Applet signed w/ self-signed cert - different behavior w/ different servers

Similar Messages

• Applet signed w/ self-signed cert - different behaviors w different servers

  Folks,
  I'd really appreciate your help with the following.
  I'd like to deploy an applet as a signed jar. Probably at least in the beginning, and maybe indefinitely, I'd like to sign it with a self-signed cert. When I've tested this under Linux, loading the applet in a browser running on my desktop, from an apache2 webserver also running on the desktop, I get the expected behavior - I get a security dialog reporting that the applet was signed by an unrecognized CA, but allowing me to accept the applet's signature. However, when I try loading the applet from my server (i.e, browser still running on my desktop, but now loading the applet from the real webserver, which is also apache2), I don't get a security dialog, and the applet fails silently.
  Is there some way of configuring the webserver so that the security dialog is presented for a self-signed applet? What explains this difference?
  Thanks much,
  Matthew Fleming
  DermVision, LLC

  Double post answer has been given and ignored:
  http://forum.java.sun.com/thread.jspa?threadID=569012&messageID=2812525#2812525

• RDCMan different behavior for different machines

  I'm using Remote Desktop Connection Manager, which has been very useful since I have to remote into so many different machines.
  I am curious though and this is more of a question than a problem, but I notice different behavior remoting into different systems.
  On some servers, I get this popup when I connect:
  On other servers, I get brought to this screen to enter my password:
  I've checked the group policy settings, registry settings, made sure I didn't have any saved credentials, makes no difference.
  Any idea why?

  RDP Session Setting:
  Console Session Settings:
  Hi,
  As per my research, that is the default behavior and it correlates for 2 different scenario “Console and RDP”. When you are performing “Console” of server then it will provide you the direct screen of server to login. But when you want to take RDP
  then it will ask you as “Windows Security” login prompt.
  Please check my words on your screenshots
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Self Signing and Applets

