SSL certificates and/ or Oracle Certificate Authority

Similar Messages

• SSL Certificate Authority TÜRKTRUST

  I see listed under preferences - advanced - certificates:
  TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  Begins On 13/05/2005
  Expires On 22/03/2015
  What is this SSL Certificate Authority?
  What does it do?

  Hi ,
  1)     Login to the visual administrator using admin userid and pwd
  2)     Goto server >services>keystore
  3)     Select the service_ssl and create new entry with name ssl_credentials
  Click on create button and generated one new entry with name:  ssl_credentilas
  4)     After generating  new entry ssl_credentials(private key) and ssl_credentials.cert (ecertificate) will be created.
  now select the new entry and click on generate CSR request button and send the c
  ertificate to verisgn. they will send u response to ur CSR request.Now save this in .crt ext and goto VA and sekect the new entry again and click on import CSR .
  5)     Select the Trusted CAs and click on import from other button
  6)     Select the service_ssl from the Select view option and select the ssl_credentials (privatekey) which is created in step 3. and click on Ok
  7)     ssl-credentials will be added into the Trusted CAs
  8)Goto SSL provider and  select the  dispatcher
  9)Select the new sockets radio button and select server identity tab and click on Add button.
  10)     Select the (new entry created just now)  ssl-credential and click on ok.
  11)     Add the same for Active sockets and reboot the sun 128 displatcher.
  Result:  Https is working for sun 128 server .

• Oracle Certificate Authority OCA and SSL Immlementation

  Hi
  Is anybody can clear that:
  1) Does OCA only work on intranet or it does work internet also.
  2) What is the difference between OCA and Verisign or any other third party CA
  3) What are the benifits for OCA
  4) What are the advantages and disadvantages for both of them
  5) what are the main steps invloved to implement OCA and SSL
  I'll be very appraciated, if anybody give me the answers as soon as possible. Please gIve me the answers whichever you knows very well.
  Thanks in Advance
  Munir Muhammad

  Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
  SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
  The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
  To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
  1. From the web browser to the middle tier
  2. End user to database
  3. from the middle tier to OID
  4. from the middle tier to the database
  5. From OID to active directory

• SSL certificates and Web Services Usage inside Oracle Database Questions!

  We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
  Service1 is already working, and we can call the service from PL/SQL without troubles.
  However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
  Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
       - SSL Certificates:
  1- Can installed certificates in the Database put in risk the stability of the database?
            2- Can installed certificates in the Database generate performance issues?
            3- Can installed certificates reloading the Databases?
            2- Can installed certificates in the Database generate security issues?
       - Web services:
  1- Can web services calling from the Database put in risk the stability of the database?
  2- Can web services calling from the Database generate performance issues?
  3- Can web services calling from the Database generate security issues in the DMZ?
  Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
  Those are the links describing the procedure mentioned above.
  1 -http://www.kotti.es/2009/11/oracle-wallet/
  DB: Oracle 9i.
  Average number of lines in file: 300
  Periodicity: Twice at day.

  Thiago:
  You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
  I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
  http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
  Regards,
  Jason

• DSEE 6.3.1 and 2048-bit SSL certificates

  Related to my previous post, I'm standing up a new 6.3.1 proxy server and directory server instance that are being added to my existing environment. We use GoDaddy for SSL certificates and they require 2048-bit CSRs, which cannot be generated with 6.3.1 software. That being the case I generated the CSR for each host using openssl with the command:
  openssl req -new -newkey rsa:2048 -nodes -out ldp05_domain_com.csr -keyout ldp05_domain_com.key -subj "/C=us/ST=Massachusetts/L=Cambridge/O=My Corp/OU=Network Operations/CN=ldp05.domain.com"I then took the CSR and received a new signed 2048-bit cert from GoDaddy. I added the GoDaddy root bundle certs into my CA cert chain and then attempted to add the server cert.
  On the directory server I have the problem:
  # dsadm add-cert /usr/local/ds/domain/ ldp05.domain.com /tmp/ldp05.domain.com.crt
  Unable to find private key for this certificate.
  Failed to add the certificate.I get the same error when attempting to add the certificate through DSCC.
  I have a different problem with the 2048-bit certificate on the proxy server. I added the CA cert and that was fine. However, when I add the server cert, it shows up in the CA cert chain.
  # dpadm add-cert /usr/local/dps/domain/ dps05.domain.com /tmp/dps05.domain.com.crt
  # dpadm list-certs /usr/local/dps/domain/
  Alias             Valid from       Expires on       Self-signed? Issued by                          Issued to    
  defaultservercert 2011/02/25 10:08 2013/02/24 10:08 y            CN=dps05.domain.com:389 Same as issuer
  1 certificate found.
  # dpadm list-certs -C /usr/local/dps/domain/|grep dps05
  dps05.domain.com     2011/02/25 11:43 2014/02/25 11:43 n         SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps05.domain.com, OU=Domain Control Validated, O=dps05.domain.comHas anyone successfully added 2048-bit CA signed certificates to both DPS and DS instances? Is there a limitation on the size of a certificate that can be imported as a non CA cert in directory proxy server 6.3.1?

