About self-signed (sign_webutil.bat) certificates, CA for ISV

Similar Messages

• 50.28.68.31:2087 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for a id="cert_

  50.28.68.31:2087 uses an invalid security certificate.
  The certificate is not trusted because it is self-signed.
  The certificate is only valid for <a id="cert_domain_link" title="new.thelifeincomegroup.com">new.thelifeincomegroup.com</a>
  (Error code: sec_error_untrusted_issuer)

  See https://support.mozilla.org/kb/Secure+Connection+Failed

• Export & Import Self-Signed Root CA Certificate?

  I have created a self-signed Root CA certificate with which I sign all of my other certificates on a leopard Server. This Root CA is installed and trusted on all of our client machines.
  I recently tested exporting and archiving the Root CA in every format available from Keychain Access and then tried to import these files into another Snow Leopard server and was unable to assign the imported Certificates as a "Default Certificate Authority".
  Does anyone know how I can set this Root CA that I created on another server as the default CA on this new machine for signing all future certificates that I create?
  Fore some reason when I go into Keychain Access and select: Keychain Access -> Certificate Assistant -> Set the Default Certificate Authority… I end up with no certificates to choose from and the "Add a Certificate Authority…" button will not allow me to select any of the exported certificate formats that I archived.
  Any thoughts?

  Anyone have any information at all? This seems like a very basic need for maintaining certificates beyond the usable life of the equipment on which they were created.
  I have found precious little information about this specific to Apple OS.

• Replace Self-Signed FAST Search Certificate with Third Party Certificate

  We are trying to replace the Self-Signed FAST Search Certificate with Third Party Certificate in our SP 2010 environment. And are facing issues while enabling the SSL communication between the FAST servers and the corporate servers.
  Our FAST search servers are in a different farm than that of the Corporate Servers.
  The details of the certificate we received is as follows:
  Issued to : FastSearchCert
  Issued By: Issuer Name
  Valid From: 4/21/2015 to 4/20/2017
  We were able to successfully renew the certificate on the FAST Search Server by following the below steps:
  1.  Login to the Administrative and the Non-Administrative nodes 
  of the FAST server. Go to Windows Service and stop the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services in both the servers.
  Follow the below steps in the Administrative Node followed by the Non-Administrative Node
  2. 
  Install the certificate in the following paths in the certificate store:
  “Certificates(Local Computer)\Personal”
  “Certificates(Local Computer)\Trusted Root Certification Authorities”
  3. Ensure that the user account configured for the “FAST Search Server 2010 for SharePoint” has access to the private key of the certificate.
  4. Go the Administrative node of the FAST farm and follow the below steps:
  Go to the certificate store.
  Expand the Personal folder and then click the Certificates folder. Double-click the third party signed FAST certificate.
  Open the Details tab and then click Thumbprint. Note down this thumbprint.
  5. Next, open
  Microsoft FAST Search Server 2010 for SharePoint with Administrator
  Privileges.
  6.
  Navigate to the directory, “D:\FASTSearch\installer\scripts” and execute the below command to replace the current certificate with the newly created
  third party signed FAST certificate.
  .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint".
  7. The FAST certificate was renewed successfully.
  Once the certificate has been renewed successfully in both the nodes, follow the below step:
  8. Start the FASTSearch for SharePoint and the FAST Search
  for SharePoint Monitoring services in the administrator server.
  Next, while enabling the SSL communication between the FAST servers and the other corporate servers, we follow the below steps:
  1. 
  Copy the new certificate from any of the FAST servers to all the web-front end and application servers in the corporate farm, in order to enable SSL communication between these servers and the FAST farm.
  2.   Also, copy the script
  ‘SecureFASTSearchConnector.ps1’ from the location “%FASTSearchFolder%\installer\scripts” in the FAST servers 
  to the web-front end and application servers of the corporate farm.
  3.  Follow the below steps on each of the servers in the corporate farm:
  Open ‘SharePoint 2010 Management Shell’ with administrator privileges and navigate to the directory in which
  SecureFASTSearchConnector.ps1’ script is located.
  And then, execute the below command:
   .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" –ssaName “FASTCibtebtSSA” –username “DOMAIN\SP_Farm”
   Where,
  -certThumbprint 
  - Thumbprint of the certificate
  -ssaName – FAST Content SSA
  -username – The account configured to run the SharePoint
  Search Service
  On execution of the above command, we receive an error message stating that the "Connection to the Content Distributor servername.corp.abc.org: 14391 could not be validated...instance of FAST search server backend is running"
  Please help us resolve this issue. We have not been able to find the cause of the above error for a long time.
  Any help is much appreciated.

