DSEE 6.3.1 and 2048-bit SSL certificates

Similar Messages

• Problems using 4096 bit SSL certificate with WebLogic Apache 2.2 plug-in

  Hi,
  'm using WebLogic 9.2 MP3 and Apache HTTP Server (version 2.2) Plug-In. For security reasons, I have SSL installed on both Apache and WebLogic. So Apache must communicate with WebLogic via https.
  I get the following error when attempting to access WebLogic via Apache:
  Internet Explorer cannot display the webpage
  These are the last lines in wlproxy log:
  Fri Feb 26 14:08:59 2010 <71212672221392> INFO: SSL is configured
  Fri Feb 26 14:08:59 2010 <71212672221392> SSL Main Context not set. Calling InitSSL
  Fri Feb 26 14:08:59 2010 <71212672221331> INFO: Initializing SSL library
  I've found that the problem is caused by using a 4096 bit intermediate cert. When I include this 4096 bit cert in the file referenced by plugin parameter "TrustedCAFile", it is unable to load it. I've tested 4096 bit certs from a few different certificate authorities, and consistently see this problem, so I know the problem is not related to the specific certificate. If I use a 2048 bit intermediate certificate, everything works perfectly fine.
  Do you know if there are limitations to the certificate length that the plug-in can use?

  Yes 4096 bit Certificates are not supported by the plugin.
  You can use up to 2048 bit.
  There is a Bug which clearly mentions it.
  I dont remember the Bug Number, but an Oracle Support person will be able to tell you.
  Hope this helps.
  Faisal Khan
  Edited by: Faisal Khan on Feb 27, 2010 2:08 PM

• DSEE7 - DPS and CA-signed SSL certificates

  I recently deployed two new DSEE7 DPS servers and last night was attempting to install CA-signed (GoDaddy) SSL certificates on them. I used dpadm to generate the required 2048-bit CSR and received my certificates. I added them to the servers using the DSCC interface and after adding them and restarting the instance the certs were not showing up. I thought perhaps the operation had failed so I tried again and saw that the alias already existed. I then noticed that the certificate was listed under the CA certificates. I deleted it from there and imported the cert using dpadm add-cert, only to have the same thing happen again.
  dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt
  # dpadm list-certs /usr/local/dps/instance
  0 certificate found.
  # dpadm list-certs -C /usr/local/dps/instance | grep dps03
  dps03.prod.domain.com     2010/01/19 11:08 2013/01/19 11:08 n         SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps03.prod.domain.com, OU=Domain Control Validated, O=dps03.prod.domain.comI have installed SSL certificates from GoDaddy on all my other production DS and DSEE systems (6.3.1) without issue, including their intermediate and root certificates to complete the trust chain.
  Does anyone have any insight into what the issue might be and how to correct it?

  Hi,
  Have you used the same alias in both case ? . i.e
  dpadm request-cert [options] /usr/local/dps/instance dps03.prod.domain.com
  then
  dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt

• IPhone LDAP contacts and Self signed SSL certificates

  Hi,
  I am using OpenLDAP with self signed SSL certificate, and i am unable to get SSL work with LDAP contacts on the IPhone (4.x). I have tried to add a CA cert with a server certificate for the LDAP server and downloaded it to the IPhone by web, it adds the CA, but even with it, it does not want to connect to the LDAP server with SSL enabled.
  Does LDAP contacts should work by adding new CA ? if yes, what is the exact procedure to do it ? (maybe I used a wrong CA export format, or wrong SSL certificate encryption format ...)
  can someone tell me how to do it ?
  This is really anoying, since we have multiple iphones on the company.
  Thanks for the help.

  Hello, found your post.  I realize it's been 6 months since you posted, but I have a solution for you since I have struggled with the same problem since 2009.
  I discovered that when the iPhone is using LDAPS, it tries to bind with LDAPv2.  After it binds, it speaks LDAPv3 like it is supposed to.  Apparently this is a somewhat common practice since OpenLDAP includes an option for it.
  You'll want to set the following option in OpenLDAP:
  dn: cn=config
  olcAllows: bind_v2
  Walla! LDAPS works! (assuming you've correctly done all the certificate stuff).  Took some deep reading through the debug logs to figure out this problem.  Figured I'd share my answer with others.

