CSS11501 and intermediate certificates

Hi,
First : we have the following css :
Product Name: CSS11501S-K9 F0 SW Version: 07.50.1.03
Version: sg0750103 (07.50.1.03)
Flash (Locked): 07.50.1.03
Flash (Operational): 07.50.1.03
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
I was wondering if there is a way to provide intermediate ssl certificates on the css. We used to upload the pem cert and key and this always worked. Recently we have changed to premium ssl certs from verisign and it looks like we will need to provide the intermediate certificate on the css.
Does anybody know any reference as to how we can do this ?
Kind regards,
Ronny

Hi,
No need to look, found it on the net.
Kind regards,
Ronny

Similar Messages

Third Party Certificate, 802.1X and Intermediate Certificate

Hi Guys,
Quick question:
Have 802.1x setup with Windows Radius Server - Installed a Godaddy certificate which came with an intermediate root certificate.
I would like clients to validate the certificate to connect to the 802.1x, -
Question: Do i need to rollout the intermediate root certificate to all windows devices - laptops to validate the godaddy certificate thats presented to the wireless clients? The trusted root on the intermediate root certificate is already installed on windows
desktops.
THanks

Hi,
1. When you deploy 802.1X authenticated wired access that uses smart cards or other digital certificates for client authentication, you must deploy a private CA on your network
by using AD CS.
2. Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.
Advantages:
Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have
only a few NPS servers.
Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.
Disadvantages:
This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase
with each NPS server you deploy.
Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
The related KB：
PEAP-MS-CHAP v2-based Authenticated Wireless Access Design
http://technet.microsoft.com/zh-cn/library/dd348500(v=ws.10).aspx
EAP-TLS-based Authenticated Wired Access Design
http://technet.microsoft.com/zh-cn/library/dd378869(v=ws.10).aspx
Hope this helps.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Safari and Intermediate Certificates

HI
Per apple's safari post:
http://discussions.apple.com/thread.jspa?messageID=6321649
Safari has problems with certificate. Out of curiousity, can I import the intermdiate certificate's pem into the ace and then run a chaingroup? It didn't work for me but was wondering if It really didn't work or was I missing some other configs:
crypto chaingroup INTERMEDIATE-CERT
cert VerisignIntermediate.pem
ssl-proxy service sslproxy
chaingroup INTERMEDIATE-CERT

Also seeing this - Safari 5 / OS X 10.5.8 does not recognise Verisign Class 3 EV SSL CA (see screen grab). This is related to these software releases - the same site on Safari 5.1.6 / OS X 10.7.4 handles the same certificates just fine. Why is this CA not trusted in the first setup? - the Mac is fully patched via software update.

CSS11501 and client certificate processing

I use CSS 11501 to accelerate ssl sessions and autheticate users.
CSS gets the certificate from the client browser. The certificate DN contains for example:
"CN=info1, SERIALNUMBER=REGON: 321123321, OU=info2, O=info3, C=PL".
The CSS sends the certificate to beckend servers as:
"C=PL, O=info3, OU=info2 ADR, SN=REGON: 321123321, CN=info1".
There are two incorrect things:
1. The order of attributes in DN is reversed. This is not compliant with RCF 1779.
2. SERIALNUMBER is replaced to SN string.
How to resolve this problem ?

what's your version ?
Are you re-encrypting traffic in the backend ?
Or ar you using the header insert feature ?
What is your config ?
I do not think we touch the certificate.
We simply forward it as we receive it.
But I can verify.
Gilles.

Uploading of signed certificate Server certificate and Intermediate certifi

Hello,
We are implementing SSL for the first time on NW AS JAVA 7.0. I have received signed certificate from the CA.
It contains Web server certificate and Intermediate certificate.
I guess we import the Webserver CSR response. I not sure on what is the intermediate certificate and they say it is mandatory.
Can you please guide.
Thanks.
Siddhartha

Sorry Here,
Hope I understand this correctly.
The Comodo Positive SSL is a Web certificate. Although I ask OD to use it, it didn't.
Then Profile Manager expects a "code signing" certificate which is why all it saw was Open Directory's one.
Francois

Root and Intermediate Certifcate

I have a probleme with installing a Certificate into the ASA. I have followed the following link http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml but I keep getting a error bij installing the certificate that I received from my 3rd Party CA Vendor.
I have followed the instructions 5 times and I still get the error ERROR: Failed to parse or verify imported certificate or Certificate does not contain general purpose public key. I think that reason why I am getting this error is because of my certificate needs a root and intermerdiate certificate.
The certificate I want to install is Comodo PositiveSSL. So can anyone help me how I can solve this problem?

