DPS and CA-signed ssl renewals

Maybe it's documented and I'm just not getting it. I have a 6.3.1 instance of DPS that contains a CA signed cert from Thawte. This cert will expire soon. In the old days (5.2), you would just go to the console and get a new CSR and submit it to the CA. If I go to dscc, there does not appear to be a way to generate a new CSR. If I go to the certificates tab and click on 'Request CA-Signed Certificate', it requires a certificate name, so if I enter the alias of my expiring cert, it tells me that I can't use that name. And that looks like about all I can do with the GUI. So I move to dpadm. I do a dpadm request-cert <blah, blah, blah> and I get this error back:
keytool error: java.lang.Exception: Key pair not generated, alias <server-cert> already exists
So my question is, is there a documented, recommended way to do CA-signed certificate renewals using the DPS tools? Or are we expected to go to our CA and tell them to use the previous CSR for the renewal? I thought that was not recommended from a security standpoint.
I also tried using keytool directly using certreq and only specifying the alias, keystore, and the output file, but then it wants the key password for the alias, which I have no idea what that might be.
Or am I going about this wrong?
Thanks for any assistance.

Don't know how to create a new CSR (using your old key pair), but if you still have your original CSR you may hand that over (again) to your CA for signing with a new expiration date.

Similar Messages

  • DSEE7 - DPS and CA-signed SSL certificates

    I recently deployed two new DSEE7 DPS servers and last night was attempting to install CA-signed (GoDaddy) SSL certificates on them. I used dpadm to generate the required 2048-bit CSR and received my certificates. I added them to the servers using the DSCC interface and after adding them and restarting the instance the certs were not showing up. I thought perhaps the operation had failed so I tried again and saw that the alias already existed. I then noticed that the certificate was listed under the CA certificates. I deleted it from there and imported the cert using dpadm add-cert, only to have the same thing happen again.
    dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt
    # dpadm list-certs /usr/local/dps/instance
    0 certificate found.
    # dpadm list-certs -C /usr/local/dps/instance | grep dps03
    dps03.prod.domain.com     2010/01/19 11:08 2013/01/19 11:08 n         SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps03.prod.domain.com, OU=Domain Control Validated, O=dps03.prod.domain.com
    I have installed SSL certificates from GoDaddy on all my other production DS and DSEE systems (6.3.1) without issue, including their intermediate and root certificates to complete the trust chain.
    Does anyone have any insight into what the issue might be and how to correct it?

    Hi,
    Have you used the same alias in both cases? i.e.
    dpadm request-cert [options] /usr/local/dps/instance dps03.prod.domain.com
    then
    dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt

  • IPhone LDAP contacts and Self signed SSL certificates

    Hi,
    I am using OpenLDAP with a self signed SSL certificate, and I am unable to get SSL to work with LDAP contacts on the iPhone (4.x). I have tried to add a CA cert with a server certificate for the LDAP server and downloaded it to the iPhone by web; it adds the CA, but even with it, it does not want to connect to the LDAP server with SSL enabled.
    Should LDAP contacts work by adding a new CA? If yes, what is the exact procedure to do it? (maybe I used a wrong CA export format, or wrong SSL certificate encryption format ...)
    Can someone tell me how to do it?
    This is really annoying, since we have multiple iPhones in the company.
    Thanks for the help.

    Hello, found your post.  I realize it's been 6 months since you posted, but I have a solution for you since I have struggled with the same problem since 2009.
    I discovered that when the iPhone is using LDAPS, it tries to bind with LDAPv2.  After it binds, it speaks LDAPv3 like it is supposed to.  Apparently this is a somewhat common practice since OpenLDAP includes an option for it.
    You'll want to set the following option in OpenLDAP:
    dn: cn=config
    olcAllows: bind_v2
    Voilà! LDAPS works! (assuming you've correctly done all the certificate stuff).  Took some deep reading through the debug logs to figure out this problem.  Figured I'd share my answer with others.

  • Differences between SSL and Code-Signing Certificates

    Hello,
    I unsuccessfully tried to use an SSL certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned that SSL certificates and code-signing certificates are different things (after searching the web for hours). Can somebody point out some source of information about this topic? What are these differences? Can I convert my SSL certificate into a code-signing certificate?
    Things got even more confusing for me, since my first attempt with a wrongly converted SSL certificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
    Ulf

    yep, looks like it.
    keytool can be used with v3 x509 stores:
    Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation (for Solaris and for Windows).
    jarsigner needs a keystore so I would assume public and private key pair.
    you could list the keys from your store:
    C:\temp>keytool -list -keystore serverkeys.key
    Enter keystore password: storepass
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries
    client, Jul 5, 2005, trustedCertEntry,
    Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
    server, Jul 5, 2005, keyEntry,
    Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
    The server is the private key, this can be used with jarsigner (alias option).
    C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass -signedjar sTest.jar test.jar client
    jarsigner: Certificate chain not found for: client. client must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
    C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass -signedjar sTest.jar test.jar server

  • DPS and NativeLDAP clients over SSL

    We wish to use Directory Proxy Server (DPS) to load balance two Directory Server (DS) 6.3 servers.
    The DS 6.3 servers authenticate Solaris and Linux native ldap clients.
    The native ldap clients login using TLS:simple.
    Question:
    Where do we terminate SSL ? At the DPS or at each instance of DS?
    In other words is the client configured to authenticate to the DPS or the backend DS?

    The DPS is negotiating the ssl or tls with the client, and the authentication is with the DS. In the DSCC you can go to the security tab and there is a protocols/ciphers button where you can choose what you want the DPS to support. I haven't tried this myself but something to mention if you missed it. If you leave ssl on, does that cause an issue? From what I recall tls starts its connection on the non-secure port then switches to the secure port.

  • How to erase all self signed certificates and force Server to use Signed SSL

    I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I'm seeing a self-signed certificate instead.
    I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
    Can I replace those self-signed certs with the new one some how?

    Don't delete those.  However, you are on the right track.  Follow these steps to resolve.
    1:  Launch Keychain Access
    2:  Select the System Keychain
    3:  Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
    4:  In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
    5:  Press Save Changes to save.
    6:  Reboot the server or kill the servermgrd process to restart the service.
    That should resolve your issue.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

  • DSEE 6.3.1 and 2048-bit SSL certificates

    Related to my previous post, I'm standing up a new 6.3.1 proxy server and directory server instance that are being added to my existing environment. We use GoDaddy for SSL certificates and they require 2048-bit CSRs, which cannot be generated with 6.3.1 software. That being the case I generated the CSR for each host using openssl with the command:
    openssl req -new -newkey rsa:2048 -nodes -out ldp05_domain_com.csr -keyout ldp05_domain_com.key -subj "/C=us/ST=Massachusetts/L=Cambridge/O=My Corp/OU=Network Operations/CN=ldp05.domain.com"
    I then took the CSR and received a new signed 2048-bit cert from GoDaddy. I added the GoDaddy root bundle certs into my CA cert chain and then attempted to add the server cert.
    On the directory server I have the problem:
    # dsadm add-cert /usr/local/ds/domain/ ldp05.domain.com /tmp/ldp05.domain.com.crt
    Unable to find private key for this certificate.
    Failed to add the certificate.
    I get the same error when attempting to add the certificate through DSCC.
    I have a different problem with the 2048-bit certificate on the proxy server. I added the CA cert and that was fine. However, when I add the server cert, it shows up in the CA cert chain.
    # dpadm add-cert /usr/local/dps/domain/ dps05.domain.com /tmp/dps05.domain.com.crt
    # dpadm list-certs /usr/local/dps/domain/
    Alias             Valid from       Expires on       Self-signed? Issued by                          Issued to    
    defaultservercert 2011/02/25 10:08 2013/02/24 10:08 y            CN=dps05.domain.com:389 Same as issuer
    1 certificate found.
    # dpadm list-certs -C /usr/local/dps/domain/|grep dps05
    dps05.domain.com     2011/02/25 11:43 2014/02/25 11:43 n         SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps05.domain.com, OU=Domain Control Validated, O=dps05.domain.com
    Has anyone successfully added 2048-bit CA signed certificates to both DPS and DS instances? Is there a limitation on the size of a certificate that can be imported as a non CA cert in directory proxy server 6.3.1?

    Sadly after opening a case with Oracle support I was told that the hotfix wasn't built for Linux (which I'm running) and would take 1-2 weeks to complete. I have managed to solve 99% of the issue on my DPS host thus far and have only one remaining issue which is upon adding the cert.
    In order to generate the 2048-bit CSR I had to run the following:
    # cd /usr/local/dps/domain/alias
    # modutil -changepw "NSS Certificate DB" -dbdir .
    # certutil -R -s "CN=dps05.domain.com,OU=Network Operations,O=My Corp,L=City,ST=State,C=US" -o /tmp/dps05.domain.com.csr -d /usr/local/dps/domain/alias -a -g 2048
    For reference, running the dpadm command to set the cert db password didn't work.
    # dpadm stop /usr/local/dps/domain
    # dpadm get-flags /usr/local/dps/domain
    # dpadm set-flags /usr/local/dps/domain/ cert-pwd-prompt=on
    Once I had the properly sized CSR I had the cert issued and attempted to add the root certs to the CA chain and the server cert to the server certificates:
    # dpadm add-cert /usr/local/dps/domain gd-root-bundle gd_bundle.crt
    # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
    - This shows the Go Daddy root cert bundle in the CA cert chain
    # dpadm add-cert /usr/local/dps/domain dps05.domain.com dps05.domain.com.crt
    # dpadm list-certs /usr/local/dps/domain
    - Shows only the defaultservercert
    # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
    - The server cert now shows up in the CA chain.
    Does anyone have any idea how I can properly add the new cert to the server cert list so it can be used by the server?
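    The renewal question at the top of the page (can a new CSR be issued for the key pair the server already has?) and the "Unable to find private key for this certificate" / cert-filed-under-CA-certs problem in this thread both hinge on one check: does the public key in the CSR or signed certificate match the private key in the server's store? The script below is an added example, not from either thread and not using the DPS/DSEE tools: it relies on openssl only, builds a throwaway key pair and certificate as stand-ins for the server's existing ones (all file names are constructed), derives a renewal CSR from that existing key, and compares public-key fingerprints so a mismatch is caught before the CSR goes to the CA or the signed cert is imported.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires only the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the server's existing key pair and its current,
# soon-to-expire certificate (in DPS this pair lives in the instance store).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" \
  -subj "/CN=dps.example.test" >/dev/null 2>&1

# Renewal CSR that reuses the existing private key: the CA signs the same
# public key again, so the issued cert will match the key in the store.
openssl req -new -key "$WORK/server.key" -out "$WORK/renew.csr" \
  -subj "/CN=dps.example.test"

# A CSR made with a fresh key outside the store (like 'openssl req -newkey').
# A cert issued for it can never be matched to a key the server holds.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
  -out "$WORK/other.csr" -subj "/CN=dps.example.test" >/dev/null 2>&1

# Print a SHA-256 fingerprint of the SubjectPublicKeyInfo carried by a
# private key (key), certificate (crt) or request (csr).
pubkey_fp() {
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    crt) openssl x509 -in "$2" -pubkey -noout ;;
    csr) openssl req  -in "$2" -pubkey -noout ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# Exit status 0 when the two artefacts carry the same public key.
same_pubkey() {
  [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]
}

# Exit status 0 when the certificate expires within the given number of days.
expiring_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

yes_no() { if "$@"; then echo yes; else echo no; fi; }

echo "current cert expires within 60 days:  $(yes_no expiring_within "$WORK/server.crt" 60)"
echo "current cert matches stored key:      $(yes_no same_pubkey key "$WORK/server.key" crt "$WORK/server.crt")"
echo "renewal CSR matches current cert:     $(yes_no same_pubkey crt "$WORK/server.crt" csr "$WORK/renew.csr")"
echo "outside CSR matches current cert:     $(yes_no same_pubkey crt "$WORK/server.crt" csr "$WORK/other.csr")"
```

    Run the same comparison between the CA-issued file and the certificate or key already in the store before importing: a "no" on the match line explains a "private key not found" refusal without touching the instance.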

  • Accessing websites running on non-standard ports or with self-signed ssl certs?

    I've got some sites running using self-signed ssl's that also run on non-standard ports. Firefox home doesn't seem to open these pages it just sits there with the spinner loading and a blank screen...
    Anyone else noticed this?

    If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
    That's why it's generally recommended to go the route of using a well-known public CA, as they are already included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
    If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.
    In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e the ASA's identity certificate) would automatically be trusted by the client.
    In the second case, the ASA's identity certificate itself would have to be installed on the client since it (the ASA) is essentially acting as its own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate.

  • Implementing self-signed SSL on the coldfusion webserver

    We've just recently implemented a self-signed SSL on the coldfusion webserver and find that the scheduled tasks are not running.
    They don't even appear to "kick off". I'm not receiving an error or notice.
    I've attempted pulling-in the cert directly into the Coldfusion JRE folder, and running through the most common answers on the internet regarding use of the cert keytool import - no luck.

    I currently have the configuration you are talking about.  To allow an iOS device to connect do the following.
    1.  From the iOS device go to your servers homepage in safari.
    2.  Login to the profile manager using that individual's userid and password.  For some reason I have to login twice: the first time I enter the userid and password it will not authenticate; the second time it will log the user in.
    3.  Click the install button next to the "Trust profile" to install it to the iOS device.  This will make the iOS device trust the certificate from your personal server.
    4.  After that you may also install the server profile which will install your vpn and calendar etc... profiles for connecting to the services you have setup on the server onto the iOS device.
    5.  Once you accomplish this you will be able to access your services via your local lan or vpn.

  • Files encrypted and digital signed with cFolders

    Dear all,
    Currently I'm involved on a PPS project with cFolders. This project has legal requirements that consist in implementing encryption and digital signature in files which will be uploaded to cFolders. I've been searching on SAP Help, SDN and Service Marketplace about APIs to work with cFolders with encryption and digital signatures, but I didn't find related documents. It seems there is no documentation regarding such scenarios...
    Anyone has experience in cFolders with files encrypted and digital signed?
    Thanks in advance & regards,
    Ricardo.

    Hi Federico
    If I understood your solution you are signing your documents in a Webservice provided from a CA. For that you've created an RFC dest type G over ssl (https) and used the class CL_HTTP_CLIENT. So your requirement is only to sign documents, right?
    Well my scenario seems a little bit different as I've to encrypt the file and also sign it. The signature is done on the user's laptop through a smartcard (hardware device connected via USB that reads the chip of the certificate assigned to our identity card) and cannot be signed by any other entity than the user itself.
    Did you explore the PGP alternative? cFolders supports this kind of files (*.pgp). The PGP (Pretty Good Privacy) is a popular program used to encrypt and decrypt files, e-mails, etc.
    Today I installed a trial version of a PGP tool. I tested the encryption/signature with files on my desktop and it works fine. I tested a Public Key scenario where the owner publishes his PK in cFolders and the requester gets this PK in cFolders as well. The requester now can encrypt documents and upload them to cFolders with the public key provided by the owner; the owner itself has the private key to open the encrypted file (extension .pgp) after upload. But over the encrypted file the requester must sign it with his private key (another certificate) provided by a CA and here starts the second challenge...
    In cFolders after the file upload the system should get the requester's digital signature and send it to the CA for validation; only after that do we know if the requester is a trusted partner or not. To do this we are thinking to use a Webservice provided by the CA, however I don't know how to extract/get the signature in the file encrypted/signed from PGP and uploaded to cFolders.
    Do you have any idea?
    Thanks & regards,
    Ricardo.

  • IMAP Mail Setup with self-signed SSL certs

    I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
    Also, it doesn't seem possible to install SSL certs out of Safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doesn't exist in Safari Mobile. If you have the server's cert (.der) file in the web root of the server, it is possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable.

    If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
    And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

  • Exchange 2013 EAC shows "error Sorry, your request couldn't be completed. Try deleting the cookies from your browser, and then sign in again. If the problem continues, contact your helpdesk."

    Hi,
    My Exchange 2013 Hybrid environment is at CU5 level. Multiple administrators have started experiencing the error message
    "error
    Sorry, your request couldn't be completed. Try deleting the cookies from your browser, and then sign in again. If the problem continues, contact your helpdesk."
    It only started two weeks ago and did not coincide with any infrastructure changes. The message occurs when clicking anything on the EAC GUI and it eventually allows you to perform the operation but only after the message pops up a few times.
    I have tried clearing the browser cookies, history, etc. Note that using the Office 365 EAC does not yield the same messages and it only happens in IE (IE 11).
    Thanks.

    Hi,
    From your description, please make sure that the "Require SSL" is checked in IIS Manager -> Sites -> Exchange Back End -> ECP -> SSL Settings.
    What's more, ensure that EAC site is added to the “Compatibility Mode”.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • SMTP & Self-Signed SSL

    I'm having a strange problem, I can't get SMTP to work using a self-signed SSL certificate. I can get IMAP to work with the cert no problem. And I can submit non-ssl using port 587. But if I try to use SSL, using the self-signed certificate, I get an error in Mail.app saying it can't connect to the server. Any ideas about this?
    I did have to edit a few lines in master.cf to make submission on :587 work.

    You can see the two lines i uncommented halfway down this thread:
    http://discussions.apple.com/thread.jspa?threadID=1433081&tstart=0
    SSL is set to USE.
    As far as logs go, what do you want to see? SMTP logs after trying to send something via SSL?

  • Abandoning Self-Signed SSL Certificates?

    Hello,
    I'm working on remediation of some security flaws and have encountered a finding that calls out each of my domain-added workstations as having self signed SSL certificates.  I'm not an expert on the subject, but I do know the following things:
    1)  An earlier finding led to me disabling all forms of SSL on my servers and workstations
    2)  Workstations use certificates to identify themselves to other domain assets.
    Now my servers all have their own certs signed by an outside authority.  However, it would be a huge amount of work to go through the process for each and every workstation.  So my questions are these:
    1)  Can I create a NON-SSL self signed cert for these machines to use?
    2)  How do I remove these current SSL certs without having to hover over each workstation?
    Basically, what's the least effort to remove self-signed SSL certs and replace them with something more secure?
    Thanks,
    M.

    What do you mean when you say that you've disabled all forms of SSL on your servers and workstations? SSL serves to provide secure communications for all of your domain operations, so disabling SSL, in general, would likely break your entire domain. If you're using certificates on your workstations, then you're using certificate-based security (IPSec) in some manner.
    Do you have AD CS or some other certificate signing authority/PKI in your environment? If not, you would have to pay a public provider (i.e. VeriSign) to provide certificates, and I can assure you that gets very expensive.
    If you have Microsoft servers in your environment, you can install and use Certificate Services to provide an internal signing mechanism which can be managed through group policy. You can replace all of the workstation certificates with ones signed by your internal certificate authority (CA,) and those will pass muster with any auditor provided the appropriate safeguards are put into place elsewhere in your environment.
    Least effort for you would be to implement an internal CA, which admittedly isn't a low-effort endeavor, and have the CA assign individual certificates to all of your machines, users, and any other assets you need to protect. If your auditors are requiring the removal of the self-signed certificates, you might find a way to script the removal of the certificates. In my experience, however, most auditors just want IPSec to be done with certificates that terminate somewhere other than the local workstation (i.e. an internal CA).

  • E-Mail Setup fails with self-signed SSL certificat...

    Hi, one of my e-mails is with a small provider who just moved the mail server to IMAP and SSL. In Thunderbird, everything works fine; setup on my Nokia C-6 fails with an unspecific error message (and throws away the settings). I asked the provider, and it seems that the problem comes up because the Nokia e-mail application doesn't ask me if I want to accept the certificate but instead rejects it. Is there a workaround to this problem? Is there a way to set up the mail account without using the wizard? Or to take over the settings from Thunderbird? Or a way to put the certificate in the right place manually? In Opera mobile I have no trouble with self-signed SSL certificates. Thanks Cave

    Anyone around who can help? Self-signed certificates are rather common, after all. I would be grateful, cave