• Safari and self generated ssl certificates https connections

  Hello,
  Anyone know if there is a setting I can accept or install a non-3rd party security certificate in Safari? I can get to sites using https when they are 3rd party verified, but otherwise can not. Usually you just accept or install the certificate and it doesn't prompt anymore. On Safari though it just gives this error:
  "Error: Page could not be loaded. An SSL Error has occurred and a secure connection to the server cannot be made."
  Thanks.

  1. quit from all windowed applications then launch Keychain Access
  2. remove from Keychain Access the reference to the self-signed certificate
  3. quit from Keychain Access
  4. in Safari, browse to a site that requires the self-signed certificate.
  Please describe in detail what happens from that point onwards.
  Thanks

• Web server type of standalone oc4j needed for SSL Certificate

  Hi,
  We have a standalone oc4j 10.1.3 that hosts an application whose many of its pages use https and so we need to buy SSL certificate from any of CAs like Verisign, GeoTrust, etc.. All of these CAs are asking us about the web server type that the standalone OC4J uses. I read the following statement from this url:
  http://download.oracle.com/docs/cd/B32110_01/web.1013/b28950/intro.htm#JICON100
  "communications in a standalone environment is provided through the built-in *_OC4J Web server_*, which supports HTTP and HTTPS communications natively without the use of the Oracle HTTP Server"
  On all of the SSL certificate systems of above CAs websites, they ask us to choose the web server type from a list of server types but I don't see OC4J web server listed and I am told that it is very important to make sure the web server type is correct otherwise the SSL Certificate that we buy may not be compatible with our web server type.
  So, I like to know the exact built in web server type name that goes with Standalone OC4J or one that is closest and for which SSL Certificate is compatible.
  Shown below is a list of web server types that I am asked to choose from on Verisign website.The closest to standalone oc4j according to below list is Oracle Wallet Manager but isn't this meant for Oracle Application Server (OAS) and not the standalone OC4J? we are using the java keytool to generate the CSR that we look to sign it via the verisign but again we are not sure about the web server type in the case of standalone OC4J that is not listed below. Please advice and thanks in advance to any of your responses in helping out.
  Webstar 4.x
  ApacheSSL mod_ssl
  WebLogic 6.0
  WebLogic 8.1
  Cisco
  ACS 3.2
  Covalent
  Apache ERS 2.4
  Apache ERS 3.0
  F5
  BIG-IP
  IBM
  Websphere MQ
  HTTP Server
  Lotus
  Domino 5.0
  Domino 6.0
  Domino 7.0
  Domino 8.0
  Windows NT - IIS 4.0
  Windows 2000 - IIS 5.0
  Windows 2003 - IIS 6.0
  Windows 2008 - IIS 7.0
  Exchange 2007
  iPlanet 4.x
  iPlanet 6.x
  ScreenOS
  SSL Accelerator
  Oracle Wallet Manager_
  Secure Web Server
  SSL Offloaders
  Stronghold
  Java Web Server 6.x
  Sun ONE
  AS Server w/IIS 4
  AS Server w/IIS 5
  EA Server
  Tomcat
  Zeus

  Hi Zeus,
  Type of certificate depends the method you will use to deploy the certificate on your application server.
  Please refer the links,
  http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/configssl.htm
  http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/wallets.htm#ASADM400
  http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
  Regards,
  mYth

• Install SSL certificate - OS X Server 10.8.2

  Greeting All,
  I am using OS X Server 10.8.2 with Server.app 2.2 and self-signed SSL sertificate. And I try use CA form Verisign.
  I already success create CSR and get trial SSL certificate form Verisign. But I found I can't install SSL certificate correct and made it use in Profile Manager 2. When I check Profile Manager 2 in Server.app 2.2. I only see self-signed intermediate CA.
  I check Apple on line guide and support site of Verisign but not found any latest guide of how to install it in Server.app. Any advice is welcome.
  Thanks,
  Spin

  If you purchased the SSL certificate, you have to convert the certificate to "PEM"
  https://www.sslshopper.com/ssl-converter.html

• SSL certificates not visible while RFC destination creation

  Hi all,
  I am setting up an RFC destination to connect to external server and which uses SSL certificates for its authorization.
  So i have imported the Client certificates into STRUST.
  While setting up an RFC connection of type G, in the security tab when we select the SSL security certificate radio button, will we be able to see the certificates(in the combo box) that we have imported in STRUST.
  Currently, though i have imported the Client certificates into STRUST, i am not able to see them in the SS security certificates combo box.
  Kindly help me out.
  Cheers,
  Siva Maranani.

