Fail to install a trusted(SSL) certificate on CUCM 10.5

Hi Guys,
I have generated a CSR from CUCM and have got it signed by the CA.
There are two kinds of certs in the cert chain - CA certs and end-entity certs. For example, the cert that represents your box is "cucm01.acme.local". This is the end-entity cert.
"cucm01.acme.local" was issued by a CA called "parent.someCA.com".
"parent.someCA.com" was issued by a CA called "grandparent.someCA.com".
And "grandparent.someCA.com" is the top (root) CA.
I'm trying to upload the signed CA with the following steps:
1. Upload "grandparent.someCA.com" as "Tomcat Trust" cert.
2. Upload "parent.someCA.com" as "Tomcat Trust" cert.
3. Upload "cucm01.acme.local" as "Tomcat" cert. In the "Root Certificate" field, you should fill in the .pem file name of its parent. This is on the OS admin page > Security > Certificate Management.
The issue is on step 3: I couldn't find any "Root Certificate" field in either the "Tomcat" cert or the "Tomcat Trust" cert. Please see attached screenshot.
Is there any step I missed or wrong?
Please advise,
Thanks,
Cherry

When I try to access CUCM with its hostname, it still shows "There is a problem with this website's security certificate."
I click the errors to view the details. It shows: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
But I have opened the root CA and installed them into Trusted Root Certification Authorities.

Similar Messages

  • Howto install a signed SSL Certificate

    Hi,
    I installed a new Novell File Reporter 2.0.
    When I open the Browser I get a self signed Certificate.
    Where can I install my signed SSL Certificate?
    Thank you
    Thomas

    TEggers,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Installing a new SSL Certificate to Exchange

    Hi,
    We have a Windows Server 2008 R2 machine running Exchange 2010 (sorry, there wasn't an option for a 2010 forum). As a company which handles payments, we need to be PCI DSS registered and the scan has picked up a failing point being we don't have an SSL Certificate installed. I have purchased one via GoDaddy and followed the instructions on their site to install it, however the PCI DSS scan is still failing because of the following reason:-
    "The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority."
    The certificate at the top of the chain is the 'built-in' default certificate. How do I promote the installed GoDaddy certificate to the top of the chain?
    Thanks

    Hi,
    Please refer to this similar thread.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e80a77f8-4f88-439e-85dd-76463c7a69d3/certification-authority?forum=winserversecurity
    And try to save your root CA(s) public certificate in PEM format into a text file to PCI DSS scanner.
    Hope this will be helpful for you.

  • Installing new SSL certificate on CUCM 7.1 (Verisign or Geotrust)

    Hello,
    I am trying to search CCO for a guide for installing a trusted certificate on a CUCM server to eliminate the SSL browser warnings.  Could anyone point me to such a guide?
    Thanks!

    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/7_1_2/cucos/iptpch6.html#wp1046223
    Michael
    http://htluo.blogspot.com

  • How do I install a CSR & SSL Certificate in Adobe Muse while hosting the website with GoDaddy, not Business Catalyst?

    I have designed a website and I want to host it with GoDaddy. I also want to install a SSL Certificate so I can get the HTTPS://mydomain.com instead of the HTTPS://mydomain.worldsecuresystems.com that I get with BC. Is there a way to install the SSL Certificate in Adobe Muse so that I can do this?

    This is something you'd have to do on Go Daddy, it's not something that would be done in Muse.
    Go Daddy's page on their SSL service is: SSL Certificates | Secure Your Data & Transactions - GoDaddy

