DS 6: SSL certificate mapping with subject/issuer containing (")

Similar Messages

• SSL certificates possible with different tools

  I had the impression that the SSL certificate can be configured with Linux eg. RHEL only by following the normal procedure of installing mod_ssl package, using genkey …etc
  But, I came to know that SSL certificate can be generated with the web server like Tomcat also. Is it correct that generation of SSL certificates is not limited to Linux only?
  I hope my query is clear that if SSL certificates can be generated not only with Linux but with other tools also.
  Please revert with the reply to my query.
  Regards

  Try using Google to get information.
  Just because you happen to be a user of these forums (and also glancing at your posting history to see what sort of issues you are curious about) doesn't mean you should ask every question here at this web forum site.
  When I place one of your sentences into Google,
  "I came to know that SSL certificate can be generated with the web server like Tomcat also"
  I get more than 800,000 search results that would easily guide toward better information than waiting for someone here to teach you about a non-Oracle topic.

• SSL Certificate Mismatch with AnyConnect client

  Hello,
  We are having a problem with the AnyConnect client when connecting to our VPN.  We are running the following:
  AnyConnect v2.4.0202
  (2 each) ASA v8.2(1) -- active/standby failover
  AnyConnect Essentials Licensing
  NOTE:  We are not using certificates for authentication.
  Primary clients:  Windows XP and Windows 7
  Problem
  We have purchased an Entrust certificate for our ASA failover cluster called "vpn.company.com" and the it is attached to the outside interface on the ASA.
  Steps to Reproduce
  Install the AnyConnect (AC) client via https://vpn.company.com/.  Connection occurs here without issue.
  Once the AC client is installed and we try to use it in stand-alone mode (i.e., w/o hitting the ASA w/ a browser), a certificate mismatch occurs, and AC brings up the Windows/IE Security Alert dialog (see attachment CertError.jpg).
  The user must press Yes to bypass mismatch.
  PROBLEM:  On Windows 7, the user must have administrative privileges and run the AC client as administrator -- otherwise, they get a dialog saying "Unable to establich VPN" (see attachment Unable.jpg).
  The issue is we have a valid certificate that should be used for the connection.  However, when looking at the connections made by the AC client with Fiddler, it would appear that the AC client is trying to connect directly to the ASA's IP address, and not the name.  This is a nuisance for XP users, and a show-stopper for Win7 users as they do not have admin privileges.
  I have not been able to find any documentation on Cisco.com relating to this issue.  In short, how do I get the AC client to use "vpn.company.com" so there is no Cert mismatch?
  Thanks,
  -Matt

  Tim,
  I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again.  I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the FIddler dump.  It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
  The only other article/post I've come across on Cisco's site that comes close is here:
  Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
  which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do.  However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
  I will let you know if I find any smoking guns in the doco link you sent.  Any other thoughts appreciated.  I can't believe Cisco made the setup of the AC client this convoluted.
  Thanks!
  -Matt

• Clickable Map with button issue

  So, in Captivate 5.5 I have a map.   
  Within this map there are 8 areas and like most maps, some of the regions aren't nice polygons.
  What I have done is taken snap shots of the map, produced buttons that highlight the specific area fo each individual region and added a link to the information about that given area.  These buttons are put over the original image and look seamless.
  It looks slick but the issue is that these areas are not all perfect rectangles and so some of the areas overlap into others.  So when I have my cursor over one area, it might actually highlight another based on the button outer edge.  I'd like to either hide the non-region area of the button or come up with a way that only the highlight area of each region shows up. 
  Is there a way to do this?  I'm not overly advanced in this adobe world but I seem to be getting the majority of the way on a lot of my ideas but just need that little tip/hint to get over the hump.
  Thanks gang!

  Captivate 5x allows you to draw a freeform polygon drawing object shape that can have as many sides as you want? Once you have this shape the way you want, you could use Event Handler wIdgets to make them interactive and trigger effects or events on rollover or on click.
  Trial versions are available from the Infosemantics website.

