Search Results

Search found 73 results on 3 pages for 'pfx'.

Page 1/3 | 1 2 3  | Next Page >

  • How to Convert a PFX Certificate into a JKS Certificate to configure it on WebLogic

    - by adejuanc
    To convert a pfx cert file to a jks file, please follow these instructions: 1. Set up the environment for the domain, by executing the setDomainEnv.sh script, typically located at $DOMAIN_HOME/bin. $ . ./setDomainEnv.sh 2. Use OpenSSL to check the pfx certificate's content. $ openssl pkcs12 -in <certificate.pfx> -out KEYSTORE.pem -nodesAt this point, a password for the pfx file will be requested. Expected output: $ openssl pkcs12 -in <certificate.pfx> -out KEYSTORE.pem -nodesEnter Import Password:MAC verified OK3. Open KEYSTORE.pem file, from step 2. This should look similar to this:You will find three certificates on it and the private key: Bag Attributes Microsoft Local Key set: <No Values> localKeyID: 01 00 00 00 friendlyName: le-36c42c6e-ec49-413c-891e-591f7e3dd306 Microsoft CSP Name: Microsoft RSA SChannel Cryptographic ProviderKey Attributes X509v3 Key Usage: 10-----BEGIN RSA PRIVATE KEY-----MIIEpQIBAAKCAQEAtPwoO3eOwSyOapzZgcDnQOH27cOaaejHtNh921Pd+U4N+dlm...EDITING...R5rsB00Yk1/2W9UqD9Nn7cDuMdilS8g9CUqnnSlDkSG0AX67auKUAcI=-----END RSA PRIVATE KEY-----Bag Attributes localKeyID: 01 00 00 00 friendlyName: *.something.comsubject=/serialNumber=sj6QjpTjKcpQGZ9QqWO-pFvsakS1t8MV/C=US/ST=Missouri/L=CHESTERFIELD/O=Oracle_Corp, Inc./OU=Oracle/CN=*.something.comissuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA-----BEGIN CERTIFICATE-----MIIErzCCA5egAwIBAgIDAIH6MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT...EDITING...wA5JxaU55teoWkuiAaYRQpuLepJfzw+qMk5i5FpMRbVMMfkcBusGtdW5OrAoYDL94rgR-----END CERTIFICATE-----Bag Attributes friendlyName: GeoTrust Global CAsubject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CAissuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA-----BEGIN CERTIFICATE-----MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT...EDITING...5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==-----END CERTIFICATE-----Bag Attributes: <Empty Attributes>subject=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CAissuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA-----BEGIN CERTIFICATE-----MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT...EDITING...TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ=-----END CERTIFICATE-----4. Identify and store contents from KEYSTORE.pem certificate, to proceed and create jks files:At this point, you will find three certificates on KEYSTORE.pem and the private key. 4.1 Private Key.To identify the private key, look for the following headings: -----BEGIN RSA PRIVATE KEY----------END RSA PRIVATE KEY-----Both above mentioned tags will be surrounded the private key. Go ahead and save the content of it into a file called: my_key_pk.pem. This has to include the headings. Expected file: -----BEGIN RSA PRIVATE KEY-----MIIEpQIBAAKCAQEAtPwoO3eOwSyOapzZgcDnQOH27cOaaejHtNh921Pd+U4N+dlm...EDIT...Y4ZrW12PRa9/EOBGTG5teKAEada/K4yKReTyQQAGq6j5RjErmuuKkKgPGMSCjvMSR5rsB00Yk1/2W9UqD9Nn7cDuMdilS8g9CUqnnSlDkSG0AX67auKUAcI=-----END RSA PRIVATE KEY-----4.2 Root Certificate.To identify the Root Certificate, look for the following headings: subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA Subject and issuer must be the same. Go ahead and save the content of it into a file called: my_key_root.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE, both included.4.3 Intermediate Certificate.To identify an Intermediate Certificate, look for the following heading: subject=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CAissuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA Subject and issuer are different only on the CN. Go ahead and save the content of it into a file called: my_key_intermediate.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE, both included. NOTE: This certificate is optional and there are some cases where it'll not be present. If this is the case, go ahead and skip this step. In any other case, this needs to be added to the identity keystore jks file. 4.4 Server Certificate. To identify a Server Certificate, look for the following heading: friendlyName: some.thing.comsubject=/serialNumber=sj6QjpTjKcpQGZ9QqWO-pFvsakS1t8MV/C=US/ST=Missouri/L=CHESTERFIELD/O=Oracle_Corp, Inc./OU=Oracle/CN=some.thing.com        A server certificate includes a heading called Friendly Name. Go ahead and save the content of it into a file called: my_key_crt.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE, both included.5. Create a Trust Keystore and import the Root certificate into it. $ keytool -import -trustcacerts -file my_key_root.pem -alias my_key_root -keystore my_key_trust.jks -storepass <store_pass> -keypass <key_pass>Expected Output: Certificate already exists in system-wide CA keystore under alias <geotrustglobalca> Do you still want to add it to your own keystore? [no]: yes Certificate was added to keystore6. Generate an Identity Keystore and import Server into it. $java utils.ImportPrivateKey -keystore my_key_identity.jks -storepass <store_pass> -storetype JKS -keypass <key_pass> -alias server_identity -certfile my_key_crt.pem -keyfile my_key_pk.pem -keyfilepass <pfx_password> With these instructions, two jks files will be produced: my_key_identity.jks my_key_trust.jks With both files, the next step is to configure Custom Identity and Custom Trust on WebLogic Server.