  I have spent hours reading over the Signed Applets forum and Sun applet security training pages. There seems to be so much confusion in this area that the use and proliferation of Java Applets must be suffering.
  As the usual underfunded developer, I am not able to buy a certificate before proving the concept. Therefore, I am relegated to using self signed applets to demonstrate the use of signed applets and the power they have. This would also be the case for students of Java applets, of which I am also one.
  I have tried the sample applets in the Sun security training. They in fact write the file to my system, but they also display a security error as well.
  The Sun training indicates that I should be using a policy file with the security and that when my applet is run by another user, that user must also manually update their policy file, using keytool, before running the applet. If this is true, I see no use for Java Applets that work outside of the sandbox confines. There must be a better way to use applets that require security.
  I have also read Irene's 10 steps and numerous comments about them. They seem to work fine until I get to step 10. If I am using a self signed applet, why should the user of the applet have to click on a HREF to load the certificate into the keystore? Why shouldn't the user be prompted to trust the self signed certificate, just like a certificate obtained from a CA?
  I have tried to develop a batch file (Windows NT 4.0) to illustrate the signing process, but I have been unsuccessful. I have listed the output from it below followed by the batch file itself. Would someone please indicate what would make this batch file work? If possible, I would like it to work for both IE 5.5 and Netscape 4.06; especially ie 5.5.
  My environment consists of:
  NT 4.0 (SP6)
  IE 5.5 (SP1)
  JRUN 3.1
  JRE 1.3.1_01
  JDK 1.3.1_01
  javac writeFile.java
  keytool -delete -alias writefile
  Enter keystore password: password
  keytool -genkey -alias writefile
  Enter keystore password: password
  What is your first and last name?
  [Unknown]: Robert Klawuhn
  What is the name of your organizational unit?
  [Unknown]: mygroup
  What is the name of your organization?
  [Unknown]: mycompany
  What is the name of your City or Locality?
  [Unknown]: mycity
  What is the name of your State or Province?
  [Unknown]: mystate
  What is the two-letter country code for this unit?
  [Unknown]: US
  Is <CN=Robert Klawuhn, OU=mygroup, O=mycompany, L=mycity, ST=mystate, C=US> correct?
  [no]: yes
  Enter key password for <writefile>
  (RETURN if same as keystore password): password
  keytool -selfcert -alias writefile
  Enter keystore password: password
  keytool -list -alias writefile
  Enter keystore password: password
  writefile, Wed Dec 19 10:41:35 PST 2001, keyEntry,
  Certificate fingerprint (MD5): 90:4D:63:0E:9E:56:CF:7F:93:2B:92:EE:AA:2B:87:E3
  jar cvf writefile.jar writeFile.class
  added manifest
  adding: writeFile.class(in = 1678) (out= 940)(deflated 43%)
  jar tvf writefile.jar
  0 Wed Dec 19 10:41:58 PST 2001 META-INF/
  71 Wed Dec 19 10:41:58 PST 2001 META-INF/MANIFEST.MF
  1678 Wed Dec 19 10:40:46 PST 2001 writeFile.class
  jarsigner writefile.jar writefile
  Enter Passphrase for keystore: password
  jarsigner -verify -verbose -certs writefile.jar
  139 Wed Dec 19 10:42:02 PST 2001 META-INF/MANIFEST.MF
  192 Wed Dec 19 10:42:08 PST 2001 META-INF/WRITEFIL.SF
  1098 Wed Dec 19 10:42:08 PST 2001 META-INF/WRITEFIL.DSA
  0 Wed Dec 19 10:41:58 PST 2001 META-INF/
  smk 1678 Wed Dec 19 10:40:46 PST 2001 writeFile.class
  X.509, CN=Robert Klawuhn, OU=mygroup, O=mycompany, L=mycity, ST=mystate, C=US (writefile)
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
  jar verified.
  1 file(s) copied.
  1 file(s) copied.
  1 file(s) copied.
  An error appears:
  java.security.cert.CertificateException: Unable to verify the certificate with root CA
  @ECHO OFF
  REM Doit.bat
  REM
  REM This batch file leads the user through the creating
  REM and signing of an applet class and how it is accessed
  REM from a browser. The applet creates the file: C:\tmpfoo.
  REM
  REM The JRE 1.3.1 plug-in should be installed. See the
  REM control panel for an icon leading to the plug-in.
  REM
  REM This demo is for JRE 1.3.1_01, NT 4 (SP6), HTMLConverter
  REM 1.3, and IE 5.5.
  REM
  REM Run the HTMLConverter 1.3 against the following HTML
  REM file to generate the converted HTML that will support
  REM both Netscape and IE. Get the converter from Sun.
  REM
  REM <html>
  REM <head>
  REM <title> Java Security Example: Writing Files</title>
  REM </head>
  REM <body>
  REM Hi there. There is a signed applet following...
  REM <hr>
  REM <applet code=writeFile.class archive="/writefile.jar" width=500 height=50>
  REM </applet>
  REM <hr>
  REM </body>
  REM </html>
  REM
  REM The following is the code for the applet.
  REM
  REM import java.awt.*;
  REM import java.io.*;
  REM import java.lang.*;
  REM import java.applet.*;
  REM
  REM public class writeFile extends Applet {
  REM String myFile = "/tmp/foo";
  REM File f = new File(myFile);
  REM DataOutputStream dos;
  REM
  REM public void init() {
  REM
  REM String osname = System.getProperty("os.name");
  REM if (osname.indexOf("Windows") != -1) {
  REM myFile="C:" + File.separator + "tmpfoo";
  REM }
  REM }
  REM
  REM public void paint(Graphics g) {
  REM      try {
  REM      dos = new DataOutputStream(new BufferedOutputStream(new FileOutputStream(myFile),128));
  REM      dos.writeChars("Cats can hypnotize you when you least expect it\n");
  REM      dos.flush();
  REM      g.drawString("Successfully wrote to the file named " + myFile + " -- go take a look at REM it!", 10, 10);
  REM      } catch (SecurityException e) {
  REM      g.drawString("writeFile: caught security exception", 10, 10);
  REM } catch (IOException ioe) {
  REM      g.drawString("writeFile: caught i/o exception", 10, 10);
  REM }
  REM }
  REM }
  REM
  @ECHO javac writeFile.java
  javac writeFile.java
  REM Generate a selfsigned certificate and put it into
  REM the keystore.
  REM
  REM password = password
  REM first and last name = Robert Klawuhn
  REM org unit = COMPASS
  REM org = Applied Materials
  REM city = Santa Clara
  REM state = California
  REM country = US
  REM The -selfcert option may not be necessary the first
  REM time this is run
  @ECHO keytool -delete -alias writefile
  keytool -delete -alias writefile
  @ECHO keytool -genkey -alias writefile
  keytool -genkey -alias writefile
  @ECHO keytool -selfcert -alias writefile
  keytool -selfcert -alias writefile
  REM
  REM Export the key that was just created into a .crt file.
  REM This is then sent to a CA to obtain a 'real' certificate
  REM which is then imported into the keystore. These are
  REM commented because I am trying to use a self-issued key.
  REM
  REM keytool -certreq -alias writefile -file writefile.crt
  REM keytool -import -alias writefile -file writefile.crt
  @ECHO keytool -list -alias writefile
  keytool -list -alias writefile
  REM Jar the applet
  REM
  @ECHO jar cvf writefile.jar writeFile.class
  jar cvf writefile.jar writeFile.class
  REM Verify the jar
  REM
  @ECHO jar tvf writefile.jar
  jar tvf writefile.jar
  REM Sign the jar
  REM
  REM passphrase = password
  @ECHO jarsigner writefile.jar writefile
  jarsigner writefile.jar writefile
  REM Verify the signed jar file
  REM
  @ECHO jarsigner -verify -verbose -certs writefile.jar
  jarsigner -verify -verbose -certs writefile.jar
  REM The next statements assume that the applet will be
  REM obtained from Macromedia's JRun default server.
  REM
  copy writefile.crt %JRUN_HOME%\servers\default\default-app\.
  copy writefile.jar %JRUN_HOME%\servers\default\default-app\.
  copy writefile.html %JRUN_HOME%\servers\default\default-app\.
  "C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE" "http://localhost:8100/writefile.html"

