Check SSL certificate?

What I want is to ensure that my app always connects only to
my server (https). If someone puts https proxy in the middle it's
possible to intercept all the communication. Yes, so the user will
get cert warning prompt but it never stops anybody from clicking
OK. I wonder whether if it's possible for my app (Flex 3) to check
that SSL certificate is the correct one and refuse working if not?
My guess is not since all SSL is handled by the browser but
it never hurts to ask... maybe some Javascript gimmick could
work?

Hi Simone,
I'm not aware of such feature on the 4710 but rather on the ACE XML .
Alessandro
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

Very strange behaviour of checking valid SSL certificates

While sniffing our network to solve a problem of using the Exchange Account on Iphone OS 3.1 I saw something strange:
To use the Exchange Account on the Iphone, you first have to type your E-mail address, then optional domain, then the username/password.
When you are finished the Iphone starts to check the validity of the SSL-Certificate in the following way:
It takes the Domain from the right side of the "@"-sign and does something like "dig @domain.tld" and checks there if an valid certificate can be found. In my opinion this does not make sense, because Iphone does not check the certificate of the Exchange/Reverse Proxy. It checks whereever the dig leads it.
I tried this with 4 different domains.
Did anybody have the same problem?

Cliff, Hi. I'm curious because this can't work. I have no problem synching with the exchange - as long as i accept the message that the certificate of the exchange (which is not the certificate of the exchange but the certificate of dig @reighthandsideofmailadress) is not valid (expired, wrong common name etc).

How to Create SSL certificate for HTTPS Connection in SAP PI

Hi,
          I have Proxy to HTTPS scenario. I need to provide my SSL certificate( SAP PI SSL Certificate) to the vendor.
          How to generate SAP PI SSL certificate. I have already imported vendor certificate using STRUST T-code.
         I am not sure from where to generate SAP PI SSL certificate that need to be shared with vendor.
         Please help me on this issue.
Thanks,
Siva

Hi,
Check if it helps:
http://help.sap.com/saphelp_nwpi711/helpdata/en/49/26af8339242583e10000000a421937/frameset.htm
But as mentioned for the colleague above, you can create that on Visual Administrator Tool -> Keystore
Regards,
Caio Cagnani

How can i refresh an SSL certificate for a specific page?

i am trying to access my electronic training jacket on Navy Knowledge Online to check the status of my security clearance. the ETJ page requires an SSL certificate. when i initially loaded the page the message window popped up prompting me to add the security exception and get the certificate. i got the certificate and continued to load the page but it came up with HTTP error 403.7 saying that i didn't have the certificate i needed. for some reason NKO isn't recognizing the certificate i got so i need to clear that certificate and get a new one that hopefully the server will recognize. how can i do this?

You can try to remove that certificate here:
Edit > Preferences > Advanced > Encryption: Certificates > View Certificates

Cannot display images after updating SSL certificate

Hello All,
With the changes in SSL certificates (no support for .local domains in public certificates), I had to update the SSL certificate used for our Exchange 2010 Server. We are a small organization with a single server running Exchange Server 2010.
There were some articles about how to change the URL's within Exchange to use the public (not .local) domain names. We followed these instructions and now, when a user using Outlook sends an e-mail with an image embedded to other users in the domain,
they see a placeholder for the graphic with the text "The linked image cannot be displayed. The file may have been moved, renamed, or deleted. Verify that the link points to the correct file and location." . This is causing a great
deal of concern to the users and I cannot find anything on how to fix or even troubleshoot this issue. Any assistance will be greatly appreciated.
Thanks in advance,
Allen
Long time IT professional always learning the new stuff! Thank you for your assistance.