I have checked the certiticate on my computer after I installed the root and intermediate certificate and certificate looks perfect.
I get tehe errors after I installed the root or intermediate certificate. So the questionnis how can I install a root and intermediate ceritficate.
The certificate is based on CSR.
Sent from Cisco Technical Support iPad App
heck if you can decode it with SSL before you jump to conclusions.
Are you installing identity or SA/subCA certs? Is the cert based on a CSR or pre-genrated by CA?

Godaddy SSL certificate installation problems - intermediate certificate not being recognized

domain = mail.gottfried.org
Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
Response from:
http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
When I check in 0000_any_443_.conf
I see:
SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. cert.pem
SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. key.pem
SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. chain.pem
I am assuming that the intermediate certificate should be:
mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
When I look at that certicate it is the same as
mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
Anyone have any suggestions?
I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction wise (though the support person really tried to help). The Apple rep couldnt really help and if I really want help from them I need to talk to integration where costs start at $700....
Anyone have an SSL provider that worked properly with 10.8 or has really good support for mountain lion server?
Please let me know.
Thanks!

While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate? That'll be the easiest.
If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security. Running your own certificate authority does mean you'll learn more about certificates, though.
Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232). I have found exiting Keychain Access to be a necessary step on various versions. It shouldn't be, but...
FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and to generally to sort out the various posted directions and confusions. (I'm not particularly fond of any of the major math, err, certificate vendors, either.)

Intermediate Certificates and Yosemite Server

After several attempts at installing my server's certificate from StartSSL, which requires an intermediate certificate, I finally have everything working except opendirectory/LDAP. The slapd service simply refuses to send the intermediate certificate along with the server certificate on SSL/636 connections. It is supposed to send both.
Anyone know what I need to do to kick slapd into serving all the proper certificates in the chain like the other services (Calendar, Web Server, etc) are doing?

Been wrestling with this myself for months. Found this on serverfault:
http://serverfault.com/questions/653419/how-can-one-force-open-directory-server- to-provide-its-full-certificate-chain-to
Short Answer: slapd can't send the full chain.

