Creating a self signed SAN Cert

Similar Messages

• Create/install self signed ssl cert

  I'm evaluating the platform edition server. Is there a quick way to create and install a self signed ssl server certificate (I'm running Windows 2000 pro).
  Thanks
  Mark

  Download the NSS tools from here:
  http://wwws.sun.com/software/download/products/3e3afa8e.html
  Documentation for NSS tools can be found here (see certutil):
  http://www.mozilla.org/projects/security/pki/nss/tools/

• Creating a self signed certificate - how do you set the 'storepass'

  Hi, I'm trying to use the ADT to create an AIR 2.7 file, but it's the first time i've used the command line tool to build one and am having problems understanding the signing process.
  I can generate a cert.p12 keystore file from within the flash IDE, and this asks for a password for the file (-storepass)
  I can also use ADT to create a self-signed certificate from the command line, here you can specify the -keystore (cert location) and -keypass (password for the key in the store)
  I cannot find a way of generating a self-signed certificate where you can specify both passwords though, one for the store (-storepass) and one for the key (-keypass).
  This is a problem because when i go to package my AIR file using ADT it needs both passwords -storepass and -keypass before it can publish it.
  Does anyone know how to generate a self-signed .p12 certificate and have control over both the keys...?
  I have spent hours playing and searching now so may have the wrong end of the stick, could do with some help getting past this issue.
  Thanks
  Sean

  There is only one password is required to package for ipa as far I know
  Sample command:
  C:\AdobeAIRSDK\bin\adt.bat -package -target ipa-test -storetype pkcs12 -keystore [KEYFILE].p12 -storepass [KEY PASSWORD] -provisioning-profile [MOBILE PROVISION FILE].mobileprovision [IPA NAME].ipa [XML FILE NAME].xml [SWF FILE NAME].swf Icon_29.png Icon_48.png Icon_57.png Icon_72.png Icon_512.png Default-Landscape.png Default-Portrait.png Default-PortraitUpsideDown.png Default-PortraitLandscapeLeft.png Default-PortraitLandscapeRight.png

• Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

  SCCM 2012 has been successfully installed on the server:
  SRVSCCM.
  The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
  Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
  The cluster service is running on the account: sqlclusteruser
  The account has the appropriate SPN are registered:
  setspn -L domain\sqlclusteruser
  Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
  MSSQLSvc/CLS-SQL4
  MSSQLSvc/CLS-SQL4.domain.local
  MSSQLSvc/CLS-SQL4:11434
  MSSQLSvc/CLS-SQL4.domain.local:11434
  After some time on the cluster hosts every day started appearing new folders with files inside:
  srvboot.exe
  srvboot.ini
  srvboot.log
  srvboot.log contains the following information:
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
  Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
  Copyright (C) 2011 Microsoft Corp.
  Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
  Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
  Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
  Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
  Failed to retrieve SQL Server service account.
  Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
  Disconnecting from Site Server.
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

  The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
  Without successfull bootstrap the siteserver backup is not able to run successfully.
  Try grant everyone the read permisson on
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
  This worked for me.
  After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
  After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
  sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

• Problems with Creating a self-signed Certificate

  hi,
  I read the keytool Documentation and wanted to create my own self-signed certificate.
  ok, I followed the steps :
  1) keytool -keyclone -alias origkey -dest my_key
  2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
  3) keytool -certreq -alias my_key (output in mycert.cer)
  4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
  .. Password Input...
  Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
  But it exists, see :
  [usr]$ keytool -list
  Keystore-Typ: jks
  Keystore-Provider: SUN
  new_key, 06.05.2003, keyEntry,
  So it exists, but why do I get the error ?
  So far,
  Stefan Gross