• SSL Certificate problem with WL 5.1

  "We are still using WLServer 5.1 SP12
  I just installed a new certificate (request generated with WL, signed by our 'local' CA)
  I always get the following message:
  Do Okt 10 15:17:25 CEST 2002:<I> <WebLogicServer> Loaded License : /apps/weblogic/license/WebLogicLicense.xml
  Do Okt 10 15:17:25 CEST 2002:<I> <WebLogicServer> Server loading from weblogic.class.path. EJB redeployment enabled.
  java.lang.StringIndexOutOfBoundsException: String index out of range: 15
  at java.lang.String.charAt(String.java:506)
  at weblogic.security.ASN1.ASN1Utils.parseDateInt(ASN1Utils.java:300)
  at weblogic.security.ASN1.ASN1Utils.inputASN1Date(ASN1Utils.java:292)
  at weblogic.security.X509.input(X509.java:118)
  at weblogic.security.X509.initialize(X509.java:64)
  at weblogic.security.Certificate.<init>(Certificate.java:54)
  at weblogic.security.X509.<init>(X509.java:44)
  at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:207)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:318)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:238)
  at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1245)
  at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:879)

  hi
  Did you solved it?
  If it is may i know how you solved it
  thanks

• Jcontrol.exe not starting after creating ssl certificate

  hi,
  Iu00B4ve got a netweaver AS Java (only) 640 SP19. I tried to create a SSL certificate (Test) with visual admin and after importing "getCert" i wanted to restart the SAP-System. The problem is that jcontrol.exe has not been started and stayed grey (status: stopped).
  Hereu00B4s a part of the dev-trace:
  [Thr 3796] Thu Nov 20 16:17:36 2008
  [Thr 3796] *** ERROR => invalid return code of process [bootstrap_ID103537200] (exitcode=-2) [jstartxx.c   1465]
  [Thr 3796] JControlExecuteBootstrap: error executing bootstrap node [bootstrap_ID103537200] (rc=-2)
  [Thr 3796] JControlExecuteBootstrap: execute bootstrap process [bootstrap_ID103537250]
  [Thr 3796] INFO: Unknown property [JLaunchParameters=]
  [Thr 3796] [Node: server0 bootstrap] java home is set by profile parameter
       Java Home: D:\apps\j2sdk1.4.2_17-x64
  dev_bootstrap:
  trc file: "D:\usr\sap\CCM\JC10\work\dev_bootstrap", trc level: 1, release: "640"
  node name   : bootstrap
  pid         : 1992
  system name : CCM
  system nr.  : 10
  started at  : Thu Nov 20 16:17:32 2008
  arguments   :
      arg[00] : D:\usr\sap\CCM\JC10/j2ee/os_libs/jlaunch.exe
      arg[01] : pf=D:\usr\sap\CCM\SYS\profile\CCM_JC10_iswdmz5
      arg[02] : -DSAPINFO=CCM_10_bootstrap
      arg[03] : pf=D:\usr\sap\CCM\SYS\profile\CCM_JC10_iswdmz5
  [Thr 3736] Thu Nov 20 16:17:32 2008
  [Thr 3736] INFO: Unknown property [box.number=CCMJC10iswdmz5]