    Read the article

  • "An internal error occurred." when loading pfx file with X509Certificate2

    - by tmp3128
    I'm trying use self-signed certificate (c#): X509Certificate2 cert = new X509Certificate2(Server.MapPath("~/App_Data/myhost.pfx"), "pass"); on a shared web hosting server and I got an error: System.Security.Cryptography.CryptographicException: An internal error occurred. stack trace ends with System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +33 System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0 System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) +237 System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password) +131 On my dev machine it loads ok. The reason I load *.pfx not a *.cer file because I need a private key access (cer file loads Ok). I made pfx on my dev mochine like that: makecert -r -n "CN=myhost.com, [email protected]" -sky exchange -b 01/01/2009 -pe -sv myhost.pvk myhost.cer pvk2pfx -pvk myhost.pvk -spc myhost.cer -pfx myhost.pfx -po pass Please assist; PS: makecert is a v5.131.3790.0

    Read the article

  • HowTo import Certificate (pfx) with private key in WinXP

    - by Gunther
    Hello, I tried the whole day just to import a cetrificate in winXP, but I allways failed. I did following: Create the certificate with private key (no pasword): makecert -sr LocalMachine -ss My -pe -sky exchange -n "CN=TestCert" -a sha1 -sv TestCert.pvk TestCert.cer Then put certificate and private key together into pfx file: pvk2pfx.exe -pvk TestCert.pvk -spc TestCert.cer -pfx TestCert.pfx Import pfx file with commandline tool (German System): winhttpcertcfg.exe -i TestCert.pfx -a NT-AUTORITÄT\NETZWERKDIENST -c LOCAL_MACHINE\My Error: Unable to import contents of PFX file. Please make sure the filename and path, as well as the password, are correct. Hint: "NT-AUTORITÄT\NETZWERKDIENST" -- "NT-AUTHORITY\NETWORKSERVICE" Filename is ok, password was not set. Even if I set the password (e.g. "MyPassword") in Step 1 and type at the end of step 3: ... -p MyPassword I got the same error. Then I tried to import in the certificate console (mmc with certificate snap-in). There i got following error: "Der private Schlüssel, den Sie importieren, erfordert möglicherweise einen Dienstanbieter, der nicht installiert ist." -- "The imported private key may requires a service-supplier which is not installed". But the Microsoft Crypto-Service is up and running. What else can I do? On Windows Vista and Windows 7 I got this running without these problems. I need this Certificate to run a WCF Service. Thanks in advance for any hint. Regards, Gunther

    Read the article

  • convert .p7b key to a .pfx

    - by DrStalker
    I have an SSL certificate in .p7b format that I need to convert to .pfx. If I try this through the windows certificate managment the option to expert as a .pfx is disabled. Trying with openssl I have found the following two commands to do the conversion: openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer but I'm not sure what key to use for teh esecond command, or what certificate CACert.cer refers to. How can I convert this key to .pfx format?

