How to include password when enrolling CSR to EJBCA using JSCEP

How to include password when enrolling CSR to EJBCA using JSCEP

By : JdotTdot
Date : November 20 2020, 11:01 PM
help you fix your problem I am now able to do this for a programatically constructed csr and it works end to end, so I'm considering the issue closed. I still have some work to use a third party csr, but that shouldn't be a big deal.
The code is below.
code :
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    KeyPair entityKeyPair = keyPairGenerator.genKeyPair();

    PublicKey entityPubKey = entityKeyPair.getPublic();
    X500Principal requesterSubject = new X500Principal("CN=endEntityName");
    PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(requesterSubject, entityPubKey); 

    DERPrintableString password = new DERPrintableString("endEntityPassword");
    csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password);

    PrivateKey entityPrivKey = entityKeyPair.getPrivate();
    JcaContentSignerBuilder csrSignerBuilder = new JcaContentSignerBuilder("SHA1withRSA");
    ContentSigner csrSigner = csrSignerBuilder.build(entityPrivKey);
    PKCS10CertificationRequest csr = csrBuilder.build(csrSigner);

Share : facebook icon twitter icon
How to include  user's username and password to a  password recovery mail  in symfony 1.4?

How to include user's username and password to a password recovery mail in symfony 1.4?

By : Eros Ar
Date : March 29 2020, 07:55 AM
this one helps. You don't do this ever, ever, EVER, you send a password recovery hash, and add a token with a time to live to your DB, then send the hash via email to the user who lost their password. Do not store passwords in the clear, it violates the clients password security, and should your DB be compromised it would release the username and password combinations to your entire userbase.
Store passwords as:
code :
resetPasswd(username : string, hash : string, newPasswd: string)
tup = DB.recoveryTable.fetchTupple(username,hash);
  if( tup != null && tup.expiresAt <= Date.now())
include(password.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file

include(password.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file

By : user3438318
Date : March 29 2020, 07:55 AM
fixed the issue. Will look into that further This is about Yii 1 right? Check your models rules definition. The "required" notation is wrong. It should be array('username, password, email', 'required'),
First element should be the attributes, second the validator. array('attribute list', 'validator name', 'on'=>'scenario name', ...validation parameters...)
JSCEP with X509Certificate and Attribute Certificate

JSCEP with X509Certificate and Attribute Certificate

By : Aric Hoke
Date : March 29 2020, 07:55 AM
This might help you The X509Certificate class represents a Public Key Certificate (PKC), while an Attribute Certificate (AC), although it's a similar (but not that much) structure, has no public key. And they're not the same thing.
A X509Certificate can't be used without a public key, because the key is part of it. If you take a look at the RFC's definition, you'll see it's a mandatory field:
code :
Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
    ... lots of fields...
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    ... }

SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING  }
OpenXPKI with JSCEP to request CRL

OpenXPKI with JSCEP to request CRL

By : Ankit Hegde
Date : March 29 2020, 07:55 AM
hope this fix your issue I solved the problem with the help of the JSCEP and OpenXPKI communities. The problem is that the DN of the issuer is reversed, this means e.g. CN=CA,OU=Test CA,DC=OpenXPKI,DC=ORG is changed to DC=ORG,DC=OpenXPKI,OU=Test CA,CN=CA ONE and the getCRL from the OpenXPKI has no entry for the reversed issuer.
An easy fix is to reverse the issuer for the getCRL request (check OpenXPKI fix) by changing the code from the get_getcrl_issuer_serial.pm file. Add the following code in line 107:
code :
$issuer = join ",", reverse split (/,/, $issuer);
JSCEP help for beginner

JSCEP help for beginner

By : user2742622
Date : March 29 2020, 07:55 AM
I think the issue was by ths following , You need to learn the following things to get an idea about this project. Please don't skip any of this doc, because I skipped some of the learning materials and eventually I was forced to go to those study materials. So please read every material that I refer here.
JSCEP documentation. https://github.com/jscep/jscep
code :
import org.bouncycastle.asn1.*;
import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.Client;
import org.jscep.client.DefaultCallbackHandler;
import org.jscep.client.EnrollmentResponse;
import org.jscep.client.verification.CachingCertificateVerifier;
import org.jscep.client.verification.CertificateVerifier;
import org.jscep.client.verification.ConsoleCertificateVerifier;
import org.jscep.client.verification.OptimisticCertificateVerifier;
import org.jscep.transport.request.GetCaCapsRequest;
import org.jscep.transport.request.GetCaCertRequest;
import org.jscep.transport.request.GetNextCaCertRequest;
import org.jscep.transport.response.Capabilities;
import org.jscep.transport.response.Capability;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.x500.X500Principal;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.security.*;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;

public class MainClient {
    public static void main(String args[]) throws Exception{

        URL url = new URL("http://host/certsrv/mscep_admin/mscep.dll");

        DefaultCallbackHandler handler = new DefaultCallbackHandler(new OptimisticCertificateVerifier());
        Client client = new Client(url, handler);
        Authenticator.setDefault (new Authenticator() {
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication("username", "password".toCharArray());

        Capabilities caps = client.getCaCapabilities("CA name");

        JcaContentSignerBuilder signerBuilder;
        if (caps.contains(Capability.SHA_1)) {
            signerBuilder = new JcaContentSignerBuilder("SHA1withRSA");
        } else {
            signerBuilder = new JcaContentSignerBuilder("MD5withRSA");

