Concentrator SSL Certificate Expirtation
I'm getting the following message alert from my 3000 Concentrator: SSL certificate will expire in 26 daysIssuer. It appears that this certificate (public/private) as well as an identity certificate are being issued by one of our 2003 servers (not 3rd party). I'm tempted to press the renew buttons on each of these certificates; however, being new to this arena, I'm leary about what might (or might not ) happen. My research tells me that this may result in the certificate being rejected. Can someone give me an overview of what these certificates are doing and what I need to do to get myself back into comfortable breathing status again? Thanks.
generating the ssl certificates seemed to work; however, I accepted the defaults and instead of the certificates being issued by my local ca server, it thinks its being issued by cisco systems. I don't know if this is going to work or for how long. I tried renewing them and it bombed miserably. I don't even know what these certificates do but from what I've read, it has something to do with the https management interface. My identity certificate doesn't have a 'generate' option only renew or delete. I have tried renewing and it bombs as well. It shows up in enrollment status however when I click to install and use cut and paste, I get the following message: Error installing identity certificate: Bad file format. Not having had to deal with certificates until now, I find this whole thing confusing and frustrating. I'm finding Cisco documentation to be worthless as it might as well be trying to tell me how to shave a peanut. I thought I read somewhere that you need to delete the certificate first before trying to renew, but I am extremly reluctant to do so. Any comments would be most appreciated.
Similar Messages
-
Issue: Could not connect to my own server after deletion of SSL certificate despite having SSL disabled
Hello,
I admit I am lay user with rudimentary SSL knowledge and I therefore messed up my certificates and I could no longer access my own server (Wikis, WebDav, Device Manager) with Safari. (error: Safari can't connect to server)
Eventually, I could resolve the problem but I do not understand why there was problem in the first place.
Maybe someone can explain that to me ?
OK, here is what I did:
I created a Certificate Authority because I wanted to use a free SSL Server certificate for our private server.
(I followed http://www.techrepublic.com/blog/mac/create-your-own-ssl-ca-with-the-os-x-keycha in/388 )
Despite several attempts I never got the server to accept the certificate for web services, the certificate was accepted for iCal, Mail and iChat but not for Web services. I tested an older certificate that was created when I set up the server and that that worked for all services incl. Web. So the problem was with my certificate only.
Out of desperation and lack of concentration I deleted the "original" certificate.
Now, I soon noticed that I could no longer log in to my server. I solved the problem by restoring the original certificate.
My question:
I had SSL disabled in the Server app settings. Why does Safari still look for a proper certicate ? (the server logfile had an entry that a .pem file could not be found which makes sense if the cert has been deleted)
I would be very grateful for an expert advice.
Regards,
TwistanBecause....
the server does not have a 'trusted' certificate assigned to it.
Only the RDP Gateway has the trusted certificate for the external name.
If you want to remove that error, you have to do one of the following:
Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
So, something like,
server.domain.publicdomain.com
Or,
Install that certificate on your remote computer so it is trusted.
Robert Pearman SBS MVP
itauthority.co.uk |
Title(Required)
Facebook |
Twitter |
Linked in |
Google+ -
What kind of SSL Certificate to use on Profile Manager?
I would like to get my SSL CSR signed to use it with Profile Manager, but on the CA's website it asks me what kind of SSL Certificate I need giving me these options:
<option value=1>AOL</option>
<option value=2>Apache-ModSSL</option>
<option value=3>Apache-SSL (Ben-SSL, not Stronghold)</option>
<option value=4>C2Net Stronghold</option>
<option value=33>Cisco 3000 Series VPN Concentrator</option>
<option value=34>Citrix</option>
<option value=5>Cobalt Raq</option>
<option value=6>Covalent Server Software</option>
<option value=29>Ensim</option>
<option value=32>HSphere</option>
<option value=7>IBM HTTP Server</option>
<option value=8>IBM Internet Connection Server</option>
<option value=9>iPlanet</option>
<option value=10>Java Web Server (Javasoft / Sun)</option>
<option value=11>Lotus Domino</option>
<option value=12>Lotus Domino Go!</option>
<option value=13>Microsoft IIS 1.x to 4.x</option>
<option value=14>Microsoft IIS 5.x to 6.x</option>
<option value=35>Microsoft IIS 7.x and later</option>
<option value=15>Netscape Enterprise Server</option>
<option value=16>Netscape FastTrack</option>
<option value=17>Novell Web Server</option>
<option value=18>Oracle</option>
<option value=30>Plesk</option>
<option value=19>Quid Pro Quo</option>
<option value=20>R3 SSL Server</option>
<option value=21>Raven SSL</option>
<option value=22>RedHat Linux</option>
<option value=23>SAP Web Application Server</option>
<option value=24>Tomcat</option>
<option value=25>Website Professional</option>
<option value=26>WebStar 4.x and later</option>
<option value=27>WebTen (from Tenon)</option>
<option value=31>WHM/CPanel</option>
<option value=28>Zeus Web Server</option>
<option value=-1>OTHER</option>
which one should I use?If the Certificate is already on your Mac, you can examine it in the "Keychain Access" application. What they are asking you is who issued the Certificate. If you do not see the Issuer listed, try "Other".