    Read the article

  • Cannot import the following keyfile: blah.pfx. The keyfile may be password protected.

    - by JasonD
    We just upgraded our Visual Studio 2008 projects to VS2010. All of our assemblies were strong signed using a Verisign code signing certificate. Since the upgrade we continuously get the following error: Cannot import the following key file: companyname.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_3E185446540E7F7A This happens on some developer machines and not others. Some methods used to fix this that worked some of the time include: re-installing the key file from Windows Explorer (right click on the PFX file and click Install) installing VS2010 on a fresh machine for the first time prompts you for the password the first time you open the project, and then it works. On machines upgraded from VS2008, you don't get this option. I've tried using the SN.EXE utility to register the key with the Strong Name CSP as the error message suggests, but whenever I run the tool with any options using the version that came with VS2010, SN.EXE just lists its command line arguments instead of doing anything. This happens regardless of what arguments I supply. Does anyone know WHY this is happening, and have clear steps to fix it? I'm about to give up on Click Once installs and Microsoft Code Signing. Thanks for any help!

    Read the article

  • Copying (or recovering) a .PFX password to another machine?

    - by Adam Robinson
    First things first, I'm aware of all of the finger-wagging potential that this question provides. However, I'm attempting to help out a friend with a project so I haven't been part of the decision making process thus far. I'm attempting to set up a new development machine, but one of the projects is signed with a .PFX key that's password protected and the original developer does not remember the password. The current development machine can open and build the project just fine, so I'm wondering if there is any way either to copy or to recover the saved password that Visual Studio is using on the original box so that the file can be used on the new box. Signing with a new file is obviously an option, but one that we'd prefer to avoid. Does anyone know of a way either to recover or copy the credentials for this file to a new machine?

    Read the article

  • IIS 6 SSL Restore from PFX without Deleting Pending Request

    - by Sev
    I requested a new SSL certificate from a certificate authority, but until they process it my site is losing business. Before doing so, I had backed up the original certificate to a PFX file. Now when I try to restore the backup, it forces me to delete it, or process the request. Since the new one isn't ready yet, is there any way to restore the backup, without deleting the request? Or will it cause any issues if I delete the request to install the new one when it comes in? Server is IIS 6

    Read the article

  • How to read public key from PFX file in java

    - by articlestack
    I am able to read private key from PFX file but not public key. I am using following code to read public key. InputStream inStream = new FileInputStream(certFile); CertificateFactory cf = CertificateFactory.getInstance("X.509"); BufferedInputStream bis = new BufferedInputStream(inStream); // if (bis.available() > 0) { java.security.cert.Certificate cert = cf.generateCertificate(bis); System.out.println("This part is not getting printed in case of PFX file"); // } puk = (PublicKey) cert.getPublicKey(); This code is working properly when i read from .cer file. Please help

    Read the article

  • "Invalid provider type specified" when signing clickonce manifest in VS2008

    - by Mark
    I have a certificate issued by a CA on our intranet (it's a V3 sha1 pfx file). When I use this in the signing part of my clickonce (vsto addin) project, I get the error: C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v9.0\OfficeTools\Microsoft.VisualStudio.Tools.Office.Office2007.targets(250,9): error MSB3482: An error occurred while signing: Invalid provider type specified. Does anyone know what's going on here? Thanks!

    Read the article

  • Multithreading or task parallel library

    - by Bruce Adams
    I have an application which performs 30 independent tasks simultaneously using multithreading, each task retrieves data over http, performs a calculation and returns a result to the ui thread. Can I use tpl to perform the same tasks? Does tpl create 30 new threads and spread them over all the available cores, or does it just split the tasks over the available cores and use one thread per core? Will there be a performance boost using tpl over multithreading in this case?

