Can't find ssl cert db

Similar Messages

• Can't find SSL certificate in SQL server configuration manager?

  Hi 
  It's been 2 days and I need a help. I have visited a number of sites and I still can't make it work
  Two severs I have: Windows 2012 Standard with SQL 2008 R2 and SQL 2012 
  I am trying to set it up on SQL 2008 R2 right now. 
  I have a certificate from a CA and did the followings.
  1. Open MMC
  2. Add Certificates Snap-in as a computer account (In fact, I tried all the three accounts)
  3. Right click-on Personal folder and All taks and Import 
  4. Installed the certificate with Certificate import Wizard
  5. The certificate shows up under Personal/Certificates and Trusted Root Certification Authorities/Certificates
  I did this with a local administrator account as well as MSSQL account(SQL Server service account I created). Even though the server is part of domain, SQL server is set up with local accounts. 
  This is a simply summary. I tried everything in the article such as 'Create Custom Request'. 
  I am not sure what I am missing. Why can't I see the certificate in SQL Server configuration manager? 
  I even made MSSQL (service account) as administrator. Not working.  
  as I am not using the domain service account, I believe below is not relevant. 
  Missing detail on "Install a certificate in the Windows certificate store..."
  When following recommended security procedures and running SQL server under a domain service account, the service will fail to start after assigning a certificate to the protocols.  This is because the service account does not have permissions to read
  the private key.  Fix this in the Certificates MMC snap-in (preferably right after installing the certificate.)  Select the certificate you just imported, then in the Action menu select "Manage private keys."  Grant the domain service
  account read access to the private key of the server certificate.
  Below is the few of reference I looked at.. 
  https://support.microsoft.com/en-us/kb/316898/
  https://msdn.microsoft.com/en-us/library/ms191192(d=printer).aspx
  https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
  http://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-
  http://blogs.msdn.com/b/sqlserverfaq/archive/2010/05/28/inf-permissions-required-for-sql-server-service-account-to-use-ssl-certificate.aspx

  Hi Dinesh 
  Thanks for the reply. 
  I did looked into the both sites as well. but it did not work. 
  Below is the step to install SQLs server certificate. and I was stuck with Step 9. when click 'next' in the wizard, I am not getting into a place to select 'computer' as certificate type. 
  Do you know what is wrong please? 
  Open the Microsoft Management Console (MMC): click Start, then click Run and in the Run dialog box type: MMC
  On the File menu, click Add/Remove Snap-in...
  Select Certificates, click Add.
  You are prompted to open the snap-in for your user account, the service account, or the computer account. Select the Computer Account.
  Select Local computer, and then click Finish.
  Click OK in the Add/Remove Snap-in dialog box.
  Click to select the Personal folder in the left-hand pane.
  Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate...
  Click Next in the Certificate Request Wizard dialog box. Select certificate type 'Computer'.
  You can enter a friendly name in text box if you want or leave it blank, then complete the wizard.
  Now you should see the certificate in the folder with the fully qualified computer domain name

• SSL cert on ASA 5512 from Thwate or Digitcert

  I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon 
  Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA -  install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
  Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2   etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
  here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
  Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed 

  First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
  When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
  If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
  Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

• Can SSL cert be used in Mail Services?

  Hello,
  Can I use SSL server cert for Apache in Mail services, or must I use S/MIME certs? Anything that I must be aware when buying the S/MIME cert for 10.6 Mail Services?
  Thanks alot!

  Thanks very much!!!
  Do you know which port(s) external mail client will use to get the cert from the Mail Server during handshake? My preliminary testing shows the mail client gets the cert via 443, and therefore it is getting another cert from my supposedly web server!
  My set up in brief :
  Airport Extreme acts as the gateway, load distributed by port no. to multiple servers, each handling a different service, and each has a different internal IP address. The external DNS service provided by DynDNS has 2 CNAME entries (one is www.servername.com, another is mail.servername.com) both pointing to the same fixed IP address.

• Where can I find the SSL function on the iPad mail - having trouble with AOL sending e-mail out

  Where can I find the SSl function on the iPad mail - I am having trouble sending out e-mails on my AOL account on the iPad - no trouble with the MacBook Pro?

  Under the line where it has the SSL button, is Authintication set to password?  and the line below that, is there a server port number?  A typical outgoing server port number is 25.

• Remote Desktop Services Single SSL Cert with multiple hosts

  I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployement all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are
  RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the
  exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying
  to avoid buying an expensive wildcard cert to cover all of them.

