private key missing in certificate downloaded from itunes - objective-c

I am a beginner at iPhone development. I have no idea how to upload an app to iTunes. I have made a certificate and a provisioning profile, but when I downloaded the certificate it came with no private key. So, please give any suggestion that applies to my app.

You can do 2 things:
1. Create a new certificate identity via the Apple developer portal. In this case you'll need to log into the Apple developer portal and use the assistant; as part of this you will need to create and upload a CSR (Certificate Signing Request), which will also create the public and private keys on the machine. Apple signs the request and voila, a signed public/private certificate pair: guide
2. Export the private key from the machine originally used to create the certificate. This case is when you're signing with an identity previously created, probably on an old machine, or if (as in my case) you're developing for a client that has their IDs already created. If you can't access the machine originally used to create the certificate identity, you'll have to create a new identity as per the guide/assistant.
To do this, you will need to export your private key (a .p12 file), or public/private key pair, via Keychain Access, and install the private key or key pair on the machine you're developing on: guide

Related

Is it possible to link a certificate to specific device in client certificate authentication?

I need to authenticate a server using a certificate. I have used OpenSSL to generate a certificate, and I was able to authenticate with the certificate by enabling client certificate authentication in IIS.
Now when I export the certificate from the device and try to install it on another device, it is still able to authenticate to the server. Is there any possible way to link or generate a certificate that will only work on a specific machine?
Yes - keep the private key private.
Moving a certificate by itself to another client won't let you authenticate as the owner of that certificate. You would have to move both the certificate and its corresponding private key.
There are generally two ways you can stop the private key being copied:
Use administrative controls to ensure nobody in your organisation copies the keys. This is usually in the form of an agreement between the certificate issuer and the entity named in the certificate, to the effect that "you shall not copy the private key!!". As you can imagine, depending on the scenario, this might not be that enforceable.
If the certificate is certifying a device, generate and store the private key in a hardware device that is a permanent fixture in that client device. A Trusted Platform Module is an example of a device fitted in most modern end-user devices for this purpose.
If the certificate is certifying a person, generate and store the private key in a hardware device that is issued to that person. A smart-card is an example of such a device. You would probably also need administrative controls here to ensure that the user doesn't share their card with others and that they keep any PINs or other authentication data private.
Note that attempting to certify something like the DNS name of the client device as a unique identifier doesn't work, as DNS, MAC addresses etc. can be spoofed.

Use of AddSigningCredential(cert) in Identity Server 4

I have set up an IdentityServer 4 application as per the following answer. The author has used X509Certificate2 in AddSigningCredential(cert). I used AddDeveloperSigningCredential() in development, which has created a tempkey.jwk file in my project folder.
I then tested this Identity Server 4 application with Postman:
The above call results in the successful generation of a token. Now I need to go into production. I have created an Azure App Service to host the Identity Server 4 application.
I have very little understanding of digital certificates and Identity Server 4. I have gone through a few articles/answers, but I am getting super confused. I just need to understand all of it in easy words.
My questions are:
How can I create the X509Certificate2 certificate, as done here?
How would the Client application be using this certificate?
Where is it being used in development mode, as I am not providing any Public Key in the Postman call?
How can I create the X509Certificate2 certificate?
This answer might help here: https://stackoverflow.com/a/58136780/1658906.
How would the Client application be using this certificate?
It only uses the public key from the certificate if verifying the token.
Your identity provider (your IdentityServer app) uses the certificate to digitally sign the tokens.
An app that wishes to verify a token issued by the identity provider can use the public key from the certificate to verify the token is valid.
Apps usually get the public key from the discovery endpoint: https://identityserver4.readthedocs.io/en/latest/endpoints/discovery.html.
Getting it from there instead of hard-coding the public key is best practice since it enables key rotation more easily.
The certificate's private key needs to be kept really secure.
If someone has the certificate private key, they can create any token they want, and it'll be considered valid by the applications.
Meaning they could impersonate any user or elevate their permissions etc.
Where is it being used in development mode, as I am not providing any Public Key in the Postman call?
Client apps do not use it when requesting a token.
Only if you want to verify if a token is valid.
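To make the signing and verification flow from this answer concrete, here is an added Go example (not IdentityServer4 code and not from the answer above): the provider signs an RS256 token and names its key by kid, and a client verifies it against a key set that stands in for what the discovery document's jwks_uri serves. The key id and claims are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JWKS stands in for the key set served at the discovery document's jwks_uri
// (key id -> public key); clients never hold the private half.
type JWKS map[string]*rsa.PublicKey
var b64 = base64.RawURLEncoding

// Sign builds a compact RS256 JWT. The kid in the header tells verifiers which
// published key to use, which is what lets the provider rotate keys safely.
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig), err
}

// Verify looks up the token's kid in the key set and checks the RS256 signature.
// Tampered tokens and tokens signed by a key the provider never published are rejected.
func Verify(keys JWKS, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	pub, ok := keys[hdr.Kid]
	sig, err := b64.DecodeString(parts[2])
	if hdr.Alg != "RS256" || !ok || err != nil { // refuse alg confusion and unknown keys
		return nil, errors.New("unknown kid or unsupported alg")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	return b64.DecodeString(parts[1]) // raw claims, trusted only after the check above
}
```

Rotating keys means publishing the new public key under a new kid alongside the old one; clients that look keys up by kid keep working without any hard-coded key.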

How do I install my Safari Developer Certificate?

We develop extensions for Safari. I installed our Safari Developer Certificate on Windows, but I can't install it on Mac (we have two certificates). I tried to download and install them from the Apple website, but it doesn't work. What do I have to do?
When you download the certificate from the web you only get the certificate. The private key is usually on the machine from which you created the certSigningRequest.
The certSigningRequest (you can create one by using the Keychain Access app) creates the private key and adds it to your login keychain.
If you don't have access to the original machine, then I'd suggest you revoke your certificate on the portal and create a new one.
The only way to export a certificate is to export it along with the private key. Usually folks do this using the Keychain Access app. You can export the key in p12 format, which can be used to import it on a different machine.
Without the private key, downloading the cert from the portal is useless. This is true for not just Safari certs but for all Mac development certs.

ssl certificate- get private key from csr

Is it possible to export a private key from a CERTIFICATE SIGNING REQUEST?
I have a CSR file and some CRT files. Now I have to install this certificate. How do I do it, or do I need some other files in order to install this certificate?
No, you cannot export the private key from a CSR, because the CSR does not contain any private key.
You need another file that has a private key, and if you have that you won't need the CSR to extract the private key.
You create a CSR from a private key, not the other way around.
In general the process goes like this:
1. You create a private key.
2. You create a CSR.
3. Hand the CSR to a Certificate Authority, aka CA.
4. The CA will give you a certificate.
5. You are good to go with your private key and certificate, depending upon the client; e.g. PHP cURL is fine with it.
You may also combine your private key and certificate using the PKCS12 format, depending upon your client's requirements.
First comes the private key, generated by you. openssl is a great utility for this.
Then the public key can be generated from the private key, or a Certificate Signing Request file can be generated which contains the public key in addition to extra information about your company and your site.
That CSR is pasted (using the GoDaddy or DigiCert methods) into a certificate request form on their respective sites. There is a verification process which may happen automatically or by email.
Then they'll generate a cert which you can use -- the public key is part of the cert.
So notice that you started off with a generated public/private key pair, and ended with a cert/private key pair.
If you're talking about a 'client' (general rule, this process can go back and forth), in general it will use just the cert, which is sent from the server during TLS (ahem, was SSL) negotiations. Or a utility program will use a cert when talking to a 'server' that is paired with it. The server is the one that will decrypt with the private key what was encrypted using the public key embedded in the cert.
So if all you have is a cert, in general you are talking about a client that knows which server it is going to go to.
But usually you are talking about a server, in which case the private key is probably already installed, and all you are doing is updating the cert. So if we are talking about a webserver, there are going to be configuration files which will point you to where the 'old' cert is that you are replacing. You'll also see where the key is, but that wouldn't need to be replaced unless you started the process by generating a new key. If so, then you'd also replace the old key with the new key.
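The key, CSR, CA, certificate sequence described in the two answers above, written out as an added Go example that is not from either answer. The self-signed root, the subject names and "Example Corp" are constructed stand-ins for a real CA such as GoDaddy or DigiCert; KeyMatchesCert is the check for whether a certificate you downloaded belongs to the private key you actually hold.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKeyAndCSR covers the first two steps: the private key is generated here and
// never leaves this machine; the CSR carries only the public key and the subject.
func NewKeyAndCSR(cn string) (*rsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// Issue is the CA's step: subject and public key are lifted out of the CSR and the
// signature comes from the CA key, so the requester's private key never changes hands.
// With issuer == nil the result is self-signed, which is how this example builds its root.
func Issue(csr *x509.CertificateRequest, issuer *x509.Certificate, caKey *rsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err // the requester must prove it holds the matching private key
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// KeyMatchesCert is the check behind every "private key missing" post on this page:
// a certificate is only usable together with the key whose public half it carries.
func KeyMatchesCert(key *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}
```

Nothing in the CSR or the issued certificate can reproduce the private key; if KeyMatchesCert is false for every key you have, the certificate has to be re-issued from a new CSR.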
I ended up in the same situation when I was given a new certificate from a third party for an existing CSR.
The initial CSR was complete and the certificate was installed in a Windows environment. When I tried to import the new certificate, it was imported without its private key. This link was very helpful:
https://learn.microsoft.com/en-us/troubleshoot/iis/assign-certificate-private-key
Basically, when creating a CSR (from IIS etc.) Windows stores the private key internally. When importing the certificate to the same machine, Windows automatically signs it with the private key.
When you import it for a second time, you have to use the command:
certutil -repairstore my "SerialNumber"
where SerialNumber is the imported certificate's serial number.

How to access etoken through CryptoAPI's?

I am developing an HTML application where a user has to first log in using his digital certificate. After login he has to perform encryption and decryption of data using his digital certificate.
Now, in the case when the certificate is available in the form of a .pfx file, we can just install it and the certificate appears in the container, and we can use it during login and during encryption and decryption.
This works fine in the case where we have a .pfx for our digital certificate.
But now I want to enhance it for eTokens (security tokens). I don't know much about eTokens. The problem is: how can I use the digital certificate stored in it during login?
Also, how should I use the private key stored in it during decryption?
Can anyone please tell me about any tutorials (if any) which explain the usage of eTokens and the CryptoAPIs?
As I mentioned in the answer to your previous question, Windows CSPs map the certificate from hardware into the Windows certificate store, so this is transparent to you. If you can access the certificate via the Windows certificate store API, then you don't need to care where the certificate is actually located.
Note that you can't transfer a private key to the server, i.e. you would have to use a client-side module (either ActiveX or a Java applet) that performs the operations locally. This applies not only to certificates on hardware, but also to certificates which have non-exportable private keys.