The important missing part of the answer mentioning signtool is: Yes, with the well known signtool.exe you can also find out, if a file is signed. No need to download another tool! E.g. with the simple line: signtool verify /pa myfile.exe if %ERRORLEVEL% GEQ 1 echo This file is not signed. (For verbose output, add … Read more
You can also set the attributes as optional: # For the CA policy [policy_match] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional
Firstly, you have a few terminology problems: the X509 standard defines certificates, and RSA and DSA are two of the public key algorithms that can be used in those certificates; certificates are used to hold public keys, and never private keys. PKCS#12 is a standard for a container which can hold an X509 client certificates … Read more
I will answer to my own questions, but not delete it, in case someone else got the same problems: return new JcaX509CertificateConverter().getCertificate(certificateHolder); And for attribute certificates: return new X509V2AttributeCertificate(attributeCertificateHolder.getEncoded()); Not nice, as it is encoding and decoding, but it works.
If you timestamp your code while the certificate is valid the effect is that your expired certificates are good. From Thawte Code Signing Certificate FAQs: How long can I use a Code Signing Certificate for? Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase … Read more
The Subject, in security, is the thing being secured. In this case it could be a person’s email or a website or a machine. If we take the example of an email, say my email, then the subject key container would be the protected location containing my private key. The certificate store usually refers to … Read more
IETF PKIX (latest version RFC 5280) is a well accepted profile for certificates. From section 4.1.2.4, the following fields must be supported (I’ve added between parenthesis is the OpenSSL long and optional short name): country (countryName, C), organization (organizationName, O), organizational unit (organizationalUnitName, OU), distinguished name qualifier (dnQualifier), state or province name (stateOrProvinceName, ST), common … Read more
If the keystore is PKCS12 type (.pfx) you have to specify it with -storetype PKCS12 (line breaks added for readability): keytool -list -v -keystore <path to keystore.pfx> \ -storepass <password> \ -storetype PKCS12
SAML responses come with a signature and a public key for that signature. You can use the public key to verify that the content of the SAML response matches the key – in other words – that response definitely came from someone who has the matching private key to the public key in the message, … Read more
.p12 and .pfx are both PKCS #12 files. Am I missing something? Have you tried renaming the exported .pfx file to have a .p12 extension?