        KeyPair idPair = KeyPairGenerator.getInstance("RSA").genKeyPair();
        X500Name issuer = new X500Name("CN=entity name");
        BigInteger serial = new BigInteger(16, new SecureRandom());
        Calendar cal = Calendar.getInstance();
        cal.add(Calendar.DATE, -1);
        Date notBefore = cal.getTime();
        cal.add(Calendar.DATE, 2);
        Date notAfter = cal.getTime();
        X500Name subject = issuer;
        PublicKey publicKey = idPair.getPublic();
        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKey);
        X509CertificateHolder idHolder = certBuilder.build(signerBuilder.build(idPair.getPrivate()));
        X509Certificate id = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(idHolder.getEncoded()));

        X500Name entityName = new X500Name("CN=entity name");
        KeyPair entityPair = KeyPairGenerator.getInstance("RSA").genKeyPair();
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo
        PKCS10CertificationRequestBuilder csrBuilder = new PKCS10CertificationRequestBuilder(entityName, publicKeyInfo);

                new DERPrintableString(new String("password".toCharArray())));
        ContentSigner signer = signerBuilder.build(entityPair.getPrivate());
        PKCS10CertificationRequest csr = csrBuilder.build(signer);

        EnrollmentResponse response = client.enrol(id, idPair.getPrivate(), csr,"CA name");
        if (response.isFailure()) {
        } else if (response.isPending()) {

            X500Principal entityPrincipal = new X500Principal(

            response = client.poll(id, idPair.getPrivate(), entityPrincipal,
                    response.getTransactionId(),"CA name");
        } else if (response.isSuccess()) {

            CertStore store = response.getCertStore();
            Collection<? extends Certificate> certs = store
            Certificate[] chain = new Certificate[certs.size()];

            int i = 0;
            for (Certificate certificate : certs) {
                chain[i++] = certificate;

            FileOutputStream os = new FileOutputStream("cert.cer");
            os.write("-----BEGIN CERTIFICATE-----\n".getBytes("US-ASCII"));
            os.write(Base64.encodeBase64(chain[0].getEncoded(), true));
            os.write("-----END CERTIFICATE-----\n".getBytes("US-ASCII"));
            System.out.println("Certificate : "+chain[0].toString());

            KeyStore entityStore = KeyStore.getInstance("JKS");
            entityStore.load(null, null);
            entityStore.setKeyEntry("entity", entityPair.getPrivate(),
                    "secret".toCharArray(), chain);
            entityStore.store(new ByteArrayOutputStream(),

            new DERPrintableString(new String("**password**".toCharArray())));
Related Posts Related Posts :
  • Nancy register dependency with type argument
  • How to set string date in store to date textbox inside a dojo grid
  • clEnqueueNDRangeKernel' failed with error 'out of resources'
  • JavaFX : TableView inside Dialog has duplicate items
  • How to make synchronous url requests with swift 3
  • how to access source code of PolSARpro
  • ABAC with keycloak - Using Resource attributes in policy
  • backpack-for-laravel Error install backpack for Laravel 5.3
  • How can i add custom fields in moodle assignment plugin?
  • Show executed query in Microsoft SQL Server 2016
  • How to integrate Grunt with project from eclipse.
  • How to sort items from shortest to longest
  • Dapper control dates
  • The module "APT50.dll" failed to load
  • Kentico ASCX transformation page type properties
  • The expression you entered contains invalid syntax
  • Android N showing warning alert in Zbar .SO File
  • CPU usage too high while running Ruta Script
  • UITableView load ONCE all cells in background
  • pygame: how to display full-screen without cutting off edges
  • Changing Kademlia Metric - Unidirectional Property Importance
  • Yii2 redirect 404 Page not found
  • How can I emit more values after emit an error?
  • How can I integrate my Bot (created with the Bot Framework) with Spark?
  • Install4j silent updater process hangs in case of incorrect proxy settings
  • How to force view controller orientation in iOS 10?
  • sbt dependsOn, typesafe config merges application.conf
  • Global optimization of polynomial in several variables in Maple?
  • Is there a way to monitor a SQL Server service with ZABBIX?
  • Can't install cygnus-ngsi via Docker
  • API time zone representation
  • Animation of SVG doesnt work
  • How to define and invoke inline a lambda expression in Java
  • Wit.ai - When are the actions triggered?
  • TIBCO SPOTFIRE Time on y-axis (avg duration)
  • Google PubSub Emulator: How to configure logging level
  • Run script in relative path via System.cmd in elixir
  • WSO2 Identity Server: SLO redirect not working as expected
  • Windows Mobil Apps Store Define Install and Uninstall
  • Not able to detect Kurento Media Server crash
  • Flow control in pushtechnology diffusion server delaying publishing client updates
  • Geolocalization user search: Twitter API
  • Changing the filter header in Kibana?
  • Valgrind suppression and return code
  • How can I get female voice by Web Speech API in Google Chrome
  • Strategy for quick icon generation for labview?
  • STM32 internal clocks
  • OrientDB callback after record is persisted in server
  • Position of scaling points
  • Limit nested objects results in rethinkdb query
  • Outlook REST API Push Notification always send the same ResourceData
  • OBIEE Recipients can't see all other recipients of a sent email
  • Hex Encoding and Decoding
  • Why do the bindings on my Orchestration change when I install an msi?
  • Vuejs 2 + splice
  • ImageMagick - Drawing a complex image with many (lots of) squares
  • Get specific property of a model returns error: Undefined property: Illuminate\Database\Eloquent\Builder::$id
  • Installing brew on Mac 10.6 results in syntax error
  • How to create a google map from information contained in a database
  • How can I upgrade to CocoaPods 1.1 when it has been released now?
  • shadow
    Privacy Policy - Terms - Contact Us © soohba.com