Unable to locate the pvt key for a csr generated using Windows MMC snap-in - client-certificates

To access a public server, I was asked to generate a CSR. I generated the CSR using the Windows MMC snap-in, which was then validated by the authorities, and a CER file was issued to me. I have successfully imported that CER file as well.
However, I am unable to locate the private key corresponding to this CSR. Need serious help here. No option was specified to save the pvt key, even though the checkbox to make it exportable was selected.
The MMC console mentions that a private key exists for this certificate - but does not specify where.
Have managed to export the certificate to a PFX file (asked for a passcode - provided one) - but for all my attempts, extracting the private key from PFX without using any commercial tool is proving to be challenging (using any commercial or online tool is not permitted, unfortunately). (Have trawled through quite a few SO posts - too numerous to be listed).
Will be happy to write a program (in C or Assembly) if that helps extract the private key.
Thanks for your attention.
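Added example (not from the question): pulling the private key out of a PFX such as the one exported from the MMC snap-in, using only Ruby's bundled OpenSSL binding. The PFX below is a constructed self-signed fixture, and the extracted key is written back out encrypted under a new passphrase rather than in the clear.

```ruby
require 'openssl'

# Extract the private key from a PKCS#12 (PFX) blob. Returns the key as PEM,
# re-encrypted under +out_pass+ (AES-256-CBC) so it is never left on disk in
# the clear. Raises OpenSSL::PKCS12::PKCS12Error on a wrong PFX passcode.
def extract_pfx_key(pfx_der, pfx_pass, out_pass)
  p12 = OpenSSL::PKCS12.new(pfx_der, pfx_pass)
  key = p12.key
  cert = p12.certificate
  # The key must be the one the issued certificate was built on.
  raise 'private key does not match certificate' unless cert.check_private_key(key)
  key.export(OpenSSL::Cipher.new('aes-256-cbc'), out_pass)
end

# Constructed fixture (not a real issued certificate): a fresh RSA key, a
# self-signed certificate for it, and a PFX bundling both under +pass+.
def build_sample_pfx(pass)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-client')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [OpenSSL::PKCS12.create(pass, 'example-client', key, cert).to_der, cert]
end

if __FILE__ == $0
  pfx, _cert = build_sample_pfx('pfx-passcode')
  puts extract_pfx_key(pfx, 'pfx-passcode', 'new-key-passphrase')
end
```

For a real export, pass `File.binread('client.pfx')` and the passcode chosen during the MMC export wizard.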

Related

tcpdf certification by.. is invalid

I followed the steps indicated in Example 052 (https://tcpdf.org/examples/example_052/) for generating a PDF with a digital signature using tcpdf with a self-signed crt. I also read the part about adding the PDF to the Adobe List of Trusted Identities. For testing purposes I've added the tcpdf.crt file to trusted identities and it works fine.
But... I can't ask the clients to do the same. The PDF file received should already be validated when it is opened, or at least not display the message: "Certification by My company is invalid". So, what crt should I use for getting a validated PDF file? I tried to use the crt available for my secured website but I'm getting the same error.
Thank you

Generating Apple Wallet Pass

I'm trying to generate an Apple Wallet pass for one of my clients, but for some reasons related to certificate signing I cannot generate a valid pass file. I've tried to use the public key and private key for generating the Wallet pass but with no success.
I might be missing the correct files here; can someone please guide me through the file generation process?
There is no issue with my web service generating the .pkpass file by using an old certificate file (issued by WWDR back in 2020).
I'm using this pass file validator to validate the file.
attached screenshot for

Identity certificate - IOS MDM

I have few questions regarding Identity certificate in Profile Payload.
Forgive the ignorance, if some questions are basic.
1.) I found that we can either use the SCEP standard or a PKCS12 certificate directly for device identification. SCEP is recommended, since the private key will be known only to the device. So, in case I am going to implement a SCEP server, do I need to maintain the list of public keys of identity certificates mapped to the device, so that I can use it later for encrypting?
2.) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?
3.) What if the identity certificate is expired?
As a basic version while playing around, I tried to add my own p12 certificate to the Payload without using SCEP.
I tried to add the base64-encoded p12 certificate in the identity PayloadContent key, as mentioned in some link reference. I got an error
The identity certificate for “Test MDM Profile” could not be found
while installing profile.
require 'base64'
identity_payload = {}
identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"
identity_payload['PayloadVersion'] = 1
# base64 text as PayloadContent: this is the attempt that failed
identity_payload['PayloadContent'] = Base64.encode64(File.read "identity.p12")
identity_payload['Password'] = 'p12Secret'
When I checked 'Configuration Profile key reference', it was mentioned that I should send Binary representation of Payload in Data.
So I tried,
identity_payload['PayloadContent'] = File.binread("identity.p12")  # raw bytes, to be emitted as a plist <data> element
I got,
The password for the certificate “IdentityCertificate” is incorrect
I am supplying valid password for exporting the p12 certificate.
What am I doing wrong?
Answering your question:
1) Do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?
Yes. You need some kind of mapping. You can do it a couple of ways:
Just store in the DB a mapping between the certificate common name and the device UDID.
Make the CN contain the UDID (I like this method, because it simplifies initial checks).
And as you pointed out you will need public key to encrypt payloads for this device.
2) What is the best possible way to implement SCEP server.? Is there any reliable robust methods available to adopt it instead of writing everything on our own?
There are open source implementations of SCEP. As an example, jSCEP has it (I used it) and EJBCA has it (I used it too). I saw other implementations (in Ruby and so on). So, you can find and choose something which works with your stack.
3) You need to renew the identity certificate before it expires (the same way as for any other certificate).
4) If your profile doesn't work, I would recommend you to create the same profile in iPhone Configuration Utility and compare with yours. Most of the time, you missed just one tag or something like that (it will take a lot to figure it out without comparing it with working one).
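Added example, not from the question or the answer: the identity payload from the question emitted as an XML plist with PayloadContent as a <data> element, which is what "binary representation of the payload in Data" in the key reference means. The plist emitter is hand-rolled here (no plist gem assumed) and the .p12 bytes are a constructed stand-in for a real identity.p12.

```ruby
require 'base64'
require 'securerandom'

# PayloadContent must be a plist <data> element holding the raw .p12 bytes;
# the plist format base64-encodes it exactly once. Running Base64.encode64
# first and storing the result as a <string> gives a double-encoded blob in
# which iOS finds no certificate.
XML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' }.freeze

def xml_escape(text)
  text.gsub(/[&<>]/, XML_ESCAPES)
end

def plist_data(bytes)
  # strict_encode64: no line breaks inside the <data> element
  "<data>#{Base64.strict_encode64(bytes)}</data>"
end

def identity_payload_plist(p12_bytes, p12_password, identifier)
  fields = [
    ['PayloadType', '<string>com.apple.security.pkcs12</string>'],
    ['PayloadVersion', '<integer>1</integer>'],
    ['PayloadIdentifier', "<string>#{xml_escape(identifier)}</string>"],
    ['PayloadUUID', "<string>#{SecureRandom.uuid.upcase}</string>"],
    ['PayloadDisplayName', '<string>Identity Certificate</string>'],
    ['PayloadContent', plist_data(p12_bytes)],
    ['Password', "<string>#{xml_escape(p12_password)}</string>"]
  ]
  body = fields.map { |k, v| "    <key>#{k}</key>\n    #{v}" }.join("\n")
  <<~PLIST
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    #{body}
    </dict>
    </plist>
  PLIST
end

# Round-trip check: decoding the <data> element once must give back the
# original file bytes, which is exactly what fails for a double-encoded blob.
def p12_from_plist(plist)
  Base64.strict_decode64(plist[%r{<data>(.*?)</data>}m, 1])
end

if __FILE__ == $0
  # Constructed stand-in for identity.p12 (a real profile uses File.binread)
  sample = "\x30\x82\x05\x00constructed-p12-bytes".b
  puts identity_payload_plist(sample, 'p12Secret', 'com.example.mdm.identity')
end
```

This emits the single pkcs12 payload; it still has to be placed in the PayloadContent array of the enclosing configuration profile.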

Can't import Code-signing Public or Private keys using Keychain access (Mac OS X Mavericks)

In an attempt to build an iOS project (in XCode), I need to import my colleague's public and private keys for the code signing identity, but I am unable to do so because I get an error in Keychain Access that says "An error has occurred. Unable to import an item. / The contents of this item cannot be retrieved"
FULL DETAILS:
I have got two keys from my colleague's computer, exported them from his Keychain as two files:
Roomer Inc.p12 (the private key)
Roomer Inc.pem (the public key)
When he exported these, he left the password blank (Although we also tried with a password of "test" and got the same results).
When I double-click Roomer Inc.p12 (for the private key), it opens in Keychain Access and prompts me to choose the keychain ("login" is selected by default).
I click "Add" and then I am prompted for the password to the keychain (which I leave blank)
Next I always see this message in Keychain access:
However, despite this message appearing, when I click OK, I see a new private key entry for "Roomer Inc". Note that this entry is a private key in the "login" key chain as I would expect, but has no expiration date (should it?)
Next, for the Roomer Inc.pem file (the public key) I am asked to choose the keychain ("login") and I click Add
Then, I also get the "An error has occurred. Unable to import an item. / The contents of this item cannot be retrieved" message for the public key as well. In this case however (unlike the private key), I do not see any entry corresponding to what I just added.
So, it appears that the private key entry may or may not be OK (I have no way to verify), and the public key entry for Roomer cannot be installed in the keychain without this error message. Please note that I also tried using the security import command to import the public key:
$ security import Roomer\ Inc.pem -f pkcs12 ~/Library/Keychains/login.keychain
1 key imported.
When I do this, although the command returns "1 key imported" I do not see a public key for "Roomer Inc" in my Keychain Access window (I closed out Keychain Access and re-opened it).
Either way, we have identified that this is our blocker. (The symptom of course is that the XCode project won't build for the AdHoc provisioning profile to be used with TestFlight). I have left off the additional steps regarding the XCode build and TestFlight setup, because we believe the core problem has to do with importing the keys as explained above.
We figured out our problem, and I am posting my answer here so that others may find it helpful.
The problem is really a UX problem with Keychain Access. Let me back up and give a little context: when you create a distribution certificate with Apple, you create it based on a PRIVATE KEY and App-based permissions.
In Keychain Access, the distribution certificate is listed as a child below the name of the private key that it was created from. Here's the catch: When you use the search box in Keychain access (in my case we were typing in "Roomer" because that's the name on our distribution certificate), it won't look for a certificate with that name, it will look for a certificate attached to a private key for that name.
So my colleague had created a distribution certificate based on a private key that was named "Jorge Davila" (his name), even though the distribution certificate was named "iPhone Distribution: Roomer Inc."
When he searched for "Roomer" in Keychain Access, the correct one was NOT displayed in the search results because the key this certificate was created from was named "Jorge Davila" not "Roomer". Thus, he was exporting the wrong certificate and didn't realize because there were others (some expired) with that name.
Here's how the correct one looks:
This is a relatively nuanced problem with the UX of Keychain Access and the fact that the search tool doesn't give you the results you expect it to. I am posting this answer in the hope that others may find it useful.

Blackberry code signing 'unable to request signatures...'

I have taken over a project created by someone else on another machine.
I have filled in the signed keys form and had my keys emailed to me.
I have double-clicked on each to install them. I then went to the signature tool in the vmTools folder and selected my .cod file (built today).
I then get the list of cod files with 'not registered' next to them in the status column.
I hit the request button and get the error 'unable to request signatures until this application has been registered with all signing authorities'. What am I missing?
It sounds like the signing server may be down; you can check the current status of the signing server here:
isthesigningserverdown.com
It is always a quick and easy start to troubleshooting signatures.
Please see this blackberry.com reference.
To prevent this being lost to link rot, I pasted the important content below.
Note: if you're using the Eclipse plugin, not the old JDE, then you would go to the BlackBerry menu, select Sign, and either Install New Keys or Import Existing Keys. You must use all three files that BlackBerry (RIM) gave you. For example, to install brand new keys:
client-RBB-12341231.csi
client-RCR-12341231.csi
client-RRT-12341231.csi
or for an Import of existing keys:
sigtool.csk
sigtool.db
Problem
In certain situations, when you attempt to sign your application using the SignatureTool application, you receive the following error:
Unable to request signatures until this application has been registered with all signing authorities required.
Cause
You are attempting to request code-signing signatures for your application but the SignatureTool is not registered with all the required signing authorities.
There are two types of RIM Code Signing framework signatures:
Required Signatures - This is specified by the .csl file associated with the .cod file. A required signature is necessary to load your application on the device.
Optional Signatures - This is specified by the .cso file associated with the .cod file. An optional signature indicates that the system may perform a runtime signature check on the application. If the application is not signed, it is not allowed to execute the intended method.
The SignatureTool prevents you from signing the application since it waits until all required signatures are in place. Required signatures are necessary for the application to load successfully on the device.
Resolution
There are several different scenarios where the SignatureTool is not registered with the required code-signing servers.
Scenario 1 - Not Registered with Public Signing Authorities
There are three public-signing authorities (RBB, RRT, and RCR) that represent different sections of the controlled application programming interface (API). When you receive code-signing keys, you receive three .csi files representing the three code-signing servers. It is important to register with all three servers. To determine which signature keys have been successfully installed and/or missing, please review this article
Scenario 2 - Attempting to use a Controlled Signing Authority
There is an additional public-signing authority, the Certicom™ Crypto (RCC) signing authority, that controls access to Certicom cryptography functions on the device. Go to Certicom for more information on accessing the Certicom APIs on the device.
Scenario 3 - Attempting to use an Inaccessible Signing Authority
Research In Motion® maintains its own internal signing authorities for the protection of APIs that are not exposed or data that is not public. It is not possible to gain access to these signing authorities, and any reference to Research In Motion internal methods or data should be removed from your application to allow the SignatureTool to sign your application.
Note: JDE 4.1 allows you to turn on code-signing warnings under Preferences. This determines the areas of your application that are attempting to use signatures from each signing authority.
Here's one more useful guide on the BlackBerry website
Occasionally RIM's signing server fails. I've seen it down for hours at a time.