CSCut26025 - Doc. ISE 1.3 certificate chain is not being send till services restarted

hi,
i got issues with a chained certificate for the guest portal too. could you please let me know which service/services need to be restarted? or should i restart the whole ise after importing the required certificates?
regards
thilo

Hi,
You would have to restart the services, there is a note in the Cisco ISE document. Please refer it below:
If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1183856
Regards,
Tushar Bangia
Note : Please do rate post if you find it helpful!!

Similar Messages

  • Certificate Authority is not being seen by windows server 2003 machines

    Good Afternoon,
    We recently installed a certificate authority using windows server 2008 r2. There was an old certificate authority that had went bad and the role could not be uninstalled on the bad server. The new certificate authority works with windows 2008 machines but
    does not work with server 2003 machines. Mainly trying to get the domain controller certificate. At first it was stating that the rpc was unavailable for the CA. I tried to delete the remnants under the sites and services role of the old server. The error
    now it states that it can not find a certificate authority. As stated above the newer machines (Server 2008)  can see the certificate authority and request certificates but older machines cant. Any assistance on what to do next will be greatly appreciated.
    Attached is the error I receive when trying to request a certificate through the CA mmc.
    dmg

    It is possible to change the hash algorithm a CA uses  to support XP and 2003 "out of the box" without the hotfix.
    But it would be better to have two CAs in parallel - one using a more modern algorithm and a CA supporting a "legacy" algorithm - and the latter should only be used as long as there are clients that aren't able to validate the other algorithms.
    On the CA, start regedit and locate the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA>\CSP
    I am assuming that the Software CNG provider is used with SHA256 or higher (not with SHA1).
    Change CNGHashAlgorithm to SHA1 and restart the CA service.
    The setting can be reverted by changing the value back. All certificates and all CRLs signed by this CA will use the new hash algorithm after the restart.

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I´m stucked with this problem for 3 weeks now.
    I´m not able to configure the EAP-TLS autentication.
    In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
    The ISE´s certificate has been issued with the "server Authentication certificate" template.
    The clients have installed the certificates  also the certificate chain.
    When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don´t know what else can I do.
    Thank you
    Jorge

    Hi Rik,
    the Below are the certificate details
    ISE Certificate Signed by XX-CA-PROC-06
    User PKI Signed by XX-CA-OTHER-08
    In ISE certificate Store i have the below certificates
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled - 'Trust for client authentication' on all three certificates
    this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
    when i check the certificates of current user in the Client PC this is how it shows.
    XX-CA-ROOT-04 is listed in Trusted root Certification Authority
    and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

  • PEM or DER Format certificate chain

    I have installe an ISE 1.2.0.899. It is used for Guest Services only, the customer require all its employees be able to access the sponsor portal and validated their credentials using LDAPS. Not LDAP, not AD feature in ISE. The problem is because in order to enable LDAPS I must upload to ISE the root CA certificate, the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and give it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third party tools to convert the file (www.sslshopper.com and openssl). It appears the convertion is successfull but when I try to upload on ISE Certificate Store always I get the same errror: "Unable to read certificate file - please be sure file is in PEM or DER format".
    So the questions are:
    1. Is the file provided by the PKI in p7b format always?
    2. What should be the most proper way to convert the file to something the ISE can understand?
    3. Should be the root CA certificate a vey best option?
    Even the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files, I recovered them and uploaded to ISE. Whit two of these three files selected on LDAPS security configuration I can run the "Test bind to Server" successfully but everytime an user try with its own credentials always the access is denied with "invalid username or password" error.
    Locking in the ISE log I found this messages:
    ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226
    ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396
    631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765
    WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970
    ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202
    ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461
    ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328
    ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117
    ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608
    I don't have idea what do they mean.
    Someone told me the convertion made with mmc on my pc was an error and I need to repeat the same process using administrative tools on a server
    I'm really confused and I don't know how continue with a troubleshoot process.
    How can I know the original file is correct?
    How can I know the conversion is correct?
    As the original chain includes three certificates, I should upload them to ISE separately or as one file?
    Attached is the Sponsor policy screenshoot. I have two rules with the same conditions one por AD (just for test), one for LDAPS.
    I will appreciate your help
    Regards.
    Daniel Escalante

    Hi,
    If you open the .p7b file on a Windows machine. (Open not install)
    Go to the Certification Path and click on the root certificate, click View Certificate.
    Now you have the root certificate.
    Go to Details and click Copy to File. This give you the option to exprot the root cert.
    Click next, here you can select to save as Base-64 encoded (DER) that you can import in ISE.
    Click next and save. Then try to import under Server certifiactes on ISE
    You can do this for sub-CA cert in the chain as well.
    HTH