  I believe I finally found my problem. If I use JRun as a web server and put the applet on the default server within JRun, I am only able to run the applet from a different client. It doesn't seem to load right on the same system as JRun.
  This may be due to other software I have running on my JRun server system, but it finally works.
  For those that are still having problems with self-signing applets, here is a batch file, that I am using, that works for me.
  @ECHO OFF
  REM Doit.bat
  REM
  REM This batch file leads the user through the creating
  REM and signing of an applet class and how it is accessed
  REM from a browser. When the Publish button is pressed
  REM     the selected file is copied to C:\TEMP\BOBK_copy.txt.
  REM
  REM The JRE 1.3.1 plug-in will be installed on the client.
  REM See the control panel for an icon leading to the plug-in.
  REM
  REM This demo is for JRE 1.3.1_01, HTMLConverter
  REM 1.3, and IE 5.5.
  REM
  REM Run the HTMLConverter 1.3 against the following HTML
  REM file to generate the converted HTML that will support
  REM both Netscape and IE. Get the converter from Sun.
  REM
  REM <html>
  REM <head>
  REM <title> Java Security Example</title>
  REM </head>
  REM <body>
  REM Hi there. There is a signed applet following...
  REM <hr>
  REM <applet code=FilePrompt.class archive="/fileprompt.jar" width=800 height=500>
  REM </applet>
  REM <hr>
  REM </body>
  REM </html>
  REM
  REM This applet can be executed by starting the default server in JRun and then
  REM then entering the following for the IE URL: http://K011614:8100/FilePrompt.html
  REM This assumes that JRun is installed and running on K011614.
  REM
  REM The first time the applet is executed, the 1.3.1_02 JRE is loaded if allowed.
  REM The main problem here is the JRE is about 5.3MB and takes a while.
  REM
  REM For some reason, running IE and pointing it to the applet on the same system that
  REM JRun is executing, doesn't work. You have to run it from another client that
  REM references the applet.
  REM
  @ECHO keytool -delete -alias fileprompt
  keytool -delete -alias fileprompt
  @ECHO keytool -genkey -alias fileprompt
  keytool -genkey -alias fileprompt
  @ECHO keytool -selfcert -alias fileprompt
  keytool -selfcert -alias fileprompt
  @ECHO keytool -export -alias fileprompt -file fileprompt.crt
  keytool -export -alias fileprompt -file fileprompt.crt
  @ECHO keytool -list -alias fileprompt
  keytool -list -alias fileprompt
  @ECHO jar cvf fileprompt.jar *.class
  jar cvf fileprompt.jar *.class
  @ECHO jar tvf fileprompt.jar
  jar tvf fileprompt.jar
  @ECHO jarsigner fileprompt.jar fileprompt
  jarsigner fileprompt.jar fileprompt
  @ECHO jarsigner -verify -verbose -certs fileprompt.jar
  jarsigner -verify -verbose -certs fileprompt.jar
  copy fileprompt.jar %JRUN_HOME%\servers\default\default-app\.
  copy FilePrompt.html %JRUN_HOME%\servers\default\default-app\.
  REM The following doesn't seem to work when executed on the same
  REM system as the JRun server. Access the applet from another client.
  REM "C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE" "http://localhost:8100/FilePrompt.html"
  pause