  [Thr 3736] INFO: Unknown property [ms.host=iswdmz5]
  [Thr 3736] INFO: Unknown property [ms.port=3611]
  [Thr 3736] INFO: Unknown property [system.id=10]
  JStartupReadInstanceProperties: read instance properties [D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties]
  -> ms host    : iswdmz5
  -> ms port    : 3611
  -> OS libs    : D:\usr\sap\CCM\JC10\j2ee\os_libs
  -> Admin URL  :
  -> run mode   : NORMAL
  -> run action : NONE
  -> enabled    : yes
  Used property files
  -> files [00] : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
  Instance properties
  -> ms host    : iswdmz5
  -> ms port    : 3611
  -> os libs    : D:\usr\sap\CCM\JC10\j2ee\os_libs
  -> admin URL  :
  -> run mode   : NORMAL
  -> run action : NONE
  -> enabled    : yes
  Bootstrap nodes
  -> [00] bootstrap            : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
  -> [01] bootstrap_ID10353720 : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
  -> [02] bootstrap_ID10353725 : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
  Worker nodes
  -> [00] ID103537200          : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
  -> [01] ID103537250          : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
  [Thr 3736] JLaunchRequestQueueInit: create named pipe for ipc
  [Thr 3736] JLaunchRequestQueueInit: create pipe listener thread
  [Thr 3564] JLaunchRequestFunc: Thread 3564 started as listener thread for np messages.
  [Thr 3732] WaitSyncSemThread: Thread 3732 started as semaphore monitor thread.
  [Thr 3736] NiInit2: NI already initialized; param 'maxHandles' ignored
  [Thr 3736] [Node: bootstrap] java home is set by profile parameter
       Java Home: D:\apps\j2sdk1.4.2_17-x64
  JStartupIReadSection: read node properties [bootstrap]
  -> node name       : bootstrap
  -> node type       : bootstrap
  -> node execute    : yes
  -> java path       : D:\apps\j2sdk1.4.2_17-x64
  -> java parameters : -Djco.jarm=1 -Djco.jarm=1
  -> java vm version : 1.4.2_17-b06
  -> java vm vendor  : Java HotSpot(TM) 64-Bit Server VM (Sun Microsystems Inc.)
  -> java vm type    : server
  -> java vm cpu     : amd64
  -> heap size       : 128M
  -> root path       : D:\usr\sap\CCM\JC10\j2ee\cluster
  -> class path      : .\bootstrap\launcher.jar
  -> OS libs path    : D:\usr\sap\CCM\JC10\j2ee\os_libs
  -> main class      : com.sap.engine.offline.OfflineToolStart
  -> framework class : com.sap.bc.proj.jstartup.JStartupFramework
  -> registr. class  : com.sap.bc.proj.jstartup.JStartupNatives
  -> framework path  : D:\usr\sap\CCM\JC10\j2ee\os_libs\jstartup.jar
  -> parameters      : com.sap.engine.bootstrap.Bootstrap ./bootstrap ID1035372
  -> debuggable      : yes
  -> debug mode      : no
  -> debug port      : 60000
  -> shutdown timeout: 120000