  • The verification of the server's certificate chain failed

    Hi All,
    Not sure this is the right forum for this but never mind.
    I am trying to get abap2GApps working and am having problems with the client certificates.
    I am getting the below error in ICM :-
    [Thr 06] Mon Jul 30 09:34:47 2012
    [Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 06]    session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
    [Thr 06] SecudeSSL_SessionStart: SSL_connect() failed
      secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
    [Thr 06] >>            Begin of Secude-SSL Errorstack            >>
    [Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
    ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
    [Thr 06] <<            End of Secude-SSL Errorstack
    [Thr 06]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 06]   SSL NI-sock: local=172.30.7.170:59036  peer=172.30.8.100:80
    [Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT
    [Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]
    Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.
    For accounts.google.com they use (this set works) :-
    1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
    3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    For docs.google.com they use a different set of SSL certs. :-
    1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Google Internet Authority, O=Google Inc, C=US
    3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Can anyone explain what I am doing wrong or how to correct this?
    Thanks
    Craig

    Further UPDATE
    After removing every certificate related to docs.google.com I still get the same error!
    I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.
    I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!
    Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!
    "Situation: The ICM is in the client role and the following entry is displayed in the trace:
    ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.
    Solution:The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."
    What could possibly causing this?
    Please help!
    Craig

  • SunPKCS11's keystore requirements (fails to build certificate chain)

    According to http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions in order to build a certificate chain, SunPKCS11 performs the following to match certificates:
    From the end entity certificate, a call fo C_FindObjectsInit is made with a search template that includes the following attributes:
    CKA_TOKEN = true
    CKA_CLASS = CKO_CERTIFICATE
    CKA_SUBJECT = [DN of certificate issuer]
    This matching fails for an etoken (opensc/pkcs15, key and certs stored with keytool -importkeystore from jks) containing the following objects, where the issuer's DN is CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Private RSA Key [Private Key]
    Com. Flags : 3
    Usage : [0x4], sign
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength : 1024
    Key ref : 16
    Native : yes
    Path : 3f005015
    Auth ID : 01
    ID : 612d736974
    X.509 Certificate [a-sit]
    Flags : 2
    Authority: no
    Path : 3f0050153178
    ID : 612d736974
    X.509 Certificate [Certificate]
    Flags : 2
    Authority: no
    Path : 3f005015313a
    ID : 636e3d766572697369676e20636c617373203320636f6465207369676e696e6720323030342063612c6f753d7465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930342c6f753d766572697369676e207472757374206e6574776f726b2c6f3d76657269
    The end entity certificate is successfully matched to the key:
    Version: V3
    Subject: CN=Zentrum fuer sichere Informationstechnologie - Austria (A-SIT), OU=Digital ID Class 3 - Java Object Signing, O=Zentrum fuer sichere Informationstechnologie - Austria (A-SIT), L=Vienna, ST=Vienna, C=AT
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
    modulus: 113647510668539930848910584051009146136267080950854001463338500293556842878352765608061940674763417364058781591049348918719586172693823356224986624474642218762804163195838659801763621964100792207693593891254043592410389875992114868414436934974159621776873147367719845947683002652939166210516092495059090352681
    public exponent: 65537
    Validity: [From: Thu Nov 20 01:00:00 CET 2008,
                   To: Mon Nov 21 00:59:59 CET 2011]
    Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    SerialNumber: [    17e26e45 7f8659ef e6cf3ef5 52fa1224]
    Certificate Extensions: 9
    [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [accessMethod: 1.3.6.1.5.5.7.48.1
       accessLocation: URIName: http://ocsp.verisign.com, accessMethod: 1.3.6.1.5.5.7.48.2
       accessLocation: URIName: http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer]
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 08 F5 51 E8 FB FE 3D 3D 64 36 7C 68 CF 5B 78 A8 ..Q...==d6.h.[x.
    0010: DF B9 C5 37 ...7
    [3]: ObjectId: 1.3.6.1.4.1.311.2.1.27 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 08 30 06 01 01 00 01 01 FF ..0.......
    [4]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
    [PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.1
      qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
    0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa
    [5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
    Object Signing
    [6]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [7]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    codeSigning
    [8]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://CSC3-2004-crl.verisign.com/CSC3-2004.crl]
    [9]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 93 57 89 4A 4E 63 16 29 73 92 F1 D3 C7 B3 3C 87 .W.JNc.)s.....<.
    0010: C9 FB 22 52 DD DD 59 AB 3A 63 E3 65 8E 34 D4 C3 .."R..Y.:c.e.4..
    0020: 4E A0 6D 8E BB 89 DD 97 CE 63 2C 9F 43 CF 1F 55 N.m......c,.C..U
    0030: 39 74 32 5E 75 93 91 57 A3 63 F7 AD F3 5D 6F C7 9t2^u..W.c...]o.
    0040: D7 CB A7 8B 79 43 C6 00 2E C8 AD E1 D5 A7 95 97 ....yC..........
    0050: 21 AD 9E 7E 58 05 A0 80 5D 27 0E FA B6 6E 41 58 !...X...]'...nAX
    0060: 68 34 25 F7 EB CE 17 62 CE 48 A0 32 2B 79 50 14 h4%....b.H.2+yP.
    0070: E0 A0 1E 69 35 66 51 D7 E0 C7 BA BF 6B E4 9A B4 ...i5fQ.....k...
    0080: 22 36 C9 D2 E9 20 4D 10 8F 82 28 CE 3C 2C 8D 3C "6... M...(.<,.<
    0090: 51 73 AA EF 30 01 8A 3C CF A8 4F 25 60 DF 59 95 Qs..0..<..O%`.Y.
    00A0: EC 12 D8 1F 40 8A 13 AD E8 D5 D9 31 8C 3E CE C5 [email protected].>..
    00B0: 78 C8 C3 BA 33 07 54 78 93 B0 3E 2F 26 C8 83 64 x...3.Tx..>/&..d
    00C0: 78 B8 67 59 A2 7E 74 97 D9 DE 5C D9 E9 CC 83 8D x.gY..t...\.....
    00D0: A3 E4 11 7C E4 03 E2 01 6C EA 11 AB 13 37 A6 7D ........l....7..
    00E0: 12 CE 21 2F 62 5D 15 A1 CB 4D 31 1A CC CE A2 9D ..!/b]...M1.....
    00F0: 3C B2 D2 6C 53 D4 5C 9B B4 D4 72 E8 03 D0 A8 4E <..lS.\...r....N
    ]

