How to export certificate from DataPower appliance? - certificate

While exporting the multi-protocol gateway from DataPower, the certificates aren't getting exported. Is there a way by which the certificates from the DataPower appliance can be extracted?

I've always thought it was rather stupid of DataPower to not distinguish between public keys (certificates) and private keys. There is really no good security reason to disallow exporting public certs.
There is a workaround. It's rather cumbersome, but it comes in handy. Let's say you have a public cert called cert:///my-public.cer and you need to export it.
Create a DataPower Crypto Cert object that points to it, called CC-my-public.
Go to Administration/Miscellaneous/Crypto Tools and select the tab Export Crypto Object.
Select Certificate in Object Type (it's the only allowed selection), and type in CC-my-public in the Object Name and my-public-export.xml in the Output File name.
Click Export Crypto Object button, and then Confirm.
There will now be a file in the temporary filesystem called temporary:///my-public-export.xml and it will contain a Base64-encoded copy of the certificate.

Yes, to do this you have to go to Administration > Miscellaneous > Crypto Tools, then navigate to the Export Crypto Object tab.
In the Object Name property, just provide the name of the Crypto Certificate Object that is referring to the certificate in the cert: directory you want to export.
In the Output File Name property, specify any name followed by .xml (hold that thought, we are still in the middle of the process).
After clicking on Export Crypto Object, a new file with the specified file name will be placed under the temporary: directory.
Now it is time for the trick…
Open a text editor of your preference (XMLSpy, Notepad++, Notepad, Text Edit, etc)
Feed the first line of a new text file with the following content:
-----BEGIN CERTIFICATE-----
Open the .xml file that was created during the Export Crypto Object process
Copy the content that is under the element /crypto-export/certificate into your new text file in your local editor (see below):
<?xml version="1.0" encoding="utf-8"?>
<crypto-export version="1">
<certificate version="1">MIIEYjCCA0qgAwIBAg[...]IQOHO9nj6QowsSATEWDs==</certificate>
</crypto-export>
Finish the work in your new text file with the content:
-----END CERTIFICATE-----
The final file should look similar to this:
-----BEGIN CERTIFICATE-----
MIIEYEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0
jCCA0qgAwIBAgIISQOHO9nj6QowDQYJKoZIhvcNAQEFBQAwejE [...]
aW4xEjAQBgNVBBAgIISQOHO9nj6QowDQYJKoZIhvcNAQEFBQAw
ejELMAkGA1UW50ZWdyYXRpb24gVGVjaG5vbG9naWVzMRYwFAYD
VQQDEw1zZ2EuYXZuZXWEWw==
-----END CERTIFICATE-----
Save the file using the extension .cer, .pem, etc.
Done! You have exported a certificate from DataPower under the cert: directory.
Before you ask, yes, DataPower is still safe and private keys cannot be exported following this method.
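The two answers above do the wrapping step by hand. The script below is an added example (not from the original answers or from IBM) that automates it: it reads a DataPower crypto-export XML file, pulls the Base64 text out of /crypto-export/certificate, validates it, and writes a PEM CERTIFICATE block with 64-character lines. The embedded XML and its payload are constructed for the demo and are not a real certificate.

```python
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

# Constructed stand-in for the DER bytes of a certificate. A real export
# carries the DER-encoded X.509 certificate here; this is not one.
SAMPLE_DER = b"constructed-not-a-real-certificate" * 4

# Constructed copy of the temporary:///my-public-export.xml layout shown in the answer.
SAMPLE_EXPORT_XML = """<?xml version="1.0" encoding="utf-8"?>
<crypto-export version="1">
<certificate version="1">{}</certificate>
</crypto-export>""".format(base64.b64encode(SAMPLE_DER).decode("ascii"))


def extract_certificate_b64(xml_text: str) -> str:
    """Return the Base64 text under /crypto-export/certificate with whitespace removed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "crypto-export":
        raise ValueError("not a crypto-export document: root element is <%s>" % root.tag)
    cert_el = root.find("certificate")
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("no <certificate> element with content found")
    # Only the certificate (public half) is present in this file; DataPower does
    # not write private key material here, so nothing sensitive leaves the box.
    return "".join(cert_el.text.split())


def b64_to_pem(b64_text: str) -> str:
    """Wrap Base64 DER into a PEM CERTIFICATE block, 64 columns per line (RFC 7468)."""
    try:
        der = base64.b64decode(b64_text, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate content is not valid Base64: %s" % exc)
    # Re-encode so the body is canonical even if the export had odd line breaks.
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def crypto_export_to_pem(xml_text: str) -> str:
    return b64_to_pem(extract_certificate_b64(xml_text))


def pem_to_der(pem_text: str) -> bytes:
    """Inverse of b64_to_pem: drop the armour lines and decode the body."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


if __name__ == "__main__":
    print(crypto_export_to_pem(SAMPLE_EXPORT_XML), end="")
```

Point the script at the real temporary:///my-public-export.xml after downloading it and the output can be saved as .cer or .pem directly.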

No, only through a Secure Backup (which is encrypted so you can't read it anyway).

You can't export files other than local.
If you need something dummy, you can always create your own by typing "Crypto Tools" in search. The only mandatory field is "Common Name (CN)"; I think you know the rest. It will create a file in cert: with the extension -privkey.pem.
Thanks.

Related

Multiple Certification Authority certificates (?)

I have created a Kubernetes cluster on AWS using kops.
Unless I am wrong, the ca.crt and ca.key files are in the following locations as indicated by this very helpful answer:
- s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key
- s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt
However, I couldn't help noticing that in my ~/.kube/config file (which was created automatically by kops), I have an entry named:
certificate-authority-data
whose contents are different than both of the above files.
What is in any case the CA key/crt pairs we should use when issuing client certificates?
Why are there (seemingly) more than one CA?
Ok this is weird ... (perhaps only for someone inexperienced in such issues, like me ...)
When I perform:
echo -n <contents_of_the_certificate-authority-data_entry_of_my_kubeconfig_file> | base64 --decode
...I get my ca.crt file ...
Isn't the ca.crt already base64 encoded?
The certificate-authority-data present in your Kubernetes config file is nothing else than your certificate encoded in base64 (it's a lot more practical to have a continuous text string for a configuration file than without the base64 encoding).
Your .crt file is encoded in RSA, not base64. RSA is a secure cryptosystem based on public and private keys (your .crt and .key respectively). Base64 is, at best, useful for formatting or transmitting already encrypted data.
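Added example (not part of the question or the answer above) showing the two encoding layers the question stumbles over: certificate-authority-data is Base64 of the whole ca.crt file, and the ca.crt file is itself a PEM block whose body is Base64 of the DER certificate. The kubeconfig fragment, bucket-free ca.crt and the "DER" bytes are all constructed for the demo; the cluster name and server URL are placeholders.

```python
import base64
import textwrap

# Constructed stand-in for the DER bytes of a CA certificate (not a real one).
FAKE_CA_DER = b"constructed-fake-ca-der-bytes-for-demo-only" * 3


def der_to_pem(der: bytes) -> str:
    """Layer 1: a PEM file is Base64 of DER, wrapped at 64 columns between armour lines."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


# Constructed ca.crt as kops would store it under pki/issued/ca/.
CA_CRT_TEXT = der_to_pem(FAKE_CA_DER)

# Constructed kubeconfig fragment. Layer 2: the whole PEM file, Base64-encoded
# once more so it fits on one line of YAML.
KUBECONFIG_TEXT = """apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {}
    server: https://api.example.invalid
  name: demo-cluster
""".format(base64.b64encode(CA_CRT_TEXT.encode("ascii")).decode("ascii"))


def read_ca_data(kubeconfig_text: str) -> str:
    """Pull the first certificate-authority-data value out of a kubeconfig (no YAML lib needed)."""
    for line in kubeconfig_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "certificate-authority-data":
            return value.strip()
    raise ValueError("no certificate-authority-data entry found")


def unwrap_layers(ca_data_b64: str):
    """Return (pem_text, der_bytes): what `base64 --decode` prints, and what that PEM wraps."""
    pem_text = base64.b64decode(ca_data_b64, validate=True).decode("ascii")
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        raise ValueError("decoded value is not a PEM certificate")
    return pem_text, pem_to_der(pem_text)


def same_ca(kubeconfig_text: str, ca_crt_text: str) -> bool:
    """Compare on DER bytes so line wrapping or a trailing newline cannot cause a false mismatch."""
    _, der = unwrap_layers(read_ca_data(kubeconfig_text))
    return der == pem_to_der(ca_crt_text)


if __name__ == "__main__":
    pem, der = unwrap_layers(read_ca_data(KUBECONFIG_TEXT))
    print(pem, end="")
    print("kubeconfig CA matches ca.crt:", same_ca(KUBECONFIG_TEXT, CA_CRT_TEXT))
```

Running same_ca against a real kubeconfig and the ca.crt from the S3 bucket is the quick way to confirm that both point at the same CA, which is what the `base64 --decode` experiment in the question observed.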

How to get an X509 certificate's full cert chain programmatically?

Imagine I have a p12 container of a private key and public certificate. When I export the p12 public cert to a separate .cer file with Java keytool I may click on the .cer file and see the full cert chain. How may I get that full path programmatically?
I made a little investigation. I used keytool's print cert -v command and saw the property AuthorityInfoAccess with subproperty
accessMethod: caIssuers
accessLocation: URIName: http://.../some.crt
I downloaded that some.crt (it was PEM cert), and again used print cert -v and again saw
accessLocation: URIName: http://.../some2.crt and repeated downloading .crt files and getting the parent until reaching the root .crt which hasn't such a property.
I think that I should programmatically download the chain as I described above and provide it to CertPathValidator as shown here.
If I really need to get the chain as I described above, are there any libraries already doing this? Is there any way to do it with the std lib? I didn't find bouncycastle examples, and Java's standard library code like
java.security.cert.Certificate[] cchain = keystore.getCertificateChain(alias);
returns one entry for certificate actually having 2 "parents".
Nitpick: you surely mean keytool -printcert (with hyphen, without space, -v not needed here).
A privatekey entry created by Java in JKS or PKCS12 usually contains the full chain, but keytool -exportcert extracts only the leaf cert.
A PKCS12 created by something else may contain the full chain or not, possibly depending on what you clicked when creating it.
If the chain is there, KeyStore.getCertificateChain returns it, and keytool -list -v (here -v matters) shows it.
If a certificate was imported, or reimported, as a trustedcert entry -- usually in JKS, PKCS12 isn't designed for lone certs -- that never contains the chain, so getCertificateChain on that entry won't work, but IIRC CertPathBuilder can build a chain combining multiple trustedcert entries in one store.
If you do need a parent (chain) cert you don't already have, and the child specifies AIA.caIssuers, then yes using that to fetch is sensible.
I'm pretty sure there is nothing in standard Java (JRE) library that does this for you, at least so far; I don't know about BouncyCastle or anybody else.

ClickOnce VSTO solution signed with mage.exe - certificate not trusted error

I'm trying to deploy a VSTO solution, which is 2 add-ins, for Word and for Outlook, using ClickOnce. Due to our deployment infrastructure/practices, I cannot publish it using Visual Studio; it is instead built on a build server and deployed via a deployment server.
For local development, a self-signed certificate is used. The deployment worked with this self-signed certificate (if the self-signed certificate was installed on the machine), but now I want to add a real company certificate so that the application can be deployed to the users.
During deployment, after the configuration files are poked, they are updated and re-signed with the real certificate. However, this produces the following error during installation:
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for <app name> or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.ProcessSHA1Manifest(ActivationContext context, DeploymentSignatureInformation signatureInformation, PermissionSet permissionsRequested, Uri manifest, ManifestSignatureInformationCollection signatures, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was:
MyComputer
The only lead I have is that, after re-signing, the values in publisherIdentity element are not changed (both .vsto and .manifest), only the Signature element has values corresponding to the new certificate.
The following commands are used to sign the .vsto and .manifest files (as far as I can see from the deployment scripts):
mage.exe -Update "[path to .vsto/.manifest]"
mage.exe -Sign "[path to .vsto/.manifest]" -CertHash [certificateHash]
where [certificateHash] is the thumbprint of the real certificate and is used to look up the certificate in the certificate stores. I'm told this is a security measure so that the certificate file doesn't have to be distributed along with the deployment package.
After signing, the files have their Signature values changed, but the publisherIdentity still has the name and issuerKeyHash of the self-signed certificate.
I tried poking these two values prior to re-signing, but I don't know how to calculate the issuerKeyHash.
Any advice on how to proceed would be much appreciated!
Edit:
I was trying out other mage.exe parameters, like '-TrustLevel FullTrust' (which didn't have any effect) or '-UseManifestForTrust True' along with Name and Publisher parameters, which yielded this error message (which is different than the one mentioned above).
************** Exception Text **************
System.InvalidOperationException: You cannot specify a <useManifestForTrust> element for a ClickOnce application that specifies a custom host.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The certificate that the app is signed with isn't trusted by Windows. As a workaround,
Right-click on setup.exe,
Select Properties, then the Digital Signatures tab.
Select Vellaichamy/user, then click Details.
Click View Certificate and click Install Certificate.
Do not let it automatically choose where to store the cert; install the certificate in the Trusted Root Certification Authorities store. Once the cert is installed the app should install...
Take a look at the Granting Trust to Office Solutions article which states the following:
If you sign the solution with a known and trusted certificate, the solution will automatically be installed without prompting the end user to make a trust decision. After a certificate is obtained, the certificate must be explicitly trusted by adding it to the Trusted Publishers list.
For more information, see How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications.
Also you may find the Deploying an Office Solution by Using ClickOnce article helpful.
We have found what the problem was. We used a version of mage.exe tool from Windows SDK from a folder named 7A (I don't remember the full paths, sorry). A colleague then found another folder with versions 7A, 8 and 8A. Once we took the .exe from 8A folder, the installation works as expected.
Try copying all the necessary files to the client computer then install. If you can avoid installing from the network drive you might be able to avoid this exception.

Keystore was tampered with, or password was incorrect

I am not able to Sign in to the application as it is throwing the following exception:
com.ibm.wsspi.channel.framework.exception.ChannelException: java.io.IOException: Keystore was tampered with, or password was incorrect
at com.ibm.ws.webservices.engine.xmlsoap.builders.WebServicesFaultProcessor.createFault(WebServicesFaultProcessor.java:415)
at com.ibm.ws.webservices.engine.xmlsoap.SOAPFault.getFault(SOAPFault.java:486)
at com.ibm.ws.webservices.engine.SOAPPart.getFault(SOAPPart.java:1090)
at com.ibm.ws.webservices.engine.SOAPPart.getFault(SOAPPart.java:747)
at com.ibm.ws.webservices.engine.Message.getFault(Message.java:883)
at com.ibm.ws.webservices.engine.Message.ifFaultThrowSelf(Message.java:863)
at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:279)
......
How to solve this issue?
Copy the newly added Cert data to a file and save it as “rsa.cert” or get the cert and name it as "rsa.cert"
Then open “ikeman.bat”
Open the Key file (jks format) and then look for the certificate which you want to update (it may be expired, near its expiry date, or a changed cert). Save the name of the cert which you want to change (for example these are the names of the certificates). Then click on that Cert and press the Delete button. Then click on the Add button and open the "rsa.cert" file which you saved previously. Then give it the same name as the cert which you deleted.
Repeat the same process for the Trust File(jks format)
Restart the app server and run the application

Object contains only the public half of a key pair

Upon installation of a client side certificate, I am getting the exception "Object contains only the public half of a key pair. A private key must also be provided". My application is a VC#.NET application running over an ASP.NET platform. The application also uses WSE 2.0 to import certificates into making SOAP requests.
Upon research, I've found that this exception is of type System.Security.Cryptography.CryptographicException.
I am pretty positive all my WSE settings are configured correctly, since I was able to find a similar certificate by subject-distinguished-name. Any ideas will be greatly appreciated.
I was recently having the same problem. I found one explanation here that worked for me. Specifically, the permissions for the private key. The full info is copied below.
There are a couple things that I would look at first:
Do you have a private key for this certificate?
Have you given permission for your application to access the private key?
You can establish whether you have a private key by viewing the certificate through the Windows Certificate Store. To get to this, follow these steps:
From the Windows Start menu, select Run.
Type mmc in the Open: field. Click OK.
Select "Add/Remove Snap-in" from the File menu.
Click the Add button.
Select "Certificates" from the list of Available Standalone Snap-ins.
Click the Add button.
Select "Computer account." Click Next.
Select "Local Computer". Click Finish.
Click Close.
Click OK.
Expand the Certificates node under the Console Root and open the Personal store.
Double-click the Certificate you're using. If you have a private key, the dialog will display a message at the bottom that says "You have a private key that corresponds to this certificate".
If you have a private key, then ensure that your application has permission to access the key:
Open Windows Explorer.
Navigate to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
Select the files containing the keys that the WSE will need to retrieve.
From the File menu, select Properties.
On the Security tab, add the ASPNET account and select the Full Control option.
Notes:
1. Determining which key file in the MachineKeys folder is associated with a certificate can be difficult. One easy method is to note the creation date and time when creating a new certificate. When you view the files in the MachineKeys directory, check the Date Modified field for the corresponding date and time.
2. If you have configured your system to run under a different account than ASPNET, use that account when granting permissions to access the certificate.
As per my experience it could be failing for two reasons.
Check if your cert has a private key available.
If it is a .NET application, then check the permissions on the cert to make sure your application has permission to access it. In my case adding "iis_iusrs" and giving it read permission worked for me.
Thanks.
After encountering the same exception: System.Security.Cryptography.CryptographicException, Object contains only the public half of a key pair, I proofed an alternative, but less optimal solution.
Situation: Certificate / key look up worked great inside of Visual Studio IIS Express, but while the Web Application was running under the proper IIS service, I always received the 'Contains only public half of key pair' exception.
I used the WSE3 CertificateTool to locate the private key section on the filesystem and attempted at length to adjust the user permission settings to give the ASP user permissions as per the above answer.
My eventual fix, which was not pretty, was to create a new IIS Application Pool specific to my Web service code and set the user Identity the pool runs as to the local machine owner of the certificate + private key.
The final location I installed the certificate in was "Local Computer / Trusted People".
Using WSE3 CustomPolicyAssertion, C# .NET:
clientToken = X509TokenProvider.CreateToken(StoreLocation.LocalMachine,
StoreName.TrustedPeople, "soap.partnersite.com", X509FindType.FindBySubjectName);
After updating the App Pool Identity, no private key file overrides were necessary when changing the application pool owner.