  stefan hi,
  i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
  and then using the keystore you can create as many certificates as possible based on the key pair.
  try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
  hope this time it'll work, let me know.
  cem.
  note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
  To set up a digital certificate,
  Generate a key pair.
  The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
  To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
  keytool -genkey -keyalg RSA -alias tomcat-server
  -keystore <keystore_filename>
  The keytool utility prompts you for the following information:
  Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
  First and last name--Enter the appropriate value, for example, JWSDP.
  Organizational unit--Enter the appropriate value, for example, Java Web Services.
  Organization--Enter the appropriate value, for example, Sun Microsystems.
  City or locality--Enter the appropriate value, for example, Santa Clara.
  State or province--Enter the unabbreviated name, for example, CA.
  Two-letter country code--For the USA, the two-letter country code is US.
  Review the information you've entered so far, enter Yes if it is correct.
  Key password for the Web server--Do not enter a password. Press Return.
  The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
  Creating a Self-Signed Certificate
  This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
  Export the server certificate to a certificate file:
  keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
  Enter the password (changeit).
  Keytool returns the following message:
  Certificate stored in file <server.cer>
  Import the new server certificate into the Certificate Authority file cacerts.jks:
  keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
  -file server.cer
  Enter the password (changeit).
  Keytool returns a message similar to the following:
  Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Serial number: 3e39e3e0
  Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
  Certificate fingerprints:
  MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
  SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  ----------------------------------

• Http Analyzer connecting to server with self-signed SSL cert

  When making webservice calls using Axis 1.3 to our development site that uses a self-signed SSL cert I am getting the following error when running the Http Analyzer:
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  Works fine if I turn off proxy in run configuration for project or when used against a site with a purchased cert. I assume the problem is with Http Analyzer not being able to find the server cert in a local keystore, is there a way to import the cert so that I can run Http Analyzer against the site?
  Tried adding server cert to <jdkhome>/jre/lib/security/cacerts keystore but still have the problem.
  Am using JDeveloper 10.1.3.
  Thanks,
  John

  I fixed that by getting certs from: https://www.startssl.com/?app=1.
  The certs are free and work fine.
  Since Iphone 4 apple does not accept unknown CA Authorities.

• Create self signed ssl cert

  I'm trying to test the app server. Is there a quick way to install a self signed server certificate (I'm running Windows 2000 pro).
  Thanks
  Mark

  Download the NSS tools from here:
  http://wwws.sun.com/software/download/products/3e3afa8e.html
  Documentation for NSS tools can be found here (see certutil):
  http://www.mozilla.org/projects/security/pki/nss/tools/

• IOS 4.2.1 Causes "cannot verify server identity" for self-signed SSL Cert.

  We are running Exchange 2007 SP3 with a self assigned certificate. After upgrading to 4.2.1 all users receive the message "Cannot Verify Server Identity" whenever the phone pulls down email/calendar/etc. Pressing "Continue" allows mail to download, however you have to press "continue" multiple times (apparently one for each message).
  You can press "Details" and choose accept, however the problem continues. I have tried doing a hard reset, but this fixes nothing. I am sure it is a bug with 4.2.1 (4.1 worked just fine) specifically with self-signed certificates. If anyone has a fix please let me know. However, I'm sure that I should just be pleading to the Apple gods to quickly release a fix.

  Making it very irritating to log in to exchange owa. I currently have the root, Exchange server and personal certificates installed on the device and it acts like they do not exist. I basicly have to keep punching the cert to use, probably close to 30 times, until the page has loaded. Once the page is loaded the certificate requests stop. Strangely in the console i keep getting:
  Thu Dec 2 09:45:21 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
  Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
  Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
  Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
  Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
  Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
  Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
  Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
  Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
  and this all started after the upgrade to 4.2.1
  Makes me wonder if perhaps it is a problem with iPCU.

• IMAP Mail Setup with self-signed SSL certs

  I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
  Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

  If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
  And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

• Anyone having issues with Self-Signed SSL-certs on mail servers?

  Can't get it to allow connecting via SSL to outgoing mail servers with self-signed certificates. Problem did not exist in earlier versions of OSX as far as I know.