    Read the article

  • Unit testing with Mocks when SUT is leveraging Task Parallel Libaray

    - by StevenH
    I am trying to unit test / verify that a method is being called on a dependency, by the system under test. The depenedency is IFoo. The dependent class is IBar. IBar is implemented as Bar. Bar will call Start() on IFoo in a new (System.Threading.Tasks.)Task, when Start() is called on Bar instance. Unit Test (Moq): [Test] public void StartBar_ShouldCallStartOnAllFoo_WhenFoosExist() { //ARRANGE //Create a foo, and setup expectation var mockFoo0 = new Mock<IFoo>(); mockFoo0.Setup(foo => foo.Start()); var mockFoo1 = new Mock<IFoo>(); mockFoo1.Setup(foo => foo.Start()); //Add mockobjects to a collection var foos = new List<IFoo> { mockFoo0.Object, mockFoo1.Object }; IBar sutBar = new Bar(foos); //ACT sutBar.Start(); //Should call mockFoo.Start() //ASSERT mockFoo0.VerifyAll(); mockFoo1.VerifyAll(); } Implementation of IBar as Bar: class Bar : IBar { private IEnumerable<IFoo> Foos { get; set; } public Bar(IEnumerable<IFoo> foos) { Foos = foos; } public void Start() { foreach(var foo in Foos) { Task.Factory.StartNew( () => { foo.Start(); }); } } } I appears that the issue is obviously due to the fact that the call to "foo.Start()" is taking place on another thread (/task), and the mock (Moq framework) can't detect it. But I could be wrong. Thanks

    Read the article

  • While using ConcurrentQueue, trying to dequeue while looping through in parallel

    - by James Black
    I am using the parallel data structures in my .NET 4 application and I have a ConcurrentQueue that gets added to while I am processing through it. I want to do something like: personqueue.AsParallel().WithDegreeOfParallelism(20).ForAll(i => ... ); as I make database calls to save the data, so I am limiting the number of concurrent threads. But, I expect that the ForAll isn't going to dequeue, and I am concerned about just doing ForAll(i => { personqueue.personqueue.TryDequeue(...); ... }); as there is no guarantee that I am popping off the correct one. So, how can I iterate through the collection and dequeue, in a parallel fashion. Or, would it be better to use PLINQ to do this processing, in parallel?

    Read the article

  • How do I export a PFX Code Signing Key to SPC and PVK under Windows 7?

    - by Greg Finzer
    I have a code signing key in PFX format that I need to export into SPC and PVK files. I tried to install the OpenSSL from Shining light but the install fails under Windows 7. http://www.shininglightpro.com/products/Win32OpenSSL.html Here are the instructions I am using from Comodo as a basis: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089 Anyone know of an alternate way to do this?

    Read the article

  • Creating Wildcard Certificates with makecert.exe

    - by Shawn Cicoria
    Be nice to be able to make wildcard certificates for use in development with makecert – turns out, it’s real easy.  Just ensure that your CN=  is the wildcard string to use. The following sequence generates a CA cert, then the public/private key pair for a wildcard certificate REM make the CA makecert -pe -n "CN=*.contosotest.com" -a sha1 -len 2048 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv wildcard.pvk wildcard.cer pvk2pfx -pvk wildcard.pvk -spc wildcard.cer -pfx wildcard.pfx REM now make the server wildcard cert makecert -pe -n "CN=*.contosotest.com" -a sha1 -len 2048 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv wildcard.pvk wildcard.cer pvk2pfx -pvk wildcard.pvk -spc wildcard.cer -pfx wildcard.pfx

