Error when creating Server Certificate - X509 Certificate Based Authentication in IBM Worklight 6.2
By : jdiotte
Date : March 29 2020, 07:55 AM
The second error appears because the Root CA certificate failed to be properly generated, so it is saying that it could not find a trusted certificate for it; after you fix the first error the other ones should work. The first error happens because something is missing in your openssl.cnf file. In your configuration, you have to specify which fields are optional for you and which are required. As shown in slide 18 in the User Certificate Authentication Getting Started guide, you specify each one in the policy_match section like this:
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Java Security - X509 Certificate Verification with Public Key
By : oldirtybo
Date : March 29 2020, 07:55 AM
Typical PKI systems use Certificate Authorities to issue certificates to subjects (by signing them). By signing, the Certificate Authority forms a chain from the CA to the subject's certificate; this chain can contain multiple CAs if CA1 (root CA) signs CA2's (intermediate CA) certificate, which in turn signs the subject's certificate. This is very common on the Internet (for SSL/TLS) and in digital signature scenarios. So you most likely need at least one CA's certificate and its public key to verify the subject's certificate. Your program can support multiple independent CAs as well. The CAs your program accepts are usually called Trust Anchors. Keeping the Trust Anchors in a KeyStore is also very convenient.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;

// Parse the certificate to be verified (certBytes holds its encoding)
final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
final X509Certificate certificateToCheck = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));

// Load the trust anchors (the accepted CA certificates) from a key store
final KeyStore trustStore = KeyStore.getInstance("JKS");
InputStream keyStoreStream = ...
trustStore.load(keyStoreStream, "your password".toCharArray());

// Build a certification path from the certificate up to one of the trust anchors
final CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
final X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate(certificateToCheck);
final CertPathParameters certPathParameters = new PKIXBuilderParameters(trustStore, certSelector);
final CertPathBuilderResult certPathBuilderResult = certPathBuilder.build(certPathParameters);
final CertPath certPath = certPathBuilderResult.getCertPath();

// Validate the path (signatures, validity periods, constraints) against the trust anchors
final CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
final PKIXParameters validationParameters = new PKIXParameters(trustStore);
validationParameters.setRevocationEnabled(true); // if you want to check CRL
final X509CertSelector keyUsageSelector = new X509CertSelector();
keyUsageSelector.setKeyUsage(new boolean[] { true, false, true }); // to check digitalSignature and keyEncipherment bits
validationParameters.setTargetCertConstraints(keyUsageSelector);
final PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, validationParameters);
System.out.println(result);
Try to run the azure-iot-sdk-java provisioning-x509-sample with an own x509-certificate
By : scott.krieger
Date : March 29 2020, 07:55 AM
DPS only supports TLS 1.2. TLS connections from older versions will be rejected.
How to get the certificate into the X509 filter (Spring Security)?
By : user3784791
Date : March 29 2020, 07:55 AM
No, you can't get it that way. You need to grab it from the HttpServletRequest:
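As an added example of what "grab it from the HttpServletRequest" looks like in practice (this code is mine, not the answerer's), the class below reads the certificate chain the servlet container stores under the Servlet-specification attribute javax.servlet.request.X509Certificate and feeds it into a Spring Security pre-authentication filter. The class name, the javax.servlet (pre-Jakarta) namespace and the presence of spring-security-web on the classpath are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/** Added example (hypothetical class name): reading the TLS client certificate in a Spring Security filter. */
public final class ClientCertificateFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Request attribute name defined by the Servlet specification. The container fills it from the
    // TLS handshake, and only when the connector was configured to request client certificates.
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** Returns the client's own certificate (index 0 of the chain), or empty when none was presented. */
    static Optional<X509Certificate> clientCertificate(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[])) {
            return Optional.empty();   // plain HTTP listener, or TLS without client authentication
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return Optional.empty();
        }
        return Optional.of(chain[0]);  // later entries are the issuer certificates the client sent
    }

    /** Principal handed to the AuthenticationManager: the subject DN. Returning null skips authentication. */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        return clientCertificate(request)
                .map(cert -> cert.getSubjectX500Principal().getName())
                .orElse(null);
    }

    /** Credentials: the certificate itself, so a downstream AuthenticationProvider can inspect it. */
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return clientCertificate(request).orElse(null);
    }
}
```

Spring Security's own X509AuthenticationFilter reads this same request attribute, which is why the certificate never has to be passed around by hand. The attribute is populated solely by the container's TLS layer; if TLS is terminated at a reverse proxy in front of the application, it will be empty, and whatever hand-off the proxy provides must itself be treated as a trust boundary rather than read from an arbitrary request header.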
Check X509 certificate revocation status in Spring-Security before authenticating
By : Benjamin
Date : March 29 2020, 07:55 AM
I'm not sure about the specifics of Spring-Security, but if it's based on the trustmanagers of the JRE (if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one). More details here:
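The JRE-wide switches in this answer affect the default trust managers; when you validate a chain yourself, as in the "Java Security - X509 Certificate Verification with Public Key" answer above, revocation checking can instead be attached to the PKIX validator directly. The following is an added example of my own (not code from either answerer) that loads trust anchors from a JKS trust store, validates a leaf-first chain with CertPathValidator, and, when requested, checks revocation through a PKIXRevocationChecker (Java 8+), alongside a helper that sets the properties named above. The class name, file paths and password handling are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/** Added example (hypothetical class name): PKIX chain validation with optional revocation checking. */
public final class ChainValidationExample {

    /** Loads the trust anchors (the accepted CA certificates) from a JKS trust store. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        return trustStore;
    }

    /** Reads the end-entity certificate and any intermediates from one PEM/DER file, leaf first. */
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Validates the chain against the trust store. The trust anchor itself must not be part of the
     * path. With checkRevocation set, a PKIXRevocationChecker fetches CRLs (preferred) or OCSP
     * responses; its options decide whether an unreachable CRL/OCSP source is fatal.
     */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, KeyStore trustStore,
                                                boolean checkRevocation) throws Exception {
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore);

        // Require digitalSignature (bit 0) and keyEncipherment (bit 2) on the end-entity certificate
        X509CertSelector leafConstraints = new X509CertSelector();
        leafConstraints.setKeyUsage(new boolean[] { true, false, true });
        params.setTargetCertConstraints(leafConstraints);

        params.setRevocationEnabled(checkRevocation);
        if (checkRevocation) {
            PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
            // PREFER_CRLS: consult CRL distribution points before OCSP. Leaving SOFT_FAIL out means an
            // undetermined status (e.g. CRL unreachable) fails validation instead of silently passing.
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            params.addCertPathChecker(rc);  // once added, this checker governs revocation checking
        }
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    /** The JRE-wide switches from the answer above; they govern the default trust managers (HTTPS clients etc.). */
    static void enableJreRevocationChecks() {
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = chain file (leaf first), args[1] = trust store path, args[2] = its password
        List<X509Certificate> chain = loadChain(args[0]);
        KeyStore trustStore = loadTrustStore(args[1], args[2].toCharArray());
        try {
            PKIXCertPathValidatorResult r = validate(chain, trustStore, true);
            System.out.println("Valid; anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes outcomes such as REVOKED, EXPIRED and UNDETERMINED_REVOCATION_STATUS
            System.out.println("Rejected: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

The two mechanisms are independent: the system and Security properties switch revocation checking on for connections that go through the JRE's default trust managers, whereas the PKIXRevocationChecker applies only to the validation call it is attached to, which makes its behaviour (CRL versus OCSP preference, soft-fail or not) explicit in code and easy to review.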