Anyconnect 3.1 self signed certificate warning message

Dear All,
I'd like to access my SSL VPN without receiving the advice about the Private Certificate.
My PC has Windows 7. I activate the VPN from the AnyConnect client and not from the Internet browser.
I have created the profile.xml, in order to display the ASA hostname to the user:
Is there any way to do it?
Best Regards,
Igor.

You have to install the certificate on the client and put it in the Trusted Root Certificates store.
Here is a link to the Admin guide showing how.

Similar Messages

  • SCCM 2007 - task sequence - prestaged media - self-signed certificates - error message 'Certificate has expired for this media'

    Hi there
    Quick scenario.
    We have created a task sequence prestaged media .wim file (SCCM 2007, client OS is Windows XP).
    Recently some of these swap-out machines, on delivery and start up, have started showing this message:
    'Certificate has expired for this media'.
    This is because the self-signed certificate created during the prestaged media creation process has expired.
    My question is: is it possible to mount the image using dism or imagex and then inject an updated certificate?
    Best regards
    John

    The disk that has the prestaged media applied must be the boot partition.
    Create a task sequence to stage the prestaged media. In this task run a format and partition step which configures both the system disk and the OS disk, though make the OS disk the active boot partition. Then apply the prestage wim.
    On your deploy task, somewhere after the OS has applied, create a group that runs only if the media is OEM (from memory _SMSTSMedia = OEMMedia).
    In this group run the command bcdboot C:\Windows /s F: /f ALL where f: is the drive letter assigned to the system disk, then run another step that removes the drive letter and reboots. The deploy task will now continue and you will be booting to the system partition.
    So I wanted to get back to working on this issue. I noticed that when I said it worked, it was actually still booting from the C drive instead of the reserved partition. For the past few days I have been trying to get the prestaged to work like a network deploy but fail every time. I cannot get the prestaged to boot from any other partition other than the partition where Windows was imaged to.
    So where I am at today. When I do as suggested above, the D drive (the reserved boot volume) returns on reboot; it will not stay hidden. Also the OS is still booting from C and does not change to the D drive or no drive letter drive with the above commands. I think there is some other command missing that tells it to boot from a new location that is not bcdboot.
    Has anyone seen any guides for how to use prestaged and BitLocker enabled task sequence? I think that would help me figure out my current issues, as with BitLocker you must have this other partition.

  • ASA self-signed certificate for Anyconnect 3.1, which attributes?

    Hi everybody,
    I can't find the detailed information which attributes are exactly needed for the Anyconnect 3.1 client to correctly identify the VPN server -ASA 8.4(4)1
    I have added two servers in the client connection profile:
    IP address, primary protocol IPsec
    IP address/non-default port number, primary protocol SSL
    Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
    Connecting via SSL issues an additional warning "Certificate does not match the server name".
    The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
    I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by AnyConnect 3.1. Where can I find a detailed description of which attributes are required for AnyConnect SSL sessions? I'm convinced the identity (DN cn) is OK.

    Shamelessly bumping this question,
    Anyone out there (maybe from Cisco) who can tell us which attributes are required on a self-signed certificate?
    I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server.

  • How to replace an expiring self-signed certificate?

    Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
    First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
    It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
    The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
    It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
    I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted do not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
    I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certificate to see what they were.
    Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.)
    http://screencast.com/t/zlVyR2Hsc
    Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and its usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and its purpose is Server Authentication.
    Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
    http://screencast.com/t/54c2BUJuXO2
    Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
    Be aware that creating certificates starts to populate your server Keychain.
    http://screencast.com/t/JjLb4YkAM
    It appears that when you start to delete certificates, it leaves behind private keys.
    http://screencast.com/t/XD9zO3n16z
    If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
    OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
    In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
    Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
    Bypass "Introduction".
    In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
    The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
    You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
    In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
    The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean or how to select what to choose.
    (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's as clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
    Pant, pant...
    The next window asks for an email address and location information - this appears to be optional.
    Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
    Key Usage Extension window
    Here's where it gets interesting...
    I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
    Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
    Extended Key Usage Extension...
    Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
    Sorry, folks, I just HAVE to show you the help for this window...
    "The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible. EKU is defined with object identifiers called OIDs. If the EKU extension is omitted, all operations are potentially valid."
    KILL ME NOW!!!
    OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
    Basic Constraints Extension...
    Well, there is no mention of that on the original certificate, so leave it unchecked.
    Subject Alternate Name Extension...
    Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
    DONE!!!! Let's see what the heck we got!
    http://screencast.com/t/QgU86suCiQH
    Well, I don't know about you but that looks pretty close for Jazz?
    I got some extra crap in there but the stuff from the original cert is all there.
    Think we're OK??
    Out with the old certificate (delete).
    Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
    http://screencast.com/t/bydMfhXcBFDH
    Oh yeah...one more thing in KeyChain Access...
    See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
    http://screencast.com/t/GdZfxBkHrea
    Select "Always Trust".
    I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
    I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
    Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
    If you want to see my rant on Apple's worthless documentation, it's here.
    http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

    to add to countryschool and john orban's experiences:
    using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
    in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
    when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
    supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
    you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
    now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
    after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
    lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
    maybe that's hopeful to somebody. but i stopped there since things seem to be working.
    last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
    now, we'll see how everything works once people start really using it...
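The name-matching behaviour described in the reply above (common name, wildcard, Subject Alternative Name taking precedence), together with the IP-address case raised in the ASA question earlier on this page, as an added Python example that is not from any poster or vendor. It follows the RFC 2818 section 3.1 rules and goes beyond the posts by covering iPAddress entries. The certificate dictionaries and names such as `vpn.example.com` are constructed, and individual clients (AnyConnect included) may apply stricter or looser rules.

```python
import ipaddress


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name (possibly '*.example.com') to a host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard, and at least two
        # fixed labels must follow it ('*.com' is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def match_server_name(cert: dict, target: str) -> tuple:
    """Return (matched, reason) for the name or IP the client connects to.

    cert is a simplified, hypothetical view of a certificate:
    {'cn': str, 'san_dns': [str, ...], 'san_ip': [str, ...]}
    """
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # Connecting by IP: only an iPAddress SAN entry counts. An IP typed
        # into the CN or into a dNSName entry does not.
        for entry in san_ip:
            if ipaddress.ip_address(entry) == target_ip:
                return True, "iPAddress SAN"
        return False, "no matching iPAddress SAN"

    if san_dns:
        # Any dNSName SAN present: the common name is ignored entirely.
        for entry in san_dns:
            if dns_name_matches(entry, target):
                return True, "dNSName SAN"
        return False, "dNSName SAN present, CN ignored"

    # No dNSName SAN: legacy fallback to the common name.
    if dns_name_matches(cert.get("cn", ""), target):
        return True, "CN fallback"
    return False, "CN mismatch"


# Constructed sample certificates (field values only, not real certificates).
CN_ONLY = {"cn": "vpn.example.com"}
SAN_OVERRIDES_CN = {"cn": "old.example.com", "san_dns": ["vpn.example.com"]}
WILDCARD_CN = {"cn": "*.example.com"}
IP_AS_DNS_NAME = {"cn": "192.0.2.10", "san_dns": ["192.0.2.10"]}
IP_IN_IP_SAN = {"cn": "192.0.2.10", "san_ip": ["192.0.2.10"]}

if __name__ == "__main__":
    cases = [
        (CN_ONLY, "vpn.example.com"),
        (SAN_OVERRIDES_CN, "old.example.com"),
        (SAN_OVERRIDES_CN, "vpn.example.com"),
        (WILDCARD_CN, "mail.example.com"),
        (WILDCARD_CN, "a.b.example.com"),
        (IP_AS_DNS_NAME, "192.0.2.10"),
        (IP_IN_IP_SAN, "192.0.2.10"),
    ]
    for cert, target in cases:
        print(target, cert, match_server_name(cert, target))
```
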

  • SSL (Self Signed Certificate) in Business Connector

    After going through hundreds of messages, I am still not clear  about the steps involved in including SSL certificate with HTTP protocol.
    1. Instead of subscribing to Trusted Certificate Authority, can we ceate a Self Signed Certificate? If yes, how?
    2. Can anyone please explain the steps involved in including SSL certificate (configuring/importing the certificate)? We are successfully calling HTTP and sending the XML document to a HTTPS URL with authorized user name and password. I need to include SSL certificate to complete the requirement. I have looked at all the PDF documents that are available with BC installation and looked at many forums and still haven't found the answers.
    Thanks in advance.

    Hi Ramesh.
    When untrusted root certificates may be acceptable

    Some CAs may be trusted, but in only a very limited way. For example, a company with employees in diverse locations can make internal documents available to all its employees by setting up a Web site on an intranet that is only accessible from inside the corporate LAN (i.e. people on the Internet cannot see it). If there are documents on this site that should have limited access within the company (such as strategic plans or personnel documents), then these can be protected with SSL.

    Since both the servers as well as the browsers are on corporate-controlled equipment, it is well within the company's interests to act as its own CA. This means that the company can generate its own root certificate with which it can sign as many SSL certificates as required for the servers deployed in its intranet. Once this is done, this certificate should be installed into the certificate stores of all the browsers used in the company. Since the computers these browsers run on are controlled by the company, this is easy to do: the corporate IT department can have a policy that the company's root certificate is installed in the browser's certificate store whenever a new computer is set up. This prevents security warnings from being displayed whenever an employee accesses an SSL-secured site on the company intranet.

    The advantage to the company is that it can deploy secured sites anywhere on its intranet without purchasing certificates from an external CA. Note that if the company also runs an e-commerce site, then it should purchase its SSL certificate from a trusted CA and not use an internal one for sites accessible to the public, who will not have the certificate installed by the corporate IT department, and thus would receive a security warning.

    In such an environment, an unscrupulous employee (most likely a member of the IT team) who has access to the private key could launch very successful MITM attacks against employees who visit SSL-protected e-commerce and e-banking sites at work. This will be discussed later in this document. However, the company can easily protect itself by warning employees not to visit such sites on company time or equipment, since they are not "business related activities."
    Please see this doc related to trusted and untrusted certificate.
    http://www.sericontech.com/Downloads/Untrusted_Root_Certificates_Considered_Harmful.pdf

  • Flyspray email notification using self signed certificates

    Hi all, I've been having an issue with flyspray sending notification emails through a SMTP server (running on localhost) which uses submission (port 587) and starttls with a self signed certificate. Whenever a notification would be sent I receive an error like the following:
    Notice: Undefined property: Swift_Transport_StreamBuffer::$_sequence in /usr/share/webapps/flyspray/includes/external/swift-mailer/classes/Swift/Transport/StreamBuffer.php on line 236 Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /usr/share/webapps/flyspray/includes/external/swift-mailer/classes/Swift/Transport/StreamBuffer.php on line 102 Completely unexpected exception: Unable to connect with TLS encryption
    This should never happend, please inform Flyspray Developers
    For the time being I just disabled notification all together. But this is a pretty big problem for me as I would like to avoid having to come to the web to view bugs I'm working on. Eventually I will create my own personal CA and this problem will become a non-issue, but until the time comes I'd love a work around (preferably not too dirty if at all possible).
    Thanks for the help.

    Hi Jerome,
    The certificate may have been generated incorrectly but I would suggest logging
    a support case.
    Kind Regards,
    Richard Wallace
    Senior Developer Relations Engineer
    BEA Support.
    "Jerome Cahuzac" <[email protected]> wrote:
    >
    >
    >
    I want to enable HTTPS protocol with WebLogic Server 5.1
    I want to use a self signed certificate generated with the JDK keytool.
    I've successfuly generated it and exported a dummy.cer file.
    I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
    and I've got this exception
    java.lang.NullPointerException:
    at weblogic.security.RSAKey.toString(RSAKey.java:203)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.security.X509.toString(X509.java:261)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
    at java.lang.Thread.run(Thread.java:479)
    mar. déc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
    What's the right way to do this ?

  • Fetchmail - Self-Signed Certificate Warnings

    Hi All,
    I have been reading these forums for a while and they have definitely helped me configure my OSX Server. Probably the first place I check for any dramas I have with my server.
    To start with, I thought I would offer a solution that I have found to the warning that comes up with fetchmail seeing a common name mismatch in an SSL certificate. If you are using fetchmailrc add:
    sslcommonname 'the.name.the.server.points.to'
    to your poll user line.
    Eg.
    poll mail.mailserver.com with proto IMAP
    user '[email protected]' there with password 'password' is 'users-mailbox' here options fetchall sslcommonname 'the.name.the.server.points.to'
    Now to my problem.
    I have the following warning in my logs that I cannot get rid of:
    .fetchmailrc[xxx]: Server certificate verification error: self signed certificate in certificate chain
    What I have done to try and rid myself of this warning:
    Download the certificates using openssl -connect, save the cert, c_rehash the cert, add the command sslcertpath '/path/of/the/cert'
    I thought this would simply check the certificate against my copy rather than check if it is self-signed.
    No bone. This didn't seem to make any difference.
    Any suggestions?

    Good news.
    I believe I have figured it out. Hope this helps someone.
    So to get rid of those pesky errors I manually checked the ssl fingerprint on each certificate. Not sure why a certificate comparison via sslcertpath didn't work, but it's working with sslfingerprint.
    Basically, what you need to do is:
    1/ Get the SSL fingerprint of the certificate of your mail server. There are many ways of doing this but I found the easiest being just running fetchmail -v. If you read through the output you will find the fingerprint of each mail server's certificates. The output is usually redirected to your console so check there under all messages.
    2/ Go to your fetchmailrc and next to each of your polls add:
    sslfingerprint 'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'
    Where xx:xx etc is your fingerprint for each server's SSL certificates.
    3/ That's it.
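The pinning steps above as an added Python example (not from the original post or the fetchmail project): it derives the value `sslfingerprint` expects and checks the pins found in a fetchmailrc against a presented certificate. It assumes the pin is the colon-separated, upper-case MD5 digest of the server certificate's DER encoding, which matches the 16-byte placeholder in the post; the PEM blocks wrap constructed stand-in bytes rather than real certificates, and the host and user names are constructed.

```python
import hashlib
import re
import ssl

# Assumed pin format: exactly 16 upper-case hex pairs separated by colons.
PIN_FORMAT = re.compile(r"[0-9A-F]{2}(?::[0-9A-F]{2}){15}")
# Pins as written in the post: sslfingerprint '<value>' (single quotes).
PIN_IN_RC = re.compile(r"sslfingerprint\s+'([^']*)'")


def md5_fingerprint(pem: str) -> str:
    """MD5 over the DER bytes of a PEM certificate, formatted AA:BB:..."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pins_in_fetchmailrc(text: str) -> list:
    """Return every sslfingerprint value found in a fetchmailrc text."""
    return [m.group(1) for m in PIN_IN_RC.finditer(text)]


def check_pin(pin: str, presented_pem: str) -> str:
    """Classify a configured pin as 'malformed', 'match' or 'mismatch'."""
    if not PIN_FORMAT.fullmatch(pin):
        return "malformed"  # e.g. lower-case hex or the wrong digest length
    return "match" if pin == md5_fingerprint(presented_pem) else "mismatch"


# Constructed stand-ins: the fingerprint depends only on the DER bytes, so
# short byte strings are enough to show the behaviour offline.
CURRENT_PEM = ssl.DER_cert_to_PEM_cert(b"abc")
RENEWED_PEM = ssl.DER_cert_to_PEM_cert(b"abd")  # certificate after reissue

# Constructed fetchmailrc: the second pin is the same digest in lower case.
SAMPLE_RC = """\
poll mail.example.com with proto IMAP
user 'alice' there with password 'placeholder' is 'alice' here options fetchall sslfingerprint '90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72'
poll mail2.example.com with proto IMAP
user 'bob' there with password 'placeholder' is 'bob' here options fetchall sslfingerprint '90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72'
"""

if __name__ == "__main__":
    for pin in pins_in_fetchmailrc(SAMPLE_RC):
        print(pin,
              "current:", check_pin(pin, CURRENT_PEM),
              "renewed:", check_pin(pin, RENEWED_PEM))
```

A pin identifies one exact certificate, so it has to be updated whenever the server's certificate is reissued.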

  • How to successfully import ASA self-signed certificate?

    On ASA 9.1 I am trying to export an Identity certificate, a self-signed certificate, into a p12 file so I can import it into a laptop and use it for a secure connection to the ASA over ASDM. I can add the certificate OK using ASDM; the certificate shows up OK in Certificate management/Identity certificate. Exported the certificate into a .p12 file with passphrase OK.
    In Win XP and Windows 7 every time I try to import the certificate I get a message that the password is incorrect. Yes, I did type the correct password.
    Even through the CLI I get the same error when trying to import the file.
    ASA(config)# crypto ca export ASDM_TRUSTPOINT pkcs12 password
    Exported pkcs12 follows:
    Any tips or tricks on how to get this simple task completed? Is maybe the file format not right?

    Hi
    Please show the error ASA is reporting during import.
    It's working correctly with 9.1(0)2, example:
    ASA9(config)# crypto ca trustpoint TP
    ASA9(config-ca-trustpoint)# enrollment self
    ASA9(config)# crypto ca enroll TP
    WARNING: Trustpoint TP has already enrolled and has
    a device cert issued to it.
    If you successfully re-enroll this trustpoint,
    the existing certificate will be replaced.
    Do you want to continue with re-enrollment? [yes/no]: yes
    % The fully-qualified domain name in the certificate will be: ASA9
    % Include the device serial number in the subject name? [yes/no]: yes
    Generate Self-Signed Certificate? [yes/no]: yes
    ASA9(config)#
    ASA9(config)# crypto ca export TP pkcs12 123456
    Exported pkcs12 follows:
    ASA9(config)#
    ASA9(config)#
    ASA9(config)# no crypto ca trustpoint TP
    WARNING: Removing an enrolled trustpoint will destroy all
    certificates received from the related Certificate Authority.
    Are you sure you want to do this? [yes/no]: yes
    ASA9(config)# crypto key zeroize rsa
    WARNING: All RSA keys will be removed.
    WARNING: All device digital certificates issued using these keys will also be removed.
    Do you really want to remove these keys? [yes/no]: yes
    ASA9(config)# crypto ca trustpoint TP2
    ASA9(config)# crypto ca import TP2 pkcs12 123456
    Enter the base 64 encoded pkcs12.
    End with the word "quit" on a line by itself:
    quit
    INFO: Import PKCS12 operation completed successfully
    ASA9(config)#
    ASA9(config)# sh crypto ca certificates
    Certificate
      Status: Available
      Certificate Serial Number: 6e85f150
      Certificate Usage: General Purpose
      Public Key Type: RSA (1024 bits)
      Signature Algorithm: SHA1 with RSA Encryption
      Issuer Name:
        hostname=ASA9+serialNumber=123456789AB
      Subject Name:
        hostname=ASA9+serialNumber=123456789AB
      Validity Date:
        start date: 15:52:01 UTC Jan 12 2013
        end   date: 15:52:01 UTC Jan 10 2023
      Associated Trustpoints: TP2
    You might want to enable debugs: "debug crypto ca 255".
    Be careful when typing the password - watch out for a trailing space!
    Michal
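
The certificate shown in the output above has the same issuer and subject, which is what makes it self-signed and what triggers the client warning this page is about. The following is an added example, not part of the original post or of any Cisco tooling: it parses that `sh crypto ca certificates` stanza and reports the properties worth checking. The function names and the 2048-bit minimum are assumptions made for illustration.

```python
import re
from datetime import datetime

# Abridged from the "sh crypto ca certificates" output quoted in the post above.
SAMPLE = """\
Certificate
  Certificate Serial Number: 6e85f150
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=ASA9+serialNumber=123456789AB
  Subject Name:
    hostname=ASA9+serialNumber=123456789AB
  Validity Date:
    start date: 15:52:01 UTC Jan 12 2013
    end   date: 15:52:01 UTC Jan 10 2023
"""
DN_SECTIONS = ("issuer name", "subject name")

def parse_cert(text):
    """Flatten one certificate stanza into a dict keyed by lower-cased field name."""
    cert, section, section_indent = {}, None, 0
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or line == "Certificate":
            continue
        key, _, value = line.partition(":")
        key, value = " ".join(key.split()).lower(), value.strip()
        if section in DN_SECTIONS and indent > section_indent:
            cert[section] = line          # the DN line sits indented under its header
        elif value:
            cert[key] = value             # ordinary "Field: value" line
        else:
            section, section_indent = key, indent   # header such as "Issuer Name:"
    return cert

def audit(cert, now, min_rsa_bits=2048):  # 2048 is an assumed policy floor
    findings = []
    if cert.get("issuer name") and cert["issuer name"] == cert.get("subject name"):
        findings.append("self-signed: clients warn unless it is in their trusted root store")
    m = re.search(r"RSA \((\d+) bits\)", cert.get("public key type", ""))
    if m and int(m.group(1)) < min_rsa_bits:
        findings.append(f"weak key: RSA {m.group(1)} bits")
    if re.match(r"(SHA1|MD5)\b", cert.get("signature algorithm", ""), re.I):
        findings.append("deprecated signature hash: " + cert["signature algorithm"])
    end = datetime.strptime(cert["end date"], "%H:%M:%S UTC %b %d %Y")
    if end < now:
        findings.append(f"expired on {end:%Y-%m-%d}")
    return findings
```

Calling `audit(parse_cert(SAMPLE), datetime.now())` returns the list of findings for the certificate in the post.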

  • ACS 5.3 / Self Signed / Certificate base auth

    Hello,
    Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.
    We have exported it to have a Trusted Certificate for client machine.
    This certificate has been installed on a laptop.
    The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)
    I have this error in the log:
    12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain
    I think the Access Policies (identity & authorization) are misconfigured:
    > I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
    > Identity: System:EAPauthentication match EAP-TLS
    id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
    > authorization: System:WasMachineAuthenticated=True
    Thanks for your help,
    regards,

    Hello,
    I found the answer here:
    https://supportforums.cisco.com/message/1298039#1298039
    ACS self-signed certificate is not compatible with EAP-TLS
    Thanks,

  • Does anyone know how to use a self signed certificate with apple mail??

    I've read about it in Mail's help and tried to set it up according to it. I've created a self-signed certificate but have no idea how to set it up so that it would work with Mail and I would be able to send signed messages. Could anyone help me?

    Hello rado:
    Welcome to Apple discussions.
    I am assuming this is what you read:
    http://docs.info.apple.com/article.html?path=Mac/10.5/en/8916.html
    If you follow the instructions when you set up the certificate, you should be fine.
    Incidentally, most "ordinary users" (like me) do not use this function. I am curious as to why you want to jump through hoops in your Mail application.
    Barry

  • Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

    SCCM 2012 has been successfully installed on the server:
    SRVSCCM.
    The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
    Cluster nodes: SQL01 and SQL01. The necessary SCCM security setup was done on all nodes. No errors or warnings in SCCM Monitoring.
    The cluster service is running under the account: sqlclusteruser
    The account has the appropriate SPNs registered:
    setspn -L domain\sqlclusteruser
    Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
    MSSQLSvc/CLS-SQL4
    MSSQLSvc/CLS-SQL4.domain.local
    MSSQLSvc/CLS-SQL4:11434
    MSSQLSvc/CLS-SQL4.domain.local:11434
    After some time, new folders with the following files inside started appearing on the cluster hosts every day:
    srvboot.exe
    srvboot.ini
    srvboot.log
    srvboot.log contains the following information:
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
    Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
    Copyright (C) 2011 Microsoft Corp.
    Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
    Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
    Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
    Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
    Failed to retrieve SQL Server service account.
    Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
    Disconnecting from Site Server.
    SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

    The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
    Without a successful bootstrap the site server backup is not able to run successfully.
    Try granting everyone the read permission on
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
    This worked for me.
    After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
    After the new folder is created and the new service is installed, you can safely remove the bootstrap service by opening a command prompt and entering:
    sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

  • Mail App Not Working with Self-Signed Certificates

    First and foremost, I apologise for starting another thread that is 90% similar to others but I wanted to avoid falling into an existing context.  Like many others, I am having issues with the Mail App in Mavericks but I have an email account other than G-Mail.
    That being said, here is the issue I am having.  Until recently I never had an issue sending and receiving email from various accounts: my Internet provider, an Exchange account, even a G-Mail account.
    Yesterday, my Web hosting provider issued a new (self-signed) certificate as the old one had expired (which was also a self-signed certificate).  While I am able to still receive messages, I am no longer able to send any.
    I have tried numerous possible solutions to no avail.  I have removed and re-added my email account, I have refreshed my SMTP settings, I have removed all semblance of the account from my Key Chain, added the Certificate manually with full trust, and I have even flushed the caches from my ~/Library/ folder.  The last one perked up the Mail App but did not restore my ability to send messages from my Web provider's SMTP server.
    I suspect this is a bug in the Mail App but I'm hoping I can find a few last solutions before I file a bug report.
    In the meantime, I am using another outgoing server from my Internet provider.  It will do but for consistency I'd much rather use the outgoing server that came with the email account in question.
    I am all but convinced it is the Mail App as Thunderbird is able to use the SMTP server just fine and I am still able to send messages using the exact same settings on my iPhone and iPad.
    In case it helps, I am using an Early 2011 MacBook Pro with the latest Mavericks update (which ironically was meant to solve some issues other users had with the Mail App).
    On a related note, I wish I had stayed on Snow Leopard.  I did not have a single issue with that OS.  Now I feel like I am working on Windows Vista again and I am waiting for the Apple version of Windows 7 to set things right.

    MrsCDS wrote:
    I am using an iPhone 6 plus on iOS 8.1 and suddenly my Yahoo email account will not populate to my Mail app. I have deleted and re-added the account and also re-booted the phone with no luck. I get the spinning wheel up by my Wi-Fi signal that suggests it's attempting to do something, but the bottom of the Inbox only says "Updated Yesterday." Has anyone else experienced this or can someone, especially an Apple employee, tell me how to fix this?
    There is no Apple in this user to user technical forum, if you want an Apple employee you would need to take your phone to the Apple store.
    What happens when you switch to using cellular data?  Does your email update?
    FYI - Yahoo email account is notoriously bad, you can try their app.

  • Installing self signed certificate

    I'm trying to install a self signed certificate in iPhone OS 3.1.3 so that I can securely access a web service at home via mobile Safari and an application that uses the same web service. I've tried emailing myself the certificate and installing it but Safari still prompts with its "Accept Website Certificate" warning. The certificate is clearly installed under Settings->General->Profiles.
    I've also tried installing the certificate via iPhone Configuration Utility with the same result. I also followed these steps on my iPad and everything worked flawlessly which points to an OS issue. I was wondering if anyone else has seen this behavior?
    Thanks!

    I have a self-signed cert on my 5.2 DS. I used a version of certutil that ships with DS52. The cert DB files have the following name format under the alias directory, slapd-instancename-cert7.db. For auto startup you'll need to create a slapd-instancename-pin.txt file that contains the string "Internal (Software) Token: yourDBpassword"
    If you have more questions, ask away.
    HTH,
    Roger S.

  • How to access Flash Apps over https with a self signed certificate?

    I have a Flex app that needs to access data from a SOAP web service over https with a self signed certificate. The app needs to ignore the https warnings, just as a browser would warn & allow the user to proceed. Buying a valid signed certificate is not an option for us.
    It works fine over http.
    How can I achieve this?
    I read that URLRequest has a property: authenticate, that I can set to false. However, this property is available only for Adobe AIR applications from what I can see. This doesn't seem available for Flex apps.
    I have tried this in both Flex 3 & the latest Flash Builder 4. Have the same issue in both cases.
    Help appreciated.
    Thanks

    You'd really need to ask in the Flex or Flash Builder forums as this is a front end code modification and Flash Player can't do any of that.

  • Use self signed certificate

    Hi,
    I have got a theoretical question: Is it right to use self-signed certificate in production environment?
    We don't want to use this cert. for authentication but for SSL decryption. Is this a good solution?
    Thanks!
    V.

    Hi Rick,
    Maybe I was not completely clear in my wording :)
    VPN connection is not a mandate. The VPN connection already existed between our organization and the provider service (instead of going over the internet) and hence the security person in our organization was fine with us using self signed certificates.
    I gave you a scenario where the use of self signed certs was authorized. And also one more scenario where using self signed certs in test environments is not allowed.
    Two contrasting thoughts, so basically it is up to the perception of the security people to assess the risk and give a go ahead.
    Personally I feel that if the communication channel is secure between the systems (2 way ssl) then using self signed certs for message encryption might be fine.
    If the channel is not secured (maybe even 1 way SSL), I would prefer using CA certified certs.
    Hope I make more sense now :)
    Thanks,
    Patrick