    Read the article

  • Deploying an SSL Application to Windows Azure &ndash; The Dark Secret

    - by ToStringTheory
    When working on an application that had been in production for some time, but was about to have a shopping cart added to it, the necessity for SSL certificates came up.  When ordering the certificates through the vendor, the certificate signing request (CSR) was generated through the providers (http://register.com) web interface, and within a day, we had our certificate. At first, I thought that the certification process would be the hard part…  Little did I know that my fun was just beginning… The Problem I’ll be honest, I had never really secured a site before with SSL.  This was a learning experience for me in the first place, but little did I know that I would be learning more than the simple procedure.  I understood a bit about SSL already, the mechanisms in how it works – the secure handshake, CA’s, chains, etc…  What I didn’t realize was the importance of the CSR in the whole process.  Apparently, when the CSR is created, a public key is created at the same time, as well as a private key that is stored locally on the PC that generated the request.  When the certificate comes back and you import it back into IIS (assuming you used IIS to generate the CSR), all of the information is combined together and the SSL certificate is added into your store. Since at the time the certificate had been ordered for our site, the selection to use the online interface to generate the CSR was chosen, the certificate came back to us in 5 separate files: A root certificate – (*.crt file) An intermediate certifcate – (*.crt file) Another intermediate certificate – (*.crt file) The SSL certificate for our site – (*.crt file) The private key for our certificate – (*.key file) Well, in case you don’t know much about Windows Azure and SSL certificates, the first thing you should learn is that certificates can only be uploaded to Azure if they are in a PFX package – securable by a password.  Also, in the case of our SSL certificate, you need to include the Private Key with the file.  As you can see, we didn’t have a PFX file to upload. If you don’t get the simple PFX from your hosting provider, but rather the multiple files, you will soon find out that the process has turned from something that should be simple – to one that borders on a circle of hell… Probably between the fifth and seventh somewhere… The Solution The solution is to take the files that make up the certificates chain and key, and combine them into a file that can be imported into your local computers store, as well as uploaded to Windows Azure.  I can not take the credit for this information, as I simply researched a while before finding out how to do this. Download the OpenSSL for Windows toolkit (Win32 OpenSSL v1.0.1c) Install the OpenSSL for Windows toolkit Download and move all of your certificate files to an easily accessible location (you'll be pointing to them in the command prompt, so I put them in a subdirectory of the OpenSSL installation) Open a command prompt Navigate to the folder where you installed OpenSSL Run the following command: openssl pkcs12 -export –out {outcert.pfx} –inkey {keyfile.key}      –in {sslcert.crt} –certfile {ca1.crt} –certfile (ca2.crt) From this command, you will get a file, outcert.pfx, with the sum total of your ssl certificate (sslcert.crt), private key {keyfile.key}, and as many CA/chain files as you need {ca1.crt, ca2.crt}. Taking this file, you can then import it into your own IIS in one operation, instead of importing each certificate individually.  You can also upload the PFX to Azure, and once you add the SSL certificate links to the cloud project in Visual Studio, your good to go! Conclusion When I first looked around for a solution to this problem, there were not many places online that had the information that I was looking for.  While what I ended up having to do may seem obvious, it isn’t for everyone, and I hope that this can at least help one developer out there solve the problem without hours of work!

    Read the article

  • X509Certificate.Export Method

    - by klerik123456
    I try export cert .pfx : string certPath = "D:\\cert.pfx"; cert = new X509Certificate2(certPath, "pass"); byte[] certData = cert.Export(X509ContentType.Pfx,"pass"); /// **error in this line** X509Certificate newCert = new X509Certificate(certData,"pass"); But it finish with this error : Key not valid for use in specified state. Can somebody help me ?? Any solution as export certificate from store ??

    Read the article

  • RemoteApp shows no certificate available but RD Session host finds it fine

    - by Scott Chamberlain
    I am trying to set up remote app for a internal domain. I have a Root CA that is trusted my all of the end computers, that cert has signed a wildcard cert I am trying to use for the server. I added the pfx of the wildcard cert to the local machine personal store. From there I can use it fine for signing the RD Session Host session. However when I try to set up the signature for Remote App the certificate does not show up. What do I need to do to get my certificate to be available for for use? UPDATE: The Certificate was generated through the following commands: makecert -pe -n "CN=*.vw.local" -a sha1 -sky signature -ic VetWebCA.cer -iv VetWebCA.pvk -sv VetWebComputerWildcard.pvk VetWebComputerWildcard.cer pvk2pfx -pvk VetWebComputerWildcard.pvk -spc VetWebComputerWildcard.cer -pfx VetWebComputerWildcard.pfx The resultant pfx was added to the machine local store via mmc. Oddly, going in to Powershell if I add the -CodeSigningCert flag to find the wildcard certificate it is excluded from the serch results for Get-Childitem in my Cert:\Local Machine\My path, but if I don't include it it is there.