Hi,
According to your post, I understand that client face an problem “The linked image cannot be displayed. The file may have been moved, renamed, or deleted. Verify that the link points to the correct file and location” after change SSL certificate.
If I misunderstand your concern, please do not hesitate to let me know.
Do you see the "page cannot be displayed" error only from your DC server or also from a Windows 7 client machine? What browser do you use and what version?
Please run “certutil –store” command from a command to verify that the certificate is correctly installed in the certificate store. Also run “certutil -store my” to check the certificate from CA.
If the certificate is already installed, please refer to below link to check the value of Cache in registry:
https://support.microsoft.com/en-us/kb/2753594
Thanks
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Allen Wang
TechNet Community Support

Can't get mail to work with SSL certificates

I'm setting up a 10.5.3 mail server and wanted to enable SSL for SMTP and IMAP.
It all works fine if I use the Default certificate that the server generates automatically. But if I want to generate a new certificate with a pass phrase it stops working.
You start seeing errors like the in the system log:
May 30 18:29:19 megalon postfix/smtpd[1143]: warning: cannot get private key from file /etc/certificates/myserver.mydomain.com.key
May 30 18:29:19 megalon postfix/smtpd[1143]: warning: TLS library problem: 1143:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
May 30 18:29:19 megalon postfix/smtpd[1143]: warning: TLS library problem: 1143:error:0906A068:PEM routines:PEMdoheader:bad password read:pem_lib.c:401:
May 30 18:29:19 megalon postfix/smtpd[1143]: warning: TLS library problem: 1143:error:140B0009:SSL routines:SSLCTX_use_PrivateKeyfile:PEM lib:ssl_rsa.c:709:
May 30 18:29:19 megalon postfix/smtpd[1147]: warning: cannot get private key from file /etc/certificates/myserver.mydomain.com.key
May 30 18:29:19 megalon postfix/smtpd[1147]: warning: TLS library problem: 1147:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
May 30 18:29:19 megalon postfix/smtpd[1147]: warning: TLS library problem: 1147:error:0906A068:PEM routines:PEMdoheader:bad password read:pem_lib.c:401:
May 30 18:29:19 megalon postfix/smtpd[1147]: warning: TLS library problem: 1147:error:140B0009:SSL routines:SSLCTX_use_PrivateKeyfile:PEM lib:ssl_rsa.c:709:
Anyone know how to fix this?

I still think there's something wrong with Server Admin in 10.5 that's stopping this from working.
I've checked the certificate I'm using on my 10.4.11 mail server and it's key file is encrypted but SMTP mail works fine over SSL. I imported the certificate using Server Admin, I didn't edit the config file manually.
How would the system be decrypting the key before postfix uses it in 10.4? Any why doesn't this work in 10.5?

Exchange 2010: How to renew an SSL certificate?

Hi all. I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010. I really don't want to mess this one up by cobbling together partial answers
from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out.
This is a standard GoDaddy 5-domain UCC certificate. There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet). The existing certificate expires in a month or so.
I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions just that so far no single forum post nor MS TechNet article
has addressed all my concerns, or in some cases information conflicts. So my concerns for example are: can you do a renewal for a certificate before the old one expires? It is actually a renewal, or are you adding a 2nd certificate?
Do you have to do anything in IIS or does EMC or EMS do all that for you?
Thank you.

-->Can you do a renewal for a certificate before the old one expires?
Yes. Normally 3rd party CA allows you to renew certificate before the current one expires.
-->It is actually a renewal, or are you adding a 2nd certificate?
You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
-->Do you have to do anything in IIS or does EMC or EMS do all that for you?
You will have to do it from MMC or EMS. No need to do anything from IIS.
Follow the steps below to make your work easy or follow the video in this site site.http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
1. Run this command from EMS to generate CSR. You can see the CSR named "newcsr.txt" in C:\CSR
folder
Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellavue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
3. Open Exchange MMC. Go to Server configuration. Right click on the pending request. Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
5.Delete the old one certificate from MMC.
From EMS use this command
Remove-ExchangeCertificate -Thumbprint <old cert thumprint>
You can see the the certificate thumprints using Get-ExchangeCertificate command
MAS. Please dont forget to mark as answer if it helped.

File Adapter FTP SSL SSL Certificate Exception

After reviewing the results of searching on this error, I do not find anything that fits my situation:
SAP File Adapter (PI 7.1) using FTP with FTPS connection security.
I am not using X.509 certificate for client authentication.
My connection is using a non-public certificate.
I have added the SSL certificate to TrustedCAs and DEFAULT keystores.
I am getting the following error:
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Since I am using an non-public certificate, it will not validate. Even adding to the TrustedCAs and DEFAULT keystore it seems the configuration is still attempting to validate the certificate.
Any recommendations?