    KeyStore ks = KeyStore.getInstance("JKS");What's that for?
    ks.load(null,null);It's empty.
    X509Certificate cert1 = (X509Certificate)cf.generateCertificate(inStream);So here you have an X509Certificate in 'cert1'.
    ks.setCertificateEntry("root", cert1);So here you put it into the KeyStore.
    X509Certificate rootCert = (X509Certificate)ks.getCertificate("root"); And here you get it out again.
    Why? What's the difference between 'rootCert' and 'cert1'?

  • Certificate Chain & Trust

    I am using wls for outbound one-way SSL. There are 3 CA's in the certificate provided by the server i.e. the certificate chain looks like:
    A --> B --> C--> Server Certficiate.
    To enable trust for this server, what my understanding is that we need to only add CA - A( root CA)'s digital certificate to the trust keystore. Is this correct or atleast the default behaviour?
    We found an issue where in where we were getting certificate untursted exception even when we had root ca certificate in the keystore. The issue was fixed only when we added certificate of CA - C ( issuer of the server certificate, immediate CA of the server). This is for a default configuration of domain.
    Any pointers on what's happening in this case.
    Regards,
    Atheek

    Thanks Faisal for the replies. see the certificate from server as in the ssl debug log: I have modified CN for security reasons.
    ####<Jun 15, 2010 3:45:52 PM EST> <Debug> <SecuritySSL> <LENOVO-E42AAA1A> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1276580752366> <000000> < cert[0] =
    cert[0] = Serial number: 826247394963294245233823401431561763564
    Issuer:C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=EssentialSSL CA
    Subject:OU=Domain Control Validated, OU=Free SSL, CN=a.b.c.d
    Not Valid Before:Mon Jun 14 10:00:00 EST 2010
    Not Valid After:Mon Sep 13 09:59:59 EST 2010
    Signature Algorithm:SHA1withRSA
    I think the server is not presenting the full certificate chain , only its certificate... could this be true ?
    And from what I understood from Oracle docs on certificate validation:
    Using Certificate Lookup and Validation Providers
    WebLogic Server SSL has built-in certificate validation. Given a set of trusted CAs, this validation:
    * Verifies that the last certificate in the chain is either a trusted CA or is issued by a trusted CA.
    * Completes the certificate chain with trusted CAs.The certificate from the server will be trusted if the last certificate in the chain is trusted. In case of other server(A-->B-->Server Certificate), it might have been presenting the full certificate chain and it got validated as root CA was present in the trust keystore. I'll need to test and confirm if this is the behaviour.
    Please let know your thoughts.