  Sadly after opening a case with Oracle support I was told that the hotfix wasn't built for Linux (which I'm running) and would take 1-2 weeks to complete. I have managed to solve 99% of the issue on my DPS host thus far and have only one remaining issue which is upon adding the cert.
  In order to generate the 2048-bit CSR I had to run the following:
  # cd /usr/local/dps/domain/alias
  # modutil -changepw "NSS Certificate DB" -dbdir .
  # certutil -R -s "CN=dps05.domain.com,OU=Network Operations,O=My Corp,L=City,ST=State,C=US" -o /tmp/dps05.domain.com.csr -d /usr/local/dps/domain/alias -a -g 2048For reference, running the dpadm command to set the cert db password didn't work.
  # dpadm stop /usr/local/dps/domain
  # dpadm get-flags /usr/local/dps/domain
  # dpadm set-flags /usr/local/dps/domain/ cert-pwd-prompt=onOnce I had the properly sized CSR I had the cert issued and attempted to add the root certs to the CA chain and the server cert to the server certificates:
  # dpadm add-cert /usr/local/dps/domain gd-root-bundle gd_bundle.crt
  # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
  - This shows the Go Daddy root cert bundle in the CA cert chain
  # dpadm add-cert /usr/local/dps/domain dps05.domain.com dps05.domain.com.crt
  # dpadm list-certs /usr/local/dps/domain
  - Shows only the defaultservercert
  # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
  - The server cert now shows up in the CA chain.Does anyone have any idea how I can properly add the new cert to the server cert list so it can be used by the server?

• Firefox does not recognize SSL Certificate issuer Entrust Certification Authority – L1K, but Entrust Certification Authority – L1C is ok?

  We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
  On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.

  Did you verify that all intermediate certificates are installed on the server?
  You can inspect the certificate chain via a site like this:
  *http://www.networking4all.com/en/support/tools/site+check/
  *https://www.ssllabs.com/ssltest/

• Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

  We have a Certificate Authority (Version: 5.2.3790.3959) configured on  Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
  Currently i am only able to generate SSL cert with md5RSA.

  Hi,
  Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
  Therefore, you need to build a new CA to use a new algorithm.
  More information for you:
  Is it possible to change the hash algorithm when I renew the Root CA
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
  Changing public key algorithm of a CA certificate
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
  modify CA configuration after Migration
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
  Best Regards,
  Amy Wang

• Install SSL certificate for Oracle HTTP server

  I received a PFX file that contains an SSL wildcard certificate for our company *.xyz.com.
  I used this tool "xca" to extract two files: "server.crt" and "serverkey.pem".
  I want to install this on the oracle 11g HTTP server (OHS) installed as standalone based on apache 2.2
  With oracle, i have to create a wallet and point the SSL.CONF wallet directive to use that wallet.
  I used Oracle Wallet Manager to create it and import the certificate but this is where i am having a problems.
  First I could not restart the web server but the it worked but I got SSL handshake errors (Shown below).
  According to oracle steps, I have to create a CSR and then import the certificate into the wallet
  http://www.apache.com/resources/how-to-setup-an-ssl-certificate-on-apache/
  However, when I tried to use Oracle Wallet Manager, there were two options: import server certificate and trusted certificate.
  The import server certificate was greyed out. I had to create a CSR just to get it enabled but I did not use the CSR, i just imported the "server.crt" file.
  I also tried to import the "serverkey.pem" into the trused certificate option but was rejected (invalid certificate).
  Do you know how to create a successful wallet based on the files i have and not creating a CSR since i already have a certificate file?
  2013-05-04T20:11:40.2718-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
  [2013-05-04T20:11:40.2719-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
  [2013-05-04T20:11:40.4774-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
  [2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
  [2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
  [2013-05-04T20:11:40.6814-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
  [2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
  [2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error

