Demostic SSL cert with no demostic WLS

Similar Messages

• Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

  We have a Certificate Authority (Version: 5.2.3790.3959) configured on  Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
  Currently i am only able to generate SSL cert with md5RSA.

  Hi,
  Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
  Therefore, you need to build a new CA to use a new algorithm.
  More information for you:
  Is it possible to change the hash algorithm when I renew the Root CA
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
  Changing public key algorithm of a CA certificate
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
  modify CA configuration after Migration
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
  Best Regards,
  Amy Wang

• Remote Desktop Services Single SSL Cert with multiple hosts

  I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployement all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are
  RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the
  exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying
  to avoid buying an expensive wildcard cert to cover all of them.

  Hi,
  Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
  the text between the ' marks.  Next paste this into the escape text box the below page:
  http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
  Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
  it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
  Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
  Thanks.
  -TP

• OIM SSL cert with AD

  I have a OIM on a cluster with two nodes running on WLS. I have a VIP URL that I connect to OIM with.
  i am going to upload the OIM cert to AD for provisioning etc and get AD cert in OIM jdk keystore.
  What I need to know is what hostname shall I use in the cert? The for VIP or hostname of a node? If its a node then I need two certs for OIM then?

  thx, I just added one cert which has the vip address and that worked fine. it stays ssl session validated successfully.
  However, when I provision a user to AD, I see Password is required while provisioning user with SSL. Do you know what this means?
  I have password in AD process form and password for admin user that will provision to AD. What am I missing?
  thx for your reply sir.

• Use of Wildcard SSL cert with DRM

  DRM needs a URL to be embedded in the protected PDF document(e.g., mysite.mycompany.com).  The SSL certificate for the URL must be from a trusted provider (e.g., Verisign).  My question is will Adobe Reader accept for DRM a wild card SSL certificate (e.g., *.mycompany.com) from a trusted provider?

  Hi,
  The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
  certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

  I utilized the idea from
  http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
  installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
  feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
  I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
  this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
  I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert.  The Reports URL, for example, is <a href="https:///Reports">https://<SQLClusterNetworkName>/Reports, and the
  cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
  What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

  I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

• Oracle SSL Cert for downloads has errors

  Not sure if this is a cause or effect?
  Owner: This web site does not supply ownership information.
  Verified by: Not specified
  I get this after clicking download link and failure of user/pass prompt.
  Edited by: user6774993 on Jan 18, 2010 9:26 PM

  I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

• IMAP Mail Setup with self-signed SSL certs

  I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
  Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

  If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
  And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

• Getting sec_error_inadequate_cert_type with Private SSL Cert

  Howdy,
  I run a Private Certificate Authority for my personal use and just to learn about SSL Certs. However, with the current build of FireFox I'm on ( 31 ) I can no longer visit sites I've secured with SSL Certs signed by this certificate authority, even though these SSL certs work just perfectly fine in Chrome and Internet Explorer. I keep getting a "sec_error_inadequate_cert_type" error. I can only assume that the certs I've been issuing are incorrect in some way, but the error is so vague and the error page doesn't specify more.
  I only discovered this when I realized some of my SSL certs had expired, and I went to re-issue them.
  One of the certs that hasn't expired yet but is experiencing problems can be found here:
  * https://forums.silicateillusion.org
  One of the Certs I've tried re-issuing, matching fields included as closely as I can to a Google SSL cert that I looked up is here:
  * https://phpmyadmin.endofevolution.com
  These certificates were generated using the application called SimpleAuthority, found here: http://simpleauthority.com/
  A Site like Networking4All.com seems to believe the Certs are valid, excepting the CA that is Self Signed: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=phpmyadmin.endofevolution.com&protocol=https
  Interestingly enough, using a different site like SSLShopper shows an error similar to FF31: http://www.sslshopper.com/ssl-checker.html#hostname=https://phpmyadmin.endofevolution.com
  The certs are running on an Apache Web server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.10
  The CA Cert is in FireFox's store as trusted.
  If needed, I can provide certs.

