From: Markus K. <mar...@pr...> - 2017-06-26 19:37:24

On 06/26/2017 02:21 PM, And Impd wrote:
> Hello,
>
> I'm trying to get SignServer 4.0 CE up using WildFly9 (hosted in MS Azure Ubuntu 17.04) for evaluation purposes. I have followed installation instructions and managed to have signserver.ear successfully deployed. The app server starts and I can access SignServer via local URL (http://localhost:4457/signserver).
>
> However, when I navigate to /signserver/demo/pdfsign.jsp and click on the Submit button to invoke PDFSigner I get redirected to /signserver/worker/PDFSigner and the following error is displayed:
>
> HTTP Status 404 - Worker Not Found
>
> The exact message from logs is this:
>
> 10:54:38,477 INFO [org.signserver.server.log.SignServerLog4jDevice] (default task-24) EVENT: PROCESS; OUTCOME: FAILURE; MODULE: WORKER; ADMINISTRATOR: Client user; ISSUER: null; SERIAL_NUMBER: null; WORKER_ID: null; EXCEPTION: No such worker: PDFSigner/; PROCESS_SUCCESS: false; LOG_TIME: 1498474478472; LOG_ID: 82e250f4-e4ca-4281-93dc-dfdf70819161; CLIENT_IP: xxx.xxx.xxx.xxx; REPLY_TIME:1498474478477
>
> Next, if I simply reload the current signserver/worker/PDFSigner page I don't get 404 error, instead I get HTTP 400 code:
>
> 12:13:51,685 INFO [org.signserver.web.GenericProcessServlet] (default task-16) Bad request: Missing field 'data' in request
>
> Why the PDFSigner worker is not found in the demo app while the app server seems to start successfully without any critical exception (except for https:// complaints)? I have tried other demo pages and other workers like XMLSigner: same stuff.
>
> What config places should I check to enable the PDFSigner worker in the demo app? Any help/hints would be much appreciated.
>
> Thanks,
> Andrew S.

Hi Andrew,

This is all expected as the demo web forms are just static forms and by default the SignServer database is empty with no workers configured.

You will need to configure the workers that you want to have either using the command line interface or GUI. The quick start demo guide shows how you can first set up a keystore crypto token with the bundled keystore containing already ready keys and certificates and then to set up a PDF signer:
https://www.signserver.org/doc/current/manual/installguide.html#Quick_start_demo_PDF_signer

Regards,
Markus Kilås
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see www.primekey.com for more information.
https://www.primekey.com/products/software/
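To make the reply concrete, here is a minimal worker configuration in the same `GLOB.WORKERGENIDn` / `WORKERGENIDn` property syntax that appears later in this thread. It is an added illustration written for this page, not a file shipped with SignServer or copied from the quick-start guide. The token name `CryptoTokenP12`, the keystore path, the password `changeit` and the key alias `signer00001` are placeholders; the real bundled demo keystore, its password and its alias are the ones given in the guide linked above. The PDFSigner class name is the one SignServer's pdfsigner module uses.

```properties
# Crypto token backed by a PKCS#12 keystore file (placeholder path, password and alias).
# Setting KEYSTOREPASSWORD here auto-activates the token at startup; it also means
# anyone who can read the worker configuration (database or admin CLI) learns the
# keystore password, so treat that configuration as a secret.
GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.KeystoreCryptoToken
WORKERGENID1.NAME=CryptoTokenP12
WORKERGENID1.KEYSTORETYPE=PKCS12
WORKERGENID1.KEYSTOREPATH=/opt/signserver/demo-keystore.p12
WORKERGENID1.KEYSTOREPASSWORD=changeit
WORKERGENID1.DEFAULTKEY=signer00001

# PDF signer using the token above. NAME must be exactly "PDFSigner": that is the
# path the bundled demo form posts to (/signserver/worker/PDFSigner), and the
# "No such worker: PDFSigner/" in the question is the servlet failing to find a
# worker with that name.
GLOB.WORKERGENID2.CLASSPATH=org.signserver.module.pdfsigner.PDFSigner
WORKERGENID2.NAME=PDFSigner
WORKERGENID2.AUTHTYPE=NOAUTH
WORKERGENID2.CRYPTOTOKEN=CryptoTokenP12
WORKERGENID2.DEFAULTKEY=signer00001
```

Load it with the admin CLI (`bin/signserver setproperties <file>`, then `bin/signserver reload all`) and check `bin/signserver getstatus complete all`: both workers should report "Worker status : Active" and "Token status : Active", after which the demo form's submit no longer gets a 404. Two caveats a practitioner should keep in mind: `AUTHTYPE=NOAUTH` lets anyone who can reach the URL obtain signatures, which is acceptable for a localhost evaluation but is the first thing to change (for example to client-certificate authentication) before the worker is reachable from anywhere else; and the `GLOB.…CLASSPATH` form is the one used for 3.7 elsewhere in this thread, while newer releases also document `WORKERGENIDn.IMPLEMENTATION_CLASS` and `WORKERGENIDn.CRYPTOTOKEN_IMPLEMENTATION_CLASS` for the same purpose.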
From: And I. <and...@gm...> - 2017-06-26 12:21:44

Hello,

I'm trying to get SignServer 4.0 CE up using WildFly9 (hosted in MS Azure Ubuntu 17.04) for evaluation purposes. I have followed installation instructions and managed to have signserver.ear successfully deployed. The app server starts and I can access SignServer via local URL (http://localhost:4457/signserver).

However, when I navigate to /signserver/demo/pdfsign.jsp and click on the Submit button to invoke PDFSigner I get redirected to /signserver/worker/PDFSigner and the following error is displayed:

HTTP Status 404 - Worker Not Found

The exact message from logs is this:

10:54:38,477 INFO [org.signserver.server.log.SignServerLog4jDevice] (default task-24) EVENT: PROCESS; OUTCOME: FAILURE; MODULE: WORKER; ADMINISTRATOR: Client user; ISSUER: null; SERIAL_NUMBER: null; WORKER_ID: null; EXCEPTION: No such worker: PDFSigner/; PROCESS_SUCCESS: false; LOG_TIME: 1498474478472; LOG_ID: 82e250f4-e4ca-4281-93dc-dfdf70819161; CLIENT_IP: xxx.xxx.xxx.xxx; REPLY_TIME:1498474478477

Next, if I simply reload the current signserver/worker/PDFSigner page I don't get 404 error, instead I get HTTP 400 code:

12:13:51,685 INFO [org.signserver.web.GenericProcessServlet] (default task-16) Bad request: Missing field 'data' in request

Why the PDFSigner worker is not found in the demo app while the app server seems to start successfully without any critical exception (except for https:// complaints)? I have tried other demo pages and other workers like XMLSigner: same stuff.

What config places should I check to enable the PDFSigner worker in the demo app? Any help/hints would be much appreciated.

Thanks,
Andrew S.
From: Markus K. <mar...@pr...> - 2017-06-22 11:03:44

On 06/08/2017 06:18 PM, Khadija Ferjani wrote:
> Hello all,
>
> I'm using SignServer 3.7.0 to sign documents.
> I'd like to know if it is possible to activate/use a Signer (a XAdESSigner for example) with a PKCS11CryptoToken without the PIN of the private key.
> Is it possible that the signer sends the PIN as a signature parameter using web services ?
>
> --
> Best regards,
>
> Khadija FERJANI

Hi Khadija,

Currently it is not possible to send the token password with a sign request. Instead the token is activated using any of the admin interfaces or being auto-activated (=password stored in the configuration) and then the token stays active.

Even if one would add support for getting the token password from the request, after the first request the token would likely stay open due to the then open PKCS#11 sessions.

Cheers,
Markus
PrimeKey Solutions
From: Khadija F. <fe...@ng...> - 2017-06-08 17:36:29

Hello all,

I'm using SignServer 3.7.0 to sign documents.
I'd like to know if it is possible to activate/use a Signer (a XAdESSigner for example) with a PKCS11CryptoToken without the PIN of the private key.
Is it possible that the signer sends the PIN as a signature parameter using web services ?

--
Best regards,

Khadija FERJANI
From: Markus K. <mar...@pr...> - 2017-05-04 17:45:53

On 04/20/2017 12:17 PM, Arnaud Defos wrote:
> Is it possible to generate keys in another application and use it in signserver ?
>
> It seems that it is not possible with signserver 3.7.0, maybe I miss something.

Hi Arnaud,

You can generate key-pairs using other applications but the new keys might not be available directly to SignServer and it might require the application server to be restarted.

Specifically for keys stored in an HSM the objects need to be following the Sun PKCS#11 provider's key store requirement:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions

Cheers,
Markus
PrimeKey Solutions
From: Arnaud D. <arn...@gm...> - 2017-04-20 10:17:11

Hi everyone,

Is it possible to generate keys in another application and use it in signserver ?

It seems that it is not possible with signserver 3.7.0, maybe I miss something.

Thanks, have a good day !

Arnaud
From: Arnaud D. <arn...@gm...> - 2017-04-13 13:25:43

Thanks Markus, it works with PKCS#12.
Have a good day !

2017-04-09 21:26 GMT+02:00 Markus Kilås <ma...@pr...>:
> On 03/21/2017 04:00 PM, Arnaud Defos wrote:
> > Hi,
> >
> > Thanks Markus, it works.
>
> Hi Arnaud,
>
> > I try now to use JKS instead of P12.
>
> Any reason why you want to use JKS instead of PKCS#12?
>
> > We have a JKSCryptoToken which seems to work fine with this configuration:
> >
> > GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
> > GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.KeystoreCryptoToken
> > WORKERGENID1.NAME=CryptoJKS
> > WORKERGENID1.KEYSTORETYPE=JKS
> > WORKERGENID1.KEYSTOREPATH=/opt/signserver/keystore.jks
> > WORKERGENID1.KEYSTOREPASSWORD=foobar
> > WORKERGENID1.DEFAULTKEY=test
> >
> > The TimestampWorker configuration looks like:
> >
> > GLOB.WORKERGENID1.CLASSPATH=org.signserver.module.tsa.TimeStampSigner
> > WORKERGENID1.NAME=TimeStampSigner
> > WORKERGENID1.AUTHTYPE=NOAUTH
> > WORKERGENID1.CRYPTOTOKEN=CryptoJKS
> > WORKERGENID1.DEFAULTTSAPOLICYOID=1.1.1.1
> > WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSA
> > WORKERGENID1.DEFAULTKEY=my-key
> >
> > We upload the signercert and signsercertchain to the TimeStampSigner without problem
> >
> > The getstatus command shows
> >
> > Current version of server is : SignServer CE 3.7.0
> > Status of CryptoWorker with id 1 (CryptoJKS) is:
> > Worker status : Active
> > Token status : Active
> >
> > Status of Signer with id 2 (PDFSigner) is:
> > Worker status : Active
> > Token status : Active
> >
> > Status of Signer with id 3 (TimeStampSigner) is:
> > Worker status : Active
> > Token status : Active
> > Signings : 0
> >
> >
> > But when we are use the following command to test the setup is correct
> > bin/signclient timestamp http://localhost:8080/signserver/process?workerName=TimeStampSigner
> > The result is
> >
> > Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
> >     at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:343)
> >     at org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97)
> >     at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45)
> > Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
> >     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1676)
> >     at org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:676)
> >     at org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:364)
> >     at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:335)
> >     ... 2 more
> >
> > and the logs shows:
> >
> > [#|2017-03-21T14:42:59.564+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [TimeStampSigner] OperatorCreationException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
>
> I believe this issue is because Bouncy Castle does not support JKS keystores (at least not previously?) the provider used is the SUN provider which apparently does not support the SHA256withRSA algorithm.
>
> So either you have to use a different signature algorithm (probably not wanted) or to use a different keystore format such as PKCS#12.
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> >     at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
> >     at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753)
> >     at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477)
> >     at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282)
> >     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:606)
> >     at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
> >     at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
> >     at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
> >     at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
> >     at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >     at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
> >     at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162)
> >     at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144)
> >     at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:606)
> >     at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861)
> >     at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >     at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370)
> >     at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360)
> >     at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348)
> >     at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214)
> >     at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
> >     at com.sun.proxy.$Proxy268.process(Unknown Source)
> >     at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487)
> >     at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
> >     at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
> >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> >     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
> >     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
> >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
> >     at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
> >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
> >     at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
> >     at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
> >     at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
> >     at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
> >     at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
> >     at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
> >     at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
> >     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
> >     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
> >     at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
> >     at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
> >     at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
> >     at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
> >     at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
> >     at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
> >     at java.lang.Thread.run(Thread.java:745)
> > Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN
> >     at sun.security.jca.GetInstance.getService(GetInstance.java:100)
> >     at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
> >     at java.security.Signature.getInstance(Signature.java:403)
> >     at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source)
> >     at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
> >     ... 56 more
> > |#]
> >
> > [#|2017-03-21T14:42:59.566+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [WorkerProcessImpl] SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> > org.signserver.common.SignServerException: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> >     at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:286)
> >     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:606)
> >     at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
> >     at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
> >     at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
> >     at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
> >     at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >     at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
> >     at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162)
> >     at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144)
> >     at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:606)
> >     at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861)
> >     at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >     at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370)
> >     at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360)
> >     at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348)
> >     at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214)
> >     at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
> >     at com.sun.proxy.$Proxy268.process(Unknown Source)
> >     at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487)
> >     at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
> >     at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
> >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> >     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
> >     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
> >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
> >     at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
> >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
> >     at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
> >     at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
> >     at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
> >     at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
> >     at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
> >     at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
> >     at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
> >     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
> >     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
> >     at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
> >     at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
> >     at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
> >     at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
> >     at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
> >     at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
> >     at java.lang.Thread.run(Thread.java:745)
> > Caused by: org.signserver.common.SignServerException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> >     at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:600)
> >     at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282)
> >     ... 52 more
> > Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> >     at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
> >     at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753)
> >     at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477)
> >     ... 53 more
> > Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN
> >     at sun.security.jca.GetInstance.getService(GetInstance.java:100)
> >     at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
> >     at java.security.Signature.getInstance(Signature.java:403)
> >     at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source)
> >     at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
> >     ... 56 more
> > |#]
> >
> > [#|2017-03-21T14:42:59.584+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|INFO [IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID: 0ed1fc43-f42b-4622-ae4f-99fba7304288; CLIENT_IP: 127.0.0.1; REQUEST_FULLURL: http://localhost:8080/signserver/process?workerName=TimeStampSigner; RequestTime: 1490103779263; ResponseTime: 15; TimeStamp: 1490103779445; TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS}; PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: 4569cf4ec5c6cd9c; TSA_POLICYID: 1.2.250.1.302.2.1.1.0; SIGNER_CERT_SERIALNUMBER: 6cc9d2ed368a8e4d; SIGNER_CERT_ISSUERDN: CN=TEST - SIGN2 TEST CA,OU=794513986,O=TEST,L=CAEN,ST=CALVADOS,C=FR; TIMESTAMPREQUEST_ENCODED: MCwCAQEwITAJBgUrDgMCGgUABBQAAAAAAAAAAAAAAAAAAAAAAAAAAAIExHyg+Q==; TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED}; ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN; EXCEPTION: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> > |#]
> >
> > We use signserver 3.7.0, we are using openjdk-7 and we have installed the JCE package.
> >
> > Have we made something wrong ?
> > Can you help us going to the right direction ?
> >
> > Thanks a lot
From: Markus K. <ma...@pr...> - 2017-04-09 19:54:48

On 03/30/2017 02:55 PM, Khadija Ferjani wrote:
> Hello all,

Hello Khadija,

> I'm using SignServer 3.7.0 to sign documents.
> The client can only send the digest of the documents to be signed (CAdES, XAdES and PAdES signatures)

Does it have to be exactly only the digest of the document or could it be the digest of the document and some more information?

> I have to generate the cryptographic signature with the client private key stored in an HSM and the client will then create the final signature envelope.

If the client is constructing the signature format (i.e. CAdES, XAdES and PAdES) it could construct the structure to be signed (i.e. containing the message-digest and all other signed attributes) and send that to the PlainSigner in SignServer. The client could then incorporate the signature bytes into the final document.

> I would like to know if the MRTDSigner allows to perform this operation (I need to use RSA and ECDSA algorithms)

The MRTDSigner was used as an early ePassport signer before the MRTDSODSigner was developed. As far as I understand it is not actually performing a full signature operation but only part of the RSA and the input needs to be padded before. I am not sure if this would work with any real HSM. For sure it would not work as it is now for ECDSA because of the hardcoded RSA algorithm below.

> Note : I found the following lines in the source code (MRTDSigner.java),
>
>     // Using a PKCS#11 HSM plain RSA Cipher does not work, but we have to use RSA/ECB/PKCS1Padding
>     // It may be possible to use that, if the data is already padded correctly when it is sent as input, but only for
>     // PKCS#1, not PSS. Sun's PKCS#11 provider does not supoprt PSS (OAEP) padding yet as of 2009-08-14.
>     // The below (plain RSA) works for soft keystores and PrimeCardHSM
>     c = Cipher.getInstance("RSA", getCryptoToken().getProvider(ICryptoToken.PROVIDERUSAGE_SIGN));
>
> Best regards,
>
> Khadija FERJANI

Cheers,
Markus
PrimeKey Solutions
From: Markus K. <ma...@pr...> - 2017-04-09 19:26:37

On 03/21/2017 04:00 PM, Arnaud Defos wrote:
> Hi,
>
> Thanks Markus, it works.

Hi Arnaud,

> I try now to use JKS instead of P12.

Any reason why you want to use JKS instead of PKCS#12?

> We have a JKSCryptoToken which seems to work fine with this configuration:
>
> GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
> GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.KeystoreCryptoToken
> WORKERGENID1.NAME=CryptoJKS
> WORKERGENID1.KEYSTORETYPE=JKS
> WORKERGENID1.KEYSTOREPATH=/opt/signserver/keystore.jks
> WORKERGENID1.KEYSTOREPASSWORD=foobar
> WORKERGENID1.DEFAULTKEY=test
>
> The TimestampWorker configuration looks like:
>
> GLOB.WORKERGENID1.CLASSPATH=org.signserver.module.tsa.TimeStampSigner
> WORKERGENID1.NAME=TimeStampSigner
> WORKERGENID1.AUTHTYPE=NOAUTH
> WORKERGENID1.CRYPTOTOKEN=CryptoJKS
> WORKERGENID1.DEFAULTTSAPOLICYOID=1.1.1.1
> WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSA
> WORKERGENID1.DEFAULTKEY=my-key
>
> We upload the signercert and signsercertchain to the TimeStampSigner without problem
>
> The getstatus command shows
>
> Current version of server is : SignServer CE 3.7.0
> Status of CryptoWorker with id 1 (CryptoJKS) is:
> Worker status : Active
> Token status : Active
>
> Status of Signer with id 2 (PDFSigner) is:
> Worker status : Active
> Token status : Active
>
> Status of Signer with id 3 (TimeStampSigner) is:
> Worker status : Active
> Token status : Active
> Signings : 0
>
>
> But when we are use the following command to test the setup is correct
> bin/signclient timestamp http://localhost:8080/signserver/process?workerName=TimeStampSigner
> The result is
>
> Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
>     at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:343)
>     at org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97)
>     at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45)
> Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1676)
>     at org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:676)
>     at org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:364)
>     at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:335)
>     ... 2 more
>
> and the logs shows:
>
> [#|2017-03-21T14:42:59.564+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [TimeStampSigner] OperatorCreationException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN

I believe this issue is because Bouncy Castle does not support JKS keystores (at least not previously?) the provider used is the SUN provider which apparently does not support the SHA256withRSA algorithm.

So either you have to use a different signature algorithm (probably not wanted) or to use a different keystore format such as PKCS#12.

Cheers,
Markus
PrimeKey Solutions

>     at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
>     at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753)
>     at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477)
>     at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282)
>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
>     at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
>     at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
>     at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
>     at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
>     at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
>     at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162)
>     at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144)
>     at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861)
>     at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
>     at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370)
>     at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360)
>     at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348)
>     at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214)
>     at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
>     at com.sun.proxy.$Proxy268.process(Unknown Source)
>     at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487)
>     at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
>     at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>     at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
>     at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
>     at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
>     at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
>     at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
>     at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
>     at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
>     at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
>     at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
>     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
>     at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
>     at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
>     at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
>     at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
>     at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
>     at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
>     at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN
>     at sun.security.jca.GetInstance.getService(GetInstance.java:100)
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
>     at java.security.Signature.getInstance(Signature.java:403)
>     at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source)
>     at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
>     ...
56 more > |#] > > [#|2017-03-21T14:42:59.566+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR > [WorkerProcessImpl] SignServerException calling signer with id 3 : > cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN > org.signserver.common.SignServerException: SignServerException calling > signer with id 3 : cannot create signer: no such algorithm: > SHA256WITHRSA for provider SUN > at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:286) > at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at > org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052) > at > org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124) > at > com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388) > at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619) > at > com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800) > at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571) > at > com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162) > at > com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144) > at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at > 
com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861) > at > com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800) > at > com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370) > at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360) > at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348) > at > com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214) > at > com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88) > at com.sun.proxy.$Proxy268.process(Unknown Source) > at > org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487) > at > org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:688) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:770) > at > org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) > at > org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655) > at > org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161) > at > org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231) > at > com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317) > at > com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195) > at 
com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849) > at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746) > at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045) > at > com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228) > at > com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137) > at > com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104) > at > com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90) > at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79) > at > com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54) > at > com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59) > at com.sun.grizzly.ContextTask.run(ContextTask.java:71) > at > com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532) > at > com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.signserver.common.SignServerException: cannot create > signer: no such algorithm: SHA256WITHRSA for provider SUN > at > org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:600) > at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282) > ... 52 more > Caused by: org.bouncycastle.operator.OperatorCreationException: cannot > create signer: no such algorithm: SHA256WITHRSA for provider SUN > at > org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown > Source) > at > org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753) > at > org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477) > ... 
53 more > Caused by: java.security.NoSuchAlgorithmException: no such algorithm: > SHA256WITHRSA for provider SUN > at sun.security.jca.GetInstance.getService(GetInstance.java:100) > at sun.security.jca.GetInstance.getInstance(GetInstance.java:218) > at java.security.Signature.getInstance(Signature.java:403) > at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown > Source) > at > org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown > Source) > ... 56 more > |#] > > [#|2017-03-21T14:42:59.584+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|INFO > [IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID: > 0ed1fc43-f42b-4622-ae4f-99fba7304288; CLIENT_IP: 127.0.0.1; > REQUEST_FULLURL: > http://localhost:8080/signserver/process?workerName=TimeStampSigner; > RequestTime: 1490103779263; ResponseTime: 15; TimeStamp: 1490103779445; > TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS}; > PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: 4569cf4ec5c6cd9c; > TSA_POLICYID: 1.2.250.1.302.2.1.1.0; SIGNER_CERT_SERIALNUMBER: > 6cc9d2ed368a8e4d; SIGNER_CERT_ISSUERDN: CN=TEST - SIGN2 TEST > CA,OU=794513986,O=TEST,L=CAEN,ST=CALVADOS,C=FR; > TIMESTAMPREQUEST_ENCODED: > MCwCAQEwITAJBgUrDgMCGgUABBQAAAAAAAAAAAAAAAAAAAAAAAAAAAIExHyg+Q==; > TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED}; > ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION: > cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN; > EXCEPTION: SignServerException calling signer with id 3 : cannot create > signer: no such algorithm: SHA256WITHRSA for provider SUN > > |#] > > We use signserver 3.7.0, we are using openjdk-7 and we have installed > the JCE package. > > Have we made something wrong ? > Can you help us going to the right direction ? > > Thanks a lot |
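As an added example (not from this thread and not SignServer's own code), the following JDK-only program shows what the trace above is complaining about: it prints which JCA provider backs each keystore type and whether that provider can create a SHA256withRSA Signature. A JKS keystore resolves to the SUN provider, and SUN contains no RSA signature implementation (those live in SunRsaSign), so code that pins the keystore's provider name when building the signer, which is what the trace shows Bouncy Castle's JcaContentSignerBuilder doing with provider SUN, fails with exactly this NoSuchAlgorithmException. The provider names and the algorithm are the ones from the log; nothing else is assumed.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;

/** Diagnostic: which provider backs a keystore type, and can it sign with a given algorithm? */
public class ProviderCheck {

    /** Name of the JCA provider that backs the given KeyStore type, or null if the type is unknown. */
    static String keyStoreProvider(String type) {
        try {
            return KeyStore.getInstance(type).getProvider().getName();
        } catch (KeyStoreException e) {
            return null;
        }
    }

    /** True only if the named provider itself can create a Signature for the algorithm. */
    static boolean providerHasSignature(String providerName, String algorithm) {
        try {
            Signature.getInstance(algorithm, providerName);
            return true;
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            // Either the provider is not installed, or it has no implementation of this algorithm.
            return false;
        }
    }

    /** Names of every installed provider that offers the algorithm (what the default lookup would pick from). */
    static List<String> providersOffering(String algorithm) {
        List<String> names = new ArrayList<>();
        Provider[] found = Security.getProviders("Signature." + algorithm);
        if (found != null) {
            for (Provider p : found) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        String alg = "SHA256withRSA";
        for (String type : new String[] {"JKS", "PKCS12"}) {
            String prov = keyStoreProvider(type);
            // Pinning the keystore's provider for signing only works if this prints "true".
            System.out.printf("%-7s keystore -> provider %-10s supports %s: %s%n",
                    type, prov, alg, prov != null && providerHasSignature(prov, alg));
        }
        // "SUN" fails here; "SunRsaSign" succeeds; "BC" succeeds only if Bouncy Castle is registered.
        for (String p : new String[] {"SUN", "SunRsaSign", "BC"}) {
            System.out.println(p + " can create " + alg + ": " + providerHasSignature(p, alg));
        }
        System.out.println("Providers offering " + alg + ": " + providersOffering(alg));
    }
}
```

Run it with the same JDK the application server uses (javac ProviderCheck.java && java ProviderCheck); if Bouncy Castle is registered it appears in the last line as well. Moving to PKCS#12 is one keytool command, keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12, after which KEYSTORETYPE=PKCS12 and a KEYSTOREPATH pointing at the .p12 file are the only worker property changes.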
From: Khadija F. <fe...@ng...> - 2017-03-30 14:12:48
|
Hello all,

I'm using SignServer 3.7.0 to sign documents. The client can only send the digest of the documents to be signed (CAdES, XAdES and PAdES signatures). I have to generate the cryptographic signature with the client private key stored in an HSM, and the client will then create the final signature envelope.

I would like to know if the MRTDSigner allows to perform this operation (I need to use RSA and ECDSA algorithms).

Note: I found the following lines in the source code (MRTDSigner.java):

// Using a PKCS#11 HSM plain RSA Cipher does not work, but we have to use RSA/ECB/PKCS1Padding
// It may be possible to use that, if the data is already padded correctly when it is sent as input, but only for
// PKCS#1, not PSS. Sun's PKCS#11 provider does not support PSS (OAEP) padding yet as of 2009-08-14.
// The below (plain RSA) works for soft keystores and PrimeCardHSM
c = Cipher.getInstance("RSA", getCryptoToken().getProvider(ICryptoToken.PROVIDERUSAGE_SIGN));

Best regards,
Khadija FERJANI |
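As an added example (not part of the message above and not SignServer's MRTDSigner code), this is the mechanism the quoted comment hints at, written out so it can be run with plain JDK providers: a server that holds the key signs a client-supplied SHA-256 digest and the result verifies as an ordinary SHA256withRSA or SHA256withECDSA signature over the whole document. For RSA, the JDK cipher RSA/ECB/PKCS1Padding in ENCRYPT_MODE with a private key applies PKCS#1 v1.5 block type 1 padding, so prepending the DigestInfo header to the digest yields a standard signature; that shortcut exists only for PKCS#1 v1.5, not PSS, which is the caveat in the comment. For ECDSA, NONEwithECDSA takes the hash directly. A freshly generated key pair stands in for the HSM key and the document is constructed; nothing here is taken from the project.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

import javax.crypto.Cipher;

/** Signing a client-supplied digest so the output is a standard SHA256withRSA / SHA256withECDSA signature. */
public class DigestSigning {

    // DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1):
    // SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING (32 bytes) }
    private static final byte[] SHA256_DIGEST_INFO_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01, 0x65,
        0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };

    /** Client side: only this digest leaves the client. */
    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /**
     * Server side, RSA. The SunJCE RSA cipher pads with block type 1 when encrypting with a
     * private key, so DigestInfo || digest under RSA/ECB/PKCS1Padding is a PKCS#1 v1.5 signature.
     * With a plain "RSA" (no padding) cipher the caller would have to build the padded block itself.
     */
    static byte[] signDigestRsa(PrivateKey key, byte[] sha256Digest) throws Exception {
        if (sha256Digest.length != 32) {
            throw new IllegalArgumentException("expected a 32-byte SHA-256 digest");
        }
        byte[] digestInfo = new byte[SHA256_DIGEST_INFO_PREFIX.length + 32];
        System.arraycopy(SHA256_DIGEST_INFO_PREFIX, 0, digestInfo, 0, SHA256_DIGEST_INFO_PREFIX.length);
        System.arraycopy(sha256Digest, 0, digestInfo, SHA256_DIGEST_INFO_PREFIX.length, 32);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, key);
        return rsa.doFinal(digestInfo);
    }

    /** Server side, ECDSA: NONEwithECDSA (SunEC) treats its input as the already-computed hash. */
    static byte[] signDigestEcdsa(PrivateKey key, byte[] sha256Digest) throws Exception {
        Signature ecdsa = Signature.getInstance("NONEwithECDSA");
        ecdsa.initSign(key);
        ecdsa.update(sha256Digest);
        return ecdsa.sign();
    }

    /** Verifier side: a normal verification over the complete document, no knowledge of the trick needed. */
    static boolean verify(String algorithm, PublicKey key, byte[] document, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance(algorithm);
        sig.initVerify(key);
        sig.update(document);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        byte[] document = "constructed sample document".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] digest = sha256(document);   // the only thing the client sends to the signing server

        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPair rsa = rsaGen.generateKeyPair();           // stands in for the HSM-held RSA key
        byte[] rsaSig = signDigestRsa(rsa.getPrivate(), digest);
        System.out.println("RSA verifies as SHA256withRSA:    "
                + verify("SHA256withRSA", rsa.getPublic(), document, rsaSig));

        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(256);                            // P-256
        KeyPair ec = ecGen.generateKeyPair();             // stands in for the HSM-held EC key
        byte[] ecSig = signDigestEcdsa(ec.getPrivate(), digest);
        System.out.println("EC verifies as SHA256withECDSA:   "
                + verify("SHA256withECDSA", ec.getPublic(), document, ecSig));

        // Negative check: a signature over a different digest must not verify for this document.
        byte[] other = signDigestRsa(rsa.getPrivate(), sha256("tampered".getBytes(StandardCharsets.UTF_8)));
        System.out.println("Signature over other digest rejected: "
                + !verify("SHA256withRSA", rsa.getPublic(), document, other));
    }
}
```

With a PKCS#11 token the same code works as long as the provider offers RSA/ECB/PKCS1Padding for the key, which is the point the MRTDSigner comment makes; the server must still validate that the incoming digest has the expected length and should log which key signed what, since it never sees the document it is signing.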
From: Arnaud D. <arn...@gm...> - 2017-03-21 15:00:36
|
Hi,

Thanks Markus, it works.

I try now to use JKS instead of P12. We have a JKSCryptoToken which seems to work fine with this configuration:

GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.KeystoreCryptoToken
WORKERGENID1.NAME=CryptoJKS
WORKERGENID1.KEYSTORETYPE=JKS
WORKERGENID1.KEYSTOREPATH=/opt/signserver/keystore.jks
WORKERGENID1.KEYSTOREPASSWORD=foobar
WORKERGENID1.DEFAULTKEY=test

The TimestampWorker configuration looks like:

GLOB.WORKERGENID1.CLASSPATH=org.signserver.module.tsa.TimeStampSigner
WORKERGENID1.NAME=TimeStampSigner
WORKERGENID1.AUTHTYPE=NOAUTH
WORKERGENID1.CRYPTOTOKEN=CryptoJKS
WORKERGENID1.DEFAULTTSAPOLICYOID=1.1.1.1
WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSA
WORKERGENID1.DEFAULTKEY=my-key

We upload the signercert and signercertchain to the TimeStampSigner without problem.

The getstatus command shows:

Current version of server is : SignServer CE 3.7.0

Status of CryptoWorker with id 1 (CryptoJKS) is:
Worker status : Active
Token status : Active

Status of Signer with id 2 (PDFSigner) is:
Worker status : Active
Token status : Active

Status of Signer with id 3 (TimeStampSigner) is:
Worker status : Active
Token status : Active
Signings : 0

But when we use the following command to test that the setup is correct:

bin/signclient timestamp http://localhost:8080/signserver/process?workerName=TimeStampSigner

The result is:

Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:343) at org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97) at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45) Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: 
http://localhost:8080/signserver/process?workerName=TimeStampSigner at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1676) at org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:676) at org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:364) at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:335) ... 2 more

and the logs show:

[#|2017-03-21T14:42:59.564+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [TimeStampSigner] OperatorCreationException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source) at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753) at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477) at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282) at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052) at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124) at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388) at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619) at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800) at 
com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571) at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162) at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144) at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861) at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800) at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370) at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360) at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348) at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214) at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88) at com.sun.proxy.$Proxy268.process(Unknown Source) at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487) at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374) at javax.servlet.http.HttpServlet.service(HttpServlet.java:688) at javax.servlet.http.HttpServlet.service(HttpServlet.java:770) at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595) at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161) at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231) at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317) at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195) at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849) at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746) at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045) at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228) at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137) at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104) at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90) at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79) at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54) at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59) at com.sun.grizzly.ContextTask.run(ContextTask.java:71) at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532) at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513) at java.lang.Thread.run(Thread.java:745) Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN at sun.security.jca.GetInstance.getService(GetInstance.java:100) at sun.security.jca.GetInstance.getInstance(GetInstance.java:218) at java.security.Signature.getInstance(Signature.java:403) at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source) at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source) ... 
56 more |#] [#|2017-03-21T14:42:59.566+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [WorkerProcessImpl] SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN org.signserver.common.SignServerException: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:286) at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052) at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124) at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388) at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619) at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800) at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571) at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162) at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144) at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861) at 
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800) at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370) at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360) at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348) at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214) at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88) at com.sun.proxy.$Proxy268.process(Unknown Source) at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487) at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374) at javax.servlet.http.HttpServlet.service(HttpServlet.java:688) at javax.servlet.http.HttpServlet.service(HttpServlet.java:770) at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161) at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231) at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317) at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195) at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849) at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746) at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045) at 
com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228) at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137) at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104) at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90) at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79) at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54) at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59) at com.sun.grizzly.ContextTask.run(ContextTask.java:71) at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532) at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513) at java.lang.Thread.run(Thread.java:745) Caused by: org.signserver.common.SignServerException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:600) at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282) ... 52 more Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source) at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753) at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477) ... 
53 more Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN at sun.security.jca.GetInstance.getService(GetInstance.java:100) at sun.security.jca.GetInstance.getInstance(GetInstance.java:218) at java.security.Signature.getInstance(Signature.java:403) at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source) at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source) ... 56 more |#] [#|2017-03-21T14:42:59.584+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|INFO [IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID: 0ed1fc43-f42b-4622-ae4f-99fba7304288; CLIENT_IP: 127.0.0.1; REQUEST_FULLURL: http://localhost:8080/signserver/process?workerName=TimeStampSigner; RequestTime: 1490103779263; ResponseTime: 15; TimeStamp: 1490103779445; TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS}; PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: 4569cf4ec5c6cd9c; TSA_POLICYID: 1.2.250.1.302.2.1.1.0; SIGNER_CERT_SERIALNUMBER: 6cc9d2ed368a8e4d; SIGNER_CERT_ISSUERDN: CN=TEST - SIGN2 TEST CA,OU=794513986,O=TEST,L=CAEN,ST=CALVADOS,C=FR; TIMESTAMPREQUEST_ENCODED: MCwCAQEwITAJBgUrDgMCGgUABBQAAAAAAAAAAAAAAAAAAAAAAAAAAAIExHyg+Q==; TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED}; ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN; EXCEPTION: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN |#] We use signserver 3.7.0, we are using openjdk-7 and we have installed the JCE package. Have we made something wrong ? Can you help us going to the right direction ? Thanks a lot 2017-03-20 15:25 GMT+01:00 Markus Kilås <ma...@pr...>: > On 03/20/2017 11:41 AM, Arnaud Defos wrote: > > Hi, > > > > Thanks for your answer. 
> > > > I try to follow instructions to setup 3.7.0 timestamp signer for demo > > (it is not the same instructions for the current version) but I have > > several errors on the timestamp signer : > > > > Here is an extract of : >bin/signserver getstatus brief all > > > > Status of CryptoWorker with id 7 (CryptoTokenP12) is: > > Worker status : Active > > Token status : Active > > > > Worker properties: > > KEYSTORETYPE=PKCS12 > > > > CLASSPATH=org.signserver.common.ProcessableConfig > > > > DEFAULTKEY=Signer 2 > > > > KEYSTOREPATH=/opt/signserver/res/test/dss10/dss10_signer2.p12 > > > > SIGNERCERT= > > > > NAME=CryptoTokenP12 > > > > > > SIGNERCERTCHAIN=MIIEhzCCAm+gAwIBAgIITQ7wWwEnF4EwDQYJKoZIh > vcNAQELBQAwTTEXMBUGA1UEAwwORFNTIFJvb3QgQ0EgMTAxEDAOBgNVBAsMB > 1Rlc3RpbmcxEzARBgNVBAoMClNpZ25TZXJ2ZXIxCzAJBgNVBAYTAlNFMB4XD > TE0MTAxMDA4NDQyOVoXDTM0MTAxMDA4NDQyOVowQDEUMBIGA1UEAwwLVFMgU > 2lnbmVyIDIxGzAZBgNVBAoMElNpZ25TZXJ2ZXIgVGVzdGluZzELMAkGA1UEB > hMCU0UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiQkk9WQ+ > ufdrnms7oDcGdt7Sd8lH0gNIjwCYWFgQEugp+Jq/HSgx1t0N74OTC/vzEGSBuP// > aWEwJWayz3RHNj53R3SuDZI/zL8OzLHCuKoJ+4zuWeWC9IcJjChfz64MzvMjnfKQpWG > oje23IU9rxGyN8U4hap/f376wlSF5biP3H2u61/qqC2PE5g9DAPKBP1whWkztl6GGpViV > xBlGymsyDnmzZI39rvySsBbnWayggOB337Nuwi/O4aoKyk7cA3xvaby2UdOUD8Tj7c5mR > KqCnHwVIoh9spRrzrqlHOm29xsv/CkXFiTLGpwHqjsIWdZuveBQ+ > nPwqO5jvKkybAgMBAAGjeDB2MB0GA1UdDgQWBBRKRH8HvWJ0mZHx15nOIECp > LNbOEzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFCB6Id7orbsCqPtxWKQJ > YrnYWAWiMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBgg > rBgEFBQcDCDANBgkqhkiG9w0BAQsFAAOCAgEAcVo//K7a0PDKQypvdYLMR5byNr+ > lvQlvf2ebnnbL7epgZor+5iKPy8NbEfdlu1PzQaJKcM9XVc68cW > yuS1JStJHQuCeFDt8JBe2Wy+z6sC905nxkh495YYHFzjV8OpA5K7f8fcEnres+ > 7BJM9opnLlWZwCcZx1UjWy1ETOuT//0311Uhn/MXd3V3cfx3oCRrZ+EgS/ > XFg1FFqnk1Ntxa4AIpyr8dWR8boTG9uN/kd5D8gLJUINwCI+ > AMfzsnotMqYwpUGtnaayssTpVQqQ8w2vUvJ8mlqbbOZS+d1HJ+xAWhXjVwxk9t++ > LUTXW6lKp8YuYNN2w+j/Ga4o76QO1tsRAhtgVYiiTOf9nHO9fJvLj+N/qxVr2OWq+/ > 
C9n87moyZHuD0aDW6FoqkG/Adh0g1GNolop6M1C+iu/SRrdFF7aoBr083lQxI32OLsFrICWqZ > X1+cWk5yZn6ARuiDLX4GSaz63VmoqEW4TPN51HIGX0p4VVOagfqNQrEg86pTlZF > pBfQ9LlmpYV/B2x5Snbpe/raW67hQ1NvrrDV/ilxxKXdFLXXBARqn6/ > t73F0SkyFtCHhSieOm1TMli3IdHgV7up88TE5PnJ6VT6n+ > mcaQxz4bUmpFKCoFFlIaHpQSW2iQQsOXgKt/GOJEajR/MGhZNJeTpWK4Bs4uffGDwu+Tck\= > > > > > > Authorized clients (serial number, issuer DN): > > > > > > Status of Signer with id 8 (TimeStampSigner) is: > > Worker status : *Offline* > > Token status : Active > > Signings : 0 > > > > *Errors: * > > * - No signer certificate available* > > * - No key available for purpose: null* > > * - Unsupported certificate type* > > * > > * > > Worker properties: > > CRYPTOTOKEN=CryptoTokenP12 > > > > CLASSPATH=org.signserver.common.ProcessableConfig > > > > AUTHTYPE=NOAUTH > > > > SIGNERCERT= > > > > NAME=TimeStampSigner > > > > WORKERLOGGER=org.signserver.module.tsa.DefaultTimeStampLogger > > > > SIGNERCERTCHAIN= > > > > DEFAULTTSAPOLICYOID=1.2.3 > > > > > > Authorized clients (serial number, issuer DN): > > > > Signer certificate: > > * Error: No Signer Certificate have been uploaded to this signer.* > > > > > > Do you have any ideas ? > > > > Thanks for your help ! > > > > > > Arnaud > > Hi Arnaud, > > You probably should specify in your TimeStampSigner which key in > CryptoTokenP12 that it should use. > > For instance set the worker property DEFAULTKEY=Signer 2 in > TimeStampSigner. > > > Cheers, > Markus > PrimeKey Solutions > > > Save time and money with an Enterprise support subscription. Please see > www.primekey.se for more information. > https://www.primekey.se/technologies/products-overview/ > https://www.primekey.se/service-support/support/ > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! 
http://sdm.link/slashdot > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop > |
From: Markus K. <ma...@pr...> - 2017-03-20 14:25:59
|
On 03/20/2017 11:41 AM, Arnaud Defos wrote:
> Hi,
>
> Thanks for your answer.
>
> I try to follow instructions to setup 3.7.0 timestamp signer for demo
> (it is not the same instructions for the current version) but I have
> several errors on the timestamp signer :
>
> Here is an extract of : >bin/signserver getstatus brief all
>
> Status of CryptoWorker with id 7 (CryptoTokenP12) is:
> Worker status : Active
> Token status : Active
>
> Worker properties:
> KEYSTORETYPE=PKCS12
> CLASSPATH=org.signserver.common.ProcessableConfig
> DEFAULTKEY=Signer 2
> KEYSTOREPATH=/opt/signserver/res/test/dss10/dss10_signer2.p12
> SIGNERCERT=
> NAME=CryptoTokenP12
> SIGNERCERTCHAIN=...
>
> Authorized clients (serial number, issuer DN):
>
> Status of Signer with id 8 (TimeStampSigner) is:
> Worker status : *Offline*
> Token status : Active
> Signings : 0
>
> *Errors: *
> * - No signer certificate available*
> * - No key available for purpose: null*
> * - Unsupported certificate type*
>
> Worker properties:
> CRYPTOTOKEN=CryptoTokenP12
> CLASSPATH=org.signserver.common.ProcessableConfig
> AUTHTYPE=NOAUTH
> SIGNERCERT=
> NAME=TimeStampSigner
> WORKERLOGGER=org.signserver.module.tsa.DefaultTimeStampLogger
> SIGNERCERTCHAIN=
> DEFAULTTSAPOLICYOID=1.2.3
>
> Authorized clients (serial number, issuer DN):
>
> Signer certificate:
> * Error: No Signer Certificate have been uploaded to this signer.*
>
> Do you have any ideas ?
>
> Thanks for your help !
>
> Arnaud

Hi Arnaud,

You probably should specify in your TimeStampSigner which key in CryptoTokenP12 it should use.

For instance set the worker property DEFAULTKEY=Signer 2 in TimeStampSigner.

Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/ |
From: Arnaud D. <arn...@gm...> - 2017-03-20 13:48:52
If I check signserver.log, I have:

2017-03-20 14:43:14,116 ERROR [p: thread-pool-1; w: 8] [ProcessableConfig] java.io.IOException: Error in java.io.ByteArrayInputStream@5ac52fd8, missing -----BEGIN CERTIFICATE----- boundary

Any ideas?

Thanks

2017-03-20 11:41 GMT+01:00 Arnaud Defos <arn...@gm...>:
> Hi,
>
> Thanks for your answer.
>
> I tried to follow the instructions to set up the 3.7.0 timestamp signer for the demo
> (they are not the same instructions as for the current version) but I have
> several errors on the timestamp signer:
>
> Here is an extract of:
> bin/signserver getstatus brief all
>
> Status of CryptoWorker with id 7 (CryptoTokenP12) is:
> Worker status : Active
> Token status : Active
>
> Worker properties:
> KEYSTORETYPE=PKCS12
> CLASSPATH=org.signserver.common.ProcessableConfig
> DEFAULTKEY=Signer 2
> KEYSTOREPATH=/opt/signserver/res/test/dss10/dss10_signer2.p12
> SIGNERCERT=
> NAME=CryptoTokenP12
> SIGNERCERTCHAIN=[base64 certificate chain omitted]
>
> Authorized clients (serial number, issuer DN):
>
> Status of Signer with id 8 (TimeStampSigner) is:
> Worker status : Offline
> Token status : Active
> Signings : 0
>
> Errors:
>  - No signer certificate available
>  - No key available for purpose: null
>  - Unsupported certificate type
>
> Worker properties:
> CRYPTOTOKEN=CryptoTokenP12
> CLASSPATH=org.signserver.common.ProcessableConfig
> AUTHTYPE=NOAUTH
> SIGNERCERT=
> NAME=TimeStampSigner
> WORKERLOGGER=org.signserver.module.tsa.DefaultTimeStampLogger
> SIGNERCERTCHAIN=
> DEFAULTTSAPOLICYOID=1.2.3
>
> Authorized clients (serial number, issuer DN):
>
> Signer certificate:
>  Error: No Signer Certificate have been uploaded to this signer.
>
> Do you have any ideas?
>
> Thanks for your help!
>
> Arnaud
>
> 2017-03-16 3:06 GMT+01:00 Jaime Hablutzel Egoavil <hab...@gm...>:
>>
>> On Wed, Mar 15, 2017 at 4:24 PM, Arnaud Defos <arn...@gm...> wrote:
>>
>>> Hi everyone,
>>>
>>> I would like to use the TimeStamp server but I have trouble with the configuration.
>>>
>>> I have for the moment two workers:
>>> - one for JKS configuration (it is active and online)
>>> - one for StampSigner which is active and offline
>>> => Worker status : Offline
>>> Token status : Active
>>> Signings : 0
>>>
>>> Errors:
>>> - Missing extended key usage timeStamping
>>> - The extended key usage extension must be present and marked as critical
>>>
>> There are some requirements on the digital certificate to be used for timestamping, see https://www.ietf.org/rfc/rfc3161.txt, "2.3. Identification of the TSA".
>>
>> You could easily generate a certificate for that purpose and with the required extension by using XCA, or you could just use the demonstration certificate for starting as indicated in the link below.
>>
>>> I use signserver 3.7.0.
>>>
>>> I don't understand how I could configure the signing certificate and certificate chain. Which properties do I have to set? In which worker? Is the default key configuration important?
>>>
>> First try to get the timestamping service working by following the instructions here: https://www.signserver.org/doc/current/manual/installguide.html#Quick_start_demo_Timestamp_signer.
>>
>>> Do you have any ideas?
>>>
>>> Thanks a lot,
>>>
>>> Best regards,
>>>
>>> Arnaud
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> SignServer-develop mailing list
>>> Sig...@li...
>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
>> --
>> Jaime Hablutzel - RPC 994690880
From: Arnaud D. <arn...@gm...> - 2017-03-20 10:41:19
Hi,

Thanks for your answer.

I tried to follow the instructions to set up the 3.7.0 timestamp signer for the demo (they are not the same instructions as for the current version) but I have several errors on the timestamp signer:

Here is an extract of:
bin/signserver getstatus brief all

Status of CryptoWorker with id 7 (CryptoTokenP12) is:
Worker status : Active
Token status : Active

Worker properties:
KEYSTORETYPE=PKCS12
CLASSPATH=org.signserver.common.ProcessableConfig
DEFAULTKEY=Signer 2
KEYSTOREPATH=/opt/signserver/res/test/dss10/dss10_signer2.p12
SIGNERCERT=
NAME=CryptoTokenP12
SIGNERCERTCHAIN=[base64 certificate chain omitted]

Authorized clients (serial number, issuer DN):

Status of Signer with id 8 (TimeStampSigner) is:
Worker status : Offline
Token status : Active
Signings : 0

Errors:
 - No signer certificate available
 - No key available for purpose: null
 - Unsupported certificate type

Worker properties:
CRYPTOTOKEN=CryptoTokenP12
CLASSPATH=org.signserver.common.ProcessableConfig
AUTHTYPE=NOAUTH
SIGNERCERT=
NAME=TimeStampSigner
WORKERLOGGER=org.signserver.module.tsa.DefaultTimeStampLogger
SIGNERCERTCHAIN=
DEFAULTTSAPOLICYOID=1.2.3

Authorized clients (serial number, issuer DN):

Signer certificate:
 Error: No Signer Certificate have been uploaded to this signer.

Do you have any ideas?

Thanks for your help!

Arnaud

2017-03-16 3:06 GMT+01:00 Jaime Hablutzel Egoavil <hab...@gm...>:
>
> On Wed, Mar 15, 2017 at 4:24 PM, Arnaud Defos <arn...@gm...> wrote:
>
>> Hi everyone,
>>
>> I would like to use the TimeStamp server but I have trouble with the configuration.
>>
>> I have for the moment two workers:
>> - one for JKS configuration (it is active and online)
>> - one for StampSigner which is active and offline
>> => Worker status : Offline
>> Token status : Active
>> Signings : 0
>>
>> Errors:
>> - Missing extended key usage timeStamping
>> - The extended key usage extension must be present and marked as critical
>>
> There are some requirements on the digital certificate to be used for timestamping, see https://www.ietf.org/rfc/rfc3161.txt, "2.3. Identification of the TSA".
>
> You could easily generate a certificate for that purpose and with the required extension by using XCA, or you could just use the demonstration certificate for starting as indicated in the link below.
>
>> I use signserver 3.7.0.
>>
>> I don't understand how I could configure the signing certificate and certificate chain. Which properties do I have to set? In which worker? Is the default key configuration important?
>>
> First try to get the timestamping service working by following the instructions here: https://www.signserver.org/doc/current/manual/installguide.html#Quick_start_demo_Timestamp_signer.
>
>> Do you have any ideas?
>>
>> Thanks a lot,
>>
>> Best regards,
>>
>> Arnaud
>
> --
> Jaime Hablutzel - RPC 994690880
From: Jaime H. E. <hab...@gm...> - 2017-03-16 02:07:05
On Wed, Mar 15, 2017 at 4:24 PM, Arnaud Defos <arn...@gm...> wrote:
> Hi everyone,
>
> I would like to use the TimeStamp server but I have trouble with the configuration.
>
> I have for the moment two workers:
> - one for JKS configuration (it is active and online)
> - one for StampSigner which is active and offline
> => Worker status : Offline
> Token status : Active
> Signings : 0
>
> Errors:
> - Missing extended key usage timeStamping
> - The extended key usage extension must be present and marked as critical
>

There are some requirements on the digital certificate to be used for timestamping, see https://www.ietf.org/rfc/rfc3161.txt, "2.3. Identification of the TSA".

You could easily generate a certificate for that purpose and with the required extension by using XCA, or you could just use the demonstration certificate for starting as indicated in the link below.

> I use signserver 3.7.0.
>
> I don't understand how I could configure the signing certificate and certificate chain. Which properties do I have to set? In which worker? Is the default key configuration important?
>

First try to get the timestamping service working by following the instructions here: https://www.signserver.org/doc/current/manual/installguide.html#Quick_start_demo_Timestamp_signer

> Do you have any ideas?
>
> Thanks a lot,
>
> Best regards,
>
> Arnaud

--
Jaime Hablutzel - RPC 994690880
From: Arnaud D. <arn...@gm...> - 2017-03-15 21:24:13
Hi everyone,

I would like to use the TimeStamp server but I have trouble with the configuration.

I have for the moment two workers:
- one for JKS configuration (it is active and online)
- one for StampSigner which is active and offline
  => Worker status : Offline
  Token status : Active
  Signings : 0

  Errors:
  - Missing extended key usage timeStamping
  - The extended key usage extension must be present and marked as critical

I use signserver 3.7.0.

I don't understand how I could configure the signing certificate and certificate chain. Which properties do I have to set? In which worker? Is the default key configuration important?

Do you have any ideas?

Thanks a lot,

Best regards,

Arnaud
From: Willi T. <wil...@gm...> - 2017-02-22 10:56:15
Hi,

The concept of SignServer, as I understand it, is to send data from the client to the server, which will invoke some type of worker that can be configured to go through an authorizer. The authorizer, as an implementation of the interface IAuthorizer, will check the request in isAuthorized, and this is the authentication for the worker.

I would like to ask how to implement challenge-response authentication for SignServer. Has anyone done it already? Should I implement custom functions and interfaces in SignServer, or is it possible using an Authorizer somehow?

The main goal is to have a custom implementation of an authentication protocol, e.g. mutual authentication using a zero-knowledge mechanism.

WT
From: Jaime H. E. <hab...@gm...> - 2017-02-21 16:34:49
See this previous thread: https://sourceforge.net/p/signserver/mailman/message/34989800/.

On Mon, Feb 20, 2017 at 2:56 PM, Willi Trace <wil...@gm...> wrote:
> Hi,
>
> I am looking to use SignServer as a base for remote signature creation compliant with eIDAS.
> Do you know if there is some deployment of SignServer like that, or how much work there would be to comply with eIDAS using SignServer?
>
> I am planning to develop a custom authentication module to use mobile phones to authenticate to a key stored inside an HSM. As SignServer should already have implemented features like alias selectors and archivers, I believe it can be used to achieve this kind of trusted service and be certified according to eIDAS.
>
> What do you think?
>
> WT

--
Jaime Hablutzel - RPC 994690880
From: Willi T. <wil...@gm...> - 2017-02-20 19:56:56
Hi,

I am looking to use SignServer as a base for remote signature creation compliant with eIDAS.
Do you know if there is some deployment of SignServer like that, or how much work there would be to comply with eIDAS using SignServer?

I am planning to develop a custom authentication module to use mobile phones to authenticate to a key stored inside an HSM. As SignServer should already have implemented features like alias selectors and archivers, I believe it can be used to achieve this kind of trusted service and be certified according to eIDAS.

What do you think?

WT
From: Jose A. <j....@gm...> - 2017-02-16 03:34:48
Hi.

Can I sign a document with my PKCS#12 certificate in my browser (e.g. Firefox) or on USB?

I understand that I can sign with the certificate of the worker (pdf, etc). I understand that the certificate of the worker is safe in the HSM.

But can I sign a document with a portable certificate, using signserver?

Thanks.

--
#############################
# Operating System: Debian  #
# Caracas, Venezuela        #
#############################
From: Jose A. <j....@gm...> - 2017-02-11 00:54:59
Hi.

I use an Utimaco HSM, and for ECDSA I use clientToolBox to generate, for example (ejbca):

ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /etc/utimaco/libcs_pkcs11_R2.so secp384r1 secp384r1Alias 0

where "secp384r1" is information provided by the documentation of the HSM.

On Fri, Feb 3, 2017 at 9:52 AM, Blum, Jon <jon...@or...> wrote:
> Hello all --
>
> I'm able to generate RSA keys through the SignServer CLI, but I get "Cannot load SunEC provider" errors if I try to generate an ECDSA key. What should I check for in my setup?
>
> An example:
>
> [jon@localhost lib]$ bin/signserver generatekey CryptoTokenP11 -keyalg ECDSA -keyspec prime192v3 -alias 2017_06
> (...)
> Caused by: java.lang.RuntimeException: Cannot load SunEC provider
>         at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
>         at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
>         at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
>         at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:133)
>         at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1014)
>         at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:991)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>         at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
>         at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:175)
>         at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:320)
>         at org.cesecore.keys.token.PKCS11CryptoToken.generateKeyPair(PKCS11CryptoToken.java:212)
>         at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:515)
>         at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:527)
>         at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> For the record, this is SignServer 3.7.0, under JDK 8, running on Wildfly 10, talking to a Luna SA HSM. The system's been functioning fine for months with RSA keys.
>
> I've tried generating ECDSA with a variety of different keyspecs. I've checked that sunec.jar exists on my system, in /usr/java/latest/jre/lib/ext/sunec.jar; is it possible that SignServer could be running somehow without this in its path? Do I need to copy it locally into my Wildfly installation?
>
> I've also confirmed that SunEC is in the provider list in java.security:
> security.provider.1=sun.security.provider.Sun
> security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/luna.cfg
> security.provider.3=sun.security.rsa.SunRsaSign
> security.provider.4=sun.security.ec.SunEC
> (etc)
>
> Whatever the problem is, it appears to be P11CryptoToken-specific. If I try running with a P12CryptoToken, I get a different error, which indicates that it's apparently found the crypto provider it needs but not the named curve I'm looking for:
>
> [jon@localhost signserver]$ bin/signserver generatekey CryptoTokenP12 -keyalg ECDSA -keyspec P-224 -alias 2017_06
> (...)
> Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.132.0.33
>         at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
>         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
>         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
>         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
>         at org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.getCertificate(Unknown Source)
>         at org.signserver.server.cryptotokens.CryptoTokenHelper.getSelfCertificate(CryptoTokenHelper.java:499)
>         at org.signserver.server.cryptotokens.CryptoTokenHelper.createDummyCertificate(CryptoTokenHelper.java:471)
>         at org.signserver.server.cryptotokens.KeystoreCryptoToken.generateKey(KeystoreCryptoToken.java:475)
>         at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> But that's a secondary issue; my actual solution has to use the CryptoTokenP11.
>
> Any suggestions welcome!
>
> Cheers,
> Jon Blum

--
#############################
# Operating System: Debian  #
# Caracas, Venezuela        #
#############################
From: Markus K. <ma...@pr...> - 2017-02-07 16:54:37
On 02/03/2017 02:52 PM, Blum, Jon wrote:
> Hello all --
>
> I'm able to generate RSA keys through the SignServer CLI, but I get "Cannot load SunEC provider" errors if I try to generate an ECDSA key. What should I check for in my setup?
>
> An example:
>
> [jon@localhost lib]$ bin/signserver generatekey CryptoTokenP11 -keyalg ECDSA -keyspec prime192v3 -alias 2017_06
> (...)
> Caused by: java.lang.RuntimeException: Cannot load SunEC provider
>         at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
>         at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
>         at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
>         at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:133)
>         at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1014)
>         at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:991)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
>         at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
>         at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:175)
>         at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:320)
>         at org.cesecore.keys.token.PKCS11CryptoToken.generateKeyPair(PKCS11CryptoToken.java:212)
>         at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:515)
>         at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:527)
>         at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> For the record, this is SignServer 3.7.0, under JDK 8, running on Wildfly 10, talking to a Luna SA HSM. The system's been functioning fine for months with RSA keys.
>
> I've tried generating ECDSA with a variety of different keyspecs. I've checked that sunec.jar exists on my system, in /usr/java/latest/jre/lib/ext/sunec.jar; is it possible that SignServer could be running somehow without this in its path? Do I need to copy it locally into my Wildfly installation?
>
> I've also confirmed that SunEC is in the provider list in java.security:
> security.provider.1=sun.security.provider.Sun
> security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/luna.cfg
> security.provider.3=sun.security.rsa.SunRsaSign
> security.provider.4=sun.security.ec.SunEC
> (etc)
>
> Whatever the problem is, it appears to be P11CryptoToken-specific. If I try running with a P12CryptoToken, I get a different error, which indicates that it's apparently found the crypto provider it needs but not the named curve I'm looking for:
>
> [jon@localhost signserver]$ bin/signserver generatekey CryptoTokenP12 -keyalg ECDSA -keyspec P-224 -alias 2017_06
> (...)
> Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.132.0.33
>         at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
>         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
>         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
>         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
>         at org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.getCertificate(Unknown Source)
>         at org.signserver.server.cryptotokens.CryptoTokenHelper.getSelfCertificate(CryptoTokenHelper.java:499)
>         at org.signserver.server.cryptotokens.CryptoTokenHelper.createDummyCertificate(CryptoTokenHelper.java:471)
>         at org.signserver.server.cryptotokens.KeystoreCryptoToken.generateKey(KeystoreCryptoToken.java:475)
>         at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)
>
> But that's a secondary issue; my actual solution has to use the CryptoTokenP11.
>
> Any suggestions welcome!

Hi Jon,

I'm getting unknown curve when specifying prime192v3 but the SunEC issue could be a different one.

What version of Java are you using?
$ java -version

Does it work if you specify the more common "P-256" curve?

Cheers,
Markus
PrimeKey Solutions

RSA(R) Conference 2017
----------------------
San Francisco | February 13-17 | Moscone Center

Come visit us in booth #627 at RSA Conference 2017!
Want a free expo pass? Click https://www.rsaconference.com/events/us17/register and use the code: XE7PRMKEY
From: Blum, J. <jon...@or...> - 2017-02-03 14:21:58
Hello all --

I'm able to generate RSA keys through the SignServer CLI, but I get "Cannot load SunEC provider" errors if I try to generate an ECDSA key. What should I check for in my setup?

An example:

[jon@localhost lib]$ bin/signserver generatekey CryptoTokenP11 -keyalg ECDSA -keyspec prime192v3 -alias 2017_06
(...)
Caused by: java.lang.RuntimeException: Cannot load SunEC provider
        at sun.security.pkcs11.P11ECKeyFactory.getSunECProvider(P11ECKeyFactory.java:55)
        at sun.security.pkcs11.P11ECKeyFactory.getECParameterSpec(P11ECKeyFactory.java:71)
        at sun.security.pkcs11.P11KeyPairGenerator.initialize(P11KeyPairGenerator.java:146)
        at sun.security.pkcs11.P11KeyPairGenerator.<init>(P11KeyPairGenerator.java:133)
        at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:1014)
        at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:991)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
        at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:279)
        at org.cesecore.keys.util.KeyStoreTools.generateEC(KeyStoreTools.java:175)
        at org.cesecore.keys.util.KeyStoreTools.generateKeyPair(KeyStoreTools.java:320)
        at org.cesecore.keys.token.PKCS11CryptoToken.generateKeyPair(PKCS11CryptoToken.java:212)
        at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:515)
        at org.signserver.server.cryptotokens.PKCS11CryptoToken.generateKey(PKCS11CryptoToken.java:527)
        at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)

For the record, this is SignServer 3.7.0, under JDK 8, running on Wildfly 10, talking to a Luna SA HSM. The system's been functioning fine for months with RSA keys.

I've tried generating ECDSA with a variety of different keyspecs. I've checked that sunec.jar exists on my system, in /usr/java/latest/jre/lib/ext/sunec.jar; is it possible that SignServer could be running somehow without this in its path? Do I need to copy it locally into my Wildfly installation?

I've also confirmed that SunEC is in the provider list in java.security:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/luna.cfg
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
(etc)

Whatever the problem is, it appears to be P11CryptoToken-specific. If I try running with a P12CryptoToken, I get a different error, which indicates that it's apparently found the crypto provider it needs but not the named curve I'm looking for:

[jon@localhost signserver]$ bin/signserver generatekey CryptoTokenP12 -keyalg ECDSA -keyspec P-224 -alias 2017_06
(...)
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.132.0.33
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
        at org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.getCertificate(Unknown Source)
        at org.signserver.server.cryptotokens.CryptoTokenHelper.getSelfCertificate(CryptoTokenHelper.java:499)
        at org.signserver.server.cryptotokens.CryptoTokenHelper.createDummyCertificate(CryptoTokenHelper.java:471)
        at org.signserver.server.cryptotokens.KeystoreCryptoToken.generateKey(KeystoreCryptoToken.java:475)
        at org.signserver.server.BaseProcessable.generateKey(BaseProcessable.java:1059)

But that's a secondary issue; my actual solution has to use the CryptoTokenP11.

Any suggestions welcome!

Cheers,
Jon Blum
From: Jose A. <j....@gm...> - 2017-01-09 16:47:57
Thanks Markus. I solved it.

I created the SSL certificate with the default EJBCA certificate profile SERVER with the internal CA (which was created at first install). Always 2 SUBCA (children of the ROOT CA). But one of the 2 SUBCAs shows an error with SSL, and this is something that I must solve: the settings used when the SubCA was created.

You are right when you said it is a topic for EJBCA and not SignServer. Sorry.

Thanks.

On Mon, Jan 9, 2017 at 5:36 AM, Markus Kilås <ma...@pr...> wrote:
> On 01/06/2017 04:33 PM, Jose Alberto wrote:
>> Hi.
>>
>> I am using SignServer 4.0; I have integrated it with an HSM over pkcs11.
>>
>> And various workers. All work fine, without problem.
>>
>> For the moment, my certificate for https is copied from the PKI (EJBCA): tomcat.keystore and truststore.keystore. And I use the pkcs12 certificate of EJBCA to solve the authentication.
>>
>> The problem: I want to generate a personalized certificate for https for SignServer. But there is always an error on Firefox (also Chrome and IE), for example:
>>
>> SEC_ERROR_INADEQUATE_KEY_USAGE
>>
>> I used keytool, generated a CSR, uploaded the CSR to EJBCA, downloaded the JKS from EJBCA, but it does not work.
>>
>> I used EJBCA directly, downloaded the JKS, but it does not work.
>>
>> What is the process to generate SSL for JBoss using EJBCA?
>>
>> Thanks.
>>
>> Sorry for my English.
>>
>> --
>> #############################
>> # Operating System: Debian  #
>> # Caracas, Venezuela        #
>> #############################
>
> Hi Jose,
>
> It sounds like the certificate you have issued is not valid for TLS server authentication. Probably it is missing the appropriate key usage and/or the extended key usage for TLS server authentication.
>
> This is more of an EJBCA mailing list question I suppose, but when issuing your certificate from EJBCA you can use the SERVER certificate profile (or a profile cloned from it). That profile should already have working key usage and extended key usage set.
>
> Cheers,
> Markus

--
#############################
# Operating System: Debian  #
# Caracas, Venezuela        #
#############################
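Both certificate problems on this page come down to the extendedKeyUsage extension: a TSA certificate must carry a critical EKU with id-kp-timeStamping (Jaime's RFC 3161 pointer in the timestamp thread above), and an https certificate that Firefox rejects with SEC_ERROR_INADEQUATE_KEY_USAGE is typically missing id-kp-serverAuth (Markus's answer quoted above). The following is an added example, not SignServer or EJBCA code: it walks the DER of an X.509 Extension with a minimal parser and reports the same two error strings the TimeStampSigner status showed; the sample extensions are constructed inline by the small encoder, so no real certificate is needed.

```python
# Added example, not SignServer code: DER walker for X.509 Extension values and
# the extendedKeyUsage checks discussed in the thread (sample input constructed below).

EKU_OID = "2.5.29.37"                   # id-ce-extKeyUsage
KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8"   # id-kp-timeStamping (RFC 3161 section 2.3)
KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth (what a browser wants for https)


def _tlv(der, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID contents: first octet packs the first two arcs, rest is base-128."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear = last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _encode_oid(oid):
    """Inverse of _decode_oid, with the 0x06 tag and a short-form length."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + body


def _seq(*items, tag=0x30):
    body = b"".join(items)
    return bytes([tag, len(body)]) + body  # short-form length suffices for these samples


def encode_eku_extension(purposes, critical):
    """Construct Extension { extnID, critical, extnValue } for extendedKeyUsage."""
    inner = _seq(*[_encode_oid(p) for p in purposes])
    flag = b"\x01\x01\xff" if critical else b""   # DEFAULT FALSE is omitted in DER
    return _seq(_encode_oid(EKU_OID), flag, _seq(inner, tag=0x04))


def parse_extension(ext_der):
    """Return (extnID, critical, extnValue) from one DER-encoded Extension."""
    tag, body, _ = _tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_val, pos = _tlv(body)
    critical = False
    tag, val, pos = _tlv(body, pos)
    if tag == 0x01:                      # optional BOOLEAN critical
        critical = val == b"\xff"
        tag, val, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return _decode_oid(oid_val), critical, val


def eku_purposes(extn_value):
    """Decode ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    _, body, _ = _tlv(extn_value)
    purposes, pos = [], 0
    while pos < len(body):
        _, val, pos = _tlv(body, pos)
        purposes.append(_decode_oid(val))
    return purposes


def check_eku(extensions, required_purpose, must_be_critical):
    """Return the problems found (empty list = acceptable) for a list of DER Extensions."""
    ekus = [(c, v) for o, c, v in map(parse_extension, extensions) if o == EKU_OID]
    errors = []
    if not ekus or required_purpose not in eku_purposes(ekus[0][1]):
        errors.append("Missing extended key usage " + required_purpose)
    if must_be_critical and not (ekus and ekus[0][0]):
        errors.append("The extended key usage extension must be present and marked as critical")
    return errors


def check_timestamping_cert(extensions):
    """RFC 3161 2.3: the TSA certificate's EKU must be critical and contain id-kp-timeStamping."""
    return check_eku(extensions, KP_TIMESTAMPING, must_be_critical=True)


def check_tls_server_cert(extensions):
    """EKU half of the SEC_ERROR_INADEQUATE_KEY_USAGE check: id-kp-serverAuth, criticality optional."""
    return check_eku(extensions, KP_SERVER_AUTH, must_be_critical=False)


if __name__ == "__main__":
    # Constructed samples: a certificate issued only for TLS, and one cut for timestamping.
    tls_only = [encode_eku_extension([KP_SERVER_AUTH], critical=False)]
    tsa = [encode_eku_extension([KP_TIMESTAMPING], critical=True)]
    print("TLS cert used as TSA:", check_timestamping_cert(tls_only))
    print("TSA cert used as TSA:", check_timestamping_cert(tsa))
    print("TSA cert used for https:", check_tls_server_cert(tsa))
```

On a real certificate the list passed to check_eku is the content of the Extensions SEQUENCE from the TBSCertificate, one DER Extension per entry; the parser above only needs the two tags it walks.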
From: Jaime H. E. <hab...@gm...> - 2017-01-09 15:05:47
If you want a free SSL certificate recognized by major browsers you could take a look at the Let's Encrypt CA.

Sent from my Android device.

On Jan 6, 2017 10:33 AM, "Jose Alberto" <j....@gm...> wrote:
> Hi.
>
> I am using SignServer 4.0; I have integrated it with an HSM over pkcs11.
>
> And various workers. All work fine, without problem.
>
> For the moment, my certificate for https is copied from the PKI (EJBCA): tomcat.keystore and truststore.keystore. And I use the pkcs12 certificate of EJBCA to solve the authentication.
>
> The problem: I want to generate a personalized certificate for https for SignServer. But there is always an error on Firefox (also Chrome and IE), for example:
>
> SEC_ERROR_INADEQUATE_KEY_USAGE
>
> I used keytool, generated a CSR, uploaded the CSR to EJBCA, downloaded the JKS from EJBCA, but it does not work.
>
> I used EJBCA directly, downloaded the JKS, but it does not work.
>
> What is the process to generate SSL for JBoss using EJBCA?
>
> Thanks.
>
> Sorry for my English.
>
> --
> #############################
> # Operating System: Debian  #
> # Caracas, Venezuela        #
> #############################