  [Thr 3704] JLaunchIStartFunc: Thread 3704 started as Java VM thread.
  JHVM_LoadJavaVM: VM Arguments of node [bootstrap]
  -> stack   : 2097152 Bytes
  -> arg[  0]: exit
  -> arg[  1]: abort
  -> arg[  2]: -Denv.class.path=d:\apps\SAPJCo\sapjco.jar
  -> arg[  3]: -Djco.jarm=1
  -> arg[  4]: -Djco.jarm=1
  -> arg[  5]: -Dsys.global.dir=D:\usr\sap\CCM\SYS\global
  -> arg[  6]: -Dapplication.home=D:\usr\sap\CCM\JC10\j2ee\os_libs
  -> arg[  7]: -Djava.class.path=D:\usr\sap\CCM\JC10\j2ee\os_libs\jstartup.jar;.\bootstrap\launcher.jar
  -> arg[  8]: -Djava.library.path=D:\apps\j2sdk1.4.2_17-x64\jre\bin\server;D:\apps\j2sdk1.4.2_17-x64\jre\bin;D:\apps\j2sdk1.4.2_17-x64\bin;D:\usr\sap\CCM\JC10\j2ee\os_libs;D:\usr\sap\Python\.;d:\sapdb\programs\bin;d:\sapdb\programs\pgm;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\CA\SharedComponents\ScanEngine;C:\Program Files\CA\SharedComponents\CAUpdate\;C:\Program Files\CA\SharedComponents\ThirdParty\;C:\Program Files\CA\SharedComponents\SubscriptionLicense\;C:\Program Files\CA\eTrustITM;D:\apps\SAPJCo;D:\apps\j2sdk1.4.2_17-x64\bin;D:\usr\sap\CCM\JC10\exe;D:\usr\sap\CCM\SYS\exe\run
  -> arg[  9]: -Dmemory.manager=128M
  -> arg[ 10]: -Xmx128M
  -> arg[ 11]: -DLoadBalanceRestricted=no
  -> arg[ 12]: -Djstartup.mode=BOOTSTRAP
  -> arg[ 13]: -Djstartup.ownProcessId=1992
  -> arg[ 14]: -Djstartup.ownHardwareId=D2128917885
  -> arg[ 15]: -Djstartup.whoami=bootstrap
  -> arg[ 16]: -Djstartup.debuggable=yes
  -> arg[ 17]: -DSAPINFO=CCM_10_bootstrap
  -> arg[ 18]: -DSAPSTARTUP=1
  -> arg[ 19]: -DSAPSYSTEM=10
  -> arg[ 20]: -DSAPSYSTEMNAME=CCM
  -> arg[ 21]: -DSAPMYNAME=iswdmz5_CCM_10
  -> arg[ 22]: -DSAPDBHOST=
  -> arg[ 23]: -Dj2ee.dbhost=iswdmz5
  [Thr 3704] JHVM_LoadJavaVM: Java VM created OK.
  JHVM_BuildArgumentList: main method arguments of node [bootstrap]
  -> arg[  0]: com.sap.engine.bootstrap.Bootstrap
  -> arg[  1]: ./bootstrap
  -> arg[  2]: ID1035372
  [Thr 3708] Thu Nov 20 16:17:34 2008
  [Thr 3708] JLaunchIExitJava: exit hook is called (rc=0)
  [Thr 3708] JLaunchCloseProgram: good bye (exitcode=0)
  and the jvm_bootstrap.out:
  Bootstrap MODE:
  <INSTANCE GLOBALS>
  determined by parameter [ID1035372].
  Missing RunningMode property - runningin NORMAL mode.
  Instance [ID1035372] will run in [NORMAL] mode, performing action [NONE]
  Discovered property [instance.en.port] with value [3211] !
  Discovered property [instance.en.host] with value [iswdmz5] !
  Synchronizing file [.\.hotspot_compiler].
  ...Synched ok!
  Synchronizing file [..\..\SDM\program\.hotspot_compiler].
  ...Synched ok!
  Synch time: 922 ms
  I hope this is enough information. Before importing the certificate from the SAP Support Portal the AS Java runned perfectly.
  regards
  Tobias Nagel