  YES. I have a cert from lunarpages, where my accounts are hosted. I'm seeing two issues, and they are different for the different servers at lunarpages:
  1. Multiple logins from different machines --> problem
  2. Multiple accounts accessing same server --> problem
  So, with 1 account on one of lunarpages machines, I can have several machines running Mail with ssl on at the same time and get no problem (that is, once I've saved the certificate and marked it trusted). But as soon as another account (my wife's email on the same domain, for example) tries to access the same server, it gives me an ssl error, a choice to save that cert. and if I do then my account will generate the ssl error. Seems like only one account can have the certificate.
  On another account on a different lunarpages machine, I can't have several machines running Mail at the same time, only the first will get through and the rest will give an SSL error.
  Lunarpages says they can't find a problem, though my last email with them told me to use TLS rather than SSL. Of course, there's no way to specify that in Mail anyway, but I'd thought Mail automatically used TLS anyway, and I'm running the right ports (587 for smtp, 993 for incoming).
  Feels like it's an issue with Mail or the OS's handling of certificates. Any clues on a fix will be most appreciated as this is getting annoying. I've had to turn off SSL on my wife's and daughter's accounts just so that I can use it. And I have to quit Mail so that on the other account I can get my mail on my iPhone. Having to quit Mail on my main work machine is frustrating -- if I forget to do it I can't get mail.

• Self-signed root cert - is it from Lenovo?

  I heard about a small program rcc.exe that will check your Windows SSL cert root store for funny certificates. Out of 350 root certs, there was one flagged. it is marked as permitted for ALL purposes (email, SSL, software signing, etc.). It has NO information whatsoever. Its validity starts sometime in 2009 and runs out to 2060. The identity is a long string of characters, I think it starts with letter M (can't confirm now). Is it possible this cert is used by Lenovo software? it would be just like them to do something sloppy like that. I don't want to remove it and find all sorts of Lenovo tools disabled.

  Sorry for delay - didn't see notification of any reply. I am using Windows. Exact item in question is a self-signed cert that is found in my trusted root store. The only infomration is the long ID, merely a lengthy random character string, so no point in posting it here. There are absolutely no certificate fields with any data in them. The cert claims to be designated for ALL purposes - that would include code-signing I presume! In other words, the Issued-To and Issued-By fields are the same long character string; the expiration date is way out there (did I say 2060?). I was using the most current version of rcc.exe when I posted. However, I can look at my certificate store and see the cert there with absolutely no additional info. I am not able to access that computer right now, but I wouldn't have any more info! I am on another computer now (non-Lenovo) and just scanned the trusted root store and everything in it is identified. 

