is an encoded certificate (e.g. bcert) good ASN.1?
    I can't decode with marben nor with codec.sourceforge.
    Am I wasting my time looking for an ASN.1 decoder? Anyway, Java decodes the bytes to a certificate just fine.

    I am giving up looking for ASN.1 decoders.
    marben does NOT decode, codec.sourceforge does NOT decode, ViewBer does NOT decode.
    I guess I ought to look for DER decoders.
    ASN1VE thinks it has decoded, but gives the final element as a bitstring 1022 which you might think was the public key, except it isn't,
    and I believe the last item is 2.5.29.19 BasicConstraints 0402300 (java says so, and 0402300 << 2 = 1008C00 whereas my encoded ends in ...C08C0; notice some matching bits?)
    I've been waiting since the 90's for X509 to get rational.
    Thanks Almighty that Java at least has come to the party.
    PS
    ASN1VE does display some objects which java says are CN C L O OU et al,
    so it's not totally useless - maybe it has a DER switch?
    Edited by: 915773 on 14-Mar-2012 20:46

  • X509 RFC3820 Certificates

    Hi,
    I have used X509 certificates in conjunction with SAP web applications a number of times and have had little problem in getting them to work; however, I have come across a scenario whereby we now need to use X509 RFC3820 certificates. They differ in that it is signed by the end-entity certificate and not by the certificate authority (CA). Usually the proxy cert is presented along with the end-entity (vanilla) X.509 certificate and the chain is used for authentication as opposed to just the vanilla certificate.
    Details of the standard are here http://www.ietf.org/rfc/rfc3820.txt
    Does anyone know if these can be used in conjunction with SAP? Or what changes to the standard X509 certificate setup would be needed
    Kind regards
    Richard

    Hi Rich,
    just install the proxy cert(s) into the SAP system.
    regards,
    Patrick

  • CWMS hostnames are not treated as valid subject alternate names for a public certificate

    Hi,
    I have a problem getting a public certificate for my CWMS Server 2.0.
    fqdn for public vip is "meet.company.de"
    But the fqdn hostnames for admin and media vm are "admin.company.corp"
    The public certification authority does not accept our CSR because the Subject Alternate Name xxxx.company.corp is not valid.
    Any ideas how we can proceed? Wildcard certificate is not an option.

    Hello,
    There are a couple of things you can try:
    1. Change the Certification Authority. At least until November 2015, CAs should accept internal company domains and provide SSL certs for them. Not sure what CA you are trying to use, but I've seen Verisign, GoDaddy, Entrust, etc. providing SSL certs for internal domain names (using SAN certs)
    2. Change the FQDNs of your internal VMs. You would need to ensure you configure "company.de" zone in your internal DNS, create DNS entries for all the internal VMs, Private VIP and Admin and WebEx Site for "company.de" domain, and then perform the hostname change on CWMS for all the VMs and Admin site. You can change the VMs hostnames if you go to CWMS Dashboard > System > View More, and by clicking on each VM you will get an option to change the hostname. If the hostname is defined in DNS and resolves to the same IP address as the original hostname, the entry will be properly updated. (NOTE: don't change the IP addresses if not really needed. If needed, take a look at the instructions here) . Once you modified all the hostnames, you can generate new CSR (SAN) and you will get valid internal VM hostnames and your CA will be able to issue you a certificate.
    3. If you end up using the same domain name on all the VMs and VIPs, you may consider wildcard certs (not sure why they are not an option in your case).
    This is all that you can do when it comes to this issue.
    I hope any of this will help.
    -Dejan

  • CERT_TRUST_IS_NOT_SIGNATURE_VALID when installing a 3rd-party cert in Windows 2008 Domain Controller

    Hello,
    I'm facing a problem while trying to install a 3rd-party digital certificate on a Windows 2008 Domain Controller.
    Basically, I'm following this TechNet
    http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx
    1) I did create the file Reqdccert.vbs on the Domain Controller
    2) then I did generate the inf file
    cscript reqdccert.vbs DomainController E
    3) and then I generated a certificate request
    certreq -new AD.inf AD.req
    4) also I've imported RootCA and SubCA into the Certificate Store of the DC
    5) I got a signed certificate from our 3rd-party CA running on Windows 2000
    6) when importing the certificate I get the below error
    C:\>certreq -ACCEPT ad.p7c
    Certificate Request Processor: The signature of the certificate cannot be verifi
    ed. 0x80096004 (-2146869244)
    Here is the verbose log from CAPI2:
    + System 
      - Provider 
       [ Name]  Microsoft-Windows-CAPI2 
       [ Guid]  {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} 
       EventID 11 
       Version 0 
       Level 2 
       Task 11 
       Opcode 2 
       Keywords 0x4000000000000003 
      - TimeCreated 
       [ SystemTime]  2014-06-13T09:33:02.604870500Z 
       EventRecordID 304 
       Correlation 
      - Execution 
       [ ProcessID]  1700 
       [ ThreadID]  3032 
       Channel Microsoft-Windows-CAPI2/Operational 
       Computer ad.eac.igs 
      - Security 
       [ UserID]  S-1-5-21-4171312682-976198474-2692596432-500 
    - UserData 
      - CertGetCertificateChain 
      - Certificate 
       [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
       [ subjectName]  ad.eac.com 
      - AdditionalStore 
      - Certificate 
       [ fileRef]  691847ADD248AEB8579462249B063A1555716B21.cer 
       [ subjectName]  SubCA 
      - Certificate 
       [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
       [ subjectName]  ad.eac.com
      - Certificate 
       [ fileRef]  0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer 
       [ subjectName]  RootCA 
       ExtendedKeyUsage 
      - Flags 
       [ value]  0 
      - ChainEngineInfo 
       [ context]  user 
      - AdditionalInfo 
      - NetworkConnectivityStatus 
       [ value]  1 
       [ _SENSAPI_NETWORK_ALIVE_LAN]  true 
      - CertificateChain 
       [ chainRef]  {0B005F9F-F15B-4FE2-A630-7BBEE6AB5C0A} 
      - TrustStatus 
      - ErrorStatus 
       [ value]  8 
       [ CERT_TRUST_IS_NOT_SIGNATURE_VALID]  true 
      - InfoStatus 
       [ value]  0 
      - ChainElement 
      - Certificate 
       [ fileRef]  4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer 
       [ subjectName]  ad.eac.com 
      - SignatureAlgorithm 
       [ oid]  1.2.840.113549.1.1.11 
       [ hashName]  SHA256 
       [ publicKeyName]  RSA 
      - PublicKeyAlgorithm 
       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 
      - TrustStatus 
      - ErrorStatus 
       [ value]  8 
       [ CERT_TRUST_IS_NOT_SIGNATURE_VALID]  true 
      - InfoStatus 
       [ value]  4 
       [ CERT_TRUST_HAS_NAME_MATCH_ISSUER]  true 
      - ApplicationUsage 
      - Usage 
       [ oid]  1.3.6.1.5.5.7.3.1 
       [ name]  Server Authentication 
      - Usage 
       [ oid]  1.3.6.1.5.5.7.3.2 
       [ name]  Client Authentication 
      - Usage 
       [ oid]  1.3.6.1.4.1.311.20.2.2 
       [ name]  Smart Card Logon 
       IssuanceUsage 
      - ChainElement 
      - Certificate 
       [ fileRef]  691847ADD248AEB8579462249B063A1555716B21.cer 
       [ subjectName]  SubCA 
      - SignatureAlgorithm 
       [ oid]  1.2.840.113549.1.1.5 
       [ hashName]  SHA1 
       [ publicKeyName]  RSA 
      - PublicKeyAlgorithm 
       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 
      - TrustStatus 
      - ErrorStatus 
       [ value]  0 
      - InfoStatus 
       [ value]  101 
       [ CERT_TRUST_HAS_EXACT_MATCH_ISSUER]  true 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 
      - ApplicationUsage 
       [ any]  true 
       IssuanceUsage 
      - ChainElement 
      - Certificate 
       [ fileRef]  0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer 
       [ subjectName]  RootCA 
      - SignatureAlgorithm 
       [ oid]  1.2.840.113549.1.1.5 
       [ hashName]  SHA1 
       [ publicKeyName]  RSA 
      - PublicKeyAlgorithm 
       [ oid]  1.2.840.113549.1.1.1 
       [ publicKeyName]  RSA 
       [ publicKeyLength]  2048 
      - TrustStatus 
      - ErrorStatus 
       [ value]  0 
      - InfoStatus 
       [ value]  10C 
       [ CERT_TRUST_HAS_NAME_MATCH_ISSUER]  true 
       [ CERT_TRUST_IS_SELF_SIGNED]  true 
       [ CERT_TRUST_HAS_PREFERRED_ISSUER]  true 
      - ApplicationUsage 
       [ any]  true 
      - IssuanceUsage 
       [ any]  true 
      - EventAuxInfo 
       [ ProcessName]  certreq.exe 
       [ startTime]  2014-06-13T09:32:53.369Z 
       [ endTime]  2014-06-13T09:33:02.604Z 
       [ duration]  PT9.232850S 
      - CorrelationAuxInfo 
       [ TaskId]  {A8DC7725-FEE9-4E09-905A-FEFF7FAE9B8B} 
       [ SeqNumber]  27 
      - Result The signature of the certificate cannot be verified. 
       [ value]  80096004 
    Any idea what the problem is?
    Thanks in advance,
    Davide.

    One common reason for that error is that the wrong SubCA certificate had been imported accidentally - e.g. an earlier 'version' of that SubCA with the same Subject CA name but a different key. In this case the validating client will try to build a chain based on name only but finally the signature check fails.
    Could you cross-check if the extension Authority Key Identifier in your DC certificate is the same as the field Subject Key Identifier of the SubCA certificate? (These are typically hashes of the keys though it is not standardized - it should be a unique string characteristic for the CA.)
    For the client cert, CERT_TRUST_HAS_NAME_MATCH_ISSUER is indicated in your log - thus the Issuer name in the client cert matches the Subject Name in the CA cert, but we don't know about SKI/AKI.
    Elke

  • How do I set up my own certificate authority

    I tried google on the above question, and the most recent thing I found was 7 years old. replacing the phrase used generates a lot of hits with a very poor signal to noise ratio.
    I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).
    I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.
    At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other opensource software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?
    If you know of a URL where this is well explained and illustrated, great. Give that to me.
    Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).
    Any assistance would be appreciated.
    Thanks,
    Ted
    ========failed attempt=====================
    # Generation of Certificate Authority(CA)
    openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
    # Create server request and key
    openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf
    # Remove the passphrase from the key
    openssl rsa -in server-key.pem -out server-key.pem
    # Sign server cert
    openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf
    # Create client request and key
    openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf
    # Remove a passphrase from the key
    openssl rsa -in client-key.pem -out client-key.pem
    # Sign client cert
    openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf

    The following works for me:
    NB: Some of the output has been removed in the interests of privacy (this will not affect the outcome)
    1. Create CA key and certificate
    1.1 Create a new file called "serial" containing the value "01".
    1.2 Create an empty file "index.txt"
    1.3 Create a subdirectory "newcerts"
    1.4 Execute.... create a key for your CA
    [ben@localhost ca]$ openssl genrsa -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    .....................................+++
    ..........................................................+++
    e is 65537 (0x10001)
    1.5 Execute... create a certificate for your own CA
    [ben@localhost ca]$ openssl req -config ./openssl.cnf -new -x509 -key ca.key -out cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [GB]:
    County or State (full name) []:
    City or town (eg, Hitchin) []:
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    2. Create PK key and .csr
    2.1 Execute...
    [ben@localhost ca]$ keytool -genkey -alias PK
    Enter keystore password: password
    What is your first and last name?
    [Unknown]:
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your organization?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit?
    [Unknown]:
    Is CN=, OU=, O=, L=, ST=, C=GB correct?
    [no]: yes
    Enter key password for <PK>
    (RETURN if same as keystore password):
    2.2 Create .csr
    [ben@localhost ca]$ keytool -certreq -alias PK -file PK.csr
    Enter keystore password: password
    3. Sign PK with CA cert
    [ben@localhost ca]$ openssl ca -config ./openssl.cnf -in PK.csr -out PK.pem -keyfile ca.key -days 365
    Using configuration from ./openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 0 (0x0)
    Validity
    Not Before: Jan 5 19:48:33 2006 GMT
    Not After : Jan 5 19:48:33 2007 GMT
    Subject:
    countryName = GB
    stateOrProvinceName =
    organizationName =
    organizationalUnitName =
    commonName =
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    D6:2D:7E:71:77:9E:1A:BB:54:69:98:63:6A:6A:E2:BA:12:C4:D7:DD
    X509v3 Authority Key Identifier:
    keyid:92:7C:33:7C:EC:1D:76:C5:B8:F0:30:6D:10:12:40:E5:E7:EA:24:31
    DirName:/C=GB/ST=/L=/O=/OU=/CN=/emailAddress=
    serial:F0:D1:38:36:65:6D:71:D5
    Certificate is to be certified until Jan 5 19:48:33 2007 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    4. Convert PK certificate into DER format
    [ben@localhost ca]$ openssl x509 -in PK.pem -out PK.der -outform DER
    5. Import CA certificate into keystores
    [ben@localhost ca]$ keytool -import -alias ca -file cacert.pem
    Enter keystore password: password
    Owner: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
    Issuer: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
    Serial number: f0d13836656d71d5
    Valid from: Thu Jan 05 19:41:09 GMT 2006 until: Fri Jan 05 19:41:09 GMT 2007
    Certificate fingerprints:
    MD5: AF:3D:8E:25:12:24:04:1F:40:70:BC:A0:9E:0E:44:84
    SHA1: B8:E8:0B:A5:86:33:21:0C:B5:3C:6E:F2:DE:7B:31:0F:59:AE:21:E4
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    6. Import signed PK into keystore
    [ben@localhost ca]$ keytool -import -alias pk -file PK.der
    Enter keystore password: password
    Certificate reply was installed in keystore
    REF:
    http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm
    http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca
    http://www.openssl.org/docs/apps/ca.html#
    openssl.cnf:
    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME               = .
    RANDFILE          = $ENV::HOME/.rnd
    # Extra OBJECT IDENTIFIER info:
    #oid_file          = $ENV::HOME/.oid
    oid_section          = new_oids
    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions          =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)
    [ new_oids ]
    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    [ ca ]
    default_ca     = CA_default          # The default ca section
    [ CA_default ]
    dir          = .               # Where everything is kept
    certs          = $dir/certs          # Where the issued certs are kept
    crl_dir          = $dir/crl          # Where the issued crl are kept
    database     = $dir/index.txt     # database index file.
    #unique_subject     = no               # Set to 'no' to allow creation of
                             # several certificates with same subject.
    new_certs_dir     = $dir/newcerts          # default place for new certs.
    certificate     = $dir/cacert.pem      # The CA certificate
    serial          = $dir/serial           # The current serial number
    #crlnumber     = $dir/crlnumber     # the current crl number must be
                             # commented out to leave a V1 CRL
    crl          = $dir/crl.pem           # The current CRL
    private_key     = $dir/private/cakey.pem# The private key
    RANDFILE     = $dir/private/.rand     # private random number file
    x509_extensions     = usr_cert          # The extensions to add to the cert
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt      = ca_default          # Subject Name options
    cert_opt      = ca_default          # Certificate field options
    # Extension copying option: use with caution.
    # copy_extensions = copy
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions     = crl_ext
    default_days     = 365               # how long to certify for
    default_crl_days= 30               # how long before next CRL
    default_md     = md5               # which md to use.
    preserve     = no               # keep passed DN ordering
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    # For the CA policy
    [ policy_match ]
    countryName          = match
    stateOrProvinceName     = match
    organizationName     = match
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName          = optional
    stateOrProvinceName     = optional
    localityName          = optional
    organizationName     = optional
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    [ req ]
    default_bits          = 1024
    default_keyfile      = privkey.pem
    distinguished_name     = req_distinguished_name
    attributes          = req_attributes
    x509_extensions     = v3_ca     # The extensions to add to the self signed cert
    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret
    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix      : PrintableString, BMPString.
    # utf8only: only UTF8Strings.
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    # so use this option with caution!
    # we use PrintableString+UTF8String mask so if pure ASCII texts are used
    # the resulting certificates are compatible with Netscape
    string_mask = MASK:0x2002
    # req_extensions = v3_req # The extensions to add to a certificate request
    [ req_distinguished_name ]
    countryName               = Country Name (2 letter code)
    countryName_default          = GB
    countryName_min               = 2
    countryName_max               = 2
    stateOrProvinceName          = County or State (full name)
    stateOrProvinceName_default     =
    localityName               = City or town (eg, Hitchin)
    localityName_default          =
    0.organizationName          = Organization Name (eg, company)
    0.organizationName_default     =
    # we can do this but it is not needed normally :-)
    #1.organizationName          = Second Organization Name (eg, company)
    #1.organizationName_default     = World Wide Web Pty Ltd
    organizationalUnitName          = Organizational Unit Name (eg, section)
    organizationalUnitName_default     =
    commonName               = Common Name (eg, your name or your server\'s hostname)
    commonName_max               = 64
    emailAddress               = Email Address
    emailAddress_max          = 64
    # SET-ex3               = SET extension number 3
    [ req_attributes ]
    challengePassword          = A challenge password
    challengePassword_min          = 4
    challengePassword_max          = 20
    unstructuredName          = An optional company name
    [ usr_cert ]
    # These extensions are added when 'ca' signs a request.
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    basicConstraints=CA:FALSE
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    # This is OK for an SSL server.
    # nsCertType               = server
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    # For normal client use this is typical
    # nsCertType = client, email
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # This will be displayed in Netscape's comment listbox.
    nsComment               = "OpenSSL Generated Certificate"
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    # Copy subject details
    # issuerAltName=issuer:copy
    #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    [ v3_ca ]
    # Extensions for a typical CA
    # PKIX recommendation.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as a test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    # Some might want this also
    # nsCertType = sslCA, emailCA
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    [ crl_ext ]
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always

  • Help diagnosing "The selected certificate has errors: Invalid Signature"

    I am unable to sign a PDF using a new certificate I have received.  I have tried Acrobat X and XI.  I have also tried importing both the root and issuing CAs as trust anchors.  Those certs seem to verify fine.  This issue appears to be with the signature on my cert.
    My suspicion is that the issue stems from the issuing CA's use of the "AlternateSignatureAlgorithm", 1.2.840.113549.1.1.10 RSASSA-PSS, for my user cert.  Acrobat does not seem to recognize this algorithm.  It simply lists the OID value when I look at the signature algorithm under details.
    The certificate is validated fine using certutil.exe and works fine when I use it for client SSL authentication.  I am using Windows 7 and have tried both 32 and 64 bit PCs.
    Has anyone experienced this before?
    ================ Certificate 0 ================
    ================ Begin Nesting Level 1 ================
    X509 Certificate:
    Version: 3
    Serial Number: 100000
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Issuer:
        CN=xyz QA CA
        O=xyz Technical Resources Ltd
        C=US
    NotBefore: 11/15/2012 2:14 PM
    NotAfter: 11/16/2022 2:14 PM
    Subject:
        CN=xyz Issuing CA
    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters:
        05 00
    Public Key Length: 2048 bits
    Public Key: UnusedBits = 0
        0000  30 82 01 0a 02 82 01 01  00 e3 0b d4 99 e6 01 f1
        0010  0e a4 e1 82 8a 8c 39 27  62 7a 03 23 fe 03 3f b5
        0020  0d b6 fa c2 1b 86 44 d6  2f 76 65 b0 02 ff 83 69
        0030  b7 6a 8d b2 d7 22 74 e3  04 9a 01 ec 4c 0f de ff
        0040  c3 db 8f b5 c1 d3 7d 80  f5 ca cc ca 6d ef df 2a
        0050  31 25 18 0b 92 1b 4b 1f  41 c0 5f b6 b2 7e f4 43
        0060  99 43 01 cf c2 60 de 79  75 ec dc 61 11 ea 87 d0
        0070  76 56 a6 4f 00 4a 31 94  37 a5 37 7b 0d 61 49 74
        0080  67 88 31 df 81 16 a2 ed  5c 77 6b 23 6b 92 35 c8
        0090  b3 05 cc 5a 06 3c a3 b3  6c d8 ad 1e 66 28 4e 90
        00a0  3f ad 66 db 6d 13 dd c8  44 29 a0 4f 62 9c f5 5a
        00b0  c1 7e 84 fc e6 24 57 c2  bd ce f1 80 b7 bd 13 b8
        00c0  9f d1 8a bb 41 43 67 9f  68 25 f6 a6 a2 be 44 89
        00d0  11 4f 12 3d 2d d3 85 be  38 f9 97 bd e1 ce 5c 8c
        00e0  4e d4 ce be 19 0b a7 91  5d ee 1e c1 84 2c 2a 5e
        00f0  bb e5 4a fb 7f 2a f4 b8  06 2b 63 1f d9 c3 d9 d3
        0100  5a 13 2d ea 19 63 dd 7c  e5 02 03 01 00 01
    Certificate Extensions: 9
        2.5.29.19: Flags = 1(Critical), Length = 5
        Basic Constraints
            Subject Type=CA
            Path Length Constraint=None
        2.5.29.14: Flags = 1(Critical), Length = 16
        Subject Key Identifier
            8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Certificate Signing, Off-line CRL Signing, CRL Signing (06)
        2.5.29.35: Flags = 1(Critical), Length = 7e
        Authority Key Identifier
            KeyID=c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
            Certificate Issuer:
                 Directory Address:
                      CN=xyz QA CA
                      O=xyz Technical Resources Ltd
                      C=US
            Certificate SerialNumber=00 96 b6 de 15 a7 4b 97 ac
        2.5.29.31: Flags = 0, Length = 36
        CRL Distribution Points
            [1]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           URL=http://pki.xyzre.qa1/crls/root-ca.crl
        1.3.6.1.5.5.7.1.1: Flags = 0, Length = 37
        Authority Information Access
            [1]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=http://pki.xyzre.qa1/root-ca.cer
        2.5.29.32: Flags = 0, Length = 6e
        Certificate Policies
            [1]Certificate Policy:
                 Policy Identifier=2.16.840.1.101.3.2.1.48
                 [1,1]Policy Qualifier Info:
                      Policy Qualifier Id=CPS
                      Qualifier:
                           http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/documents/test_policy.pdf
        1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
        CA Version
            V0.0
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
        Certificate Template Name (Certificate Type)
            SubCA
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Signature: UnusedBits=0
        0000  41 a4 3f 79 99 d2 aa fa  f9 4b 88 0c a6 be 6f 40
        0010  0b df 10 93 f5 bb 48 c7  1f 89 73 73 09 58 b4 22
        0020  f2 b8 0f 78 b1 da 16 81  cd 2d 86 5a 22 90 67 cd
        0030  22 03 56 d5 c2 f4 df 79  b2 2a 82 e0 2e 5a 9a c3
        0040  92 b5 4d f2 fe 3d 6b f0  97 b0 b7 85 b6 e9 99 4c
        0050  f5 87 34 81 bc 27 f0 77  a1 c6 b2 50 b1 c8 b6 2f
        0060  6f 01 61 0d 1d bc cd 3b  07 2d 18 71 d3 f1 f2 03
        0070  78 e6 82 24 27 b1 65 d5  4b be 6c 20 f7 60 30 4c
        0080  49 42 07 4c 13 d9 7d 77  7f 10 a4 32 bc 30 d4 82
        0090  bf 40 06 0f 84 32 43 65  67 47 d0 19 59 0e e7 c2
        00a0  d9 c1 10 0a 5e df a2 18  04 86 e5 e4 09 80 99 75
        00b0  fd 21 ad 86 5f 77 ab 5d  aa 79 74 ed eb ba c4 e8
        00c0  f1 fb b2 ae 6a dd 07 5c  cc 3d 93 99 ff 45 e6 f6
        00d0  c6 d6 d3 22 69 c3 43 50  c0 69 e4 7f 3e 73 df 76
        00e0  6f 9d fc 73 ed 54 0b 49  3b 6f c8 99 32 b1 9b d5
        00f0  15 bd 5f 40 07 a2 f2 92  0e 74 2b f2 01 39 52 b0
    Non-root Certificate
    Key Id Hash(rfc-sha1): 8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
    Key Id Hash(sha1): e7 a5 38 8b 64 5e bd 6e ee 7b 3f 61 bb 8a ed 2c cc 4b 2c 2f
    Cert Hash(md5): 69 84 7c 7c d8 2a 35 12 e9 6b e8 6a fd ca be 92
    Cert Hash(sha1): eb 2f 11 1b b0 c2 92 a0 14 74 50 42 50 1e de c5 53 de d7 df
    ----------------  End Nesting Level 1  ----------------
      CERT_MD5_HASH_PROP_ID(4):
        69 84 7c 7c d8 2a 35 12 e9 6b e8 6a fd ca be 92
      CERT_SHA1_HASH_PROP_ID(3):
        eb 2f 11 1b b0 c2 92 a0 14 74 50 42 50 1e de c5 53 de d7 df
      CERT_KEY_IDENTIFIER_PROP_ID(20):
        8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
    Cannot find the certificate and private key for decryption.
    ================ Certificate 1 ================
    ================ Begin Nesting Level 1 ================
    X509 Certificate:
    Version: 3
    Serial Number: 96b6de15a74b97ac
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Issuer:
        CN=xyz QA CA
        O=xyz Technical Resources Ltd
        C=US
    NotBefore: 11/13/2012 3:35 PM
    NotAfter: 11/13/2032 3:35 PM
    Subject:
        CN=xyz QA CA
        O=xyz Technical Resources Ltd
        C=US
    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters:
        05 00
    Public Key Length: 2048 bits
    Public Key: UnusedBits = 0
        0000  30 82 01 0a 02 82 01 01  00 d2 5f 7d c0 c5 25 7f
        0010  2c 4c a2 4a 9b 6f e7 7a  35 cd 9a 2a 88 30 36 9b
        0020  f8 a4 d8 31 64 72 36 1c  1b 2c dc 73 11 d6 57 a2
        0030  97 91 6d bb d0 3c 13 65  28 4d 78 4e e1 c7 06 ac
        0040  16 c1 2a 62 39 ba 39 f9  a1 b9 4a 14 39 28 58 0d
        0050  f4 97 83 d5 ee 45 91 4a  41 06 e5 b9 60 40 20 48
        0060  85 f4 2d 8e 04 7f 81 12  3a 26 e1 0f 21 32 49 bc
        0070  20 ef 12 69 5a 20 a4 51  65 6d 85 4c 0f 4c 91 4c
        0080  26 47 27 a7 9e 49 e0 f7  56 08 fc 90 47 11 6c a9
        0090  b8 81 c6 83 c8 b2 2d e8  c4 ba 8b 45 32 c5 dd a0
        00a0  d9 1c 85 10 d6 6b 42 50  9a 42 d6 e4 51 32 73 59
        00b0  92 5b d1 44 82 dc be 75  65 94 e7 4a 79 15 ed 23
        00c0  f8 a3 3e 28 92 31 75 5c  fa b9 1b 6d e0 c3 d0 24
        00d0  7a 09 86 d0 2d c7 42 eb  6b fc 95 ed 62 13 21 35
        00e0  2f 0e b6 cd c2 c3 66 d4  a6 1b 53 15 49 64 ac 34
        00f0  11 20 8b e4 46 bc 60 68  3e 1b cb 5c b8 05 f4 a8
        0100  0a a3 53 d0 37 2a 2d 73  01 02 03 01 00 01
    Certificate Extensions: 7
        2.5.29.19: Flags = 1(Critical), Length = 5
        Basic Constraints
            Subject Type=CA
            Path Length Constraint=None
        2.5.29.14: Flags = 1(Critical), Length = 16
        Subject Key Identifier
            c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Certificate Signing, Off-line CRL Signing, CRL Signing (06)
        2.5.29.35: Flags = 1(Critical), Length = 7e
        Authority Key Identifier
            KeyID=c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
            Certificate Issuer:
                 Directory Address:
                      CN=xyz QA CA
                      O=xyz Technical Resources Ltd
                      C=US
            Certificate SerialNumber=00 96 b6 de 15 a7 4b 97 ac
        2.5.29.31: Flags = 0, Length = 36
        CRL Distribution Points
            [1]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           URL=http://pki.xyzre.qa1/crls/root-ca.crl
        1.3.6.1.5.5.7.1.1: Flags = 0, Length = 37
        Authority Information Access
            [1]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=http://pki.xyzre.qa1/root-ca.cer
        2.5.29.32: Flags = 0, Length = 6e
        Certificate Policies
            [1]Certificate Policy:
                 Policy Identifier=2.16.840.1.101.3.2.1.48
                 [1,1]Policy Qualifier Info:
                      Policy Qualifier Id=CPS
                      Qualifier:
                           http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/documents/test_policy.pdf
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Signature: UnusedBits=0
        0000  69 25 3a 36 f1 13 25 88  73 94 eb cf 5b 70 2e 86
        0010  8c 0d 7a 8f 3a 49 0e 42  18 da c9 00 26 68 ea 42
        0020  cd 2a 24 43 0d ec 6b 15  73 14 33 69 c2 60 3d 40
        0030  1c 4d 59 12 7a e9 03 00  81 ba 1e 50 55 05 bd 60
        0040  88 84 bb 8e e3 f5 ce 00  42 ae fd 01 05 fd bc 5f
        0050  af cc e3 a4 4d f2 84 8b  9b 0d 24 16 d6 d4 51 da
        0060  50 9c c4 69 d6 b8 18 be  e5 5c 48 b8 8a a3 d4 22
        0070  0e 26 f2 15 d8 ff 19 34  d4 1d 69 50 02 51 da e8
        0080  ad 05 a3 2f 1c e9 0f da  e3 4c 36 c4 cd 6e a5 76
        0090  88 19 90 78 ad fe 94 62  46 91 2b 0a 36 df e2 ea
        00a0  4a a9 f4 5c dc 77 4d e5  f4 ab e9 b9 da f6 b0 9f
        00b0  6c f5 50 74 14 19 05 df  96 b5 ee af a3 31 a5 af
        00c0  8f 6c be 67 43 78 55 0e  39 46 80 05 12 5f c2 4f
        00d0  24 fc 13 f7 e5 ee 64 0f  dd 9a 49 5c 57 10 1c 4b
        00e0  7a 9f 5a 1f 0c ec 5b 8d  b4 c4 ed d8 09 cc 1c d9
        00f0  9f 04 3f 85 ab 95 48 8e  77 e0 91 81 39 46 fb a3
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Key Id Hash(rfc-sha1): c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
    Key Id Hash(sha1): f0 fc 52 1c c1 a6 16 2d 28 c1 71 84 ae d4 18 87 74 c4 f8 1c
    Cert Hash(md5): c9 af 16 63 9e 51 7b 8e 22 25 96 d7 a7 66 fa ab
    Cert Hash(sha1): e6 0b ef c1 fb e6 94 13 dc 9f 26 80 33 31 43 d9 ec af d7 be
    ----------------  End Nesting Level 1  ----------------
      CERT_MD5_HASH_PROP_ID(4):
        c9 af 16 63 9e 51 7b 8e 22 25 96 d7 a7 66 fa ab
      CERT_SHA1_HASH_PROP_ID(3):
        e6 0b ef c1 fb e6 94 13 dc 9f 26 80 33 31 43 d9 ec af d7 be
      CERT_KEY_IDENTIFIER_PROP_ID(20):
        c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
    Cannot find the certificate and private key for decryption.
    ================ Certificate 2 ================
    ================ Begin Nesting Level 1 ================
    X509 Certificate:
    Version: 3
    Serial Number: 1500000003a24d67389af826d7000000000003
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
        Algorithm Parameters:
        30 00
    Issuer:
        CN=xyz Issuing CA
    NotBefore: 11/15/2012 3:13 PM
    NotAfter: 11/15/2013 3:13 PM
    Subject:
        [email protected]
        CN=(e) Hugh Kelley
    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters:
        05 00
    Public Key Length: 2048 bits
    Public Key: UnusedBits = 0
        0000  30 82 01 0a 02 82 01 01  00 e4 55 77 34 c0 b7 58
        0010  55 cd 71 1e da d4 83 fd  f4 bd a5 d5 26 52 6c 7e
        0020  8d 74 ea 0a b6 2c 0c ae  b4 8f fc 95 07 9b 1a d4
        0030  e1 9f ed e3 7e d7 f4 f0  04 2c e4 ed 4c 49 2b d7
        0040  b4 42 c0 1c 12 7c b8 76  22 83 e6 d9 44 78 ce 26
        0050  20 5c 9c 71 30 3c 78 01  74 fa ac f9 7b b3 83 28
        0060  a8 18 52 10 d4 a5 f0 29  40 15 40 16 5c 90 4b 5d
        0070  c4 57 9d 3d 29 4e ce 80  b1 f1 ae 17 a4 cc 85 0b
        0080  a2 5e 73 0f ac 0f ff 8b  05 0c b9 f2 17 b3 ad 2f
        0090  b7 33 c7 ac bf 16 0f 09  2a e6 b7 f9 90 42 0b 6f
        00a0  3b 7f df 86 e6 e9 33 b6  d5 2d be 5f 65 4b 87 45
        00b0  d4 53 fc 8e de 0f 49 fd  8b 84 f5 2e cd 00 a9 cd
        00c0  0c b2 e2 7e 3e f9 e3 28  2f 9a 55 85 3e b8 b2 3a
        00d0  89 ce 19 bd 88 b2 74 da  42 ac bf 07 6c 4a b8 2e
        00e0  94 36 3b 28 f0 45 ec 59  f4 22 f3 03 47 85 ef 4c
        00f0  ba f5 24 3e 55 60 8b e8  6e e3 e9 1e bf 3c c9 75
        0100  88 9c 39 6c 20 66 c0 92  85 02 03 01 00 01
    Certificate Extensions: 10
        1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
        Certificate Template Information
            Template=1.3.6.1.4.1.311.21.8.11609700.13554795.12405411.13975648.10011376.129.8742862.1466929
            Major Version Number=100
            Minor Version Number=5
        2.5.29.37: Flags = 0, Length = 22
        Enhanced Key Usage
            Client Authentication (1.3.6.1.5.5.7.3.2)
            Secure Email (1.3.6.1.5.5.7.3.4)
            Encrypting File System (1.3.6.1.4.1.311.10.3.4)
        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Key Encipherment (a0)
        1.3.6.1.4.1.311.21.10: Flags = 0, Length = 28
        Application Policies
            [1]Application Certificate Policy:
                 Policy Identifier=Client Authentication
            [2]Application Certificate Policy:
                 Policy Identifier=Secure Email
            [3]Application Certificate Policy:
                 Policy Identifier=Encrypting File System
        1.2.840.113549.1.9.15: Flags = 0, Length = 37
        SMIME Capabilities
            [1]SMIME Capability
                 Object ID=1.2.840.113549.3.2
                 Parameters=02 02 00 80
            [2]SMIME Capability
                 Object ID=1.2.840.113549.3.4
                 Parameters=02 02 00 80
            [3]SMIME Capability
                 Object ID=1.3.14.3.2.7
            [4]SMIME Capability
                 Object ID=1.2.840.113549.3.7
        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            c2 1d d2 c8 90 64 9c 38 a9 66 9d 12 8b 1a a6 ab a8 72 2a 11
        2.5.29.35: Flags = 0, Length = 18
        Authority Key Identifier
            KeyID=8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
        2.5.29.31: Flags = 0, Length = 44
        CRL Distribution Points
            [1]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           URL=http://pki.xyzre.qa1/crls/xyz Issuing CA.crl
        1.3.6.1.5.5.7.1.1: Flags = 0, Length = 45
        Authority Information Access
            [1]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=http://pki.xyzre.qa1/xyz Issuing CA.crt
        2.5.29.17: Flags = 0, Length = 50
        Subject Alternative Name
            Other Name:
                 Principal [email protected]
            RFC822 [email protected]
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
        Algorithm Parameters:
        30 00
    Signature: UnusedBits=0
        0000  51 58 a1 89 fc fe 9d b3  67 36 9f 4d 41 75 9e 9f
        0010  b8 30 10 3b c8 f1 0b 6a  b8 ab 84 73 2e 91 7e 05
        0020  e0 3a 5b 34 cd 0a 35 bd  e0 f6 c2 7c 7f d0 d6 b3
        0030  03 3d 8c dd 52 04 7f 62  55 a5 14 a7 5a 20 77 5d
        0040  0f bb f6 4d a3 8c 2e 98  76 39 f4 30 18 bf be 5f
        0050  0c 62 20 40 39 34 e6 de  d2 dd 01 dd e9 bb d0 e5
        0060  1e 93 93 0e de c4 c5 86  9e 15 72 ea 4c 37 5c 6c
        0070  3d dc 69 8d 17 9d f8 b6  2a 51 1f f5 bc f5 fb 58
        0080  2c 03 4f 88 b8 58 a3 cd  ca 38 28 3a c9 34 79 4a
        0090  46 7c de a1 a8 fa 28 34  1f 23 96 69 51 f1 c7 41
        00a0  0b c8 a9 39 71 6c 4f 57  81 7f ec a7 2f 65 b9 97
        00b0  c8 2d 1e 24 ff fc d9 58  5c 07 e9 2c 83 77 64 a9
        00c0  8f 5d 42 9e c3 ea 85 88  39 7b 23 56 38 6d c9 15
        00d0  4c 80 de cf 00 e0 73 27  e2 f1 b3 d4 c9 b5 83 74
        00e0  4f 6e 6f 03 2f df c1 29  24 de 6a 70 cf de d4 1f
        00f0  fb 07 08 85 89 f9 08 f7  68 5c 68 29 2e 3c 6c de
    Non-root Certificate
    Key Id Hash(rfc-sha1): c2 1d d2 c8 90 64 9c 38 a9 66 9d 12 8b 1a a6 ab a8 72 2a 11
    Key Id Hash(sha1): 42 9c bd 63 60 4c d2 a8 55 bd 1b f4 70 25 34 cd 72 38 ca 8c
    Cert Hash(md5): af 8b 1e 76 71 f5 53 f4 93 62 1d e7 5e a8 d1 ff
    Cert Hash(sha1): 4f 3b d3 48 ba 05 65 dd 99 bb 33 65 5b 5e ba 13 28 fe 2d 80
    ----------------  End Nesting Level 1  ----------------
      CERT_MD5_HASH_PROP_ID(4):
        af 8b 1e 76 71 f5 53 f4 93 62 1d e7 5e a8 d1 ff
      CERT_SHA1_HASH_PROP_ID(3):
        4f 3b d3 48 ba 05 65 dd 99 bb 33 65 5b 5e ba 13 28 fe 2d 80
      CERT_KEY_PROV_INFO_PROP_ID(2):
        Key Container = {0136F9BB-2135-4642-827C-B883E0BDAF41}
      Unique container name: 1119ced7dad9cbd7d39924c9f35b5886_f10cfee5-eccc-4ef4-b0fb-7042bc1815c3
        Provider = Microsoft Enhanced Cryptographic Provider v1.0
        ProviderType = 1
        Flags = 0
        KeySpec = 1 -- AT_KEYEXCHANGE
      CERT_CEP_PROP_ID(87):
      Enrollment Policy Url: ldap:
      Enrollment Policy Id: {D8416D24-E050-45B1-B348-B9218292357C}
      Enrollment Server Url: Q-PKI-01.xyzre.qa1\xyz Issuing CA
      Request Id: 3
      Flags = 0
        DefaultNone -- 0
      Url Flags = 20 (32)
        PsfAllowUnTrustedCA -- 20 (32)
      Authentication = 2
        Kerberos -- 2
      Enrollment Server Authentication = 2
        Kerberos -- 2
      CERT_REQUEST_ORIGINATOR_PROP_ID(71):
        Q-APPDEV7-01.xyzre.qa1
      CERT_KEY_IDENTIFIER_PROP_ID(20):
        c2 1d d2 c8 90 64 9c 38 a9 66 9d 12 8b 1a a6 ab a8 72 2a 11
      Unique container name: 1119ced7dad9cbd7d39924c9f35b5886_f10cfee5-eccc-4ef4-b0fb-7042bc1815c3
      PP_KEYSTORAGE = 1
        CRYPT_SEC_DESCR -- 1
      KP_PERMISSIONS = 3f (63)
        CRYPT_ENCRYPT -- 1
        CRYPT_DECRYPT -- 2
        CRYPT_EXPORT -- 4
        CRYPT_READ -- 8
        CRYPT_WRITE -- 10 (16)
        CRYPT_MAC -- 20 (32)
      D:(A;ID;GAGR;;;SY)(A;ID;GAGR;;;BA)(A;ID;GAGR;;;S-1-5-21-2052111302-1708537768-839522115-24370)
        Allow Full Control    NT AUTHORITY\SYSTEM
        Allow Full Control    BUILTIN\Administrators
        Allow Full Control    xyzRE\hugh.kelley
    Private Key:
      PRIVATEKEYBLOB
      Version: 2
      aiKeyAlg: 0xa400
        CALG_RSA_KEYX
        Algorithm Class: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
        Algorithm Type: 0x400(2) ALG_TYPE_RSA
        Algorithm Sub-id: 0x0(0) ALG_SID_RSA_ANY
      0000  52 53 41 32                                        RSA2
      0000  ...
      048c
    Encryption test passed
    CertUtil: -dump command completed successfully.

    Hi Hugh,
    As you figured out, the certificate was using a signature algorithm that Acrobat did not understand. The "signature algorithm" is a composite of the digest algorithm (e.g. sha1) and the encryption algorithm (e.g. RSA). Acrobat understands the following digest algorithms: MD5, SHA-1, RIPEMD-160, SHA-256, SHA-384, and SHA-512. As far as encryption algorithms go, it understands DSA and RSA. Just to make things a little more complicated, version XI can also handle elliptic curve, but versions 6 thru 10 were limited to DSA & RSA. If you are using a digital ID created with the DSA encryption algorithm then the only digest algorithm Acrobat can use with it is SHA-1. Just as you saw sha1RSA, you could also use a digital ID with the sha1DSA signature algorithm. If you are using RSA then it will pair with all six digest algorithms I noted above (e.g. sha256RSA).
    The Probabilistic Signature Scheme is not something Acrobat understands at all.
    Steve
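    The following is an added example, not code from any of the posts on this page, that serves two passages at once: the `subjectKeyIdentifier=hash` / `authorityKeyIdentifier=keyid` lines in the openssl.cnf excerpt earlier on the page, and Steve's point that a signature AlgorithmIdentifier (digest plus encryption algorithm) can carry an OID a verifier does not know. It uses only the Python standard library. The key bytes and SKI value are copied from the certutil dump of "xyz Issuing CA" above; the double-wrapped extension value (the dump reports the extension as length 0x16, i.e. `04 14` plus 20 bytes, which `getExtensionValue` hands back inside a further `04 16` OCTET STRING) and the two AlgorithmIdentifier encodings (sha1RSA with `05 00`, RSASSA-PSS with `30 00`, as in the dump) are constructed to match it. All function names are mine.

```python
# Added example (not from the posts above): stdlib-only DER checks for the
# SubjectKeyIdentifier extension and the signature AlgorithmIdentifier.
import hashlib

def der_tlv(data, offset=0):
    """Parse one DER element at offset; return (tag, contents, end offset).
    Definite short- and long-form lengths only, bounds-checked."""
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER element runs past end of buffer")
    return tag, data[pos:end], end

def ski_from_extn_value(extn_value):
    """Raw key identifier from a DER extnValue, i.e. what Java's
    getExtensionValue("2.5.29.14") returns: 04 16 04 14 <20 bytes>. Outer
    layer: the Extension's extnValue; inner: SubjectKeyIdentifier itself."""
    tag, contents, end = der_tlv(extn_value)
    if tag != 0x04 or end != len(extn_value):
        raise ValueError("extnValue is not a single OCTET STRING")
    tag, key_id, end = der_tlv(contents)
    if tag != 0x04 or end != len(contents):
        raise ValueError("extnValue does not hold a KeyIdentifier OCTET STRING")
    return key_id

def ski_hash(subject_public_key):
    """RFC 5280 method (1), OpenSSL's 'hash': SHA-1 over the subjectPublicKey
    BIT STRING value (no tag, length or unused-bits octet)."""
    return hashlib.sha1(subject_public_key).digest()

def decode_oid(contents):
    """Dotted string from the contents octets of a DER OBJECT IDENTIFIER."""
    arcs, value = [], 0
    for b in contents:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("truncated OID")
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.10": "RSASSA-PSS",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10040.4.3": "dsaWithSHA1"}

def describe_signature_algorithm(alg_id):
    """Decode AlgorithmIdentifier ::= SEQUENCE { OID, parameters OPTIONAL };
    return (name, note). PSS is singled out: a verifier that only knows the
    PKCS#1 v1.5 OIDs reports such a signature as invalid."""
    tag, body, end = der_tlv(alg_id)
    if tag != 0x30 or end != len(alg_id):
        raise ValueError("not an AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, pos = der_tlv(body)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid, params = decode_oid(oid_bytes), body[pos:]
    name = SIG_OIDS.get(oid, oid)
    if oid == "1.2.840.113549.1.1.10":
        # RFC 4055 RSASSA-PSS-params: every field has a DEFAULT, so the empty
        # SEQUENCE (30 00) seen in the certutil dump means SHA-1, MGF1-SHA1,
        # saltLength 20, trailerField 1.
        if params == b"\x30\x00":
            return name, "all-default params: SHA-1, MGF1-SHA1, salt 20"
        return name, "explicit params (%d bytes)" % len(params)
    if params in (b"", b"\x05\x00"):
        return name, "NULL or absent parameters"
    return name, "unexpected parameters " + params.hex()

# Copied from the certutil dump of "xyz Issuing CA" in the thread above.
ISSUING_CA_SKI = bytes.fromhex("8a541ff743b9fd193f822808133dfa734211e36f")
ISSUING_CA_PUBLIC_KEY = bytes.fromhex(
    "3082010a0282010100e30bd499e601f10ea4e1828a8c3927627a0323fe033fb5"
    "0db6fac21b8644d62f7665b002ff8369b76a8db2d72274e3049a01ec4c0fdeff"
    "c3db8fb5c1d37d80f5caccca6defdf2a3125180b921b4b1f41c05fb6b27ef443"
    "994301cfc260de7975ecdc6111ea87d07656a64f004a319437a5377b0d614974"
    "678831df8116a2ed5c776b236b9235c8b305cc5a063ca3b36cd8ad1e66284e90"
    "3fad66db6d13ddc84429a04f629cf55ac17e84fce62457c2bdcef180b7bd13b8"
    "9fd18abb4143679f6825f6a6a2be4489114f123d2dd385be38f997bde1ce5c8c"
    "4ed4cebe190ba7915dee1ec1842c2a5ebbe54afb7f2af4b8062b631fd9c3d9d3"
    "5a132dea1963dd7ce50203010001")
# Constructed: the extnValue a Java getExtensionValue() call would return
# (dump shows extension length 0x16 = 22 = 04 14 + 20 bytes).
ISSUING_CA_SKI_EXTN_VALUE = b"\x04\x16\x04\x14" + ISSUING_CA_SKI
# Constructed AlgorithmIdentifiers matching the dump: sha1RSA / 05 00, PSS / 30 00.
SHA1_RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101050500")
PSS_ALGID = bytes.fromhex("300d06092a864886f70d01010a3000")

if __name__ == "__main__":
    print("SKI in cert :", ISSUING_CA_SKI.hex())
    print("SKI rehashed:", ski_hash(ISSUING_CA_PUBLIC_KEY).hex())
    print(describe_signature_algorithm(PSS_ALGID))
```

    Two practical notes. `ski_hash` is the same computation certutil reports as "Key Id Hash(rfc-sha1)" (the "Key Id Hash(sha1)" line is a different hash over the whole SubjectPublicKeyInfo), and in every dump above the rfc-sha1 value equals the certificate's SKI, which is what lets `authorityKeyIdentifier=keyid` in a child certificate be matched against the issuer's SKI during path building. Unwrapping both OCTET STRING layers with length checks, rather than slicing a fixed two- or four-byte prefix, is what keeps the extraction correct when a CA uses a non-SHA-1 identifier whose length is not 20.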

  • How to fetch certificates issued in past

    Hi,
    I have a long list of templates issued in my Client's Issuing CA, some of them are not in use. If I try to export the "Issued Certificates" list from the CA, it hangs.
    I want to know how many certificates and the last certificate issued from a specific template for fine-tuning and segregation purposes. Please let me know how we can check that status.
    Thanks
    Neha Garg

    Hi Paul,
    I am getting the output like this :
    C:\Windows\system32>certutil -view -restrict "certificate template=<1.3.6.1.4.1.311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204>"
    Schema:
      Column Name                   Localized Name                Type    MaxLength
      Request.RequestID             Request ID                    Long    4 -- Indexed
      Request.RawRequest            Binary Request                Binary  65536
      Request.RawArchivedKey        Archived Key                  Binary  65536
      Request.KeyRecoveryHashes     Key Recovery Agent Hashes     String  8192
      Request.RawOldCertificate     Old Certificate               Binary  16384
      Request.RequestAttributes     Request Attributes            String  32768
      Request.RequestType           Request Type                  Long    4
      Request.RequestFlags          Request Flags                 Long    4
      Request.StatusCode            Request Status Code           Long    4
      Request.Disposition           Request Disposition           Long    4 -- Indexed
      Request.DispositionMessage    Request Disposition Message   String  8192
      Request.SubmittedWhen         Request Submission Date       Date    8 -- Indexed
      Request.ResolvedWhen          Request Resolution Date       Date    8 -- Indexed
      Request.RevokedWhen           Revocation Date               Date    8
      Request.RevokedEffectiveWhen  Effective Revocation Date     Date    8 -- Indexed
      Request.RevokedReason         Revocation Reason             Long    4
      Request.RequesterName         Requester Name                String  2048 -- Indexed
      Request.CallerName            Caller Name                   String  2048 -- Indexed
      Request.SignerPolicies        Signer Policies               String  8192
      Request.SignerApplicationPolicies  Signer Application Policies   String  8192
      Request.Officer               Officer                       Long    4
      Request.DistinguishedName     Request Distinguished Name    String  8192
      Request.RawName               Request Binary Name           Binary  4096
      Request.Country               Request Country/Region        String  8192
      Request.Organization          Request Organization          String  8192
      Request.OrgUnit               Request Organization Unit     String  8192
      Request.CommonName            Request Common Name           String  8192
      Request.Locality              Request City                  String  8192
      Request.State                 Request State                 String  8192
      Request.Title                 Request Title                 String  8192
      Request.GivenName             Request First Name            String  8192
      Request.Initials              Request Initials              String  8192
      Request.SurName               Request Last Name             String  8192
      Request.DomainComponent       Request Domain Component      String  8192
      Request.EMail                 Request Email Address         String  8192
      Request.StreetAddress         Request Street Address        String  8192
      Request.UnstructuredName      Request Unstructured Name     String  8192
      Request.UnstructuredAddress   Request Unstructured Address  String  8192
      Request.DeviceSerialNumber    Request Device Serial Number  String  8192
      RequestID                     Issued Request ID             Long    4 -- Indexed
      RawCertificate                Binary Certificate            Binary  16384
      CertificateHash               Certificate Hash              String  128 -- Indexed
      CertificateTemplate           Certificate Template          String  254 -- Indexed
      EnrollmentFlags               Template Enrollment Flags     Long    4
      GeneralFlags                  Template General Flags        Long    4
      PrivatekeyFlags               Template Private Key Flags    Long    4
      SerialNumber                  Serial Number                 String  128 -- Indexed
      IssuerNameID                  Issuer Name ID                Long    4
      NotBefore                     Certificate Effective Date    Date    8
      NotAfter                      Certificate Expiration Date   Date    8 -- Indexed
      SubjectKeyIdentifier          Issued Subject Key Identifier  String  128 -- Indexed
      RawPublicKey                  Binary Public Key             Binary  4096
      PublicKeyLength               Public Key Length             Long    4
      PublicKeyAlgorithm            Public Key Algorithm          String  254
      RawPublicKeyAlgorithmParameters  Public Key Algorithm Parameters  Binary  4096
      PublishExpiredCertInCRL       Publish Expired Certificate in CRL  Long    4
      UPN                           User Principal Name           String  2048 -- Indexed
      DistinguishedName             Issued Distinguished Name     String  8192
      RawName                       Issued Binary Name            Binary  4096
      Country                       Issued Country/Region         String  8192
      Organization                  Issued Organization           String  8192
      OrgUnit                       Issued Organization Unit      String  8192
      CommonName                    Issued Common Name            String  8192 -- Indexed
      Locality                      Issued City                   String  8192
      State                         Issued State                  String  8192
      Title                         Issued Title                  String  8192
      GivenName                     Issued First Name             String  8192
      Initials                      Issued Initials               String  8192
      SurName                       Issued Last Name              String  8192
      DomainComponent               Issued Domain Component       String  8192
      EMail                         Issued Email Address          String  8192
      StreetAddress                 Issued Street Address         String  8192
      UnstructuredName              Issued Unstructured Name      String  8192
      UnstructuredAddress           Issued Unstructured Address   String  8192
      DeviceSerialNumber            Issued Device Serial Number   String  8192
    Maximum Row Index: 0
    0 Rows
       0 Row Properties, Total Size = 0, Max Size = 0, Ave Size = 0
       0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
       0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
       0 Total Fields, Total Size = 0, Max Size = 0, Ave Size = 0
    CertUtil: -view command completed successfully.
    but it doesn't give me the output that I am looking for. I want to know details of the last certificate issued by a given template and its validity status.
    Please let me know if I need to make any changes in command.
    Thanks
    Neha Garg

  • Owsm: Verify signature step & certificate references

    Hi,
    According to the WS-Security 1.0 specification there are 3 ways to reference the certificate:
    1. Reference to a Subject Key Identifier
    2. Reference to a Binary Security Token
    3. Reference to an Issuer and Serial Number
    Unless I'm doing something wrong it seems that only the second method is supported. I get NPE and invalid signature errors for other methods. Can anyone confirm if the owsm only supports the second method?
    I also don't understand why the "Signer's public-key alias" property is necessary. Since the signature contains a certificate reference the owsm could find the certificate in the keystore except if the certificate is embedded in the security header in which case it already has all necessary information. Any ideas?
    TIA,
    Svetozar

    I do use the SOA Suite and JDeveloper 10.1.3.3. I have created a webservice which I have deployed to the SOA application server. Using this webservice works using http and https.
    When I use OWSM to add this webservice as a service this also works, using http and https.
    When I add the request policy step "verify certificate" I get the following error:
    Failed to initialize pipeline 'Request' in policy 'repeater(0.1)

  • WSM certificate errors 00066 & 00034

    Hi,
    I created a cert in client, exported it and imported in server as follows:
    Client (JRE 160_21)
    keytool.exe -genkeypair -alias client_alias -keyalg "RSA" -sigalg "SHA1withRSA" -dname "cn=a, ou=b, o=c, c=in" -keypass password -keystore client.jks -storepass password -validity 5000
    keytool.exe -export -alias client_alias -file public_key.cer -keystore client.jks
    (Server JRE 160_21)
    keytool -import -keystore default-keystore.jks -trustcacerts -alias server_alias -file public_key.cer
    From client, I'm trying to do a SOAP invocation using SOAPUI to above server. In "Key Identifier Type" of Signature and Encryption, I've set "Subject Key Identifier".
    With WSM policy set as wss10_saml_token_with_message_integrity_service_policy, I'm getting following error:
    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
    at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
    ... 34 more
    Caused by: oracle.wsm.security.SecurityException: WSM-00066 : The matching certificate for the given Subject Key Identifier (SKI) cannot be found. at oracle.wsm.security.jps.WsmKeyStore$1CertMatcherImpl.getBySKI(WsmKeyStore.java:704)
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ProcessedIncomingSignatures.getSigner(ProcessedIncomingSignatures.java:422)
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ProcessedIncomingSignatures.checkUnSignedKeyInfoTokenRef(ProcessedIncomingSignatures.java:353)
    With WSM policy set as wss10_saml_token_with_message_protection_service_policy, I'm getting following error:
    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
    at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
    ... 34 more
    Caused by: oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00034 : Error in Encryption reference mechanism compliance : Expected : direct , Actual : ski. at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.preDecryptionCompliance(ComplianceEngine.java:210)
    at oracle.wsm.security.policy.scenario.policycompliance.impl.ComplianceEngine.checkCompliance(ComplianceEngine.java:385)
    I tried all keytool commands with JRE 1.7 but with no luck.
    We are still evaluating which among the above two policies we should attach to a composite. But we are getting errors in both cases.
    Any help will be appreciated.
    Thanks,
    Vikas
    Edited by: Vikas on Feb 18, 2011 4:05 AM

    After changing some WSM policy option, above error is gone. Now, the error is:
    at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
    ... 34 more
    Caused by: oracle.wsm.security.SecurityException: WSM-00169 : Error decrypting the request message.
    at oracle.wsm.security.policy.scenario.processor.Wss10MessageSecurityProcessor.decrypt(Wss10MessageSecurityProcessor.java:206)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    ... 9 more
    Caused by: oracle.security.xmlsec.enc.XECipherException: Data must start with zero
    at oracle.security.xmlsec.enc.XEEncryptedKey.decrypt(XEEncryptedKey.java:676)
    at oracle.security.xmlsec.enc.XEEncryptedKey.getKey(XEEncryptedKey.java:788)
    at oracle.security.xmlsec.wss.WSSecurity.decrypt(WSSecurity.java:2379)
    ... 46 more
    Caused by: javax.crypto.BadPaddingException: Data must start with zero
    at sun.security.rsa.RSAPadding.unpadOAEP(RSAPadding.java:393)
    I checked SOAPUI and couldn't see any place where key can be specified.

  • DSEE Server certificate required on client side?

    I have DSEE 6.3 working in my environment but I am not sure it's configured as it should be....
    I am using tls:simple and everything works; the certificate store is set up with
    the CA and LDAP server certificates on both the LDAP servers and clients.
    Questions:
    - I was expecting the LDAP client to only require the CA certificate however that didn't work!?
    - Shouldn't the server present the server certificate and the client would accept it by validating against the CA certificate? Why would it need to have the server certificate as well?
    - If I deploy the LDAP server certificates to the clients will they all need to be replaced/updated when the server certificate expires?
    Additional info:
    My DSEE server is configured to NOT accept certificate based client authentication.
    All my certificates are valid when I check them with certutil -V
    Edited by: smorris@ on Jan 5, 2009 8:58 PM

    Hi,
    I ended up getting a certificate signed by my internal CA and it worked just as expected.
    I can only assume my CA certificate wasn't actually a CA...
    Checking the output of the commands you suggested clearly shows this - I must have been blind when I ran this last time (or looking at a different cert).
    I guess my question should now be - why was the certificate I created not a valid CA?
    Create CA:
    CA.sh -newca
    Create certdb:
    /usr/sfw/bin/certutil -A -n test-ca -t TC,, -d . -i testca.pem
    Certutil output on this CA:
    /usr/sfw/bin/certutil -d . -L
    test-ca CT,,
    /usr/sfw/bin/certutil -V -e -l -u V -d . -n test-ca
    test-ca : Issuer certificate is invalid.
    /usr/sfw/bin/certutil -d . -L -n test-ca
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 0 (0x0)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Issuer: "<snip>"
    Validity:
    Not Before: Mon Dec 08 01:57:47 2008
    Not After : Tue Dec 06 01:57:47 2016
    Subject: "<snip>"
    Subject Public Key Info:
    Public Key Algorithm: PKCS #1 RSA Encryption
    RSA Public Key:
    Modulus:
              <snip>
    Exponent: 65537 (0x10001)
    Signed Extensions:
    Name: Certificate Basic Constraints
    Data: Is not a CA.
    Name: Certificate Comment
    Comment: "OpenSSL Generated Certificate"
    Name: Certificate Subject Key ID
    Data:
    <snip>
    Name: Certificate Authority Key Identifier
    Key ID:
    <snip>
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
         <snip>
    Fingerprint (MD5):
    <snip>
    Fingerprint (SHA1):
    <snip>
    Certificate Trust Flags:
    SSL Flags:
    Valid CA
    Trusted CA
    Trusted Client CA
    Email Flags:
    Object Signing Flags:
    Edited by: smorris@ fixed format
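    Two of the threads above come down to reading a little DER: the WSM-00066 post is a lookup of a certificate by its Subject Key Identifier, and the DSEE post's home-made "CA" was rejected because its Basic Constraints extension says "Is not a CA". The Python below is an added example, not code from any of the posts, from Oracle, Sun or Mozilla NSS; it takes the extension value bytes that `X509Certificate.getExtensionValue("2.5.29.14")` or a DER dump hands back, strips the OCTET STRING prefix by actually reading the tag and length (including long-form lengths, which is why the prefix is not always two bytes), and decodes BasicConstraints the same way. All byte strings and the `server_alias` keystore entry are constructed sample data.

```python
# Added example: minimal DER reader for SubjectKeyIdentifier and BasicConstraints.
# Not taken from any post above; sample values below are constructed, not real.


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value element starting at buf[pos].

    Returns (tag, value, end): the tag byte, the content bytes, and the offset
    just past the element. Indefinite and non-minimal lengths are legal BER
    but not DER, so they are rejected rather than silently accepted.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: need at least a tag and a length byte")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:                                  # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n > 4:
            raise ValueError("length field too wide for this reader")
        if pos + n > len(buf):
            raise ValueError("truncated DER: length bytes missing")
        if buf[pos] == 0x00:
            raise ValueError("non-minimal length encoding is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal length encoding is not DER")
    if pos + length > len(buf):
        raise ValueError("truncated DER: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_error(buf):
    """Return None if buf is one well-formed DER element, else the error text."""
    try:
        read_tlv(buf)
        return None
    except ValueError as exc:
        return str(exc)


def _unwrap_extension(extension_value):
    """getExtensionValue() returns the extnValue OCTET STRING; its content is
    the DER encoding of the extension-specific type."""
    tag, inner, end = read_tlv(extension_value)
    if tag != 0x04 or end != len(extension_value):
        raise ValueError("extension value must be exactly one OCTET STRING")
    return inner


def subject_key_identifier(extension_value):
    """SubjectKeyIdentifier ::= KeyIdentifier (an OCTET STRING), so the raw
    identifier sits two OCTET STRING unwraps deep. Returns the raw bytes."""
    inner = _unwrap_extension(extension_value)
    tag, ski, end = read_tlv(inner)
    if tag != 0x04 or end != len(inner):
        raise ValueError("SubjectKeyIdentifier must be exactly one OCTET STRING")
    return ski


def basic_constraints(extension_value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                        pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    Returns (is_ca, path_len). Strict DER omits a FALSE cA entirely; an explicit
    0x00 is tolerated here because some encoders emit it anyway."""
    seq_der = _unwrap_extension(extension_value)
    tag, body, end = read_tlv(seq_der)
    if tag != 0x30 or end != len(seq_der):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN cA
        _, val, pos = read_tlv(body, pos)
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise ValueError("BOOLEAN must be one byte, 0x00 or 0xFF")
        is_ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:          # INTEGER pathLenConstraint
        _, val, pos = read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
    if pos != len(body):
        raise ValueError("unexpected trailing data in BasicConstraints")
    return is_ca, path_len


def find_by_ski(wanted_ski, keystore):
    """The lookup behind WSM-00066: keystore maps alias -> SKI extension value.
    Returns the alias whose raw identifier equals wanted_ski, or None."""
    for alias, ext in keystore.items():
        if subject_key_identifier(ext) == wanted_ski:
            return alias
    return None


# Constructed sample values (not from any real certificate).
SAMPLE_SKI = bytes(range(0x10, 0x24))                     # 20 bytes, SHA-1 sized
SAMPLE_SKI_EXT = b"\x04\x16" + b"\x04\x14" + SAMPLE_SKI    # OCTET STRING { OCTET STRING }
NOT_A_CA_EXT = b"\x04\x02\x30\x00"                         # empty SEQUENCE: cA defaults to FALSE
CA_EXT = b"\x04\x05\x30\x03\x01\x01\xff"                   # cA TRUE, no path length
CA_PATHLEN0_EXT = b"\x04\x08\x30\x06\x01\x01\xff\x02\x01\x00"  # cA TRUE, pathLen 0

if __name__ == "__main__":
    print("SKI:", subject_key_identifier(SAMPLE_SKI_EXT).hex())
    print("not-a-CA:", basic_constraints(NOT_A_CA_EXT))
    print("CA:", basic_constraints(CA_EXT), basic_constraints(CA_PATHLEN0_EXT))
    print("alias:", find_by_ski(SAMPLE_SKI, {"server_alias": SAMPLE_SKI_EXT}))
```

    The point of `read_tlv` over a fixed `outer[2:]` slice is the length byte: a 20-byte identifier does give a two-byte prefix, but any value of 128 bytes or more is encoded with a long-form length and the prefix grows, so a parser that assumes two bytes returns garbage on exactly the inputs it was never tested on. The Basic Constraints decoder makes the DSEE failure visible in code: an empty SEQUENCE is a perfectly valid extension that simply means "not a CA", which is what `certutil -V` reported.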