  ''SniperFodder [[#answer-626818|said]]''
  <blockquote>
  I however, do not. It's something specific to Firefox I seem to be having. Maybe I'm running an outdated version of Chrome? Which would be hard seeing as chrome itself says it's up to date: Version 37.0.2062.120 m
  I appreciate the link to Bug 1034124, However the SSL certificate itself IS NOT self signed. Only the CA is, which signed the SSL Cert. I guess what I mean to be asking is... Is Firefox Rejecting my SSL Cert, because my CA Is Self Signed?
  I also offer the CA Cert for download since no one would have the cert in their stores. Would this also affect it?
  I've attached a screen shot of the error I'm getting so that it's available for the ticket. The following is also the "plaintext" verison of the error I'm getting:
  "Certificate type not approved for application."
  </blockquote>

• ACE: Single SSL Cert for two domains with same VIP

  At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
  policy-map multi-match popvip_01
  class POP_VIP01
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or popPMT1
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  class POP3_VIP02
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or POPPMT2
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP3_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  however,
  if I can get one single certificate to process both pop and pop3 domains, that use the same VIP/port, and if this will work with ACE, i'm inclined to design using this alternative.
  ie,
  pop.mydomain.com = 10.10.10.1 995
  pop3.mydomain.com = 10.10.10.1 995
  Any suggestions would be appriciated.

  Hello,
  In order to achieve this then you will need to order a wildcard certifictae ie
  *.mydomain.com
  These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
  Regards

• Http Analyzer connecting to server with self-signed SSL cert

  When making webservice calls using Axis 1.3 to our development site that uses a self-signed SSL cert I am getting the following error when running the Http Analyzer:
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  Works fine if I turn off proxy in run configuration for project or when used against a site with a purchased cert. I assume the problem is with Http Analyzer not being able to find the server cert in a local keystore, is there a way to import the cert so that I can run Http Analyzer against the site?
  Tried adding server cert to <jdkhome>/jre/lib/security/cacerts keystore but still have the problem.
  Am using JDeveloper 10.1.3.
  Thanks,
  John

  I fixed that by getting certs from: https://www.startssl.com/?app=1.
  The certs are free and work fine.
  Since Iphone 4 apple does not accept unknown CA Authorities.

• How to setup SSL cert for SharePoint apps in a three tier farm with nlb

  I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration

  Please check the below thread..
  https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
  Don't forget to mark it as an Answer if it resolves your issue and Vote Me as helpful if it useful.
  Mahesh

• NAC with EV SSL certs

  Does anyone know if the NAC appliance supports EV SSL certs; especially version v4.7.x.
  Any insight into older versions (4.1.3 and higher) for compatibility would be appreciated. Thanks!
  ben

  Hello! The higher key length is a problem on an older version (4.1.3), not 4.7.x; etc where you can specify it. 4.1.3 you cannot specify it and it's not strong enough.
  Ben

• FTP with SSL cert on ACNS via WCCP

  I have a client using an SSL cert to connect to an ftp server. The user is being redirected to a CE-511 via WCCP v2 but the FTP connection does not work. If I bypass the user (in my wccp acl) it works fine - following a default route to my PIX.
  Any info, good or bad will be greatly appreciated.
  - Matt

  What is the software version running on the CE-511. Did you try upgrading to the latest version of the firmware. This should solve the issue.

• Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

  Coldfusion 11
  Windows Server 2012 R2
  Both the Coldfusion admin and additonal site work fine on HTTP.
  As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
  Coldfusion 11 - Web Sockets via SSL
  The Coldfusion-error.log shows
  Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
  Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
  Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
  If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
  Any assistance welcome - I can't allow this site to made publicly available with using SSL.
  SM

  @Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release.  And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
  If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
  First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
  Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
  You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
  Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
  Finally, when you say that if you “comment out the SSL sections  it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
  To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
  /charlie