  Your tip on exporting from eDir to locate a missing private key was very helpful. Here are my steps to renew an expired third party certificate when the private key, generated 30 months ago in my case, could not be located.
  In iManager, browse the tree and locate the likely certificate object. The Attributes for the object show Subject Name = webmail.acme.com. Selected the certificate and exported to webmailcert.pfx.
  Then, the openssl commands in TID 7004039, "How to convert a SSL PFX to a PEM file", were run against the .pfx file to create cert.pem, key.pem and server.key files.
  TID 7015500, "How to determine if private key belongs to public key (certificate)", was followed to determine if the public key (downloaded from third party) and private key (just retrieved from iManager) match - they did - that is, the private key converted from webmailcert.pfx matches the downloaded certificate.
  TID 7013103, "How to create a .pem File for SSL certificate Installations", was followed to manually create a server.pem file using openssl.
  TID 7010584, "How to setup SSL Certificate for Apache", part labeled "Additional Information" was followed to modify /etc/apache2/vhosts.d/vhost-ssl.conf file. Server.pem file created above copied to /etc/apache2/ssl.crt/ and /etc/ssl/servercerts/ directories as specified in vhost-ssl.conf.
  Restarted apache2.
  www.digicert.com has an SSL Certificate Checker that can be used to verify the installation is successful.

• How to import self signed root CA certificates on to playbook.

  Hi, 
  I have a test environment with windows CA configured, and i want to install the root CA of this server on to my playbook device, i followed the steps mentioned in PlayBook user guide for importing root certificates, but 
  when i select the certificate in under Security -> certs and click on import it fails with imported 0 of i certificates. 
  could someone help me how can i install self signed root CA's into playbook. 
  regards,
  kamesh.

  I have the same issue along with repeated prompts to accept cert when I am just trying to access the page internally on my network.. Any help here RIM????????

• How to Import Self-signed SSL server certificates in Adobe AIR applications

  Hi,
  I am using secure AMF endpoints for remote object communication from AIR client.
  since i am using a self signed SSL certificate on the server, i am getting a certificate warning message on the AIR client, when ever a remote call is done.
  Is there any mechanism to import the server certificate in AIR application..?
  Please provide suggestions.
  Thanks

  I have the same issue along with repeated prompts to accept cert when I am just trying to access the page internally on my network.. Any help here RIM????????

• Using a Self Signed Root CA Certificate with Mail

  Hello -
  I'm experimenting with public/private encryption using Mail 3.5 on Mac OS 10.5.6, Keychain Access 4.0.2 and Certificate Assistant 2.0.
  I created a Certificate Authority with CA 2.0, granted a certificate to two different users with different email addresses and loaded the certificates into Mail 3.5 on two different machines running 10.5.6. I am able to send and receive signed messages between the two accounts but I'm unable to send encrypted messages, the 'lock' icon remains dimmed.
  When I look at keys in Keychain Access I don't find a public key for the receiver's address but I do have a certificate for both sender and receiver and a public and provate key for the sender.
  Can anyone shed light on why Mail won't let me encrypt the message?
  Thanks,
  Scott.

  Anyone have any information at all? This seems like a very basic need for maintaining certificates beyond the usable life of the equipment on which they were created.
  I have found precious little information about this specific to Apple OS.

• Firefox 3.6.3 does not bring up the "add exception" option for a self-signed certificate

  Hello. The company website I use has moved to a new server. The new server required some changes apparently, and now I am receiving the message CompanyXYZ.net:987 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for Now, on 1 of my 3 computers, I received the I understand the risks, and an option to Add an Exception. However, on the other 2 computers, I simply receive the previously described popup window and no option to proceed. Any suggestions would be appreciated. Thank you for your genius.
  == URL of affected sites ==
  private company server

  I already have the browser.uxl.error_pages.enabled setting set to true, but I still do not get the option to add an exception for an internal certificate. I'm trying to connect to the iLO port on an HP server. Thanks.

• SCUP 2011 for SCCM 2007 - SUP, WSUS plus MS PKI certificates (not self-signed ones)

