I have been working on this task to sign a CSR (generated by third party) to be signed by a root CA, which is stored in a token. Sounds like a straightforward job, except that there is a requirement to add a set of extensions as well as subject alternative name to the certificate based on the specification. Since there is no way to alter the CSR to include these information, I assume this should be done during the signing process. However, I have spent lots of time reading the documentations of certutil and certreq to no avail. There seems to be no way to add information for an existing CSR.
Additional information: This has to be done using Microsoft CA due to the limitation of the security token, so OpenSSL is out of question.
I hope someone can help me in this tricky task.
Yes it is possible, check out he below link it is a good starting point
http://blogs.msdn.com/b/alejacma/archive/2011/11/07/how-to-add-subject-alternative-name-to-your-certificate-requests-c.aspx
Related
I have a PKCS#11 library that contacts with the vendor's smart card. The low level details are not provided and I'm not interested in them either.
BTW the smart card has no internal certificate associated with it, its just a dumb smart card with a private key store.
So my question is:
What kind of code should I write to obtain a certificate from the PKCS#11 library, or do I need to write such code? does PKCS#11 supports exporting certificates?(I heard openssl supports using 3rd party PKCS#11 libraries. Can I use that to export a certificate from a smart card?)
If the answer to previous question is yes, in what kind of format is the certificate created? What kind of conversions should I to do in order to convert the raw created certificate into office supported format certificate?
and the last question is how to apply that certificate into microsoft office(2013) in order to digitally sign documents? It looks like that office itself doesn't like internal certificates and it keeps requesting us to get one from verisign (?) what's wrong here and how can I force office to use my own created certificate using the aforementioned method?
PKCS#11 interface lets you read ("export") the certificate from the hardware. However you need not just a certificate, but also a private key. Most hardware devices won't let you export a private key. PKCS#11 has a set of functions which let you perform cryptographic operations using private keys stored in the hardware, but not to export those keys.
The certificate is usually exported in native DER format, which can later be put to the PFX file. However without a private key it doesn't make sense.
Unfortunately I don't know what MS Office expects. I assume that Office in your case accepts only certificates which can be validated up to the trusted root certificate.
I am new to certificates. I am learning about certificates using Google. I have an overview about certificates. Now I've started going through SCEP.
Before starting it I am trying to get to know how SCEP is used in real world. In Google I couldn't find the exact use cases for it.
Can anyone help me on this?
You can check the following links..
For full information on SCEP
Visit https://datatracker.ietf.org/doc/html/draft-nourse-scep-18#page-5
Highlevel information on SCEP
visit http://www.slideshare.net/iveslaaf/3-scep
Does anyone know how to issue additional claims from StarterSTS by Dominic (Codeplex). I currently am getting only Login Time Instance and the Authentication Type which is password. Is there some config file i can edit or Code i need to insert to provide additional claims to the user ?
I'm not sure if you can in StarterSTS, but if you note on the project it says:-
IMPORTANT
StarterSTS has been discontinued. The sources will stay up here for educational purposes. Please use my new project IdentityServer (http://identityserver.codeplex.com) from now on.
IdentityServer does support additional claims. You add the claims using the user profile - it's very easy to do so I would recommend you upgrade to this if possible.
I can't see the source for starterSTS so I'm not sure if it supports this feature. You can find Identity Server V2 here
How to fetch the expiry date from PKCS12 certificate using iOS security framework?
Alternately can I use openssl? if yes, please point me towards relevant API's
Thanks
Great question! If I were doing this coding, I would first try to think of a solution using Keychain Services.
First, you'd need to fetch the keychain item. Say, via `SecItemCopyMatching()'.
This returns a reference to the found items. Preferably a SecCertificateRef (which is described more in detail in Apple's Keychain Services Reference guide).
I don't see an easy way to explicitly fetch the metadata (or expiration date) from a SecCertificateRef off the top of my head. There's a code snippet I found on books.google.com from "IOS 5 Programming Pushing the Limits: Developing Extraordinary Mobile Apps" called "Checking Certificate Validity" (pages 218 & 219 -- I've linked it for you) which basically checks to see if a certificate allows usage based on matching keys (in their example, it's the subject or domain name; for you, it would be the expiration date). Their technique may help you out.
As for using OpenSSL, I found an answer where you can come up with the expiration date from the command line using the openssl tool. If you can get a handle to your certificate, I'm pretty certain this can be done programmatically as well.
I would like to encrypt a string with AES 256 on the iPhone but have not found much via google. What I am trying to do is post some data to a web site as part of a game I am creating, but I do not want the user to be able to cheat by seeing how it is posted because it is plain text. So I want to post one encrypted string to my php page (ala www.test.com/test.php?encrypted= etc...) and then the php script will decrypt it and do what it needs to if it is valid.
You can just use the CryptoHelper which is adopted by CyrptoExercise Sample Project
A much easier approach here would be to use an HTTPS POST, which would give you similar protections with far less code, though there are still difficulties for solving the problem you're attacking. The kind of solution you're describing generally requires some kind of shared secret, and it's very hard to protect code using a shared secret for long. You may find these posts helpful:
Machine ID for Mac
Store an encryption key in Keychain while application installation process
Obfuscating Cocoa
Still, HTTPS is probably a much better solution than AES here.
Check out this site: http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html