  Well, first of all we should avoid confusion by using the term "<i>ABAP destination</i>" rather than "<i>RFC destination</i>" (although ABAP transaction SM59 still has this old title).
  When referring to an "ABAP destination of type G" we are talking of an outbound http connection to a non-ABAP server (e.g. an SAP J2EE server or any other http server).
  I'm not sure whether you are aware that in this context "<i>SSL client certificate</i>" refers to the ABAP <u>system</u> (which is the SSL client in this scenario). This is different from scenarios where "X.509 client certificate" refers to a certificate which is assigned to an individual <u>user</u> (using a web browser). <b>In the given scenarios, where two systems are the communication peers, SSL cannot be used for user authentication.</b> That fact is often misunderstood.
  By default you'll find 3 different SSL certificates (actually: PSEs) in an ABAP system (which can be used only after enabling SSL, of course - see note 510007 for instructions):
    - SSL Server
    - SSL Client (anonymous)
    - SSL Client (Default)
  Well, the "<i>SSL Client (anonymous)</i>" is actually not really a "client certificate" but used for outgoing http requests where you do not intend to send your own SSL client certificate. Since you cannot use the server's SSL client certificates for user authentication it might make sense to use "<i>SSL Client (anonymous)</i>" is most cases.
  Please notice: you have to add the server's SSL certificate (respectively the root CA certificate and potentially intermediate CA certificates) to the certificate list of the "<i>SSL Client (anonymous)</i>" PSE (using STRUST). By default, that list is empty - consequently no SSL server certificate is trusted (in contrast to a web browser which is already shipped with a long list of "trusted CAs").
  Only when the (remote) server demands SSL client certificates it might make sense to use either "<i>SSL Client (Default)</i>" or to define a new SSL client certificate (for the ABAP system that submits the https request).
  Please notice:
  SSL client certificates need to be issued by an Certification Authority (CA) in order to be accepted by the SSL server.
  In addition to importing the SSL server's certificate to the certificate list of the SSL client PSE (see above: <i>anonymous SSL client</i>) you also need to export the root CA certificate (and potentially all intermediate CA certificates) of the SSL client certificate and import it to the (remote) SSL server's keystore (kindly refer to the manuals of that server for instructions).
  Kind regards, Wolfgang
  PS: I assume that you have imported some certificates to the certificate list of a SSL client PSE. In SM59 only those SSL client PSEs are listed: "<i>SSL Client (anonymous)</i>", "<i>SSL Client (Default)</i>" and all SSL client PSEs that you might have defined in addition (using transaction STRUST => <i>Environment</i> => <i>SSL Client Identities</i>).

• Install GoDaddy SSL Certificate to Windows Server 2012 - Access Anywhere

  I would like to activate Access Anywhere on my windows server 2012 essentials. I went through the guided steps and purchased a SSL certificate from Godaddy. Godaddy doesn't offer support regarding the correct installation process of their certificates
  using iis 8 (server 2012 essentials). I noticed that Access Anywhere requires a PFX certificate and Godaddy only provided a PKCS #7 and a cer. file. Please let me know if Godaddy's certificates are compatible with windows server 2012 essentials. Without Access
  Anywhere functioning on my server, the usefulness of the server greatly decreases. Your assistance is greatly appreciated. Thanks. 

  All you need is the standard, lowest level, single domain, no email, no bells, no whistles, no UCC.  Just a simple SSL cert.  Even SBS standard which adds email to the RWA feature, only requires that, thanks to the magic of the dev. team.
  Larry Struckmeyer[SBS-MVP] If your question is answered, please mark the response as the answer so that others can benefit.

• Can I install ssl certificates in Firefox for android 4.0 tablets?

  I need to Know if I can install ssl certificates in Firefox for android 4.0 tablets?
  I did it with the laptop Firefox for windows 7 and I am using al time but I need to travel with my samsung tablet and use my ssl certificate to acces my bank account. I dont know if the android version of firefox have advance options to configure my certificate.