Hi,
The main reasons for this error are:
1. The correct server certificate could not be present in the TrustedCA
keystore view of NWA. Please ensure you have done all the steps
described in these two URLs:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
0a1550b0/frameset.htm
2. The server certificate chain contains expired certificate. Check for
it (that was the cause for other customers as well) and if it's the case
renew it or extend the validation.
3. Some other people have reported similar problem and mainly the
problem was that the certificate chain was not in correct
order. Basically the server certificate chain should be in order
Own->Intermedite->Root. To explain in detail, if your server certificate
is A which is issued by an intermediate CA B and then B's certificate is
issued by the C which is the root CA (having a self signed certificate).
Then your certificate chain contains 3 elements A->B->C. So you need to
have the right order of certificate in the chain. If the order is B
first followed by A followed by C, then the IAIK library used by PI
cannot verify the server as trusted. Please generate the certificate in
the right order and then import this certificate in the TrustedCA
keystore view and try again. Please take this third steps as the
principal one.
Hope it solves your querie.
Regards,
Caio Cagnani

Error after SSL Certificat update

I updated the SSL certificate on a Win2003 SP2 server with IIS6.0
The initial certificat was a single URL certificate and is replaced by a wildcard one.
After installing the certificate (and it's CA chain) using the mmc I changed the certificate in IIS and configured the SSLBinding using "cscript.exe
adsutil.vbs".
The result is an SSL ERROR.
The CA chain and the certificate are two CRT files.
Here is the result of the "certutil.exe -store my"
command :
C:\Documents and Settings\Administrateur.W2K79>certutil -store my
================ Certificat 0 ================
Numéro de série : 4899717f3b1ba89dedb7c472d575cb01
Émetteur: CN=Thawte SSL CA, O=Thawte, Inc., C=US
Objet: CN=*.bourgenbresse.fr, OU=Collectivite, O=COMMUNE DE BOURG EN BRESSE, L=B
OURG EN BRESSE, S=Ain, C=FR
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): eb 03 df 43 a8 03 e5 5f b1 52 fc e7 5b a9 0b 0c 19 2a 15 8a
Aucune information sur le fournisseur de clé
Pas de propriétés pour le jeu de clé dans le magasin
================ Certificat 1 ================
Numéro de série : 023fcc
Émetteur: CN=GeoTrust DV SSL CA, OU=Domain Validated SSL, O=GeoTrust Inc., C=US
Objet: CN=www.portailenfance.bourgenbresse.fr, OU=Domain Control Validated - Qui
ckSSL(R) Premium, OU=See www.geotrust.com/resources/cps (c)11, OU=GT68088061, O=
www.portailenfance.bourgenbresse.fr, C=FR, SERIALNUMBER=R2RJ3sRPOrW0Q3XZYvvpcP05
TqodNAru
Il ne s'agit pas d'un certificat racine
Hach. cert. (sha1): 12 49 a6 95 9a 67 05 86 d9 a3 64 cb a7 a7 78 ee 6c eb 94 52
Conteneur de clé = cecd6bee4621365b6e763b9bfcd773cf_b3f7eefb-5c14-4333-a5bb-29
d40b271698
Fournisseur = Microsoft RSA SChannel Cryptographic Provider
Succès du test de cryptage
CertUtil: -store La commande s'est terminée correctement.
Please help !

It seems that the key for the wild card certificate has not been found. The output shows a valid key for the other cert. ("1") but no key information for the wild card cert ("0"). I assume, that when you double-click the certificate in
the computer's Personal store you don't see the message You have a Private Key...
(on the bottom of the General tab), right?
Windows 2003 sometimes needed some extra effort to "connect" key and certificate, in addition to just importing it (I am assuming that you imported it to the machine where you had created the key).
Check if the command line tool certutil is available. If not, install the W2K3 admin pack (download e.g.
here).
Double-click the new server certificate, go to Details...
Scroll down the list of attributes and locate the Serial Number. Copy the serial number value.
At the command shell run as a local admin:
certutil -repairstore my "<Serial Number>"
If this has been successful you should now see the message You have a Private Key... when double-clicking the certificate.
Elke

