ASA5505 is using wrong identity certificate

I recently updated our ASA firmware from 8.4.(7)3 to 9.0.(4)24 and noticed afterwards that my web-facing interface (for SSL remote access vpn) was suddenly using a self-signed certificate. When I look at the identity certificates using ASDM, the only certificate listed is the one I installed from GoDaddy (and the one that it should be using - see screenshot). Anyone know what I can do to switch back to my GoDaddy cert?

Thanks, I ran that command and that appears to have fixed it. Strange, I don't have that line in any of my previous configs and it always worked fine.

Similar Messages

  • Use wildcard identity certificate for SSLVPN

    I have a wildcard identity certificate *.example.com that I would like to use for SSLVPN connections, but haven't been able to get it installed. Has anyone been able to do this?

    I found the issue. We were attempting to import the PEM version and not the PKCS12 version that contained the private key. I was able to get it to work.

  • Mail uses wrong identity when sending mail but only in a very specific case

    Hey there, we have a very strange thing happening here. There are two accounts in Apple Mail. User 1 is set as the default account, and when user 1 replies to email sent to him it works as it should. When email is sent to user 2 and he replies, it works correctly as well. But when an email comes addressed to both user 1 and user 2 and user 1 replies, it is being sent as user 2, not user 1. Any ideas on what is causing this?
    Thanks for your help

    When both addresses in the To header are setup in Mail, Mail defaults to choose the first address listed in the distribution. You have to manually change that, or have separate User Accounts on this Mac for each user, and in that case each user would only setup his/her account.
    Ernie

  • Using iPCU, how to select an identity certificate

    When using iPCU, the option to select an identity certificate within the VPN configuration payload is greyed out (even though certificates have been defined in the Credentials section). Is there a different underlying requirement to be able to specify which certificate should be used for the VPN connection? (Windows 7 running iPCU version 3.6.2.300).
    Thanks.

    Umer, thanks for your response.
    It seems like other applications are locking the card/reader for a few seconds.
    For listening to card insertion, I am using terminals.waitForChange(); inside a while (true) loop.
    If I execute my code communicating with the card immediately after terminals.waitForChange(); returns, then my code fails (select applet still works but other card communication fails with ResponseAPDU: 2 bytes, SW=6d00).
    But if I add a sleep of 7 seconds or so before communicating with the card, then my code is able to communicate with the card.
        // Polls for card insertion, then talks to the card after a fixed delay.
        static class EventWaitThread extends Thread {
            public void run() {
                while (true) {
                    CardTerminals terminals = factory.terminals();
                    try {
                        for (CardTerminal terminal : terminals.list(CardTerminals.State.CARD_INSERTION)) {
                            Card card = terminal.connect("*");
                            CardChannel channel = card.getBasicChannel();
                            selectApplet(channel);
                            printCardStatus(channel);
                        }
                        // Blocks until a terminal's card state changes.
                        terminals.waitForChange();
                        // Workaround: give other applications time to release the reader.
                        sleep(7000);
                    } catch (CardException e) {
                        e.printStackTrace();
                    } catch (InterruptedException e) {
                        // sleep() can be interrupted; stop the polling loop cleanly.
                        Thread.currentThread().interrupt();
                        return;
                    }
                }
            }
        }

  • How to globally set WiFi to use device management identity certificate for all users?

    I'm using Apple's Profile Management service in Mountain Lion, and discovered through serendipity that an enrolled device can authenticate on EAP-TLS to our WPA2-Enterprise WiFi using the Device Management Identity Certificate instead of an individually-generated-for-user x509 cert. This is extremely convenient, because then we can effectively revoke a device's cert by unenrolling the device.
    However, I haven't been able to figure out how to make WiFi always designate EAP-TLS and select the Device Management Identity Certificate globally (whether through /usr/bin/networksetup or through the Profile Manager).
    Does anybody have any pointers on how to do this? My goal is to have an OS X >= 10.7 machine at a network login prompt capable of logging into the machine, authenticated against the Open Directory server the machine is already bound to. At present a wireless user cannot do this, as the machine's Wifi preferences haven't yet been set to use the aforementioned device management cert.
    Thanks!

    Making customisation from the default profile is generally considered poor practice and quite often doesn't work out as planned. (If you're interested in some more information on this, see here: http://mockbox.net/windows-7/227-customise-windows-7-default-profile.html)
    This article should help you with developing and deploying your customised Firefox 4 installation (without touching the Windows 7 default user profile):
    http://mockbox.net/configmgr-sccm/174-install-and-configure-firefox-silently.html

  • Mail is using wrong certificate file

    I have a signed cert that has been imported into Server Admin. It shows correctly as being signed. There is also a Default certificate as well. So Server Admin shows one self-signed cert named Default, and my signed cert. I have configured Mail to use my signed certificate from the drop-down cert list, which shows both Default and my signed cert; however, when my clients connect they are being handed a self-signed cert with the same name as my signed cert. My thought is it is handing out the cert from before it was updated with the .crt file. How can I correct this?

    Server Admin has a habit of incorrectly writing this information into imapd.conf.
    Edit /etc/imapd.conf and change:
    tlscommonname: Default
    to:
    tlscommonname: your.hostname.com (as used for the certificate)
    Also make sure that:
    tlscertfile:
    tlskeyfile:
    tlscafile:
    point to the correct file.
    HTH,
    Alex

  • Mail uses wrong certificate for encrypting S/MIME messages

    Encrypted email I send using Mail Version 4.2 (1077) under OS X 10.6.2 to my work account cannot be decrypted. It appears that Mail is using the signing certificate, rather than the encryption certificate, to encrypt the email.
    The internal Certificate Authority at my employer has issued two certificates to me: A signing and an encryption certificate. Both certificates are properly stored in my keychain.
    The encryption certificate carries a 0x20 in the key usage field to designate the certificate to be used for encipherment purposes. The signing certificate carries a 0x80 in the key usage field to designate the certificate to be used for digital signatures.
    I understand that the S/MIME standard stipulates that for encrypting messages, the certificate with 0x20 in the key usage field should be used by the mail application.
    However, messages I sent are encrypted using the signing certificate (0x80 in the key usage field) and therefore cannot be decrypted on the receiving end. I examined the encrypted email using an application (http://www.eriugena.org/blog/?p=57) to extract the serial number of the certificate used for encryption.
    We are using Outlook 2003 as our mail application at work.
    Has anybody ever come across this problem? Am I missing something - is there a way to tell Mail what certificate to use for encryption?
    Thanks,
    -Michael.

    I have a problem that sounds related.
    Both my wife and I created self signed mail certificates, and sent email to each other and trusted each others certificates. We were then able to send encrypted emails back and forth and our emails showed up as having trusted digital signatures.
    Then, we both purchased Verisign email certificates, and installed them in our keychains, deleting the old self-signed certificates, and repeated the process of establishing a chain of trust.
    This worked fine for me running Snow Leopard but did not work for her on Leopard. Her emails to me appear to be signed by both the old self-signed certificate and to include the new verisign certificate. Looking at the message source there is only one application/pkcs7-signature block, but in the UI it is showing both certificates.
    I don't understand how the self-signed certificate is showing up at all, since it has been deleted from her keychain.
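    The key usage values quoted in the question (0x20 for encipherment, 0x80 for signatures) are the first content byte of the KeyUsage BIT STRING, and RFC 5280 numbers the bits from the most significant bit downwards, which is why digitalSignature (bit 0) is 0x80 and keyEncipherment (bit 2) is 0x20. The following added example (mine, not code from the thread or from Apple Mail) decodes that BIT STRING and chooses the certificate an S/MIME client should encrypt to; it parses only the extension value, not a whole certificate, and the two sample values are constructed to match the question.

```python
"""Decode an X.509 KeyUsage BIT STRING and pick the certificate to encrypt to.

Added example, not from the original thread.  Only the extension value is
parsed here, not a whole certificate; SIGNING_KU and ENCRYPTION_KU are
constructed samples carrying the 0x80 and 0x20 values from the question.
"""

# RFC 5280 section 4.2.1.3: bit index -> name.  Bit 0 is the MSB of the
# first content byte, so digitalSignature == 0x80 and keyEncipherment == 0x20.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0 -> 0x80
    "nonRepudiation",     # bit 1 -> 0x40
    "keyEncipherment",    # bit 2 -> 0x20
    "dataEncipherment",   # bit 3 -> 0x10
    "keyAgreement",       # bit 4 -> 0x08
    "keyCertSign",        # bit 5 -> 0x04
    "cRLSign",            # bit 6 -> 0x02
    "encipherOnly",       # bit 7 -> 0x01
    "decipherOnly",       # bit 8 -> 0x80 of the second byte
]


def decode_key_usage(der: bytes) -> set:
    """Return the named flags set in a DER BIT STRING (tag 0x03).

    Layout: 0x03, short-form length, unused-bit count, then the bit bytes.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported BIT STRING length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (not bits and unused):
        raise ValueError("bad unused-bit count")
    total_bits = len(bits) * 8 - unused
    flags = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:          # bits beyond the encoded length are absent
            break
        if bits[i // 8] & (0x80 >> (i % 8)):
            flags.add(name)
    return flags


def pick_encryption_cert(candidates):
    """candidates: iterable of (label, key_usage_der).

    Returns the label of the certificate to encrypt to: the first one that
    asserts keyEncipherment.  A certificate asserting only digitalSignature
    is never chosen, which is the selection the question expected.
    """
    for label, ku in candidates:
        if "keyEncipherment" in decode_key_usage(ku):
            return label
    return None


# Constructed sample extension values (not taken from real certificates):
# signing cert: one bit used (7 unused), value 0x80
# encryption cert: three bits used (5 unused), value 0x20
SIGNING_KU = bytes([0x03, 0x02, 0x07, 0x80])
ENCRYPTION_KU = bytes([0x03, 0x02, 0x05, 0x20])

if __name__ == "__main__":
    certs = [("signing", SIGNING_KU), ("encryption", ENCRYPTION_KU)]
    for label, ku in certs:
        print(label, sorted(decode_key_usage(ku)))
    print("encrypt to:", pick_encryption_cert(certs))
```

    With a real certificate the same function is applied to the value of the KeyUsage extension (OID 2.5.29.15) after the certificate has been parsed; the bit ordering is the part that trips people up, and it is the only thing this example decodes.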

  • The enrollment server did not provision a valid identity certificate

    I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .Net and I know that the device can get a valid certificate when I just send the SCEP payload. However when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error, "The enrollment server did not provision a valid identity certificate." This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in this diagram).
    The device doesn't appear to even make an attempt at connecting to my server, and thanks to server side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).
    I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.
    A side note - using a preexisting MDM vendor is not an option here.
    Below is the profile I'm using:
    <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
            <dict>
              <key>PayloadContent</key>
              <array>
                <dict>
                  <key>PayloadContent</key>
                  <dict>
                    <key>Challenge</key>
                    <string>this is a challenge</string>
                    <key>Key Type</key>
                    <string>RSA</string>
                    <key>Key Usage</key>
                    <integer>5</integer>
                    <key>Keysize</key>
                    <integer>1024</integer>
                    <key>Name</key>
                    <string>mycompany</string>
                    <key>Retries</key>
                    <integer>3</integer>
                    <key>RetryDelay</key>
                    <integer>0</integer>
                    <key>Subject</key>
                    <array><array><array>
                      <string>CN</string>
                      <string>mycompany</string>
                    </array></array></array>
                    <key>URL</key>
                    <string>https://mysite.com/scep.aspx</string>
                  </dict>
                  <key>PayloadDescription</key>
                  <string>Configures SCEP</string>
                  <key>PayloadDisplayName</key>
                  <string>SCEP (mycompany)</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.scep1</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.security.scep</string>
                  <key>PayloadUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                </dict>
                <dict>
                  <key>AccessRights</key>
                  <integer>3</integer>
                  <key>CheckInURL</key>
                  <string>mysite.com/checkin.aspx</string>
                  <key>CheckOutWhenRemoved</key>
                  <false/>
                  <key>IdentityCertificateUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadDescription</key>
                  <string>Configures MobileDeviceManagement.</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.mdm2</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.mdm</string>
                  <key>PayloadUUID</key>
                  <string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  <key>ServerURL</key>
                  <string>https://mysite.com/checkin.aspx</string>
                  <key>SignMessage</key>
                  <false/>
                  <key>Topic</key>
                  <string>com.apple.mgmt.mypushsubject</string>
                  <key>UseDevelopmentAPNS</key>
                  <true/>
                </dict>
              </array>
              <key>PayloadDescription</key>
              <string>Profile description.</string>
              <key>PayloadDisplayName</key>
              <string>Test Profile</string>
              <key>PayloadIdentifier</key>
              <string>com.mycompany.mdm</string>
              <key>PayloadOrganization</key>
              <string>mycompany</string>
              <key>PayloadRemovalDisallowed</key>
              <false/>
              <key>PayloadType</key>
              <string>Configuration</string>
              <key>PayloadUUID</key>
              <string>13321058-4037-478c-9b1e-ef6f810065cb</string>
              <key>PayloadVersion</key>
              <integer>1</integer>
            </dict>
          </plist>

    I got in touch with Apple about this.
    Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment.  According to Apple you need two separate certificates (which means two SCEP enrollments) - one for OTA enrollment, and one for MDM enrollment.
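    Before suspecting the profile's signing certificate it is worth checking the profile itself: the MDM payload's IdentityCertificateUUID has to name a SCEP (or PKCS12) payload that exists in the same profile, every URL should be absolute and https, and the 1024-bit RSA key in the posted SCEP payload is below current practice. The following added example (mine, not Apple's tooling or code from the post) lints a profile with the standard-library plistlib; SAMPLE_PROFILE is a constructed, trimmed copy of the profile posted above, and the 2048-bit minimum is an assumption of the check, not an Apple requirement.

```python
"""Lint an iOS configuration profile that combines SCEP and MDM payloads.

Added example, not part of the original post.  SAMPLE_PROFILE is a
constructed, trimmed version of the posted profile; the UUIDs and URLs
are the ones the post uses.
"""
import plistlib

SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadUUID</key><string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://mysite.com/scep.aspx</string>
        <key>Key Type</key><string>RSA</string>
        <key>Keysize</key><integer>1024</integer>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadUUID</key><string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
      <key>IdentityCertificateUUID</key><string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
      <key>CheckInURL</key><string>mysite.com/checkin.aspx</string>
      <key>ServerURL</key><string>https://mysite.com/checkin.aspx</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>13321058-4037-478c-9b1e-ef6f810065cb</string>
</dict>
</plist>
"""

MIN_RSA_BITS = 2048  # assumption made by this check, not an Apple requirement
IDENTITY_PAYLOAD_TYPES = ("com.apple.security.scep", "com.apple.security.pkcs12")


def lint_profile(profile_bytes: bytes) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}

    for p in payloads:
        ptype = p.get("PayloadType")
        if ptype == "com.apple.security.scep":
            scep = p.get("PayloadContent", {})
            url = scep.get("URL", "")
            if not url.startswith("https://"):
                findings.append(f"SCEP URL is not https: {url!r}")
            if scep.get("Key Type") == "RSA" and scep.get("Keysize", 0) < MIN_RSA_BITS:
                findings.append(f"SCEP Keysize {scep.get('Keysize')} is below {MIN_RSA_BITS}")
        elif ptype == "com.apple.mdm":
            # The MDM payload must reference an identity payload in this profile.
            ident = p.get("IdentityCertificateUUID")
            target = by_uuid.get(ident)
            if target is None:
                findings.append(f"MDM IdentityCertificateUUID {ident!r} matches no payload")
            elif target.get("PayloadType") not in IDENTITY_PAYLOAD_TYPES:
                findings.append(f"MDM IdentityCertificateUUID points at a {target.get('PayloadType')} payload")
            for key in ("CheckInURL", "ServerURL"):
                url = p.get(key, "")
                if not url.startswith("https://"):
                    findings.append(f"MDM {key} is not an absolute https URL: {url!r}")
    return findings


if __name__ == "__main__":
    for line in lint_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(line)
```

    Run against the posted profile the checker reports the 1024-bit key and the CheckInURL that lacks a scheme; the UUID cross-reference itself is consistent in the post, so that check passes.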

  • Java.io.IOException: Invalid identity certificate signature

    Hi,
    My WebLogic 11g is running on a Windows Server 2008 64 bit server. I have obtained a certificate with private key for this Windows server. Now I would like to use this certificate and private key for my WebLogic server.
    What I have done:
    1. Exported server certificate using mmc.exe to my_domain.pfx
    2. Extracted my certificates and key with OpenSSL:
    openssl pkcs12 -in my_domain.pfx -out tempcertfile.crt -nodes
    3. Cut and pasted the section
    -----BEGIN RSA PRIVATE KEY-----
    (Block of Encrypted Text)
    -----END RSA PRIVATE KEY-----
    of the generated tempcertfile.crt to file my_domain.key
    4. Copied the second set of -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- from tempcertfile.crt to file TrustedRoot.crt
    5. Used keytool to create a new trust certificate keystore:
    keytool -import -trustcacerts -file TrustedRoot.crt -alias server -keystore new_trust_keystore.jks -storepass NEWPASSWORD
    where NEWPASSWORD is the new password of the keystore
    6. Used utils.ImportPrivateKey to create a new identity certificate keystore:
    java utils.ImportPrivateKey -keystore new_identity_keystore.jks -storepass NEWPASSWORD -storetype JKS -keypass NEWPASSWORD -alias server -certfile tempcertfile.crt
    -keyfile my_domain.key -keyfilepass PFXPASSWORD
    7. Configured WebLogic to use the new trust and identity certificate keystores
    When I try to start the WebLogic server it shuts down again with the following log:
    ####<22-03-2012 07:10:42 CET> <Critical> <WebLogicServer> <HID-1041559> <AdminServer> <main> <<WLS Kernel>> <> <> <1332396642889> <BEA-000362> <Server failed. Reason:
    There are 1 nested errors:
    java.io.IOException: Invalid identity certificate signature: [***]
    at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:64)
         at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:296)
         at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76)
         at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused by: weblogic.management.configuration.ConfigurationException: Invalid identity certificate signature: [***]
    Does anybody know what I'm doing wrong?
    Thanks in advance, Steffen

    The solution is that the certificates in tempcertfile.crt must be in the correct order. The order must be:
    Identity certificate
    Intermediate certificate
    Root certificate
    The identity certificate can be located easily in tempcertfile.crt since there must be a header that shows the identity information, such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the tempcertfile.crt.
    After I changed the order of the certificates it worked fine.
    Regards Steffen
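    Reordering the bundle by hand works for three certificates, but the rule is mechanical: start from the certificate that issued nothing else in the bundle (the identity certificate), then append whichever certificate's subject equals the previous one's issuer until a self-signed root is reached. The following added example (mine, not WebLogic's utils or code from the thread) does that for a bundle such as the tempcertfile.crt that `openssl pkcs12 -nodes` produced: Bag Attributes lines and the private key are ignored, only CERTIFICATE blocks are used, and issuer and subject are read straight from the DER with a minimal TLV walker so no third-party library is needed. make_fake_cert() builds constructed, unsigned certificate skeletons with the real TBSCertificate layout purely so the ordering can be exercised offline.

```python
"""Put the certificates in a PEM bundle into leaf -> intermediate -> root order.

Added example, not part of the original thread or of WebLogic.  Raw DER
Names are compared byte for byte; make_fake_cert() produces constructed,
unsigned skeletons for testing only.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """All CERTIFICATE blocks in a bundle, in the order they appear."""
    return [m.group(0) for m in PEM_RE.finditer(text)]


def pem_to_der(block):
    return base64.b64decode("".join(PEM_RE.match(block).group(1).split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def _tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(cert_der):
    """Raw DER of the issuer and subject Names of a certificate."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def order_chain(pem_blocks):
    """Return the blocks ordered leaf, its issuer, that issuer's issuer, ..."""
    certs = [(b, *issuer_and_subject(pem_to_der(b))) for b in pem_blocks]
    if len(certs) == 1:
        return [certs[0][0]]
    issuers = {iss for _, iss, _ in certs}
    leaves = [c for c in certs if c[2] not in issuers]   # issued nothing else
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain = [leaves[0]]
    while chain[-1][1] != chain[-1][2]:     # stop at a self-signed root
        parents = [c for c in certs if c[2] == chain[-1][1]]
        if not parents:
            raise ValueError("issuer of a certificate is missing from the bundle")
        chain.append(parents[0])
    return [c[0] for c in chain]


def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_fake_cert(subject, issuer):
    """Constructed, unsigned certificate skeleton (for exercising the parser only)."""
    def name(cn):   # Name ::= SEQ { SET { SEQ { OID commonName, UTF8String } } }
        return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + name(issuer) + _enc(0x30, b"") + name(subject) + _enc(0x30, b""))
    return der_to_pem(_enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00")))


if __name__ == "__main__":
    import sys
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else "\n".join([
        make_fake_cert("Root CA", "Root CA"),
        make_fake_cert("my_domain", "Intermediate CA"),
        make_fake_cert("Intermediate CA", "Root CA")])
    print("\n".join(order_chain(split_pem(bundle))))
```

    Usage: `python order_chain.py tempcertfile.crt > ordered.crt`, then pass ordered.crt as the -certfile argument. The script raises rather than guessing when an issuer is absent from the bundle, since a chain with a missing intermediate would fail in WebLogic just as an out-of-order one does.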

  • Windows 8.1 Device Identity Certificate

    I am implementing Windows 8.1 MDM and seems to be stuck on Certificate Enrollment web service step.
    I am sending the below response and Windows client seems to be proceeding further by sending DM Initialization and responding to SyncML requests from the server. 
    I also can see the certificate using certmgr under Certificate->Personal->Certificates, where the certificate is marked as "Valid" and notes that the device has a private key that corresponds to the certificate.
    The CA is a self-signed CA and CA certificate is placed under Root/System in wap-provisioning response (see it below)
    However, I expected to see the client identity certificate be part of all SyncML requests coming from the client.
    Should the client send the identity certificate with SyncML messages? If yes, what could be wrong in the way I set the certificate?
    If no, what the right way to get device certificate?
    <wap-provisioningdoc version="1.1">
    <!-- This contains information about issued and trusted certificates. -->
    <characteristic type="CertificateStore">
    <!-- This contains trust certificates. -->
    <characteristic type="Root">
    <characteristic type="System">
    <!--The thumbprint of the certificate to be added to the trusted root store -->
    <characteristic type="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2">
    <!-- Base64 encoding of the trust root certificate -->
    <parm name="EncodedCertificate" value="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" />
    </characteristic>
    </characteristic>
    </characteristic>
    <!-- This contains intermediate certificates. -->
    <!-- NOTE: WE DO NOT USE INTERMEDIATE CERTIFICATE
    <characteristic type="CA">
    <characteristic type="System">
    <characteristic type="{thumbprint}">
    <parm name="EncodedCertificate" value="{encoded intermediate cert inserted here}" />
    </characteristic>
    </characteristic>
    </characteristic>
    -->
    <characteristic type="My" >
    <characteristic type="User">
    <!-- Client certificate thumbprint. -->
    <characteristic type="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E">
    <!-- Base64 encoding of the client certificate -->
    <parm name="EncodedCertificate" value="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" />
    <characteristic type="PrivateKeyContainer">
    <parm name="KeySpec" value="2"/>
    <parm name="ContainerName" value="ConfigMgrEnrollment"/>
    <parm name="ProviderType" value="1"/>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <!-- Contains information about the management service and configuration
    for the management agent -->
    <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <!-- Management Service Name. -->
    <parm name="PROVIDER-ID" value="TestMDM"/>
    <parm name="NAME" value="TestMDM"/>
    <!-- Link to an application that the management service may provide
    eg a Windows Store application link.
    The Enrollment Client may show this link in its UX.-->
    <!--
    <parm name="SSPHyperlink" value="http://go.microsoft.com/fwlink/?LinkId=255310" />
    -->
    <parm name="SSPHyperlink" value="https://192.168.1.121:8080" />
    <!-- Management Service URL. -->
    <parm name="ADDR" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    <parm name="ServerList" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    <parm name="ROLE" value="4294967295"/>
    <!-- Discriminator to set whether the client should do Certificate Revocation List
    checking. -->
    <parm name="CRLCheck" value="0"/>
    <parm name="CONNRETRYFREQ" value="6" />
    <parm name="INITIALBACKOFFTIME" value="30000" />
    <parm name="MAXBACKOFFTIME" value="120000" />
    <parm name="BACKCOMPATRETRYDISABLED" />
    <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
    <!-- Search criteria for client to find the client certificate using subject name of the
    certificate -->
    <!-- <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d%s&amp;Stores=My%5CUser" /> -->
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d864e6994-872e-438c-abc7-dbc67ffe2576&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser" />
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    <parm name="AAUTHDATA" value="bm9uY2UK"/>
    <!-- <parm name="AAUTHDATA" value="nonce"/> -->
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <!-- <parm name="AAUTHNAME" value="dummy"/> -->
    <parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <parm name="AAUTHDATA" value="nonce"/>
    </characteristic>
    </characteristic>
    <!-- Extra Information to seed the management agent's behavior . -->
    <characteristic type="Registry">
    <characteristic type="HKLM\Security\MachineEnrollment">
    <parm name="RenewalPeriod" value="90" datatype="integer" />
    </characteristic>
    <characteristic type="HKLM\Security\MachineEnrollment\OmaDmRetry">
    <!-- Number of retries if client fails to connect to the management service. -->
    <parm name="NumRetries" value="8" datatype="integer" />
    <!--Interval in minutes between retries. -->
    <parm name="RetryInterval" value="15" datatype="integer" />
    <parm name="AuxNumRetries" value="5" datatype="integer" />
    <parm name="AuxRetryInterval" value="3" datatype="integer" />
    <parm name="Aux2NumRetries" value="0" datatype="integer" />
    <parm name="Aux2RetryInterval" value="480" datatype="integer" />
    </characteristic>
    </characteristic>
    <!-- Extra Information about where to find device identity information. This is redundant
    in that it is duplicative to what is here, but it is required in the current version of the
    protocol. -->
    <characteristic type="Registry">
    <characteristic type="HKLM\Software\Windows\CurrentVersion\MDM\MachineEnrollment">
    <parm name="DeviceName" value="" datatype="string" />
    </characteristic>
    </characteristic>
    <characteristic type="Registry">
    <characteristic type="HKLM\SOFTWARE\Windows\CurrentVersion\MDM\MachineEnrollment">
    <!--Thumbprint of root certificate. -->
    <parm name="SslServerRootCertHash" value="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2" datatype="string" />
    <!-- Store for device certificate. -->
    <parm name="SslClientCertStore" value="My%5CSystem" datatype="string" />
    <!-- Common name of issued certificate. -->
    <parm name="SslClientCertSubjectName" value="CN=864e6994-872e-438c-abc7-dbc67ffe2576" datatype="string" />
    <!--Thumbprint of issued certificate. -->
    <parm name="SslClientCertHash" value="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    </characteristic>
    <nocharacteristic type="HKLM\Security\Provisioning\OMADM\Accounts" />
    <characteristic type="HKLM\Security\Provisioning\OMADM\Accounts\037B1F0D3842015588E753CDE76EC724">
    <parm name="SslClientCertReference" value="My;System;4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    </characteristic>
    </characteristic>
    </wap-provisioningdoc>

    Eric,
    I do have APPAUTH portion in the  wap-provisioningdoc
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    <parm name="AAUTHDATA" value="bm9uY2UK"/>
    <!-- <parm name="AAUTHDATA" value="nonce"/> -->
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <!-- <parm name="AAUTHNAME" value="dummy"/> -->
    <parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <parm name="AAUTHDATA" value="nonce"/>
    </characteristic>
    My Windows 8.1 (tablet, not a phone) does not send SyncML DM Auth Request. I.e. it sends session initialization, then I send a <get> command to which client responds appropriately. But no <Cred> is sent.
    I also do not see any connection attempts to the server name (https://192.168.1.121:8080/test)
    Oleg
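    The enrollment response names the client certificate in several places: the CertificateStore characteristic that installs it, the SslClientCertStore/SslClientCertHash/SslClientCertSubjectName registry parms, the SslClientCertReference under the OMADM account, and the SSLCLIENTCERTSEARCHCRITERIA the agent uses to look it up. They have to agree on store, thumbprint and subject. The following added example (mine, not Microsoft's protocol tooling or code from the post) parses the document and reports disagreements; on the posted document it flags that the certificate is written to My\User while the registry parms point the agent at My\System. SAMPLE_DOC is a constructed, trimmed version of the posted document, with the same thumbprints, subject and search criteria and placeholder certificate data.

```python
"""Cross-check the client-certificate references in a Windows MDM wap-provisioning doc.

Added example, not part of the original post.  SAMPLE_DOC is a constructed,
trimmed version of the posted document (certificate bodies replaced by a
placeholder).
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SAMPLE_DOC = r"""<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
  <characteristic type="Root"><characteristic type="System">
    <characteristic type="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2">
      <parm name="EncodedCertificate" value="AAAA"/>
    </characteristic>
  </characteristic></characteristic>
  <characteristic type="My"><characteristic type="User">
    <characteristic type="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E">
      <parm name="EncodedCertificate" value="AAAA"/>
      <characteristic type="PrivateKeyContainer">
        <parm name="KeySpec" value="2"/>
      </characteristic>
    </characteristic>
  </characteristic></characteristic>
</characteristic>
<characteristic type="APPLICATION">
  <parm name="APPID" value="w7"/>
  <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d864e6994-872e-438c-abc7-dbc67ffe2576&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser"/>
</characteristic>
<characteristic type="Registry">
  <characteristic type="HKLM\SOFTWARE\Windows\CurrentVersion\MDM\MachineEnrollment">
    <parm name="SslClientCertStore" value="My%5CSystem" datatype="string"/>
    <parm name="SslClientCertSubjectName" value="CN=864e6994-872e-438c-abc7-dbc67ffe2576" datatype="string"/>
    <parm name="SslClientCertHash" value="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string"/>
  </characteristic>
  <characteristic type="HKLM\Security\Provisioning\OMADM\Accounts\037B1F0D3842015588E753CDE76EC724">
    <parm name="SslClientCertReference" value="My;System;4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string"/>
  </characteristic>
</characteristic>
</wap-provisioningdoc>
"""


def installed_client_certs(root):
    """(store, thumbprint) pairs for certificates installed under CertificateStore/My."""
    found = []
    my = root.find("characteristic[@type='CertificateStore']/characteristic[@type='My']")
    for store in (my if my is not None else []):
        for cert in store.findall("characteristic"):
            if cert.find("parm[@name='EncodedCertificate']") is not None:
                found.append((f"MY\\{store.get('type')}".upper(), cert.get("type").upper()))
    return found


def parms(root):
    """name -> value for every parm in the document (the names used here are unique)."""
    return {p.get("name"): p.get("value") for p in root.iter("parm")}


def parse_search_criteria(value):
    """Decode SSLCLIENTCERTSEARCHCRITERIA into {'Subject': ..., 'Stores': [...]}.

    The value is URL-encoded; multiple stores are separated by U+F000 (%EF%80%80).
    """
    out = {}
    for part in unquote(value).split("&"):
        key, _, val = part.partition("=")
        out[key] = val
    out["Stores"] = [s.upper() for s in out.get("Stores", "").split("\uf000") if s]
    return out


def check(doc_xml):
    """Return a list of disagreements between the certificate references."""
    root = ET.fromstring(doc_xml)
    p = parms(root)
    problems = []
    installed = installed_client_certs(root)
    cfg_store = unquote(p.get("SslClientCertStore", "")).upper()
    cfg_hash = p.get("SslClientCertHash", "").upper()
    if (cfg_store, cfg_hash) not in installed:
        problems.append(f"SslClientCertStore/Hash {cfg_store} {cfg_hash} not installed; installed: {installed}")
    ref = p.get("SslClientCertReference", "").split(";")
    if len(ref) != 3 or ("\\".join(ref[:2]).upper(), ref[2].upper()) != (cfg_store, cfg_hash):
        problems.append(f"SslClientCertReference {p.get('SslClientCertReference')!r} disagrees with registry parms")
    crit = parse_search_criteria(p.get("SSLCLIENTCERTSEARCHCRITERIA", ""))
    if crit.get("Subject", "").upper() != p.get("SslClientCertSubjectName", "").upper():
        problems.append(f"search Subject {crit.get('Subject')!r} != SslClientCertSubjectName")
    if cfg_store not in crit["Stores"]:
        problems.append(f"search Stores {crit['Stores']} do not include {cfg_store}")
    return problems


if __name__ == "__main__":
    for line in check(SAMPLE_DOC) or ["no disagreements"]:
        print(line)
```

    The checker only reports inconsistencies within the document; whether a given inconsistency is what stops the agent from presenting the certificate is something to confirm on the client, for instance by looking at which store certmgr shows the certificate in after enrollment.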

  • What Certificate store is used for machine certificates

    I have a requirement to have windows 7/8 users connect to the company network using VPN & IKEv2.
    I have a RH Linux 7 firewall/authentication server that the windows clients will connect to via a vpn.
    I have generated a self-signed Certificate Authority, and a client certificate. (using NSS & certutil)
    I have configured a VPN/IKEv2 connection on my windows 7 client system.
    I have selected "use machine certificates" on the security tab.
    However when I attempt to connect to the Linux 7 server. Windows returns a 13806 error. The windows process
    for locating the certificate cannot find the certificate. (I used mmc to install both the CA certificate & the client certificate)
    So I'm wondering, since I specified the use of machine certificates, perhaps I've installed the certificates in the wrong "store".
    Is there a special "store" for machine certificates?   

    Hi MeipoXu, many thanks for working with me on this issue.
    Through some trial and error testing I determined the Local Computer store "combo" that DOES NOT generate
    a 13806 error (cert not found) is to import the client cert to the "Personal" store under "Local Computer"
    and import the CA into the Trusted Root Certificates store, also under "Local Computer".
    However, I still get the 13819 error Invalid Certificate Type when I attempt to make a connection over VPN.
    Here are the trace entries:
     Frame: Number = 4, Captured Frame Length = 234, MediaType = NetEvent
    + NetEvent:
    - MicrosoftWindowsWFP: IPsec: Receive ISAKMP Packet
      - WfpUnifiedTracing_IKE_PACKET_RECV IKE_PACKET_RECV: IPsec: Receive ISAKMP Packet
         AsciiString ICookie: 76991f2483ab8271
         AsciiString RCookie: be81c4728325eb7f
         AsciiString ExchangeType: IKEv2 SA Init Mode
         UINT32 Length: 284 (0x11C)
         AsciiString NextPayload: SA
         UINT8 Flags: 32 (0x20)
         UINT32 MessageID: 0 (0x0)
         UnicodeString LocalAddress: 192.168.10.4
         UINT32 LocalPort: 500 (0x1F4)
         UINT32 LocalProtocol: 0 (0x0)
         UnicodeString RemoteAddress: 69.54.99.132
         UINT32 RemotePort: 500 (0x1F4)
         UINT32 RemoteProtocol: 0 (0x0)
         UINT64 InterfaceLuid: 1688849960927232 (0x6000006000000)
         UINT32 ProfileId: 2 (0x2)
      Frame: Number = 5, Captured Frame Length = 121, MediaType = NetEvent
    + NetEvent:
    - MicrosoftWindowsWFP: User Mode Error
      - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
         AsciiString Function: IkeFindLocalCertChainHelper
       - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_NO_CERT
          UINT32 WinErrorValue: 0x000035EE - ERROR_IPSEC_IKE_NO_CERT - The IKE failed to find a valid machine certificate. Contact your network security administrator about installing a valid certificate in the appropriate certificate store.
      Frame: Number = 6, Captured Frame Length = 121, MediaType = NetEvent
    + NetEvent:
    - MicrosoftWindowsWFP: User Mode Error
      - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
         AsciiString Function: IkeFindLocalCertChainHelper
       - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_NO_CERT
          UINT32 WinErrorValue: 0x000035EE - ERROR_IPSEC_IKE_NO_CERT - The IKE failed to find a valid machine certificate. Contact your network security administrator about installing a valid certificate in the appropriate certificate store.
      Frame: Number = 7, Captured Frame Length = 117, MediaType = NetEvent
    + NetEvent:
    - MicrosoftWindowsWFP: User Mode Error
      - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
         AsciiString Function: IkeEncodeCertChainIkeV2
       - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
          UINT32 WinErrorValue: 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
      Frame: Number = 8, Captured Frame Length = 117, MediaType = NetEvent
    + NetEvent:
    - MicrosoftWindowsWFP: User Mode Error
      - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
         AsciiString Function: IkeEncodeCertChainIkeV2
       - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
        - HRESULT ErrorValue: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
         -  LEHResult:
            UINT32 Code:      (................0011010111111011) 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
            UINT32 Facility:  (.....00000000111................) WIN32
            UINT32 X:         (....0...........................) Reserved
            UINT32 N:         (...0............................) Not NTSTATUS
            UINT32 C:         (..0.............................) Microsoft-defined
            UINT32 R:         (.0..............................) Reserved
            UINT32 S:         (1...............................) Failure
    NOTE: Frames 9 thru 13 are the exact same error message as Frame 8 (the first) and Frame 14 (the last). Then I close the connection
    and stop the trace.
      Frame: Number = 14, Captured Frame Length = 123, MediaType = NetEvent
    + NetEvent:
    - MicrosoftWindowsWFP: User Mode Error
      - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
         AsciiString Function: IkeConstructAndSendMMResponse
       - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
        - HRESULT ErrorValue: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
         -  LEHResult:
            UINT32 Code:      (................0011010111111011) 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
            UINT32 Facility:  (.....00000000111................) WIN32
            UINT32 X:         (....0...........................) Reserved
            UINT32 N:         (...0............................) Not NTSTATUS
            UINT32 C:         (..0.............................) Microsoft-defined
            UINT32 R:         (.0..............................) Reserved
            UINT32 S:         (1...............................) Failure
    So after a response is received from the Server (to complete the SA Initiation),
    Windows then "looks" for a cert to send to the server.
    It appears initially it can't find one, because 13806 errors are reported (Frames 5 & 6).
    However, the session does not issue a 13806.
    It goes on to Frame 7: note the function IkeEncodeCertChainIkeV2 detects the invalid cert type.
    Frames 8 thru 14 are just a repeat of the same error.
    Could this be a flaw in the Windows VPN logic?
    Guy

  • WS-Security:  Fail to configure Keystore and Identity Certificates

    Hi,
    This is my first question here!
    I want to set up a secure web service. Following the guide "Web Services Security Guide", I set up the keystore and identity certificates with a keystore that contains two certificates I created, and I set the keys to be used for signature and encryption. I did not define any method for authentication.
    I deployed the application to the server (oc4j_extended_101350) and up to this point apparently everything went well.
    I created a web service proxy to test the web service with JDeveloper, but when I call the web service method the server responds with the error:
    java.rmi.ServerException:
    start fault message:
    Internal Server Error
    : End fault message
    at oracle.j2ee.ws.client.StreamingSender._raiseFault (StreamingSender.java: 571)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl (StreamingSender.java: 401)
    at oracle.j2ee.ws.client.StreamingSender._send (StreamingSender.java: 114)
    at clientmessageoc4jstda.proxy.runtime.MyWebService1SoapHttp_Stub.getHelloWorld (MyWebService1SoapHttp_Stub.java: 77)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.getHelloWorld (MyWebService1SoapHttpPortClient.java: 42)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.main (MyWebService1SoapHttpPortClient.java: 30)
    On the server the following error occurs:
    ERROR OWS-04005 error has occurred on port: () http://messagelevelsecurity/ MyWebService1SoapHttpPort: oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: java.lang.NullPointerException.
    The client and server are not in the same directory.
    The class exposed by the web service is a simple Hello World.
    public class HelloWorld {
        public HelloWorld() {
        }
        public String getHelloWorld() {
            return "Hello World";
        }
    }
    Thanks in advance
    I apologize for my English

    I had to add: " outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");" to the client code and it started working!

  • Non-Deterministic Exception When Connecting With Wrong Client Certificate

    I am working on an internal application and need to determine the correct client-side SSL certificate to use when connecting to a server (the user can supply multiple client-side certificates). I had expected that if I connected to a server using the wrong client certificate the Java client would throw an SSLHandshakeException and I could then try the next certificate. This seems to work some of the time, however the Java client will sometimes throw a “SocketException: Software caused connection abort: recv failed”, in which case it is not possible to know that the wrong certificate caused the problem.
    Below is the code I have been using to test as well as the intermittent SocketException stack trace. Does anyone have an idea as to how to fix this problem? Thanks in advance.
    Note: the TrustAllX509TrustManager is a trust manager that trusts all servers.
    import java.io.BufferedInputStream;
    import java.io.BufferedOutputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.InetAddress;
    import java.net.InetSocketAddress;
    import java.net.Socket;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import javax.net.SocketFactory;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;

    protected void connectSsl() throws Exception {
        final String host = "x.x.x.x";
        final int portNumber = 443;
        final int socketTimeout = 10 * 1000;
        // Note: Wrong certificate (expect SSLHandshakeException).
        final String certFilename = "C:\\xxx\\clientSSL.P12";
        final String certPassword = "certPassword";
        // Load the client identity (certificate + private key) from the PKCS12 file.
        final BufferedInputStream bis = new BufferedInputStream(new FileInputStream(new File(certFilename)));
        final char[] certificatePasswordArray = certPassword.toCharArray();
        final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
        final KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(bis, certificatePasswordArray);
        bis.close();
        keyManagerFactory.init(keyStore, certificatePasswordArray);
        final KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
        final SSLContext context = SSLContext.getInstance("SSL");
        // Test-only trust manager (see note above): the server is not authenticated.
        context.init(keyManagers, new TrustManager[]{new TrustAllX509TrustManager()}, new SecureRandom());
        final SocketFactory secureFactory = context.getSocketFactory();
        final Socket socket = secureFactory.createSocket();
        final InetAddress ip = InetAddress.getByName(host);
        socket.connect(new InetSocketAddress(ip, portNumber), socketTimeout);
        socket.setSoTimeout(socketTimeout);
        // Write the request. The TLS handshake runs lazily on the first flush.
        final OutputStream out = new BufferedOutputStream(socket.getOutputStream());
        out.write("GET / HTTP/1.1\r\n".getBytes());
        out.write("\r\n".getBytes());
        out.flush();
        // Read the response until the server closes the connection.
        final InputStream inputStream = socket.getInputStream();
        final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        final byte[] byteArray = new byte[1024];
        int bytesRead;
        while ((bytesRead = inputStream.read(byteArray)) != -1) {
            outputStream.write(byteArray, 0, bytesRead);
        }
        socket.close();
        System.out.println("Response:\r\n" + outputStream.toString("UTF-8"));
    }
    Unexpected SocketException:
    main: java.net.SocketException: Software caused connection abort: recv failed
         at java.net.SocketInputStream.socketRead0(Native Method)
         at java.net.SocketInputStream.read(SocketInputStream.java:129)
         at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
         at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
         at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
         at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)

    Thanks for the quick response. Here are answers to the questions:
    1) No, this issue is not associated with one particular certificate. I have tried several certificates and see the same issue.
    2) I agree it would be simpler to only send the required certificate, but unfortunately the project requires that the user be able to specify multiple certificates and, if a client-side certificate is required, the application try each one in turn until the correct certificate is found.
    3) Yes, I realize the TrustAllX509TrustManager is insecure, but I am using this for testing purposes while trying to diagnose the client certificate problem.
    In terms of testing, I am just wrapping the above code in a try/catch block and executing it in a loop. It is quite odd that the same exact code will sometimes generate an SSLHandshakeException and other times a SocketException.
    One additional piece of information: if I force the client code to use "SSLv3" using the Socket.setEnabledProtocols(...) method, the problem goes away (I consistently get an SSLHandshakeException). However, I don't think this solves my problem as forcing the application to use SSLv3 would mean it could not handle TLS connections.
    The code to specify the SSLv3 protocol is:
    SSLSocket sslSocket = (SSLSocket) socket;
    sslSocket.setEnabledProtocols(new String[] {"SSLv3"});
    One other strange issue: if instead of specifying the SSLv3 protocol using setEnabledProtocols(...) I instead specify the protocol when creating the SSLContext, the SocketException problem comes back. So if I replace:
    final SSLContext context = SSLContext.getInstance("SSL");
    with:
    final SSLContext context = SSLContext.getInstance("SSLv3");
    and remove the "sslSocket.setEnabledProtocols(new String[] {"SSLv3"})" line, I see the intermittent SocketException problem.
    All very weird. Any thoughts?
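    An added example, not code from the thread above: a selector that tries each candidate PKCS12 identity in turn and forces the handshake with startHandshake() before any application data is written, so that both an SSLHandshakeException and a dropped connection reported as a SocketException are attributed to the identity under test rather than to the HTTP request. It uses the JDK default trust store instead of the thread's accept-all trust manager; the class, method names and file paths are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
/** Hypothetical helper: tries each candidate PKCS12 client identity until the server accepts one. */
public final class ClientCertSelector {
    /** Returns the path of the first PKCS12 file whose certificate the server accepts, or null. */
    public static String selectAcceptedIdentity(String host, int port, List<String> pkcs12Paths,
                                                char[] password, int timeoutMillis) throws Exception {
        for (String path : pkcs12Paths) {
            // Keystore or password errors are local problems and propagate; they are not a rejected cert.
            SSLSocketFactory factory = factoryFor(path, password);
            try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
                socket.connect(new InetSocketAddress(host, port), timeoutMillis);
                socket.setSoTimeout(timeoutMillis);
                // Run the handshake explicitly instead of letting the first write() trigger it,
                // so that anything failing from here belongs to this identity, not to the request.
                socket.startHandshake();
                return path;
            } catch (SSLHandshakeException e) {
                // The server answered with a TLS alert (for example bad_certificate or unknown_ca).
                System.err.println(path + ": rejected during handshake: " + e.getMessage());
            } catch (IOException e) {
                // Servers that drop the connection instead of alerting surface as a SocketException; no application data was sent yet, so this too counts as a refusal.
                System.err.println(path + ": connection closed during handshake: " + e.getMessage());
            }
        }
        return null;
    }
    private static SSLSocketFactory factoryFor(String pkcs12Path, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(pkcs12Path))) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null); // null = JDK default trust store, not accept-all
        return context.getSocketFactory();
    }
}
```

    A non-null result is the identity to reconnect with for the real request; a null result after all candidates means the server accepted none of them.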

  • BEA-090156 Invalid identity certificate signature:

    I have a pfx format certificate and private key for my weblogic 9.2 server. I followed all necessary steps of importing the private key and certificates into the correct keystores. But I got a "Invalid identity certificate signature" error when my weblogic server starts. I am able to import this pfx file into my Internet Explorer 6 and view its details. So how would I go about resolving this issue? Thanks.

    If you want to use keytool to self-sign the certificate, then use the commands below:
    command to generate certificate:
    keytool -genkey -alias pidcbox1 -keyalg RSA -keysize 1024 -keypass mykeypass -keystore pidcbox1identity.jks -storepass mystorepass
    command to check the certificate:
    keytool -list -v -keystore pidcbox1identity.jks -storepass mystorepass
    command to self sign the certificate:
    keytool -selfcert -v -alias pidcbox1 -keypass mykeypass -keystore pidcbox1identity.jks -storepass mystorepass -storetype jks
    Thanks
    Rahul Gupta

  • BEA-090156 Invalid identity certificate signature with custom stores

    How does one go about resolving BEA-090156 <Invalid identity certificate signature> when using custom keystores? As I have DoD certificates with a root that isn't in the standard JDK keystore, how does one go about resolving this issue? I created the keystores with the DoD certs, but get this message when trying to use them. Please advise.
    Thanks.

    The solution is that the certificates in tempcertfile.crt must be in the correct order. The order must be:
    Identity certificate
    Intermediate certificate
    Root certificate
    The identity certificate can be located easily in tempcertfile.crt since there must be a header that shows the identity: information such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the tempcertfile.crt.
    After I changed the order of the certificates it worked fine.
    Regards Steffen
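    An added example, not from the thread: a check that a PEM bundle such as tempcertfile.crt is ordered identity, intermediate, root, verifying that each certificate names the next one as its issuer and is signed by its key. It goes beyond the three-certificate case in the post to chains with any number of intermediates; the class and method names are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
/** Hypothetical helper: checks that a PEM bundle is ordered identity, intermediate(s), root. */
public final class ChainOrderCheck {
    /** Loads every PEM certificate in the bundle, keeping file order. */
    public static List<X509Certificate> loadBundle(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Returns an empty list when the order is right, otherwise one message per problem found. */
    public static List<String> orderProblems(List<X509Certificate> chain) {
        if (chain.isEmpty()) return List.of("bundle contains no certificates");
        List<String> problems = new ArrayList<>();
        // The identity is an end-entity certificate: getBasicConstraints() is -1 unless CA=true is set.
        if (chain.get(0).getBasicConstraints() != -1) {
            problems.add("first certificate is a CA certificate, not the identity");
        }
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = chain.get(i), issuer = chain.get(i + 1);
            // Each certificate must name the next one as its issuer and be verifiable with its key.
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                problems.add("certificate " + i + " was not issued by certificate " + (i + 1));
                continue;
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) {
                problems.add("signature on certificate " + i + " does not verify with certificate " + (i + 1));
            }
        }
        X509Certificate last = chain.get(chain.size() - 1);
        if (!last.getIssuerX500Principal().equals(last.getSubjectX500Principal())) {
            problems.add("last certificate is not self-signed: the root is missing or out of place");
        }
        return problems;
    }
}
```

    Calling orderProblems(loadBundle("tempcertfile.crt")) returns an empty list when the file is in the order the post describes, and otherwise says which position is wrong.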

Maybe you are looking for