iaik.asn1.CodingException: No ASN.1 AlgorithmID

2006-10-02 Thread Eshwaramoorthy Babu
Hi,
I have created a private key using the below command and signed the csr
>>openssl genrsa -out host.key
When I try to use the host.key in my server, I am getting the below error
-
caused by: A lifecycle exception was thrown while trying to initialize the Tomcat server
caused by: LifecycleException:  Protocol handler initialization failed: java.io.IOException: An AXSecurityException was thrown while trying to create the server socket on the port [ 8001] with the message:
iaik.asn1.CodingException: No ASN.1 AlgorithmID type!
-
 
Looks like the private key is not ASN.1 type.
 
Can anyone help me to resolve this issue.
 
Thanks in advance,
Babu
 
 


Re: iaik.asn1.CodingException: No ASN.1 AlgorithmID

2006-10-03 Thread Eshwaramoorthy Babu
Thanks Stephen. Your solution works. 
Thanks,
Babu  
On 10/3/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Mon, Oct 02, 2006, Eshwaramoorthy Babu wrote:
> Hi,
> I have created a private key using the below command and signed the csr
> >>openssl genrsa -out host.key
> When I try to use the host.key in my server, I am getting the below error
> -
> caused by: A lifecycle exception was thrown while trying to initialize the
> Tomcat server
> caused by: LifecycleException:  Protocol handler initialization failed:
> java.io.IOException: An AXSecurityException was thrown while trying to
> create the server socket on the port [ 8001] with the message:
> iaik.asn1.CodingException: No ASN.1 AlgorithmID type!
> -
>
> Looks like the private key is not ASN.1 type.
>
> Can anyone help me to resolve this issue.
>

Probably doesn't like OpenSSL private key format. You can use various
utilities to convert the default form to other forms. You could try DER format
first then pkcs8 format in PEM and DER format.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
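The difference between the two key formats named in the reply above, as an added example that is not part of the original thread: a small DER reader that tells the traditional OpenSSL RSAPrivateKey layout from PKCS#8 PrivateKeyInfo by looking for the AlgorithmIdentifier. That the missing AlgorithmIdentifier is what the IAIK parser reports is an assumption drawn from the error text; the function names and sample bytes are constructed for illustration.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID rsaEncryption

def read_tlv(data):
    """Split the first DER element off data: (tag, content, rest)."""
    if len(data) < 2:
        raise ValueError("truncated DER")
    tag, length, offset = data[0], data[1], 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if len(data) < offset + length:
        raise ValueError("truncated DER")
    return tag, data[offset:offset + length], data[offset + length:]

def tlv(tag, content):
    """Encode one DER element; used here only to build the samples."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def to_der(data):
    """Accept DER, or unencrypted PEM (base64 DER between '-----' lines)."""
    if data.lstrip().startswith(b"-----"):
        body = [l for l in data.strip().splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return data

def classify_private_key(data):
    """'traditional' (RSAPrivateKey), 'pkcs8' (PrivateKeyInfo) or 'unknown'."""
    tag, seq, _ = read_tlv(to_der(data))
    if tag != 0x30:
        return "unknown"
    tag, _version, rest = read_tlv(seq)  # both formats open with INTEGER 0
    if tag != 0x02:
        return "unknown"
    tag, _, _ = read_tlv(rest)
    # PKCS#8 puts a SEQUENCE (AlgorithmIdentifier) here; the traditional
    # format goes straight to the INTEGER modulus, so a PKCS#8-only parser
    # finds no AlgorithmIdentifier to read.
    return {0x30: "pkcs8", 0x02: "traditional"}.get(tag, "unknown")

# Constructed samples with dummy integers; these are not usable keys.
SAMPLE_TRADITIONAL = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x00" + b"\xc1" * 128)
                         + tlv(0x02, b"\x01\x00\x01"))
SAMPLE_PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, RSA_OID + b"\x05\x00")
                   + tlv(0x04, SAMPLE_TRADITIONAL))
```

Passing the bytes of a key file to `classify_private_key` shows which of the two layouts a server would be handed.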



SSL Question

2006-10-04 Thread Eshwaramoorthy Babu
Can anyone help me to identify the certificate requirement for the below scenario
We are planning to implement ssl for our b2b product
Server : Apache webserver
Client : JAVA based Product(not browser)
1. Server should authenticate the client.
2. Client should authenticate the server.
3. Server should encrypt and decrypt the message
4. Client should encrypt and decrypt the message
Now for Point 2 to 3 (server side certificate) my understanding is
a. I should generate private key, csr and then get it signed from authorities like verisign.
b. Place the private key and the certificate at the server side
c. Place the certificate (publickey+certificate) and root certificate at client side
The server will decrypt and encrypt the messages using its private key, the client will authenticate the server and encrypt and decrypt the message using server's public key + certificate.

Now if I have to implement point 1 (server authenticating the client) do I have to get another certificate for the client?
If I have separate certificate for the client I have to have private key also for the client. In that case how the encryption, decryption does happen?

In my client's (JAVA based Product) if I have to enable the ssl for point 1 I have to specify the client certificate and the private key (it expects the client certificate and private key). In that case both client and server will have its own private key. I am a little confused how encryption and decryption will happen if both client and server have their own private key?

Can anyone help me to clarify the above.
Thanks in advance
Babu
 


Re: SSL Question

2006-10-04 Thread Eshwaramoorthy Babu
Thanks a lot Marek.
Now it is very clear to me.
 
I spent a lot of time to get this information but I couldn't find this (client's private key usage) in any of the documents.
Can you please suggest me some good website/ books to learn how SSL works?
 
One more question:
Is CSR machine specific? If I generate the CSR in machine A and install the certificate in Machine B will it work?  If not can you please tell me why it will not work?
What are the machine specific details that go into CSR?
 
Also the document says that while generating CSR the Common Name [CN] should match my hostname which is www.dubaibank.ae. When the server presents its certificate to the client will the client verify the URL entered in browser with the URL that is there in the certificate?

 
Thanks again,
Babu
 
 
 
On 10/4/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
Hello,
> Can anyone help me to identify the certificate requirement for the
> below scenario
>
> We are planning to implement ssl for our b2b product
>
> Server : Apache webserver
> Client : JAVA based Product(not browser)
>
> 1. Server should authenticate the client.
> 2. Client should authenticate the server.
> 3. Server should encrypt and decrypt the message
> 4. Client should encrypt and decrypt the message
>
>
> Now for Point 2 to 3 (server side certificate) my understanding is
> a. I should generate private key, csr and then get it signed from
> authorities like verisign.
> b. Place the private key and the certificate at the server side
> c. Place the certificate (publickey+certificate) and root certificate
> at client side
> The server will decrypt and encrypt the messages using its private
> key, the client will authenticate the server and encrypt and decrypt
> the message using server's public key + certificate.
>
> Now if I have to implement point 1 (server authenticating the client) do
> I have to get another certificate for the client?
> If I have separate certificate for the client I have to have private
> key also for the client. In that case how the encryption, decryption
> does happen?
>
>
> In my client's (JAVA based Product) if I have to enable the ssl for
> point 1 I have to specify the client certificate and the private
> key (it expects the client certificate and private key). In that case
> both client and server will have its own private key. I am a little
> confused how encryption and decryption will happen if both client and
> server have their own private key?
>
> Can anyone help me to clarify the above.

In SSL, server RSA private_key/server_certificate is used to securely
transport from client to server 48 bytes of random data called
pre_master_secret from which key for symmetrical encryption algorithms
(DES, AES) and message digest functions (MD5, SHA1) are created.
This means that encryption/decryption of real application data
is performed by symmetrical encryption, not RSA.
For short:
- server sends server_certificate to client
- client checks server_certificate (with root CA)
- client encrypts random 48 bytes with server_certificate and sends
   to server
- server decrypts this data with server private_key and gets 48 random
   bytes from client
- both sides calculate keys for encryption, MAC verification
Server proves having proper private key by generating proper symmetrical
keys (identical with clients).
Client_private_key/client_certificate is used only for client
authentication. If server is configured to request client authentication
then special packet is sent from server to client requesting
client certificate (certificate_request), in response client sends to
server his certificate (in certificate packet) and special packet
called certificate_verify which has special data encrypted with
client private key. Server verifies client certificate (with root CA),
decrypts data from certificate_verify packet using client certificate,
calculates your own data, compares this and if this equals - client
is authenticated by server. Of course this proves only that client
has client_private_key/client_certificate.
From now, client key/certificate is not used.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
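The key calculation step from the reply above, as an added example that is not part of the original thread: how both sides turn the 48-byte pre_master_secret into the symmetric keys. It assumes the TLS 1.0 PRF from RFC 2246 (SSL 3.0 uses a different construction) and a cipher suite with AES-128-CBC and SHA-1 MACs; the RSA transport of the secret is left out, and the sample values are constructed.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, size):
    """RFC 2246 P_hash: HMAC-based expansion of secret to size bytes."""
    out, a = b"", seed
    while len(out) < size:
        a = hmac.new(secret, a, hash_name).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:size]

def prf(secret, label, seed, size):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, size)
    sha_part = p_hash("sha1", s2, label + seed, size)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

# Layout of the key block for the assumed suite: two MAC secrets, two
# encryption keys, two CBC IVs, in the order RFC 2246 slices them.
KEY_LAYOUT = [("client_mac", 20), ("server_mac", 20),
              ("client_key", 16), ("server_key", 16),
              ("client_iv", 16), ("server_iv", 16)]

def derive_keys(pre_master_secret, client_random, server_random):
    """Return (master_secret, dict of keys); run identically by client and server."""
    master = prf(pre_master_secret, b"master secret",
                 client_random + server_random, 48)
    total = sum(size for _, size in KEY_LAYOUT)
    block = prf(master, b"key expansion", server_random + client_random, total)
    keys, pos = {}, 0
    for name, size in KEY_LAYOUT:
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys

# Constructed sample values. In TLS the 48 bytes are a 2-byte protocol
# version followed by 46 random bytes chosen by the client.
SAMPLE_PMS = b"\x03\x01" + bytes(range(46))
SAMPLE_CLIENT_RANDOM = bytes([0x11]) * 32
SAMPLE_SERVER_RANDOM = bytes([0x22]) * 32
```

A peer that cannot decrypt the pre_master_secret derives a different key block, so its first encrypted handshake message fails verification; that is the implicit proof of private key possession the reply describes.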



Re: SSL Question

2006-10-04 Thread Eshwaramoorthy Babu
Many thanks Marek.
On 10/5/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
Hello,
> I spent a lot of time to get this information but I couldn't find
> this (client's private key usage) in any of the documents.
> Can you please suggest me some good website/ books to learn how SSL
> works?

One of good book: "SSL and TLS essentials" by Stephen Thomas (Wiley).

> One more question:
> Is CSR machine specific? If I generate the CSR in machine A and
> install the certificate in Machine B will it work?  If not can you
> please tell me why it will not work?
> What are the machine specific details that go into CSR?

I assume that CSR is Certificate Signing Request. This is not machine
dependent because this is universal ASN.1 structure (in this format
called DER format) optionally base64 encoded with some headers
(in this format called PEM format).
Maybe some "newline" problems sometimes may occur.

> Also the document says that while generating CSR the Common Name
> [CN] should match my hostname which is www.dubaibank.ae. When the
> server presents its certificate to the client will the client
> verify the URL entered in browser with the URL that is there in the
> certificate?

Yes, and if hostname from certificate will differ from entered
in URL you will get message window with this information
and you are requested to make decision: "Continue Anyway"
or "Drop Connection".

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>


https in java

2006-10-06 Thread Eshwaramoorthy Babu
Hi,
I want to write a simple HTTPSClient and server using JAVA with server and client authentication.
I have the below certificates and private keys for server and the client in PEM and PKCS8 format.
Root certificate : PEM format
certificate : PEM format
Private Key : PKCS8
Can we use PEM and PKCS8 format directly in JAVA? Do I have to do any format conversion to use the certificate and the keys in JAVA?
Can anyone help me in explaining the steps to write JAVA code for HTTPS using PEM format certificate and PKCS keys?
I would appreciate if you can steps me a sample code for the above.
Thanks in Advance,
Babu


Converting PEM and PKCS8 to JKS (JAVA keystore)

2006-10-06 Thread Eshwaramoorthy Babu
Hi,
 
I have the below certificates with me
 
1. Server certificate : PEM format
2. Private Key in : PKCS8 format
3. Server Root Certificate in : PEM format
 
Can anyone tell me how to convert the above into Java keystore (JKS) format?
Is there any tool available for conversion? Does keytool understand PEM and PKCS8 format?
 
 
If I have to give the server certificate and the root certificate to the client do I have to include the server and server root certificate in a single keystore file?
 
Again, for the server do I have to generate another keystore file with Private key and server certificate?
 
Thanks in advance,
Babu


SSL Client authentication

2006-10-30 Thread Eshwaramoorthy Babu
Hi,
We have a JAVA SSL client talking to HTTP Server.
The server side ssl is working fine. Now we are planning to use client authentication (server authenticating client).
I spoke to the certificate provider (comtrust) regarding this. He suggested me to purchase a user certificate.
They also said for this user certificate private key is not required.  I just need to submit online form from their website. No csr is required.

Now I will not be having private key in client's certificate store instead I will only have the User certificate from comtrust.
Will the above work??
My understanding is the certificate store should also have the private key.
 
Thanks,
Babu


PKCS12 question

2006-10-31 Thread Eshwaramoorthy Babu
Hi,
 
Is it possible to have only the certificate in  PKCS12 file.
 
I do not want to include my private key . I just want my certificate in PKCS12 format.
If so, can anyone tell me the command to convert the certificate into PKCS12?
 
Thanks in advance,
Babu


Re: SSL Client authentication

2006-10-31 Thread Eshwaramoorthy Babu
Hi Bernhard,
 
Thanks for your response.

We have already purchased the certificate. But we do not have private key with us, because we have submitted the csr request from CA's website.
My client is not Browser. It is JAVA application. Now, can I use this certificate with my JAVA clients without private key? Will client authentication work without private key?
-Babu

On 10/30/06, Bernhard Froehlich <[EMAIL PROTECTED]> wrote:
Eshwaramoorthy Babu wrote:
>
> Hi,
>
> We have a JAVA SSL client talking to HTTP Server.
>
> The server side ssl is working fine. Now we are planning to use client
> authentication (server authenticating client).
>
> I spoke to the certificate provider (comtrust) regarding this. He
> suggested me to purchase a user certificate.
> They also said for this user certificate private key is not required.
> I just need to submit online form from their website. No csr is required.
>
> Now I will not be having private key in client's certificate store
> instead I will only have the User certificate from comtrust.
> Will the above work??
>
> My understanding is the certificate store should also have the private
> key.
>

Of course client certificates are also issued for a public/private key
pair and (usually) need some kind of CSR. The only technical difference
between client and server certificates is which data is included in the
X509 certificate.
But if you are using standard browsers it is considerably simpler to
issue client certificates, since the process of generating a key pair
and the corresponding CSR can be automated in a web application. So the
user just goes to a web page, enters his/her data into a form and
presses a Button (and maybe answers some "Are you sure" dialogs) to
generate a key and CSR, which is then stored internally by the browser.
And after the certificate is generated it can be imported by pointing
the Browser to a specific URL.
Somehow it can be said that there is no CSR since the user never gets to
see one. ;)
One thing to remember when using such techniques is, that the new
certificate can only be imported by "exactly" the same browser (usually the
same browser on the same computer and the same user account) where the
initial request has been made. And if you need the same certificate on
another computer you probably have to export the certificate on the one
computer and import it on the other one. Or use a server stored
certificate storage.

>
> Thanks,
> Babu
>

Hope it helps.
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26