SSL certificate problem on most https websites

Some https sites can not be reached in my system, and it is going to include more https sites as times goes by. I have noticed that the problem is the SSL certificate. I even check an arch iso and there I have the same problem. I tetsted two thing in case it rings any bell for you
omid@localhost›~⁑ curl -v https://github.com
* Rebuilt URL to: https://github.com/
* Adding handle: conn: 0x1757250
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1757250) send_pipe: 1, recv_pipe: 0
* About to connect() to github.com port 443 (#0)
* Trying 192.30.252.128...
* Connected to github.com (192.30.252.128) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to github.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to github.com:443
in which you can see the problem. But
omid@localhost›~35↵⁑ curl -v3 https://github.com
* Rebuilt URL to: https://github.com/
* Adding handle: conn: 0xf31250
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0xf31250) send_pipe: 1, recv_pipe: 0
* About to connect() to github.com port 443 (#0)
* Trying 192.30.252.129...
* Connected to github.com (192.30.252.129) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=5157550; street=548 4th Street; postalCode=94107; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
* start date: 2013-06-10 00:00:00 GMT
* expire date: 2015-09-02 12:00:00 GMT
* subjectAltName: github.com matched
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance EV CA-1
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.33.0
> Host: github.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server GitHub.com is not blacklisted
< Server: GitHub.com
< Date: Fri, 06 Dec 2013 09:55:10 GMT
< Content-Type: text/html; charset=utf-8
< Status: 200 OK
< Cache-Control: private, max-age=0, must-revalidate
< Strict-Transport-Security: max-age=2592000
< X-Frame-Options: deny
< Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 06-Dec-2033 09:55:10 GMT; secure; HttpOnly
which seems OK. Is there even anyway to add certificate to avoid this strange behavior. I use an updated x86_64 KDE.
Last edited by nikta (2013-12-06 11:37:06)

[omid@localhost ~]$ ldd `which curl`
linux-vdso.so.1 (0x00007fff8bd7c000)
libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f9f479c6000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007f9f477b0000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f9f47592000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f9f471e7000)
libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f9f46fbe000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f9f46d51000)
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f9f46949000)
/lib64/ld-linux-x86-64.so.2 (0x00007f9f47c2b000)
libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f9f46745000)
[omid@localhost ~]$ pacman -Q|egrep '(openssl|curl|ca-cert)'
ca-certificates 20130906-1
ca-certificates-java 20130815-1
curl 7.33.0-3
lib32-openssl 1.0.1.e-2
mingw-w64-openssl 1.0.1e-4
openssl 1.0.1.e-5
Last edited by nikta (2013-12-06 13:15:18)

Exchange 2013 autodiscover finds external & internal SSL certificate causing autodiscover to fail

<p>Hi:</p><p>I'm currently working on a windows 2012 server, with exchange 2013, lets say our internal domain is "cars.com" and ALSO the case for our external domain. We have purchased an SSL wildcard positive certificate
*.cars.com so that we could configure Outlook Anywhere, we have created the needed DNS records at godaddy and our internal server, OWA, ECP it all works if you go to  <a href="https://bird.cars.com/owa">https://bird.cars.com/owa</a>
because we have a DNS record for bird in godaddy and out local server, so all of that is working like a pro ! here comes the tricky part, our website is registered in godaddy but hosted by someone else a company called poetic systems; when we test the connection
with the remote connectivity analyzer website we get a very peculiar error that says SSL certificate not valid, now it provides the name of the certificate it found and is not ours, we found that the hosting company is listening in port 443, therefore, it
is pulling their self signed certificate also, does anyone have a fix for this, I have done this same setup before for other companies and this is the first time a situation like this happens. I REALLY NEED HELP !!!!!</p>

Hi,
According to your description, there is a certificate error when you test Outlook Anywhere connection by ExRCA.
If I misunderstand your meaning, please feel free to let me know.
And to understand more about the issue, I’d like to confirm the following information:
What’s detail error page?
Check the Outlook Anywhere configuration: get-outlookanywhere |fl
Check the certificate : get-exchangecertificate |fl
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support

