Certificate Chain File
Hello,
I have certificates from two different CAs. How can I integrate them both in a root certificate chain file, so that the WLS accepts them both?
Thanks for your help
hannele
What version of WLS? Are the CAs in PEM or DER format?
PaulF
Similar Messages
-
How to get the Server Certificate Chain File?
Hi all,
I configured SSL for WebLogic 6.0 on a Win2k machine. I followed the WebLogic
documentation:
Generate a private key file, then submit to Verisign, get the certificate
file.
Because I have only one WebLogic server, I cleared the "Server Certificate
Chain File" field.
But I get an error message after rebooting WebLogic. Following is the error
message:
<2001-1-21 04:57:56 pm> <Alert> <WebLogicServer> <Inconsistent security configuration, java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found>
java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found
at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromLocalFile(SSLListenThread.java:152)
at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromAdminServer(SSLListenThread.java:180)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
My question is: Should I input the rootCA certificate into the Server
Certificate Chain File field? If yes, where can I get the rootCA certificate
file?
Thanks
[sorry, deleted irrelevant wrong answer]
-
Verisign certificate & Chain File Name
Perhaps a newbie question, but here goes:
I am having trouble installing a Verisign certificate on my Weblogic 6.0
server. I have my private key and certificate file installed properly I
believe, but am unsure what to put in the Certificate Chain File entry
in the console. I only have 1 certificate for this server. I have tried to
a) leave it empty - in which case it uses a default file name which does
not exist
b) use the certificate I got from Verisign
c) export a class 3 certificate from my browser and use that file
In all the cases that I give it an existing file name, I get the
following stack trace:
weblogic.security.CipherException: Incorrect encrypted block
at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
at weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
at weblogic.security.X509.verifySignature(X509.java:243)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
<Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent security configuration, weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate>
weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate
at weblogic.security.X509.verifySignature(X509.java:251)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
OK. Found out what it was.
The Server Certificate Chain File name is what Verisign calls the
Intermediate Certificate. So what you need to do is grab that cert off the
Verisign site, paste it into a new file on your server and put that file
name in as the path to the Chain File name.
New question: Why the 2 names for the same thing? The documentation could
be a bit clearer here, as it's a very simple process that seems more
complicated than it needs to be (IMHO).
-
SSL for Weblogic 6.0: Server Certificate Chain File & Verisign
http://www.bea.com/support/askbea/wls/S-07188.shtml
This issue attempts to explain what a "certificate chain file" is for. I still don't understand why this is so difficult. Where do I get this from?
At the end of the article it points me here:
http://www.verisign.com/repository/root.html
And vaguely tells me to convert the unspecified format on that page using a utility from OpenSSL. The format on that page is NOT .pem, what is it? Which utility do I use, and HOW do I convert the root server CA on that page to .der format?
Thanks for tips!
Unfortunately this is a misleading exception you are getting.
Here is a suggested workaround (at least to get SSL working):
https://www.verisign.com/server/prg/browser/root.html
I have met the same question as you.
The Server Certificate Chain File is obtained from your browser (such as IE5.5).
-
Error creating AIR file: Unable to build a valid certificate chain for the signer.
Hi, My boss got a certificate from Thawte, and I'm getting this error message when building my AIR app.
Error creating AIR file: Unable to build a valid certificate chain for the signer.
I'm on windows XP.
thanks,
steve
To manage your code signing certificate, please see
http://www.adobe.com/devnet/air/articles/signing_air_applications_print.html
The error you are seeing is typically caused by exporting a cert without the trust chain. On Windows, in IE, you can manage your keystore by going to
Internet Options > Content > Certificates
When you export the certificate needed for signing your app, be sure to check “Include all certificates in the certificate path, if possible”. -
SUN Java System Web Server 7.0U1 How to install certificate chain
I am trying to install a certificate chain using the SUN Java Web Server 7.0U1 HTTPS User interface. What I have tried so far:
1. Created a single file using vi editor containing the four certificates in the chain by cutting and pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
2. Go to Certificates Tab/Server Certificates
3. Choose Install
4. Cut and paste contents of cert_chain.pem in the certificate data box.
5. Assign to httplistener
6. Nickname for this chain is 'server_cert'
7. Select httplistener and assign server_cert (for some reason, this is not automatically done after doing step 5).
8. No errors are received.
When I display server_cert (by clicking on it), only the first certificate of the chain is displayed and only that cert is provided to the client during the SSL handshake.
I tried to do the same, except using the Certificate Authority Tab, since this gave the option of designating the certificate as a CA or chain during installation. When I selected "chain," I get the same results when I review the certificate (only the first cert in the file is displayed). This tells me that entering the chain in PEM format is not acceptable. I tried this method since it worked fine with the F5 BIG-IP SSL appliance.
My question is what format/tool do I need to use to create a certificate chain that the Web Server will accept?
turrie wrote:
1. Created a single file using vi editor containing the four certificates in the chain by cutting and pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
In my opinion (I may be wrong) cutting and pasting multiple begin/end blocks
--- BEGIN CERTIFICATE ---
... some data....
--- END CERTIFICATE ---
--- BEGIN CERTIFICATE ---
... some data....
--- END CERTIFICATE ---
is NOT the way to create a certificate chain.
I have installed a certificate chain (it had 1 BEGIN CERTIFICATE and one END CERTIFICATE only and still had 2 certificates) and I used the same steps as you mentioned and it installed both the certificates.
Some links:
https://developer.mozilla.org/en/NSS_Certificate_Download_Specification
https://wiki.mozilla.org/CA:Certificate_Download_Specification
-
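Added example for the two threads above (the WebLogic chain-file question and the concatenated-PEM discussion), written for this page and not taken from BEA, Sun or any poster; it assumes the openssl CLI is on PATH and uses constructed demo names. It builds a throwaway root/intermediate/server hierarchy, writes the CA certificates into one PEM chain file, and checks both that each block is issued by the block after it and that the server certificate verifies against that file.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH.
# Builds a throwaway root -> intermediate -> server hierarchy (constructed demo
# names), writes the CA certificates into one PEM chain file, and checks it two
# ways: each block's issuer must be the subject of the block after it (so the
# file reads leaf, intermediate, root), and openssl verify must accept the
# server certificate with that file as the only trust input.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# issue_cert NAME SUBJECT ISSUER_NAME CA_FLAG   (ISSUER_NAME "" = self-signed)
issue_cert() {
  name=$1; subj=$2; issuer=$3; ca=$4
  if [ "$ca" = "CA:TRUE" ]; then ku="keyCertSign,cRLSign"; else ku="digitalSignature,keyEncipherment"; fi
  printf 'basicConstraints=critical,%s\nkeyUsage=critical,%s\n' "$ca" "$ku" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# count_blocks FILE: number of BEGIN CERTIFICATE blocks in a PEM bundle.
count_blocks() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# chain_pairs FILE: prints one "subject|issuer" line per certificate, in file order.
chain_pairs() {
  split="$WORK/split"; rm -rf "$split"; mkdir "$split"
  awk -v dir="$split" '/-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
                       n { print > out }' "$1"
  for f in "$split"/*.pem; do
    s=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
    printf '%s|%s\n' "$s" "$i"
  done
}

# check_order FILE: 0 when every certificate is issued by the one after it
# (leaf first, root last); otherwise names the offending block and returns 1.
check_order() {
  chain_pairs "$1" > "$WORK/pairs.txt"
  expect=""; n=0
  while IFS='|' read -r subj iss; do
    n=$((n + 1))
    if [ -n "$expect" ] && [ "$subj" != "$expect" ]; then
      echo "block $n: subject '$subj' is not the issuer of block $((n - 1)) ('$expect')" >&2
      return 1
    fi
    expect=$iss
  done < "$WORK/pairs.txt"
  [ "$n" -gt 0 ]
}

# verify_server CHAIN_FILE SERVER_CERT: 0 when the server certificate chains up
# to a self-signed root through the CA certificates in CHAIN_FILE.
verify_server() { openssl verify -CAfile "$1" "$2" > /dev/null; }

# --- demo: constructed names, throwaway keys ---
issue_cert root   "/CN=Demo Root CA"         ""    CA:TRUE
issue_cert inter  "/CN=Demo Intermediate CA" root  CA:TRUE
issue_cert server "/CN=demo.example"         inter CA:FALSE

# The "chain file" WebLogic asks for: the CAs above the server cert, nearest first.
cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/ca-chain.pem"
# The full bundle as the Sun Web Server post builds it: server cert on top.
cat "$WORK/server.pem" "$WORK/ca-chain.pem" > "$WORK/full-chain.pem"
# Same certificates, root first: a common slip that the order check catches.
cat "$WORK/root.pem" "$WORK/inter.pem" "$WORK/server.pem" > "$WORK/reversed.pem"

echo "ca-chain.pem holds $(count_blocks "$WORK/ca-chain.pem") certificates"
chain_pairs "$WORK/full-chain.pem"
check_order "$WORK/full-chain.pem"
echo "full-chain.pem: order OK"
if check_order "$WORK/reversed.pem" 2>/dev/null; then echo "reversed.pem: unexpectedly accepted"; exit 1; fi
echo "reversed.pem: rejected, as expected"
verify_server "$WORK/ca-chain.pem" "$WORK/server.pem"
echo "server.pem verifies against ca-chain.pem"
```

If the chain file holds only the intermediate and not the root, openssl verify fails with "unable to get issuer certificate" unless the root is trusted elsewhere, which is the same gap WebLogic reports when the chain file is missing or wrong.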
HTTPS Client not sending the certificate chain
Hi,
I have an HTTPS Java programme with client authentication.
When the server requests the certificate from the client, the client is not sending the certificate chain; the server says Thread-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
In the client I am setting the keystore properties properly.
Below is the ssl trace from the server and the client.
The trace clearly says that the client has loaded its certificate from the key store.
One thing I noticed is the validity period of the client certificate is different in client and the server.
I am not sure why it is different. I followed the steps properly to create the certificate.
Can anyone help me to resolve this?
==========================Server Trace==========================
SecureServer version 1.0
found key for : server
chain [0] = [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
trustStore is: d:\babu\ssltest\sscerts\jsseclient1
trustStore type is : jks
init truststore
adding as trusted cert: [
Version: V1
Subject: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@166
Validity: [From: Sun Jun 07 04:00:00 GMT+04:00 1998,
To: Tue Jun 07 03:59:59 GMT+04:00 2011]
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
SerialNumber: [ 32f057e7 153096f5 1fb86e5b 5a49104b]
Algorithm: [SHA1withRSA]
adding as trusted cert: [
Version: V3
Subject: CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff956
Validity: [From: Mon Oct 09 04:00:00 GMT+04:00 2006,
To: Tue Oct 24 03:59:59 GMT+04:00 2006]
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
SerialNumber: [ 5f2e369d 92ccf119 5d9a0371 c2f19ba4]
Certificate Extensions: 6
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
[2]: ObjectId: 2.5.29.31 Criticality=false
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [SHA1withRSA]
trigger seeding of SecureRandom
done seeding SecureRandom
SecureServer is listening on port 443.
matching alias: server
Accepted connection to ebms.uae.ebg.com (172.16.178.62) on port 3379.
----------1-1-1-----
Thread-1, READ: SSL v2, contentType = Handshake, translated length = 59
*** ClientHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 213, 11, 241, 245, 82, 210, 228, 255, 80, 250, 4, 73, 231, 80, 70, 170, 45, 167, 41, 71, 103, 149, 21, 72, 151, 117, 151, 44 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 227, 31, 215, 114, 116, 219, 59, 159, 156, 232, 234, 78, 209, 15, 134, 102, 46, 207, 102, 33, 202, 146, 164, 74, 99, 27, 76, 229 }
Session ID: {69, 41, 244, 184, 75, 140, 3, 113, 8, 43, 97, 188, 121, 254, 105, 189, 119, 89, 132, 185, 240, 133, 165, 13, 109, 244, 91, 98, 210, 139, 161, 214}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE>
<OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc">
*** ServerHelloDone
Thread-1, WRITE: TLSv1 Handshake, length = 912
Thread-1, READ: TLSv1 Handshake, length = 141
*** Certificate chain
Thread-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
Thread-1, WRITE: TLSv1 Alert, length = 2
Thread-1, called closeSocket()
Thread-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
IOException occurred when processing request.
Thread-1, called close()
Thread-1, called closeInternal(true)
==========================Client Trace==========================
--->>>--------
keyStore is : d:\babu\ssltest\sscerts\clientpk1
keyStore type is : jks
init keystore
init keymanager of type SunX509
found key for : client
chain [0] = [
Version: V1
Subject: CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff956
Validity: [From: Mon Oct 09 09:44:01 GMT+04:00 2006,
To: Sun Jan 07 09:44:01 GMT+04:00 2007]
Issuer: CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE
SerialNumber: [ 4529e1a1]
Algorithm: [MD5withRSA]
trustStore is: d:\babu\ssltest\sscerts\jsseserver
trustStore type is : jks
init truststore
adding as trusted cert: [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
init context
trigger seeding of SecureRandom
done seeding SecureRandom
---<<<--------
THE HEADERS
---111--------
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 213, 11, 241, 245, 82, 210, 228, 255, 80, 250, 4, 73, 231, 80, 70, 170, 45, 167, 41, 71, 103, 149, 21, 72, 151, 117, 151, 44 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
main, WRITE: TLSv1 Handshake, length = 59
main, WRITE: SSLv2 client hello message, length = 77
main, READ: TLSv1 Handshake, length = 912
*** ServerHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 227, 31, 215, 114, 116, 219, 59, 159, 156, 232, 234, 78, 209, 15, 134, 102, 46, 207, 102, 33, 202, 146, 164, 74, 99, 27, 76, 229 }
Session ID: {69, 41, 244, 184, 75, 140, 3, 113, 8, 43, 97, 188, 121, 254, 105, 189, 119, 89, 132, 185, 240, 133, 165, 13, 109, 244, 91, 98, 210, 139, 161, 214}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
stop on trusted cert: [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE>
<OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc">
[read] MD5 and SHA1 hashes: len = 294
0000: 0D 00 01 22 02 01 02 01 1D 00 6D 30 6B 31 0B 30 ..."......m0k1.0
0010: 09 06 03 55 04 06 13 02 41 45 31 11 30 0F 06 03 ...U....AE1.0...
0020: 55 04 08 13 08 65 6D 69 72 61 74 65 73 31 0E 30 U....emirates1.0
0030: 0C 06 03 55 04 07 14 05 64 75 62 61 69 31 11 30 ...U....dubai1.0
0040: 0F 06 03 55 04 0A 14 08 65 6D 69 72 61 74 65 73 ...U....emirates
0050: 31 15 30 13 06 03 55 04 0B 14 0C 65 6D 69 72 61 1.0...U....emira
0060: 74 65 73 62 61 6E 6B 31 0F 30 0D 06 03 55 04 03 tesbank1.0...U..
0070: 14 06 69 74 6E 35 34 37 00 AC 30 81 A9 31 16 30 ..ebms..0..1.0
0080: 14 06 03 55 04 0A 13 0D 56 65 72 69 53 69 67 6E ...U....VeriSign
0090: 2C 20 49 6E 63 31 47 30 45 06 03 55 04 0B 13 3E , Inc1G0E..U...>
00A0: 77 77 77 2E 76 65 72 69 73 69 67 6E 2E 63 6F 6D www.verisign.com
00B0: 2F 72 65 70 6F 73 69 74 6F 72 79 2F 54 65 73 74 /repository/Test
00C0: 43 50 53 20 49 6E 63 6F 72 70 2E 20 42 79 20 52 CPS Incorp. By R
00D0: 65 66 2E 20 4C 69 61 62 2E 20 4C 54 44 2E 31 46 ef. Liab. LTD.1F
00E0: 30 44 06 03 55 04 0B 13 3D 46 6F 72 20 56 65 72 0D..U...=For Ver
00F0: 69 53 69 67 6E 20 61 75 74 68 6F 72 69 7A 65 64 iSign authorized
0100: 20 74 65 73 74 69 6E 67 20 6F 6E 6C 79 2E 20 4E testing only. N
0110: 6F 20 61 73 73 75 72 61 6E 63 65 73 20 28 43 29 o assurances (C)
0120: 56 53 31 39 39 37 VS1997
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 145, 198, 68, 101, 78, 79, 139, 241, 6, 243, 13, 208, 161, 242, 0, 185, 46, 87, 212, 79, 239, 132, 145, 14, 13, 134, 115, 250, 44, 44, 112, 33, 173, 105, 52, 186, 160, 119, 55, 202, 205, 212, 136, 92, 7, 120 }
[write] MD5 and SHA1 hashes: len = 141
0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 3A 83 FA .............:..
0010: 1E B3 43 52 3B B5 B9 A5 9D 2D 30 5E 71 34 DF 45 ..CR;....-0^q4.E
0020: 99 99 2D 9A 4A 42 54 3D 47 D8 94 22 BC F3 92 0D ..-.JBT=G.."....
0030: 23 AA 95 B5 75 EA B2 2B 8B DD DA 91 AA 94 24 4B #...u..+......$K
0040: 56 34 C8 3C 1D 2D 15 63 CF 03 FF 65 6C DF B9 00 V4.<.-.c...el...
0050: C3 5E BF 72 F4 70 64 45 D8 5B 58 E2 DF D6 12 1B .^.r.pdE.[X.....
0060: BE A3 71 E9 1C 49 BB 7E C0 4A 1F CA 1F F5 63 23 ..q..I...J....c#
0070: 0D 40 0D C6 3B FE 03 E9 DE 2E E5 09 1F 72 D7 6B .@..;........r.k
0080: D6 ED 5E 99 B0 A8 A0 D3 D2 73 F0 A0 8E ..^......s...
main, WRITE: TLSv1 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 91 C6 44 65 4E 4F 8B F1 06 F3 0D D0 A1 F2 ....DeNO........
0010: 00 B9 2E 57 D4 4F EF 84 91 0E 0D 86 73 FA 2C 2C ...W.O......s.,,
0020: 70 21 AD 69 34 BA A0 77 37 CA CD D4 88 5C 07 78 p!.i4..w7....\.x
CONNECTION KEYGEN:
Client Nonce:
0000: 45 29 F4 B8 D5 0B F1 F5 52 D2 E4 FF 50 FA 04 49 E)......R...P..I
0010: E7 50 46 AA 2D A7 29 47 67 95 15 48 97 75 97 2C .PF.-.)Gg..H.u.,
Server Nonce:
0000: 45 29 F4 B8 E3 1F D7 72 74 DB 3B 9F 9C E8 EA 4E E).....rt.;....N
0010: D1 0F 86 66 2E CF 66 21 CA 92 A4 4A 63 1B 4C E5 ...f..f!...Jc.L.
Master Secret:
0000: 3A 36 9A CA 6F 82 0B 32 17 28 04 CD 33 B4 5D BF :6..o..2.(..3.].
0010: 5F 87 23 71 6B 49 2D 0E 59 DE 2C EA 8E B3 43 C8 _.#qkI-.Y.,...C.
0020: 5D 3B 3B 4C B7 B9 AB 4E EA A3 E6 CE 54 40 FB 2D ];;L...N....T@.-
Client MAC write Secret:
0000: C3 72 45 7B 93 DE 55 FF 0A 8C 9E 91 43 48 6E E4 .rE...U.....CHn.
Server MAC write Secret:
0000: E2 05 07 CB 3F 2D 95 41 EF 69 3F 09 6D CB 81 EE ....?-.A.i?.m...
Client write key:
0000: EE 7E EE 7D D8 5F 46 CD 88 15 9E F6 C7 EC 05 5F ....._F........_
Server write key:
0000: 43 DE B1 D2 FA 54 F0 E6 CA EC E8 1E 6C AD 77 EC C....T......l.w.
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished
verify_data: { 196, 3, 24, 202, 107, 99, 158, 203, 62, 203, 204, 35 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C C4 03 18 CA 6B 63 9E CB 3E CB CC 23 ........kc..>..#
Plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C C4 03 18 CA 6B 63 9E CB 3E CB CC 23 ........kc..>..#
0010: 22 2A 55 36 5F 75 DB D4 CF 19 6F 40 93 AF B8 3B "*U6_u....o@...;
main, WRITE: TLSv1 Handshake, length = 32
waiting for close_notify or alert: state 1
Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
Plaintext before ENCRYPTION: len = 18
0000: 02 0A 3E CA 24 9F 8F 40 B8 65 A6 44 5D 7E 0B B5 ..>.$..@.e.D]...
0010: A9 C7 ..
main, WRITE: TLSv1 Alert, length = 18
Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
---000--------
Here are the steps I am performing to create the certificates. Can anyone please validate the steps...
# Create private key (and a self-signed placeholder certificate) under alias "client"
keytool -genkey -keystore clientpk1 -keyalg RSA -alias client -storepass password -keypass password
# Create CSR
keytool -certreq -alias client -file client.csr -keypass password -keystore clientpk1 -storepass password
# Received client-ca.cer (signed certificate) and getcacert.cer (root certificate) from verisign
# Import the root certificate first so that keytool can verify the chain of the signed certificate
# (the alias name is arbitrary; this step is only needed if the root is not already in the JDK cacerts file)
keytool -import -keystore clientpk1 -alias verisignroot -file getcacert.cer -storepass password
# Import the signed certificate as the reply for the existing "client" key entry: the alias must be
# the key entry's alias, otherwise keytool stores the certificate as a separate trusted entry and
# the key entry keeps only its self-signed placeholder
keytool -import -keystore clientpk1 -alias client -trustcacerts -file client-ca.cer -storepass password -keypass password
# Import the root certificate and the client certificate into the server truststore,
# each under its own alias (a second import under an alias that already exists fails)
keytool -import -keystore jsseclient1 -alias verisignroot -file getcacert.cer -storepass password
keytool -import -keystore jsseclient1 -alias client -file client-ca.cer -storepass password
Thanks in advance,
Babu -
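The trace in this post shows the failure itself: the server's CertificateRequest names the two CAs it will accept, the client answers with the Certificate message `0B 00 00 03 00 00 00` (a certificate list of length zero), and the server closes the connection. JSSE's key manager only offers a key entry whose certificate chain was issued by one of the CAs on that list, so an empty Certificate message means no such entry exists in the client keystore (the usual cause is a signed certificate that was imported under a different alias than the key pair, so the key entry still holds only its self-signed placeholder). The following Python script, an added example and not code from this thread, reassembles the `[read]`/`[write] MD5 and SHA1 hashes` flights from such a `-Djavax.net.debug=ssl` dump, decodes the CertificateRequest's certificate types and CA names the way JSSE prints them, counts the certificates the client sent, and states the verdict. The embedded SAMPLE_LOG is constructed to the shape of the trace above with a made-up CA name; the function names are mine and Python 3.8 or later is assumed.

```python
# Added example (not from the thread): decode JSSE -Djavax.net.debug=ssl handshake hex
# dumps and report whether the client answered the CertificateRequest. SAMPLE_LOG is constructed.
import re

HEADER = re.compile(r"\[(read|write)\] MD5 and SHA1 hashes: len = (\d+)")
# Up to 16 bytes per "0010: 01 77 .." line; the ASCII column is ignored, extras cut by len.
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}:((?:\s+[0-9A-Fa-f]{2}){1,16})")
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign"}
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def dump_flights(text):
    """Return [(direction, bytes)] for every hashed handshake flight in the log."""
    flights, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.search(line)
        if head:
            cur = [head.group(1), int(head.group(2)), bytearray()]
            flights.append(cur)
        elif cur and (hexes := HEX_LINE.match(line)):
            cur[2] += bytes.fromhex(hexes.group(1))
        else:
            cur = None      # any other line ("*** ServerHelloDone", ...) ends the flight
    return [(d, bytes(raw[:n])) for d, n, raw in flights]

def split_handshake(flight):
    """Split a flight into (HandshakeType, body) pairs using the 1+3 byte headers."""
    msgs, i = [], 0
    while i + 4 <= len(flight):
        n = int.from_bytes(flight[i + 1:i + 4], "big")
        msgs.append((flight[i], flight[i + 4:i + 4 + n]))
        i += 4 + n
    return msgs

def der_tlv(buf, i):
    """Read one DER tag-length-value at offset i -> (tag, value, next offset)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def decode_name(der):
    """Render a DER X.501 Name the way JSSE prints it (most specific RDN first)."""
    _, rdns, _ = der_tlv(der, 0)                   # SEQUENCE OF RDN
    parts, i = [], 0
    while i < len(rdns):
        _, rdn, i = der_tlv(rdns, i)               # SET (single-valued RDNs assumed)
        _, atv, _ = der_tlv(rdn, 0)                # SEQUENCE { type OID, value }
        _, oid, j = der_tlv(atv, 0)
        _, val, _ = der_tlv(atv, j)
        parts.append("%s=%s" % (ATTR.get(bytes(oid), oid.hex()), val.decode("latin-1")))
    return ", ".join(reversed(parts))

def parse_certificate_request(body):
    """-> (accepted client certificate types, DNs of the CAs the server accepts)."""
    n = body[0]
    types = [CLIENT_CERT_TYPES.get(t, str(t)) for t in body[1:1 + n]]
    i, cas = n + 3, []
    end = i + int.from_bytes(body[n + 1:i], "big")
    while i < end:
        dn_len = int.from_bytes(body[i:i + 2], "big")
        cas.append(decode_name(body[i + 2:i + 2 + dn_len]))
        i += 2 + dn_len
    return types, cas

def count_certificates(body):
    total, i, count = int.from_bytes(body[:3], "big"), 3, 0    # 3-byte list length
    while i < 3 + total:
        i += 3 + int.from_bytes(body[i:i + 3], "big")        # 3-byte cert length
        count += 1
    return count

def diagnose(log_text):
    """Summarise the client-authentication part of the handshake in the log."""
    r = {"cert_types": [], "requested_cas": [], "client_certs": None}
    for direction, flight in dump_flights(log_text):
        for msg_type, body in split_handshake(flight):
            if msg_type == 13 and direction == "read":          # CertificateRequest
                r["cert_types"], r["requested_cas"] = parse_certificate_request(body)
            elif msg_type == 11 and direction == "write":       # Certificate
                r["client_certs"] = count_certificates(body)
    if r["requested_cas"] and r["client_certs"] == 0:
        r["verdict"] = ("client sent an empty Certificate message: no key entry in "
                        "its keystore has a chain issued by one of the requested CAs")
    elif r["client_certs"]:
        r["verdict"] = "client presented %d certificate(s)" % r["client_certs"]
    else:
        r["verdict"] = "no client certificate was requested"
    return r

# Constructed trace: a CertificateRequest naming one CA, then the client's flight with an
# empty Certificate message followed by a (shortened) ClientKeyExchange.
SAMPLE_LOG = """\
*** CertificateRequest
[read] MD5 and SHA1 hashes: len = 70
0000: 0D 00 00 42 02 01 02 00 3D 00 3B 30 39 31 0B 30   ...B....=.;091.0
0010: 09 06 03 55 04 06 13 02 55 53 31 10 30 0E 06 03   ...U....US1.0...
0020: 55 04 0A 13 07 45 78 61 6D 70 6C 65 31 18 30 16   U....Example1.0.
0030: 06 03 55 04 03 13 0F 45 78 61 6D 70 6C 65 20 54   ..U....Example T
0040: 65 73 74 20 43 41                                 est CA
*** Certificate chain
[write] MD5 and SHA1 hashes: len = 17
0000: 0B 00 00 03 00 00 00 10 00 00 06 00 04 DE AD BE   ................
0010: EF                                                .
"""
```

Running `diagnose()` over the dump in this post would list the two CA names from the CertificateRequest and report `client_certs == 0`; the thing to compare against the list is the Issuer of the certificate on the client's key entry, which `keytool -list -v` prints together with the "Certificate chain length" of that entry.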
PEM or DER Format certificate chain
I have installed an ISE 1.2.0.899. It is used for Guest Services only; the customer requires all its employees to be able to access the sponsor portal and validate their credentials using LDAPS. Not LDAP, not the AD feature in ISE. The problem is that in order to enable LDAPS I must upload the root CA certificate to ISE, and the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and gave it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third party tools to convert the file (www.sslshopper.com and openssl). It appears the conversion is successful, but when I try to upload it to the ISE Certificate Store I always get the same error: "Unable to read certificate file - please be sure file is in PEM or DER format".
So the questions are:
1. Is the file provided by the PKI in p7b format always?
2. What should be the most proper way to convert the file to something the ISE can understand?
3. Should the root CA certificate be the very best option?
Despite the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files; I recovered them and uploaded them to ISE. With two of these three files selected on the LDAPS security configuration I can run the "Test bind to Server" successfully, but every time a user tries with their own credentials access is always denied with an "invalid username or password" error.
Looking in the ISE log I found these messages:
ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226
ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396
631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765
WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970
ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202
ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461
ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328
ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117
ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608
I have no idea what they mean.
Someone told me the conversion made with mmc on my PC was an error and I need to repeat the same process using administrative tools on a server.
I'm really confused and I don't know how to continue with a troubleshooting process.
How can I know the original file is correct?
How can I know the conversion is correct?
As the original chain includes three certificates, should I upload them to ISE separately or as one file?
Attached is the Sponsor policy screenshot. I have two rules with the same conditions, one for AD (just for test), one for LDAPS.
I will appreciate your help
Regards.
Daniel Escalante
Hi,
If you open the .p7b file on a Windows machine (Open, not Install):
Go to the Certification Path and click on the root certificate, then click View Certificate.
Now you have the root certificate.
Go to Details and click Copy to File. This gives you the option to export the root cert.
Click next, here you can select to save as Base-64 encoded (DER) that you can import in ISE.
Click next and save. Then try to import under Server certificates on ISE.
You can do this for the sub-CA cert in the chain as well.
HTH -
Hey All,
I am trying to set up a Managed Server and have it talk to the NodeManager running
(Weblogic 8.1 SP2) on the same machine. I can't, however, seem to get a good
SSL handshake between the two. I get the following error:
####<Mar 11, 2004 9:55:56 AM EST> <Warning> <Security> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <BEA-090508>
<Certificate chain received from hostname - ipaddress was incomplete.>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <Validation
error = 4>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <Certificate
chain is incomplete>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <SSLTrustValidator
returns: 4>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <Trust
status (4): CERT_CHAIN_INCOMPLETE>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <NEW
ALERT: com.certicom.tls.record.alert.Alert@1642565 Severity: 2 Type: 42
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:336)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(StreamEncoder.java:404)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:408)
at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:152)
at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213)
at java.io.BufferedWriter.flush(BufferedWriter.java:230)
at weblogic.nodemanager.client.CommandInvoker.execute(CommandInvoker.java:113)
at weblogic.nodemanager.client.CommandInvoker.invoke(CommandInvoker.java:91)
at weblogic.nodemanager.client.NodeManagerClient.executeCommand(NodeManagerClient.java:161)
at weblogic.nodemanager.client.NodeManagerRuntime.executeNMCommand(NodeManagerRuntime.java:1058)
at weblogic.nodemanager.client.NodeManagerRuntime.ping(NodeManagerRuntime.java:688)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.java:711)
at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:690)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1557)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1525)
at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.java:947)
at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:908)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:946)
at weblogic.management.internal.MBeanProxy.invokeForCachingStub(MBeanProxy.java:481)
at weblogic.management.runtime.NodeManagerRuntimeMBean_Stub.ping(NodeManagerRuntimeMBean_Stub.java:543)
at weblogic.management.console.webapp._domain.__machine._jspService(__machine.java:669)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:402)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:301)
at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:150)
at weblogic.management.console.actions.ForwardAction.perform(ForwardAction.java:35)
at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:173)
at weblogic.management.console.actions.internal.ActionServlet.doGet(ActionServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:402)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6350)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3635)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <write
ALERT offset = 0 length = 2>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <close():
28959207>
Here is what I have done:
1) I created a managed server using admin console
2) I created both an Identity and Trust keystore (jks type file) with the server's
private key (Identity) and the root trusted certificate authority (Trust).
3) I configured my managed server to use the two keystores
4) I edited the NodeManager.properties file to use the same keystores.
5) I started the NodeManager on the machine and I used the following command line
options by editing the %WL_HOME%\server\bin\startNodeManager.cmd file:
-Dweblogic.nodemanager.debugLevel=90
-Dssl.debug=true
-Djava.protocol.handler.pkgs=weblogic.net
6) I also added the following commands to my startWebLogic.cmd file:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dssl.debug=true
-Djava.protocol.handler.pkgs=weblogic.net
7) I started my admin server and created a Machine that included the managed server.
8) I configured the NodeManager properties for the Machine I created to point
to the NodeManager already running on that physical box.
9) I clicked on the tab to "Monitor" the NodeManager/Machine and it died giving
the above exception.
I would have no idea why the Certificate chain would be "incomplete". The Issuer
and Subject DNs match up fine:
PRIVATE KEY BEING LOADED BY SSL MANAGER:
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> < cert[0]
= [
Version: V3
Subject: CN=host dns name, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1a0
Validity: [From: Fri Mar 05 08:59:26 EST 2004,
To: Mon Mar 06 08:59:26 EST 2006]
Issuer: CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US
ROOT CERTIFICATE AUTHORITY BEING LOADED:
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> < cert[1]
= [
Version: V3
Subject: CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffa28
Validity: [From: Wed Jul 05 09:00:29 EDT 2000,
To: Tue Jul 04 09:00:29 EDT 2006]
Issuer: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
Anyway, if anyone could provide me with some insight as to why I might be receiving
this error I would be sincerely indebted to you. I can't seem to find any other
people with the same problem in the Support archives. Thanks for all of the help!
Regards,
Cabell Fisher
Hi,
Can you please help me;
I have a similar problem on WL7 SP4 ( UNIX )
I have made a site that checks an https site.
When I try to read the page of the site, I get the "Certificate chain is incomplete" message.
On WL8 (WINDOWS), I have no problem retrieving the certificate and then accessing the site.
I have read that this error occurs when the Root CA self-signed certificate is not included in the keystore.
I'm using the CACERTS keystore.
Can you tell me the process to generate the CA Root certificate and then import it into CACERTS?
Thanks a lot for your help.
Sincerely
Stephane -
Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer
Steps to fix this error when code signing an Adobe AIR application using a .p12 cert from Digicert - Unable to build a valid certificate chain for the signer
a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
b. On the middle of the page, download -
DigiCert Assured ID Code Signing CA-1
Valid until: 10/Feb/2026
Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
Thumbprint: B170A10819BEA936905D719E643399783E1F4567
Download
c. Install the cert in Firefox
d. Once done, export the code signing cert from Digicert again (click Firefox -> Preferences -> View Certificates -> highlight the Digicert code signing cert -> click Backup)
e. Done, the newly exported file should now have the valid certificate chain and that should fix the error "Unable to build a valid certificate chain for the signer"
Even though this is from Digicert, this should also work for other Certificate Authority providers assuming you download your provider's root cert for code signing.
Regards,
Reigner S. Yrastorza
Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
If you are using RoboHelp, which version?
See www.grainge.org for RoboHelp and Authoring tips
@petergrainge -
The verification of the server's certificate chain failed
Hi All,
Not sure this is the right forum for this but never mind.
I am trying to get abap2GApps working and am having problems with the client certificates.
I am getting the below error in ICM :-
[Thr 06] Mon Jul 30 09:34:47 2012
[Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 06] session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
[Thr 06] SecudeSSL_SessionStart: SSL_connect() failed
secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
[Thr 06] >> Begin of Secude-SSL Errorstack >>
[Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
[Thr 06] << End of Secude-SSL Errorstack
[Thr 06] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
[Thr 06] SSL NI-sock: local=172.30.7.170:59036 peer=172.30.8.100:80
[Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT
[Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]
Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.
For accounts.google.com they use (this set works) :-
1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
For docs.google.com they use a different set of SSL certs. :-
1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
2) CN=Google Internet Authority, O=Google Inc, C=US
3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Can anyone explain what I am doing wrong or how to correct this?
Thanks
Craig
Further UPDATE
After removing every certificate related to docs.google.com I still get the same error!
I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.
I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!
Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!
"Situation: The ICM is in the client role and the following entry is displayed in the trace:
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.
Solution:The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."
What could possibly be causing this?
Please help!
Craig -
Unable to build valid certificate chain
Hi,
I am trying to sign my AIR application using the Code Signing Certificate I got from Apple (iPhone Dev). I have Apple's Root Certificate and my certificate. I installed both and then exported my certificate as pkcs12 (.p12 file) using many methods like Windows Certificate Manager and Firefox. I also used Keychain Access on my Mac. However, when I try to sign, I get the following error:
Unable to build a valid certificate chain for the signer.
Some help would be great. Thanks.
Ok, I am making progress here.
I signed on to a fresh mac with an empty keychain. I imported AppleWWDRCA and then developer_identity. Now it shows that the certificate is valid. Now I deleted the certificate and I imported cert.p12 file that I had made. Now the certificate re-appeared in keychain along with a private key. I had to put a password set by me earlier when I made the p12 file.
The certificate is displayed under my private key. So it means that the p12 file has the private key and the certificate.
Now the only thing is that AIR gives me the error stating that it cannot build a certificate chain, which means there's no Root CA in the p12 file, or WWDRCA for that matter. From what I understand, these 2 certs need to be put inside the p12 file.
On a second note, Apple also provides a distribution cert besides the developer cert. But when I try to export the distribution cert, it asks for a password that I don't know (not got one for that). But I still think that I need to use the developer cert and not the distribution cert by Apple.
The question again boils down to putting the Apple Root CA inside the p12 in order for AIR SDK to build the chain. -
Unable to build a valid certificate chain for the signer
Updating an AIR application after a few years and needed a new signing certificate which I purchased from Comodo. Imported it successfully into Keychain Access and exported it as a pfx file. When I identified this certificate to Flash Builder it went all the way through the build process and then came up with the error "Unable to build a valid certificate chain for the signer".
I can see there was a discussion on this matter in October 2011 but this did not seem to answer my question as that guy was trying to use an Apple Dev Centre key rather than paying for one like I did.
TIA
David
In Keychain Access, command-click your Class 2/3 certificate, the CA's intermediate certificate, and the CA's root certificate before hitting export.
Short guide: Code Signing Certificates for Adobe Air in OS X -
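The WebLogic CERT_CHAIN_INCOMPLETE trace, the SAP "chain of certificates is incomplete" error, the ISE "Unknown CA - error unable to get issuer certificate locally" alert and the AIR "Unable to build a valid certificate chain for the signer" message are all the same condition: the verifier starts at the leaf certificate, follows issuer links through the certificates it was sent and the ones it holds locally, and runs out of certificates before reaching a root it trusts. The Python model below, an added example and not code from any of these threads, reproduces that walk on (subject, issuer) pairs and names the missing issuer. It uses the DNs printed in the WebLogic and SAP posts; the contents of each store in the two scenarios are constructed, `verify`, `weblogic_scenario` and `sap_scenario` are my names, and nothing but the name linkage is modelled (no signatures, validity dates or extensions). The `anchor_must_be_root` switch shows the difference between a validator that insists on reaching a self-signed root (the WebLogic 8.1 behaviour diagnosed later in that thread, and the SAP PSE) and one that accepts a locally trusted intermediate as the anchor.

```python
# Added example (not code from any thread above): a model of certificate path
# building that shows what "Certificate chain is incomplete" / "unable to get
# issuer certificate locally" mean and which certificate a store is missing.
# Only subject/issuer linkage is modelled; signatures, validity and extensions
# are left out. DNs come from the WebLogic and SAP posts; the store contents in
# each scenario are constructed.
MAX_DEPTH = 8

class Cert:
    def __init__(self, subject, issuer):
        self.subject, self.issuer = subject, issuer

    @property
    def self_signed(self):
        return self.subject == self.issuer

def verify(leaf, presented, trust_store, anchor_must_be_root=True):
    """Walk issuer links from `leaf` through the peer's `presented` chain and the
    verifier's local `trust_store`. With anchor_must_be_root=True the walk has to
    reach a self-signed certificate that is in the trust store; with False any
    locally trusted intermediate ends the walk successfully."""
    local = {c.subject: c for c in trust_store}
    sent = {c.subject: c for c in presented}
    path, cur = [leaf], leaf
    for _ in range(MAX_DEPTH):
        subjects = [c.subject for c in path]
        if cur.self_signed:
            status = "OK" if cur.subject in local else "UNTRUSTED_ROOT"
            return {"status": status, "path": subjects, "missing": None}
        if cur is not leaf and cur.subject in local and not anchor_must_be_root:
            return {"status": "OK", "path": subjects, "missing": None}
        nxt = local.get(cur.issuer) or sent.get(cur.issuer)   # local copy preferred
        if nxt is None:
            return {"status": "CERT_CHAIN_INCOMPLETE", "path": subjects, "missing": cur.issuer}
        path.append(nxt)
        cur = nxt
    return {"status": "CHAIN_TOO_LONG", "path": [c.subject for c in path], "missing": None}

# DNs as printed in the WebLogic and SAP posts above
DOD_ROOT = "CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US"
DOD_CA3 = "CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US"
DOD_HOST = "CN=host dns name, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US"
EQUIFAX = "OU=Equifax Secure Certificate Authority, O=Equifax, C=US"
GIA = "CN=Google Internet Authority, O=Google Inc, C=US"
GDOCS = "CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US"

def weblogic_scenario(root_in_truststore):
    """Identity keystore chain [host, CA-3]; trust keystore holds CA-3 and, optionally,
    the self-signed DoD root (constructed store contents)."""
    host, ca3, root = Cert(DOD_HOST, DOD_CA3), Cert(DOD_CA3, DOD_ROOT), Cert(DOD_ROOT, DOD_ROOT)
    trust = [ca3] + ([root] if root_in_truststore else [])
    return verify(host, presented=[host, ca3], trust_store=trust)

def sap_scenario(intermediate_in_pse):
    """PSE holds the Equifax root and, optionally, the intermediate; the server is
    assumed to send only its leaf certificate (constructed)."""
    leaf, gia, root = Cert(GDOCS, GIA), Cert(GIA, EQUIFAX), Cert(EQUIFAX, EQUIFAX)
    trust = [root] + ([gia] if intermediate_in_pse else [])
    return verify(leaf, presented=[leaf], trust_store=trust)

if __name__ == "__main__":
    for name, result in [("WebLogic, root missing", weblogic_scenario(False)),
                         ("WebLogic, root added", weblogic_scenario(True)),
                         ("SAP, intermediate missing", sap_scenario(False)),
                         ("SAP, intermediate added", sap_scenario(True))]:
        print(name, "->", result["status"], "missing:", result["missing"])
```

In the WebLogic scenario the walk finds CA-3 but then looks for "CN=DoD CLASS 3 Root CA" in both keystores and finds nothing, which is what the trace's two loaded certificates (cert[0] the host, cert[1] CA-3, whose Issuer is the root) already show; in the SAP scenario the PSE holds the root but the walk stops at "CN=Google Internet Authority" because nobody supplied the intermediate. In both cases the fix is to put the certificate named in `missing` into the store the verifier actually reads, one entry per certificate, which is also why a chain delivered as three files is only useful once every link is present.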
[Security:090508]Certificate chain received from 'hostname' was incomplete
Hey All,
I am trying to set up a Managed Server and have it talk to the NodeManager running
(Weblogic 8.1 SP2) on the same machine. I can't, however, seem to get a good
SSL handshake between the two. I get the following error:
####<Mar 11, 2004 9:55:56 AM EST> <Warning> <Security> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <BEA-090508>
<Certificate chain received from hostname - ipaddress was incomplete.>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <Validation
error = 4>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <Certificate
chain is incomplete>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <SSLTrustValidator
returns: 4>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <Trust
status (4): CERT_CHAIN_INCOMPLETE>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server>
<ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <NEW
ALERT: com.certicom.tls.record.alert.Alert@1642565 Severity: 2 Type: 42
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:336)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(StreamEncoder.java:404)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:408)
at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:152)
at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213)
at java.io.BufferedWriter.flush(BufferedWriter.java:230)
at weblogic.nodemanager.client.CommandInvoker.execute(CommandInvoker.java:113)
at weblogic.nodemanager.client.CommandInvoker.invoke(CommandInvoker.java:91)
at weblogic.nodemanager.client.NodeManagerClient.executeCommand(NodeManagerClient.java:161)
at weblogic.nodemanager.client.NodeManagerRuntime.executeNMCommand(NodeManagerRuntime.java:1058)
at weblogic.nodemanager.client.NodeManagerRuntime.ping(NodeManagerRuntime.java:688)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.java:711)
at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:690)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1557)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1525)
at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.java:947)
at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:908)
at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:946)
at weblogic.management.internal.MBeanProxy.invokeForCachingStub(MBeanProxy.java:481)
at weblogic.management.runtime.NodeManagerRuntimeMBean_Stub.ping(NodeManagerRuntimeMBean_Stub.java:543)
at weblogic.management.console.webapp._domain.__machine._jspService(__machine.java:669)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:402)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:301)
at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:150)
at weblogic.management.console.actions.ForwardAction.perform(ForwardAction.java:35)
at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:173)
at weblogic.management.console.actions.internal.ActionServlet.doGet(ActionServlet.java:91)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:971)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:402)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6350)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3635)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <write ALERT offset = 0 length = 2>
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> <close(): 28959207>
Here is what I have done:
1) I created a managed server using admin console
2) I created both an Identity and Trust keystore (jks type file) with the server's
private key (Identity) and the root trusted certificate authority (Trust).
3) I configured my managed server to use the two keystores
4) I edited the NodeManager.properties file to use the same keystores.
5) I started the NodeManager on the machine and I used the following command line
options by editing the %WL_HOME%\server\bin\startNodeManager.cmd file:
-Dweblogic.nodemanager.debugLevel=90
-Dssl.debug=true
-Djava.protocol.handler.pkgs=weblogic.net
6) I also added the following commands to my startWebLogic.cmd file:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dssl.debug=true
-Djava.protocol.handler.pkgs=weblogic.net
7) I started my admin server and created a Machine that included the managed server.
8) I configured the NodeManager properties for the Machine I created to point
to the NodeManager already running on that physical box.
9) I clicked on the tab to "Monitor" the NodeManager/Machine and it died giving
the above exception.
I would have no idea why the Certificate chain would be "incomplete". The Issuer
and Subject DNs match up fine:
PRIVATE KEY BEING LOADED BY SSL MANAGER:
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> < cert[0] = [
Version: V3
Subject: CN=host dns name, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@1a0
Validity: [From: Fri Mar 05 08:59:26 EST 2004,
To: Mon Mar 06 08:59:26 EST 2006]
Issuer: CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US
ROOT CERTIFICATE AUTHORITY BEING LOADED:
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> < cert[1] = [
Version: V3
Subject: CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffa28
Validity: [From: Wed Jul 05 09:00:29 EDT 2000,
To: Tue Jul 04 09:00:29 EDT 2006]
Issuer: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
Anyway, if anyone could provide me with some insight as to why I might be receiving
this error I would be sincerely indebted to you. I can't seem to find any other
people with the same problem in the Support archives. Thanks for all of the help!
Regards,
Cabell Fisher
Hi,
Can you please help me;
I have a similar problem on WL7 SP4 (UNIX).
I have made a site that checks an https site.
When I try to read the page of the site, I get a "Certificate chain is incomplete" message.
On the WL8 version (WINDOWS), I have no problem retrieving the certificate and then accessing the site.
I have read that this error occurs when the Root CA self-signed certificate is not included in the keystore.
I'm using the CACERTS keystore.
Can you tell me the process to generate the CA Root certificate and then import it into CACERTS?
Thanks a lot for your help.
Sincerely
Stephane -
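Both the NodeManager trace above and Stephane's reply report "Certificate chain is incomplete". As an added example (not code from either poster or from WebLogic), this script parses the cert[N] dumps that -Dssl.debug=true writes and walks issuer to subject until it reaches a self-signed certificate; if the walk stops short, it names the issuer DN that was never loaded. The log text is constructed to mirror the dump above.

```python
import re

# Constructed sample, mirroring the cert[N] dumps that WebLogic's
# -Dssl.debug=true output prints while the SSL manager loads certificates.
SAMPLE_LOG = """\
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> < cert[0] = [
Version: V3
Subject: CN=host dns name, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US
####<Mar 11, 2004 9:55:56 AM EST> <Debug> <TLS> <GENESIS2> <GENESIS2_Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <admin> <> <000000> < cert[1] = [
Version: V3
Subject: CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
"""
CERT_START = re.compile(r"cert\[(\d+)\]\s*=\s*\[")
FIELD = re.compile(r"^(Subject|Issuer):\s*(.+?)\s*$")

def normalize_dn(dn):
    """X.500 name matching ignores case and whitespace around separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_cert_dumps(log):
    """Collect {'index', 'subject', 'issuer'} for each cert[N] = [ ... ] dump."""
    certs, current = [], None
    for line in log.splitlines():
        m = CERT_START.search(line)
        if m:
            current = {"index": int(m.group(1))}
            certs.append(current)
            continue
        f = FIELD.match(line.strip())
        if f and current is not None:
            current[f.group(1).lower()] = f.group(2)
    return certs

def check_chain(certs):
    """Walk from cert[0] issuer-to-subject through the loaded certificates.
    Complete only if the walk ends at a self-signed cert (subject == issuer).
    Returns (complete, subjects_in_path, missing_issuer_dn_or_None)."""
    if not certs:
        return False, [], None
    by_subject = {normalize_dn(c["subject"]): c for c in certs}
    cur, path = certs[0], [certs[0]["subject"]]
    while normalize_dn(cur["subject"]) != normalize_dn(cur["issuer"]):
        nxt = by_subject.get(normalize_dn(cur["issuer"]))
        if nxt is None or nxt["subject"] in path:  # issuer never loaded, or a loop
            return False, path, cur["issuer"]
        cur = nxt
        path.append(cur["subject"])
    return True, path, None

if __name__ == "__main__":
    ok, path, missing = check_chain(parse_cert_dumps(SAMPLE_LOG))
    print("complete" if ok else "INCOMPLETE: no loaded cert has Subject %r" % missing)
```

On the sample the walk ends at DOD CLASS 3 CA-3, whose issuer (DoD CLASS 3 Root CA) appears in no dump, so the trust store needs that self-signed root before the chain can validate.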
OAM Access Server - Cannot load cert chain file aaa_chain.pem
Hi experts,
I am in the midst of changing the Transport Layer Security (TLS) of OAM Access Server from Open mode to Cert mode, and am encountering the error "not able to load aaa_chain.pem".
Below are the steps which I did:
1. Change the TLS mode for both Access Server and Webgate from Open >> Cert mode in the Access System console
2. Stop the Access Server from Services
3. From the <access server install dir> run ConfigureAAAServer.exe to generate aaa_req.pem and aaa_key.pem.
4. Copy the certificate request from the aaa_req.pem and submit to Internal CA (Ms CA).
5. Download the Certificate and Certificate Chain in Base 64 encoding, and rename into *.pem. E.g. certnew.cer >> aaa_cert.pem certnew.p7b >> aaa_chain.pem.
6. Copy *.pem files in to <access server install dir>/oblix/config
7. Rerun ConfigureAAAServer.exe to install the cert, all went smoothly without issue.
8. Start Access Server from Services. <<< Service failed to start.
NOTE: I did the same thing for Policy Manager: used genCert.exe to generate the certificate request, submitted it to the CA to sign, and installed it.
Checking the event viewer, the following error was found.
**===========================================================================**
Log Name: Application
Source: ObAAAServer-AccSvr01
Date: 16/8/2010 1:06:39 AM
Event ID: 1
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IDMsvr.SSO.com
Description:
The description for Event ID 1 from source ObAAAServer-AccSvr01 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Access Server Exception: Error: Cannot load cert chain file C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ObAAAServer-AccSvr01" />
<EventID Qualifiers="49152">1</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-08-15T17:06:39.000Z" />
<EventRecordID>1072</EventRecordID>
<Channel>Application</Channel>
<Computer>IDMsvr.SSO.com</Computer>
<Security />
</System>
<EventData>
<Data>Access Server Exception: Error: Cannot load cert chain file C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem</Data>
</EventData>
</Event>
**===========================================================================**
The ConfigureAAAServer.exe
C:\Program Files (x86)\NetPoint\access\oblix\tools\configureAAAServer>configureAAAServer.exe reconfig "C:\Program Files (x86)\NetPoint\access"
Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Simple) 3(Cert) : 3
Do you want to request a certificate (1) or install a certificate (2) ? : 1
Please enter the Pass phrase for this Access Server :
Do you want to store the password in the file ? : 1(Y) 2(N) : 1
Preparing to generate certificate. This may take up to 60 seconds. Please wait.
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to 'C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Some-Organization Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, hostName.domainName.com) []:IDMsvr.sso.com
Email Address []:.
writing RSA key
Your certificate request is in file : C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_req.pem
Please get your certificate request signed by the Certificate Authority.
On obtaining your certificate, please place your certificate in 'C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_cert.pem' file and the certificate authority's certificate for the corresponding component (for example: WebGate, AXML Server) in 'C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem' file.
Once you have your certificate placed at the above mentioned location, please follow the instructions on how to start the Access Server.
More Information on setting up Access Server in Certificate mode can be obtained from the Setup Installation Guide.
Access Server mode has been re-configured successfully.
Please note that new security mode will take effect only after the security mode for this Access Server is changed to 'cert' from the Access Manager System Console.
Do you want to specify or update the failover information ? : 1(Y) 2(N) :2
Please restart the Access Server from the Control Panel Services once you have placed your certificates at the above mentioned location.
Press enter key to continue ...
C:\Program Files (x86)\NetPoint\access\oblix\tools\configureAAAServer>configureAAAServer.exe reconfig "C:\Program Files (x86)\NetPoint\access"
Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Simple) 3(Cert) : 3
Do you want to request a certificate (1) or install a certificate (2) ? : 2
Please enter the Pass phrase for this Access Server :
Do you want to store the password in the file ? : 1(Y) 2(N) : 1
Please provide the full path to the Certificate key file [C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_key.pem] : C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_key.pem
Please provide the full path to the Certificate file [C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_cert.pem] : C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_cert.pem
Please provide the full path to the Certificate authority's certificate chain file [C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem] : C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_chain.pem
Access Server mode has been re-configured successfully.
Please note that new security mode will take effect only after the security mode for this Access Server is changed to 'cert' from the Access Manager System Console.
Do you want to specify or update the failover information ? : 1(Y) 2(N) :2
Please restart the Access Server from the Control Panel Services.
Press enter key to continue ...
**===========================================================================**
I followed through the documentation on OAM Identity & Common Admin - Chapter 8 guide.
Is there anything which I have missed, or is it something to do with the certificate?
Thanks in advance.
Regards,
Wing
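A pre-flight check for step 7 of the procedure above, added here and not part of the thread or of OAM: it reads the contents destined for aaa_chain.pem and reports whether they are actually PEM CERTIFICATE blocks, since a Base-64 .p7b keeps its PKCS7 framing when it is only renamed, and an editor-added BOM hides the BEGIN line. The sample file contents are constructed; FAKE_DER stands in for real certificate bodies.

```python
import base64
import re

# Constructed samples (not from the thread). FAKE_DER is a tiny DER SEQUENCE
# standing in for a real certificate body so the example runs offline.
FAKE_DER = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x05])).decode()
GOOD_CHAIN = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
              "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n") % (FAKE_DER, FAKE_DER)
RENAMED_P7B = "-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----\n" % FAKE_DER   # certnew.p7b -> aaa_chain.pem
BOM_CHAIN = "\ufeff" + GOOD_CHAIN                                            # saved by a BOM-adding editor

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def inspect_chain_file(text):
    """Return (problems, certificate_count) for the text of a PEM chain file."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM; PEM loaders expect '-----BEGIN' at the start of the line")
        text = text[1:]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM blocks found (DER file or wrong encoding?)")
    cert_count = 0
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:                     # binascii.Error is a ValueError
            problems.append("%s block: base64 decode failed (%s)" % (label, exc))
            continue
        if not der or der[0] != 0x30:                 # every X.509 cert is an outer SEQUENCE
            problems.append("%s block: payload is not a DER SEQUENCE" % label)
        elif label == "CERTIFICATE":
            cert_count += 1
        elif label == "PKCS7":
            problems.append("PKCS7 block: a Base-64 .p7b renamed to .pem is still a PKCS#7 bundle, "
                            "not a list of CERTIFICATE blocks")
        else:
            problems.append("%s block: unexpected in a certificate chain file" % label)
    if not problems and cert_count == 0:
        problems.append("no CERTIFICATE blocks found")
    return problems, cert_count

if __name__ == "__main__":
    for name, text in (("good", GOOD_CHAIN), ("renamed p7b", RENAMED_P7B), ("bom", BOM_CHAIN)):
        print(name, inspect_chain_file(text))
```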
Edited by: user13340813 on Aug 19, 2010 8:56 PM
No, you didn't do anything wrong, JeanPhilippe. I'm right there with you. There's even another thread on this issue:
<http://discussions.apple.com/thread.jspa?messageID=10808126>
I had the same problem: IMAP & POP services would not launch using SSL. Finally got it resolved today. It had nothing to do with certificates and their names, or creating them in openssl, and everything to do with a botched dovecot.conf file, courtesy of Server Admin.
It appears that every time I changed the certificate for IMAP & POP SSL in Server Admin, it appended the new selection to the dovecot.conf file on 3 separate lines. The result was an unhealthy list of every certificate file Server Admin had ever been pointed to for this service.
After making a backup, I edited the file (/etc/dovecot/dovecot.conf) down to the single cert file I wanted it to use. It happened to be first in the list, FWIW.
If you want to duplicate this, look for the lines beginning with:
"ssl_cert_file"
"ssl_key_file"
"ssl_ca_file"
Obviously you need to be careful in there. But I did not even have to bounce the service before it took my changes. Thankfully, Server Admin did not overwrite my edits (which I've seen happen with manual config of other services, such as the iChat service.)
Good luck, and let me know if I can provide more detail.