-
How to Create SSL certificate for HTTPS Connection in SAP PI
Hi,
I have Proxy to HTTPS scenario. I need to provide my SSL certificate( SAP PI SSL Certificate) to the vendor.
How to generate SAP PI SSL certificate. I have already imported vendor certificate using STRUST T-code.
I am not sure from where to generate SAP PI SSL certificate that need to be shared with vendor.
Please help me on this issue.
Thanks,
SivaHi,
Check if it helps:
http://help.sap.com/saphelp_nwpi711/helpdata/en/49/26af8339242583e10000000a421937/frameset.htm
But as mentioned for the colleague above, you can create that on Visual Administrator Tool -> Keystore
Regards,
Caio Cagnani -
Office Web Apps Server SSL Certificate
Hi
I am deploying Office Web App Server for Integration with Lync 2013. I opted for secure communication with SSL Certificate. I want this server available to internal and external users.
I am little confused over CA for Issuance of SSL Certificate. On most of the forums, I found SSL Certificate to be issued by Internal CA. If so, will this also work for external users?
If not, then plz guide me for Generating Certificate Request on Office Web App Server to be submitted to External CA for Issuance of Certificate.
Regards.Hi,
Thanks for your posting in this forum.
I have moved this thread in Lync Server 2013-Management, Planning, and Deployment forum for more dedicated support.
Thanks for your understanding.
Best Regards,
Wendy
Wendy Li
TechNet Community Support -
SSL Certificate Export Password
Hi ,
I am trying to export certificate and Key from CSS, Unforunately i do not have password from them.
Is their anyway to recover password or can i export keys and certificate without password.
Thanks in Advance
AniruddhaI think the only way to export the key is to use the password issues when importing the key. The SSL Certificate and Key are stored in DES encryption. There is no way to get the key without the password for the certificate and key except to break DES or guess the password.
-
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cachecookies.squite answer is Today at 5:15 PM .
New profile, same problem.
We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
(3) different virus scanners, no hard core problems.
Suspect how I have something in Windows setup that no one else is using? -
Is it possible to use single ssl certificate for multiple server farm with different FQDN?
Hi
We generated the CSR request for versign secure site pro certificate
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
SSL Certificate for cn=abc.com considering abc.com as our major domain. now we have servers in this domain like www.abc.com, a.abc.com , b.abc.com etc. we installed the verisign certificate and configured ACE-20 accordingly for ssl-proxy and we will use same certificate gerated for abc.com for all servers like www.abc.com , a.abc.com , b.abc.com etc. Now when we are trying to access https//www..abc.com or https://a.abc.com through mozilla , we are able to access the service but we are getting this message in certfucate status " you are connected to abc.com which is run by unknown "
And the same message when trying to access https://www.abc.com from Google Chrome.
"This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
so i know as this certficate is for cn=abc.com that is why we are getting such errors/status in ssl certficate.
Now my question is
1. Is is possible to remove above errors doing some ssl configuration on ACE?
2. OR we have to go for VerisgnWildcard Secure Site Pro Certificate for CSR generated uisng cn =abc.com to be installed on ACE and will be used for all servers like www.abc.com , a.abc.com etc..
Thanks
WaliullahIf you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate. Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate. And right now it won't beause your certificate is for abc.com. You need a wildcard cert that will be for something like *.abc.com.
Hope this helps,
Sean -
How can I change an SSL Certificate display name on Firefox?
I have 6 SSL Certificate to install in order for an application to open in 6 ways. Each certificate represent a way. The problem is that the pop up window i am receiving to choose one of these 6 SSL displays the Issuer CN while i need it to display the friendly name / or the description since i can modify them.
Any way this is possible?
Thanks,This article may help you
https://support.mozilla.org/en-US/kb/enable-ssl-fix-cannot-connect-securely-error?esab=a&s=SSL+certificate+display+on+Firefox&r=7&as=s
regards,
Gautam sharma. -
Is there a way to change the CSR for install SSL Certificate for CCMADMIN
HI there,
Our customer want a solution for the https failure on CCMAdmin and CCMUser sites.