Problem in installation of free SSL certificate on Weblogic using keytool

We tried to install SSL certificate on weblogic certificate using Keystore ..but it is giving error in console at startup and server shutdowns automatically...
Steps followed:-
1) To generate keystore and private key and digital cerficate:-
keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
2) To generate CSR
keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
3) CSR is uploaded on verisign site to generate free ssl certificate.All certificate text received is paste into file (cacert.pem)
4) Same certificate is put into same keystore using following command
keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
(intermediateCa.cer file is downloaded from verisign site)
keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
6) After this configuration we used weblogic admin module to configure Keystore and SSL.
7) For KeyStore tab in weblogic admin module, we have select option Custom Identity And Custom Trust provided following details under Identity and Trust columns:-
Private key alias: mykey2
PassKeyphrase: webconkeystorepassword
Location of keystore: location of webconkeystore.jks file on server
8) For SSL tab in weblogic admin module, we have select option KeyStores for Identity and Trust locations.
Error on console:
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
<Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
If anyone knows the solution ,please help us out.Thanx in advance.
I was really happy to get reply yesterday from "mv".I was not expecting such instant response.

Thanx all guys for your interest and support.
I have solved this issue.
We have weblogic 9 on unix env.
Following steps which I followed:
#generate private key
keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
#generate csr
keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
Then we uploaded this csr on verisigns free ssl certificate to generate and receive certificate text.
We copied that text file in "ert4nov2009.crt" rt file used below.
Apart from that , mail which we received from verisign also contains links to download root ca certificate and intermediate ca certificate.We downloaded them.
roo ca in "root4nov2009.cer" file.
intermediate ca in "intermediateca4nov2009.cer"
both these files used in
#import root certificate
keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
#import intermediate ca certificate
keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
#install free ssl certifiate
keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
#after this admin configuration
In weblogic admin console module, we did following settings:-
1. under Configuration tab
a. Under KeyStore tab
For keystore , we selected "Custom identity and Custom Trust"
Under Identity,
Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase:password for keystore mentioend above.In our case, webconkeystorepassword
Same we copied Under "Trust", as we have not created separate keystore for trust.
Save setting.
b. Under SSL tab
Identity and Trust Locations: select "Keystores"
Private Key Alias: alias used while creating private keyi.e. in our case "uinbrdcsap01_apac_nsroot_net"
Save setting.
c. Under General tab
Check checkbox "SSL Listen Port Enabled"
and mention ssl port "SSL Listen Port"
Save setting.
After this activate changes.You might see error on admin module.
Using command prompt, stop the server and again restart and then try to access using https and port ...
you will definately get output...
in our case issue might be due to key size..we used 1024 key size ..it solve problem.
for your further reference plz find link below..it is also helpful.
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674

SSL Certificate Install Problem

To all Sun App Server Gurus,
I face a major challenge trying to install an SSL certificate on our Application Server.
The Manage Database was successful.
I filled out the certificate request form in the Security > Certificate Management > Request section and forwared the information / CSR to the CA.
The certificate is issued and validated by our CA.
I follow the steps according the documentation to import the certificate.
I specify the following to import the certificate
1) Certificate for : o This Server
2) Cryptographic Module: internal
3) Key Pair File Password: **************
4) Message Text (with headers):
-----BEGIN CERTIFICATE-----
U0UgT05MWSAtIE5PIFdBUlJBTlRZIEFUVEFDSE.....
-----END CERTIFICATE-----
5) Click OK
The next screen shows the certificate information which are correct as well.
After pressing "Add Server Certificate" it take about 20 seconds until I receive a pop error message. It says: "Incorrect Useage: No Private Key. The server could not find the private key associated with this certificate."
After I click OK the Admin GUI displays the following error in the browser: "Not Found
The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it. "
Security > General
Log Level: finest
Audit Logging Enabled: unchecked
Default Realm: file
Anonymous Roule: ANYONE
In the admin server log I get the following entry:
WARNING ( 1182): for host x.x.x.x trying to GET /instance-server1/admin/bin/(null), cgi_start_exec reports: HTTP4049: cannot find CGI program /opt/SUNWappserver7/lib/admincgi/(null) (File not found)
I checked the directories and they all exist and the admincgi even has files included. I don't know which one should be missing.
I also reinstalled the App Server twice so far and used the default options.
If anyone could please help me with this that would be extremly helpful.
Thank you.
Regards,
Martin