  Additional information:
  When I deactivate SSL by switching from automatic starting to manual starting in the configtool the jcontrol.exe process starts without any errors.

• A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

  We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
  Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

  cookies.squite answer is Today at 5:15 PM .
  New profile, same problem.
  We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
  Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
  (3) different virus scanners, no hard core problems.
  Suspect how I have something in Windows setup that no one else is using?

• Ssl-handshake fails with scandinavian chars in client certificate

  Hello,
  We've run into a problem with 2-way-ssl and certificates that have scandinavian
  characters in the subject. The problem cert is used as client-certificate for
  authentication and it goes like this:
  1. Client surfs with http in our site, until clicks https-link that will immediately
  start the ssl-handshake
  2. Server presents it's trusted cert-list fine
  3. PIN is being asked fine
  4. Next the request processing stops on the exception below and nothing will happen
  on the client side.
  Certs without these äöå -chars work fine, so our guess is that they cause it,
  but the certs ought to be according to specs: name-fields encoding is UTF-8 according
  to RFC 2459 from year 1999. A failing example-cert is also below.
  Would this be a problem with the certificate rather than BEA-implementation?
  Same behavior on Windows and Solaris Weblogic 8.11 as such and with SP2 (and with
  sp2 + CASE_ID_NUM: 501454 hotfix).
  Best Regards,
  Igor Styrman
  <avalable(): 20303264 : 0 + 0 = 0>
  <write ALERT offset = 0 length = 2>
  <SSLIOContextTable.removeContext(ctx): 1765100>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering JSSE
  SSLSocket>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
  6487148>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket will
  be Muxing>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
  11153746>
  <SSLFilter.isActivated: false>
  <isMuxerActivated: false>
  <SSLFilter.isActivated: false>
  <21647856 readRecord()>
  <21647856 SSL Version 2 with no padding>
  <21647856 SSL3/TLS MAC>
  <21647856 received SSL_20_RECORD>
  <HANDSHAKEMESSAGE: ClientHelloV2>
  <write HANDSHAKE offset = 0 length = 58>
  <write HANDSHAKE offset = 0 length = 1789>
  <Converting principal: OU=Class 4 Public Primary Certification Authority, O="VeriSign,
  Inc.", C=US>
  <Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
  <Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
  <Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
  Inc.", O=GTE Corporation, C=US>
  <Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri, C=FI>
  <Converting principal: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
  Inc.", C=US>
  <Converting principal: [email protected], CN=Thawte Personal
  Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
  ST=Western Cape, C=ZA>
  <Converting principal: [email protected], CN=Thawte Personal
  Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
  ST=Western Cape, C=ZA>
  <Converting principal: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
  Inc.", C=US>
  <Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
  <Converting principal: [email protected], CN=Thawte Server
  CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western
  Cape, C=ZA>
  <Converting principal: [email protected], CN=Thawte Personal
  Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
  ST=Western Cape, C=ZA>
  <Converting principal: [email protected], CN=Thawte Premium
  Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
  Town, ST=Western Cape, C=ZA>
  <Converting principal: OU=Secure Server Certification Authority, O="RSA Data Security,
  Inc.", C=US>
  <Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore,
  C=IE>
  <Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
  <Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions,
  Inc.", O=GTE Corporation, C=US>
  <Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri, C=FI>
  <Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
  O=Baltimore, C=IE>
  <Converting principal: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
  Inc.", C=US>
  <write HANDSHAKE offset = 0 length = 2409>
  <write HANDSHAKE offset = 0 length = 4>
  <SSLFilter.isActivated: false>
  <isMuxerActivated: false>
  <SSLFilter.isActivated: false>
  <21647856 readRecord()>
  <21647856 SSL3/TLS MAC>
  <21647856 received HANDSHAKE>
  <HANDSHAKEMESSAGE: Certificate>
  PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14' for queue:
  'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest failed
  java.lang.NullPointerException: Could not set value for ASN.1 string object..
  java.lang.NullPointerException: Could not set value for ASN.1 string object.
       at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
       at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeString(Unknown Source)
       at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
       at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
       at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
       at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
       at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
       at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
       at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
       at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
  Source)
       at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
  Source)
       at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
  Source)
       at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
  -----BEGIN CERTIFICATE-----
  MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
  MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
  IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
  VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
  ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
  ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
  Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
  C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
  YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
  HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
  IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
  A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
  bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
  MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
  cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
  VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
  KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
  3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
  JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
  0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
  SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
  tvrGCMOrvrb5QTxVtLNr
  -----END CERTIFICATE-----