  • Creating Certificate Chains

    Hi friends,
    Could any one please tell me how I could programatically create a certificate chain?
    Reading through the JDK API docs, I found that there is java.security.cert.CertificateFactory.generateCertPath() and java.security.cert.CertPathBuilder.build() to build the CertPath object.
    I would like to know -
    a. Which among the 2 methods should be used to build a certificate chain?
    b. How do I get the certificate chain into a keystore for me to use it for digital signature?
    All help is most welcome.
    Thanks all.

    There's a lot of Sun documentation besides the API...
    Key Management:
    [http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyManagement|http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyManagement]
    Signature:
    [http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#Signature|http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#Signature]
    PKI/CertPath stuff:
    [http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html|http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html]
    Those should help you out.

  • SUN Java System Web Server 7.0U1 How to install certificate chain

    I am trying to install a certificate chain using the SUN Java Web Server 7.0U1 HTTPS User interface. What I have tried so far:
    1. Created a single file using vi editor containing the four certificates in the chain by cutting an pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
    2. Go to Certificates Tab/Server Certificates
    3. Choose Install
    4. Cut and paste contents of cert_chain.pem in the certificate data box.
    5. Assign to httplistener
    6. Nickname for this chain is 'server_cert'
    7. Select httplistener and assign server_cert (for some reason, this is not automatically done after doing step 5).
    8. No errors are received.
    When I display server_cert (by clicking on it), only the first certificate of the chain is displayed and only that cert is provided to the client during the SSL handshake.
    I tried to do the same, except using the Certificate Authority Tab, since this gave the option of designating the certificate as a CA or chain during installation. When I select ed "chain," I get the same results when I review the certificate (only the first cert in the file is displayed). This tells me that entering the chain in PEM format is not acceptable. I tried this method since it worked fine with the F5 BIG-IP SSL appliance.
    My question is what format/tool do I need to use to create a certificate chain that the Web Server will accept?

    turrie wrote:
    1. Created a single file using vi editor containing the four certificates in the chain by cutting an pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pemIn my opinion (I may be wrong) cut and pasting multiple begin end
    --- BEGIN CERTIFICATE ---
    ... some data....
    --- END CERTIFICATE ---
    --- BEGIN CERTIFICATE ---
    ... some data....
    --- END CERTIFICATE ---is NOT the way to create a certificate chain.
    I have installed a certificated chain (it had 1 BEGIN CERTIFICATE and one END CERTIFICATE only and still had 2 certificates) and I used the same steps as you mentioned and it installed both the certificates.
    some links :
    [https://developer.mozilla.org/en/NSS_Certificate_Download_Specification|https://developer.mozilla.org/en/NSS_Certificate_Download_Specification]
    [https://wiki.mozilla.org/CA:Certificate_Download_Specification|https://wiki.mozilla.org/CA:Certificate_Download_Specification]

  • TMG - 0x80090325 -Certificate Chain was issued by an authority that is not trusted

    Hello,
    I am having some problems with testing a OWA (SSL) rule. I get that message.
    The TMG belongs to the domain and therefore as far as I know it gets the root certificate of my CA (I have deployed a Enterprise CA for my domain).
    That is why I don't understand the message: "...that is not trusted."
    The exact message:
    Testing https://mail.mydomain.eu/owa
    Category: Destination server certificate error
    Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted
    Thanks in advance!
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

    Thanks Keith for your reply and apologies for the delay in my answer.
    I coud not wait and I reinstalled the whole machine (W28k R2 + TMG 2010) . I suppose I am still a bad troubleshooter, I have experience setting up ISA, TMG, PKI, Active directory but to a certain extent.
    1. Yes, I saw it when hitting the button "Test Rule" in the Publising rule in the TMG machine.
    2. No, it did not work in this implementation but it has worked in others, this is not difficult to set up, until now, hehe.
    3. You said: "...If you are seeing it when running "Test Rule" then it simply means that TMG does not trust something about the certificate that is on your Exchange Server...."
    But the certificates are auto-enrolled, and when I saw the details of the certificates they all are "valid" , there is a "valid" message.
    4. You wrote: "...Easiest way see everything is create an access rule that allows traffic from the LocalHost of TMG to the CAS and open up a web browser. Does the web browser complain?..."
    But as I said, I re-installed the whole thing because nobody jumped in here , and I needed to move forward, I hope you understand.
    5. S Guna kindly proposed this:
    If you are using internal CA,
    You need to import the Root CA certificate to TMG servers.
    Import Private Key of the certificate to Server personal
    Create a Exchange publishing Rule and Point the lisitner to the Correct certificate.
    Since you are using internal CA, You need to import the Root CA certificate to all the client browers from where you are accessing OWA
    But I think I do not have to perform any of those tasks, although I am not an expert but have worked with Certificate for one year or so.
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

