How to Increase ACS self signed certificate.

I'm using ACS 4.0 for Windows.
How can I increase the validity of a self signed certificate from one year to more years?
Thanks.
Andrea.

It is not possible to extend it. You have to re-issue the cert every year. You can either buy a certificate or set up your own CA to extend the time.

Similar Messages

  • How to import the self-signed certificate in runtime

    Hi.
    I am working on connecting a JSSE client to an OpenSSL server with a self-signed certificate.
    But I hit an SSLSocketException during the handshake.
    Many solutions are posted on this page.
    But they all use keytool.
    My application connects to many sites that use self-signed certificates.
    So, I want to import the certificate at run time.
    How can I do that?
    Please answer me.
    Thanks,

    Did you figure this out? I need to know how to accept a self-signed certificate, otherwise it's this exception...
    D:\javatools\apis\jsse1.0.2\samples\urls>java -cp jcert.jar;jnet.jar;jsse.jar;. URLReader
    Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
    at java.io.OutputStream.write(OutputStream.java:61)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
    at java.net.URL.openStream(URL.java:798)
    at URLReader.main(URLReader.java:46)

  • How to renew a self signed certificate

    Hello,
    Can someone tell me how I can renew a self-signed certificate? I can't find the relevant option with the certadmin command.
    thx,
    Tom.

    Hi,
    Thanks, I had scanned through that document, but it doesn't tell you how to renew a self-signed certificate. I went through all the options of the certadmin tool, and renewing a certificate is not one of them. So I guess it must be done manually via some pki binary somewhere on my system, but which one and how?

  • How to use a self-signed certificate

    Hello,
    I am having some troubles understanding how to use a self-signed certificate. I have created one using Keychain Access -> Create Certificate but it never asked me for the private key and it never told me where the certificate is stored. How am I supposed to use it?
    Typically I would like to do two things:
    1) use the certificate to for example sign an email or other document so that the recipient can verify that it was really me. I understand the concept that they have to have my public key and use it to somehow decrypt something that I have encrypted with my private key. But where is my private key? As mentioned, the certificate creation process never at any point asked me to provide a private key.  An example using this process to sign an email would be really appreciated.
    2) I want to be able to decrypt a message that someone sends to me after encrypting it with my public key. Again, I need my private key, where is it? I was never asked to choose one!
    Please note that I am familiar with the whole process using openSSL ssh via command line, I just need to understand how to achieve the same thing using the certificate creation procedure provided via Keychain Access.
    In short, now that I have created my certificate, how do I use it? Examples for dummies would be really appreciated.
    Thanks in advance
    /Andrea

    Can you import the CA cert under “Your Certificates”, delete the CA cert, switch to “Authorities”, re-import the CA cert, and restart Firefox?

  • ACS self-signed certificates - renewals?

    We are using the ACS self-signed certs - good for 1 year. We are using PEAP and when configuring the wireless users, we disable the option to "prompt user to authorize new servers or trusted cert authorities."
    Is there a way to renew the cert (or generate a new cert) and not require a physical visit to the computer to redo the wireless setup?
    Perhaps a way to generate a new cert that is named the same as the existing cert? Maybe then I could push out the cert via a GPO.
    Thanks for any help....our cert will be expiring in the month (or so) and we are trying to figure out a game plan that doesn't involve touching every computer.

    Hi,
    The kind of certificate is a regular server certificate.
    You could use Windows 2003 as a CA, that is a lot cheaper to get one of those, and you can make the certificate for as many years as you want.
    Please see the link below that explains how certificates need to be requested and how to use Windows 2003 as a CA.
    http://tinyurl.com/9hq4r
    If you decide to use another CA you will need the following instructions.
    Step 1: Create a Certificate Signing Request
    Complete these steps:
    1. Choose System Configuration > ACS Certificate Setup > Generate Certificate Signing Request.
    2. Enter a name in the Certificate subject field with the cn=name format.
    3. Enter a name for the private key file.
       Note: The path to the private key is cached in this field. If you press submit a second time after the CSR is created, the private key is overwritten and does not match the original CSR. This results in a "private key does not match" error message when you attempt to install the server certificate.
    4. Enter the private key password and confirm it.
    5. Choose a key length of 1024.
       Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in Cisco Secure ACS, but the client hangs while authentication is attempted.
    6. Click Submit.
    7. Copy the CSR output on the right-hand side for submittal to the CA.
    Once this has been created you send it to the CA and they know what to do.
    If you need any assistance let me know.
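
The difference between regenerating a self-signed certificate under the same name and re-issuing a server certificate from a private CA that clients already trust can be reproduced with the openssl command line. This is an added example, not part of the original posts and not ACS output; the host name acs.example.test, the CA name, the 2048-bit keys and all lifetimes are assumptions.

```bash
#!/bin/sh
# Added example: names, subjects and lifetimes are constructed.
# Keys are written unencrypted to a temp dir for the demo only.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Self-signed certificate with a fresh key. $1=basename $2=CN $3=days
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
        -extensions v3_ca -subj "/CN=$2" -days "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# New key + CSR, then a server certificate signed by the CA in ca.crt/ca.key.
# $1=basename $2=CN $3=days
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days "$3" -extfile "$WORK/pki.cnf" \
        -extensions v3_server -out "$WORK/$1.crt" 2>/dev/null
}

# Does a client that trusts only certificate $1 accept certificate $2?
trusted_by() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1 | grep -q ': OK$'
}

# Succeeds only if certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$WORK/$1.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Case 1: clients trust the old self-signed cert; it is regenerated with the same name.
self_signed old_self acs.example.test 365
self_signed new_self acs.example.test 365
# Case 2: clients trust a private CA once; the server cert is issued, then renewed.
self_signed ca "Example Lab Root CA" 3650
issue_server srv_first acs.example.test 1095
issue_server srv_renewed acs.example.test 1095

report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
report trusted_by old_self new_self      # no: same name, different key
report trusted_by ca srv_first           # yes
report trusted_by ca srv_renewed         # yes: the trust anchor did not change
report valid_for_days srv_renewed 1000   # yes: issued for 1095 days
```

Only the CA certificate has to reach the clients; the CA private key stays on the issuing host.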

  • Does anyone know how to use a self signed certificate with apple mail??

    I've read about it in Mail's help and tried to set it up according to it. I've created a self-signed certificate but have no idea how to set it up so that it would work with Mail and I would be able to send signed messages. Could anyone help me?

    Hello rado:
    Welcome to Apple discussions.
    I am assuming this is what you read:
    http://docs.info.apple.com/article.html?path=Mac/10.5/en/8916.html
    If you follow the instructions when you set up the certificate, you should be fine.
    Incidentally, most "ordinary users" (like me) do not use this function. I am curious as to why you want to jump through hoops in your Mail application.
    Barry

  • How to erase all self signed certificates and force Server to use Signed SSL

    I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I am seeing a self-signed certificate instead.
    I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
    Can I replace those self-signed certs with the new one somehow?

    Don't delete those.  However, you are on the right track.  Follow these steps to resolve.
    1:  Launch Keychain Access
    2:  Select the System Keychain
    3:  Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
    4:  In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
    5:  Press Save Changes to save.
    6:  Reboot the server or kill the servermgrd process to restart the service.
    That should resolve your issue.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

  • How to issue a self-signed certificate to match Remote Desktop Gateway server address requested

    I have an RDG server named gw.domain.local with port 3389/tcp forwarded from
    gw.example.com.
    Using RDGM snap-in I created a self-signed SSL certificate with FQDN gw.example.com.
    But when I connect over RDP from outside the local network I'm getting an error:
    Your computer can't connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match
    Because certificate subject name is gw.domain.local indeed.
    So the question is: how to issue a certificate properly, or how to assign an existing one the name to match?

    Hi,
    Thanks for your post in Windows Server Forum.
    The certificate error which you are facing seems like certificate mismatch error, something like the security certificate name presented by the TS Gateway server does not match the TS Gateway name. You can try reconnecting using the FQDN name of the TS Gateway server. You can refer below article for more troubleshooting.
    TS Gateway Certificates Part III: Connection Time Issues related to TS Gateway Certificates
    And for creating a SSL certificate for RD gateway, you can refer beneath articles.
    1.  Create a Self-Signed Certificate for the Remote Desktop Gateway Server
    2.  Obtain a Certificate for the Remote Desktop Gateway Server
    Hope it helps!
    Thanks,
    Dharmesh

  • How to renew your self-signed certificate p12 with Flash Builder

    I have been using a self-signed certificate (generated using Adobe Flash Builder 4.7) for my Android app. The app is live on Google Play market but the certificate is going to expire soon, and I know if I create new certificate and update my app, existing Android users will not be able to auto-update the app (as the App's Signature has been changed). I would like to know how can we re-new the self-signed Certificate .p12 with Flash Builder?
    Thank you very much.

    After doing my research about the self-signed certificate created by Adobe Flash Builder, I realized that it was my mistake to think that the certificate would expire soon. I double-checked the expiration date of my self-signed certificate and the date was set to 35 years after I generated it using Flash Builder 4.7 (which is very safe).
    For anyone who wants to check the self-signed .p12 expiration date, follow the instructions from this link:
    http://bsdsupport.org/how-do-i-determine-the-expiration-date-of-a-p12-certificate/
    Hope it helps
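
One way to read the expiration date out of a .p12 file with the openssl command line, as an added example that is not part of the original post and not taken from the linked article. The .p12 is generated inside the script as a stand-in for a Flash Builder file; its name, alias, subject and password are constructed.

```bash
#!/bin/sh
# Added example: the .p12 file, alias, subject and password are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
P12="$WORK/app-signing.p12"; PASS='constructed-password'

# Stand-in for the real file: a self-signed certificate valid for 35 years
# (12775 days), bundled with its private key as PKCS#12.
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Example App Signing\n' \
    > "$WORK/req.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 12775 \
    -config "$WORK/req.cnf" -keyout "$WORK/k.pem" -out "$WORK/c.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/k.pem" -in "$WORK/c.pem" \
    -name app -out "$P12" -passout "pass:$PASS"

# Print the notAfter date of the end-entity certificate in a PKCS#12 file.
# -nokeys keeps the private key out of the output; -clcerts skips any
# bundled CA certificates so the date belongs to the signing certificate.
p12_not_after() {   # $1=file $2=password
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null
}

# Succeeds only if that certificate is still valid $3 days from now.
p12_valid_for_days() {   # $1=file $2=password $3=days
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1
}

echo "certificate $(p12_not_after "$P12" "$PASS")"
if p12_valid_for_days "$P12" "$PASS" 365; then
    echo "more than a year of validity left"
fi
# A wrong password yields no date and a non-zero status instead of a bogus result.
if ! p12_not_after "$P12" wrong-password >/dev/null; then
    echo "wrong password: nothing reported"
fi
```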

  • How do we create self-signed certificate using java packages

    Hi All,
    I require some information on creating self-signed certificate using java packages.
    The java.security.cert.* package allows you to read Certificates from an existing store or a file etc. but there is no way to generate one afresh. See CertificateFactory and Certificate classes. Even after loading a certificate you cannot regenerate some of its fields to embed the new public key - and hence regenerate the fingerprints etc. - and mention a new DN. Essentially, I see no way from java to self-sign a certificate that embeds a public key that I have already generated.
    I want to do the equivalent of 'keytool -selfcert' from java code. Please note that I am not trying to do this by using the keytool command line option - it is always a bad choice to execute external process from the java code - but if no other ways are found then I have to fall back on it.
    Regards,
    Chandra

    "I require some information on creating self-signed certificate using java packages." It's not possible because JCE/JCA doesn't have an implementation of X509Certificate. For that you have to use another JCE provider, e.g. BouncyCastle, IAIK, Assembla etc.
    I'm giving you sample code for producing a self-signed certificate using IAIK JCE. Note that IAIK JCE is not free. But you can use BouncyCastle; it's open source and free.
    import java.math.BigInteger;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.util.Calendar;
    import java.util.GregorianCalendar;
    // IAIK-JCE provider classes
    import iaik.asn1.ObjectID;
    import iaik.asn1.structures.AlgorithmID;
    import iaik.asn1.structures.Name;
    import iaik.x509.X509Certificate;

    public class SelfSignedCertSample {
      private KeyPairGenerator m_objkeypairgen;
      private KeyPair m_objkeypair;
      private X509Certificate m_objX509;

      /** Generating and Initialising the Public and Private Keys */
      public KeyPair generateKeys() throws Exception {
          //1 - Key Pair Generated [Public and Private Key]
          m_objkeypairgen = KeyPairGenerator.getInstance("RSA");
          m_objkeypair = m_objkeypairgen.generateKeyPair();
          System.out.println("Key Pair Generated....");
          //Returns Both Keys [Public and Private]
          return m_objkeypair;
      }

      /** Generating and Initialising the Self Signed Certificate */
      public X509Certificate generateSSCert() throws Exception {
        //Creates Instance of X509 Certificate
        m_objX509 = new X509Certificate();
        //Creating Calendar Instance
        GregorianCalendar obj_date = new GregorianCalendar();
        Name obj_issuer = new Name();
        obj_issuer.addRDN(ObjectID.country, "CountryName");
        obj_issuer.addRDN(ObjectID.organization, "CompanyName");
        obj_issuer.addRDN(ObjectID.organizationalUnit, "Deptt");
        obj_issuer.addRDN(ObjectID.commonName, "Valid CA Name");
        //Self Signed Certificate: issuer and subject are the same name
        m_objX509.setIssuerDN(obj_issuer); // Sets Issuer Info
        m_objX509.setSubjectDN(obj_issuer); // Sets Subject Info
        m_objX509.setSerialNumber(BigInteger.valueOf(0x1234L));
        m_objX509.setPublicKey(m_objkeypair.getPublic()); // Sets Public Key
        m_objX509.setValidNotBefore(obj_date.getTime()); // Sets Starting Date
        obj_date.add(Calendar.MONTH, 6); // Extending the Date [Cert Validation Period (6-Months)]
        m_objX509.setValidNotAfter(obj_date.getTime()); // Sets Ending Date [Expiration Date]
        //Signing Certificate With SHA-1 and RSA
        // JCE doesn't have that specific implementation, so that is why we need
        // another provider, e.g. BouncyCastle, IAIK etc.
        m_objX509.sign(AlgorithmID.sha1WithRSAEncryption, m_objkeypair.getPrivate());
        System.out.println("Start Certificate....................................");
        System.out.println(m_objX509.toString());
        System.out.println("End Certificate......................................");
        //Returns Self Signed Certificate.
        return m_objX509;
      }
    }

  • How-to install a self-signed certificate on Sony Ericsson W350

    I am a developer and I am writing a j2me application for a Sony Ericsson W350 phone which needs to be able to use the phone's SMS capabilities.  I have a signed .jar and .jad file with a self-signed certificate.  However, the phone is still treating my application as an untrusted third party app.  I think this is occurring because my self-signed certificate isn't in the java certificate store on the phone. Is there a way to load my self-signed certificate into the java certificate store?  I have tried copying it over to the phone via bluetooth and usb and installing it through the filesystem, however there isn't an option to install the certificate when browsing to it from the phone's filesystem.  Any help would be much appreciated.

    Deactivating existing Java certificates prevented me from installing the .jad file.  I accessed the phone's file system using both Sony PC Companion with USB and using the OS file browser over bluetooth.

  • How do I override self-signed certificate old ssl blocking.

    My hard drive failed and was replaced by my desktop support team. As a result, I had to re-install FireFox, my preferred browser to provide console connections to my production servers. These connections are old, firmware platforms that are not updatable behind multiple firewall layers. They use old versions of ssl and self signed certificates. Your new browser simply blocks access. Without the ability to override permanently this 'feature', I am unable to access the consoles of servers doing billions of dollars in business. I have a work-around in place with other browsers.

    So, you are saying that EVERY time I need to access this type of server on my own internal network that is not visible anywhere, I have to go thru this rigamarole of this add on thing, because YOU have decided I can no longer access my own servers in my own network? If there is no permanent fix, I will find another browser that will do the job, and this will be uninstalled across the enterprise, because it becomes very unusable in crisis situations and even during a normal workday, because of the unnecessarily complicated process that has to be done each time. Unbelievable gall. I am speechless. Sure glad I discovered it when it was not urgent. I am sure glad you all are smarter than I am. Sheesh.

  • How to configure a self-signed certificate

    Can someone please help me get the parameters/variables correct to generate a self-signed SSL certificate on a CSS?
    Generate the RSA Key Pair
    ssl gen temprsakeys 1024 "passwd123"
    Associate RSA Key Pair to Key Pair Name
    ssl associate rsakey temprsakeys temprsakeys-file
    Generate Self-Signed Certificate
    ssl gencert certkey temprsakeys signkey ????
    Associate Certificate with a file
    ssl associate cert ??? ????

    This is documented at:
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080579e92.html#wp999000
    The principle of self-signed is that the certkey and the signkey are the same.
    Gilles.

  • How to import a self signed certificate into Firefox from the windows store properly.

    I am currently trying to get a wcf service that runs on the same machine as the browser that is making the request. Since the connection is between a browser and an application running on the same machine, security was originally not a concern and it seemed fine to leave the request on http. The first issue arose when Firefox did not allow mixed content calls (the website making the requests uses https). I have the service converted fine to run with Chrome and IE in https, but not for Firefox due to its use of a separate store.
    For the windows store I created one CA cert which then issues the self signed cert which is then bound to a port I have the WCF service listening on (in my case this is: https://localhost:8502).
    This all needs to be done programmatically so I can't manually Add an Exception (which does work).
    If there was a way to use certutil (I am not very adept at using this tool at all) to add this exception it would be very helpful.
    The other method I have tried is exporting the self signed cert and then importing it. Using IIS I can only export the file as .pfx which I can't seem to import into the Servers tab in the certificates interface (I assume this is the right location for it since the exception adds it here). I extracted the certificate from the port through code and imported it to the store, but it does not seem to have the extra column defining the port like the exception cert does (it does not work either).
    How do I do this correctly? Or is it even possible to have a self signed cert bypass all this? I only have it using self signed certs since the service is just running on localhost.

    Hi,
    Adding an exception does work manually, but you would like to do this programmatically. This has more on the NSS functions [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Certificate_Download_Specification]
    I have not tried this, but you can add it to the file cert8.db, if you can insert it into each profile you can access? (For example, copy the file after you have manually added it?) That would overwrite any uniqueness, however - not good for preserving data.
    The best advice would come from the security mailing list or the esr mailing list, that helps enterprise environments.

  • How to use a self signed certificate in Firefox 33

    Unfortunately https://support.mozilla.org/de/questions/1012765 does not provide a reasonable solution for version 33.
    Is there really no other option, to use own testsites and old embedded Web-Servers, than switching to chromium?

    Can you import the CA cert under “Your Certificates”, delete the CA cert, switch to “Authorities”, re-import the CA cert, and restart Firefox?