  I do not have weblogic installed. I only have standalone 11g HTTP server with mod_plsql.
  If i can get OWM working to create a successful certificate them the problem would be resolved.
  I am just not sure what is Root Certificate and Trustworthy Certificate and how to get that from the files i have.

• How to load the ssl certificate to oracle wallet

  I have oracle 10.2.0.3 on Unix.
  I have a oracle wallet created. I need to load ssl certificate to the oracle wallet. I have CA certificate and server related certificate. In owm interface, there is Certificate:(Empty) and Trusted Certificates. Does anybody know where my certificate should go, Certification:(Empty) or Tryusted Certificates? By the way my certificate is from Verisign.
  Thanks a lot!

  Hi
  Thanks. I have added my LDAP certificate to Oracle wallet.
  Now my doubt is :
  Before adding this cert to my wallet , i have tried to connect my application through SSL , am able to connect it.
  I have used DBMS_LDAP.open_SSL function for conencting.
  Before adding the new cert my wallet conatins :
  ewallet.p12
  cwallet.sso
  GeoTrust.cer
  Equifaxb64.cer
  After adding the new cert also i am able to conenct through ssl my concern is , how we can figure out whether the ldap package checking my cert or not?
  How DBMS_LDAP.open_SSL works?
  Could anyone help me out to solve the issue?
  Thanks,
  San

• Re: Mail for Exchange and SSL certificate

  I think this is what you need to do
  1. go to the page from where you have to install certificate
  2.You will see lock symbol at the right hand side of the page, click on it and save it on your desktop PC by going to details page
  3. Open Nokia PC Suite --> FileManager and trasnfer the certificate from your PC to FileManager
  4. Click on the certificate inside FileManager and install it, while installing allow it to choose its place automatically
  Then try synchronising your mail, you ill receive it for the first time when you connect then it wont ask you for that again till you connect next time.
  Hope this helps

  Here's how I got my Nokia to accept the certificate as trusted. It may not work for everybody but it worked for me and after the past week of messing about I am truly grateful for that...
  Basically, I uninstalled then reinstalled Certificate Services through add/remove programs. I then followed the advice on this site (below), but only as far as requesting a cert through IIS Manager.
  http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
  I followed the advice until this section (mainly because it wouldn't allow me to request a cert through IE on the server...)..
  "Getting the Pending Request accepted by our Certificate Authority"
  I then opened "certification authority" on the server (through administrative tools) and right clicked the cert authority which will have the same name as the cert you had just requested and selected properties. In my case, something like mail.mydomain.co.uk...
  Under the General Tab I highlighted "certificate#0" in the CA Certificates box and clicked "view certificates".
  This opens the cert and I then clicked the "details" tab and saved the cert to a location using the "copy to file" button.
  Using the wizard I selected the first option "DER encoded binary x509(.cer) gave it a friendly name, saved it somewhere handy and closed the wizard.
  I then copied the file onto a pc with the Nokia PC Suite installed and copied it to the documents folder (although any one will do). I guess you could bluetooth or email the cert as well..
  I then browsed to it on the phone, clicked on it and it let me save it automatically into the certs folder. I restarted the phone, checked SSL was on and bingo the certificate was trusted and remains working today... You might have to delete an existing cert if you already have one installed as it won't let you overwrite it..
  As I say, I can't say this will work for anybody else as I have probably fiddled around with the server so much it has gone west in some respects, but it works for me and that'll do for now...
  dc