    Read the article

  • "SignTool error: Access is denied" in TFS 2010 build process

    - by user351352
    I'm getting "SignTool Error: Access is Denied" when I attempt to sign a file. When I use an administrator cmd, all works fine. However, this process is going to be used in a TFS 2010 build process and using the InvokeProcess task with signtool gives the same access denied message as a non-administrator command prompt. More info: On a Win2008 R2 enterprise machine. User is machine admin and on the domain. The TFS Build service is also set to run as this user. Using a self signed certificate created using these instructions: How do I create a self-signed certificate for code signing on Windows? After following these instructions I have the following files: MyCA.cer MyCA.pvk MySPC.cer MySPC.pvk MySPC.pfx MyCA is in my Trusted Root Certification Authorities I imported MySPC.pfx into personal certificates, following the advice here: SignTool error: Access is denied To do the signing I'm using the thumbprint of the MySPC.pfx that was imported into the Personal section so my signtool command looks like: sign /sha1 1e9d7b5ad98552d9c58944e3f3903e6b929f4819 /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName" Once again this works in Admin mode. This also works when running cmd as administrator: sign /f "C:\Code Signing Non-Release\MySPC.pfx" /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName" New to code signing in general, so any help is welcome.

    Read the article

  • How to generate a client certificate using a third party CA-NOT Self Signed CA

    - by Bryan
    I am trying to trying to export a client certificate for use with a web browser. The goal is to restrict access using the <Location directive to the admin area. I have seen numerous tutorials on using self signed CAs. How would you do this using a third party? 1) Do I need to include the CA in the client pfx if it is a trusted root CA? I have seen both examples. Without CA: openssl pkcs12 -export -inkey KEYFILENAME -in CERTFILEFILENAME -out XXX.pfx With CA: openssl pkcs12 -export -in my.crt- inkey my.key -certfile my.bundle -out my.pfx 2) Do I need to still include SSLCACertificateFile for trusted CA in the httpd.conf setup? SSLVerifyClient none SSLCACertificateFile conf/ssl.crt/ca.crt <Location /secure/area> SSLVerifyClient require SSLVerifyDepth 1 </Location> http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8

    Read the article

  • Security issues in accepting passwords vs auto generating the password

    - by Vivekanand Poojari
    Hi, I am developing a console application. This application generates a self signed certificate and installs it in the current machine's certificate store. The steps invlolved are :- Generate a certificate Create a pfx file Install the pfx file For these steps i would need a password for protecting the private key and the pfx file. However these passwords are used only during the execution of the exe. Should I auto generate a password using some random number generation algorithm or accept the password as input from the user? What are the security issues involved in both the scenarios ? Thanks Vivekanand

    Read the article

  • Unable to find valid certification path to requested target while CAS authentication