For that, I have exported a csr to buy a ssl certificate from verisign.
The problem is the csr includes fqdn an not just the servername
But the users just have to type in the servername to reach the server.
Is there a way to export a csr which include as common name only the server name without changing the domain settings in the cucm?
thanks
MarcoHi
You can go to the server via SSH, and enter the 'set web-security' command with the alternate-host-name parameter:
Command Syntax
set web-security orgunit orgname locality state country alternate-host-name
Parameters
• orgunit represents the organizational unit.
• orgname represents the organizational name.
• locality represents the organization location.
• state represents the organization state.
• country represents the organization country.
• alternate-host-name (optional) specifies an alternate name for the host when you generate a
web-server (Tomcat) certificate.
Note When you set an alternate-host-name parameter with the set web-security command,
self-signed certificates for tomcat will contain the Subject Alternate Name extension with
the alternate-host-name specified. CSR for Cisco Unified Communications Manager will
contain Subject Alternate Name Extension with the alternate host name included in the CSR.
Typically you would still use an FQDN, but a less specific one (e.g. ccm.company.com)...
Regards
Aaron
Please rate helpful posts... -
How can i refresh an SSL certificate for a specific page?
i am trying to access my electronic training jacket on Navy Knowledge Online to check the status of my security clearance. the ETJ page requires an SSL certificate. when i initially loaded the page the message window popped up prompting me to add the security exception and get the certificate. i got the certificate and continued to load the page but it came up with HTTP error 403.7 saying that i didn't have the certificate i needed. for some reason NKO isn't recognizing the certificate i got so i need to clear that certificate and get a new one that hopefully the server will recognize. how can i do this?
You can try to remove that certificate here:
Edit > Preferences > Advanced > Encryption: Certificates > View Certificates -
How do I install this self-signed SSL certificate?
I haven't been able to connect to the jabber server I've been using (phcn.de) for quite some time now, so I filed a bug report with mcabber. The friendly people there told me to install phcn.de's self-signed certificate, but I can't figure out for the life of me how to do that.
I know I can download something resembling a certificate using
$ gnutls-cli --print-cert -p 5223 phcn.de
Which does give me something to work with:
Resolving 'phcn.de'...
Connecting to '88.198.14.54:5223'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 768 bits
- Secret key: 767 bits
- Peer's public key: 767 bits
- PKCS#3 format:
-----BEGIN DH PARAMETERS-----
MIHFAmEA6eZCWZ01XzfJf/01ZxILjiXJzUPpJ7OpZw++xdiQFBki0sOzrSSACTeZ
hp0ehGqrSfqwrSbSzmoiIZ1HC859d31KIfvpwnC1f2BwAvPO+Dk2lM9F7jaIwRqM
VqsSej2vAmAwRwrVoAX7FM4tnc2H44vH0bHF+suuy+lfGQqnox0jxNu8vgYXRURA
GlssAgll2MK9IXHTZoRFdx90ughNICnYPBwVhUfzqfGicVviPVGuTT5aH2pwZPMW
kzo0bT9SklI=
-----END DH PARAMETERS-----
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `CN=phcn.de', issuer `CN=phcn.de', RSA key 1024 bits, signed using RSA-SHA, activated `2009-05-04 08:26:21 UTC', expires `2014-04-08 08:26:21 UTC', SHA-1 fingerprint `d01bf1980777823ee7db14f8eac1c353dedb8fb7'
-----BEGIN CERTIFICATE-----
MIIBxzCCATCgAwIBAgIINN98WCZuMLswDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UE
AwwHcGhjbi5kZTAeFw0wOTA1MDQwODI2MjFaFw0xNDA0MDgwODI2MjFaMBIxEDAO
BgNVBAMMB3BoY24uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALqS+tnB
tNruBGdcjw0o+BWSdfkKH4T3VpS7bkrsS0q7RD5iUIao7jH2lJqTk1TrLbQe28+R
H0X9Ya+w22iYFea2l3wkrTnBfgdSZbRhpSxgVvC2QEBMoSrEQoRpo5lzXadRlob/
RQ+rhu/cWCNeiRJzfkmNirPVEciGKQHrwKxxAgMBAAGjJjAkMCIGA1UdEQQbMBmg
FwYIKwYBBQUHCAWgCwwJKi5waGNuLmRlMA0GCSqGSIb3DQEBBQUAA4GBALFBalfI
oESZY+UyVwOilQIF8mmYhGSFtreEcUsIQvG1+cgD16glKehx+OcWvJNwf8P6cFvH
7yiq/fhMVsjnxrfW5Hwagth04/IsuOtIQQZ1B2hnzNezlnntyvaXBMecTIkU7hgl
zYK97m28p07SrLX5r2A2ODfmYGbp4RD0XkAC
-----END CERTIFICATE-----
- The hostname in the certificate matches 'phcn.de'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
Unfortunately, the above command spits out more than a certificate. Do I need the additional information? If so, what do I need it for? Where do I need to put the certificate file?Hi,
I recently found out a way how to install test or self-signed certificates and use it with S1SE.