  BMPString is another asn1 type that can be used for certificate attributes with
  non-ascii characters. The workaround is simply to use the BMPString instead of
  UTF8String for that subject name attribute in the certificate request. This off-course
  assumes that you can replace the certificate, and have control over what asn1
  type is used for the subject name attributes in the certificate request (via a
  tool options, or by generating the request yourself), so it is probably not applicable.
  Pavel.
  "Ari Räisänen" <[email protected]> wrote:
  >
  Thanks again, Pavel!
  I'm filing a support case about this. You talked about a workaround (BMPString).
  Could you be more spesific? I haven't talked about this issue with Igor
  yet.
  Regards,
  Ari
  "Pavel" <[email protected]> wrote:
  Sounds like a bug in certicom code. It should support UTF8String.
  I'd file a support case.
  You might be able to use BMPString instead as a workaround.
  Pavel.
  "Igor Styrman" <[email protected]> wrote:
  Hello,
  We've run into a problem with 2-way-ssl and certificates that have
  scandinavian
  characters in the subject. The problem cert is used as client-certificate
  for
  authentication and it goes like this:
  1. Client surfs with http in our site, until clicks https-link thatwill
  immediately
  start the ssl-handshake
  2. Server presents it's trusted cert-list fine
  3. PIN is being asked fine
  4. Next the request processing stops on the exception below and nothing
  will happen
  on the client side.
  Certs without these äöå -chars work fine, so our guess is that they
  cause it,
  but the certs ought to be according to specs: name-fields encoding
  is
  UTF-8 according
  to RFC 2459 from year 1999. A failing example-cert is also below.
  Would this be a problem with the certificate rather than BEA-implementation?
  Same behavior on Windows and Solaris Weblogic 8.11 as such and withSP2
  (and with
  sp2 + CASE_ID_NUM: 501454 hotfix).
  Best Regards,
  Igor Styrman
  <avalable(): 20303264 : 0 + 0 = 0>
  <write ALERT offset = 0 length = 2>
  <SSLIOContextTable.removeContext(ctx): 1765100>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering
  JSSE
  SSLSocket>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
  6487148>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket
  will
  be Muxing>
  PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
  11153746>
  <SSLFilter.isActivated: false>
  <isMuxerActivated: false>
  <SSLFilter.isActivated: false>
  <21647856 readRecord()>
  <21647856 SSL Version 2 with no padding>
  <21647856 SSL3/TLS MAC>
  <21647856 received SSL_20_RECORD>
  <HANDSHAKEMESSAGE: ClientHelloV2>
  <write HANDSHAKE offset = 0 length = 58>
  <write HANDSHAKE offset = 0 length = 1789>
  <Converting principal: OU=Class 4 Public Primary Certification Authority,
  O="VeriSign,
  Inc.", C=US>
  <Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
  <Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
  <Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust
  Solutions,
  Inc.", O=GTE Corporation, C=US>
  <Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri,
  C=FI>
  <Converting principal: OU=Class 1 Public Primary Certification Authority,
  O="VeriSign,
  Inc.", C=US>
  <Converting principal: [email protected], CN=Thawte
  Personal
  Basic CA, OU=Certification Services Division, O=Thawte Consulting,
  L=Cape
  Town,
  ST=Western Cape, C=ZA>
  <Converting principal: [email protected], CN=Thawte
  Personal
  Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
  L=Cape Town,
  ST=Western Cape, C=ZA>
  <Converting principal: OU=Class 3 Public Primary Certification Authority,
  O="VeriSign,
  Inc.", C=US>
  <Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
  <Converting principal: [email protected], CN=Thawte
  Server
  CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
  Town, ST=Western
  Cape, C=ZA>
  <Converting principal: [email protected], CN=Thawte
  Personal
  Premium CA, OU=Certification Services Division, O=Thawte Consulting,
  L=Cape Town,
  ST=Western Cape, C=ZA>
  <Converting principal: [email protected], CN=Thawte
  Premium
  Server CA, OU=Certification Services Division, O=Thawte Consultingcc,
  L=Cape
  Town, ST=Western Cape, C=ZA>
  <Converting principal: OU=Secure Server Certification Authority, O="RSA
  Data Security,
  Inc.", C=US>
  <Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust,O=Baltimore,
  C=IE>
  <Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
  <Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrustSolutions,
  Inc.", O=GTE Corporation, C=US>
  <Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri,
  C=FI>
  <Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
  O=Baltimore, C=IE>
  <Converting principal: OU=Class 2 Public Primary Certification Authority,
  O="VeriSign,
  Inc.", C=US>
  <write HANDSHAKE offset = 0 length = 2409>
  <write HANDSHAKE offset = 0 length = 4>
  <SSLFilter.isActivated: false>
  <isMuxerActivated: false>
  <SSLFilter.isActivated: false>
  <21647856 readRecord()>
  <21647856 SSL3/TLS MAC>
  <21647856 received HANDSHAKE>
  <HANDSHAKEMESSAGE: Certificate>
  PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14'
  for queue:
  'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest
  failed
  java.lang.NullPointerException: Could not set value for ASN.1 string
  object..
  java.lang.NullPointerException: Could not set value for ASN.1 string
  object.
       at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
       at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeString(UnknownSource)
       at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
       at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
  Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
       at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
       at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
  Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
       at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
       at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
  Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
       at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
  Source)
       at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
  Source)
       at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
       at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
       at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown
  Source)
       at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown
  Source)
       at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown
  Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
  Source)
       at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown
  Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
  Source)
       at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
  Source)
       at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
  -----BEGIN CERTIFICATE-----
  MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
  MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
  IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
  VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
  ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
  ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
  Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
  C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
  YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
  HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
  IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
  A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
  bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
  MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
  cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
  VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
  KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
  3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
  JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
  0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
  SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
  tvrGCMOrvrb5QTxVtLNr
  -----END CERTIFICATE-----