    - by Dmitriy Sukharev
    I'm trying to configure CAS authentication. It requires both CAS and client application to use HTTPS protocol. Unfortunately we should use self-signed certificate (with CN that doesn't have anything in common with our server). Also the server is behind firewall and we have only two ports (ssh and https) visible. As far as there're several application that should be visible externally, we use Apache for ajp reverse proxying requests to these applications. Secure connections are managed by Apache, and all Tomcat are not configured to work with SSL. But I obtained exception while authentication, therefore desided to set keystore in CATALINA_OPTS: export CATALINA_OPTS="-Djavax.net.ssl.keyStore=/path/to/tomcat/ssl/cert.pfx -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyAlias=alias -Djavax.net.debug=ssl" cert.pfx was obtained from certificate and key that are used by Apache HTTP Server: $ openssl pkcs12 -export -out /path/to/tomcat/ssl/cert.pfx -inkey /path/to/apache2/ssl/server-key.pem -in /path/to/apache2/ssl/server-cert.pem When I try to authenticate a user I obtain the following exception: Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) ~[na:1.6.0_32] at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) ~[na:1.6.0_32] at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318) ~[na:1.6.0_32] Meanwhile I can see in catalina.out that Tomcat see certificate in cert.pfx and it's the same as the one that is used while authentication: 09:11:38.886 [http-bio-8080-exec-2] DEBUG o.j.c.c.v.Cas20ProxyTicketValidator - Constructing validation url: https://external-ip/cas/proxyValidate?pgtUrl=https%3A%2F%2Fexternal-ip%2Fclient%2Fj_spring_cas_security_proxyreceptor&ticket=ST-17-PN26WtdsZqNmpUBS59RC-cas&service=https%3A%2F%2Fexternal-ip%2Fclient%2Fj_spring_cas_security_check 09:11:38.886 [http-bio-8080-exec-2] DEBUG o.j.c.c.v.Cas20ProxyTicketValidator - Retrieving response from server. keyStore is : /path/to/tomcat/ssl/cert.pfx keyStore type is : PKCS12 keyStore provider is : init keystore init keymanager of type SunX509 *** found key for : 1 chain [0] = [ [ Version: V1 Subject: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 13??a lot of digits here??19 public exponent: ????7 Validity: [From: Tue Apr 24 16:32:18 CEST 2012, To: Wed Apr 24 16:32:18 CEST 2013] Issuer: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country SerialNumber: [ d??????? ????????] ] Algorithm: [SHA1withRSA] Signature: 0000: 65 Signature is here 0070: 96 . ] *** trustStore is: /jdk-home-folder/jre/lib/security/cacerts Here is a lot of trusted CAs. Here is nothing related to our certicate or our (not trusted) CA. ... 09:11:39.731 [http-bio-8080-exec-4] DEBUG o.j.c.c.v.Cas20ProxyTicketValidator - Retrieving response from server. Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1347433643 bytes = { 63, 239, 180, 32, 103, 140, 83, 7, 109, 149, 177, 80, 223, 79, 243, 244, 60, 191, 124, 139, 108, 5, 122, 238, 146, 1, 54, 218 } Session ID: {} Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } *** http-bio-8080-exec-4, WRITE: TLSv1 Handshake, length = 75 http-bio-8080-exec-4, WRITE: SSLv2 client hello message, length = 101 http-bio-8080-exec-4, READ: TLSv1 Handshake, length = 81 *** ServerHello, TLSv1 RandomCookie: GMT: 1347433643 bytes = { 145, 237, 232, 63, 240, 104, 234, 201, 148, 235, 12, 222, 60, 75, 174, 0, 103, 38, 196, 181, 27, 226, 243, 61, 34, 7, 107, 72 } Session ID: {79, 202, 117, 79, 130, 216, 168, 38, 68, 29, 182, 82, 16, 25, 251, 66, 93, 108, 49, 133, 92, 108, 198, 23, 120, 120, 135, 151, 15, 13, 199, 87} Cipher Suite: SSL_RSA_WITH_RC4_128_SHA Compression Method: 0 Extension renegotiation_info, renegotiated_connection: <empty> *** %% Created: [Session-2, SSL_RSA_WITH_RC4_128_SHA] ** SSL_RSA_WITH_RC4_128_SHA http-bio-8080-exec-4, READ: TLSv1 Handshake, length = 609 *** Certificate chain chain [0] = [ [ Version: V1 Subject: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 13??a lot of digits here??19 public exponent: ????7 Validity: [From: Tue Apr 24 16:32:18 CEST 2012, To: Wed Apr 24 16:32:18 CEST 2013] Issuer: CN=wrong.domain.name, O=Our organization, L=Location, ST=State, C=Country SerialNumber: [ d??????? ????????] ] Algorithm: [SHA1withRSA] Signature: 0000: 65 Signature is here 0070: 96 . ] *** http-bio-8080-exec-4, SEND TLSv1 ALERT: fatal, description = certificate_unknown http-bio-8080-exec-4, WRITE: TLSv1 Alert, length = 2 http-bio-8080-exec-4, called closeSocket() http-bio-8080-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target I tried to convert our pem certificate to der format and imported it to trustedKeyStore (cacerts) (without private key), but it didn't change anything. But I'm not confident that I did it rigth. Also I must inform you that I don't know passphrase for our servier-key.pem file, and probably it differs from password for keystore created by me. OS: CentOS 6.2 Architecture: x64 Tomcat version: 7 Apache HTTP Server version: 2.4 Is there any way to make Tomcat accepts our certificate?

