ACS v5.2 - New Self Signed Certificate Not Showing In Browser

Similar Messages

• New self signed certificate, how to mark as trusted for all users on clients

  We have a new 10.8 server that we are currently using for iChat/Messages service.  We have created a self signed certificate to encrypt the traffic to the Messages service since we have the service accessible for internet and phone users.  We use network accounts and users need to log in on several different machines when in the office.
  Can anyone suggest how to tell a client machine to trust the certificate for all users?
  Currently, each user is asked to trust the certificate on each client they log into.
  I have imported the server certificate into the client's system keychain in Kechain Access and asked it to trust the certificate for all items manually.  This does not appear to allow all users to trust the certificate since subsequent users who have not yet trusted the certificate on the test client are still asked to confirm trust.  When opening the iChat.app the users are still propmpted to verify the certificate which now indicates that it is trusted for all users.

  Resolved.
  - Drag certificate from verification dialog.
  - Import into System Keychain
  - Select certificate in System Keychain and select "i" button at bottom of window.
  - Set all items to always trust.

• ACS 5.3 / Self Signed / Certificate base auth

  Hello,
  Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.
  We have exported it to have a Trusted Certificate for client machine.
  This certificat has been installed on a laptop.
  The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)
  I have this error in the log:
  12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain
  I think the Access Policies (identity & authorization) are misconfigured:
  > I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
  > Identity: System:EAPauthentication match EAP-TLS
  id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
  > authorization: System:WasMachineAuthenticated=True
  Thanks for your help,
  regards,

  Hello,
  I found the answer here:
  https://supportforums.cisco.com/message/1298039#1298039
  ACS self-signed certificate is not compatible with EAP-TLS
  Thanks,

• Mail App Not Working with Self-Signed Certificates

  First and foremost, I apologise for starting another thread that is 90% similar to others but I wanted to avoid falling into an existing context.  Like may others, I am having issues with the Mail App in Mavericks but I have an email account other than G-Mail.
  That being said, here is the issue I am having.  Until recently I never had an issue sending and receiving email from various accounted.  My Internet provider, an Exchange account, even a G-Mail account.
  Yesterday, my Web hosting provider issued a new (self-signed) certificate as the old one had expired (which was also a self-signed certificate).  While I am able to still receive messages, I am no longer able to send any.
  I have tried numberous possible solutions to no avail.  I have removed and readded my email account, I have refreshed my SMTP settings, I have removed all semblence of the account from my Key Chain, added the Certificate manually with full trust, and I have even flushed the caches from my ~/Library/ folder.  The last one perked up the Mail App but did not restore my ability to send messages from my Web provider's SMTP server.
  I suspect this is a bug in the Mail App but I'm hoping I can find a few last solutions before I file a bug report.
  In the meantime, I am using another outgoing server from my Internet provider.  It will do but for consistency I'd much rather use the outgoing server that came with the email account in question.
  I am all but convinced it is the Mail App as Thunderbird is able to use the SMTP server just fine and I am still able to send messages using the exact same settings on my iPhone and iPad.
  In case it helps, I am using a Early 2011 MacBook Pro with the latest Mavericks update (which ironically was meant to solve some issues other users had with the Mail App).
  On a related note, I wish I had stayed on Snow Leopard.  I did not have a single issue with that OS.  Now I feel like I am working on Windows Vista again and I am waiting for the Apple version of Windows 7 to set things right.

  MrsCDS wrote:
  I am using an iPhone 6 plus on iOS 8.1 and suddenly my Yahoo email account will not populate to my Mail app. I have deleted and re-added the account and also re-booted the phone with no luck. I get the spinning wheel up by my Wi-Fi signal that suggests it's attempting to do something, but the bottom of the Inbox only says "Updated Yesterday." Has anyone else experienced this or can someone, especially an Apple employee, tell me how to fix this?
  There is no Apple in this user to user technical forum, if you want an Apple employee you would need to take your phone to the Apple store.
  What happens when you switch to using cellular data?  Does your email update?
  FYI - Yahoo email account is notoriously bad, you can try their app.

• How to replace an expiring self-signed certificate?

  Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
  First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
  It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
  The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
  It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
  I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
  I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
  Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
  http://screencast.com/t/zlVyR2Hsc
  Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
  Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
  http://screencast.com/t/54c2BUJuXO2
  Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
  Be aware that creating certificates starts to populate your server Keychain.
  http://screencast.com/t/JjLb4YkAM
  It appears that when you start to delete certificates, it leaves behind private keys.
  http://screencast.com/t/XD9zO3n16z
  If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
  OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
  In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
  Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
  Bypass "Introduction".
  In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
  The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
  You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
  In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
  The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
  (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
  Pant, pant...
  The next window asks for an email address and location information - this appears to be optional.
  Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
  Key Usage Extension window
  Here's where it gets interesting...
  I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
  Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
  Extended Key Usage Extension...
  Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
  Sorry, folks, I just HAVE to show you the help for this window...
  +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
  KILL ME NOW!!!
  OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
  Basic Constraints Extension...
  Well, there is no mention of that on the original certificate, so leave it unchecked.
  Subject Alternate Name Extension...
  Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
  DONE!!!! Let's see what the heck we got!
  http://screencast.com/t/QgU86suCiQH
  Well, I don't know about you but that looks pretty close for Jazz?
  I got some extra crap in there but the stuff from the original cert is all there.
  Think we're OK??
  Out with the old certificate (delete).
  Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
  http://screencast.com/t/bydMfhXcBFDH
  Oh yeah...one more thing in KeyChain Access...
  See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
  http://screencast.com/t/GdZfxBkHrea
  Select "Always Trust".
  I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
  I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
  Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
  If you want to see my rant on Apple's worthless documentation, it's here.
  http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

  to add to countryschool and john orban's experiences:
  using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
  in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
  when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
  supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
  you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
  now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
  after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
  lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
  maybe that's hopeful to somebody. but i stopped there since things seem to be working.
  last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
  now, we'll see how everything works once people start really using it...

• Persistant ASA self signed Certificate

  Is there a way to keep an ASA from generating a new self signed certificate every time it reloads?

  Try this link from Cisco
  "By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can purchase your own certificate from vendors, such as Verisign or EnTrust, or you can configure the ASA to issue an identity certificate to itself. This certificate remains the same even when the device is rebooted. Complete this step in order to generate a self-issued certificate that persists when the device is rebooted....."
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

• RV120W- How to create new unique self-signed certificate?

  Hello,
  how to create new unique self-signed certificate on RV120W? I can create request for singning by external CA, but I cannot create new unique self-signed certificate itself. Any idea? Did I miss something? Many thanks!
  Abudef

  So basically RV120W does not support self-signed certificate? It only allows to generate private key and certificate signin request. There is no chance to replace default generic ssl/vpn certifice within router itself? Could you please give me an advice, how to sign that request by some "CA"? I mean no commercial CA, I need something free running under Windows os. Many thanks!

• How to Increase ACS self signed certificate.

  I'm using ACS 4.0 for Windows.
  How can I increase the validity of a self signed certificate from one year to more years?
  Thanks.
  Andrea.

  It is not possible to extend it. You have to re-issue the cert every year. You can either buy a certificate or setup your own CA to extend the time.

• Self Signed Certificate For ACS

  Hi,
  I am running version 4.1 of the ACS appliance and was wondering if anyone knew of a way to get around the limitation of the 1 year self signed certificate? We had no external CA infrastructure.
  Is there a way of creating the CA certificate on an external (temporary) Windows/Linux box and then importing this onto the ACS for use?

  This will be on an isolated network and will only authenticate/authorize a few switches and routers. No MS/Linux on this LAN will use ACS, you still have to create the CER? I could only find where that is needed for EAP, PEAP, HTTPS, Positure Validation, etc. I'm just trying to get the basics working so I can get this started, tested, then move to other things. If you think this is still needed, I'll create the self-signed one but I'm not sure if it will do any good. Thanks for the reply.

• Safari on Windows could not accept self-signed certificate

  Hi, i am using Safari 5.0.4 on Windows 7 and I am trying to access an https site with a self-signed certificate (internal developing site).
  after i install the certificate to the Windows certificate store (i try both Personal store and Trusted Root Certification), when i try to browse the site, Safari asks me to choose a certificate, after i choose it, after a long hang time, Safari displays "Safari can't open the page".
  My questions are:
  1. Any one has configured safari on windows to accept self-signed certificate successfully?
  2. i see some other posts saying "Safari on Windows has bug to use the self-signed certificate", any official document or link saying this if this is true?

  Microsoft Windows web browser support questions?   Try one or more of these resources:
  http://technet.microsoft.com/en-us/library/cc747495(WS.10).aspx
  http://www.leonmeijer.nl/archive/2008/08/01/123.aspx
  http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-ie8-to-acc ept-a-self-signed-certificate
  That was from tossing the /internet explorer import self-signed certificate/ query at Google, and some poking around.  StackOverflow and Microsoft Technet and the Microsoft KBs have more details on Microsoft platforms and products and permutations, too.
  The usual best fix with this stuff is to create your own certificate authority (CA) root certificate and to configure that within your chosen platforms and browsers, but I do not know (off-hand) how to do that on Microsoft Windows boxes.  Google or some KB probably has details of loading your own root cert.  This approach means loading one cert, and the rest of what you create that's signed from that cert will now automatically be trusted.  Basically you become your own CA provider, load your root cert into each of your clients, and then issue your own certs chained from your own root cert, and Bob's Your Uncle.