Project server and exhcnage certificate or EWS url problem

We are having trouble enabling synchronization between our Project 2010 Server and our Exchange 2010 CAS server.
When we initially saw this error below,
“The root of the certificate chain is not a trusted root authority.”, we then downloaded the GoDaddy intermediates certificate that goes with the “mail.sfbcic.com” cert and    imported it as a trusted root authority
on the project server. However, we are still getting the error you see below.
You can see that we have two certificates that are valid.
Our CAS server has 2 certificates: (Both are valid certificates)
                1 – Self-Signed      HOSEXCHCAS4
                2 – Third-party (GoDaddy) certificate      mail.sfbcic.com
Our Questions:
1. In PWA, do the computer names of the cas servers need to match the third party certificate (is that what's causing the error)? Currently, we have the CAS server names listed (cas2, cas3, cas 4). The Go Daddy certificate
is for mail.ourdomain.com
2 If the answer is no, do you have any idea what we are missing?
3. Do we need to get a new third party certificate and not use the self-signed certificate?
4. Would one of the CAS servers not being active right now cause this issue?
------- Event logs ---------------------
Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:          4/18/2012 4:11:08 PM
Event ID:      8311
Task Category: Topology
Level:         Error
Keywords:
User:          DOMAIN1\svc_spfarm
Computer:      HOPROJECTSVR.sfbcic.com
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=mail.sfbcic.com, OU=Information Technology, O=Southern Farm Bureau Casualty Insurance Company, L=Ridgeland, S=MS, C=US\nIssuer Name:
SERIALNUMBER=xxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US\nThumbprint:
xxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority..
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
    <EventID>8311</EventID>
    <Version>14</Version>
    <Level>2</Level>
    <Task>13</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2012-04-18T21:11:08.362997800Z" />
    <EventRecordID>12044</EventRecordID>
    <Correlation ActivityID="{09F06ACB-9929-4F57-A7E8-9786C165ECAE}" />
    <Execution ProcessID="5424" ThreadID="1200" />
    <Channel>Application</Channel>
    <Computer>HOPROJECTSVR.sfbcic.com</Computer>
    <Security UserID="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
</System>
<EventData>
    <Data Name="string0">CN=mail.sfbcic.com, OU=Information Technology, O=Southern Farm Bureau Casualty Insurance Company, L=Ridgeland, S=MS, C=US</Data>
    <Data Name="string1">SERIALNUMBER=xxxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository,
O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US</Data>
    <Data Name="string2">xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>
    <Data Name="string3">The root of the certificate chain is not a trusted root authority.</Data>
</EventData>
</Event>
Exchange queue errors…..
ExchangeSync() failed to retrieve specified user_s      (c3d0c753-21b3-4ff1-8312-61fba2defe8e) Exchange Server url. No exception
was thrown, but EWS url came back empty.:
ExchangeSyncEWSUrlFailed (40509). Details: id='40509'
name='ExchangeSyncEWSUrlFailed' uid='42585c0c-d4b2-4dfc-9303-af128e5e3a00'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
ExchangeSyncEWSUrlFailed (40509). Details: id='40509'
name='ExchangeSyncEWSUrlFailed'       uid='5a607457-2eb4-4d53-a80e-13e538fb46ff'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
ExchangeSyncEWSUrlFailed (40509). Details: id='40509'
name='ExchangeSyncEWSUrlFailed'       uid='490d7241-a2b9-42f5-b81b-a4f3ee67c2a6'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
ExchangeSyncEWSUrlFailed (40509). Details: id='40509'
name='ExchangeSyncEWSUrlFailed'       uid='eefd753b-a3da-4a17-a278-bf12fc68e58c'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
ExchangeSyncEWSUrlFailed (40509). Details: id='40509'
name='ExchangeSyncEWSUrlFailed' uid='f525cd5e-2a57-414b-a20d-1dc2528733e9'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
ExchangeSyncEWSUrlFailed (40509). Details: id='40509'
name='ExchangeSyncEWSUrlFailed'       uid='34f74c12-a812-4a80-85a3-0ece1e426f33'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
ExchangeSync() handle ExchangeSyncStatusingMessage for      user c3d0c753-21b3-4ff1-8312-61fba2defe8e queue message caused an
exception.:
ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'
name='ExchangeSyncGeneralProcessingFailure' uid='7b7ab045-ba46-47cd-8504-23272e09dbcc'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
      Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
      exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
MessageContext mContext)'.
ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'
name='ExchangeSyncGeneralProcessingFailure'       uid='a3783e9a-2b39-4878-8099-20681a4715d3'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
      Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
      exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
MessageContext mContext)'.
ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'
name='ExchangeSyncGeneralProcessingFailure'       uid='71656d71-38d4-4acf-a26d-9f0d6f84da0b'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
      Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
      exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
MessageContext mContext)'.
ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512' name='ExchangeSyncGeneralProcessingFailure'
      uid='2454abb1-6a2b-4716-bd45-03a7edf80347'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
      Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
      exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
MessageContext mContext)'.
ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'
name='ExchangeSyncGeneralProcessingFailure'       uid='3dbd4f65-f478-47e7-aeb3-d05575be69fe'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
      Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket, MessageContext mContext)'.
ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'
name='ExchangeSyncGeneralProcessingFailure'       uid='17a05fda-8702-4e20-93d1-068bf9182cf1'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e' exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
      Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
      exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
MessageContext mContext)'.
Queue:
GeneralQueueJobFailed (26000) -
ExchangeSyncTasks.ExchangeSyncTasks. Details: id='26000' name='GeneralQueueJobFailed' uid='cfd94c57-78c0-4c1a-b343-22e36d940276' JobUID='11ff22eb-364b-4ff6-a05f-10e29407e04a' ComputerName='HOPROJECTSVR' GroupType='ExchangeSyncTasks' MessageType='ExchangeSyncTasks'
MessageId='1' Stage=''. For more details, check the ULS logs on machine
HOPROJECTSVR for entries with JobUID 11ff22eb-364b-4ff6-a05f-10e29407e04a.
Cletus51

We found the problem.
We downloaded the "Go Daddy Class 2 Certification Authority Root Certificate". Via Sharepoint 2010 Central Administration, we created a new trust relationship using the certificate we downloaded.
Cletus51

Add intermediate certificate to signed jar

Is it possible to add an intermediate certificate to a signed jar file?
The users of my applet are asked to trust the certificate showing the hint that the source is not trusted. The root certificate of my code signing certificate is included in the trusted sources.
Thanks,
Reinhard

I have already a full trusted chain consisting of the root, an intermediate certificate and my code signing certificate. The root is included in Java�s trusted roots. But if I sign my jar with my code signing certificate, Java can not build the trust chain, as it does not have the intermediate certificate. If it would be possible to include the intermediate certificate certificate it would work, but appearantly this is not possible with jarsigner.

Does root and CA certificate both are same?

Hi All,
Can anyone help us in understanding root and ca cet are same?
keytool -genkey -alias kumar-keyalg RSA -keystore keystore.jks(created keystore)
keytool -certreq -alias "kumar" -keystore keystore.jks -file domain.csr(Created CSR)
keytool -import -trustcacerts -kumar -file Thawte.crt -keystore keystore.jks
Afte this we are facing an error "Failed to establish chain from reply"
Next i m goint to do this
keytool -import -trustcacerts -alias kumar -file mytrustedcert.crt -keystore keystore.jks
Please help me why i am getting error
Please check the alias clearly( do we need to use the only same)
Regards
vasu

Hi Vasu,
You need to use same alias while creating private key in keystore(keytool -genkey), creating a certificate request(keytool -certreq) and importing the signed certificate (sent by CA) (keytool -import) to keystore.
According to you if we create a differerent alias while importing a CA and signed cer(ex: alias a for CA cert and alias b for signed cert) then which alias will be providing at host tp..?You should use alias b (signed cert alias or private key alias)
if they has given only one cert then wat we will share with trading partnes?You should share the public cert of your corresponding private key.
we submitted csr to out cert team and they has given only one cert which includes CA, is this enough or do we need to ask for other certificate also?Your cert team should provide you one signed certificate and one (or two) CA certificates. You should first import CA certs (root and intermediate CA) and then import the signed CSR.
Regards,
Anuj

Digicert Intermediate Certificate suddenly failing...

Hi all!
We have an install base of a few hundred Macs ranging from 10.7 to 10.10. Suddenly, several of the machines seem to be missing the Digicert SHA2 Secure Server CA intermediate certificate. We noticed the problem after several users reported warnings with our VPN appliance, which uses Digicert certs for ID.
Reinstalling the certificate from Digicert's site clears up the issue, but I'm trying to root cause the problem. The issue appears to happen only on 10.9.x, and seems to happen before OR after the 2015.004 security patch. The patch does not resolve the problem.
I know folks have reported similar issues with Verisign certs and the 2015.004 update.
Any ideas? I've only seen this on a very small fraction of systems, so I'm not super concerned, but it is annoying...

I have this issue also. I opened this
HT204658

Intermediate certificates not refreshed

Hi,
We have just renewed our ssl certificate with Verisign. They use an intermediate certificate so I have also updated the chain file on the server.
The problem is that whilst firefox picks up the new site cert file, it is still using a cached version on the intermediate cert (with expiry date of 25/10/2011 instead of the new 25/10/2016).
If I use a fresh firefox profile (or delete the cert8.db file) then the correct 2016 cert is picked up.. but I can't really expect site visitors to have to do this, and im worried that come the end of next year, people who have visited the site before and hence have the old intermediate cert, will start getting "this site is untrusted" messages from firefox.
Anyone else come across this / have a solution?
== URL of affected sites ==
https://www.ruralretreats.co.uk/cert-test.txt

Danian,
Examine this page, it covers the details of how to do this. The section of interest to you is the box which discussed obtaining and installing the verisign intermediate cert -
http://www.cisco.com/warp/customer/117/expired_verisign.html
Basically you have the concept correct, but the order of certs in the chain is important.
Peter

Intermediate certificates

On the CSS, how do you install intermediate certificates so client browsers can know to trust your SSL certificate? Do you combine all three certificates into one associated certificate. e.g.
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
yyy
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
zzz
-----END CERTIFICATE-----
or associate each certificate?

Danian,
Examine this page, it covers the details of how to do this. The section of interest to you is the box which discussed obtaining and installing the verisign intermediate cert -
http://www.cisco.com/warp/customer/117/expired_verisign.html
Basically you have the concept correct, but the order of certs in the chain is important.
Peter

Why are intermediate certificates needed within STRUST with SAP as SSL client?

Scenario: My company is hosting various applications on a web server. Our customers connect their SAP systems to our applications using web services. We changed one of our VeriSign web server SSL certificates a few weeks ago. This new SSL certificate was signed by a VeriSign intermediate CA which itself is signed by a new VeriSign root CA.
In the past, we only took care that our customers have the corresponding VeriSign root certificate imported into their SAP via STRUST; in our case this is the following root certificate: http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem
Now as we changed the certificate on our web server, our customers can't connect to it with their SAP systems any more. We found out that it works again, if the customers additionally import the VeriSign intermediate certificates into their SAP via STRUST; in our case the following ones: https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
This is something we don't understand for two reasons:
1.) Usually it shouldn't be necessary to have intermediate certificates on client side, only on the web server. We saved the two VeriSign intermediate certificates into one file and linked it within our Apache via the "SSLCertificateChainFile" directive. This is what we expected to be enough for all SSL clients which have the corresponding root certificate within their certificate stores.
2.) Our old certificate was signed by an (other) intermediate certificate, too and we didn't have this one on client side at our customers… it worked. Why? The only difference seems to be, that the old chain had only one intermediate certificate and the new one has two.
Anyone has an answer to these questions or an idea how to avoid uploading the intermediate certificates all the time?

Hi !
have a look at this thread may be helpful for you .
Cannot import certificate response in STRUST
Regds
Abhishek

CSS11501 and intermediate certificates

Similar Messages

Maybe you are looking for