• ICal server won't work with SSL certificate

  I'm running Leopard Server 10.5.7, and have a GoDaddy SSL certificate installed on the server, which is working fine in Apache, but not for iCal server.
  In the Security Certificates section of Server Admin, the certificate shows up properly with the correct hostname, with the correct authority (i.e. not self-signed). I can use the certificate for one of my SSL websites, and it works fine, no browser errors, all works great.
  However, if I use Server Admin to enable SSL for iCal server and then select my GoDaddy certificate from the "Certificate" dropdown, the dropdown immediately changes to "Custom Configuration." So I save changes and stop/start the iCal service.
  Then I took my iCal clients (which were all working fine without SSL), and in 'Server Settings,' I changed the server address to https (instead of http), and port 8443 (instead of port 8008). But then when I refresh the calendars, iCal throws an error saying:
  "Unexpected secure name resolution error (code -9844). The server name may be incorrect."
  When I set everything back to the way it was before I started, all works fine.
  Anyone have any suggestions?

  Your problem seems similar to this thread:
  http://discussions.apple.com/thread.jspa?threadID=1992033&tstart=0
  There is some contradictory anecdotal information there, however. Tis reply in another thread:
  http://discussions.apple.com/message.jspa?messageID=6288712#6288712
  may hold some answers to your problem. There are two very enlightening articles on AFP548.com regarding certificate issues:
  http://www.afp548.com/article.php?story=20080624005724638
  http://www.afp548.com/article.php?story=20071203011158936
  That might also be of assistance. Then there's this little tidbit:
  http://www.networkjack.info/blog/2007/11/30/ssl-cert-with-subject-alternate-name /
  These may-or-may-not solve theproblem but may provide insight as to why it's happening.

• CF7 and JDK 1.4.2 - EV SSL Certificate Issue

  Let me start off by telling the group that we do not use CF for any of our applications.  We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use.  We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API.  About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy.  I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck.  Here are the details:
  EV Certificate issued by DigiCert (4096-bit).
  Customer is on CF7 and JDK 1.4.2.
  When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application.  He is using cfhttp to post his requests.  We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates.  Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
  Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
  Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
  I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
  - Dave

  Dave,
  I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
  I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
  so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
  to either CF 8 or CF 9 to get the issue quickly resolved.
  I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
  if I do find a solution, I'll definitely post it there for you.
  Cheers

• Wildcard SSL Certificates with MFE?

  Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
  We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
  Before doing anything I figured I'd try a website that used a wildcard certificate.
  When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
  My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
  If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
  Thanks.