• Mail for Exchange and SSL certificate

  I have a little problem with Mail For Exchange and my Nokia N80. I have self-signed certificate for Exchange mailserver and when I am synchronizing e-mails I got always message: "The site has sent an untrusted certificate. Continue anyway ?". I underestand that my certificate isn't verified by any root authority, but if I have synchronization schedule set at 15 minutes it means I have to confirm this message four times when I am not with my mobile one hour. So question is:
  Is possible to import self-signed SSL certificate into Nokia N80 and set it as trusted ? If yes, please describe me how, because I have tried import the certificate as CER (it was opened just as NOTE on Nokia), I tried to convert it via openssl to PEM (the file was not recognized) etc... Thanks for any help in advance.
  Reply With Quote

  Go to your outlook web access website and click on the lock and then view certificate. The details and then you can save it in DER format to your desktop.
  Then go to this site:
  http://www.redelijkheid.com/symcaimport/ and insert through the browse button and then copy the link to your phone.
  Then you should be able to download it
  You can also go to your IIS default site on the exchange server and directory security and export your certificate under edit certificate.
  I have tried everything now. I can download my certificate and the valicert from GoDaddy, but the Nokia phone is still saying "do you trust this certificate" every time the phone syncs.
  Our firm have taken the E-phones away now and went over to windows mobile and all of them worked within 10 minutes without any errors.
  The funny thing is that when you try to call nokia, they wont help you with Mail for Exchange, and it is there program
  I know my GoDaddy certificate works on windows mobile phones, so It must be something with Mail for Exchange.
  Every guy I talked to about symbian phones have told me they always gives problems with SSL. I am a bit **bleep**, but can conclude that Nokia is for the private consumer.
  Best Regards
  Morten @ Denmark
  Message Edited by asp3200 on 02-May-2008 08:37 AM

• How move Oracle Certificate Authority on other server

  Hello!!!
  I am planning move Oracle Certificate Authority
  to another host with certificates and so on.
  Can you help me, I cannot find any documentation.

  Hi,
  You can start with some value say 40% of your physical memory allocate to SGA (SGA_TARGET) and see your database performance. Then monitor the use of SGA and then can decide on the add or reduce it. There is no direct rule for sizing it purely depends on your application behavior and amount of data and many other factors.
  This will be continuous process, you need to start with some reasonable value.
  Cheers,
  Dilipkumar Patel.

• DSEE7 - DPS and CA-signed SSL certificates

  I recently deployed two new DSEE7 DPS servers and last night was attempting to install CA-signed (GoDaddy) SSL certificates on them. I used dpadm to generate the required 2048-bit CSR and received my certificates. I added them to the servers using the DSCC interface and after adding them and restarting the instance the certs were not showing up. I thought perhaps the operation had failed so I tried again and saw that the alias already existed. I then noticed that the certificate was listed under the CA certificates. I deleted it from there and imported the cert using dpadm add-cert, only to have the same thing happen again.
  dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt
  # dpadm list-certs /usr/local/dps/instance
  0 certificate found.
  # dpadm list-certs -C /usr/local/dps/instance | grep dps03
  dps03.prod.domain.com     2010/01/19 11:08 2013/01/19 11:08 n         SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps03.prod.domain.com, OU=Domain Control Validated, O=dps03.prod.domain.comI have installed SSL certificates from GoDaddy on all my other production DS and DSEE systems (6.3.1) without issue, including their intermediate and root certificates to complete the trust chain.
  Does anyone have any insight into what the issue might be and how to correct it?

  Hi,
  Have you used the same alias in both case ? . i.e
  dpadm request-cert [options] /usr/local/dps/instance dps03.prod.domain.com
  then
  dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt

• UCS Manager and using Microsoft Certificate Authority

  Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

  First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issueing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.
  Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.
  Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.
  I hope that helps.
  Note: There's a bug in UCS currently issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self signed cert. You have to go back into Communication services and set it to default, save, then set it back to the new Key Ring.  

• SSL certificates and GWIA

  I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
  Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
  Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
  It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
  Any suggestions would be welcome !
  Thanks !

