Creating a self signed SAN Cert
Hi all,
I am wanting to create a self signed SAN cert. I am using the MMC snap-in to add the Certificates snap-in to create a custom request. However on the Private Key type, I don't see the option to select Key Type is Exchange.
This is the article I am following: http://blogs.msdn.com/b/andrekl/archive/2008/09/24/how-to-generate-a-csr-for-an-iis-website-using-the-windows-vista-server-2008-certificates-mmc-plugin.aspx
Anybody know why?
> I am wanting to create a self signed SAN cert
Self-signed? Then the rest of your post is irrelevant, since the Certificates MMC snap-in is not intended for self-signed certificate creation. In order to generate a self-signed certificate, you can use the New-SelfSignedCertificate cmdlet in Windows Server 2012 and newer. For previous versions, a custom PS script is available:
http://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6
Note: self-signed certificates must not be used in a production environment.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
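The cmdlet named in the reply above, shown as an added example that is not part of the original thread: it creates a self-signed certificate with several subject alternative names, reads the SAN extension back to confirm each name, and exports the public certificate. The host names and export path are placeholders, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example, not from the original thread. Host names and the export path
# are placeholders; run elevated on Windows Server 2012 or newer.
$dnsNames   = 'web01.example.test', 'web01', 'intranet.example.test'
$exportPath = 'C:\Temp\web01-selfsigned.cer'

# The first -DnsName entry becomes the subject name; every entry is written
# to the Subject Alternative Name extension.
$cert = New-SelfSignedCertificate -DnsName $dnsNames -CertStoreLocation 'Cert:\LocalMachine\My'

# Read the SAN extension (OID 2.5.29.17) back from the new certificate.
$sanExtension = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExtension) {
    throw "Certificate $($cert.Thumbprint) has no Subject Alternative Name extension."
}

# Format($true) returns one entry per line, e.g. "DNS Name=web01.example.test".
# The "DNS Name=" label is localized; this parsing assumes English Windows.
$sanNames = $sanExtension.Format($true) -split "`r?`n" | ForEach-Object {
    if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
}

# Compare whole names, so "web01" is not satisfied by "web01.example.test".
$missing = $dnsNames | Where-Object { $sanNames -notcontains $_ }
if ($missing) {
    throw "SAN extension is missing: $($missing -join ', ')"
}

# Export the public certificate only (DER); the private key stays in the store.
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null

$cert | Format-List Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
"SAN entries: $($sanNames -join ', ')"

# A test client trusts this certificate only after the exported file is added
# to its Trusted Root store, for example:
#   Import-Certificate -FilePath $exportPath -CertStoreLocation 'Cert:\LocalMachine\Root'
```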
Similar Messages
-
Create/install self signed ssl cert
I'm evaluating the platform edition server. Is there a quick way to create and install a self signed ssl server certificate (I'm running Windows 2000 pro).
Thanks
Mark
Download the NSS tools from here:
http://wwws.sun.com/software/download/products/3e3afa8e.html
Documentation for NSS tools can be found here (see certutil):
http://www.mozilla.org/projects/security/pki/nss/tools/
-
Creating a self signed certificate - how do you set the 'storepass'
Hi, I'm trying to use the ADT to create an AIR 2.7 file, but it's the first time I've used the command line tool to build one and am having problems understanding the signing process.
I can generate a cert.p12 keystore file from within the flash IDE, and this asks for a password for the file (-storepass)
I can also use ADT to create a self-signed certificate from the command line, here you can specify the -keystore (cert location) and -keypass (password for the key in the store)
I cannot find a way of generating a self-signed certificate where you can specify both passwords though, one for the store (-storepass) and one for the key (-keypass).
This is a problem because when I go to package my AIR file using ADT it needs both passwords -storepass and -keypass before it can publish it.
Does anyone know how to generate a self-signed .p12 certificate and have control over both the keys...?
I have spent hours playing and searching now so may have the wrong end of the stick, could do with some help getting past this issue.
Thanks
Sean
There is only one password required to package for ipa as far as I know.
Sample command:
C:\AdobeAIRSDK\bin\adt.bat -package -target ipa-test -storetype pkcs12 -keystore [KEYFILE].p12 -storepass [KEY PASSWORD] -provisioning-profile [MOBILE PROVISION FILE].mobileprovision [IPA NAME].ipa [XML FILE NAME].xml [SWF FILE NAME].swf Icon_29.png Icon_48.png Icon_57.png Icon_72.png Icon_512.png Default-Landscape.png Default-Portrait.png Default-PortraitUpsideDown.png Default-PortraitLandscapeLeft.png Default-PortraitLandscapeRight.png
-
SCCM 2012 has been successfully installed on the server:
SRVSCCM.
The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
Cluster nodes: SQL01 and SQL01. The necessary security setup for SCCM was done on all nodes. No errors or warnings in SCCM Monitoring.
The cluster service is running on the account: sqlclusteruser
The account has the appropriate SPNs registered:
setspn -L domain\sqlclusteruser
Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
MSSQLSvc/CLS-SQL4
MSSQLSvc/CLS-SQL4.domain.local
MSSQLSvc/CLS-SQL4:11434
MSSQLSvc/CLS-SQL4.domain.local:11434
After some time, new folders with files inside started appearing on the cluster hosts every day:
srvboot.exe
srvboot.ini
srvboot.log
srvboot.log contains the following information:
SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
Copyright (C) 2011 Microsoft Corp.
Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
Failed to retrieve SQL Server service account.
Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
Disconnecting from Site Server.
SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.
The site server is trying to install the sms_backup agent on the SQL Server cluster nodes.
Without a successful bootstrap the site server backup is not able to run successfully.
Try granting everyone the read permission on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
This worked for me.
After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"
-
Problems with Creating a self-signed Certificate
hi,
I read the keytool Documentation and wanted to create my own self-signed certificate.
ok, I followed the steps :
1) keytool -keyclone -alias origkey -dest my_key
2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
3) keytool -certreq -alias my_key (output in mycert.cer)
4) keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
.. Password Input...
Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
But it exists, see :
[usr]$ keytool -list
Keystore-Typ: jks
Keystore-Provider: SUN
new_key, 06.05.2003, keyEntry,
So it exists, but why do I get the error ?
So far,
Stefan Gross
Stefan, hi,
I have tried to produce a certificate my_cert.cer and it went well. As far as I understood, you have to create a keystore first. This keystore holds a key pair.
And then using the keystore you can create as many certificates as possible based on the key pair.
Try following the steps below. It should work; I mean, I have followed them and all was fine. You can find the original form of the following in the documentation of keytool (Sun).
Hope this time it'll work, let me know.
cem.
Note: the last step is importing the certificate to the keystore, which is not necessary if you only want the certificate.
To set up a digital certificate,
Generate a key pair.
The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the keystore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
keytool -genkey -keyalg RSA -alias tomcat-server -keystore <keystore_filename>
The keytool utility prompts you for the following information:
Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
First and last name--Enter the appropriate value, for example, JWSDP.
Organizational unit--Enter the appropriate value, for example, Java Web Services.
Organization--Enter the appropriate value, for example, Sun Microsystems.
City or locality--Enter the appropriate value, for example, Santa Clara.
State or province--Enter the unabbreviated name, for example, CA.
Two-letter country code--For the USA, the two-letter country code is US.
Review the information you've entered so far, enter Yes if it is correct.
Key password for the Web server--Do not enter a password. Press Return.
The next step is to generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
Creating a Self-Signed Certificate
This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
Export the server certificate to a certificate file:
keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
Enter the password (changeit).
Keytool returns the following message:
Certificate stored in file <server.cer>
Import the new server certificate into the Certificate Authority file cacerts.jks:
keytool -import -alias serverCA -keystore <HOME>/cacerts.jks -file server.cer
Enter the password (changeit).
Keytool returns a message similar to the following:
Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
ST=CA, C=US
Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
ST=CA, C=US
Serial number: 3e39e3e0
Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
Certificate fingerprints:
MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
SHA1: 21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
Trust this certificate? [no]: yes
Certificate was added to keystore
----------------------------------
-
Http Analyzer connecting to server with self-signed SSL cert
When making webservice calls using Axis 1.3 to our development site that uses a self-signed SSL cert I am getting the following error when running the Http Analyzer:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Works fine if I turn off proxy in run configuration for project or when used against a site with a purchased cert. I assume the problem is with Http Analyzer not being able to find the server cert in a local keystore, is there a way to import the cert so that I can run Http Analyzer against the site?
Tried adding server cert to <jdkhome>/jre/lib/security/cacerts keystore but still have the problem.
Am using JDeveloper 10.1.3.
Thanks,
John
I fixed that by getting certs from: https://www.startssl.com/?app=1.
The certs are free and work fine.
Since iPhone 4, Apple does not accept unknown CA Authorities.
-
I'm trying to test the app server. Is there a quick way to install a self signed server certificate (I'm running Windows 2000 pro).
Thanks
Mark
Download the NSS tools from here:
http://wwws.sun.com/software/download/products/3e3afa8e.html
Documentation for NSS tools can be found here (see certutil):
http://www.mozilla.org/projects/security/pki/nss/tools/
-
IOS 4.2.1 Causes "cannot verify server identity" for self-signed SSL Cert.
We are running Exchange 2007 SP3 with a self assigned certificate. After upgrading to 4.2.1 all users receive the message "Cannot Verify Server Identity" whenever the phone pulls down email/calendar/etc. Pressing "Continue" allows mail to download, however you have to press "continue" multiple times (apparently one for each message).
You can press "Details" and choose accept, however the problem continues. I have tried doing a hard reset, but this fixes nothing. I am sure it is a bug with 4.2.1 (4.1 worked just fine) specifically with self-signed certificates. If anyone has a fix please let me know. However, I'm sure that I should just be pleading to the Apple gods to quickly release a fix.
Making it very irritating to log in to Exchange OWA. I currently have the root, Exchange server and personal certificates installed on the device and it acts like they do not exist. I basically have to keep punching the cert to use, probably close to 30 times, until the page has loaded. Once the page is loaded the certificate requests stop. Strangely, in the console I keep getting:
Thu Dec 2 09:45:21 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
and this all started after the upgrade to 4.2.1
Makes me wonder if perhaps it is a problem with iPCU.
-
IMAP Mail Setup with self-signed SSL certs
I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
Also, it doesn't seem possible to install SSL certs out of Safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doesn't exist in Safari Mobile. If you have the server's cert (.der) file in the web root of the server, it is possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable.
If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.
-
Anyone having issues with Self-Signed SSL-certs on mail servers?
Can't get it to allow connecting via SSL to outgoing mail servers with self-signed certificates. Problem did not exist in earlier versions of OSX as far as I know.
YES. I have a cert from lunarpages, where my accounts are hosted. I'm seeing two issues, and they are different for the different servers at lunarpages:
1. Multiple logins from different machines --> problem
2. Multiple accounts accessing same server --> problem
So, with 1 account on one of lunarpages machines, I can have several machines running Mail with ssl on at the same time and get no problem (that is, once I've saved the certificate and marked it trusted). But as soon as another account (my wife's email on the same domain, for example) tries to access the same server, it gives me an ssl error, a choice to save that cert. and if I do then my account will generate the ssl error. Seems like only one account can have the certificate.
On another account on a different lunarpages machine, I can't have several machines running Mail at the same time, only the first will get through and the rest will give an SSL error.
Lunarpages says they can't find a problem, though my last email with them told me to use TLS rather than SSL. Of course, there's no way to specify that in Mail anyway, but I'd thought Mail automatically used TLS anyway, and I'm running the right ports (587 for smtp, 993 for incoming).
Feels like it's an issue with Mail or the OS's handling of certificates. Any clues on a fix will be most appreciated as this is getting annoying. I've had to turn off SSL on my wife's and daughter's accounts just so that I can use it. And I have to quit Mail so that on the other account I can get my mail on my iPhone. Having to quit Mail on my main work machine is frustrating -- if I forget to do it I can't get mail.
-
Self-signed root cert - is it from Lenovo?
I heard about a small program rcc.exe that will check your Windows SSL cert root store for funny certificates. Out of 350 root certs, there was one flagged. It is marked as permitted for ALL purposes (email, SSL, software signing, etc.). It has NO information whatsoever. Its validity starts sometime in 2009 and runs out to 2060. The identity is a long string of characters, I think it starts with letter M (can't confirm now). Is it possible this cert is used by Lenovo software? It would be just like them to do something sloppy like that. I don't want to remove it and find all sorts of Lenovo tools disabled.
Sorry for delay - didn't see notification of any reply. I am using Windows. Exact item in question is a self-signed cert that is found in my trusted root store. The only information is the long ID, merely a lengthy random character string, so no point in posting it here. There are absolutely no certificate fields with any data in them. The cert claims to be designated for ALL purposes - that would include code-signing I presume! In other words, the Issued-To and Issued-By fields are the same long character string; the expiration date is way out there (did I say 2060?). I was using the most current version of rcc.exe when I posted. However, I can look at my certificate store and see the cert there with absolutely no additional info. I am not able to access that computer right now, but I wouldn't have any more info! I am on another computer now (non-Lenovo) and just scanned the trusted root store and everything in it is identified.
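A triage pass over the trusted root stores for the traits described in the post above (no purpose restriction, no identifying fields, very long validity), as an added example that is not part of the original thread and is not rcc.exe's method. The 30-year threshold and the two-trait cutoff are assumptions; purpose restrictions that Windows keeps as store properties outside the certificate are not read here.

```powershell
# Added example, not from the original post. Thresholds are assumptions and
# the output is a list to review by hand, not a verdict on any certificate.
$maxLifetimeYears = 30
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()

        # No Enhanced Key Usage extension (OID 2.5.29.37): the certificate
        # itself places no limit on the purposes it can be used for.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku) { $reasons += 'no EKU extension' }

        # Subject carries no organization (O=) component, so nothing says
        # who operates the root.
        if ($cert.Subject -notmatch '(^|,\s*)O=') { $reasons += 'no O= in subject' }

        # Validity period longer than the chosen threshold.
        $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
        if ($years -gt $maxLifetimeYears) {
            $reasons += ('valid for {0:N0} years' -f $years)
        }

        # Many legitimate roots show one of these traits; report only
        # certificates that combine at least two.
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Store, Subject | Format-List
```

Record the thumbprint of anything it lists and identify which installed software added it before deciding whether to remove it.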
-
Renew Exchange 2007 self signed SSL cert : Warning
Hi,
We are getting an issue with the new SSL certificate being created.
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
'1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
connectors match that FQDN: Send to Internet.
Here's the code below:
[PS] C:\Windows\System32>get-exchangecertificate | list
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 1:46:15 PM
NotBefore : 7/23/2012 1:46:15 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 52F90CEC000000000005
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 11:44:05 AM
NotBefore : 7/23/2012 11:44:05 AM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 5289341C000000000003
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
[PS] C:\Windows\System32>get-exchangecertificate 1B6705DB9755A75E94F5B05081AEDED
3A0065D4A | New-ExchangeCertificate
WARNING: This certificate will not be used for external TLS connections
with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate
with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
precedence. The following connectors match that FQDN: Default PPLOEX2K7.
WARNING: This certificate will not be used for external TLS connections
with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate
with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
precedence. The following connectors match that FQDN: Send to Internet.
Confirm
Overwrite existing default SMTP certificate,
'99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB' (expires 7/23/2014 11:44:05
AM), with certificate 'F835E526BC8D3805E7AA230A17C5971872D3759C'
(expires 7/22/2015 10:17:51 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y
Thumbprint Services
Subject
F835E526BC8D3805E7AA230A17C5971872D3759C ..... C=ph, S=NCR, L=Pasig, O...
[PS] C:\Windows\System32>get-exchangecertificate | list
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : True
Issuer : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
om
NotAfter : 7/22/2015 10:17:51 AM
NotBefore : 7/22/2014 10:17:51 AM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 6B5A6E27C63C36A54FDD3E07FF982497
Services : IMAP, POP, SMTP
Status : Valid
Subject : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
om
Thumbprint : F835E526BC8D3805E7AA230A17C5971872D3759C
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 1:46:15 PM
NotBefore : 7/23/2012 1:46:15 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 52F90CEC000000000005
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 11:44:05 AM
NotBefore : 7/23/2012 11:44:05 AM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 5289341C000000000003
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
Services: [PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint F835E5
26BC8D3805E7AA230A17C5971872D3759C -Service IIS, SMTP, IMAP, POP
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with
thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The
following connectors match that FQDN: Default PPLOEX2K7.
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
'1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
connectors match that FQDN: Send to Internet.
[PS] C:\Windows\System32>
Hi Jammizi,
I collect some information from the command results as below:
1. When run Get-ExchangeCertificate | FL command, it returned 2 certificates.
•Certificate01
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
IsSelfSigned : False
Services : IMAP, POP, IIS
•Certificate02
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
IsSelfSigned : False
Services : IMAP, POP, SMTP
2. When run Get-ExchangeCertificate 1B….4A (Certificate01) | New-ExchangeCertificate, got warning.
Overwrite Certificate02 (99…BB) to Certificate03 (F8…9C).
3. When run Get-ExchangeCertificate | FL command, it returned 3 certificates.
•Certificate03
Thumbprint : F835E526BC8D3805E7AA230A17C5971872D3759C
IsSelfSigned : True
Services : IMAP, POP, SMTP
•Certificate01
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
IsSelfSigned : False
Services : IMAP, POP, IIS
•Certificate02
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
IsSelfSigned : False
Services : IMAP, POP, SMTP
4. When run Enable Certificate03 command, got warning.
According to the information above, please notice that both Certificate01 and Certificate02 are not self-signed certificates. And the New-ExchangeCertificate command in Exchange 2007 server creates a new Exchange self-signed certificate. I suggest double-checking whether your org has self-signed certificates. If your org only needs 3rd party certificates without a self-signed certificate, I suggest applying for a new certificate from the CA.
Thanks
Mavis
Mavis Huang
TechNet Community Support
-
How to create a Self-Signed Digital Certificate in Office 2013
In office 2010 we had a "Digital Certificate for VBA Projects" tool for creating self-signed certificates. How do we do this with the newer Office 2013 suite?
Eugene,
This answer is wrong. The answer from rLogic above is better. Things in fact have changed. The article: Digitally sign your macro project is fine for Office 2010 but not for Office 2013. The article: Digitally sign your macro project tells you to do this:
Windows 7, Windows Vista, or Windows XP
Click Start, point to All Programs, click Microsoft Office, click Microsoft Office Tools, and then click Digital Certificate for VBA Projects.
The Create Digital Certificate dialog box appears.
But you can't follow these instructions if you have Office 2013. In Office 2013, Digital Certificate for VBA no longer exists in the Microsoft Office Tools folder. You need to hunt for
"C:\Program Files\Microsoft Office 15\root\office15\SELFCERT.EXE"
and then run that .exe by clicking on it. Then you can follow the rest of the instructions in Digitally sign your macro project.
-
Accessing websites running on non-standard ports or with self-signed ssl certs?
I've got some sites running using self-signed ssl's that also run on non-standard ports. Firefox home doesn't seem to open these pages it just sits there with the spinner loading and a blank screen...
Anyone else noticed this?
If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
That's why it's generally recommended to go the route of using a well-known public CA, as they are already included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate, or self-signing certificates on the ASA, then you need to take additional steps at the client.
In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e. the ASA's identity certificate) would automatically be trusted by the client.
In the second case, the ASA's identity certificate itself would have to be installed on the client since it (the ASA) is essentially acting as its own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate.
-
How do I trust a self-signed issuer certificate?
I created a self-signed CA cert using openssl, and imported it into Firefox, but when I select it in the Certificate Manager under “Your Certificates” and click “View…”, I see the message “Could not verify this certificate because the issuer is not trusted.”
https://www.dropbox.com/s/i38v78802ym9fug/Screenshot%202014-04-15%2010.49.14.png
When I visit the site that I set up with an SSL cert signed by that same self-signed CA cert, I get an untrusted connection warning with the following technical details: “staging.cakemade.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)”
https://www.dropbox.com/s/rvq00r0pdn99rd6/Screenshot%202014-04-15%2010.57.54.png
When I view the site certificate, it correctly identifies the issuer as the CA cert that I imported, but also displays the message “Could not verify this certificate because the issuer is not trusted.”
https://www.dropbox.com/s/b3no5pdhf9ddx5h/Screenshot%202014-04-15%2010.57.29.png
I am using Firefox Aurora, and apply updates daily. I am using the default settings for OCSP.
https://www.dropbox.com/s/in58viu3q6wkxvn/Screenshot%202014-04-15%2011.02.22.png
What do I need to do to get Firefox to trust the CA cert that I imported?
I'm assuming you've imported your CA cert underneath the 'Authorities' tab.
Restart FF after importing the cert.
I'd expect you're being prompted to set the trust level upon importing the cert. If not you can do that manually via the 'Edit Trust' button.