  This is interesting question. I look forward testing this myself
  What kind of cert & website you used on your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com ? AFAIK wildcard doesn't match addresses consisting domain part only, so the latter one might not work.
  Help spreading the knowledge — If you find my answer useful, please mark your question as Solved by selecting Accept this solution from the Options menu. Thank you!

• NAC SSL certificate Issue

  I recently applied a signed certificate to both the CAM and CAS. ever since then I have been having problems with the system. In the perfigo logs on the CAM I receive a lot of messages with "Certificate chaining error" in them. My question is what is the best way to roll back the signed certificates to the self signed ones? Any other suggestions would be greatly appreciated.
  Thanks in advance.

  Hi Giles,
  Thanks for te update. The problem I am facing is:-I have 2 SSL certificates on my ACE and I have also configured 2 server farms (farm1 and farm2)each associated with ssl certificate, now the problem i am facing is when we access the farm2 serverfarm we are issued the certificate of farm1 wereas i need to be getting the certificate from the farm2.
  Thanks in advance.
  Regards
  Sum

• Importing external web service with SSL certificate security

  Hello,
  I'm trying to import an external web service (that resides in another server, independent of ours). However, right after I enter the WSDL in the import window I get the following error in the NWDS:
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target      [Error: com.sap.ide.es.core.ui.internal.wizards.fragments  Thread[ModalContext,6,main]]
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
            at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
            at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
            at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
            at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.getURLAsStream(UrlValidationRunnable.java:137)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.validate(UrlValidationRunnable.java:75)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.run(UrlValidationRunnable.java:55)
            at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
            at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
            at sun.security.validator.Validator.validate(Validator.java:218)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
            ... 15 more
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
            at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
            ... 21 more
  Has anyone ever consumed an external web service with SSL certificate security? How do you import this in your Web Dynpro project?
  Cheers!

  Hi Alain,
  I just checked on a newer NW environment (NW 7.2) and was presented an empty list as well... It seems the mapping procedure I described is deprecated since NW 7.11, and the modeled CAF application service is already exposed as a web service.
  You may want to have a look at http://help.sap.com/saphelp_nwce711/helpdata/en/43/f173947bbb025be10000000a1553f7/content.htm or http://scn.sap.com/message/7852996 for more info

• Certificate signing request with subject alternative names?

  Has anyone been successful at generating a certificate signing request for a certificate that uses subject alternative names via the Server Manager GUI? It seems to skip the entire X509 section of the CSR for me.
  Command line via openssl works but I'd like to stick with the GUI for the encryption on the certificates.

  I just checked the documentation and found that your code is incorrect. IAlternativeName::StrValue contains value for an email address, a Domain Name System (DNS) name, a URL, a registered object identifier (OID), or a user principal name (UPN). It doesn't
  contain string value for directory name (and other non-mentioned types). Instead, you need to instantiate an IX500DistinguishedName interface and initialize it from an alternative name value:
  class Program {
  static void Main(string[] args) {
  String RequestString = "Base64-encoded request");
  CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
  request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
  Console.WriteLine("Subject: {0}", request.Subject.Name);
  foreach (IX509Extension ext in request.X509Extensions) {
  if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
  CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
  string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
  extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
  foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
  switch (alternativeName.Type) {
  case AlternativeNameType.XCN_CERT_ALT_NAME_DIRECTORY_NAME:
  IX500DistinguishedName DN = new CX500DistinguishedName();
  DN.Decode(alternativeName.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
  Console.WriteLine("SAN: {0}", DN.Name);
  break;
  default:
  Console.WriteLine("SAN: {0}", alternativeName.strValue);
  break;
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Firefox does not recognize SSL Certificate issuer Entrust Certification Authority – L1K, but Entrust Certification Authority – L1C is ok?

  We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
  On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.

  Did you verify that all intermediate certificates are installed on the server?
  You can inspect the certificate chain via a site like this:
  *http://www.networking4all.com/en/support/tools/site+check/
  *https://www.ssllabs.com/ssltest/