See:
http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
Follow the instructions there
1. Create CA
2. Create root ca certificate
Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
Paste the contents of the file: cacert.pem into the message-text box.
Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
The next step is to send a certificate-request from S1SE to your e-mail-address.
The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
Now just sign the Request:
CA.pl -sign
The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
Then you have to reboot the server/instance again and it should work with your certificate.
Regards,
Dominic -
Our site requires Third Party SSL certificates to be installed on our servers. We have an agreement with inCommon. I have to supply a CSR in order to obtain the SSL certificate.
My installation is on a Windows 2008 server and I had the self-signed CSR already but it is only 1024 bits. Is there someplace in the GUI or OS where I can change the encryption?This is a shot in the dark, but since CiscoWorks is using (I believe) Tomcat as the web server, could you run keytool to generate the CSR?
http://help.godaddy.com/article/5276
You could also use an online CSR gererator such as:
http://www.gogetssl.com/eng/support/online_csr_generator/
The key (pun intended) is having the private key on your server so that when you get the signed certificate and install it (using sslutil) it will be usable.
Hope this helps. -
Copying SSL Certificates from one server to another.
I have a question that hopefully someone might have the answer for... I have a IPlanet 6.0 SP4 server that has an SSL certificate I'm trying to move to a new server that's on SunOne 6.1. I was under the impression that I could easily copy the <Iplanet_Root>/alias/https-<ServerInstance>-<server>-<key3/cert7>.db files to the new server from that server's alias directory. However before I copied the files, I immediately noticed the new server's cert file is called cert8 instead of cert7 and is 64K as opposed to the 6.0 server's 16K.
I stopped the web instance and renamed the current db files and copied in the new and changed the cert7 to cert8. When I restarted the server, it stayed up and didn't report any problems. However, when I go the security tab and click on any of the links on the left column, an internal server error (http500) page is displayed. No additional errors show up in the errors log.
Unfortunately, we don't have the original certificate request. I'm sure when it was applied for; it was cut and pasted into the install certificate page. Otherwise, I'd simply do the install on the other server. Is there a simply means to copy an already installed cert from one sever to another?
Any assistance would be greatly appreciated.Migration from 6.0 to 6.1 should take care of this. You don't have to rename the files to cert7.db after the migration, just leave them with their new names and size as is. The new file created in 6.1(after migration is complete) will be called cert8 and this is fine because 6.1 uses newer version of security libs. Doc links:
http://docs.sun.com/source/817-1830-10/migrate2.html
http://docs.sun.com/source/817-1831-10/agcert.html#wp1017112
Thanks,
Manish
Maybe you are looking for
-
How to schedule one instance at a time consecutively
Hi Everyone, We are at BOXIR3.1 SP5 installed in RHEL and business is looking for below mentioned scheduling option for specific webi reports which are complex and having high volume of data. Lets say the scenario is if the users schedules the specif
-
Hi everyone! I am having a very poor battery life and I have a lot of apps, which I do believe its time to refresh the system so I thought about restoring my iPhone to a new iPhone, but I don't want to lose my contacts, they're very important; on my
-
RE: Can an OEM Plug-IN use the JavaWrapper fetchlet ?
Hi: - Can I create an OEM Plug-In using the JavaWrapper fetchlet for data acquisition ? - If yes, can I add my own jar files to the OEM Plug-In archive and call my own classes ? And, what would be the path to my own jar files in the XML metadata file
-
Is it possible to use Speech Recognition with Final Cut Studio?
Is it possible to use Speech Recognition with Final Cut Studio? Using either Speech, AppleScript, Automator or a 3rd party app like iListen, can I enable Final Cut Studio apps to respond to voice commands? (e.g. I say "I" in Final Cut Pro and it sets
-
Enabling java to run on windows xp professional
I just got a new gateway pc & it wont let me play any games (like bingo.com)...I downloaded sdk 4.0, but it still wont let me in. HELP!!!