  • "The certificate chain was issued by an authority that is not trusted" when migrating to SQL 2012

    Environment:
    1 Primary Site (USSCCM-Site.domain.com)
    1 CAS (USSCCM-CAS.domain.com)
    SQL 2008 R2 (USSCCM-CAS.domain.com)
    SQL 2012 SP1 CU6 (USSQL12.domain.com)
    Issue:
    We were successfully able to migrate the CAS to the new SQL 2012 server, almost without incident. When attempting to migrate the Site instance however, we are getting errors. Screenshot below.
    Attached is a copy of the log. But below is a highlight of what I think are the errors… It appears that either SQL or SCCM doesn’t like a certificate somewhere, but it is contradicting because the logs say that it has successfully tested connection to SQL.
    I am lost.
    Logs stating it can connect successfully to SQL
    Machine certificate has been created successfully on server USSQL12.domain.com.        Configuration Manager Setup                10/21/2013 10:20:10
    AM               2100 (0x0834)
    Deinstalled service SMS_SERVER_BOOTSTRAP_USSCCM-Site.domain.com_SMS_SQL_SERVER on USSQL12.domain.com.  Configuration Manager Setup    10/21/2013 10:20:10 AM              
    2100 (0x0834)
    SQL Server instance [sccmsite] is already running under the certificate with thumbprint[f671be844bf39dec7e7fdd725dc30e225991f28a].       Configuration Manager Setup    10/21/2013 10:20:10 AM        
    2100 (0x0834)
    INFO: Testing SQL Server [USSQL12.domain.com] connection ...                Configuration Manager Setup    10/21/2013 10:20:10 AM      
    2100 (0x0834)
    INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Unsecure                Configuration Manager Setup    10/21/2013 10:20:10 AM              
    2100 (0x0834)
    INFO: Tested SQL Server [USSQL12.domain.com] connection successfully.  Any preceding SQL connection errors may be safely ignored.            Configuration Manager Setup    10/21/2013
    10:20:10 AM               2100 (0x0834)
    INFO: Certificate: 308202FC308201E4A003020102021011BA47041BB0609D4097BC19F5AB96B5300D06092A864886F70D01010B0500301D311B301906035504031312555353514C31322E7063756265642E636F6D3020170D3133313031373139343632345A180F32313133303932343139343632345A301D311B301906035504031312555353514C31322E7063756265642E636F6D30820122300D06092A864886F70D01010105000382010F003082010A0282010100CFAC23CEA8920051C8C24DF4E96D76D9E034931867C4DBF74F8AE863C5BDE6D1EAEAAF363F6B97DEF1D7A1FC292CB870F353D72F04472EBE3D31DCA009BD3F8C58E2AAB69C892C20598306537F5EEAA43FA6DE55D4A784CEB6FD07486AB2CC2DE1A8651648EBC31A5CD918E8ED6E184FC560B3A8B0F76F83E310BBA8C4EB27F46707E3A6377D8DD06C6808146E407EF9DB464F453798B6C1748216665884A7F2CDE03D9DA1CB4E59E67516E4F345755E35450F84F4B039642851EFFA96B22D8E77EC11C01D389989F740923B58799E34FC8F4F19CD55830FA7E786C993A08A1EEDCA87F209268CE9D5E86AC9E2A14668207721D94ACE9FACE3AA55B53507F6BF0203010001A3363034301D0603551D11041630148212555353514C31322E7063756265642E636F6D30130603551D25040C300A06082B06010505070301300D06092A864886F70D01010B05000382010100A0E33BF490B60C2B8A73BF7FA90EBB69D92DA27B439EF0569650F388EBA34B9F382CEF52DAAB543C2924E1B8DC7BEE828FB0C276330B0FF67340CBFA0CC24F47431E5272DC76C7610C290A04411036441E9822FBF8AB52B4BBE43F5FF48074BA420FF690A94D53AFCEF7AC75E2D2723520A9EF64AF06759814AE92D41CEA2F0D6CC8D9E5DEF121234F5DD97A7E886BE55F57DC0B79052A554724E8A0146C08A74AE75672FBD8C8BD6B7FCA82C1CC69906A45128CDDD1BC3985ED9603C16E712FFBAA8AA6878F853367F3E1F69E727DB96864DF6B47EBDA82659036EC82A8B04E77535CEA314D7518D02C401969C77B91C8C210C57AA991A622D679B994AEED3C               
    Configuration Manager Setup    10/21/2013 10:20:10 AM               2100 (0x0834)
    INFO: Created SQL Server machine certificate for Server [USSQL12.domain.com] successfully.    Configuration Manager Setup 10/21/2013 10:20:10 AM               2100 (0x0834)
    INFO: Configuration Manager Setup - Application Shutdown       Configuration Manager Setup    10/21/2013 10:20:10 AM         2100 (0x0834)
    INFO: Running SQL Server test query.    Configuration Manager Setup    10/21/2013 10:20:10 AM               2100 (0x0834)
    INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Secure                Configuration Manager Setup    10/21/2013 10:20:10 AM              
    2100 (0x0834)
    INFO: SQL Server Test query succeeded.              Configuration Manager Setup    10/21/2013 10:20:10 AM              
    2100 (0x0834)
    INFO: SQLInstance Name: sccmsite         Configuration Manager Setup    10/21/2013 10:20:10 AM               2100 (0x0834)
    INFO: SQL Server version detected is 11.0, 11.0.3381.0 (SP1).      Configuration Manager Setup    10/21/2013 10:20:10 AM         2100 (0x0834)