• Renew Exchange 2007 self signed SSL cert : Warning

  Hi,
  We are getting an issue with the new SSL certificate being created. 
  WARNING: This certificate will not be used for external TLS connections with an
  FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
  '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
  connectors match that FQDN: Send to Internet. 
  Heres the code below:
  [PS] C:\Windows\System32>get-exchangecertificate | list
  AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                       .Security.AccessControl.CryptoKeyAccessRule}
  CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                       .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                       X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
  HasPrivateKey      : True
  IsSelfSigned       : False
  Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
  NotAfter           : 7/23/2014 1:46:15 PM
  NotBefore          : 7/23/2012 1:46:15 PM
  PublicKeySize      : 2048
  RootCAType         : Enterprise
  SerialNumber       : 52F90CEC000000000005
  Services           : IMAP, POP, IIS
  Status             : Valid
  Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                       ph
  Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
  AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                       .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                       ty.AccessControl.CryptoKeyAccessRule}
  CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
                       [mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
  HasPrivateKey      : True
  IsSelfSigned       : False
  Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
  NotAfter           : 7/23/2014 11:44:05 AM
  NotBefore          : 7/23/2012 11:44:05 AM
  PublicKeySize      : 2048
  RootCAType         : Enterprise
  SerialNumber       : 5289341C000000000003
  Services           : IMAP, POP, SMTP
  Status             : Valid
  Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                       ph
  Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
  [PS] C:\Windows\System32>get-exchangecertificate 1B6705DB9755A75E94F5B05081AEDED
  3A0065D4A | New-ExchangeCertificate
  WARNING: This certificate will not be used for external TLS connections
  with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate
  with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
  precedence. The following connectors match that FQDN: Default PPLOEX2K7.
  WARNING: This certificate will not be used for external TLS connections
  with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate
  with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
  precedence. The following connectors match that FQDN: Send to Internet.
  Confirm
  Overwrite existing default SMTP certificate,
  '99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB' (expires 7/23/2014 11:44:05
  AM), with certificate 'F835E526BC8D3805E7AA230A17C5971872D3759C'
  (expires 7/22/2015 10:17:51 AM)?
  [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
  (default is "Y"):y
  Thumbprint                                Services  
  Subject
  F835E526BC8D3805E7AA230A17C5971872D3759C  .....      C=ph, S=NCR, L=Pasig, O...
  [PS] C:\Windows\System32>get-exchangecertificate | list
  AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                       .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                       ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                       ssControl.CryptoKeyAccessRule}
  CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                       .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                       X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
  HasPrivateKey      : True
  IsSelfSigned       : True
  Issuer             : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
                       om
  NotAfter           : 7/22/2015 10:17:51 AM
  NotBefore          : 7/22/2014 10:17:51 AM
  PublicKeySize      : 2048
  RootCAType         : None
  SerialNumber       : 6B5A6E27C63C36A54FDD3E07FF982497
  Services           : IMAP, POP, SMTP
  Status             : Valid
  Subject            : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
                       om
  Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C
  AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                       .Security.AccessControl.CryptoKeyAccessRule}
  CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                       .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                       X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
  HasPrivateKey      : True
  IsSelfSigned       : False
  Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
  NotAfter           : 7/23/2014 1:46:15 PM
  NotBefore          : 7/23/2012 1:46:15 PM
  PublicKeySize      : 2048
  RootCAType         : Enterprise
  SerialNumber       : 52F90CEC000000000005
  Services           : IMAP, POP, IIS
  Status             : Valid
  Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                       ph
  Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
  AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                       .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                       ty.AccessControl.CryptoKeyAccessRule}
  CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
                       [mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
  HasPrivateKey      : True
  IsSelfSigned       : False
  Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
  NotAfter           : 7/23/2014 11:44:05 AM
  NotBefore          : 7/23/2012 11:44:05 AM
  PublicKeySize      : 2048
  RootCAType         : Enterprise
  SerialNumber       : 5289341C000000000003
  Services           : IMAP, POP, SMTP
  Status             : Valid
  Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                       ph
  Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
  Services: [PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint F835E5
  26BC8D3805E7AA230A17C5971872D3759C -Service IIS, SMTP, IMAP, POP
  WARNING: This certificate will not be used for external TLS connections with an
  FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with
  thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The
  following connectors match that FQDN: Default PPLOEX2K7.
  WARNING: This certificate will not be used for external TLS connections with an
  FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
  '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
  connectors match that FQDN: Send to Internet.
  [PS] C:\Windows\System32>