• Self Signed Certs Safari and Windows

  My company is using a proxy with self-signed certificates and with each https connection I'm being prompted that the site may not be safe.  How do I permanently accept the self-signed proxy certificate using Safari 5.0.5 (7533.21.1) on Windows 7?

  For me push is the next thing I want to get working, the web is annoying but not pressing. I'm not even prompted that the cert is not able to be authenticated which is what I expected. It cold be though the the particular cert I'm looking at may have a different machine name or something weird that is causing different behavior.

• Anyone having issues with Self-Signed SSL-certs on mail servers?

  Can't get it to allow connecting via SSL to outgoing mail servers with self-signed certificates. Problem did not exist in earlier versions of OSX as far as I know.

  YES. I have a cert from lunarpages, where my accounts are hosted. I'm seeing two issues, and they are different for the different servers at lunarpages:
  1. Multiple logins from different machines --> problem
  2. Multiple accounts accessing same server --> problem
  So, with 1 account on one of lunarpages machines, I can have several machines running Mail with ssl on at the same time and get no problem (that is, once I've saved the certificate and marked it trusted). But as soon as another account (my wife's email on the same domain, for example) tries to access the same server, it gives me an ssl error, a choice to save that cert. and if I do then my account will generate the ssl error. Seems like only one account can have the certificate.
  On another account on a different lunarpages machine, I can't have several machines running Mail at the same time, only the first will get through and the rest will give an SSL error.
  Lunarpages says they can't find a problem, though my last email with them told me to use TLS rather than SSL. Of course, there's no way to specify that in Mail anyway, but I'd thought Mail automatically used TLS anyway, and I'm running the right ports (587 for smtp, 993 for incoming).
  Feels like it's an issue with Mail or the OS's handling of certificates. Any clues on a fix will be most appreciated as this is getting annoying. I've had to turn off SSL on my wife's and daughter's accounts just so that I can use it. And I have to quit Mail so that on the other account I can get my mail on my iPhone. Having to quit Mail on my main work machine is frustrating -- if I forget to do it I can't get mail.

• Self signed applet problem

  Hello java gurus,
  I have a self signed applet which must read and write from mysql DB.
  The sign is OK, the popup "warning security" is here but I still have a SQL Exception :
  java.security.AccessControlException: access denied (java.util.PropertPermission file.encoding read)
  I don't want to change the java policy and I work on plugin 1.4.1_02.
  I think the problem is with the certificate cause it should give permission to applet, but it doesn't.
  Any help will be very pleasant

