Configure OWA to require a client ssl certificate only for external connection

Hello.
I have just migrated the OWA client from Exchange 2003 to Exchange 2010 and ran into a problem.
When an external client (for example, a user on a home PC) connects to Outlook Web App, I want a client certificate to be required.
But when a client (somebody on a work PC) connects to the internal Outlook Web App URL, Integrated Windows Authentication should be used and a client SSL certificate should not be required.
Is it possible? Or do I need to enable Outlook Anywhere?

Hi,
Based on my knowledge, I don't think it is possible.
When you install Exchange 2003, there is only one Default Web Site in Internet Information Services (IIS). If you change the authentication method and enable SSL on OWA, a client SSL certificate will always be required, whether the connection is external or internal.
I recommend you refer to the following articles:
http://www.msexchange.org/articles-tutorials/exchange-server-2003/mobility-client-access/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft.
Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Thanks.
Niko Cheng
TechNet Community Support

Similar Messages

  • Problem to configure Blink Pro (App). Error SSL certificate verification error (PJSIP_TLS_ECERTVERIF) (503)


    Hi, William
    My question is if you can help me and support me to configure the Blink Pro App, I have a Mac Book Air, OS X 10.9.1.
    hope for your answer

  • DT require Oracle9i client and Oracle Services for MTS software

    "Distributed Transactions require Oracle9i client and Oracle Services for Microsoft Transaction Server software."
    I get the error above when I attempt to run a COM+ transaction accessing Oracle9i. I checked the installation of Oracle9i and Oracle Services on the client computer and it is OK.
    I am using Windows Server 2003 and the database server is on another Windows Server 2003. The database is Oracle9i Enterprise Edition.
    At Stanford's web site (http://www.stanford.edu/dept/itss/docs/oracle/9i/win.920/a95496/ch1.htm#1079911) I found Oracle's documentation that explains this, but it didn't work for me.
    Oracle Services is installed in both machines.
    The Oracle MTS Recovery Service is running.
    The COM+ component is registered.
    When I use the same component with SQL Server 2005 beta 2 it works fine. What else do I need to do?
    Thanks in advance.
    Caio Pereira

    Hi.
    I have the same problem: one server which works and another which doesn't (almost, though).
    I got most of it to work by taking the mtsservices registry entry from the server that works and putting it on the other one, after I had created the service for MTS in the Oracle management console.
    Now I can search, delete and change, but not make a new entry in the database.
    And that's where I'm stuck now.
    Hope it helps a bit..
    Michael
    Greenland

  • Webdav with client ssl certificate

    I have created one webdav enable site in apple mac mini server using apache. The webdav site is secured with https as well as client certificate.
    While browsing the website using Safari/IE everything works fine, but with the iPad's WebDAV utility it does not work. The client cert is not picked up by the WebDAV nav tool, although the client SSL cert is installed on the iPad.

    Some more checking using wireshark on the destination server.
    I created a simple html page that is contained under a directory that requires SSL and a client certificate, as configured in the apache configuration.
    This works fine from the IE and Firefox desktop browsers.
    Now, using Safari on the iPad with the appropriate certificates installed (client cert and CA cert) using the profile management tool, I attempted to connect to this page.
    Wireshark shows the iPad contacting the server and the TLSv1 protocol selection (Client Hello and Server Hello).
    Following this the server issues the requested server certificate and the CA cert to the iPad device.
    The iPad device responds with an ACK and this is where it stops the communication. No further packets appear.
    During this time, the iPad has requested that a client certificate be selected using the dialog and the appropriate client cert is selected, however the network transaction does not show the iPad ever sending this certificate to the server.

  • Getting error "Problem with SSL Certificate" but I'm connecting to my private server without SSL

    I wanted to create a PDF from a subtree at a website. The first problem was that Acrobat Pro (11.0.7) wouldn't spider it (probably because there was a robot.txt file there) so I had to use SiteSucker to pull the pages down to my Mac.
    Then I discovered that Acrobat Pro can't handle file:/// URLs so that was no good either
    So then I copied all the pages to a folder on my Linux server where I use a non-standard port (86) for http connection as a minor security precaution.
    When I tried to access that from Acrobat Pro, it bitched about a problem with SSL Certificate but gave me no option to do anything about it. More relevantly, all the files were accessible using http protocol, not https so there shouldn't have been any need to deal with SSL certificates at all
    I had to temporarily enable port 80 on my apache server at which point it's now pulling all the files in and hopefully converting them.
    A) We're at version 11 ---- these kinds of issues should have been fixed years ago
    B) While you're at it, fix the stupid UI issue where the download dialog disappears completely if Acrobat Pro doesn't have the focus. On a long download, I'd like to be able to see progress while working on other stuff. Acrobat Pro is not the center of the universe!

    Interesting point 2, I am working on a Mac plugin at the moment. It does not hide its dialogs when switching to a different app. I consider this a bug and will fix it so the dialog disappears. I hadn't considered the question of progress but there is a very strong reason to do this on the Mac.
    My tests seem to show that
    (a) to get a dialog to sit above PDF documents all the time, it must be on a higher "level".
    (b) if a dialog is at a higher level, this is a global setting.
    So, if the dialog is not hidden when switching all, it will typically sit on top of the other app's document windows. This would not be popular, as the end user, unless they have mountains of screen space and choose to use it that way, must either close or move the dialog when switching app, then bring the dialog back.  So, because Acrobat Pro is not the centre of the universe, it will hide dialogs (or rather, the Mac will, as it's a standard option when creating a window).

  • SSL certificate expired for Google Mail

    Hi there everyone, I am new here so please be gentle with me!  I have had a Palm Pre on the 02 network since October and have been able to use my email fine.  I use Googlemail and 02 using IMAP and today it keeps giving me error messages saying the SSL certificate has expired.  I have tried turning SSL on and off, and have downloaded the software update for Palm OS but it's still not working. Is there an easy fix for this? If I change to POP will that work and how do I do that? Many thanks. Hellywobs.

    Just to say that I have solved this from another source - the date was wrong on my phone.  No idea why, but now I've set the date to today, it's working again. I went to the Date and Time App and made the change.  Just thought I would post here in case anyone else has the same trouble - it is an easy solution.

  • SSL Certificate necessary for web Service with HTTPS encoding?

    Hi experts,
    I wanna create a Web Service with HTTPS. Now when I create an endpoint in Transaction SOAMANAGER, I use "Transport Guarantee Type" HTTPS. I'm a little bit confused, because at "Authentication Method" I have different options which I don't understand.
    At Authentication Method, there are some check boxes.
    What's the difference between HTTP Authentication and Message Authentication?
    (Why) can I use User ID/Password as Authentication Method with HTTPS? I think I need X.509 SSL Client Certificate.
    What is a Logon Ticket?
    Is there a good Documentation in the web, who explains the meaning of the different options and when to use which option?
    Thanks and regards,
    Sebastian

    Hi,
    >>>WSDL in Integration Directory but that WSDL contains a line starting with HTTP instead of HTTPS! My question is how to generate a WSDL file with an HTTPS URL to the web service,
    you don't use the URL from ID - you need to create one yourself and put it there in the generator
    Regards,
    Michal Krawczyk

  • SSL Certificate Exception everytime a connection is established

    Hello guys!
    I am trying to authenticate to a website running SharePoint 2010. But every time a connection is established, an SSL/TLS exception is thrown. The following is the code I am using. Any idea?
    The exception is: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Runtime.InteropServices.WindowsRuntime;
    using Windows.Foundation;
    using Windows.Foundation.Collections;
    using Windows.UI.Xaml;
    using Windows.UI.Xaml.Controls;
    using Windows.UI.Xaml.Controls.Primitives;
    using Windows.UI.Xaml.Data;
    using Windows.UI.Xaml.Input;
    using Windows.UI.Xaml.Media;
    using Windows.UI.Xaml.Navigation;
    using System.Net;
    using System.Net.NetworkInformation;
    using Windows.Networking.Connectivity;
    using System.Net.Http;
    using System.Xml.Linq;
    using System.Text;
    using Windows.Web.Http.Filters;
    using Windows.Security.Cryptography.Certificates;
    // The Blank Page item template is documented at http://go.microsoft.com/fwlink/?LinkId=234238
    namespace TestApp
    {
        /// <summary>
        /// An empty page that can be used on its own or navigated to within a Frame.
        /// </summary>
        public sealed partial class MainPage : Page
        {
            public MainPage()
            {
                this.InitializeComponent();
            }

            private static HttpWebRequest CreateWebRequest(string url, NetworkCredential credentials)
            {
                //Initialize new instance of HttpBaseProtocolFilter, which implements IHttpFilter.
                string action = "http://schemas.microsoft.com/sharepoint/soap/GetWebCollection";
                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                req.Credentials = credentials;
                req.Headers["SOAPAction"] = action;
                req.ContentType = "text/xml;charset=\"utf-8\"";
                req.Accept = "text/xml";
                req.Method = "POST";
                return req;
            }

            static string soapEnvelope = @"<soap:Envelope xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body></soap:Body></soap:Envelope>";
            //static string soapEnvelope =
            //    @"<?xml version=""1.0"" encoding=""utf-8""?> <soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema""
            //    xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""> <soap:Body> <Login xmlns=""http://schemas.microsoft.com/sharepoint/soap/""> <username>{0}</username> <password>{1}</password>
            //    </Login> </soap:Body> </soap:Envelope>";

            private static XDocument CreateSoapEnvelope(string content)
            {
                StringBuilder sb = new StringBuilder(soapEnvelope);
                sb.Insert(sb.ToString().IndexOf("</soap:Body>"), content);
                XDocument soapEnvelopeXml = XDocument.Parse(sb.ToString());
                return soapEnvelopeXml;
            }

            private static void InsertSoapEnvelopeIntoWebRequest(XDocument soapEnvelopeXml, HttpWebRequest webRequest)
            {
                webRequest.BeginGetRequestStream((IAsyncResult asynchronousResult) =>
                {
                    HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
                    Stream postStream = request.EndGetRequestStream(asynchronousResult);
                    soapEnvelopeXml.Save(postStream);
                    //postStream.Close();
                    request.BeginGetResponse(new AsyncCallback(GetResponseCallback), request);
                }, webRequest);
            }

            private static void GetResponseCallback(IAsyncResult asynchronousResult)
            {
                HttpWebRequest request = (HttpWebRequest)asynchronousResult.AsyncState;
                // The trust exception quoted above is thrown here, in EndGetResponse.
                HttpWebResponse response = (HttpWebResponse)request.EndGetResponse(asynchronousResult);
                Stream streamResponse = response.GetResponseStream();
                StreamReader streamRead = new StreamReader(streamResponse);
                string responseString = streamRead.ReadToEnd();
                //do whatever with the response
                //streamResponse.Close();
                //streamRead.Close();
                //response.Close();
            }

            private void Button_Click(object sender, RoutedEventArgs e)
            {
                NetworkCredential credentials = new NetworkCredential("<user>", "<password>", "<domain>");
                HttpWebRequest request = CreateWebRequest("https://the_website_I_am_trying_to_connect_to", credentials);
                XDocument soapEnvelope = CreateSoapEnvelope("<GetWebCollection xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\" />");
                InsertSoapEnvelopeIntoWebRequest(soapEnvelope, request);
            }
        }
    }

    Hi,
    According to your description, my understanding is that when you access an HTTPS web service, the "The underlying connection was closed. Could not establish trust relationship for the SSL/TLS secure channel" error occurs.
    To overcome this error, you need to install the certificate that is used by the web service provider in the server that will be calling the web service.
    1. Open Microsoft Management Console (Start --> Run --> mmc.exe);
    2. Choose File --> Add/Remove Snap-in;
    3. In the Standalone tab, choose Add;
    4. Choose the Certificates snap-in, and click Add;
    5. In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard;
    6. Close the Add/Remove Snap-in dialog;
    7. Navigate to Certificates (Local Computer);
    8. Choose a store to import:
    * If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities;
    * If you have the certificate for the server itself, choose Other People;
    9. Right-click the store and choose All Tasks --> Import;
    10. Follow the wizard and provide the certificate file you have.
    Here are some detailed articles for your reference:
    http://www.c-sharpcorner.com/uploadfile/anavijai/could-not-establish-trust-relationship-for-the-ssltls-secure-channel/
    http://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap
    Thanks
    Best Regards
    Jerry Guo
    TechNet Community Support

    Hello Jerry,
    Thank you very much for your reply.
    But what about Windows Phone? I am running the same code on WP 8.1 as a store app, and it returns an exception at the same place: the GetResponseCallback.
    Any workaround? Can I run a code from the app that uses the certificate or at least installs it?
    Thanks a lot. 

  • Firefox doesn't show ssl certificate form for add exception....no problem with other browser

    I'm using a proxy server, and when I go to gmaps (for example, but also youtube) I don't see the page to confirm the certificate. (I've found a trick that consists of going to the maps, right-clicking and pressing view image; after that I can see the SSL exception page, but other elements of the page like "satellite view" aren't visible.) In other cases the frame of the certificate contained in the web pages is resized so I can't see the button to confirm the exception.
    Hoping the issue is understandable....:-)
    Thanks!!

    Hi dafunk, yes, only HTTPS sites are affected because Firefox only checks certificates for HTTPS sites.
    The root certificate from the proxy service provider allows Firefox to trust all the fake certificates they issue, so that should be the only one you need. I don't know whether it is supposed to be pushed into Firefox automatically, but since it didn't work, importing is your next step.
    I found some instructions on how to do it from unofficial sources. Maybe one of these will help?
    * [https://www.mcnc.org/forums/ncren/web-security/how-install-zscaler-ssl-trusted-root-certificates How to Install Zscaler SSL Trusted Root Certificates | MCNC | Connecting North Carolina's Future Today]
    * [http://www.orange.k12.nc.us/staff/staff_zscaler.html Orange County Schools]
    * [http://www.bertie.k12.nc.us/central_services_departments/instructional_technology/bring_your_own_device/ Bring Your Own Device - Bertie County Schools]
    VERY IMPORTANT: Do not actually use the certificate supplied by these sites. Only consult them for steps that you might use to install a certificate provided by your IT. Otherwise who knows what you're trusting.

  • SSL Certificate setup for Web/Address Book/iCal in 10.7 Lion?

    I know nothing about certificates. I plan to use my Mini server to help manage my family's computers which are pretty spread out across the U.S. My plan is to use profile manager for device management, host a couple websites (one secure for home security cams) and share address books and calendars. This is as much a geek gadget project as it is "useful" so I understand I may be creating some work for myself
    Anyway, can someone walk me through the correct setup for certificates? My research is showing me a LOT of options/parameters. Due to the expense, I don't want to create one just to find it won't serve my purposes.
    Also, I think I'm going with RapidSSL...$50 is the cheapest I've come across...hopefully they offer what I need?

    I have just spent 30 minutes on the phone to a pleasant chap in Athens, and now have a solution.
    We tried several options and the final one worked - so simple.
    Click on the apple symbol > system preferences > iCloud > disable contact sync > keep contacts
    Check search, in my case it worked for the first time in several weeks :-)
    then re-enable contact sync as follows:
    Click on the apple symbol > system preferences > iCloud > re-tick contacts > merge contacts
    Search still works
    Hallelujah!

  • What SSL certificates needed for the FTP server

    Hi,
    I want to create a certificate for the FTP server. Is there any specific format for the FTP server? What do I have to create for secure communication?
    Please tell me in detail.
    Thanks
    Ravi

    Does anyone have any comments on this post? We would especially appreciate some input from Microsoft reps to help us ensure we're setting up the correct firewall rules.
    Thanks,
    -Taylorbox

  • How to enable SSL optimization only for a single remote WAE and specific website?

    Hi guys.
    I have to enable SSL optimization for a specific HTTPS website only and for a specific remote site only (branch office).
    The scenario is as follows:
    Multiple sites connected via a MPLS cloud. Each site has its own WAE device (module or appliance).
    There is a central manager and core WAE in the main site (central site).
    There is a website accessed via HTTPS by all the remote sites. This specific website is hosted within the main site.
    For only a specific branch office (remote site) we want to enable SSL optimization for this specific website.
    I saw this great and useful doc, but I still have some concerns.
    https://supportforums.cisco.com/docs/DOC-16452
    Basically, according to what I see, I should do the following if I want to enable SSL optimization with the entire environment:
    - export the certificate and keys;
    - enable secure store in the central manager;
    - In the remote and core WAE, Check "initialize CMS secure store" and "Open CMS Secure Store";
    - In the core WAE, import the CA certificate (upload PEM file);
    - In the core WAE, create the SSL Accelerated Service by:
        --importing the client certificate and the key;
        -- Match interesting traffic;
        -- Put the SSL Acc Service in service;
    - Finally, make sure SSL acceleration is enabled in both remote and core WAE.
    The concerns:
    I only need to enable SSL optimization for a specific location accessing a specific website.
    Should the steps above work fine if I enable the SSL service for this specific website in the core WAE and enable secure store only in a single remote site (branch office)?
    how will the other remote locations behave?
    Will they access the website normally with no SSL optimization even passing thru the core WAE?
    What about the other SSL sites which have no certificate? They will be treated as normal HTTPS with no optimization, right?
    If the site uses proxy, will any flow be impacted?
    If the steps above do not fit my case, how can I configure SSL optimization for only one remote WAE?
    Thanks in advance.

  • How to authenticate BPEL process to a PL with Client SSL Cerificate

    Hi,
    I need to invoke a partner link which requires authentication with Client SSL certificate. So, here is the use case:
    - The PL's endpoint is https://some.server.com/web_service;
    - I have a client SSL certificate supplied by the web service provider in the form of PKCS12 (PFX) file. I should use this certificate for authentication.
    I read carefully the BPEL Administration Guide, the part about SSL authentication (http://download.oracle.com/docs/cd/B31017_01/integrate.1013/b28982/security.htm#CHDHIBEG), but in this guide is described how outer services can be authenticated by the BPEL Process Manager with client SSL certificates, not the vice versa.
    So, I completed the following tasks:
    - I imported the server certificate of https://some.server.com/web_service into $ORACLE_HOME/jdk/jre/lib/security/cacerts file;
    - since I didn't find a way to import the client certificate as a PFX file, I converted it to a PEM file using OpenSSL utilities and managed to import the client certificate's public key into cacerts, but not the private key. Of course this didn't help me in any way to get authenticated.
    I would appreciate any help on this topic!
    Thank you!
    Simeon

    I got this action plan and it works for me...
    1. Download the new Client Certificate.
    2. Convert the Client PFX to JKS as per:
    http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores
    3. Using firefox go to the WSDL site:
    * Add the exception, if Firefox ask for it.
    * Import the server certificate to Firefox following the instructions displayed
    4. Once you imported the certificate on Firefox, go to:
    * Tools -> Options
    * Select Advanced and click on "Encryption" tab
    * Click on View Certificates
    * Go to the Servers tab
    * Select the "servercfa" and click on "Export"
    * Save the certificate adding the .cer extension to the name.
    * Ensure that you select in Save as Type "X.509 Certificate with Chain (PEM)"
    5. Import using keytool the exported certificate from step 4 to the JKS obtained in step 2:
    * i.e: keytool -import -alias servercert -file servercfa.crt -keystore client.jks -storepass welcome1
    6. Add both keyStore and trustStore properties to the jdev.conf pointing to the same JKS :
    AddVMOption -Djavax.net.ssl.keyStore=C:\jdevstudio10133\jdk\jre\lib\security\client.jks
    AddVMOption -Djavax.net.ssl.keyStorePassword=welcome1
    AddVMOption -Djavax.net.ssl.keyStoreType=JKS
    AddVMOption -Djavax.net.ssl.trustStoreType=JKS
    AddVMOption -Djavax.net.ssl.trustStore=C:\jdevstudio10133\jdk\jre\lib\security\client.jks
    AddVMOption -Djavax.net.ssl.trustStorePassword=welcome1
    7. Open Jdev and retest the issue.
    Tocarli.

  • SSL Certificate Problem

    I finally took the plunge and brought our chat server back up to Leopard. I'm in an SSL mess right now.
    I got a new cert for the server from Thawte (got the ApacheSSL cert, which is what I had successfully used on Tiger Server.)
    I started the process by creating a new CSR in Server Admin (advanced server), sent the CSR to thawte, they signed and returned the cert. Went back to server admin, imported it, and it looks good!
    Well, I selected the cert in the iChat service and clients cannot login. They can login with the Default cert (but get the warning message).
    ...and we see the following in the iChat service log:
    Jan 7 07:27:48 chat jabberd/c2s[6453]: failed to load local SSL pemfile, SSL will not be available to clients
    So, I looked in /etc/certificates and it looks good:
    chat:certificates herb$ ls -la
    total 72
    drwxr-xr-x 12 root wheel 408 Jan 7 07:24 .
    drwxr-xr-x 124 root wheel 4216 Jan 7 07:25 ..
    -rw-r--r--@ 1 root wheel 0 Jan 5 13:35 .defaultCertificateCreated
    -rw-r--r-- 1 root wheel 660 Jan 5 13:35 Default.crt
    -rw-r----- 1 root certusers 1551 Jan 5 13:35 Default.crtkey
    -rw-r----- 1 root wheel 534 Jan 5 13:35 Default.csr
    -rw-r----- 1 root certusers 891 Jan 5 13:35 Default.key
    -rw-r--r-- 1 root wheel 1155 Jan 7 07:24 chat.northampton.edu.chcrt
    -rw-r--r-- 1 root wheel 1306 Jan 7 07:24 chat.northampton.edu.crt
    -rw-r----- 1 root certusers 2269 Jan 7 07:24 chat.northampton.edu.crtkey
    -rw-r----- 1 root wheel 720 Jan 5 14:09 chat.northampton.edu.csr
    -rw-r----- 1 root certusers 963 Jan 7 07:24 chat.northampton.edu.key
    I am really at a loss, any ideas?
    I notice that in the jabberd c2s.conf configuration file:
    <!-- File containing a SSL certificate and private key to use when
    setting up an encrypted channel with the router. If this is
    commented out, or the file can't be read, no attempt will be
    made to establish an encrypted channel with the router. -->
    <pemfile>/etc/certificates/Default.crtkey</pemfile>
    Now that is odd since I chose the chat.northampton.edu cert!
    Later in the file we do see references to the chat.northampton.edu cert so I left that entry alone. Later I read that first entry is okay the way it is.
    Any help appreciated!

    Here's how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory). So this solution kills 2 birds with one stone.
    1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
    2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
    3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
    4. Enter a 24 character passphrase. (Good security please!)
    5. Click Save, then second middle button to create a CSR.
    6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
    7. Verify the CSR on the thawte(Verisign, whatever you're using) site. The information should match what you entered for Common Name, etc.
    8. Submit it to them for signing; get the reply from them.
    9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select "import signed..."
    10. Paste the response from thawte(Verisign, whatever) in there, then click save.
    You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.
    Fire up web services and see if your new cert works for web. If it does, continue on.
    Your new cert may or may not work for Jabber. If it does, well you're done. If it doesn't...
    1. Ensure you've selected the cert for iChat in Server admin. (I know, it doesn't work yet.)
    2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
    3. Take a look in /etc/certificates.
    4. You should see a my.domain.com.key file and a my.domain.com.crt file.
    Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.
    5. Make a copy of my.domain.com.key (Let's call it my.domain.com.jb)
    5a. Make a copy of my.domain.com.crt (Let's call it my.domain.com.crt.jb)
    6. Decrypt the private key: (Remember you're root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
    It will ask you for your passphrase.
    7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):
    cat my.domain.com.jb >> my.domain.com.crt.jb
    8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
    9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey.jb )
    Not done yet....
    10. Change perms / ownership of my.domain.com.jb to match your original .key file.
    EDIT /etc/jabberd/c2s.xml
    1. Amend the settings in the local section (under the ssl-port 5223 line) to:
    /etc/certificates/my.domain.com.crtkey.jb
    1a. I also commented out the cachain line in that area. You may not need to but I did.
    2. No matter how tempting, do NOT touch anything else at this time. Trust me.
    Leave the 0.0.0.0 IP's alone; where you see your Default cert, leave it be!
    Done editing.
    3. Restart ichat service (don't touch the settings in the Admin application)
    On the iChat client set connect using SSL, port 5223.
    All should work.
    To get OD logins to work, comment out cram-md5 authentication, like this:
    Hopefully the code comes out in the post there. If not, it's the fix from Apple:
    http://docs.info.apple.com/article.html?artnum=306749 (option 2)
    Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!
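
The checks behind steps 4 to 9 of the post above (key no longer passphrase-encrypted, certificate and key in one file, restricted permissions), written as an added shell example that is not part of the original post. The function names `check_pemfile` and `make_samples`, the sample file names and the PEM bodies are constructed here for illustration.

```shell
#!/bin/sh
# Added example: lint a combined certificate+key pemfile of the kind built
# above (my.domain.com.crtkey.jb) before pointing jabberd at it.

# check_pemfile FILE -> prints one finding per line, returns 0 if none.
check_pemfile() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # A certificate block must be present.
    if ! grep -q '^-----BEGIN CERTIFICATE-----$' "$f"; then
        echo "no CERTIFICATE block"
        rc=1
    fi
    # A private key block must be present in a form a daemon can load
    # without being able to prompt for a passphrase.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$f"; then
        echo "private key is encrypted (PKCS#8)"
        rc=1
    elif ! grep -Eq '^-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----$' "$f"; then
        echo "no PRIVATE KEY block"
        rc=1
    fi
    # Traditional OpenSSL keys mark encryption with these header lines
    # (the "DES encryption lines" mentioned in step 4).
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|DEK-Info: )' "$f"; then
        echo "private key is passphrase-encrypted"
        rc=1
    fi
    # Unbalanced markers point to a truncated paste or a bad concatenation.
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "unbalanced PEM markers ($begins BEGIN, $ends END)"
        rc=1
    fi
    # The file holds an unencrypted key, so it must not be world-readable.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ???????r??) echo "world-readable ($mode)"; rc=1 ;;
    esac
    return $rc
}

# make_samples DIR -> writes three constructed sample files into DIR.
# The base64 bodies are placeholders, not real certificates or keys.
make_samples() {
    dir=$1
    body='Q09OU1RSVUNURUQ='
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "$body" '-----END RSA PRIVATE KEY-----'
    } > "$dir/good.crtkey"
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
            'DEK-Info: DES-EDE3-CBC,0000000000000000' '' "$body" '-----END RSA PRIVATE KEY-----'
    } > "$dir/encrypted.crtkey"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
        > "$dir/certonly.crtkey"
    chmod 640 "$dir/good.crtkey" "$dir/encrypted.crtkey" "$dir/certonly.crtkey"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for name in good encrypted certonly; do
    echo "== $name.crtkey"
    if check_pemfile "$demo_dir/$name.crtkey"; then
        echo "ok"
    fi
done
rm -rf "$demo_dir"
```

On the server, run `check_pemfile /etc/certificates/my.domain.com.crtkey.jb` as root before restarting the iChat service.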

  • How Do You Generate a 2048bit CSR for a Third Party SSL Certificate for LMS 4.0.1?

    Our site requires Third Party SSL certificates to be installed on our servers.  We have an agreement with inCommon. I have to supply a CSR in order to obtain the SSL certificate.
    My installation is on a Windows 2008 server and I had the self-signed CSR already but it is only 1024 bits.  Is there someplace in the GUI or OS where I can change the encryption?

    This is a shot in the dark, but since CiscoWorks is using (I believe) Tomcat as the web server, could you run keytool to generate the CSR?
    http://help.godaddy.com/article/5276
    You could also use an online CSR generator such as:
    http://www.gogetssl.com/eng/support/online_csr_generator/
    The key (pun intended) is having the private key on your server so that when you get the signed certificate and install it (using sslutil) it will be usable.
    Hope this helps.