  Visit a website that provides the cert and then you should be prompted to install it. As of right now the feature is in Firefox Beta from the Play Store if you want a more polished version.

• Use public SSL certificate for WebAccess 8 on SLES10 Linux S

  Currently my WebAccess 8 server is running on NetWare. I want to move my WebAccess to SLES10 SP3 server and use public SSL certificate from third-party on SLES 10. I think this is just to get apache to use the public cert on SLES 10 Linux server and nothing to change on WebAccess, right?
  Thanks in advance.
  Wilson

  wilsonhandy wrote:
  > Currently my WebAccess 8 server is running on NetWare. I want to move
  > my WebAccess to SLES10 SP3 server and use public SSL certificate from
  > third-party on SLES 10. I think this is just to get apache to use the
  > public cert on SLES 10 Linux server and nothing to change on
  > WebAccess, right?
  Yeah, it's purely an Apache config. No need to do anything to
  WebAccess just to get SSL working.
  Novell Knowledge Partner
  Enhancement Requests: http://www.novell.com/rms

• Installing an SSL certificate for a CSS 11503

  I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
  I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

  Allen,
  The portion of the configuration guide related to SSL certificates and keys can be found here:
  http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
  To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
  ~Zach

• Godaddy SSL certificate installation problems - intermediate certificate not being recognized

  domain = mail.gottfried.org
  Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
  Response from:
  http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
  The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
  When I check in 0000_any_443_.conf
  I see:
  SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. cert.pem
  SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. key.pem
  SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. chain.pem
  I am assuming that the intermediate certificate should be:
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
  When I look at that certicate it is the same as
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
  When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
  It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
  Anyone have any suggestions?
  I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction wise (though the support person really tried to help). The Apple rep couldnt really help and if I really want help from them I need to talk to integration where costs start at $700....
  Anyone have an SSL provider that worked properly with 10.8  or has really good support for mountain lion server?
  Please let me know.
  Thanks!

  While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate?  That'll be the easiest.
  If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security.  Running your own certificate authority does mean you'll learn more about certificates, though.
  Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232).  I have found exiting Keychain Access to be a necessary step on various versions.  It shouldn't be, but...
  FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
  Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and to generally to sort out the various posted directions and confusions.  (I'm not particularly fond of any of the major math, err, certificate vendors, either.)

• New SSL certificate with 2048 bit shows error: (Fehlercode: sec_error_unknown_issuer)

  installed a new SSL certificate with 2048 bit encryption (as is now required by issuer of certificate). Everything is OK with IE, FF shows error: (Fehlercode: sec_error_unknown_issuer)
  == URL of affected sites ==
  https://www.dongil.at/

  I have also tried all the solutions mentioned - but no luck.
  I wrote to Geotrust support and the pointed out that I needed the intermediate certificate and provided me with this url:
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
  Please note, this intermediate certificate was *not* the same is linked to above - seems like there are 2 different intermediate certificates, depending on what type of certificate you got from Geotrust.
  Just to recap - if you got yourself a "QuickSSL, QuickSSL Premium or SSL Trial"-certificate (like me) then use this intermediate:
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
  If you got a "True BusinessID or Enterprise SSL"-certificate, you should use this:
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1423
  - Lasse

• CUMA SSL Certificate (2048 bits)

  Hi team
  I have  Sent to verisign,  a  self-signed request for a CUMA Server 7.1, but, they say that the key size is not secure  (1024 bits) and they want,  that I change the Key size to 2048bits. Can I do that? I won´t have problem with this change?
  Thanks
  Jose

  Here do we need to generate the new key pair or can we use the default Key pair .
  As you already created the default keypair with 2048 bits, you can use the default one. But it's a good practice to have separate key-pairs for different functions. So I would generate a new key-pair with a specific label like "SSL-KEYS" and use that for ASDM.
  Also for self signed certificate do we need to specify the DN attributes value ? i.e Common Name , Department , Company Name etc. etc .
  that depends on how you want to access your ASA. If you have your ASA-FQDN in DNS, then use that as the subject (CN=asa.example.com). Or you use the inside IP address of the ASA to access the ASDM.
  Also do we need to enable Act as local certificate authority and issue dynamic certificates to TLS proxy ?
  no, that's a completely different functionality.
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni