E90 importing self-signed certificate nightmares
Hi!
I want to import a self-signed certificate on a customer's E90.
I've copied the correctly exported certificate to the phone, but the E90 file manager always says "File format not supported".
I've tried with .cer, converted to .der with the following page: http://www.redelijkheid.com/symcaimport/
I've been through all suggestions and step guides found on the internet. Customer support does not have a clue what I'm talking about.
I'm looking for anybody who has successfully imported any kind of certificate into this model's certificate store, or anybody who can simply answer this question: what type of certificates does this model support?
Thanks for your answers,
Toni
I'm using a self-signed certificate from SBS. Right now it's not the question, if something is misconfigured within my certificate (I'm aware of SBS certificate problems), the problem is that E90 WILL NOT recognize .cer or .der files as certificates.
There must be someone who can answer this really simple question: which certificate formats are supported on E90?
You will find this type of question posted many times on different forums, with different suggestions, but they simply don't work.
Again my error is "file format not supported"
Similar Messages
-
Importing self-signed certificate
Hi there!
I have some problems in importing SSL certificates on my macbook.
There are 2 certificates that need to be imported: the root CA certificate, which is self-signed naturally, and the private user certificate, which is signed by the above-mentioned CA.
The first file is in .crt format and consists of the CA public key and signature. The second file is in .p12 format and consists of the encrypted public and private keys.
The problem is:
I can import neither the CA nor my personal certificate.
The CA cert should be imported at the "CA" tab in Keychain, but the import button ("+") is inaccessible here:
http://img.200133883.info/big//%D0%A1%D0%B2%D1%8F%D0%B7%D0%BA%D0%B0_%D0%BA%D0%BB %D1%8E%D1%87%D0%B5%D0%B9-20120313-143521.png
When I tried to double-click CA.crt I got import error # -67762, which says that the attribute "key length" was invalid. The same thing happens with my personal certificate.
Could somebody explain to me how I should import those two SSL certificates?
-
Need to import self-signed certificate?
I'm in the process of migrating an applet to 1.3.1_03. The latest problem I've run into is the change in security between 1.2.2 and some version of 1.3, in that, apparently, I have to import a self-signed certificate into cacerts for our intranet applet to work.
Is this still true for 1.3.1_03? If so, is there an easy way to do this from the client perspective (e.g. some batch file that can be run to handle this)? I've seen quite a few other posts surrounding this topic, but it's difficult to keep track of what's current.
Does 1.4 remove this issue (just curious... we're not planning to go to 1.4)?
Thanks,
Van Williams
What I've done is to import the certificate into a keystore on the web server. I also have the policy file (also on the web server) pointing to this keystore. This works fine, as long as either one of the following is true:
1) the java.security file on the client has a policy.url entry that points to the policy file on the web server
2) The runtime parameters for the plug-in specify the policy file on the web server (e.g. -Djava.security.manager -Djava.security.policy={location of policy file on web server})
I'm trying to figure out a way to not have an automated procedure change the java.security file on the client (though I'll use this approach if needed). I also don't want to change the runtime parms on the plug-in (will affect other applets). If there is a way to specify this in the HTML for my applet, that would be perfect. Any ideas (will be posting this as a separate thread).
Thanks,
Van Williams
-
Safari on Windows could not accept self-signed certificate
Hi, I am using Safari 5.0.4 on Windows 7 and I am trying to access an https site with a self-signed certificate (internal developing site).
After I install the certificate to the Windows certificate store (I tried both the Personal store and Trusted Root Certification), when I try to browse the site, Safari asks me to choose a certificate; after I choose it, after a long hang time, Safari displays "Safari can't open the page".
My questions are:
1. Has anyone configured Safari on Windows to accept a self-signed certificate successfully?
2. I see some other posts saying "Safari on Windows has bug to use the self-signed certificate"; is there any official document or link saying this, if this is true?
Microsoft Windows web browser support questions? Try one or more of these resources:
http://technet.microsoft.com/en-us/library/cc747495(WS.10).aspx
http://www.leonmeijer.nl/archive/2008/08/01/123.aspx
http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-ie8-to-accept-a-self-signed-certificate
That was from tossing the /internet explorer import self-signed certificate/ query at Google, and some poking around. StackOverflow and Microsoft Technet and the Microsoft KBs have more details on Microsoft platforms and products and permutations, too.
The usual best fix with this stuff is to create your own certificate authority (CA) root certificate and to configure that within your chosen platforms and browsers, but I do not know (off-hand) how to do that on Microsoft Windows boxes. Google or some KB probably has details of loading your own root cert. This approach means loading one cert, and the rest of what you create that's signed from that cert will now automatically be trusted. Basically you become your own CA provider, load your root cert into each of your clients, and then issue your own certs chained from your own root cert, and Bob's Your Uncle.
-
How to import the self-signed certificate in runtime
Hi.
I am working on connecting a JSSE client to an OpenSSL server with a self-signed certificate.
But I get an SSLSocketException during the handshake.
Many solutions are posted on this page.
But they all use keytool.
My application connects to many sites that use self-signed certificates.
So I want to import the certificate at run time.
How can I do that?
Please answer me.
Thanks,
Did you figure this out? I need to know how to accept a self-signed certificate, otherwise it's this exception...
D:\javatools\apis\jsse1.0.2\samples\urls>java -cp jcert.jar;jnet.jar;jsse.jar;. URLReader
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:61)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:798)
at URLReader.main(URLReader.java:46)
-
Nokia X - import self signed server certificate
Does someone know how to import a self-signed server certificate? No CA root certificate, only a server!
I connect from all my devices to a Baikal server for calendars and addresses. For this machine I generated a self-signed server certificate. I am working with all devices without problems after I imported the certificate to them (iPhone, iPad, iMac, Win7, Srv2k8, Linux,...). Only the Nokia X doesn't want to accept it.
I store the cert in DER format with the name ending in .cer on the memory card, choose the import, the cert is found and I have to name it, but then it will not import it??? And the CAdroid is not working?!
Does someone know how to do this right? Thanks.
Hi, anoymo. You may install the self-signed certificate by downloading it using the phone's browser. The file format should be DER encoded binary (X.509). Or you can create an HTML file using the notepad. Just copy this code (<HTML><BODY><a href="FileName.cer">Install certificate</a></BODY></HTML>) excluding the parentheses to the notepad and save it as .html. Create a zip file for the certificate and the HTML file, copy it to the phone, then open the .html file; it should prompt you to install the certificate. Directly importing it to the phone is not possible.
-
How to successfully import ASA self-signed certificate?
On ASA 9.1 I am trying to export an identity certificate (a self-signed certificate) into a p12 file so I can import it into a laptop and use it for a secure connection to the ASA over ASDM. I can add the certificate OK using ASDM, and the certificate shows up OK in Certificate management/Identity certificate. I exported the certificate into a .p12 file with a passphrase OK.
In Win XP and Windows 7, every time I try to import the certificate I get a message that the password is incorrect. Yes, I did type the correct password.
Even thru cli i got the same error when trying to import the file.
ASA(config)# crypto ca export ASDM_TRUSTPOINT pkcs12 password
Exported pkcs12 follows:
-----BEGIN PKCS12-----
-----END PKCS12-----
Any tips or tricks how to get this simple task completed? Is maybe file format not right?
Hi
Please show the error ASA is reporting during import.
It's working correctly with 9.1(0)2, example:
ASA9(config)# crypto ca trustpoint TP
ASA9(config-ca-trustpoint)# enrollment self
ASA9(config)# crypto ca enroll TP
WARNING: Trustpoint TP has already enrolled and has
a device cert issued to it.
If you successfully re-enroll this trustpoint,
the existing certificate will be replaced.
Do you want to continue with re-enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: ASA9
% Include the device serial number in the subject name? [yes/no]: yes
Generate Self-Signed Certificate? [yes/no]: yes
ASA9(config)#
ASA9(config)# crypto ca export TP pkcs12 123456
Exported pkcs12 follows:
-----BEGIN PKCS12-----
-----END PKCS12-----
ASA9(config)#
ASA9(config)#
ASA9(config)# no crypto ca trustpoint TP
WARNING: Removing an enrolled trustpoint will destroy all
certificates received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
ASA9(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device digital certificates issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
ASA9(config)# crypto ca trustpoint TP2
ASA9(config)# crypto ca import TP2 pkcs12 123456
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
quit
INFO: Import PKCS12 operation completed successfully
ASA9(config)#
ASA9(config)# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 6e85f150
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=ASA9+serialNumber=123456789AB
Subject Name:
hostname=ASA9+serialNumber=123456789AB
Validity Date:
start date: 15:52:01 UTC Jan 12 2013
end date: 15:52:01 UTC Jan 10 2023
Associated Trustpoints: TP2
You might want to enable debugs: "debug crypto ca 255".
Be careful when typing the password - watch out for a trailing space!
Michal
-
SCCM 2012 has been successfully installed on the server:
SRVSCCM.
The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
Cluster nodes: SQL01 and SQL01. The necessary security setup for SCCM was done on all nodes. No errors or warnings in SCCM Monitoring.
The cluster service is running under the account: sqlclusteruser
The account has the appropriate SPNs registered:
setspn -L domain\sqlclusteruser
Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
MSSQLSvc/CLS-SQL4
MSSQLSvc/CLS-SQL4.domain.local
MSSQLSvc/CLS-SQL4:11434
MSSQLSvc/CLS-SQL4.domain.local:11434
After some time, new folders with files inside started appearing on the cluster hosts every day:
srvboot.exe
srvboot.ini
srvboot.log
srvboot.log contains the following information:
SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
Copyright (C) 2011 Microsoft Corp.
Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
Failed to retrieve SQL Server service account.
Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
Disconnecting from Site Server.
SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.
The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
Without a successful bootstrap the site server backup is not able to run successfully.
Try granting everyone the read permission on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
This worked for me.
After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"
-
Steps to create your own self signed certificate with java plugin working
You need two tools that come with your JDK, which are keytool and jarsigner.
The steps are explained below in detail. Don't use Netscape signtool, it will NEVER work!
* keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
cn = Certificate name
o = organisation
ou = organisation unit
c = country (first two letters)
If you don't put the -dname, you can fill it in line by line.
The -keypass has to be verified at the end, and you have to wait for it to create the RSA signing keys.
On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if logged in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for the .keystore file. When you update it, check for the timestamp change and you know if you are at the right spot.
You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
The .keystore contains a list of alias so you don't have to do this process again and again.
Another tip: if you want your certificate encryption validity to be more than the default one month, simply add the -validity <valDays>, after the -genkey option, to make your certificate usage for encryption last much longer.
Note: You MUST use the -keyalg rsa because for starters the RSA encryption algorithm is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorithm when signing applets, else you will get all sorts of weird errors :)
Do not use signtool because that's a browser-dependent solution!! Java plugin is supposed to work via running its own JRE instead of the browser JVM. So if you are going to use Netscape signtool, it starts to become a mess! i.e. the certificate will install, but the applet won't start and will give you funny security exception errors :)
* keytool -export -alias tstkey -file MyTestCert.crt
It will read the alias information in the .keystore, picking up the RSA private/public keys info, and create your self-signed certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
* Put your classes in your jar file, my example is tst.jar.
* jarsigner tst.jar tstkey
Sign your testing jar file with your alias key that supports the RSA encryption algorithm.
* jarsigner -verify -verbose -certs tst.jar
Check that it's been verified.
The last step is the most tricky one. It's to do with having your own CA (Certified Authority) so you don't have to fork out money straight away to buy a Verisign or Thawte certificate. The CA listing as you see in Netscape browsers under security/signers is NOT where the plugin looks. The plugin looks at a file called CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time it uses your JavaSoft folder, and it's the cacerts file there that has to be updated when you add your own CA, because that's where the plugin looks, NOT THE BROWSER. Everything about the plugin is never to do with the browser!! :)
* keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
Of course point to your own cacerts file destination.
Password to change it, is "changeit"
Before you do this step make a copy of it in its own directory in case you do something silly.
This example will add a CA with alias of my key called "tstkey" and store to my example destination.
* keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
List to see if another CA is added with your alias key.
Your html, using Netscape embed and Internet Explorer object tags to point to the Java plugin, your own self-signed applet certificate should work
Cheers
Abraham Khalil
I followed Signed Applet in Plugin, and it's working on my computer. Thanks
But when I open my applet from another computer on the network, why does it not work ..?
How to make this applet work on another computer without changing the policy file ..?
thanks in advance,
Anom
You must install the certificate on that computer's plugin. Can this be done from the web? Can anyone suggest a batch file or otherwise that could do this for end users?
I want a way for end users to accept my cert as Root or at least trust my cert so I don't have to buy one. I am not worried about my users refusing to accept my cert. just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.
-
ASA self-signed certificate for Anyconnect 3.1, which attributes?
Hi everybody,
I can't find the detailed information which attributes are exactly needed for the Anyconnect 3.1 client to correctly identify the VPN server -ASA 8.4(4)1
I have added two servers in the client connection profile:
IP address, primary protocol IPsec
IP address/non-default port number, primary protocol SSL
Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
Connecting via SSL issues an additional warning "Certificate does not match the server name".
The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by the Anyconnect 3.1, where can I find a detailed description, which attributes are required for Anyconnect SSL sessions? I'm convinced the identity (DN cn) is OK.
Shamelessly bumping this question,
Anyone out there (maybe from Cisco) who can tell us which attributes are required on a self signed certificate?
I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server.
-
Error when using sapgenpse import_own_cert to import a signed certificate
We have installed a WebDispatcher and want to use SSL and executed the following steps:
1. Generate Self-Signed Certificate and CSR by:
sapgenpse get_pse -p SAPSSLS.pse -r SAPSSL.req "CN=emsd3c.cs-apps.carestreamhealth.com, OU=IT, O=Carestream Health, C=US"
2. Use the service.sap.com/trust SSL Test Server Certificate service to sign the CSR, which looks like
The certificate signed by SAP looks like this, and I have created a file called d3c_test.cer to contain it:
3. Execute the following command to import SAP's response (d3c_test.cer)
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Receive the following error:
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Please enter PIN: ****
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
Any help will be appreciated.
Thanks
Rivers
Hi Sri Garimella,
As you have mentioned above to download the root certificate also and give the command as
sapgenpse -import_own_cert -c d3c-test.cer -p SAPSSLS.pse -r <RootCA_cert_file>.
Could you please help me with where I can get the RootCA_cert_file?
In service market place I am unable to find RootCA_cert_file.
Could you please elaborate on the issue?
Regards
Hari
-
Problem with placing self-signed certificate in trust store on WLS 10.3
I have had some problems setting up two-way SSL on WLS 10.3.2.
1. I have not been able to use the java properties listed on
http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
-Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
-DUseSunHttpHandler=true
-Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
CA cert not marked with critical BasicConstraint indicating it is a CA
Certificate chain is invalid
which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
Has anyone else noticed this?
3. The error I get is
####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during handshake, stack trace follows
java.lang.NullPointerException
at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
alert with type 40?
4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
-dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
-storepass mypass -keypass mypass
** exported a DER format head certificate of mykey into mykey.cer.der
** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
Any comments appreciated and thanks for this forum.
Faisal,
Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive. The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is quite impressive, thank you so much for this!
-
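A pre-flight check for the trust keystore from this thread, as an added example that is not from the original posts or from WebLogic: it flags entries whose validity dates fall outside the 1970 to 2105 range quoted in the reply, and self-signed entries without a critical BasicConstraints CA extension (the ValidateCertChain message in point 2). The class name, the command-line arguments and the comparison by whole calendar year are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.TimeZone;

// Added example (hypothetical class name): audit a JKS trust store before
// handing it to the server.
public class TrustStoreAudit {
    // Range quoted in the reply above; comparing whole calendar years is an assumption.
    static final int MIN_YEAR = 1970;
    static final int MAX_YEAR = 2105;
    // OID of the X.509 BasicConstraints extension.
    static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";

    static int utcYear(Date d) {
        Calendar c = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        c.setTime(d);
        return c.get(Calendar.YEAR);
    }

    // Return a human-readable finding for each check the certificate fails.
    static List<String> findings(X509Certificate cert) {
        List<String> out = new ArrayList<>();
        if (utcYear(cert.getNotBefore()) < MIN_YEAR) {
            out.add("notBefore " + cert.getNotBefore() + " is earlier than " + MIN_YEAR);
        }
        if (utcYear(cert.getNotAfter()) > MAX_YEAR) {
            out.add("notAfter " + cert.getNotAfter() + " is later than " + MAX_YEAR);
        }
        // Subject equal to issuer is treated here as "self-signed trust anchor".
        boolean selfSigned =
                cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        if (selfSigned) {
            Set<String> critical = cert.getCriticalExtensionOIDs();
            if (cert.getBasicConstraints() < 0) {
                // -1 means the extension is absent or does not mark the subject as a CA.
                out.add("no BasicConstraints extension with the CA flag set");
            } else if (critical == null || !critical.contains(BASIC_CONSTRAINTS_OID)) {
                out.add("BasicConstraints is present but not marked critical");
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustStoreAudit <keystore.jks> [storepass]");
            System.exit(2);
        }
        // A null password loads a JKS store without verifying its integrity.
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        int problems = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            for (String finding : findings((X509Certificate) c)) {
                System.out.println(alias + ": " + finding);
                problems++;
            }
        }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

keytool's -validity counts days from the generation date, and 35600 days is roughly 97.5 years, which is how the certificate in this thread ended up expiring in 2108.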
Can you use a self signed certificate on an external Edge Server interface?
Hi,
I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and intermediate have been checked for validity).
At first, when logging in from the Lync 2013 client on the external user's machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event Viewer (in the application or system logs). However, I receive the following error from the Lync client, "We're having trouble connecting to the server... blah, blah".
Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem to.
I can tell if the certificate is my problem or something else. Any ideas on how to troubleshoot this?
Thx
Drago,
Thanks for all your help. I got it working.
My problem with the Lync client error, "We're having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
Let me update everyone about self-signed certificates:
YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and intermediate have been checked for validity).
Here are my notes:
Create/enable your own external Certificate Authority (CA) running on a server with internet access.
On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
You should have already completed: Step1 and Step 2.
Run or Run Again "Step 3: Request, Install or Assign Certificates".
Install the "Edge internal" certificate.
Click "Request" button to run the "Certificate Request" wizard.
You can use the "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
Once the certificate has been created, use "Import Certificate" to import it.
Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request...
In the Lync deployment wizard - Certificate Wizard, "Assign" the newly imported "edge internal" certificate.
Install the "Edge External" certificate (public Internet).
Click the "Request" button to run the "Certificate Request" wizard.
Press "next"
Select "Prepare the request now, but send it later (offline certificate request)".
Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
Fill in the organization info.
Fill in the Geographical Information.
The wizard should automatically fill in the "Subject name:" and "subject alternative name:" fields.
Select your "Configured SIP domains"
"Configure Additional Subject Alternative Names" if you want. Otherwise, next.
Verify the "certificate Request Summary". Click next.
Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
For the "External Edge certificate (public Internet), click "Assign".
The "Certificate Assignment" wizard will run.
Click next.
From the list, select your cert "EXTERNAL-EDGE".
Finish the wizard to "complete".
You are finished on the server.
Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
Browse
Select "Trusted Root Certification Authorities"
Finish the wizard. -
SSL (Self Signed Certificate) in Business Connector
After going through hundreds of messages, I am still not clear about the steps involved in including SSL certificate with HTTP protocol.
1. Instead of subscribing to Trusted Certificate Authority, can we create a Self Signed Certificate? If yes, how?
2. Can anyone please explain the steps involved in including SSL certificate (configuring/importing the certificate)? We are successfully calling HTTP and sending the XML document to a HTTPS URL with authorized user name and password. I need to include SSL certificate to complete the requirement. I have looked at all the PDF documents that are available with BC installation and looked at many forums and still haven't found the answers.
Thanks in advance.
Hi Ramesh.
When untrusted root certificates may be acceptable
Some CAs may be trusted, but in only a very limited way. For example, a company with employees in diverse
locations can make internal documents available to all its employees by setting up a Web site on an intranet that
is only accessible from inside the corporate LAN (i.e. people on the Internet cannot see it). If there are
documents on this site that should have limited access within the company (such as strategic plans or personnel
documents), then these can be protected with SSL.
Since both the servers as well as the browsers are on corporate-controlled equipment, it is well within the
company's interests to act as its own CA. This means that the company can generate its own root certificate
with which it can sign as many SSL certificates as required for the servers deployed in its intranet. Once this is
done, this certificate should be installed into the certificate stores of all the browsers used in the company. Since
the computers these browsers run on are controlled by the company, this is easy to do: the corporate IT
department can have a policy that the company's root certificate is installed in the browser's certificate store
whenever a new computer is set up. This prevents security warnings from being displayed whenever an
employee accesses an SSL-secured site on the company intranet.
The advantage to the company is that it can deploy secured sites anywhere on its intranet without purchasing
certificates from an external CA. Note that if the company also runs an e-commerce site, then it should purchase
its SSL certificate from a trusted CA and not use an internal one for sites accessible to the public, who will not
have the certificate installed by the corporate IT department, and thus would receive a security warning.
In such an environment, an unscrupulous employee (most likely a member of the IT team) who has access to
the private key could launch very successful MITM attacks against employees who visit SSL-protected e-commerce
and e-banking sites at work. This will be discussed later in this document. However, the company
can easily protect itself by warning employees not to visit such sites on company time or equipment, since they
are not "business related activities."
Please see this doc related to trusted and untrusted certificate.
http://www.sericontech.com/Downloads/Untrusted_Root_Certificates_Considered_Harmful.pdf -
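The internal-CA arrangement described in the quoted document above, as an added example that is not part of the original posts: a root certificate is generated, it signs a server certificate, and the server certificate verifies only for a client that has the root in its trust store. It uses the openssl command line; the CA name, host name and file names are constructed for the example.

```shell
# Added example: internal root CA -> server certificate -> trust check.
# CA name, host name and file names are constructed for illustration.
make_pki() {   # make_pki <dir>: build a root CA and one signed server cert
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:intranet.example.test
EOF
    # 1. Self-signed root certificate: the company acting as its own CA.
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -days 365 2>/dev/null || return 1
    # 2. Key pair and certificate request for the intranet server.
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=intranet.example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/srv.key" \
        -out "$dir/srv.csr" 2>/dev/null || return 1
    # 3. The root signs the request; the SAN comes from [v3_srv].
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/pki.cnf" \
        -extensions v3_srv -days 30 -out "$dir/srv.crt" 2>/dev/null
}

# Client that has the company root installed in its trust store.
verify_with_root() {
    openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1
}

# Client without the root (for example a member of the public):
# no trust anchors are available, so chain building fails.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath "$1/srv.crt" >/dev/null 2>&1
}

# Stand-alone run in a throwaway directory.
workdir=$(mktemp -d)
make_pki "$workdir"
verify_with_root "$workdir" && echo "root installed: trusted"
verify_without_root "$workdir" || echo "root missing: rejected"
```

The file `ca.key` is the private key the quoted text warns about: anyone who holds it can issue certificates that every client trusting `ca.crt` will accept.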
Keytool self-signed certificate.
Using Keyman on hp-unix. Wanted to create self-signed certificate.
When I tried to create, it asked to create keys. I created them. Then I could select self-signed and create it. This is listed under private certificates. Now what to do? For somebody to trust this certificate, do I have to take it to another database on another box?
Say, I created a private certificate pc1 at Box1. For Box2 to trust Box1, I guess I need to take this certificate and put it on Box2. (exporting from box1 and importing to box2). Is this what I am supposed to do? Or am I understanding something different? If I am correct, it(keyman) is not giving me option to export the certificate.
Please help.
Using ikeyman, Not keytool