  I am installing System Center Updates Publisher 2011 for our SCCM 2007 R2 system.
  Our SCCM 2007 R2 system runs in mixed mode. We have a dedicated server for SUP/WSUS and OSD/PXE functions.
  Shall I install SCUP 2011 on the dedicated server? I have installed it on my Windows 7 computer. What is the best practice configuration? SCUP should be equivalent WSUS role for Microsoft Partners software updates. Am I right? In this case, I should install
  SCUP on the SUP/WSUS server in my opinion.
  We have used the SUP/WSUS to apply Microsoft updates without any problems so far.
  When I am investigating the certificate requirement for SCUP 2011 code signing, I have found out that our SUP/WSUS server has some self-signed certificates for SMS and WSUS.
  All our SCCM 2007 servers except one have self-signed SMS Encryption Certificate and
  SMS Signing Certificate - those certificates are issued to
  SMS by SMS. The SUP/WSUS server also has an extra self-signed certificate
  WSUS Publishers Self-signed for code signing.
  We do have our own Microsoft Active Directory Certificate Services internal PKI service which has been trusted by our AD domain. Therefore, I would like to use an certificate from the PKI service for SCUP 2011 server such that all our SCCM 2007 clients will
  trust the certificate for non Microsoft software updates.
  What should I do re the self-signed SMS or WSUS certificates on the SUP/WSUS server?
  I just want to add SCUP to our SCCM 2007 system without causing problems to Microsoft updates deployment via SUP/WSUS.
  Thanks,
  SJJ123

  Personally I have used the self signed certificate and used the AD Group policy to distribute the certificate. I think it would be possible to import a certificate from your PKI into SCUP. Have you tried this?
  Louis

• Exchange 2013 don't unassign IIS Services from Certificate Self-Sign

  Hi,
  I Imported a new Public certificate to Exchange 2013 SP1 and assigned IIS Service, but IIS service keep assign to certificate self signed. Now, I have ISS services
  assigned in two certificate (self signed and public certificate), someone have seen it? What do I do now?
  Another question, Can I remove self-signed certificate? Is it any one service tied to Exchange?

  Hi,
  If possible, please provide more parameters(Status, IsSelfSigned etc.) about the certificate with IIS service:
  Get-ExchangeCertificate -Thumbprint
  382E9DCC4CCA38DA488345F7B46114BA91EBB8F0 | FL
  Get-ExchangeCertificate -Thumbprint
  86EE0029EBC8FDCC9F98572602E69F65226BAB76 | FL
  Please restart IIS service by running iisreset /noforce from a command prompt window. If the public certificate is configured correctly and has included all namespaces used for all Internal and external Exchange connections,
  we can remove the self-signed certificate safely.
  Thanks,
  Winnie Liang
  TechNet Community Support

• Can you use a self signed certificate on an external Edge Server interface?

  Hi,
  I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
  interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
  cert is valid (root and intermediate have been checked for validity).
  At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
  Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
  Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
  I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
  Thx

  Drago,
  Thanks for all your help. I got it working.
  My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
  Let me update everyone about self-signed certificates:
  YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
  I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
  intermediate have been checked for validity).
  Here are my notes:
  Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
  On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
  Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
  You should have already completed: Step1 and Step 2.
  Run or Run Again "Step 3: Request, Install or Assign Certificates".
  Install the "Edge internal" certificate.
  Click "Request" button to run the "Certificate Request" wizard.
  You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
  Once the certificate has been created, use "Import Certificate" to import it.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
  In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
  Install the "Edge External" certificate (public Internet).
  Click the "Request" button to run the "Certificate Request" wizard.
  Press "next"
  Select "Prepare the request now, but send it later (offline certificate request).
  Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
  Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
  Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
  Fill in the organization info.
  Fill in the Geographical Information.
  The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
  Select your "Configured SIP domains"
  "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
  Verify the "certificate Request Summary". Click next.
  Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
   Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
  In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
  For the "External Edge certificate (public Internet), click "Assign".
  The "Certificate Assignment" wizard will run.
  Click next.
  From the list, select your cert "EXTERNAL-EDGE".
  Finish the wizard to "complete".
  You are finished on the server.
  Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
  When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
  Browse
  Select "Trusted Root Certification Authorities"
  Finish the wizard.

• Free Self Signing Midlet for Series 60 3'rd Edition

  Hi folks,
  I just read a great blog about self signing midlets with your own certificate and run them successfully atleast in Series 60 2'nd ed. phones. and this whole process is absolutely free.
  Just read the blog, follow the procedure and u are ready to test your app in trusted third party domain.
  http://browndrf.blogspot.com/
  njoy
  SD
  I have a request to those who will like (or dislike) this post, please reply just good (or bogus) only to keep this thread remain in the first few pages, in order to make it get more visible to the members who will require it.
  atleast I'm not asking for any dukes.
  :-P
  Message was edited by:
  find_suvro@SDN