  From the plug-in control panel, click certificates
  then the Signer CA radio button. These are the
  certifying authorities that the client plug-in will
  accept as valid for signed code. Obviously, if any
  client would just accept self-signed code as trusted,
  it wouldn't provide much security. For a purely
  internal app, you can generate a cert and install it
  on the clients which will accept your own signing as
  trustworthy.I think I can deal with this properly if you just clear up one thing for me: when you say 'install it on the clients' do you mean use the Plug-In Control Panel to load the certificate using the "Certificates" tab? From there click the "Signed Applet" radio button and "Import" and browse for the cert file? Or does creating this HTML file and clicking on a link to the certificate do something else? I think I am generating my self-signed certificate correctly and signing my jar correctly, but my applet is failing to initialize. Any further help on this much-maligned topic? :)
  Thanks,
  B. Rintoul

• Using keytool to generate self signed cert. for Microsft Certificate Mrg.

  Hi All,
  I want to be able to generate a self signed certificate that I can Import into
  Microsoft's Certificate Manager, to enable an HTTPS Listener for
  Microsoft's WinRM and WinRS.
  The certificate would only be for internal use, not used externally.
  Here's the problem. I can create a certificate using this (path obscured):
  "C:\Program Files\.....\jre\bin\keytool" -genkey -al
  ias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c57803
  53" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files
  \......\jre\lib\keystore\.keystore" -storepass changeit
  "C:\Program Files\......\jre\bin\keytool" -export -alias dMob
  X -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -stor
  etype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.
  keystore" -storepass changeit -v
  Microsoft's Certificate Manager will accept it, the .cer, using "Import", into
  Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
  The WS-Management service cannot find the certificate that was requested.
  If I use another tool, like selfssl, I can generate a self signed certificate using:
  selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
  This will populate a certificate in Trusted Root Certification Authorities,
  and when I run the command to create the HTTPS Listener, it succeeds with
  no problem.
  So my question is, am I doing something wrong with keytool, or are there
  extra steps that I need to take, or is it even capable of generating a "self signed
  certificate" that will work in the above case?
  There are some concepts involved, certificate wise, that I'm not sure about.
  Do I need to create a CSR and use a tool like openssl, as a CA, and
  use the resulting certificate?
  I just want to be able to programmatically create the needed certificate using keytool, or
  using an API.
  Thanks,

  Download the latest JDK on http://download.java.net/jdk7/binaries/.
  Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning". If there are multiple ones, separate with comma).

• IOS 4.2.1 Causes "cannot verify server identity" for self-signed SSL Cert.

  We are running Exchange 2007 SP3 with a self assigned certificate. After upgrading to 4.2.1 all users receive the message "Cannot Verify Server Identity" whenever the phone pulls down email/calendar/etc. Pressing "Continue" allows mail to download, however you have to press "continue" multiple times (apparently one for each message).
  You can press "Details" and choose accept, however the problem continues. I have tried doing a hard reset, but this fixes nothing. I am sure it is a bug with 4.2.1 (4.1 worked just fine) specifically with self-signed certificates. If anyone has a fix please let me know. However, I'm sure that I should just be pleading to the Apple gods to quickly release a fix.

  Making it very irritating to log in to exchange owa. I currently have the root, Exchange server and personal certificates installed on the device and it acts like they do not exist. I basicly have to keep punching the cert to use, probably close to 30 times, until the page has loaded. Once the page is loaded the certificate requests stop. Strangely in the console i keep getting:
  Thu Dec 2 09:45:21 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
  Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
  Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
  Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
  Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
  Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
  Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
  Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
  Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  and this all started after the upgrade to 4.2.1
  Makes me wonder if perhaps it is a problem with iPCU.

• IMAP Mail Setup with self-signed SSL certs

  I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
  Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

  If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
  And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

• Getting XP Clients to trust ACS Self sign Cert

  Hi,
  I'm implementing ACS 4.0 to provide PEAP Security on a customers WLAN. I'd like to use the Self signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customers Servers to install CA unless I really have to (deniability!!).
  My question is, how do I get the XP Clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?
  Due to the range of client adapters on the network and the only common factor being that they all run XP SP2, I plan to use the 'wireless zero configuration' option on those clients.
  I presume I have to tick the relevent CA box on the Client trust list, but how do I get the cert to appear in that trust list?
  Regards all,
  Dan

  Thanks for your reply,
  I need to validate the server certificate to strengthen against 'man in the middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.
  There must be a way of adding that CA to the Clients Certificate Trust List?
  This network will be the subject of a Pen test when it's finished and I need to make it as secure as possible.
  I Know EAP-TLS is stronger, but Certificates on all the clients is too cumbersome to manage. (Customers point of view).
  At least using this method (if implemented properly), The customer only has to maintain the Server cert every year.
  Regards,
  Dan

• How to install self-signed ROOT CA certs in safari 4 for windows?