    Logs saying certificate is not trusted
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
    10/21/2013 10:20:49 AM                2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:49
    AM               2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:49 AM              
    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:49 AM              
    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:49
    AM               2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:20:52 AM              
    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
    10/21/2013 10:20:52 AM                2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:52
    AM               2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:52 AM              
    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:52 AM              
    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:52
    AM               2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:20:55 AM              
    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
    10/21/2013 10:20:55 AM                2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:55
    AM               2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:55 AM              
    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:55 AM              
    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:55
    AM               2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:20:58 AM              
    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
    10/21/2013 10:20:58 AM                2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:20:58
    AM               2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:20:58 AM              
    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:20:58 AM              
    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure         Configuration Manager Setup                10/21/2013 10:20:58
    AM               2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:21:01 AM              
    2100 (0x0834)
    More logs saying cert is not trusted
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:21:20 AM              
    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
    10/21/2013 10:21:20 AM                2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:21:20
    AM               2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:21:20 AM              
    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:21:20 AM              
    2100 (0x0834)
    INFO: Updated the site control information on the SQL Server USSQL12.domain.com.    Configuration Manager Setup                10/21/2013 10:21:39 AM              
    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted. Configuration Manager Setup    10/21/2013 10:21:39 AM              
    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.        Configuration Manager Setup   
    10/21/2013 10:21:39 AM                2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection                Configuration Manager Setup    10/21/2013 10:21:39
    AM               2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection         Configuration Manager Setup    10/21/2013 10:21:39 AM              
    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup                10/21/2013 10:21:39 AM              
    2100 (0x0834)
    CSiteSettings::WriteActualSCFToDatabase: Failed to get SQL connection                Configuration Manager Setup               
    10/21/2013 10:21:39 AM               2100 (0x0834)
    CSiteSettings::WriteActualSCFToDatabaseForNewSite: WriteActualSCFToDatabase(USA) returns 0x87D20002                Configuration Manager Setup    10/21/2013 10:21:39
    AM               2100 (0x0834)
    ERROR: Failed to insert the recovery site control image to the parent database. Configuration Manager Setup                10/21/2013 10:21:39 AM              
    2100 (0x0834)
    Troubleshooting:
    I have read on a few articles of other people having this issue that states to find the certificate on SQL 2012 that’s being used and export it to the SCCM server – which I’ve done.
    http://damianflynn.com/2012/08/22/sccm-2012-and-sql-certificates/
    http://trevorsullivan.net/2013/05/16/configmgr-2012-sp1-remote-sql-connectivity-problem/
    http://scug.be/sccm/2012/09/19/configmgr-2012-rtm-sp1-and-remote-management-points-not-healthy-when-running-configmgr-db-on-a-sql-cluster/
    -Brad

    Hi,
    How about importing certificate in the personal folder under SQL server computer account into SCCM server computer account or SCCM server service account? That certificate is for SQL Server Identification. And you could
    set the value of the ForceEncryption option to NO. (SQL Server Configuration Manager->SQL Server Network Configuration->
    Protocols for <server instance>->Properties)
    Best Regards,
    Joyce Li
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Hybrid Connection fails for Windows SQL Server 2014 - SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted

    Hello,
    I have configured BizTalk Services Hybrid Connection between Standard Azure Website and SQL Server 2014 on premise.
    Azure Management portal shows the status of Hybrid Connection as established.
    However, the website throws an error when trying to open a connection
    <
    addname="DefaultConnection"
    connectionString="Data
    Source=machine name;initial catalog=AdventureWorks2012;Uid=demouser;Password=[my password];MultipleActiveResultSets=True"
    providerName="System.Data.SqlClient"
    />
    (The same website, with the same connection string deployed on SQL Server machine works correctly).
    I tried various options with the connections sting (IP address instead of machine name, Trusted_Connection=False, Encrypt=False, etc. the result is the same
    [Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
    [SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.
    I tried various machines - on premise and a clean Azure VM with SQL Server and it results in the same error - below full stack
    The certificate chain was issued by an authority that is not trusted             
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.            
    Exception Details: System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted
    Source Error:
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.                  
    Stack Trace:
    [Win32Exception (0x80004005): The certificate chain was issued by an authority that is not trusted]
    [SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)]
    System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +5341687
    System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +546
    System.Data.SqlClient.TdsParserStateObject.SNIWritePacket(SNIHandle handle, SNIPacket packet, UInt32& sniError, Boolean canAccumulate, Boolean callerHasConnectionLock) +5348371
    System.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean canAccumulate) +91
    System.Data.SqlClient.TdsParserStateObject.WritePacket(Byte flushMode, Boolean canAccumulate) +331
    System.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec, FeatureExtension requestedFeatures, SessionData recoverySessionData) +2109
    System.Data.SqlClient.SqlInternalConnectionTds.Login(ServerInfo server, TimeoutTimer timeout, String newPassword, SecureString newSecurePassword) +347
    System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) +238
    System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) +892
    System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) +311
    System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData) +646
    System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +278
    System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +38
    System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +732
    System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +85
    System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +1057
    System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +78
    System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +196
    System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +146
    System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions) +16
    System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry) +94
    System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry) +110
    System.Data.SqlClient.SqlConnection.Open() +96
    System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +44
    [EntityException: The underlying provider failed on Open.]
    System.Data.EntityClient.EntityConnection.OpenStoreConnectionIf(Boolean openCondition, DbConnection storeConnectionToOpen, DbConnection originalConnection, String exceptionCode, String attemptedOperation, Boolean& closeStoreConnectionOnFailure) +203
    System.Data.EntityClient.EntityConnection.Open() +104
    System.Data.Objects.ObjectContext.EnsureConnection() +75
    System.Data.Objects.ObjectQuery`1.GetResults(Nullable`1 forMergeOption) +41
    System.Data.Objects.ObjectQuery`1.System.Collections.Generic.IEnumerable<T>.GetEnumerator() +36
    System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) +369
    System.Linq.Enumerable.ToList(IEnumerable`1 source) +58
    CloudShop.Services.ProductsRepository.GetProducts() +216
    CloudShop.Controllers.HomeController.Search(String SearchCriteria) +81
    CloudShop.Controllers.HomeController.Index() +1130
    lambda_method(Closure , ControllerBase , Object[] ) +62
    System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
    System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +193
    System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
    System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +28
    System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +10
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
    System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
    System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +58
    System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +225
    System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +10
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
    System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
    System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +23
    System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
    System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
    System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
    System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +39
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
    System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
    System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
    System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
    System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
    System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +31
    System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9651188
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213            
    Regards,
    Michal
    Michal Morciniec

    Same issue here, looking for more information !

  • TMG Error code 500 Certificate chain was issued by an authority that is not trusted

    Hello colleagues
    I have site https://site.domain.ru:9510/pmpsvc
    In site work: http://imgur.com/2cQ6vlF
    I publish this site through TMG 2010, but I have error:
    500 Internal Server Error. The certificate chain was issued by an authority that is not trusted (-2146893019).
    On TMG server via MMC I imported certificate to:
    http://imgur.com/eYqjrQg and reboot TMG server, but problem is not solved.
    Maybe someone solved this problem?
    Thanks.

    This is because your certificate is unable to reach CA to verify the certificate
    Ensure your TMG can reach the certificate authority
    Import Root CA certificate to Trusted Root certificate authority in CertMGR
    If you are using intermediate CA then import the intermediate CA certificate to intermediate CA in certmgr
    Thanks, but I use certificate "*.domain.ru" and another https sites without port 9510 works fine. Maybe problem with site on TMG because problem with certificate on web-server (about Certificate error) -
    http://imgur.com/2cQ6vlF ??

  • Error code 265: The certificate chain was issued by an authority that is not trusted.

    We are in the process of trying to set up a wireless network that uses NPS servers to authenticate domain users with computers that are not on our domain (BYOD).
    We are using a valid, wildcard SSL (with intermediate certificates) to authenticate via PEAP.  The certificate was issued by Godaddy.
    When trying to connect, we are getting the authentication request.
    The result of a connection attempt is no connection with an event log error code of - “265: The certificate chain was issued by an authority that is not trusted.”
    We have tried ensuring that the certificates are in the correct containers on the respective NPS servers: “Certificates\Personal\Certificates” With the intermediate certificates located: “Certificates/Intermediate Certification Authorities”
    All these attempts have proven fruitless.  Any assistance or direction would be very much appreciated.

    Hi,
    Do you import the intermediate certificate in the right account? It should be imported in the Computer Account.
    Have you imported the intermediate certificate in your client? Client need it to validate the certificate of your NPS server.
    Here is a similar thread in which Greg has explained this issue in detail.
    http://social.technet.microsoft.com/Forums/en-US/b770fcf6-d1e9-4aac-9005-62cb5ff6d485/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted?forum=winserverNAP
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Untrusted Server Certificate Chain error

    I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error :
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
    My code is :
    KeyStore ks = null;
    String strURL = "https://myserver.com/myurl/lookup.asmx";
    SSLSocketFactory sslSocketFactory = null;
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // Load certificate dynamically
    SSLContext sslContext = SSLContext.getInstance("SSLv3");
    TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
    CertificateFactory cert = CertificateFactory.getInstance("X.509");
    FileInputStream lo_fileinputstream = null;
    lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
    X509Certificate servercacert = (X509Certificate)cert.generateCertificate(lo_fileinputstream);
    lo_fileinputstream.close();
    String s1 = servercacert.getSerialNumber().toString();
    if(ks == null)
    ks = KeyStore.getInstance("JKS");
    ks.load(null, null);
    ks.setCertificateEntry(s1, servercacert);
    trustMgtFactory.init(ks);
    sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
    sslSocketFactory = sslContext.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
    // Call webservice
    URL cascadeURL = new URL(strURL);
    HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
    String inputline=null;
    if (conn instanceof HttpsURLConnection) {
    conn.connect();
    BufferedReader in = new BufferedReader(
    new InputStreamReader(
    conn.getInputStream()));
    while ((inputline = in.readLine()) != null) {
    System.out.println(inputline);
    in.close();
    Please help - I am on a very tight deadline (as usual).

    Found the problem. I simply needed to add another certificate.

Maybe you are looking for

  • Self Assigned IP Address, wher the heck did that come from?????

    Getting flipping well annoyed with this 10.4 software release! Come on Apple say something find the fix. The problem started with 10.4.4 EVERYTHING was working fine prior to installing, Wifes imac on airport, me on my G5 chatting happily away, the re

  • Aligning a layer relative to another layer with an Action

    I was wondering if there is a way to get a layer to align itself underneath another layer. Example: Layer 1 is text: NEW YORK Layer 2 is text: YANKEES NEW YORK is where I want it at the top of the design. YANKEES is way at the bottom. I click on the

  • Problem with Queues

    I have two sensors on a conveyor system that will determine if an object needs to be rejected or not. Another sensor is located 80 cm away where the object will be kicked off the conveyor belt. I was told to use queues but haven't had any luck so far

  • Trying to populate a JTable

    Hello Im having some issues populating a JTable. I know that one of the ways to populate it is using the constructor JTable(Object[][] rowData, Object[] columnNames) All the exmples I�ve seen on the net initialize the arrays this way private String[]

  • Can't click on users during startup screen

    Hi, I am unable to select user accounts by clicking them in the startup screen. But my trackpad is working fine once I am logged in by selecting the user account by pressing arrow. Please advice on this. Regards, Adarsh Sudheesan