X.509 certificate signed by RSA-PSS

I am writing a parser for X.509 certificates.
Could someone be so kind as to send me an X.509 certificate signed by this scheme? It could be a self-signed certificate.
I need it for testing.
Thanks a lot,
majorsoul

I think if you select the security profile in the channel then you can sign and verify the certificate in the receiver agreement. That is only for security parameters. If you only configure certificate authentication, you will not see anything in the receiver agreement.
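An added example (editor's code, not from this thread) that produces the kind of test input the question asks for and shows what a parser has to pull out of it: it builds a self-signed certificate signed with RSASSA-PSS using only the Go standard library, then decodes the signatureAlgorithm field by hand and applies the structural checks a parser should make before trusting the PSS parameters. Assumed: Go 1.13 or later; the function names and the CommonName are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs a parser must recognise (RFC 4055 / RFC 8017).
var (
	oidRSASSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} // id-RSASSA-PSS
	oidMGF1      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}  // id-mgf1
	oidSHA256    = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
)

// Outer Certificate (RFC 5280 4.1); tbsCertificate is kept as raw DER.
type certificate struct {
	TBSCertificate     asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// Leading TBSCertificate fields; encoding/asn1 tolerates undeclared trailing ones.
type tbsHead struct {
	Version      int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber *big.Int
	Signature    pkix.AlgorithmIdentifier
}

// RSASSA-PSS-params (RFC 4055 3.1): the ASN.1 defaults are SHA-1 and a 20-byte salt, so a SHA-256 signer encodes every field.
type pssParams struct {
	Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
	MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
	SaltLength   int                      `asn1:"explicit,tag:2"`
	TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
}

// makePSSSelfSigned builds a constructed test fixture: a self-signed CA certificate signed with RSASSA-PSS / SHA-256.
func makePSSSelfSigned() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "pss-parser-test"}, // made-up name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		SignatureAlgorithm:    x509.SHA256WithRSAPSS, // what the fixture exercises
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// inspectPSS decodes signatureAlgorithm by hand, as a home-grown parser must, and returns the PSS hash OID and salt length once the structural checks pass.
func inspectPSS(der []byte) (asn1.ObjectIdentifier, int, error) {
	var c certificate
	if rest, err := asn1.Unmarshal(der, &c); err != nil || len(rest) != 0 {
		return nil, 0, fmt.Errorf("malformed Certificate: %v (%d trailing bytes)", err, len(rest))
	}
	outer := c.SignatureAlgorithm
	if !outer.Algorithm.Equal(oidRSASSAPSS) {
		return nil, 0, fmt.Errorf("%v is not id-RSASSA-PSS", outer.Algorithm)
	}
	// RFC 5280 4.1.1.2: tbsCertificate.signature must equal the outer identifier, parameters included.
	var tbs tbsHead
	if _, err := asn1.Unmarshal(c.TBSCertificate.FullBytes, &tbs); err != nil {
		return nil, 0, fmt.Errorf("tbsCertificate: %w", err)
	}
	if !tbs.Signature.Algorithm.Equal(outer.Algorithm) ||
		!bytes.Equal(tbs.Signature.Parameters.FullBytes, outer.Parameters.FullBytes) {
		return nil, 0, fmt.Errorf("tbsCertificate.signature differs from signatureAlgorithm")
	}
	// Unlike sha256WithRSAEncryption (NULL parameters), PSS carries a SEQUENCE selecting hash, MGF and salt.
	var p pssParams
	if _, err := asn1.Unmarshal(outer.Parameters.FullBytes, &p); err != nil {
		return nil, 0, fmt.Errorf("RSASSA-PSS-params: %w", err)
	}
	if !p.MGF.Algorithm.Equal(oidMGF1) {
		return nil, 0, fmt.Errorf("unsupported mask generation function %v", p.MGF.Algorithm)
	}
	var mgfHash pkix.AlgorithmIdentifier
	if _, err := asn1.Unmarshal(p.MGF.Parameters.FullBytes, &mgfHash); err != nil {
		return nil, 0, fmt.Errorf("MGF1 parameters: %w", err)
	}
	// RFC 8017 8.1 recommends one hash for PSS and MGF1; RFC 4055 fixes trailerField at 1.
	if !mgfHash.Algorithm.Equal(p.Hash.Algorithm) || p.TrailerField != 1 {
		return nil, 0, fmt.Errorf("MGF1 hash %v / trailerField %d not acceptable", mgfHash.Algorithm, p.TrailerField)
	}
	return p.Hash.Algorithm, p.SaltLength, nil
}
```

Feeding the DER from makePSSSelfSigned into x509.ParseCertificate and cert.CheckSignatureFrom(cert) cross-checks the hand parser against the standard library's verifier.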

Similar Messages

  • How to sign a certificate signing request

    Hi all,
    In the PKI process, a client generates a PKCS#10 [certificate signing request|http://en.wikipedia.org/wiki/Certificate_signing_request] (CSR, see [sun.security.pkcs.PKCS10|http://www.docjar.com/docs/api/sun/security/pkcs/PKCS10.html]), sends it to the certification authority (CA), and once the identity has been checked by the CA, the client retrieves his X.509 certificate (signed by the CA), sometimes along with the CA's X.509 self-signed certificate.
    I am acting as a CA, and the only way I currently know to transform a CSR into an X.509 certificate is by using OpenSSL:
    openssl ca -config X509CA/openssl.cnf -days 365 -in CertName_csr.pem -out CertName.pem (see here).
    Is there any keytool way, or even better any sun.security.* way, to do that operation programmatically using Java code?
    Thanks for your feedback.
    Edited by: Le_Sage on 19 Apr. 2010 12:12

    That's right, found the doc here : [keytool -gencert|http://download.java.net/jdk7/docs/technotes/tools/windows/keytool.html#gencertCmd] .
    I guess the underlying code must be found under sun.security.* or com.sun.* code. I'll try to have a look.
    Thanks for your feedback.

  • How to sign a X.509 Certificate

    Hi there!
    Does anyone know how to sign an X.509 certificate? I have to do this in my application (keytool etc. is not possible).
    I searched for hours but couldn't find any working code-samples.
    Thanks

    1) Generate a CSR (Certificate Signing Request) using 'keytool'.
    2) Go to the site of one of the major CA (Certification authorities) such as Verisign.
    3) Apply for a signed certificate and post the CSR, your details and some money when requested.
    4) Wait for the certificate.

  • Failed Calling A X.509 Certificate Secured Web Service From OSB

    Hi,
    I have a WSDL resource, business service and proxy service set up in OSB 11.1.1.6 on Linux. The business service will consume an X.509 certificate secured web service running on a remote server.
    Below is my approach:
    The consumer of the proxy service of OSB signs its SOAP request header.
    My OSB proxy service authenticates the signature and forwards the request to the business service.
    The business service signs the outbound SOAP request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied a Web Service Policy of Service Client type to the business service.)
    This is not working yet. Not sure if my approach is correct or not?
    Thank you,
    Eric

    I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. It still failed for OSB to invoke the remote secured web service, but it worked if I only used soapUI to invoke the same remote secured web service directly.
    The error message is:
    General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
    In the SOAP request / response message shown in the OSB Test Console, there seem to be two signature sections in the header and an encryption section, although I tried not to encrypt the SOAP request. I am using the Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is that my policy neither signs nor encrypts the entire body.
    In the "Message Signing Setting" section, I unchecked "Include Entire Body" and left the three default namespaces under the Header Elements.
    In the "Message Encrypt Setting" section, I unchecked "Include Entire Body" and also left the one default namespace under the Header Elements.
    I don't know how to attach a document here, so I add the long SOAP message here.
         Business Service Testing - BookSec_Biz_Svc_52
         Request Document
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    </soap:Header>
    <soapenv:Body>
    <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
    <book:bookId>10</book:bookId>
    <book:bookTitle>eric</book:bookTitle>
    <book:bookAuthor>Z</book:bookAuthor>
    </book:BookRequest>
    </soapenv:Body>
    </soapenv:Envelope>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
    <wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <!-- base64-encoded X.509 token omitted -->
    </wsse:BinarySecurityToken>
    <dsig:Signature Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
    <dsig:KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    </dsig:Signature>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </wsse:TransformationParameters>
    </dsig:Transform>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>
    MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
    </dsig:SignatureValue>
    <dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    </dsig:Signature>
    <xenc:EncryptedKey Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
    </xenc:EncryptionMethod>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
    Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
    0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
    8JUiohXhiHErTDn6fFQ=
    </xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedKey>
    </wsse:Security>
    </soap:Header>
    <soapenv:Body>
    <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
    <book:bookId>10</book:bookId>
    <book:bookTitle>eric</book:bookTitle>
    <book:bookAuthor>Z</book:bookAuthor>
    </book:BookRequest>
    </soapenv:Body>
    </soapenv:Envelope>
         Response Document
    The invocation resulted in an error: Internal Server Error.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
    <soapenv:Fault>
    <faultcode>soapenv:Client</faultcode>
    <faultstring xmlns:lang="en">
    General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>
         Response Metadata
    <con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
    <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <tran:user-header name="Accept" value="text/xml"/>
    <tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
    <tran:user-header name="SOAPAction" value="&quot;&quot;"/>
    <http:Cache-Control>max-age=0</http:Cache-Control>
    <http:Connection>close</http:Connection>
    <http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
    <http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
    <http:Server>Apache</http:Server>
    <http:Transfer-Encoding>chunked</http:Transfer-Encoding>
    </tran:headers>
    <tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
    <tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
    <tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
    <http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
    </con:metadata>

  • Web service Security using X.509 certificate

    Hi All,
    I have a web service deployed on the SAP Web AS J2EE.
    I want to include Authentication option in my web service
    I have configured the settings for using X.509 certificate(HTTPS) in my
    web service configuration and similarly I've configured my client proxy
    for the same.
    My question is..... from where do I get the X.509 certificate?
    actually I have the .crt and .der files, which I created from
    the visual administrator.
    And also do I need to install anything on my SAP server
    in order to use the authentication service? (Any prerequisite)
    Thanks,
    Talimeren

    Hi Talimeren,
    when you want to use certificates you have to set up SSL, which you've started already. You have to get and import a server certificate which authenticates the server while the client creates an SSL connection. The cert has to be assigned to the SSL port. For NW04 you can find the guide here http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
    If you want client authentication by certificates as well, you have to import at least one root certificate from a certificate authority (CA) which you trust and by which all user certificates are signed.
    SAP delivers the IAIK library for WebAS security, but this depends on your WebAS version and installation. I suggest you setup SSL and try to make a connection. If the connection can be made, the security library should be there.
    HTH
    Daniel
    Message was edited by: Correct Link
            Daniel Sass

  • RSA PSS Signature scheme

    Hi,
    I am working on RSA digital signatures. I have two issues/doubts :-D
    1) In Java 1.5, the crypto specification talks about API support for RSA PKCS using PKCS #1 v2.1 through the PSS padding scheme for signatures - java.security.spec.PSSParameterSpec. So, how I understood it was, after I create a signature object for RSA I have to use setParameter to set this PSSParameterSpec on my signature object. But when I run my code, I get the UnsupportedOperationException. Please help me in this regard.
    The exception message is
    java.lang.UnsupportedOperationException
    at java.security.SignatureSpi.engineSetParameter(SignatureSpi.java:306)
    at java.security.Signature$Delegate.engineSetParameter(Signature.java:1161)
    at java.security.Signature.setParameter(Signature.java:794)
    at rsapsSigning.main(rsapsSigning.java:22)
    My source code for the same is:
    import java.io.FileInputStream;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.spec.AlgorithmParameterSpec;
    import java.security.spec.PSSParameterSpec;

    public class rsapsSigning {
        public static void main(String a[]) {
            try {
                String datafile = "C:\\old.txt";
                PSSParameterSpec pss = PSSParameterSpec.DEFAULT;
                Signature s = Signature.getInstance("SHA1withRSA");
                /* initialise signature object with PSS parameter for RSA */
                s.setParameter((AlgorithmParameterSpec) pss); // exception gets thrown at this point
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
                kpg.initialize(2048); // key size in bits; 128 is below the minimum RSA size the provider accepts
                KeyPair kp = kpg.generateKeyPair();
                PublicKey pubk = kp.getPublic();
                PrivateKey prvk = kp.getPrivate();
                s.initSign(prvk);
                FileInputStream fis = new FileInputStream(datafile);
                byte[] dataBytes = new byte[1024];
                int nread = fis.read(dataBytes);
                while (nread > 0) { // feed the whole file to the signature object
                    s.update(dataBytes, 0, nread);
                    nread = fis.read(dataBytes);
                }
                fis.close();
                byte[] sig = s.sign();
                for (int i = 0; i < sig.length; i++)
                    System.out.printf("%02x", sig[i]); // print each signature byte, not the array reference
                System.out.println();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    2) One other method that I tried was, instead of using the PSSParameterSpec class while creating the Signature object, the approach the crypto spec of 1.5 describes: the usage of "<digest>with<encryptionalgo>and<mgf>" in the getInstance() of the Signature class. So going on these lines, I can as well give "SHA1withRSAandMGF1", which is precisely what has been described as the default value for RSA PSS. But when I give so directly, I get "NoSuchAlgorithmException". In fact, on a trial basis when I tried "MD5withSHA1andMGF1" (the example given in the crypto spec of 1.5) too, I get the same exception :-( :-(
    java.security.NoSuchAlgorithmException: SHA1withRSAandMGF1 Signature not available
    at java.security.Signature.getInstance(Signature.java:208)
    at pp.main(pp.java:18)
    My code for this is:
    import java.security.Signature;

    public class pp {
        public static void main(String a[]) {
            try {
                String datafile = "C:\\new.txt";
                Signature s = Signature.getInstance("SHA1withRSAandMGF1"); // exception gets thrown here
                System.out.println("SHA1withRSAandMGF1");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    I am sorry that my query seems so long. But i was just trying to tell all the cases that I have tried.
    I would be grateful to any suggestions.
    Best Rgds

    Hi Stark,
    Exactly.... Even my list of signatures does not return anything with PSS. As you said, maybe there is no engine support. But is there any workaround for this??? How can I use PSS with RSA in Java 1.5??? Any idea??
    And also in the JCE Crypto Spec, it is given that "For the new signature schemes defined in PKCS #1 v 2.0, for which the <digest>with<encryption> form is insufficient, <digest>with<encryption>and<mgf> can be used to form a name. Here, <mgf> should be replaced by a mask generation function such as MGF1. Example: MD5withRSAandMGF1." But this also is not displayed in the list of signatures. Am I wrong in my understanding or overlooking something, or is it that Java 5 has not yet started supporting signature algorithms given in this format? Any idea here too??

  • Import X.509 certificate via LDAP

    Hello,
    I have an iPad running iOS 5 and I'd like to know if it's possible to import people's X.509 certificates via LDAP. I have my corporate LDAP set up in Settings>Mail, Contacts  and I can search for people fine. The LDAP also has X.509 certificates that I'd like to use for encryption when sending emails from the iPad.
    regards,
    Tex

  • Certificate Signing Request CSR

    Hi All,
    Does anyone know how to generate a Certificate Signing Request (CSR) from the Oracle OC4J Application Server?
    I'm using this command
    "keytool -genkey -keyalg RSA -keystore.jks -storepass 123456"
    Then I just complete the details before got this error
    "keytool error: java.lang.IllegalStateException: masked envelope"
    Am I doing the correct things or not?
    TQ For your help.

    Sorry, it's my fault actually, because I ran it in the wrong directory. I ran it in the ORACLE_HOME directory; it should be in the ORACLE_HOME/j2ee directory...
    But if you use Oracle Wallet Manager, it's easier...

  • How to pass x.509 certificate in my request...

    Hi all,
    Can any one of you tell me how to create an X.509 certificate?? And how to pass it in my request???
    Thanks in advance
    Manoj Nair....

    Thanks a lot abhishek, but I couldn't make out anything.
    What I have seen in one of the PPTs is that no coding is required for sending the certificate in the request.
    Can you help me with how I would go about the above??
    The thing is, I have created a Java keystore and it fetched me a self-signed certificate.
    The thing is, how would I send this certificate in my request... and you know that there is a policy step like "verify certificate" where it asks for the keystore.
    I have given my keystore location.
    When I tried to test the page, it showed an error like "verification of certificate failed".
    When I saw my gateway logs, it spoke something like;
    'certificate is not presented in the request'
    'no matching certificate is found in the keystore'
    'verification of certificate failed'
    It is evident from the first two statements of the gateway log that there is no certificate coming in the request. Had there been certificate, it would have tried to match the certificate with the certificate that is in the keystore and would have verified it. But here it is not the case... I am not able to send in the certificate in my request...
    Can you tell me out how to go about this...
    one more question.......
    is the self-signed certificate that is created by the keytool utility written in x.509 certificate standard or not?

  • HTTPS SSL Certificate Signed using Weak Hashing Algorithm

    I am supporting one client who falls under mandatory security scans for a new implementation of an ASA 5520 device. The client uses Nessus Scan and the test results are attached.
    The Nessus scanner hit on 1 Medium vulnerability. Could you please review the statement and provide a workaround for the same.
    Nessus Scanner reports
    Medium Severity Vulnerability
    Port : https (443/tcp)
    Issue:
    SSL Certificate Signed using Weak Hashing  Algorithm
    Synopsis :
    The SSL certificate has been signed using  a weak hash algorithm.
    Description :
    The remote service uses an  SSL certificate that has been signed using
    a cryptographically weak hashing  algorithm - MD2, MD4, or MD5. These
    signature algorithms are known to be  vulnerable to collision attacks.
    In theory, a determined attacker may be  able to leverage this weakness
    to generate another certificate with the same  digital signature, which
    could allow him to masquerade as the affected  service.
    See also :
    http://tools.ietf.org/html/rfc3279
    http://www.phreedom.org/research/rogue-ca/
    http://www.microsoft.com/technet/security/advisory/961509.mspx
    http://www.kb.cert.org/vuls/id/836068
    Solution :
    Contact the Certificate Authority to have the certificate  reissued.
    Plugin Output :
    Here is the service's SSL certificate  :
    Subject Name:
    Common Name: xxxxxxxxxx
    Issuer Name:
    Common Name: xxxxxxxxxx
    Serial Number: D8 2E 56 4E
    Version: 3
    Signature Algorithm: MD5 With RSA  Encryption
    Not Valid Before: Aug 25 11:15:36 2011 GMT
    Not Valid After:  Aug 22 11:15:36 2021 GMT
    Public Key Info:
    Algorithm: RSA  Encryption
    Public Key: (hex dump omitted)
    Exponent: 01 00 01
    Signature: (hex dump omitted)
    CVE :
    CVE-2004-2761
    BID :
    BID 11849
    BID  33065
    Other References :
    OSVDB:45106
    OSVDB:45108
    OSVDB:45127
    CWE:310
    Nessus Plugin ID  :
    35291
    VulnDB ID:
    69469
    I also tried configuring the SSL encryption method with "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5", but it throws the same issue.
    Here is ASA log
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
    6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
    6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
    6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
    H

    Hi Ramkumar,
    The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
    If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
    If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
    The links you posted have more information on this as well. Hope that helps.
    -Mike

  • Java Card & X 509 certificates

    Hi,
    I have a question about using Java Card with X.509 Certificates (including Attribute Certificates, RFC 3281).
    I already have some experience with JC 2.1.1. I have implemented applets for storing files and retrieving them (deployed on card using the GemXplore Developer Kit)
    and then managed the communication with the off-card application using OCF 1.2.
    But that was back in 2004. From what I see now, OCF has been abandoned.
    What I want to implement now is to load Certificates on Java Card (and store files as well).
    I read that in order to manage Certificates, I have to use a PKCS 11 API (like Bouncy Castle or IAIK). Does this substitute OCF? I remember OCF was complementary to PKCS 11.
    And if it does, can I use such an API to read and write other files apart from Certificates? Finally, does it treat Attribute Certificates (AC) the same as PKI Certs?
    In case you need clarifications, I'll be happy to provide them. Thank you in advance
    John

    I think you can store keys and data to sign in the same applet. Data is just data, it won't interfere by itself.
    About Java Card 3, I think this is a very polemic subject. To feed the troll, I'll say that I'm working in a smart card company that has made cards for many years, since the beginning, I can say. All my colleagues and I think that Java Card 3 is evil. APDUs ARE card-ish and a good thing for such small CPUs. Java Card 3 has been made by Sun under pressure from telcos that don't want complicated things, and are big specification fans that never wrote a line of code. Java Card 3 will put a big overhead on card response time: as of now, there are many abstraction levels to cross to execute bytecode, and servlets (and whatever will replace APDUs) will increase transaction times.
    Cards are cards, not web servers. For us public transportation sector guys, Java Card 3 is a Frankenstein. We want speed and low-level access. We don't care about J2EE.
    Just don't tell me about the increased memory and power of new cards. How much will they cost? A Java Card is already expensive; they will not get cheaper, and this will not help spread Java Cards.
    People working in the J2EE world will code for Java Card 3 like they do for mainframes. They will require more powerful cards just because they're too lazy to write correct embedded software. Can you imagine that? Maybe Java Card 4 will require a heatsink on cards.
    This is a very personal opinion of course ;)

  • Java Applet Certificate Signing Window comes up BLANK!

    Hi everyone, I have a problem where the
    Java Applet Certificate Signing Window comes up BLANK!
    It comes up as a blank gray panel with the Java logo on the upper left.
    The title bar says "Java Plugin Security Warning".
    And I can't figure out what to do to make it come up properly. I tried double-clicking it and dragging it around to make it repaint itself; nothing happens.
    I have tried clearing temp files, deleting files from IE, deleting cookies, clearing the history.
    Now I'm going to restart the computer and see if it works.
    It is supposed to give me buttons:
    1. Accept for this session
    2. Grant
    3. Deny
    4. View Certificate
    But does anyone have any idea how to address this issue?
    Stephen

    You might try setting the trace level to 5 in the plugin's Java console and looking at what it spits out while the applet is launching. I remember seeing loads of information in there, including stuff relating to certificate validation. It might be helpful.
    The trick to getting this info during start up:
    1) get the plugin to load by directing your browser to page with a known applet. Write your own little stub applet and load it or go to http://java.sun.com/. There's an applet on that page.
    2) bring up the plugin's console if it's not already and then go to a blank page.
    3) set the trace level to 5 in the console. (just press the 5 key).
    4) go to the page that launches your applet. You'll have tons of information pour out in your console.
    Happy hunting.

  • More than one X.509 certificate was found with the specified parameters

    Greetings All,
    We are getting an error in our application event logs every minute or so, and it seems to be causing search queries to fail. The same error is appearing in the ULS logs.
    Provider Name: System.ServiceModel 4.0.0.0
    EventID: 3 (Qualifiers: 49154)
    Level: 2
    Task: 5
    Keywords: 0x80000000000000
    TimeCreated SystemTime: 2014-06-25T02:30:12.000000000Z
    EventRecordID: 92894
    Channel: Application
    Computer:
    Security UserID:
    EventData:
    System.ServiceModel.ServiceHostingEnvironment+HostingManager/63835064
    System.ServiceModel.ServiceActivationException: The service '/0c98374520dc4b748d92a1e51b365dce/SearchService.svc' cannot be activated due to an exception during compilation. The exception message is: More than one X.509 certificate was found with the specified parameters.. ---> System.ArgumentException: More than one X.509 certificate was found with the specified parameters.
       at Microsoft.SharePoint.Utilities.CertificateManager.GetCertificate(String storeName, StoreLocation storeLocation, X509FindType findType, Object findValue)
       at Microsoft.SharePoint.Administration.SPIisWebServiceSettings.get_LocalSslCertificate()
       at Microsoft.SharePoint.SPServiceHostOperations.Configure(ServiceHostBase serviceHost, SPServiceAuthenticationMode authenticationMode)
       at Microsoft.Office.Server.Search.Administration.SearchServiceHostFactory.CreateServiceHost(String constructorString, Uri[] baseAddresses)
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity)
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
       --- End of inner exception stack trace ---
       at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
       at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)
    w3wp
    6328
    Doesn't appear to affect the component health status or the crawling process, only the return of search results.
    Sorry, something went wrong.
    Search has encountered a problem that prevents results from being returned. If the issue persists, please contact your administrator.
    I checked the certificates snapin, didn't see anything out of the ordinary but I have a feeling it goes deeper than that.
    Where can I remove this duplicate certificate? Thanks!

    Open IIS and check the server certificates.
    Check if there is any certificate applied to the Security Token Service.
    Did you use any certificate for a web application in the site?
    Check the bindings of all web applications in IIS.
    Try to browse
    servername/0c98374520dc4b748d92a1e51b365dce/SearchService.svc from all servers and check the certificate details.
    If this helped you resolve your issue, please mark it Answered.
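    The stack trace shows CertificateManager.GetCertificate doing an X509FindType lookup, and that lookup throws as soon as two certificates in the store match the same find value. The following added example (not code from the thread or from SharePoint) finds such duplicates on a server and marks which of them is actually bound in IIS; it assumes an elevated session and, as an assumption, that the LocalMachine stores worth checking are "My" and SharePoint's own "SharePoint" store.

```powershell
# Added example: report certificates that share a Subject inside one LocalMachine
# store, which is exactly the condition behind "More than one X.509 certificate
# was found with the specified parameters". Run on every server in the farm.
$stores = @('My', 'SharePoint')   # assumption: 'SharePoint' store exists only on SharePoint servers

# Collect thumbprints currently bound to IIS SSL endpoints so each duplicate can be
# labelled as in-use or stale. WebAdministration may be absent on some servers.
$boundThumbprints = @()
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $boundThumbprints = Get-ChildItem IIS:\SslBindings |
        ForEach-Object { $_.Thumbprint } | Where-Object { $_ }
}

foreach ($store in $stores) {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path $path)) { continue }

    Get-ChildItem $path |
        Group-Object -Property Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            Write-Output "[$store] $($_.Count) certificates share subject: $($_.Name)"
            $_.Group |
                Sort-Object NotAfter -Descending |
                Select-Object Thumbprint, NotBefore, NotAfter, HasPrivateKey, Issuer,
                    @{ Name = 'BoundInIIS'; Expression = { $boundThumbprints -contains $_.Thumbprint } } |
                Format-Table -AutoSize | Out-String | Write-Output
        }
}
```

    The newest certificate with a private key that is also bound in IIS is normally the one to keep; the report only identifies the candidates, it removes nothing.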

  • How to create a certificate signing request that works with Microsoft CA

    Hi, I have created a certificate signing request file with keytool. When I try to create a certificate from it with CertReq (I use a Microsoft CA) I get the following error message:
    Certificate not issued (Denied) Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute. (The request contains no certificate template information. 0x80094801 (-2146875391)) Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module The request does not contain a certificate template extension or the CertificateTemplate request attribute.
    How do I create a certificate signing request file so that a Microsoft CA will accept it and create a certificate from it? Thanks, Linh.

    I'm writing an application about X.509 to deal with certificates and certificate requests.
    I found that DER format certificate requests created by Sun's software have no extensions.
    I think this causes your error. Maybe the MS CA can't identify such a request! So it's difficult to solve this problem unless MS or Sun change their code.
    JStranger
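    The error text quoted above names two acceptable ways to identify the template: an extension inside the CSR, or a CertificateTemplate request attribute supplied at submission time. The second needs no change to the keytool-generated request, and the following added example (not code from the thread) submits it that way; the CA config string, template name, keystore and alias are placeholders for the reader's own values.

```powershell
# Added example: submit a keytool CSR to a Microsoft CA, passing the template as a
# request attribute so the policy module no longer rejects the request with 0x80094801.
param(
    [string]$Csr      = '.\request.csr',          # produced earlier by: keytool -certreq ...
    [string]$Cer      = '.\request.cer',
    [string]$CaConfig = 'CAHOST\Issuing-CA',      # placeholder; "certutil -dump" lists the real config string
    [string]$Template = 'WebServer',              # placeholder; use the template's name, not its display name
    [string]$Keystore = '.\keystore.jks',         # placeholder; the keystore that holds the CSR's key pair
    [string]$Alias    = 'mykey'                   # placeholder; must be the alias the CSR was generated for
)

if (-not (Test-Path $Csr)) { throw "CSR not found: $Csr" }

# -attrib attaches name:value request attributes; CertificateTemplate is the one the
# CA's policy module looks for when the CSR itself carries no template extension.
& certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $Csr $Cer
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Show what was issued (subject, issuer, validity, extensions) before trusting it.
& certutil.exe -dump $Cer

# Import the issued certificate onto the existing key pair in the Java keystore.
& keytool -importcert -keystore $Keystore -alias $Alias -file $Cer
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
```

    If the CA is configured for pending approval, certreq reports the request ID instead of writing the .cer, and the issued certificate is retrieved later with certreq -retrieve.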

  • Certificate signing operation was not successful - Exit code: 127

    We are using SCOM 2012 SP1 CU2 to deploy the agent to a Red Hat Linux machine.
    In the process, we are able to successfully discover the target machine, but when we click on "Manage" we get the error message below. Why should there be an scxadmin file or directory already present? Isn't the installer supposed to
    create this file? We have successfully deployed the agent to another client machine with the exact same OS. So, what might be happening here? Any insight is appreciated.
    Failed to sign kit. Exit code: 127
    Standard Output:
    Standard Error: bash: /opt/microsoft/scx/bin/tools/scxadmin: No such file or directory
    Exception Message:

    This is the version we use: scx-1.4.1-278.x86_64. I assume it got there by me pushing the agent.
    rpm -e scx returned...
    /opt/microsoft/scx/bin/scxcimserver not installed
    rm: cannot remove `/opt/microsoft/scx/lib': No such file or directory
    rm: cannot remove `/opt/microsoft/scx/bin': No such file or directory
    When I check /var/opt and /etc/opt, the microsoft directories were there and I was able to remove them successfully. When I push the agent again after removing everything, I get the error message below.
    Task invocation failed with error code -2130771918. Error message was: Certificate signing module called with an empty certificate. Check that the certificate on the remote host is valid, and that the remote host can be accessed over SSH.
    Management group: mymanagementgroup
    Workflow name: Microsoft.Unix.Agent.GetCert.Task
    Object name: MY - UNIX Resource Pool
    Object ID: {9810A404-BA8B-E34C-45E7-25FFCCF3C40E}
