tcpdf certification by.. is invalid - tcpdf

I followed the steps indicated in Example 052 (https://tcpdf.org/examples/example_052/) for generating a PDF with a digital signature using tcpdf with a self-signed crt. I also read the part about adding the PDF to Adobe's List of Trusted Identities. For testing purposes I've added the tcpdf.crt file to trusted identities and it works fine.
But I can't ask the clients to do the same. The PDF file received should already be validated when it is opened, or at least not display the message: "Certification by My company is invalid". So, what crt should I use for getting a validated PDF file? I tried to use the crt available for my secured website but I'm getting the same error.
Thank you

Related

Unable to locate the pvt key for a csr generated using Windows MMC snap-in

To access a public server, I was asked to generate a CSR. I generated the CSR using the Windows MMC snap-in, which was then validated by the authorities, and a CER file was issued to me. I have successfully imported that CER file as well.
However, I am unable to locate the private key corresponding to this CSR. Need serious help here. No option was specified to save the pvt key, even though the checkbox to make it exportable was selected.
The MMC console mentions that a private key exists for this certificate - but does not specify where.
Have managed to export the certificate to a PFX file (asked for a passcode - provided one) - but for all my attempts, extracting the private key from PFX without using any commercial tool is proving to be challenging (using any commercial or online tool is not permitted, unfortunately). (Have trawled through quite a few SO posts - too numerous to be listed).
Will be happy to write a program (in C or Assembly) if that helps extract the private key.
Thanks for your attention.

Generating Apple Wallet Pass

I'm trying to generate an Apple Wallet pass for one of my clients, but for some reason related to certificate signing I cannot generate a valid pass file. I've tried to use a public key and private key for generating the Wallet pass, but with no success.
I might be missing the correct files here; can someone please guide me through the file generation process?
There is no issue with my web service generating the .pkpass file by using an old certificate file (issued by WWDR back in 2020).
I'm using this pass file validator to validate the file.
attached screenshot for

How can my *.appspot.com domain support iOS9 Universal Links with Web Markup?

As many already know, Google App Engine by default hosts its apps on an appspot.com subdomain and their wildcard (*.appspot.com) SSL certificate allows any apps to use https over this subdomain.
Enter iOS 9 with Universal Links and Web Markup which now requires hosting a 'signed json file' with designated applinks in it. The key word there is 'signed'. This file needs to be signed with a valid SSL cert and private key. (Listing 2-7 and 2-8)
On twitter, I've been told that the signing certificate does NOT have to match the actual website's domain SSL certificate BUT a self-signed certificate will not work.
So one workaround is to simply buy your own SSL certificate and sign it with this cert.
I'm curious what other options there are to those of us hosting APIs and websites on Google App Engine and/or using Google Cloud Endpoints because I assume Google isn't going to hand over their wildcard ssl cert and private key for us to use ;)
Update 8/5/2015
To host the apple-app-site-association file, I had to manually open it and spit it out when called for using the webapp2 handler like so:

    import logging
    import os

    import webapp2


    class GetAppleAppSiteAssoc(webapp2.RequestHandler):
        def get(self):
            showAppleAppSiteAssoc(self)


    def showAppleAppSiteAssoc(self):
        logging.info("Enter showAppleAppSiteAssoc()")
        path = os.path.join(os.path.dirname(__file__), 'apple-app-site-association')
        # The signed file is binary, so read it as bytes and close the handle.
        with open(path, 'rb') as f:
            fileContents = f.read()
        self.response.headers['Content-Type'] = 'application/pkcs7-mime'
        self.response.out.write(fileContents)


    # MainHandler is defined elsewhere in the app.
    app = webapp2.WSGIApplication([('/', MainHandler),
                                   ('/apple-app-site-association', GetAppleAppSiteAssoc)],
                                  debug=True)

Currently having issues similar to this post and have tried both signing with my iOS Distribution cert as well as with a valid cert from work.
Update 8/10/2015
Had our dev-ops guy at work sign this with both the CA and intermediate certs from work and uploaded it and it worked!
Still curious about other solutions though.....it does seem odd that the iOS Distribution cert wouldn't have worked.
You don't have to sign apple-app-site-association unless you're implementing Activity Continuation for devices running iOS 8. Universal Links are new to iOS 9 and Apple no longer requires apple-app-site-association to be signed.
Well one answer to this question points to the fact that any valid domain certificate (with CA cert) can sign the file (even if that certificate is NOT for the domain the file will live on).
I ended up buying one for one of my domains and signing the file for another domain.
https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html
If your app runs in iOS 9 or later and you use HTTPS to serve the apple-app-site-association file, you can create a plain text file that uses the application/json MIME type and you don’t need to sign it.
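
The two serving modes discussed in this thread (a signed file sent as application/pkcs7-mime, or plain JSON sent as application/json over HTTPS) can be told apart and checked before deployment. The following is an added example in Python 3, not code from any post above; `check_aasa`, the sample body and the example URL are hypothetical, and the layout under "applinks" is an assumption.

```python
import json
from urllib.parse import urlparse

SIGNED_TYPE = "application/pkcs7-mime"  # Content-Type set by the handler in the question
PLAIN_TYPE = "application/json"         # Content-Type named in the quoted Apple text

# Constructed sample body; the layout under "applinks" is an assumption.
SAMPLE = json.dumps({"applinks": {"apps": [], "details": []}}).encode()


def check_aasa(url, content_type, body):
    """Return (kind, problems) for one apple-app-site-association response."""
    problems = []
    if urlparse(url).scheme != "https":
        problems.append("not served over HTTPS")
    ctype = content_type.split(";")[0].strip().lower()

    # A CMS/PKCS#7 signed blob is DER-encoded and starts with a SEQUENCE tag (0x30).
    if body[:1] == b"\x30":
        if ctype != SIGNED_TYPE:
            problems.append("signed body but Content-Type is %r" % ctype)
        return "signed", problems

    try:
        doc = json.loads(body.decode("utf-8"))
    except ValueError:  # covers both bad UTF-8 and bad JSON
        return "unknown", problems + ["body is neither DER nor JSON"]

    # Typical slip: the file is switched to unsigned JSON but the old
    # handler keeps sending the pkcs7-mime header.
    if ctype != PLAIN_TYPE:
        problems.append("plain JSON body but Content-Type is %r" % ctype)
    if not isinstance(doc, dict) or "applinks" not in doc:
        problems.append("no 'applinks' entry")
    return "plain-json", problems


if __name__ == "__main__":
    url = "https://example.appspot.com/apple-app-site-association"
    for ctype in (PLAIN_TYPE, SIGNED_TYPE):
        print(ctype, check_aasa(url, ctype, SAMPLE))
```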

pkpass won't open on iOS from e-mail attachment

All websites mention that Passbook passes can be sent by e-mail. But when the pass (generated by our server) is attached to an e-mail, the iOS e-mail client won't open it and writes "(null)" instead. The same pass works fine on Android and also has no problems communicating with our web service. Any ideas? Google searches didn't offer any solutions.
Screenshot:
Solved: There were multiple problems:
The authentication token has to be at least 16 characters long
I used the "Apple Inc. Root Certificate" (wrong one) instead of the "AppleWWDRCA" (correct one)
For production the web service needs to use https
You get that when the pass is invalid, most likely due to it being incorrectly signed and/or the pass certificate having expired.
Drag your pass into iPhone Simulator and check the Console app to look for error in the logs.
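
Two of the problems in the "Solved" list (token length and an https web service) can be caught before a pass is mailed out. The following pre-flight check is an added Python 3 example, not code from this thread; it goes beyond the posts by also comparing manifest.json hashes (assuming the manifest maps each file name to its SHA-1 hex digest) and does not verify the signature chain. `preflight`, `build_sample` and the example URL are hypothetical.

```python
import hashlib
import io
import json
import zipfile
from urllib.parse import urlparse

MIN_TOKEN_LEN = 16  # from the "Solved" list above


def preflight(pkpass_bytes):
    """Return a list of problems found in a .pkpass archive held in memory."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as z:
        files = {name: z.read(name) for name in z.namelist()}
    for required in ("pass.json", "manifest.json", "signature"):
        if required not in files:
            problems.append("missing " + required)
    if "pass.json" not in files:
        return problems

    doc = json.loads(files["pass.json"])
    url = doc.get("webServiceURL")
    if url is not None:
        if urlparse(url).scheme != "https":
            problems.append("webServiceURL is not https")
        if len(doc.get("authenticationToken", "")) < MIN_TOKEN_LEN:
            problems.append("authenticationToken shorter than 16 characters")

    # Assumption beyond the thread: manifest.json maps file name -> SHA-1 hex.
    if "manifest.json" in files:
        manifest = json.loads(files["manifest.json"])
        for name, data in files.items():
            if name in ("manifest.json", "signature"):
                continue
            if manifest.get(name) != hashlib.sha1(data).hexdigest():
                problems.append("manifest hash mismatch for " + name)
    return problems


def build_sample(token, url, sign=True):
    """Constructed sample archive; its 'signature' member is a dummy placeholder."""
    body = json.dumps({"authenticationToken": token, "webServiceURL": url}).encode()
    manifest = json.dumps({"pass.json": hashlib.sha1(body).hexdigest()}).encode()
    members = {"pass.json": body, "manifest.json": manifest}
    if sign:
        members["signature"] = b"placeholder, not a real CMS signature"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()
```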

Blackberry code signing 'unable to request signatures...'

I have taken a project created by someone else on another machine.
I have filled in the signed keys form and had my keys emailed to me.
I have double-clicked on each to install them. I then go to the signature tool in the vmTools folder and select my .cod file (built today).
I then get the list of cod files with 'not registered' next to them in the status column.
I hit the request button and get the error: 'unable to request signatures until this application has been registered with all signing authorities.' What am I missing?
It sounds like the signing server may be down, you can check the current status of the signing server here:
isthesigningserverdown.com
It is always a quick and easy start to troubleshooting signatures.
Please see this blackberry.com reference.
To prevent this being lost to link rot, I pasted the important content below.
Note: if you're using the Eclipse plugin, not the old JDE, then you would go to the BlackBerry menu, select Sign, and either Install New Keys or Import Existing Keys. You must use all three files that BlackBerry (RIM) gave you. For example, to install brand new keys:
client-RBB-12341231.csi
client-RCR-12341231.csi
client-RRT-12341231.csi
or for an Import of existing keys:
sigtool.csk
sigtool.db
Problem
In certain situations, when you attempt to sign your application using the SignatureTool application, you receive the following error:
Unable to request signatures until this application has been registered with all signing authorities required.
Cause
You are attempting to request code-signing signatures for your application but the SignatureTool is not registered with all the required signing authorities.
There are two types of RIM Code Signing framework signatures:
Required Signatures - This is specified by the .csl file associated with the .cod file. A required signature is necessary to load your application on the device.
Optional Signatures - This is specified by the .cso file associated with the .cod file. An optional signature indicates that the system may perform a runtime signature check on the application. If the application is not signed, it is not allowed to execute the intended method.
The SignatureTool prevents you from signing the application since it waits until all required signatures are in place. Required signatures are necessary for the application to load successfully on the device.
Resolution
There are several different scenarios where the SignatureTool is not registered with the required code-signing servers.
Scenario 1 - Not Registered with Public Signing Authorities
There are three public-signing authorities (RBB, RRT, and RCR) that represent different sections of the controlled application programming interface (API). When you receive code-signing keys, you receive three .csi files representing the three code-signing servers. It is important to register with all three servers. To determine which signature keys have been successfully installed and/or missing, please review this article.
Scenario 2 - Attempting to use a Controlled Signing Authority
There is an additional public-signing authority, the Certicom™ Crypto (RCC) signing authority, that controls access to Certicom cryptography functions on the device. Go to Certicom for more information on accessing the Certicom API’s on the device.
Scenario 3 - Attempting to use an Inaccessible Signing Authority
Research In Motion® maintains its own internal signing authorities for the protection of API’s that are not exposed or data that is not public. It is not possible to gain access to these signing authorities and any reference to Research In Motion internal methods or data should be removed from your application to allow the SignatureTool to sign your application.
Note: JDE 4.1 allows you to turn on code-signing warnings under Preferences. This determines the areas of your application that are attempting to use signatures from each signing authority.
Here's one more useful guide on the BlackBerry website
Occasionally RIM's signing server fails. I've seen it down for hours at a time.