  Hi, I very recently had a similar problem...our existing 3rd party ssl external Verisign certificate expired!!!!
  I have'nt been able to in the past configure a 3rd party ssl certificate into our current Groupwise 7 system due to lots of various methods of doing this task....i got quite confused and if you do not do things in the correct order the whole process will need to ber started over again.
  Ive managed to eventually cracked it and figure out a simple and more structured approach to setting this up.
  The following was in relation to applying the 3rd party external certificate to WEBACCESS
  This was the steps i took:
  Firstly ensure you have the registered details you completed already with your 3rd party SSL supplier, they should have provided you with a:
  OU
  O
  L
  S
  C
  the CN is the webaddress or DNS name your users will hit to access your secured page - we will add this later.
  1) Highlight the container where your server is located which will be the host application part of the webaccess that the ssl is assigned to.
  (my setup is, i have my main grpwise system in one tree, my application - webaccess component in a separate tree) - we need to re-create the SSL object in the second tree or the container where the application component is located.
  2) Right-click to create an object > from the list choose > NDSPKI:Key Material.
  3) Give a name for the certificate name object > then select the second option > Custom.
  (This will allow you to enter more specific information relating to the 3rd party ssl certificate)
  4) The next screen select "External Certificate authority" - this would be your 3rd party ssl. Click next
  5) Next screen asks for the Key size, accept the default value of "2048 bits" > tick "Allow private key to be exported", click next.
  6) Next screen asks for the Certificate Parameters, depending on the order of your, CN, OU,O,L,S,C
  I clicked the edit button and then clicked the small arrow icon to switch the SSL URL around so that my .cn=webserver url address will be read first then the - OU,O,L,S,C.
  (PLEASE NOTE: The (OU,O,L,S,C) should be identical to what was initially registered with your 3rd party SSL supplier.
  7)Once you are happy with the details click "Finish".
  8) You will immediately be asked where to save the "b64" file that will be generated which will be sent off to your 3rd party supplier for re-minting.
  choose a file name - ensure no hyphens,or special characters etc are used and keep to the 8.3 naming length just to avoid any long name issues, i do believe that by adding a hyphen may cause problems as the system automatically puts a hyphen to separate the names automatically hence that is why its advised not to use this.
  I saved my file to root of my c:\
  9)Once this has been done and you click save, send the file off to your 3rd party SSL supplier, they will re-mint the "b64" file and you should get back 2 files:
  a)file.cer
  b)Intermediate.cer
  (filenames could be anything)
  10) Select the "KMO object" you created earlier in step 2, then goto the Certificate tab > Trusted Root certificate" tab to import the Intermediate.csr file sent to you.
  Select import > then read from file and browse for the "Intermediate.csr" file - i chose root of my c:\ to save the re-minted 2 files sent back to me.
  Select the Intermediate file, you should see some encrypted characters show in the blank screen, then select Ok or finish.
  If you see a pop up window stating " Subject name mismatch error" dont worry this is merely a cosmetic issue due to the details not being in the exact naming order, it has been IMPORTED!!
  Click OK.
  Once you have done this you should see your first key pair file imported, check the subject name, Issuer name, effect date, expiration date, certificate status details, these should all show the 3rd party certificate details.
  Then next part is to import the second key pair file.
  Click Certificate>Public Key Certificate tab > import.
  Select to read from file> then browse for the file.csr
  You should see the encrypted characters, then select ok or finish.
  Now you have competed the difficult part you now need to tell you application what SSL object to point to in order to use the SSL encryption.
  For webaccess, you have to edit the apache conf files and enter the name of the SSL/KMO object you created earler.
  11) Goto your application server that will use the ssl, then browse to:
  server\sys\apache2\conf
  edit a file called "httpd.conf"
  then
  amend or add the section:
  SecureListen 443 "Verisign"
  Save theses changes - then shut down your web services on the server, apache, etc. ie, type :
  Apache shutdown commands:
  ap2webdn
  tc4stop
  admsrvdn
  Apache load commands:
  apache2
  ap2webup
  tc4stop
  admsrvup
  wait a minute or so so that the services can be unloaded.
  If you think its safer to do so, you can restart the server - that way you know for sure that everything has been unloaded and re-loaded cleanly.
  ALL done.
  SSL now in operation and working.
  I carried out this method - my own steps and this worked for me.
  Good luck!!!
  Dennis
  Originally Posted by shale999
  I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
  Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
  Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
  It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
  Any suggestions would be welcome !
  Thanks !