Getting thumbprint for X.509 certificate in keystore

Michael255
Kilo Sage

Hi,

I am trying to get a SHA-1 thumbprint of a private key in a PKCS12 key store. I am finding that my call to GlideCertificateEncryption's method getThumbPrintFromKeystore fails silently, and due to the fairly light documentation I cannot tell what is happening. I cannot see any log messages being generated.

Is anyone able to steer me in the correct direction to figuring it out?

var cert = new GlideCertificateEncryption();
var certalias = "le-webserverwithpk-0bf4a773-2b1e-4747-a3e8-af8b62d63ab9";
var certID = "709c6defdb4e7b009e0333f43a961933";
var thumbprint = cert.getThumbPrintFromKeystore(certID, certalias, "SHA-1");

------------------------
keytool -v -list -storetype pkcs12 -keystore file.pfx
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: le-webserverwithpk-0bf4a773-2b1e-4747-a3e8-af8b62d63ab9
Creation date: 24 Jun. 2019

...
...
etc
1 ACCEPTED SOLUTION

Michael255
Kilo Sage

I had to work around the issue by having two entries for the key in sys_certificate

1) One in PEM format for reading the thumbprint

2) One as a Java Key Store that I imported the PKCS12 formatted cert into

I could not get signing to work with the PKCS12 file either, potentially due to my own ignorance, but without error messages it is hard to tell. Once imported into a JKS file, signing silently started working.

Here are some useful commands with the openssl tools at the command line:

convert PKCS12 to pem

> openssl pkcs12 -in file.pfx -out file.pem -nodes

create a JKS keystore with your PKCS12 cert in it:

> keytool -importkeystore -srckeystore file.pfx -srcstoretype PKCS12 -destkeystore keystore.jks

list the keys and their details that are in a JKS keystore:

> keytool -v -list -storetype jks -keystore keystore.jks

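The accepted solution above uploads a PEM produced with `openssl pkcs12 -nodes` in order to read a thumbprint. A thumbprint is a digest (SHA-1 here) computed over the DER-encoded certificate, not over the private key, so the key does not need to be in that PEM at all, and a PEM written with `-nodes` carries the key in plaintext. The following shell functions are an added example, not code from the original post or from ServiceNow: they extract a certificate-only PEM from the PKCS12 file, compute the thumbprint independently with openssl so the value returned by getThumbPrintFromKeystore can be checked against a known-good answer, and confirm that a key and certificate actually belong together. Only the openssl command-line tool is assumed; the function names and file paths are hypothetical.

```shell
# Added example, not code from the original post. Assumes only the openssl
# command-line tool; the function names and file paths are hypothetical.

# Certificate-only PEM from a PKCS#12 file.  A thumbprint is a digest over the
# DER-encoded certificate, so the private key is not needed to compute it and
# need not be part of the PEM record used for that purpose.
#   $1 = .pfx/.p12 file, $2 = output PEM, $3 = keystore password
pfx_to_cert_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -clcerts -out "$2"
}

# Full PEM (private key and certificate), equivalent to the -nodes command in
# the post.  The key is written unencrypted, so restrict the file mode.
pfx_to_full_pem() {
    ( umask 077; openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$2" )
}

# Thumbprint of the first certificate in a PEM file, as colon-separated
# upper-case hex.  $1 = PEM file, $2 = digest name (sha1 or sha256).
# openssl prints "SHA1 Fingerprint=AB:CD:..."; the sed strips the label.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^[^=]*=//'
}

# Confirm that a private key belongs to a certificate by comparing digests of
# their DER-encoded public keys.  Exit status 0 on a match.
#   $1 = certificate PEM, $2 = private key PEM
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Typical use is `pfx_to_cert_pem file.pfx cert.pem 'storepass'` followed by `cert_thumbprint cert.pem sha1`; the printed value is what a correct call to getThumbPrintFromKeystore with "SHA-1" should return for that certificate, so a silent failure can be told apart from an unexpected-but-valid result. `cert_thumbprint cert.pem sha256` gives the SHA-256 form, which is what most tooling compares today.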

2 REPLIES


woodyfairley
Tera Guru

Thank you for this helpful guidance. I too am trying to implement e-signing with certificates, and the documentation and code samples are not available through ServiceNow documentation. I am attempting to read the certificate from a CAC storage device on the client through middleware, and I see the command sign but nothing else. I've activated the "approval with e-signature" plugin and it does not even show up in global search results. This is very important in our processes, so it is quite disappointing that customers get this functionality by attaching a pdf file to an email, but I am unable to deliver it within the ServiceNow environment. I realize that I am still learning to develop in this environment, but I do not like admitting that the documentation does not exist.

I am grateful for your willingness to contribute documentation to this forum for developers like me, thank you.

Kind Regards,

Woody