    Read the article

  • How to load another's service certificate to my WebLogic truststore?

    - by Murugan
    An online service provided me with their certificate (a pfx file) along with its password. I am looking to load that into my WebLogic 8.1 truststore in Unix. There is a truststore currently that exists in my WebLogic. I am new to this so I was wondering what was the process to add that other party's certificate to my existing WebLogic keystore. Do I need to convert the pfx file into a different for Unix?

    Read the article

  • X509Certificate.CreateFromCertFile - the specified network password is not correct

    - by pcampbell
    I have a .NET application that I want to use as a client to call an SSL SOAP web service. I have been supplied with a valid client certificate called foo.pfx. There is a password on the certificate itself. I've located the certificate at the following location: C:\certs\foo.pfx To call the web service, I need to attach the client certificate. Here's the code: public X509Certificate GetCertificateFromDisk(){ try{ string certPath = ConfigurationManager.AppSettings["MyCertPath"].ToString(); //this evaluates to "c:\\certs\\foo.pfx". So far so good. X509Certificate myCert = X509Certificate.CreateFromCertFile(certPath); // exception is raised here! "The specified network password is not correct" return cert; } catch (Exception ex){ throw; } } It sounds like the exception is around the .NET application trying to read the disk. The method CreateFromCertFile is a static method that should create a new instance of X509Certificate. The method isn't overridden, and has only one argument: the path. When I inspect the Exception, I find this: _COMPlusExceptionCode = -532459699 Source=mscorlib Question: does anyone know what the cause of the exception "The specified network password is not correct" ?

    Read the article

  • Strong Naming an assembly using command line compile

    - by David
    I am trying to use NAnt in order to compile and sign an assembly using the vbc compiler. I have a project set up and am able to successfully sign the assembly compiling with VS2010. When I try to sign it using the command line I get this error: vbc : error BC30140: Error creating assembly manifest: Error signing assembly -- The parameter is incorrect. I even created a trivially simple app (just an assemblyinfo.vb file) that will not compile and sign using vbc.exe What am I doing wrong? here is my assemblyinfo.vb: Option Strict Off Option Explicit On Imports System Imports System.Reflection <Assembly: AssemblyVersionAttribute("2010.05.18.0918"), _ Assembly: AssemblyCopyrightAttribute("Copyright © Patient First 2007"), _ Assembly: AssemblyCompanyAttribute("Patient First, Inc."), _ Assembly: AssemblyProductAttribute("Patient First Framework"), _ Assembly: AssemblyDelaySign(false), _ Assembly: AssemblyKeyFile("test.pfx"), _ Assembly: AssemblyTitleAttribute("PatientFirst.Framework")> test.pfx is located in the same folder as assemblyinfo.vb Here is how I am trying to compile it: vbc /target:library /verbose assemblyinfo.vb I also tried using vbc /target:library /verbose assemblyinfo.vb /keyfile:test.pfx and tried using /keyfile parameter without the AssemblyDelaySign and AssemblyKeyFile attributes If I remove the AssemblyDelaySign and AssemblyKeyFile attributes and leave off the /keyfile command line parameter it compiles fine. What is the correct way to do this with vbc? --EDIT: I have found that MSBuild also does not like having the AssemblyKeyFile attribute as I have defined it in the AssemblyInfo.vb, it gives the same failure message. So the only way I can currently get this to build correctly is to set properties on the project to tell it which key file to use and to sign the assembly.

    Read the article

1 2 3  | Next Page >