A2200220: Peer Certificate expired

Hello All,
The end user is getting the error mentioned above. Does anybody know the exact problem? Which certificate has expired here? I have checked every certificate; none is expired.
Kind Regards
MAD

Hello Manna,
A2200200 means that the server's SNC certificate is expired from the client's perspective, which can mean either not yet valid or not valid anymore.
In your case, either the client-side clock is out of sync, or your old Secure Login Library 1.0 was not able to successfully verify a certificate chain with the PKIX trust model (i.e. the correct calculation of the overlapping validity periods of the server and issuer certificates).
There have been several fixes in CommonCryptoLib or Secure Login Library 2.0 that are not part of the outdated Secure Login Library 1.0, so moving to the latest patch version is a good approach.
It's even recommended to move from a stand-alone SLL to CCL.
-- Stephan

Similar Messages

  • Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected

    Hi,
    I am getting the error com.sap.engine.interfaces.messaging.api.exception.MessagingException:
    iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    when I test digital signing and encryption using a SOAP receiver CC.
    We passed all the values for the SOAP CC.
    I created a keystore view and in that view generated a private certificate, generated a CSR using the SAP CA (test SSL for 8 weeks) for the private key, and also imported the public key for encryption given by the receiver.
    When I test I get the error message.
    I checked the certificates' validity dates.
    I restarted the Java engine and ICM.
    I added the public key to the Trusted CAs in NWA.
    I re-created the view and added the certificates.
    Still the same error.
    How and where do I check IAIK in NWA, and how do I deploy it in the Java engine using NWA? We are using PI 7.11 (no VA).
    Any suggestions?

    Hi,
    The main causes for this kind of problem are:
    1. The correct server certificate might not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains an expired certificate. Check for it and, if that is the case, renew it or extend the validity.
    3. The certificate chain is not in the correct order. Basically the server certificate chain should be in the order
    Own->Intermediate->Root. To explain in detail: if your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate),
    then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order, then import this certificate in the TrustedCA keystore view and try again.
    4. If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and that it is also within its validity period.
    (This certificate is the one which is sent to the server for client authentication.)
    As a last resort, you may need to create a new SSL server key.
    The requirement from the SAP SSL client side is that the requested site has to have a certificate with a CN equal to the requested site. I mean, if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the FTP request. This can be the IP address or the full name of the host.
    Request the URL with the IP of the SSL server and have the certificate with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio Cagnani
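    The two failure modes in the answers above, Stephan's "expired from the client's perspective" (clock skew, overlapping validity of server and issuer certificates) and Caio's points 2 and 3 (an expired certificate somewhere in the chain, or a chain supplied in the wrong order), can be reproduced with a small model. This is an added example, not code from the thread or from SAP or IAIK; the certificates are constructed sample data with made-up names and dates.

    ```python
    """Model a certificate chain, put it into the Own -> Intermediate -> Root order
    the posts describe, and evaluate each validity window against the *client's*
    clock the way a PKIX verifier does. All certificates here are constructed
    sample data, not real ones."""
    from dataclasses import dataclass
    from datetime import datetime, timezone
    from typing import List, Optional, Tuple


    @dataclass(frozen=True)
    class Cert:
        """Only the fields the chain checks need: names and the validity window."""
        subject: str
        issuer: str
        not_before: datetime
        not_after: datetime

        def is_self_signed(self) -> bool:
            return self.subject == self.issuer


    def order_chain(certs: List[Cert]) -> List[Cert]:
        """Return the chain as leaf -> intermediate(s) -> root, whatever order it
        was supplied in. The leaf is the certificate that issued nothing else in
        the set; from there we follow issuer links. Raises ValueError for a chain
        with a missing issuer or no single leaf."""
        issuers = {c.issuer for c in certs if not c.is_self_signed()}
        leaves = [c for c in certs if c.subject not in issuers]
        if len(leaves) != 1:
            raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
        by_subject = {c.subject: c for c in certs}
        chain = [leaves[0]]
        while not chain[-1].is_self_signed():
            parent = by_subject.get(chain[-1].issuer)
            if parent is None:
                raise ValueError(f"issuer {chain[-1].issuer!r} missing from chain")
            if parent in chain:
                raise ValueError("issuer loop in chain")
            chain.append(parent)
        return chain


    def check_validity(chain: List[Cert], now: datetime) -> List[Tuple[str, str]]:
        """Check every certificate against the client's clock. A skewed client
        reports a perfectly good server certificate as 'not yet valid' or
        'expired'. Returns (subject, reason) for each failing certificate."""
        problems = []
        for cert in chain:
            if now < cert.not_before:
                problems.append((cert.subject, "not yet valid"))
            elif now > cert.not_after:
                problems.append((cert.subject, "expired"))
        return problems


    def overlap_window(chain: List[Cert]) -> Optional[Tuple[datetime, datetime]]:
        """The period in which the whole chain verifies: latest notBefore to
        earliest notAfter. None if the windows do not overlap at all."""
        start = max(c.not_before for c in chain)
        end = min(c.not_after for c in chain)
        return (start, end) if start <= end else None


    def build_sample_chain() -> List[Cert]:
        """Constructed A -> B -> C chain, deliberately supplied as B, A, C.
        The intermediate expires before the leaf, so the leaf's last years
        are unusable even though the leaf itself is still within its dates."""
        utc = timezone.utc
        root = Cert("C-root", "C-root",
                    datetime(2010, 1, 1, tzinfo=utc), datetime(2030, 1, 1, tzinfo=utc))
        inter = Cert("B-intermediate", "C-root",
                     datetime(2012, 1, 1, tzinfo=utc), datetime(2022, 1, 1, tzinfo=utc))
        leaf = Cert("A-server", "B-intermediate",
                    datetime(2014, 6, 1, tzinfo=utc), datetime(2024, 6, 1, tzinfo=utc))
        return [inter, leaf, root]


    if __name__ == "__main__":
        chain = order_chain(build_sample_chain())
        print(" -> ".join(c.subject for c in chain))
        print("whole chain valid between:", overlap_window(chain))
        for year in (2015, 2013, 2023):  # good clock, clock too early, intermediate expired
            clock = datetime(year, 6, 1, tzinfo=timezone.utc)
            print(clock.date(), check_validity(chain, clock) or "chain valid")
    ```

    Run as a script it prints the reordered chain, the 2014-06-01 to 2022-01-01 overlap window, and then shows that in 2013 the leaf is "not yet valid" while in 2023 the leaf is fine but the intermediate is "expired", which is the case where checking only the server certificate finds nothing wrong.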

  • FTPS error: Peer Certificate Rejected by Chain Verifier

    Hi,
    This scenario is a File to File outbound async interface. The receiver is configured for FTPS with mostly the default parameters.
    However, FTPS again haunted us with the "Peer Certificate Rejected by Chain Verifier" error. We have configured one communication channel with FTPS, tested it in the DEV and QA clients and moved it to production. The weird behavior is that it only works some of the time. Overall it works 50% of the time and fails 50% of the time with the above error.
    We kept all ports on the firewall open for outgoing messages.
    We cannot understand the dual behavior. Appreciate any help to resolve this issue.
    Dharmasiri Amith

    Hi Amith,
    The main reasons for this error are as follows:
    1. The correct server certificate might not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and, if that is the case, renew it or extend the validity.
    3. Some other customers have reported a similar problem and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail: if your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order, then import this certificate in the TrustedCA keystore view and try again. Please take this third step as the principal one.
    As a last resort, you may need to create a new SSL server key.
    The requirement from the SAP SSL client side is that the requested site has to have a certificate with a CN equal to the requested site. I mean, if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the FTP request. This can be the IP address or the full name of the host.
    Request the URL with the IP of the SSL server and have the certificate with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio Cagnani

  • SAP PI 7.3 Peer certificate rejected by ChainVerifier

    Hi
    We upgraded the PI systems (Dev and Quality) from 7.0 to v7.3. Before the upgrade the HTTPS scenario was working fine. The important thing is that we were not using any certificates to transfer files to our vendor. All the SOAP receiver adapters with HTTPS URLs are working fine in production. Production is still on PI 7.0.
    After Basis upgraded the PI system to v7.3, when I send a message to the below URL with the SOAP receiver adapter I see the below error. This is not a web service interface.
    https://staging.napa-ibiz.com/..........
    The error is:
    SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.
    The strange part is that after the upgrade it is working fine with one vendor. The SOAP receiver adapter configuration is no different from the other scenarios.
    We even restarted the Java engine, still no luck.
    I didn't get answers to my questions below:
    1. When I'm not using any certificates to send files to my vendor, why/how do I see the above certificate-related error?
    2. If it is really a certificate-related error, how am I able to send successfully to one vendor with a similar SOAP receiver configuration?
    3. Why do I see this error only after the upgrade?
    Can you please throw some light on this?
    Thanks,

    >When I'm not using any certificates to send files to my vendor, why/how I see the above certificates related error.
    The URL shows that you are using HTTPS transport communication. So you might be sharing the certificate or using anonymous SSL with different vendors. Please go to STRUST and see whether you have certificates in the keystore for the different vendors, as your production environment behaves differently from pre-production in terms of security.
    >If it is really a certificate related error, how i'm able to successfully send to one vendor with the similar SOAP receivier configuration
    You might have shared the certificate correctly for one vendor, and the keystore might not have it for the other vendors. This is not related to the SOAP receiver channel configuration. Certificates can be maintained either at Java stack level or at ABAP stack level.
    >Why only after the upgrade i see this error?
    PI 7.1 and above are 64-bit OS products. There are plenty of changes in the installation and security standards. Talk to Basis.

  • ISE - What happens when the on-boarded certificate expires?

    I'm trying to design a good BYOD deployment model but have a few questions that need direct answers. I have down how to go about on-boarding and getting a certificate on a device; the ISE provides a great flow for this to happen in many ways. My questions come from a design perspective before and after the BYOD deployment is completed.
    1. Figuring out a method to validate whether the device is a corporate asset or a BYOD asset.
         (I don't want to install a certificate on just any device, or perhaps I do, but I need to give permissions to all resources if it's a corporate device and more restrictions if it's BYOD, so how do I figure this out during the provisioning phase?)
         a. Use MDM (may not have one, or if you do, we are still waiting on ISE 1.2 for that integration)
         b. Build a group for provisioning admins; if the user PEAP-MSCHAPv2 account is from this group, install a certificate. (The issue here is that the end user loses administration of the device in the My Devices portal, as the device is now registered to the provisioning admin.)
         c. Pre-populate the MAC into ISE, as all corporate devices should be provisioned by I.T. before they go to the end user (I think this is good but can see push-back from customers, as they don't want to add more time to the process)
         d. Certs on any iOS or Android device; provide access based on user group and do not worry whether the device is a company asset or not (I believe this is the easiest solution and seems to be what I find in the guides)
         e. Other options I have not thought about; would love input from the crowd
    2. What happens to the device once the certificate expires?
         (I don't know the answer to this; my thought would be that the user or device will fail during the authentication policy and this creates a mess.)
         a. Tell the user to delete the profile so they can start all over again (creates help desk calls and frustrated users)
         b. Use MDM for cert management (may not have one)
         c. Perhaps the client uses SCEP to renew based on the cert template renewal policy and there are no issues (this is me wishing)
    Would appreciate some feedback and would like to know if anyone has run into these issues.

    Neno,
    Sorry, but I don't have any other info on using a public CA; Cisco says to use internal CAs for PKI. I think the best practice when 1.2 comes out will be to use one interface for web management and a different interface for RADIUS, profiling, posture, and on-boarding. This way you can use your private CA for EAP and a public CA for web traffic. Have you tried a public CA bound to management and a private CA for EAP yet?
    I did do a session on EAP-TEAP; they explained how it will work and also discussed EAP-FASTv2. EAP-FASTv2 is available now but you must use AnyConnect as your supplicant. Microsoft and all other vendors will have EAP-TEAP native once it is fully released and commissioned, as it will be the new gold standard for EAP. It will support TLS, MD5, and CHAPv2. If you are interested, I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work. This is much better than wasMachineAuthenticated and machine auth caching, which has many downfalls.
    I currently do machine and user auth, I just don't require them. If machine auth, then allow the machine on vlan-x with access to AD, DNS, and blah blah. Then a separate rule to say user auth gets more access, although I require EAP-TLS for both, and if you think about it you are accomplishing the same thing if your PKI is set up correctly. Make it so users and machines can only auto-enroll; that way you know the only way they got their cert was from GPO policy. I won't go into any more detail, but there is lots you can do.

  • Computer certificates expiring within 6 weeks disappearing from machines when computer certificates from two certificate authorities are present

    2008 R2 single-tier enterprise certificate authority with root certificate expiring within 6 weeks, also a domain controller
    2012 R2 single-tier enterprise certificate authority with root certificate valid for more than the next year, also a domain controller
    Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request, but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin, in that computers with no certificate can wind up with a certificate from either certificate authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
    A machine will keep both certs until the older computer certificate moves into the 6-week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
    The worst part of this issue is that I can't recreate the purging behavior with gpupdate or restarts on my test machines.

    You should not be using Automatic Certificate Request Service (ACRS) for this; it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin, as you describe it, is that templates are generally configured to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it can't issue anything longer than its own remaining lifetime. It is a well-known issue that issuing a certificate within the renewal period will cause problems.
    What you should do is use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer will only enroll for one certificate from each template. This one can be configured with a normal lifetime and renewal period.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as "The PKI Guy" at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • HT201336 Hi I have a certificate expired and was wondering how can I update it ?

    I have an Apple iPhone certificate that expired and I was wondering how you renew it?

    No answers, just some questions... (I'm not sure what you're asking.)
    Where did the certificate originate? An Apple iPhone certificate? For what? For iOS development? For VPN? For accessing remote web services, on a server? This is the OS X Server 10.6 forum; are you working with certificates with that operating system, or with certificates on an iPhone?
    If your OS X Server system has an expired certificate, you'll need to either purchase a new certificate, or generate a new self-signed certificate and load that via the Certificate Assistant and Server Admin tools.

  • Yet another "certificate expired" post

    I've tried all the solutions that I've found so far; none have worked. Tried setting the clock back, Application Manager settings: software installation: all, online certificate check: off, tried this: /t5/Pool-of-Knowledge/5800-XM-quot-Expired-Certificate-quot-error-message/td-p/442778 , application ...
    Still get the "certificate expired" error.
    5800 XpressMusic
    software version v 40.2.005
    Am I sol?

    Try signing your app(s) through the Opda site.
    If you want to thank someone, just click on the blue star at the bottom of their post

  • FNPLicensingService.exe associated with Acrobat 9 Standard - unverified ... certificate expired

    FNPLicensingService.exe associated with Acrobat 9 Standard - unverified ... certificate expired
    Why is this?

    Thanks.  That worked!   Back in the sunshine again
    The message is as seen below : "signature is timestamped but TS has expired"
    I am assuming this is the right message.  If not, do respond.

  • What happens if the certificate expire on a ISE PSN

    What happens if a PSN certificate expires? Do all other nodes in the cluster lose the communication channel to that PSN node?
    What is the procedure to install a new certificate on a PSN node with the expired certificate?
    Does the PSN node still handle client RADIUS requests that do not depend on the PSN certificate?
    Thanks!

    You definitely want to renew the certs before they expire. Otherwise the effects can be very devastating to your ISE environment depending on what the certificates are used for :) Below are a couple of links that you can use to obtain more info on both of your questions:
    ISE version 1.2:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html
    ISE Version 1.3:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#concept_D7826198A3304303AD046DB981DA4FE6
    Thank you for rating helpful posts!

  • Portal Certificate Expired with NO VA running!!!

    Hi All,
    I have one issue about Portal certificate expiration, because of which SSO is not working between Portal and R3.
    As we are working on Solaris, I am required to re-generate the keystore certificate via Visual Admin, but WHAT!!!
    I am not able to run it; it says that JAVA_HOME needs to be set.
    Done (set), but I am still not able to see the VA screen. Tried through root and SIDADM (recommended) also, but couldn't... which is turning my head 360 degrees.
    Well, I request you all to share your good experiences through which I may be able to resolve the issue, which has been pending for the past 2 days with no progress since...
    And I guess there is no way to increase the validity of the certificate without VA. OR is there any????
    Thanks
    Piyush

    Hi Anil,
    I got
    /usr/java
    We ran the command "./go" to start Visual Admin, which in turn shows the error below:
    4/7/10 12:09 PM com.sap.engine.tools.launcher.Launcher Error : console output stream will not be logged into a file; there was an error opening the log file
    java.io.FileNotFoundException: /usr/sap/EPD/JC01/j2ee/admin/log/console_logs/output.log (Permission denied)
            at java.io.FileOutputStream.open(Native Method)
            at java.io.FileOutputStream.<init>(FileOutputStream.java:179)
            at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
            at com.sap.engine.tools.launcher.Launcher.initLogs(Launcher.java:636)
            at com.sap.engine.tools.launcher.Launcher.init(Launcher.java:198)
            at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:113)
    4/7/10 12:09 PM com.sap.engine.tools.launcher.Launcher Error : unable to invoke main class  com.sap.engine.services.adminadapter.gui.AdminFrameView
    Exception in thread "main" com.sap.engine.tools.launcher.LauncherException
            at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:340)
            at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
    caused by -
    java.lang.reflect.InvocationTargetException
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:336)
            at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
    Caused by: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
            at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
            at sun.awt.X11GraphicsEnvironment.<clinit>(X11GraphicsEnvironment.java:134)
            at java.lang.Class.forName0(Native Method)
            at java.lang.Class.forName(Class.java:141)
            at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:62)
            at java.awt.Window.init(Window.java:231)
            at java.awt.Window.<init>(Window.java:275)
            at java.awt.Frame.<init>(Frame.java:401)
            at java.awt.Frame.<init>(Frame.java:366)
            at javax.swing.SwingUtilities$1.<init>(SwingUtilities.java:1641)
            at javax.swing.SwingUtilities.getSharedOwnerFrame(SwingUtilities.java:1637)
            at javax.swing.JWindow.<init>(JWindow.java:160)
            at javax.swing.JWindow.<init>(JWindow.java:112)
            at com.sap.engine.services.adminadapter.gui.AboutWindow.<init>(AboutWindow.java:12)
            at com.sap.engine.services.adminadapter.gui.AdminFrameView.main(AdminFrameView.java:234)
            ... 6 more
    caused by -
    java.lang.reflect.InvocationTargetException
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:336)
            at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
    Caused by: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
            at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
            at sun.awt.X11GraphicsEnvironment.<clinit>(X11GraphicsEnvironment.java:134)
            at java.lang.Class.forName0(Native Method)
            at java.lang.Class.forName(Class.java:141)
            at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:62)
            at java.awt.Window.init(Window.java:231)
            at java.awt.Window.<init>(Window.java:275)
            at java.awt.Frame.<init>(Frame.java:401)
            at java.awt.Frame.<init>(Frame.java:366)
            at javax.swing.SwingUtilities$1.<init>(SwingUtilities.java:1641)
            at javax.swing.SwingUtilities.getSharedOwnerFrame(SwingUtilities.java:1637)
            at javax.swing.JWindow.<init>(JWindow.java:160)
            at javax.swing.JWindow.<init>(JWindow.java:112)
            at com.sap.engine.services.adminadapter.gui.AboutWindow.<init>(AboutWindow.java:12)
            at com.sap.engine.services.adminadapter.gui.AdminFrameView.main(AdminFrameView.java:234)
            ... 6 more
    Regards
    Piyush

  • What happens to Apps when the Distribution certificate expires?

    Our distribution certificate expires in mid-March. Do I have to re-build all the apps that are on the App Store with the new certificate, or will they continue to install without issues?
    My gut feeling is that Apple would not expect developers to re-submit all their apps just because the certificate has expired, but I'd like a confirmation from someone, since I am sure many have crossed this bridge.
    Thanks in advance.
    -TRS

    >I assume that any new submissions will have to be built with a profile which includes a valid certificate.
    Of course... just follow the money.
    It is a solid process, but of course Apple, like any business that operates around time-based/recurring fees, wants to get the 'subscriber' to re-up sooner rather than later.
    The countdown in the dev center, etc. that we see about our 'expiration' date is meant not only as a friendly reminder concerning whatever risk; it is a prod to get whatever monies out of our pockets and into theirs... sooner rather than later.

  • Distribution certificate expiring 3/12. Distribution profile expiring 9/12.

    Our distribution certificate expires tomorrow but the profile is active till 9/12.
    So my Q is:
    a) If I build something on 3/13, will Xcode error out at build time in the CodeSign step?
    b) If I build something on 3/12 and submit to Apple on 3/13, will it accept it since the profile is valid?
    I am just trying to figure out if I need to wait until I have a new certificate and a new profile before I build my apps.
    Thanks,
    -TRS

    I have now renewed the certificate, so my Q has no relevance now.
    In any case, the answer is that the certificate has to be valid, otherwise Xcode does not show the profile as selectable. It indicates a disabled information message in the drop-down menu.
    Thanks to those who spent their valuable time reading my original post.
    -TRS

  • SSL Re-encryption with Portal and Web Dispatcher: certificate expired

    Hello,
    I am trying to set up an HTTPS connection to the Portal through SAP Web Dispatcher. We are using SSL re-encryption. I think I have everything set up correctly. When trying to access it through a web browser, the Web Dispatcher trace file shows the error message 'certificate expired'. Looking at the Portal (Visual Admin - Keystore), I am pretty sure it is the service-ssl entry with localhost. It is expired. Two questions:
    - Is it correct that it uses localhost, or am I missing anything?
    - How would I recreate the certificate? (I am sure it is somewhere in the online documentation, but I haven't found it yet.) Can I do this while the Portal is productive without breaking the normal access (HTTP) to the Portal? This is our production portal.
    Thanks,
    Ingrid

    Hi,
    Go through the contents of SAP Note
    685306 - Enabling SSL and renewing the J2EE certificate
    and also the help contents at
    http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm
    These might be of some help to you!
    Regards
    Srinivasan T

  • Asa ssh/vnc plugins digital certificates expired

    Hi,
    We've got our new ASA set up now (more or less). But what gets us is that the Cisco SSH/VNC plugins and the Java applet for port forwarding all come up with "digital certificate expired". This is not going to instill confidence in our users.
    We are running 8.0(4)3 and ASDM 6.1(3), and the plugins are the latest available from Cisco's software download page
    (ssh-plugin.08030, vnc-plugin.080130).
    Are newer ones available?
    Thanks
    Dorothea

    BTW this could be of help:
    http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp241924
    You probably want to install a code signer certificate.
    While this seems to be what you're looking for, I have never managed to generate a bundle such that Java doesn't complain at all anymore...
