How to include password when enrolling CSR to EJBCA using JSCEP - ejbca

I am attempting to enroll a certificate signing request to EJBCA using JSCEP as documented here:
https://github.com/jscep/jscep
I am able to submit a csr from the web console using the same format of csr and private key (for ssl authorization on port 8443), but when I try it via JSCEP, I get the following error in the EJBCA logs:
Error processing SCEP request.: org.cesecore.certificates.ca.SignRequestException: No password in request.
I'm guessing that it wants the username and enrollment code of an end entity like the one I am required to enter via the web UI, but I see absolutely nowhere in the JSCEP API to enter that information. Perhaps the private key is sufficient, but that does seem a little odd as the UI wanted both.
I suppose it could also mean that my CSR must have a password, which it doesn't, but the UI didn't give me a problem with that so I don't see why this would.
The keystore (parsed from a p12 file, with password included) and CSR are both parsed from files rather than generated programmatically. The CSR is from a third party whose keys I do not have.
My enrollment request via the jscep client looks like the following:
client.enrol(certificate, privateKey, request, config.getCaProfile());
The certificate and private key are both taken from the p12 file and the request is parsed from the csr (pkcs12) passed to me. The caProfile is the CA Name listed in the table on the homepage of the https::8443/ejbca/adminweb/
Please let me know if my parameters are wrong, or, if I need to include a password somewhere, how I can do that in the API.

I am now able to do this for a programmatically constructed CSR and it works end to end, so I'm considering the issue closed. I still have some work to do to use a third-party CSR, but that shouldn't be a big deal.
The code is below.
import java.security.*;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair entityKeyPair = keyPairGenerator.genKeyPair();
PublicKey entityPubKey = entityKeyPair.getPublic();
X500Principal requesterSubject = new X500Principal("CN=endEntityName");
PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(requesterSubject, entityPubKey);
// The end entity's enrollment code travels as the PKCS#9 challengePassword attribute of the CSR
DERPrintableString password = new DERPrintableString("endEntityPassword");
csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password);
PrivateKey entityPrivKey = entityKeyPair.getPrivate();
JcaContentSignerBuilder csrSignerBuilder = new JcaContentSignerBuilder("SHA1withRSA");
ContentSigner csrSigner = csrSignerBuilder.build(entityPrivKey);
PKCS10CertificationRequest csr = csrBuilder.build(csrSigner);
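Why the remaining third-party case is harder than it looks: the challengePassword sits inside CertificationRequestInfo, which the requester's self-signature covers, so a CSR you receive either already carries the enrollment code or cannot be given one without re-signing with a key you do not hold. The Java check below is an added example (not the answer's code); it assumes BouncyCastle bcpkix on the classpath and constructs its own sample CSR.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrChallengeCheck {

    // Returns the challengePassword the requester put in the CSR, or null if there is none.
    static String challengePassword(PKCS10CertificationRequest csr) {
        Attribute[] attrs = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_challengePassword);
        if (attrs.length == 0 || attrs[0].getAttrValues().size() == 0) {
            return null;
        }
        // RFC 2985 allows PrintableString or UTF8String here; both implement ASN1String in BC.
        return ((ASN1String) attrs[0].getAttrValues().getObjectAt(0)).getString();
    }

    // The self-signature covers CertificationRequestInfo, attributes included, so a valid
    // signature proves the key holder (not a relay) chose the challengePassword.
    static boolean signatureValid(PKCS10CertificationRequest csr) throws Exception {
        return csr.isSignatureValid(
            new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the kind of CSR the answer builds, round-tripped through DER
        // as if it had been handed over by a third party.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        JcaPKCS10CertificationRequestBuilder b = new JcaPKCS10CertificationRequestBuilder(
            new X500Principal("CN=endEntityName"), kp.getPublic());
        b.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword,
            new DERPrintableString("endEntityPassword"));
        byte[] der = b.build(new JcaContentSignerBuilder("SHA256withRSA")
            .build(kp.getPrivate())).getEncoded();

        PKCS10CertificationRequest received = new PKCS10CertificationRequest(der);
        System.out.println("signature valid: " + signatureValid(received));
        System.out.println("challengePassword: " + challengePassword(received));
    }
}
```

The attribute is cleartext inside the PKCS#10; SCEP protects it only because the whole request is wrapped in the encrypted pkcsPKIEnvelope addressed to the CA.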

Related

Is it possible to generate a certificate signing request (.csr) using the Security framework in iOS?

I would like to make an HTTPS request to a server that requires client-certificate authentication. I looked into this: Creating a SecCertificateRef for NSURLConnection Authentication Challenge. It worked as expected.
However, it needs a prepared p12 file which includes the private key. It would be secured, as it needs a password to import the p12 file using SecPKCS12Import().
However, there could be another option: the iOS client should make a certificate signing request (.CSR) and let a third party (it would be the server) sign it.
From my search, I see that I can use SecKeyGeneratePair() to generate a key pair. But I don't see any API that generates a CSR.
Does it really need OpenSSL to achieve this?
Also, a bit off topic: once the iOS client somehow gets back the signed certificate, I can use SecCertificateCreateWithData() to retrieve a SecCertificateRef. However, to fill in an NSURLCredential, I also need the SecIdentityRef, which comes from the p12 file using
SecPKCS12Import(). How can I retrieve a SecIdentityRef without SecPKCS12Import(), but just from a certificate file like crt or der?
There is no explicit support for CSRs in the Security framework on iOS. However, it is not that difficult to build a CSR 'manually': it is just an ASN.1 DER block of data that is available at iOS runtime.
Here is pseudo-code for that:
Use SecKeyGeneratePair() from the Security framework to create a fresh public/private key pair
Implement a getPublicKeyBits method to retrieve the NSData form of the fresh public key (see https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
Implement a getPrivateKey method to retrieve the SecKeyRef from the Keychain
Follow http://www.ietf.org/rfc/rfc2986.txt to construct the ASN.1 DER of the CSR in NSMutableData
Use CC_SHA1_* to create the signature hash of the Certification Request Info (part of the CSR)
Use SecKeyRawSign and the private key to sign the CSR
This will create a proper CSR (in the form of NSData) that can be sent to a CA for approval.
My implementation is available on GitHub: http://github.com/ateska/ios-csr .
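The RFC 2986 structure those steps describe, built by hand with BouncyCastle's low-level ASN.1 classes in Java rather than the iOS Security framework, so the three pieces (CertificationRequestInfo, hash-and-sign, outer CertificationRequest) are visible. This is an added example, not the answer's ios-csr code; it assumes bcpkix on the classpath and uses SHA-256 where the answer uses CC_SHA1.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

public class ManualCsr {
    // RFC 2986: CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }
    static byte[] buildCsr(String subjectDn, KeyPair kp) throws Exception {
        // Step 4: CertificationRequestInfo = version 0, subject, SubjectPublicKeyInfo, attributes (empty SET)
        CertificationRequestInfo info = new CertificationRequestInfo(
            new X500Name(subjectDn),
            SubjectPublicKeyInfo.getInstance(kp.getPublic().getEncoded()),
            new DERSet());
        // Steps 5 and 6: hash the DER of the info block and sign that hash with the private key
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(kp.getPrivate());
        sig.update(info.getEncoded(ASN1Encoding.DER));
        AlgorithmIdentifier alg =
            new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption, DERNull.INSTANCE);
        return new CertificationRequest(info, alg, new DERBitString(sig.sign())).getEncoded(ASN1Encoding.DER);
    }

    // What a CA does first with the received bytes: parse and check the self-signature with the embedded key
    static boolean csrIsWellFormed(byte[] der) throws Exception {
        PKCS10CertificationRequest csr = new PKCS10CertificationRequest(der);
        return csr.isSignatureValid(
            new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo()));
    }

    public static void main(String[] args) throws Exception {
        // Step 1 (SecKeyGeneratePair on iOS): a fresh key pair; subject DN is a constructed demo value
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        byte[] der = buildCsr("CN=ios-device-0001,O=Example", g.generateKeyPair());
        System.out.println("DER bytes: " + der.length + ", self-signature valid: " + csrIsWellFormed(der));
    }
}
```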

What public key to use when verifying JWT.io signature OneLogin ID Token

I am trying to verify the id_token I received from OneLogin OpenID Connect. I looked online and everyone says I need to use a .pem file, but how do I generate that file? I can use OpenSSL to generate it, but which key do I use when generating that .pem certificate? I have tried with client_id and client_secret. Neither of these works.
Can someone please help?
Please see the screenshot.
OneLogin supports public key (RS256) encryption, and you can find the public keys courtesy of the .well-known endpoint OneLogin provides.
Ex. https://t3stc0.onelogin.com/oidc/.well-known/openid-configuration
This URL (specific to your account) can also be found on the SSO tab of your application configuration.
From that endpoint you can get links to various details about the certs in various fields:
"id_token_signing_alg_values_supported": [
"RS256"
],
"issuer": "https://openid-connect.onelogin.com/oidc",
"jwks_uri": "https://t3stc0.onelogin.com/oidc/certs",
For more details on the specifics, check out the OIDC spec. I also highly recommend making your code able to respond to changing keys, as these keys are subject to change (I believe Google changes theirs daily!).
But any decent open source OIDC client should be able to do this for you.

JWT/KONG: Cannot create JWTs with a shared secret

I've been playing around with the KONG API gateway recently.
I want to sign each JWT with a secret that is shared by all micros. I need this because I want other micros to be able to decode a given JWT, extract payload data and work upon it (e.g. the user_id field in the payload).
When I try to create a JWT for the first consumer, it works just fine. But when I try to create it for the second consumer I'm getting the following error:
{u'secret': u"already exists with value 'secret'}
I'm not exactly sure, but I think KONG/JWT requires a unique secret for each consumer to create a JWT. Is it possible to configure the JWT plugin properly to be able to use a shared secret to sign JWTs?
PS: I'm not entirely sure that using a shared secret is a good practice. If there is a better way to do this please let me know. Thanks!
Kong version v0.10.2
You can use the private/public key signing method.
Create your JWT token with a private key and share the public key with all other microservices. The other microservices can verify the signature of the token by using the shared public key.
You can use the RSA algorithm for generating the keys and signing the tokens. The private key should only be held by the service which generates the token.
Snippet for generating keys:
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(2048);
KeyPair kp = kpg.genKeyPair();
Key publicKey = kp.getPublic();   // distributed to every verifying microservice
Key privateKey = kp.getPrivate(); // stays only with the token-issuing service
Snippet to generate JWT token. I am using JJwt API for generating the token:
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

String jwtToken = Jwts.builder()
    .setClaims(payload)          // Map<String, Object> of claims, e.g. user_id
    .setExpiration(expiryDate)
    .signWith(SignatureAlgorithm.RS256, privateKey)
    .compact();
Snippet to verify the token with public key:
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;

Jws<Claims> claims = Jwts.parser()
    .setSigningKey(publicKey)
    .parseClaimsJws(jwtToken);   // throws if the signature or the expiry check fails
Hope this helps.
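Both answers above (verifying an RS256 id_token against the keys published at jwks_uri, and issuing with a private key that only one service holds) come down to the same mechanics, shown here in standard-library Java as an added example that is not part of either answer: the issuer signs header.payload, publishes the public key as a JWK (n, e, kid), and a verifier pins the algorithm, picks the key by kid, rebuilds the RSAPublicKey from the JWK fields and checks the signature. The kid "k1", the payload and the in-memory JWKS map are constructed stand-ins for the real discovery document; a real verifier parses the header as JSON rather than string-matching it.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Map;

public class Rs256Jwks {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // Issuer side: RS256 compact JWT; the header's kid tells verifiers which JWKS entry to use.
    static String sign(String kid, String payloadJson, PrivateKey priv) throws Exception {
        String h = ENC.encodeToString(("{\"alg\":\"RS256\",\"kid\":\"" + kid + "\"}").getBytes(StandardCharsets.UTF_8));
        String b = ENC.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update((h + "." + b).getBytes(StandardCharsets.US_ASCII));
        return h + "." + b + "." + ENC.encodeToString(s.sign());
    }
    // Consumer side: rebuild the RSA public key from the JWK's n and e; no .pem file is involved.
    static PublicKey fromJwk(Map<String, String> jwk) throws Exception {
        BigInteger n = new BigInteger(1, DEC.decode(jwk.get("n")));
        BigInteger e = new BigInteger(1, DEC.decode(jwk.get("e")));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }
    // Verify: insist on RS256, select the key by kid, check the signature over header.payload.
    static boolean verify(String jwt, Map<String, Map<String, String>> jwks) throws Exception {
        String[] p = jwt.split("\\."); if (p.length != 3) return false;
        String header = new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"RS256\"")) return false;   // never accept alg=none or an HMAC alg here
        String kid = header.replaceAll(".*\"kid\":\"([^\"]+)\".*", "$1");
        Map<String, String> jwk = jwks.get(kid);
        if (jwk == null) return false;   // unknown kid: re-fetch jwks_uri before giving up, keys rotate
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(fromJwk(jwk));
        s.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        return s.verify(DEC.decode(p[2]));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair kp = g.generateKeyPair();   // issuer key; its public half is what the JWKS below publishes
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        Map<String, Map<String, String>> jwks = Map.of("k1", Map.of("kty", "RSA",   // constructed jwks_uri stand-in
            "n", ENC.encodeToString(pub.getModulus().toByteArray()),   // real JWKS strip the leading sign byte
            "e", ENC.encodeToString(pub.getPublicExponent().toByteArray())));
        String jwt = sign("k1", "{\"sub\":\"user_id_42\"}", kp.getPrivate());
        System.out.println("valid: " + verify(jwt, jwks) + ", unknown kid: " + verify(jwt, Map.of()));
    }
}
```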

Signing Apple MDM profile

I am working on an Apple MDM server, and actually it is working fine. I have a signature problem, that makes the client complain about the certificate, so now I am interested in how others sign their configuration profiles.
I use java, but any kind of help is welcome, since this is not a particular question on how to implement the code in java, but more on how to correctly sign the configuration profile.
This is how we do it currently:
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.cms.*;
import org.bouncycastle.cms.*;

byte[] data = ...
X509Certificate cert = ...
KeyPair keyPair = ...
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
// empty signed-attribute table, no unsigned attributes; the "BC" provider performs the signing
gen.addSigner(keyPair.getPrivate(), cert, CMSSignedGenerator.DIGEST_SHA1, new AttributeTable(new Hashtable<DERObjectIdentifier, Attribute>()), null);
CMSSignedData signedData = gen.generate(new CMSProcessableByteArray(data), true, "BC");
response.setContentType("application/x-apple-aspen-config");
response.getOutputStream().write(signedData.getEncoded());
We are using a self signed certificate created with the algorithm SHA1withRSA and the key is with RSA and the size is 2048.
Does anyone see a problem with this way of doing it, or are you just doing it differently which makes it work?
And please feel free to post code in other languages than java - it might still help.
I did two things to fix this.
First I changed the certificate to x509 v3 - it was v1. Then I added KeyUsage and BasicConstraints to make iOS accept it as trusted.
The second I did was to add the certificate itself as a CertStore.
These two steps make the certificate similar to the certificate the iPhone Configuration Utility uses.
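The two fixes above, in the current BouncyCastle CMS API, together with the check a receiver would apply: a v3 certificate carrying KeyUsage and BasicConstraints, the signer certificate embedded in the SignedData via a cert store, and a verifier that fails if the signer's certificate is not inside the blob. This is an added example, not the question's or answer's code; it assumes bcpkix on the classpath, and the subject name and plist bytes are constructed demo values.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.operator.jcajce.*;

public class MdmProfileSigner {
    // Self-signed X.509 v3 certificate with the KeyUsage and BasicConstraints the answer added.
    static X509Certificate selfSignedV3(KeyPair kp) throws Exception {
        X500Name dn = new X500Name("CN=MDM Profile Signing");   // constructed demo subject
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(dn, java.math.BigInteger.ONE,
            new Date(), new Date(System.currentTimeMillis() + 365L * 86_400_000L), dn, kp.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
        return new JcaX509CertificateConverter().getCertificate(
            b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    // Encapsulated CMS SignedData with the signer certificate embedded (the cert-store step).
    static byte[] signProfile(byte[] plist, PrivateKey key, X509Certificate cert) throws Exception {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
            new JcaDigestCalculatorProviderBuilder().build())
            .build(new JcaContentSignerBuilder("SHA256withRSA").build(key), cert));
        gen.addCertificates(new JcaCertStore(List.of(cert)));
        return gen.generate(new CMSProcessableByteArray(plist), true).getEncoded();
    }

    // Receiver-side check: each SignerInfo's certificate is inside the blob and its signature verifies.
    static boolean verifyEmbedded(byte[] cms) throws Exception {
        CMSSignedData sd = new CMSSignedData(cms);
        for (SignerInformation si : sd.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> matches = sd.getCertificates().getMatches(si.getSID());
            if (matches.isEmpty()) return false;   // signer cert not embedded: what the question was missing
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(matches.iterator().next()))) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        byte[] profile = "<plist version=\"1.0\"><dict/></plist>".getBytes();   // constructed stand-in profile
        byte[] signed = signProfile(profile, kp.getPrivate(), selfSignedV3(kp));
        System.out.println("signer cert embedded and signature valid: " + verifyEmbedded(signed));
    }
}
```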

Unable to sign security tokens with certificate in WIF scenario

I'm trying to implement a custom STS for a WIF scenario I'm investigating, but it's failing. It's failing when trying to obtain the private key from the certificate used to sign the tokens. I create the STS with the following configuration:
// WIF 3.5 (Microsoft.IdentityModel) namespaces
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.SecurityTokenService;

var signingCert = new X509Certificate2(@"C:\<path>\MySigningCertificate.pfx");
var config = new SecurityTokenServiceConfiguration()
{
    DisableWsdl = true,
    TokenIssuerName = "Tribold",
    SecurityTokenService = typeof(TriboldSecurityTokenService),
    SigningCredentials = new X509SigningCredentials(signingCert),
    CertificateValidationMode = X509CertificateValidationMode.Custom,
    CertificateValidator = new CertificateValidator()
};
However, with WCF diagnostic logging configured, I get the following message in the Service Trace Viewer:
The private key is not present in the X.509 certificate.
This appears to be logged as the code comes out of my custom STS (i.e., after calling GetOutputClaimsIdentity(...) on my custom STS class), and therefore I can only assume that it's now trying to sign the issued security token and failing because it can't obtain a private key to do so.
The private key appears to be present on the loaded certificate:
Debug.Assert(signingCert.HasPrivateKey == true);
but it fails later on. I'm having no luck resolving this, please help!
It looks like thread "cant use .pfx file for X.509 certificates" in the Geneva (= AD FS 2.0) forums covers the same problem which you report. So the resolution reported there might work, which is "specifying the X509KeyStorageFlags.PersistKeySet flag when initiating the X509Certificate2 object".
I'd be surprised if you didn't have to specify a password when opening a PFX file. X509Certificate2 has overloads that take a password in the form of a string or a SecureString.
