
Adobe Reader and SignServer communications.

Help
ITman
2010-04-12
2023-03-27
  • ITman

    ITman - 2010-04-12

    Hi There

    I have a question for you regarding the SignServer functionality.

    I have installed and configured SignServer with EJBCA on my Ubuntu and it works fine. I can easily sign PDF documents using the URL: http://localhost:8080/signserver/pdfsign.html

    So, I have a question regarding the real use of this nice product.

    For example, we have 10 users; USER1 has to sign his PDF document using his own DIGITAL ID (meaning his own certificate generated by EJBCA, USER1.P12). When he sends his signed document to USER2, the latter can know that the signer of that document is USER1 and can also validate it.

    So, I created a USER1.p12 certificate and imported it into my Adobe using the menu: Document / Security Settings / Digital IDs / Windows Digital IDs / Add ID. But I don't find how to set Adobe Reader to communicate with my SignServer in order to sign the document.

    So, how can I use Adobe Reader and my SignServer in order to allow USER1, USER2, USER3, …, USER10 to sign their PDF documents, but with each one of them using his own P12 certificate and his signature image at the bottom of his document?

    Note: in my Adobe Reader, even if I load the USER1.P12 Digital ID, the menu Document/Sign is always greyed out. I have checked many settings in the Adobe menu Edit/Preferences/Security but without success.

    Any help will be appreciated.

    Thanks

     
  • ITman

    ITman - 2010-04-13

    Hi

    Is there any help about my post above?

    thanks

     
  • Markus Kilås

    Markus Kilås - 2010-04-13

    Hi,

    SignServer is for server-side signatures; however, it is possible to configure 10 different signers, SignerForUser1, …, SignerForUser10, each using its own keystore. Then you can set up authentication, for instance username/password authentication or client certificate authentication, so that only user1 can use SignerForUser1 and so on.

    When you say that you are importing the keystore into Adobe Reader, it makes me think that you are trying to do signatures at the client side (Adobe Reader is a client-side application). You will have to decide if you want to use SignServer to sign the PDF, in which case you can use any of SignServer's interfaces such as the HTTP interface (for instance through the web forms pdfsign.html or genericsign.html), or if you want to use a client-side application such as Adobe Acrobat.

    One thing you can do with Adobe Acrobat (not Reader) together with SignServer is to put a timestamp in the PDF. Then you configure Acrobat to use the URL of the SignServer TSA when creating the signature.

    Regards,
    Markus

     
  • ITman

    ITman - 2010-04-13

    Thank you for your clarifications.

    I don't especially want to have a client-side signature application; SignServer is good for me. So I just need to allow my 10 users to sign their documents using their signatures, and we can know that a document X has effectively been signed by USER X.

    So, regarding your solution to create 10 signers: SignerForUser1, …, SignerForUser2.

    Do you mean that I have to create 10 workers in SignServer, each worker using its own keystore?

    But what about the server memory capacity when my 10 users become 20 or 30 or 50 users?

    Thanks for your help!

     
  • Markus Kilås

    Markus Kilås - 2010-04-14

    Yes, exactly: you create one worker for each user that should have its own signing key and certificate. The keys could be stored in individual soft keystores or in a hardware security module (HSM).

    For that number of users I don't think the memory capacity will be a problem. Just roughly calculating on the memory, let's say you have 1GB of RAM; then you could have at least 100000 users.

    Another problem in my opinion is that you will have to duplicate the configuration for each user, which could be hard to manage for a large number of users. Some solutions that come to mind now are to create better tools for updating settings for multiple users, or to develop support for using multiple keys and certificates from the same keystore.

    Regards,
    Markus

     
  • ITman

    ITman - 2010-04-14

    Hi Markus

    I am looking for the BEST, SIMPLEST and QUICKEST way to create one worker with its signing key and certificate.

    The worker will be used by one and only one user to sign his documents. Surely I will have to create many, many workers in the future if my SignServer goes into a production environment. Also, if all things are clear for me and easy to do manually, I will certainly create tools or shell scripts to create them automatically.

    So, right now, the way that I use to create my workers is a little bit complicated.

    Please, could you show me the simple steps to follow in order to get my workers installed and able to sign!

    thanks
    Kader

     
  • Markus Kilås

    Markus Kilås - 2010-04-15

    The easiest setup is probably to build SignServer with all modules already included; then you will just have to set properties for the workers you want. Set the property includemodulesinbuild=true in signserver_build.properties and do an "ant deploy".

    Then create a configuration file for your worker(s), let's call it pdfsigners_configuration.properties, with similar content as below:
    GLOB.WORKER42.CLASSPATH = org.signserver.module.pdfsigner.PDFSigner
    GLOB.WORKER42.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.P12CryptoToken
    WORKER42.NAME=PDFSigner
    WORKER42.AUTHTYPE=NOAUTH
    WORKER42.KEYSTOREPATH=/opt/signserver/p12/pdfsigner12.p12
    WORKER42.KEYSTOREPASSWORD=foo123

    You will have to change KEYSTOREPATH and KEYSTOREPASSWORD accordingly.

    Load the configuration with:
    bin/signserver.sh setproperties pdfsigners_configuration.properties

    Apply the new configuration with:
    bin/signserver.sh reload 42

    The new configuration can then be viewed by:
    bin/signserver.sh getstatus complete all

    Regards,
    Markus

     
  • ITman

    ITman - 2010-04-15

    Hi

    Thanks for your help, now my SignServer is more interesting!!

    So, I have created, just as an example, 5 workers with different signing certificates:

    WORKER1 --> USER1.P12
    WORKER2 --> USER2.P12
    …..
    WORKER5 --> USER5.P12

    I have set up the AUTHTYPE to CLIENTCERT in order to force the client to authenticate and to ensure that each user uses only his "worker" to sign his documents.

    So, I created a new certificate for user2 with key usage "client authentication + secure email" and installed it in user2's browser. I want this user (USER2) to use only worker2 to sign his documents.

    So, it doesn't seem to work for me; is something maybe missing or wrong?

    Is there any other way to authenticate users, like username/password, or just with a certificate?

    thank you

     
  • Markus Kilås

    Markus Kilås - 2010-04-16

    For client certificate authentication to work there are a number of things to think of.

    You will need to access SignServer using a port that uses TLS client authentication; normally that is port 8443. Also, the issuer (CA root certificate) of the client certificate needs to be installed in the application server's truststore. You will then also have to add user1's certificate to the list of authorized clients for WORKER1, and so on, using "bin/signserver.sh addauthorizedclient".

    Then you will also have to make sure user1 uses a web form where workerName is set to WORKER1. genericsign.html is good for testing as it has a field for workerName.

    If you use the latest sources from our Subversion repository then you also have the option of UsernamePasswordAuthorizer (https://jira.primekey.se/browse/DSS-212), which uses HTTP basic authentication. You can build the latest documentation with "ant doc" and search in it for UserNamePasswordAuthorizer.

    Regards,
    Markus
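    A worked provisioning script that turns the two procedures above into one repeatable step: the per-worker properties file, setproperties and reload from the 2010-04-15 reply, and the per-worker addauthorizedclient step from the 2010-04-16 reply. It is an added example written for this page, not SignServer's own tooling and not code posted by anyone in the thread. Everything outside those two replies is an assumption: SIGNSERVER_HOME, the p12/<user>.p12 plus p12/<user>.pass layout, the worker-id base 100, the SignerFor<user> naming, and the addauthorizedclient argument order (worker id, certificate serial in hex, issuer DN), which you should confirm against the usage output of bin/signserver.sh.

```shell
#!/bin/sh
# Added example (not SignServer's own tooling): provision one PDFSigner worker
# per user, each bound to that user's P12 keystore, with AUTHTYPE=CLIENTCERT so
# that only the certificate registered for that worker may use it.
# ASSUMPTIONS: SIGNSERVER_HOME, the p12/<user>.p12 and p12/<user>.pass layout,
# WORKER_BASE=100 and the addauthorizedclient argument order are made up here.

SIGNSERVER_HOME=${SIGNSERVER_HOME:-/opt/signserver}
WORKER_BASE=100   # assumed: the N-th user gets worker id WORKER_BASE+N

# worker_props ID NAME KEYSTORE PASSWORD
# Print the property lines for one PDFSigner worker backed by a P12 soft keystore.
worker_props() {
    cat <<EOF
GLOB.WORKER$1.CLASSPATH=org.signserver.module.pdfsigner.PDFSigner
GLOB.WORKER$1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.P12CryptoToken
WORKER$1.NAME=$2
WORKER$1.AUTHTYPE=CLIENTCERT
WORKER$1.KEYSTOREPATH=$3
WORKER$1.KEYSTOREPASSWORD=$4
EOF
}

# worker_id_for N: print the worker id of the N-th user (1-based).
worker_id_for() { echo $((WORKER_BASE + $1)); }

# build_config OUTFILE P12DIR USER...
# Write the properties for every listed user into OUTFILE. The file carries
# keystore passwords, so it is built in a 0600 temp file (mktemp) and moved into
# place only when every user's P12DIR/<user>.p12 and P12DIR/<user>.pass exist;
# on a missing file nothing is written and 1 is returned.
build_config() {
    _out=$1; _dir=$2; shift 2
    _tmp=$(mktemp "$_out.XXXXXX") || return 1
    _n=1
    for _u in "$@"; do
        _ks="$_dir/$_u.p12"; _pf="$_dir/$_u.pass"
        if [ ! -f "$_ks" ] || [ ! -f "$_pf" ]; then
            echo "build_config: missing $_ks or $_pf" >&2
            rm -f "$_tmp"; return 1
        fi
        # password is read from the per-user file, never passed on a command line
        worker_props "$(worker_id_for "$_n")" "SignerFor$_u" "$_ks" "$(cat "$_pf")" >> "$_tmp"
        _n=$((_n + 1))
    done
    mv "$_tmp" "$_out"
}

# worker_ids_in FILE: list the distinct worker ids configured in FILE.
worker_ids_in() {
    sed -n 's/^WORKER\([0-9][0-9]*\)\.NAME=.*/\1/p' "$1" | sort -un
}

# load_config FILE: setproperties once, then reload each worker the file defines
# (the same two admin CLI steps as in the reply above, applied per worker).
load_config() {
    "$SIGNSERVER_HOME/bin/signserver.sh" setproperties "$1" || return 1
    for _id in $(worker_ids_in "$1"); do
        "$SIGNSERVER_HOME/bin/signserver.sh" reload "$_id" || return 1
    done
}

# authorize_client WORKERID CERT_PEM
# Register the user's client certificate as an authorized client of his worker.
# ASSUMED argument order: worker id, serial number in hex, issuer DN in
# RFC 2253 order (CN=...,O=...,C=...), which is what Java-style DNs look like.
authorize_client() {
    _serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    _issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    "$SIGNSERVER_HOME/bin/signserver.sh" addauthorizedclient "$1" "$_serial" "$_issuer"
}

# Example run with an assumed user list; only executed as "sh provision.sh provision".
if [ "${1:-}" = "provision" ]; then
    build_config pdfsigners_configuration.properties "$SIGNSERVER_HOME/p12" user1 user2 user3 &&
    load_config pdfsigners_configuration.properties
fi
```

    Note that the generated properties file contains every user's keystore password in clear text; keep it 0600, delete it after setproperties, and treat it like the P12 files themselves. With AUTHTYPE=CLIENTCERT a worker rejects requests until authorize_client has been run for it, which is the behaviour you want when each worker represents exactly one person.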

     
  • ITman

    ITman - 2010-04-20

    Hi
    I need help to find what's wrong with my SignServer. My purpose is to allow each user to connect to SignServer using a client certificate (https) and use only his own WORKER (to which I have attached the user's P12 certificate).

    So, I followed the recommendations indicated in the last reply of this topic, which are so clear, but it seems that something is not done correctly on my side!

    **MY PROBLEM IS: when user X tries to connect to SignServer with HTTPS (port 8443) in order to use worker X to sign his document. So, I installed the client authentication certificate in user X's browser and user X tries to connect using this URL:

    https://VM-CAServer:8443/signserver/genericsign.html

    THE ERROR IS: my SignServer shows me the wrong certificate to accept, I mean the certificate for localhost issued by AdminCA1 and not the correct certificate, which is the VM-CAServer one issued by MyRootCA ???!!!! And sometimes it doesn't display the genericsign.html page at all!!**

    Here are my steps : ( ON SERVER SIDE )

    - I have created an SSL server certificate as follows:
       + create an end entity profile (called WebServer) and associate to it a SERVER certificate profile
       + create an end entity (called websrv1) using the WebServer end entity profile
       + in the public web, I used "CREATE BROWSER CERTIFICATE" in the menu to generate the SSL certificate for my SignServer SSL connection
       + rename it as tomcat.jks and put it in /usr/local/signserver/p12
       + download the root CA (called MyRootCA) in PEM format, rename it as rootcert.cer and put it in /usr/local/signserver/p12

    - I changed /usr/local/signserver/signserver_build.properties as follows:

    **# -------- Web GUI configuration --------------

    # set this if the web server should not be configured for HTTPS.
    j2ee.web-nohttps=true

    # When upgrading, the important options are:
    # - httpsserver.password

    # Password for java trust keystore (p12/truststore.jks), default is changeit.
    #java.trustpassword=changeit

    # Path to the root certificate to be imported into the java truststore.
    java.trustcert=/usr/local/signserver/p12/rootcert.cer

    # The password used to protect the web servers SSL keystore.
    httpsserver.password=serverpwd

    # The path to the web servers SSL keystore.
    # Default: p12/tomcat.jks
    httpsserver.keystore=/usr/local/signserver/p12/tomcat.jks

    # The public port JBoss will listen to http on
    # Default 8080
    #httpserver.pubhttp=8080

    # The public port JBoss will listen to https on, no client cert required
    # Default 8442
    #httpserver.pubhttps=8442

    # The private port JBoss will listen to https on, client cert required
    # Default 8443
    #httpserver.privhttps=8443

    # The interfaces JBoss will bind to. E.g. 127.0.0.1 will only allow connections from localhost.
    # Default 0.0.0.0
    #httpsserver.bindaddress.pubhttp=0.0.0.0
    #httpsserver.bindaddress.pubhttps=0.0.0.0
    #httpsserver.bindaddress.privhttps=0.0.0.0

    # Default content encoding used to display JSP pages, for example ISO-8859-1, UTF-8 or GBK.
    # Default: ISO-8859-1
    #web.contentencoding=ISO-8859-1**

    - After that I stopped JBoss,
    - /usr/local/signserver/# ant deploy
    - start JBoss

    *** Here is the content of my web SSL certificate that I generated, called tomcat.jks, and put in /usr/local/signserver/p12
    **
    root@VM-CAServer:/usr/local/signserver/p12# keytool -list -v -keystore tomcat.jks
    Enter keystore password: 

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    Alias name: vm-caserver
    Creation date: Apr 16, 2010
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate:
    Owner: CN=VM-CAServer
    Issuer: C=CA, O=CALAB, CN=MyRootCA
    Serial number: 2f42a47cf3bb5401
    Valid from: Fri Apr 16 13:46:15 EDT 2010 until: Sun Apr 15 13:46:15 EDT 2012
    Certificate fingerprints:
    MD5:  13:69:3D:BC:F5:F2:C7:FD:21:0C:7D:5F:01:83:A8:D0
    SHA1: 80:ED:A3:F8:14:CF:AD:CD:BC:9E:F6:8A:99:E4:00:95:16:53:3E:15
    Signature algorithm name: SHA1withRSA
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]

    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: AD 2A 48 BC 75 FA F3 54   51 EC 27 21 D1 22 CF 41  .*H.u..TQ.'!.".A
    0010: 5E 0A 0B 9A                                        ^…
    ]
    ]

    #4: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
    ]

    #5: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: D8 94 26 72 9D 9B 23 78   77 4C 18 05 93 9B 85 A4  ..&r..#xwL……
    0010: 85 81 89 5F                                        …_
    ]

    ]

    Certificate:
    Owner: C=CA, O=CALAB, CN=MyRootCA
    Issuer: C=CA, O=CALAB, CN=MyRootCA
    Serial number: 134cfecc3e2e2496
    Valid from: Thu Apr 08 16:17:45 EDT 2010 until: Wed Apr 08 16:17:45 EDT 2020
    Certificate fingerprints:
    MD5:  B0:07:03:E7:83:E6:7A:80:D8:9C:84:59:F0:3D:1F:BF
    SHA1: E0:76:85:B0:1C:21:5D:CD:5A:78:55:09:72:3B:D2:1B:82:27:F1:B4
    Signature algorithm name: SHA1withRSA
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_CertSign
      Crl_Sign
    ]

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D8 94 26 72 9D 9B 23 78   77 4C 18 05 93 9B 85 A4  ..&r..#xwL……
    0010: 85 81 89 5F                                        …_
    ]
    ]

    #4: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: D8 94 26 72 9D 9B 23 78   77 4C 18 05 93 9B 85 A4  ..&r..#xwL……
    0010: 85 81 89 5F                                        …_
    ]

    ]

    *******************************************
    *******************************************

    Alias name: cacert
    Creation date: Apr 16, 2010
    Entry type: trustedCertEntry

    Owner: C=CA, O=CALAB, CN=MyRootCA
    Issuer: C=CA, O=CALAB, CN=MyRootCA
    Serial number: 134cfecc3e2e2496
    Valid from: Thu Apr 08 16:17:45 EDT 2010 until: Wed Apr 08 16:17:45 EDT 2020
    Certificate fingerprints:
    MD5:  B0:07:03:E7:83:E6:7A:80:D8:9C:84:59:F0:3D:1F:BF
    SHA1: E0:76:85:B0:1C:21:5D:CD:5A:78:55:09:72:3B:D2:1B:82:27:F1:B4
    Signature algorithm name: SHA1withRSA
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_CertSign
      Crl_Sign
    ]

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D8 94 26 72 9D 9B 23 78   77 4C 18 05 93 9B 85 A4  ..&r..#xwL……
    0010: 85 81 89 5F                                        …_
    ]
    ]

    #4: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: D8 94 26 72 9D 9B 23 78   77 4C 18 05 93 9B 85 A4  ..&r..#xwL……
    0010: 85 81 89 5F                                        …_
    ]

    ]

    *******************************************
    *******************************************
    **

    - But after deploying SignServer and restarting JBoss, here are the new keystore files of JBoss (they don't contain my new
      certificate for VM-CAServer, my web server):

    **root@VM-CAServer:/usr/local/jboss/server/default/conf/keystore# keytool -list -keystore keystore.jks
    Enter keystore password: 

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    cacert, Mar 30, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): 72:07:66:80:E5:83:EB:73:BE:9B:B8:F3:07:6D:BB:98
    localhost, Mar 30, 2010, PrivateKeyEntry,
    Certificate fingerprint (MD5): 56:C7:85:F7:CA:A5:BB:5D:F6:27:F0:21:2D:4B:04:DD**

    **root@VM-CAServer:/usr/local/jboss/server/default/conf/keystore# keytool -list -keystore truststore.jks
    Enter keystore password: 

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    adminca1, Mar 30, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): 72:07:66:80:E5:83:EB:73:BE:9B:B8:F3:07:6D:BB:98**

    - tomcat.jks and keystore.jks have the same password (serverpwd) and truststore.jks has changeit as password

    - NOW, ON CLIENT SIDE

    - I generated a certificate profile (called clientauth)
       + it has these key usages/extensions: (digital signature, non-repudiation, key encipherment, client authentication, secure email)
    - I created an end entity profile (called userprofile) and associated the clientauth certificate profile with it
    - I created an end entity using the userprofile and generated a P12 certificate for my USER X and installed it in his browser, IE (this P12 certificate is issued by MyRootCA and not AdminCA1)

    NOTE: I have also added manually the VM-CAServer SSL certificate to keystore.jks and the MyRootCA.pem root CA to truststore.jks but my problem is not fixed!

    Many other things have been done but no way!!!!!!

    Please, help!!!!!!

     
  • ITman

    ITman - 2010-04-21

    Hello

    Would you please help me regarding my last post? I know that it is so long, but many of the lines are the contents of files, in order to give you more information about my problem.

     
  • Markus Kilås

    Markus Kilås - 2010-04-22

    An "ant deploy" might not change the keystore if it already exists in JBoss, which in your case it does, as it looks like you have both EJBCA and SignServer deployed. However, manually adding the right tomcat certificate to /usr/local/jboss/server/default/conf/keystore/keystore.jks and the CA certificate that issued the client certificates to /usr/local/jboss/server/default/conf/keystore/truststore.jks and restarting JBoss should solve the problem.

    You can test the two different problems separately by first visiting https://server-name:8442, which uses SSL but no client authentication, just to see that the web server is presenting the right certificate (the one in keystore.jks). When that is working you can go on to making sure that a certificate issued by the CA you put in truststore.jks is installed in the client's web browser. Restart the web browser and then visit https://server-name:8443; depending on your browser it should display a dialog letting you choose which certificate to authenticate with (this is done in Firefox 3 at least). If you instead get an error message, the issuer of the certificate is not matching that in the truststore.

    Regards,
    Markus
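    The two checks in the reply above (does 8442 serve the certificate from keystore.jks, and does 8443 ask for a client certificate from the CA in truststore.jks) can be done from a shell without a browser. The script below is an added diagnostic written for this page, not part of SignServer, EJBCA or anything posted in the thread. It parses the output of keytool -list -v, openssl x509 -fingerprint and openssl s_client; the host VM-CAServer, ports 8442/8443, the keystore path and the alias in the example run are assumptions taken from the posts above and must be adjusted to your deployment.

```shell
#!/bin/sh
# Added diagnostic (not part of SignServer or EJBCA): compare the certificate a
# JBoss HTTPS connector actually serves with the entry in keystore.jks, and list
# the client CAs the client-cert connector announces in its CertificateRequest.
# ASSUMPTIONS: host name, ports, keystore path and alias in the example run are
# taken from the thread and are not known to be correct for your server.

# sha1_from_keytool: stdin is `keytool -list -v` output; print the SHA1
# fingerprint of the first certificate listed (the PrivateKeyEntry's own cert),
# upper-case and colon separated.
sha1_from_keytool() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | sed -n '1p' | tr 'a-f' 'A-F'
}

# sha1_from_openssl: stdin is `openssl x509 -noout -fingerprint -sha1` output
# ("SHA1 Fingerprint=..." on 1.x, "sha1 Fingerprint=..." on OpenSSL 3); print
# the fingerprint in the same form as sha1_from_keytool so they compare equal.
sha1_from_openssl() {
    sed -n 's/^[Ss][Hh][Aa]1 Fingerprint=//p' | sed -n '1p' | tr 'a-f' 'A-F'
}

# client_cas_from_s_client: stdin is `openssl s_client` output; print the DNs
# under "Acceptable client certificate CA names". Empty output means the server
# did not request a client certificate (expected on 8442, a fault on 8443).
client_cas_from_s_client() {
    awk '/^Acceptable client certificate CA names/ { on = 1; next }
         on && (/^Client Certificate Types/ || /^Requested Signature/ || /^Shared Requested/ || /^---/) { exit }
         on { print }'
}

# expected_sha1 KEYSTORE ALIAS STOREPASS: fingerprint of the entry JBoss should serve.
expected_sha1() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null | sha1_from_keytool
}

# presented_sha1 HOST PORT: fingerprint of the leaf certificate the server sends.
presented_sha1() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 2>/dev/null | sha1_from_openssl
}

# announced_client_cas HOST PORT: CAs the client-auth connector says it accepts.
announced_client_cas() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | client_cas_from_s_client
}

# check_connector HOST PORT KEYSTORE ALIAS STOREPASS
# Return 0 when the served certificate is the keystore entry, 1 otherwise.
# A mismatch here means the connector never picked up keystore.jks (the
# "localhost issued by AdminCA1" symptom), so fixing truststore.jks is premature.
check_connector() {
    _want=$(expected_sha1 "$3" "$4" "$5")
    _got=$(presented_sha1 "$1" "$2")
    if [ -n "$_want" ] && [ "$_want" = "$_got" ]; then
        echo "$1:$2 presents the keystore certificate ($_got)"
    else
        echo "$1:$2 presents '$_got' but $3 alias '$4' is '$_want'" >&2
        return 1
    fi
}

# Example run (assumed values); only executed as "sh tlscheck.sh run".
if [ "${1:-}" = "run" ]; then
    KS=/usr/local/jboss/server/default/conf/keystore/keystore.jks
    check_connector VM-CAServer 8442 "$KS" vm-caserver serverpwd
    echo "client CAs announced on 8443 (should include MyRootCA):"
    announced_client_cas VM-CAServer 8443
fi
```

    Run the 8442 check first; until it passes, the browser dialog on 8443 will always show the old localhost certificate regardless of what is in truststore.jks. Once 8442 serves the right certificate, an empty CA list on 8443 (or one naming only AdminCA1) points at the truststore rather than the client's P12.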

     
  • ITman

    ITman - 2010-04-26

    Hi Markus

    I have already added the tomcat certificate manually to the JBoss keystore.jks and the root CA to the JBoss truststore.jks, but it didn't fix my problem. I tried also using the 8442 port but I get the same certificate asking me to accept it, I mean the web certificate issued to localhost and issued by AdminCA1.

    So, maybe the way that I generated the web server certificate (tomcat.jks) is not correct. Just to be sure of what I have done:

    Should I absolutely provide a web server certificate request before getting the SSL certificate for that web server?

    Please, what is the best way in my case to get the web server SSL certificate?

    My case is that I have SignServer on JBoss with many workers. Each worker will be used only by one user to sign his documents.

     
  • Markus Kilås

    Markus Kilås - 2010-04-27

    Hi,
    The easiest way I can think of to create the tomcat keystore.jks is to create an end entity in EJBCA using the SERVER profiles and on the public web choose "Create keystore" and in the drop-down box choose JKS-file. But please make sure that you set the right password for the end entity (i.e. serverpwd). You can then place this file, called keystore.jks, at the right place in JBoss and monitor the JBoss logfile when it starts to see that there are no problems with the keystore.

    Regards,
    Markus

     
  • ITman

    ITman - 2010-04-27

    But what about the keystore.jks file that is already in jboss/server/default/conf/keystore, which is created by deploying EJBCA and contains a certificate for localhost issued by AdminCA1? Should I replace it, or merge both of them into one using the keytool -importkeystore command?

     
  • Manuel Rodriguez Coria

    I followed this sample to add a worker
    and JBoss sends:
    java.lang.ClassNotFoundException: No ClassLoaders found for: org.signserver.module.pdfsigner.PDFSigner

     
  • Tomas Gustavsson

    Which sample? It's good if you specify more clearly what you do, otherwise we just guess. You have many threads going on; I will only focus on "cant load good the pdfsinger workers".

     
  • NASSARA Vincent

    NASSARA Vincent - 2023-03-27

    I configured a timestamp worker and it works, but in Adobe Reader when verifying it shows: "signature includes an embedded timestamp but could not be verified." I am using SignServer CE 5.2 and Adobe for verification. How can I fix this?

     