  Hi,
  Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
  the text between the ' marks.  Next paste this into the escape text box the below page:
  http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
  Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
  it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
  Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
  Thanks.
  -TP

• Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

  Coldfusion 11
  Windows Server 2012 R2
  Both the Coldfusion admin and additonal site work fine on HTTP.
  As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
  Coldfusion 11 - Web Sockets via SSL
  The Coldfusion-error.log shows
  Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
  Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
  Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
  If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
  Any assistance welcome - I can't allow this site to made publicly available with using SSL.
  SM

  @Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release.  And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
  If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
  First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
  Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
  You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
  Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
  Finally, when you say that if you “comment out the SSL sections  it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
  To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
  /charlie

• SSL Cert used to sign Jars for distribution via WebStart

  Hi,
  I have an SSL cert (Comodo InstallSSL) for my website and wondered if I can use it to sign jars so, when distributed via webstart, the old "untrusted source" message doesn't get displayed. I've been doing a lot of reading but, to be honest, I can't really find my bearings! I have imported the cert into my keystore but get the message when I try to sign a jar:
  Certificate chain not found for: myalias  myalias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.I have the following files in relation to my cert:
  xxx.cabundle (this can be imported into keytool easily)
  cert/xxx.crt (looks like a PGP file, cannot be imported (-import) into keytool)
  private/xxx.key
  My questions I suppose are:
  1. Can I use a cert issued for SSL to sign jars for webstart distribution?
  2. If yes to 1; what steps other than importing the cert alone (which generates the message above) do I need to do to achieve this?
  Any help would be appreciated!
  Rich

  Hi,
  yes, the pkcs12 certificate includes the private key, as opposed to pb7 which does not.
  Sent from Cisco Technical Support Android App

• Could not find trusted cert in chain

  Hi,
  Environment:
  The server and client are both located on the same Sun Solaris 2.8 box.
  MQ Series V 5.3 CSD07
  Could not find trusted cert in chain.
  main, SEND SSL v3.0 ALERT: fatal, description = certificate_unknown
  main, WRITE: SSL v3.0 Alert, length = 2
  JMSException thrown javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for 'localhost:QM_SSL'
  Linked Exception com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
  Has anyone encounter this error? I have self-signed certificates and the CA is installed on both client and server and I have CA signed certificate on Client (clients.jks)
  Any pointer would be highly appreciated. Thank you.
  Raj

  1.Check the cacerts path if u are using cacerts
  2.U Can use keystore
  3.U need to install the certificate on the client machine as the warning is treated as error on handshake.
  4.to debug use:
  On IBM's JVM, add: -Djavax.net.debug=true
  On Sun's JVM, add: -Djavax.net.debug=ssl

• Updating an intermediate CA for a 128 bit SSL cert

  We found a 128 bit SSL cert that was affected by the Verisign server shutdown on 1/7/2004. I need to update the intermediate CA for a 5.1 and 6.1 Web Logic server. Where can I find information on how to do this?
  Thanks.

  download from
  http://www.verisign.com/support/roots.html
  Scott Stanforth <[email protected]> wrote:
  We found a 128 bit SSL cert that was affected by the Verisign server
  shutdown on 1/7/2004. I need to update the intermediate CA for a 5.1
  and 6.1 Web Logic server. Where can I find information on how to do
  this?
  Thanks.

• Anyone having issues with Self-Signed SSL-certs on mail servers?

  Can't get it to allow connecting via SSL to outgoing mail servers with self-signed certificates. Problem did not exist in earlier versions of OSX as far as I know.

  YES. I have a cert from lunarpages, where my accounts are hosted. I'm seeing two issues, and they are different for the different servers at lunarpages:
  1. Multiple logins from different machines --> problem
  2. Multiple accounts accessing same server --> problem
  So, with 1 account on one of lunarpages machines, I can have several machines running Mail with ssl on at the same time and get no problem (that is, once I've saved the certificate and marked it trusted). But as soon as another account (my wife's email on the same domain, for example) tries to access the same server, it gives me an ssl error, a choice to save that cert. and if I do then my account will generate the ssl error. Seems like only one account can have the certificate.
  On another account on a different lunarpages machine, I can't have several machines running Mail at the same time, only the first will get through and the rest will give an SSL error.
  Lunarpages says they can't find a problem, though my last email with them told me to use TLS rather than SSL. Of course, there's no way to specify that in Mail anyway, but I'd thought Mail automatically used TLS anyway, and I'm running the right ports (587 for smtp, 993 for incoming).
  Feels like it's an issue with Mail or the OS's handling of certificates. Any clues on a fix will be most appreciated as this is getting annoying. I've had to turn off SSL on my wife's and daughter's accounts just so that I can use it. And I have to quit Mail so that on the other account I can get my mail on my iPhone. Having to quit Mail on my main work machine is frustrating -- if I forget to do it I can't get mail.

• Wrong SSL Cert pop ups in outlook

  Hi
  We have a client with exchange 2010 and we just got a new SSL cert from Go Daddy and installed it. Weird thing is even before we ordered and installed that go daddy cert they were getting pop ups in out look for an expired cert which is from a place "asdl.newzealand.co.nz"
  when we are in Canada and I can't find anything anywhere that refers to that.
  Can anyone please guide me where to start looking?
  thanks.