  Hi Jammizi,
  I collect some information from the command results as below:
  1. When run Get-ExchangeCertificate | FL command, it returned 2 certificates.
  •Certificate01
  Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
  IsSelfSigned       : False
  Services           : IMAP, POP, IIS
  •Certificate02
  Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
  IsSelfSigned       : False
  Services           : IMAP, POP, SMTP
  2. When run Get-ExchangeCertificate 1B….4A (Certificate01) | New-ExchangeCertificate, got warning.
     Overwrite Certificate02 (99…BB) to Certificate03 (F8…9C).
  3. When run Get-ExchangeCertificate | FL command, it returned 3 certificates.
  •Certificate03
  Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C
  IsSelfSigned       : True
  Services           : IMAP, POP, SMTP
  •Certificate01
  Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
  IsSelfSigned       : False
  Services           : IMAP, POP, IIS
  •Certificate02
  Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
  IsSelfSigned       : False
  Services           : IMAP, POP, SMTP
  4. When run Enable Certificate03 command, got warning.
  According to the information above, please notice that both Certificate01 and Certificate02 are not Self-signed certificate. And the New-ExchangeCertifiate command in Exchange 2007 server is to new an Exchange Self-signed certificate. I suggest double check
  whether your org has self-signed certificates. If your org only need 3rd party certificates without self-signed certifcate, I suggest apply a new certificate from CA.
  Thanks
  Mavis
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Mavis Huang
  TechNet Community Support

• How to create a Self-Signed Digital Certificate in Office 2013

  In office 2010 we had a "Digital Certificate for VBA Projects" tool for creating self-signed certificates.  How do we do this with the newer Office 2013 suite?

  Eugene,
  This answer is wrong.  The Answer from rLogic above is better.  Things in fact
  have changed.  The article: Digitally sign your macro project
   is fine for Office 2010 but not for Office 2013.  The article: Digitally sign your macro project  tells you to do this:
  Windows 7, Windows Vista, or Windows XP
  Click Start, point to All Programs, click Microsoft Office, click Microsoft
  Office Tools, and then click Digital Certificate for VBA Projects.
  The Create Digital Certificate dialog box appears.
  </section>
  But, you can't follow these instructions if you have office  2013. In Office
  2013 Digital Certificate for VBA
  no longer exists in the Microsoft
  Office Tools folder.  You  need to hunt for
  "C:\Program Files\Microsoft Office
  15\root\office15\SELFCERT.EXE"
  and then run that .exe by clicking on it.  Then you can follow the rest of the instructions
  in Digitally sign your macro project

• Accessing websites running on non-standard ports or with self-signed ssl certs?

  I've got some sites running using self-signed ssl's that also run on non-standard ports. Firefox home doesn't seem to open these pages it just sits there with the spinner loading and a blank screen...
  Anyone else noticed this?

  If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
  That's why it's generally recommend to go the route of using a well-know public CA as they are alreay included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
  If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.
  In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e the ASA's identity certificate) would automatically be trusted by the client.
  In the second case, the ASA's identity certificate itself would have be installed on the client since it (the ASA) is essentially acting as it's own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate.

• How do I trust a self-signed issuer certificate?

  I created a self-signed CA cert using openssl, and imported it into Firefox, but when I select it in the Certificate Manager under “Your Certificates” and click “View…”, I see the message “Could not verify this certificate because the issuer is not trusted.”
  https://www.dropbox.com/s/i38v78802ym9fug/Screenshot%202014-04-15%2010.49.14.png
  When I visit the site that I set up with an SSL cert signed by that same self-signed CA cert, I get an untrusted connection warning with the following technical details: “staging.cakemade.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)”
  https://www.dropbox.com/s/rvq00r0pdn99rd6/Screenshot%202014-04-15%2010.57.54.png
  When I view the site certificate, it correctly identifies the issuer as the CA cert that I imported, but also displays the message “Could not verify this certificate because the issuer is not trusted.”
  https://www.dropbox.com/s/b3no5pdhf9ddx5h/Screenshot%202014-04-15%2010.57.29.png
  I am using Firefox Aurora, and apply updates daily. I am using the default settings for OCSP.
  https://www.dropbox.com/s/in58viu3q6wkxvn/Screenshot%202014-04-15%2011.02.22.png
  What do I need to do to get Firefox to trust the CA cert that I imported?

  I'm assuming you've imported your CA cert underneath the 'Authorities' tab.
  Restart FF after importing the cert.
  I'd expect you're being prompted to set the trust level upon importing the cert. If not you can do that manually via the 'Edit Trust' button.