  My applogies.
  Let me elaborate;-
  "The MIDP 2.0 specification recommends four protection domains for GSM/UTMS devices: the manufacturer, operator, trusted third party, and untrusted domains. <ul><li>The manufacturer domain uses root certificates belonging to the device producer.</li>
  <li>The operator domain is used for the network operator MIDlets and may use root certificates available on storage such as SIM cards.</li>
  <li>The trusted third party domain will encompass well-known Certificate Authorities' (CA) root certificates.</li>
  <li>Finally, the mandatory untrusted domain has not an associated root certificate and is used for unsigned and MIDP 1.0 MIDlet suites. "</li>
  </ul>
  More elaboration here : http://www.forum.nokia.com/info/sw.nokia.com/id/88b8bf92-ab04-46b0-a07a-7c3e835e6d1e/MIDP_2_0_Tutorial_On_Signed_MIDlets_v1_1_en.pdf.html
  SMS in practice is an exception to the general midp policy which specially while sending message will always ask for confirmation even if in trusted third party domain. However, this depends on implementation and exceptions can be found. Some operators (mainly found with CDMA) does not support "Always allowed" option even in restricted apis other than wma.
  More info : here and here
  SD

• Import and trust a self-signed CA certificate from the Terminal

  Hello there,
  i have a problem: I would like to import and trust a self-signed CA(root) certificate from the Terminal to the System.keychain.
  My request is to create a installation script to install the Cisco AnyConnect VPN Client and the needed certificates.
  For the import i have used the following command:
      sudo security import certificate.cer -k "/Library/Keychain/System.keychain" -A
      The Option "-A" says:
  Allow any application to access the imported key without warning (insecure, not recommended!) <- From the Mac Developer Library
  The command reportet: 1 certificate is importet ... but ... the certificate is not trusted.
  What do i need to do to set this certificate as trustworthy at the terminal?
  Thanks for your help and best regards
  Benjamin
  P.S. The command: sudo security add-trusted-cert -d -r trustRoot -k “/Library/Keychains/System.keychain” “/private/tmp/certs/certname.cer” doen't run, i get an error message. Found on http://derflounder.wordpress.com/2011/03/13/adding-new-trusted-root-certificates -to-system-keychain/

  Hello Linc Davis,
  thanks for your answer and sorry for my mistake, because i had already changed the last argument but for this discussion i had only copy this example.
  But your answer show me the right way, big thanks.
  I had entred the following command (see the last argument):
       sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Downloads/mycert.cer"
  ... and i get the following message:
      ***Error reading file ~/Downloads/mycert.cer
       Error reading file ~/Downloads/mycert.cer
  Today i changed the last argument to:
       /Users/User/Downloads/mycert.cer
  and its run.
  Many thanks!
  Benjamin

• OBIEE 11g SSL how to generate self-signed/demo certificate

  Hi,
  We are enabling SSL for OBIEE 11.1.1.5 environment and want to generate self-signed or demo certificate.
  We are following note 1326781.1 and are at Step 1 - point 4 that says:
  4. Submit the Certification request to your Signing Authority (CA).
  Certification Authority(CA) is an valid signing authority of your choice (for example: OpenSSL, Verisign,
  Microsoft, etc)
  Upon submission of the certificate request, CA returns the certificate for the testmachine server (Server Certificate). Copy the CA certificate and Server Certificate to <MW_HOME>/SSL folder.
  How to gerenate self-signed or demo certificate?
  Thanks in advance.

  As long as you have the keytool on that server (installed with WLS) , you can create the generate the certificate and import that into a keystore.
  Follow : Getting Started with WebLogic Server: How to Create and Configure Self Signed Certificates for WebLogic Server Environments [ID 1341192.1] , describes the two options.
  http://www.techpaste.com/2012/06/steps-configure-ssl-oracle-weblogic-server-custom-identity-java-trust-keystore/
  I am not sure how to generate self signed certs on IBM AIX machine.
  HTH,
  SVS

• Need help with Apache self signed client certificates.

  At work we use PHPmyadmin to administer our central MySQL database.
  In order to access PHPmyadmin we use self signed ssl client certificates, for our developers, so that you can only access phpmyadmin if you have a valid client certificate installed in your browser.
  The ssl certificate on the webserver hosting phpmyadmin has expired now and I would like to extend it, preferrably without having to re-genereate client certificates for all users.
  I'm a bit confused to the approach. Most howtos I've found deal with extending a webserver certificate. but it really just looks like they generate a new one.
  Can anyone help me out with how best to approach this.
  Do I simply generate a new Apache Server certificate and then use this to re-sign the existing client certificates?

  As the SOAP servlet says: "Sorry, I don't speak via HTTP GET- you have to use HTTP POST to talk to me.", you must use the HTTP POST method and not the GET method to use SOAP.
  Use setRequestMethod("POST") of class HttpURLConnection to make your HTTP connection use the POST method.
  (I didn't look at all your code).
  Jesper