  Hi,
  Based on my experience, the certificate credential is always caused by that there is some connection using the name "asdl.newzealand.co.nz".
  Thus, except with check the property Autodiscoverserviceinternaluri, I also recommend you check the URLs for all web services. And we can use the tool Test Email AutoConfiguration and check the URLs it gets.
  For more information about using Test Email AutoConfiguration, you can refer to the following article:
  http://social.technet.microsoft.com/Forums/en-US/54bc6b17-9b60-46a4-9dad-584836d15a02/troubleshooting-and-introduction-for-exchange-20072010-autodiscover-details-about-test-email?forum=exchangesvrgeneral
  Thanks,
  Angela Shi
  TechNet Community Support

• Adding SSL Certs to Apache Config

  I checked the Wiki & did not find a section on how I can add my SSL certificates to my Arch server running Apache.
  I noticed that there is no 'Virtual Host' section in /etc/httpd/conf/httpd.conf file. I did however find /etc/httpd/conf/extra/httpd-ssl.conf. I add the following:
  Listen 443
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  SSLPassPhraseDialog builtin
  SSLSessionCache "shmcb:/var/run/httpd/ssl_scache(512000)"
  SSLSessionCacheTimeout 300
  SSLMutex "file:/var/run/httpd/ssl_mutex"
  <VirtualHost _default_:443>
  DocumentRoot "/srv/http/webmail"
  ServerName www.mydomain.tld:443
  ServerAdmin [email protected]
  ErrorLog "/var/log/httpd/error_log"
  TransferLog "/var/log/httpd/access_log"
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile "/path/to/server.crt"
  SSLCertificateKeyFile "/path/to/server.key"
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory "/srv/http/cgi-bin">
  SSLOptions +StdEnvVars
  </Directory>
  BrowserMatch ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
  CustomLog "/var/log/httpd/ssl_request_log" \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>
  When I restart Apache, it still does not work on port 443. Do I need to simply move the above in to my 'httpd.con' file?

  I really don't remember how I setup my apache for ssl but checking my config files these are what I have
  in httpd.conf
  # ssl
  Include /etc/httpd/conf/extra/httpd-ssl.conf
  httpd-ssl.conf (removed the comments)
  Listen 443
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  SSLPassPhraseDialog builtin
  SSLSessionCache "shmcb:/var/run/httpd/ssl_scache(512000)"
  SSLSessionCacheTimeout 300
  <VirtualHost _default_:443>
  DocumentRoot "/srv/http"
  ServerName www.example.com:443
  ServerAdmin [email protected]
  ErrorLog "/var/log/httpd/error_log"
  TransferLog "/var/log/httpd/access_log"
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile "/certs/httpd/server.crt"
  SSLCertificateKeyFile "/certs/httpd/server.key"
  SSLCACertificateFile "/certs/ca.crt"
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory "/srv/http/cgi-bin">
  SSLOptions +StdEnvVars
  </Directory>
  BrowserMatch ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
  </VirtualHost>
  if I remember correctly I had to generate the ca.crt, server.key and server.crt with openssl ... check this site out: http://www.tc.umn.edu/~brams006/selfsign.html Hope this helps.
  Last edited by kermana (2009-12-21 05:01:56)

• ACE: Single SSL Cert for two domains with same VIP

  At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
  policy-map multi-match popvip_01
  class POP_VIP01
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or popPMT1
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  class POP3_VIP02
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or POPPMT2
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP3_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  however,
  if I can get one single certificate to process both pop and pop3 domains, that use the same VIP/port, and if this will work with ACE, i'm inclined to design using this alternative.
  ie,
  pop.mydomain.com = 10.10.10.1 995
  pop3.mydomain.com = 10.10.10.1 995
  Any suggestions would be appriciated.

  Hello,
  In order to achieve this then you will need to order a wildcard certifictae ie
  *.mydomain.com
  These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
  Regards

• Http Analyzer connecting to server with self-signed SSL cert

  When making webservice calls using Axis 1.3 to our development site that uses a self-signed SSL cert I am getting the following error when running the Http Analyzer:
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  Works fine if I turn off proxy in run configuration for project or when used against a site with a purchased cert. I assume the problem is with Http Analyzer not being able to find the server cert in a local keystore, is there a way to import the cert so that I can run Http Analyzer against the site?
  Tried adding server cert to <jdkhome>/jre/lib/security/cacerts keystore but still have the problem.
  Am using JDeveloper 10.1.3.
  Thanks,
  John

  I fixed that by getting certs from: https://www.startssl.com/?app=1.
  The certs are free and work fine.
  Since Iphone 4 apple does not accept unknown CA Authorities.