• In Firefox 4.0 with a Server with a self signed certificate using IPv6 I can not add a "Security Exception" for this certificate.

  In Firefox 4.0 I have a server ... it contains a self signed certificate. Using IPv6 I can not add a "Security Exception" for this certificate.
  1. I log onto the server (using IPv6). I get the "Untrusted connection page" saying "This connection is Untrusted"
  2. I click on "Add Exception.." under the "I understand the Risks" section.
  3. The "Add Security Exception" dialog comes up. soon after the dialog comes up I get an additional "Alert" dialog saying
  An exception occured during connection to xxxxxxxxx.
  Peer's certificate issuer has been marked as not trusted by the User.
  (Error code sec_error_untrusted_issuer).
  Please note that this works in Firefox 3.6.16 (in IPv4 and IPv6). It also works in Firefox 4.0 in IPv4 only IPv6 has an issue. What's wrong?

  Exactly the same problem, except I'm using FF v6 for Windows, not FF v4 as for the lead post. This is for a self-cert which IS trusted, although the error message says it isn't.

• Safari 7 on OSX 10.9 not enjoying SSL self signed certificates

  Hello people from the web,
  I am experiencing a weird issue with self signed certificates. Since I upgraded to OSX 10.9 (Maverick) I am not able to connect to an HTTPS site protected by a self signed SSL certificate. The only remaining browser on my computer able to do the trick is Firefox (24). Chrome (30) and Safari (7) cannot.
  Have you experienced the same issue? Have you found a solution?
  On my quest for a solution I found this article:
  http://curl.haxx.se/mail/archive-2013-10/0036.html
  However it seems to me this is more the webkit common engine causing the issue. Is it possible that Webkit has become more picky with SSL Certificates? In which case how to generate a cutom one that would suit Safari 7 and Chrome 30+?
  Thank you for any help you could provide
  Oscar

  Safari - Unsupported third-party add-ons may cause Safari to unexpectedly quit or have performance issues
  Safari/other browsers – Website not loading
  Safari Problems

• Safari could not establish secure connection to my localhost with self signed certificate

  was using maven+grizzly+jersey to start my own server. I created self signed certificate so that my server can support https. I case you are curious, following is how I generated my certificate
  I was testing this on my iMac (Running Mavericks) Now, I added the server.cert to the system keychain so that all users can trust this certificate. Also, I change the trust level to "Always Trust".
  I get this work in Chrome and Firefox. They asked me to add exception for this certificate, I did and then everything goes fine. However, I have never make Safari(7.0) happy. I always get the error saying that Safari cannot establish secure connection to my localhost.
  Does anyone have any idea why it happened? Or is there better way to debug this problem so that I will be able to tell at which step things goes wrong.
  Thank you in advance. I really appreciated it.

  Any help much appreciated!

• Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

  SCCM 2012 has been successfully installed on the server:
  SRVSCCM.
  The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
  Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
  The cluster service is running on the account: sqlclusteruser
  The account has the appropriate SPN are registered:
  setspn -L domain\sqlclusteruser
  Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
  MSSQLSvc/CLS-SQL4
  MSSQLSvc/CLS-SQL4.domain.local
  MSSQLSvc/CLS-SQL4:11434
  MSSQLSvc/CLS-SQL4.domain.local:11434
  After some time on the cluster hosts every day started appearing new folders with files inside:
  srvboot.exe
  srvboot.ini
  srvboot.log
  srvboot.log contains the following information:
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
  Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
  Copyright (C) 2011 Microsoft Corp.
  Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
  Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
  Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
  Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
  Failed to retrieve SQL Server service account.
  Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
  Disconnecting from Site Server.
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

  The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
  Without successfull bootstrap the siteserver backup is not able to run successfully.
  Try grant everyone the read permisson on
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
  This worked for me.
  After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
  After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
  sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

• Lion server erased self signed certificate

  Help!!! I accidentally deleted the self signed certificate that had the right keys for my third party SSL.  Now I cannot replace the self signed certificate with the new SSL.  Now what????

  I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.
   Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted
  in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.
   The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.
  After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed
  certificate created by SQL Server for data in transit transmission.
  BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.
  I hope this information helps,
  -Raul Garcia
   SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.