  Hello, I do some web development and I use Safari for windows to test all my works for mac users, since v4 I haven't been able to test my apps because safari ask me for a certificate to use for connecting to the test environment (uses self signed cert chain) while other browsers (opera, firefox, IE) just alert me of an untrusted CA certificate. How do I install the CA certificate or whatever I need to do to test my apps on safari 4 windows? thanks for your support

  For what it's worth, you can install a self signed cert only for pages that you go directly to. So if the self signed page is one that is included in page from another server (like images being served from a separate content server) you can install the cert but it still won't serve that content until.....you go directly to that self signed page. Also, this solution only works for the currently running browser and as soon as you shut down the browser the cert is apparently lost. Annoying as heck especially if you happen to be a shop setup that way and you are testing your site on Safari for Windows. arrrgggg! Dear Apple, please fix so we can test that our sites work with your browser.....help us help you!

• Self signed cert in safari 4 and windows xp

  Hello there,
  in our company wi have an self signed certificate for testing purposes. over an automatic testing cenario will be tested an application with various browsers. safari under windows brings now an problem and does not accept the self signed cert. the running steps terminating at this point. importing in windows cert store is not helpful.
  has any one an solution to make this cert working with safari and windows? or exist an solution to disable the cert check in safari it self.
  thanks
  greetings
  vito21

  Hello Mick,
  sorry to be late, but may help someone other :)
  Setting:
  NumberFormat currencyFormat = NumberFormat.getCurrencyInstance();and:
  String value = currencyFormat.format(valToDisplay);you can now use value in any component and its view is correct.
  For some objects like files you also need to set the right charset (i.e. the one support the symbol you need).
  For the euro symbol try "windows-1250" as charset.
  Bye

• Can't access IBM mainframe 3270 session via SSL self-signed cert.

  Can't access IBM mainframe 3270 session via SSL self-signed cert since sometime last week. Using Mochasoft tn3270 lite on android works fine but iPad ios7 says "IBM mainframe has closed the session".  Any clues would be appreciated.

  I'm thinking the problem may be the IBM cert is 1024 bit. Investigating choices to implement 2048 bit cert into IBM.

• Sign self-signed AIR app with trusted cert

  I have an AIR application that has been signed with a self-signed certificate that was created by the "Create Self-Signed Digital Certificate" wizard in the Export Release Build wizard in Flash Builder 4. This application has had multiple releases with auto-updating that clients have been successfully using but now we want to stop scaring our clients with the big red question mark symbol on the installer when they are first time installers.
  Now I have in  my possession a real trusted certificate that I want to start signing with. This certificate was given to me as a .crt file. I think it is from Verisign ... I didn't purchase it.
  First, how do convert that .crt file into a .p12 file and second how do I sign the existing app upon the next build so that clients can auto-update to the next version signed by this trusted cert without any headaches .. because I have read there can be some nasty issues and warnings.

  Hi,
  If the admin URL is specified with the https protocol, then http tunneling must be enabled for the server from the console -> servers -> AdminServer ->Protocols -> http.
  Moreover we also need to add following java options to the stopWebLogic.cmd or setDomainEnv.cmd:
  set JAVA_OPTIONS=$JAVA_OPTIONS$ -Dweblogic.security.IdentityKeyStore=CustomIdentity -Dweblogic.security.CustomIdentityKeyStoreFileName=identity.jks -Dweblogic.security.CustomIdentityKeyStorePassPhrase=password -Dweblogic.security.Identity.KeyStoreType=JKS -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=trust.jks -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.IgnoreHostNameVerification=true -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Regards,
  Kal