try converting your key from der2pem using
java utils.der2pem {keyfile in der} {keyfile out in pem}
thanks
kiran
"eraldo" <[email protected]> wrote in message
news:[email protected]..
hi,
I tried to install SSL certicate on a Weblogic 6.1 SP3 (running on a
Solaris 8). Following the post 5457 (found in your newsgroup) I made
this steps:
- I generated CSR using web application /certificate
- I sent CSR to Entrust.com obtaining a certicate and a chain
certificate
- I configured the server under "Configuration - SSL" with following
parameters:
- Enabled = true
- Listen port = 8002
- Server Key File Name = <path to private key ".der" file>
- Server Certificate File Name = <path to Entrust CRT ".pem" file>
- Server Certificate Chain File Name = <path to Entrust CA ".pem"
file>
- Key Encrypted = true
- I changed startWebLogic.sh:
- added "-Dweblogic.management.pkpassword=<my_pwd>" to JAVA command
line
Launchin' the script I got the following exception:
<Nov 22, 2002 2:34:44 PM GMT-01:00> <Alert> <WebLogicServer> <Security
configuration problem with ce
rtificate file config/sdfdomain/H3MIS097_H3G_IT-key.der,
java.io.IOException: weblogic.security.Ciph
erException: Invalid padding length 48>
java.io.IOException: weblogic.security.CipherException: Invalid
padding length 48
atweblogic.security.RSAPrivateKeyPKCS8.input(RSAPrivateKeyPKCS8.java:157)
atweblogic.security.RSAPrivateKeyPKCS8.<init>(RSAPrivateKeyPKCS8.java:125)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:391)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1097)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:490)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:206)
at weblogic.Server.main(Server.java:35)
Any idea?
Thanks in advance,
Eraldo

Importing external web service with SSL certificate security

Hello,
I'm trying to import an external web service (that resides in another server, independent of ours). However, right after I enter the WSDL in the import window I get the following error in the NWDS:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target      [Error: com.sap.ide.es.core.ui.internal.wizards.fragments Thread[ModalContext,6,main]]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
          at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
          at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
          at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
          at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
          at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
          at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
          at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
          at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.getURLAsStream(UrlValidationRunnable.java:137)
          at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.validate(UrlValidationRunnable.java:75)
          at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.run(UrlValidationRunnable.java:55)
          at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
          at sun.security.validator.Validator.validate(Validator.java:218)
          at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
          at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
          at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
          ... 15 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
          ... 21 more
Has anyone ever consumed an external web service with SSL certificate security? How do you import this in your Web Dynpro project?
Cheers!

Hi Alain,
I just checked on a newer NW environment (NW 7.2) and was presented an empty list as well... It seems the mapping procedure I described is deprecated since NW 7.11, and the modeled CAF application service is already exposed as a web service.
You may want to have a look at http://help.sap.com/saphelp_nwce711/helpdata/en/43/f173947bbb025be10000000a1553f7/content.htm or http://scn.sap.com/message/7852996 for more info

SSL Certificate Error in AIX server~~~SCOM 2012 R2

Hi Everyone,
While installing SCOM client i am getting below error. Plz suggest.
Agent verification failed. Error detail: The server certificate on the destination computer (FQDN(Server Name):1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.
The SSL certificate is signed by an unknown certificate authority.
It is possible that:
1. The destination certificate is signed by another certificate authority not trusted by the management server.
2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection. The FQDN used for the connection is: FQDN serve
3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.
The server certificate on the destination computer (FQDN(Server Name:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.
The SSL certificate is signed by an unknown certificate authority.
It is possible that:
1. The destination certificate is signed by another certificate authority not trusted by the management server.
2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection. The FQDN used for the connection is: FQDN serve.
3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.

Hi Pawan
Have you exported/imported scx certificates?
Check out Kevin Holmans blog on installation of UNIX/Linux agents:
http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx
www.coretech.dk - blog.coretech.dk

Check SSL certificate?

Similar Messages

Maybe you are looking for