  • Can't install a wildcard SSL certificate

    Running ML Server. I have a GoDaddy issued wildcard SSL certificate to *.mydomain.com. The certificate is currently installed on a different (non-Mac OS) server. I am able to cut and paste the main certificate, private key and other chain certificates from that server's interface and paste into a text file using TextWrangler. On the OS X server I deleted all of the old certificates in KeyChain (this server had an old wildcard version of the certificate before), deleted the old wildcard cert in Server.app and deleted the corresponding files in /etc/certificates
    I then created a new self-signed certificate for *.mydomain.com in Server.app, then selected it, went to Manage Certificates and tried to update the self-signed certificate with the signed certificate using the Server.app interface. The interface enables you to drag and drop certificate and chain files to add.
    However, this is where it gets strange...
    The first time I drag the certificate file to the interface, I get the green + symbol, let go and nothing happens. If I do it again, the interface lights up green again, but this time it adds it to the non-identity certificate list. I am able to replicate this every time!
    Why does the interface show me the first time that I can drag the file, but does nothing, and then the second time adds it as a non-identity certificate? Same behavior happens if I start with the chain certificate as well.
    I can confirm that the four certificate files show up in /etc/certificates, but they appear to be generated by the self-signed certificate creation.
    Any insights appreciated! TAA

    In fact I had the same issue last week and I could only solve it by exporting the key with the certificate in a PKCS12 file. Fortunately this is supported by the Windows certificate manager where the certificate was originally installed.
    You could take your key and certificate files and merge them into a PKCS12 file using openssl (go to Terminal, it is installed on an OS X box) and fire the following command (and change the filenames ;-)):
    openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
    The openssl tool requests a passphrase for the created file that you will need to provide again when the key is imported into the keychain.
    Good luck with it

  • How do I install a new SSL certificate?

    I am running Weblogic 6.1 on Windows 2000. I received a renewal notice from Verisign
    and purchased new certificates. I would like to put them in place but am a bit
    lost. I am new to Weblogic and am used to installing certificates in IIS. There
    seems to be no "install" feature under Weblogic.
    Do I just change the name of the path to point to the new certificate?
    Will I need to stop and restart the Weblogic services? Does this have the potential
    to take down the website?
    Any help would be greatly appreciated.
    Thanks in advance.
    ~Sheri


  • Existing SCUP updates fail to install after changing the certificate.

    Hi,
    Recently our certificate we use to sign updates published from SCUP expired. Unfortunately we didn't have the box ticked to supply a timestamp with each publish so it resulted in us republishing everything with a new certificate.
    When the update is new and has never been published before, a client PC can download and install the new update with the new cert completely fine. The problem lies with updates that had to be re-signed. Each time they try and install I get 0x80091007 The hash value is not correct.
    I assume this is because the package still has the previous update with the old cert in it - I have redistributed the package and am still seeing the issue...
    Has anyone else experienced it or have any ideas of how I can tackle this?
    Thanks!

    Hi,
    Please have a look at the following thread, especially the steps of Aaron-SRS's and AlaRose's.
    "A software update (the binary) can only be published once to WSUS.  If you change the signing certificate, you will then also want to resign that binary by publishing it with the resign option (in Advanced settings)."
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/cbc28e7a-9a2b-41cb-9627-be66316f2507/invalid-certificate-signature-when-downloading-adobe-updates-published-from-scup?forum=configmgrsum
    Best Regards,
    Joyce

  • Installing Network Solutions SSL Certificate Help

    I have created the CSR and gotten the certificate files back from Network Solutions. This process is different under Snow Leopard Server, which is the only way I have done this, so I am struggling to get it to work. Network Solutions has no directions for doing this with OS X Server either. If anyone has done this, could you please post step by step directions? I greatly appreciate any help!

    If they sold you the certificate, and you asked and they claim support for OS X Server,
    then they need to supply you with support. Be it documentation or otherwise.
    However, have a look at the following and see if that helps:
    http://lists.apple.com/archives/Macos-x-server/2010/Nov/msg00058.html

  • How to install SSL certificate on Mac OS X 10.8.3 Server 2.2

    Hi,
    In earlier versions of 10.8 / OS X Server 2.2 you were able to install a purchased SSL certificate in the
    Hardware >> Profile Manager Server >> Settings >> SSL Certificate Edit
    I've just done a clean install of 10.8.3 and OS X Server 2.2 but there is no  "SSL Certificate Edit" available.
    How do I install my purchased certificate?
    Thanks,
    John

    Sorry for hijacking but I have a related question to do with certificates.
    I had to set up virtual domains manually instead of through the GUI and the server ssl site is now locked to a certificate that is about to expire and no longer needed. I can't change the certificate in the web GUI because it was created manually, I can't delete the certificate because it is assigned to the server ssl website and I can't manually edit the conf files to point to a different certificate because it breaks it. Any ideas?

  • Expired SSL certificate errors in browser after installing a new Certificat

    I recently installed a new SSL certificate from Thawte following the same process as the last time I installed one. The install seemed to work for a couple of days and then I started getting calls reporting an expired SSL certificate. I verified that the proper cert was still installed and it was. What actually got the ball rolling again was disabling the listener associated with my secure site and re-enabling it. That worked for 2 days and now the website is reporting an expired SSL cert. Any clue what is going on?

    Here is the output, but I noticed that there are three of the same key (sitecert):
    wadm> certutil -L -d .
    sitecert                                                     u,u,u
    sitecert                                                     u,u,u
    Thawte SGC CA - VeriSign, Inc.                               CT,,
    sitecert                                                     u,u,u
    I guess now the question is how to get rid of the 2 offending certs in the database.

  • Error installing standard SSL certificate

    - Using Sun Java System Web Server 7.0 U4. Fresh install on clean server. Created an instance for SSL. However, when installing the standard SSL certificate on the instance configuration, I get the following error:
    ADMIN4078: Unable to retrieve output from command: /Sun/WebServer7/lib/CertificateMgrUtil.exe
    I'm new to Sun 7 (we've been using 6.1) and I'm not familiar with this CertificateMgrUtil.exe. Can anyone shed some light on what this is and what steps I would need to take for this utility?
    Thanks

    Please do the following:
    - Try running administration server with the log-level 'finest'.
    - Then do the same action that gave rise to the error that you are facing.
    - After that look in to .../admin-server/logs/errors to see the error.
    - Copy paste that error here.
    BTW, have you enabled Dr.Watson? Check in Event viewer to see if the process crashed. Dr.Watson output would be useful too.

  • Installing single SSL certificate on primary/secondary ACS boxes

    I am trying to install the same SSL certificate I have installed on my primary ACS on my secondary ACS. I have replication configured and working between the two. The primary is the ACS appliance. The secondary is windows v3.3. The problem is the secondary ACS does not know about the private key file created during the CSR so I get an error when I try to install the certificate. So, what do I have to do to get around this? Obviously the certificate information is not copied over during replication. Is there a way to import it over manually?
    Can I install the same certificate or do I need to do a separate CSR and install a separate certificate?

    Yes you can use same cert for both the acs. On appliance download the cert and pvk file on your FTP root.
    Move both files to ACS Windows and upload the certs and pvk file. Retype the private key (you need to remember it).
    On windows acs--->install new cert---->use Read certificate from file--->put the location of cert like D:\Jar.cer
    Give the location of Private key file---->D:\prv.pvk-----> Type the pvt key --->submit.
    Regards,
    ~JG
    Do rate helpful posts

  • Accepting runtime-specified SSL certificates in WebLogic 11g

    Hi all!
    In our application we need to call several Web Services based on URLs and trusted SSL certificates that are stored in a database. Those certificates are self-signed but we cannot add them in the WebLogic truststore (we only want to accept them for those specific web service calls). This is 2-way SSL but our server refuses the remote certificate.
    What is the right way to do this?
    In WebLogic 10g we used to do the following:
        WlsSSLAdapter adapter = new WlsSSLAdapter();
        try {
            // setup for client certificate
            adapter.setKeystore(…);
            adapter.setClientCert(…);
            // setup for accepting the remote certificate
            adapter.setTrustManager(new TrustManager() {
                @Override
                public boolean certificateCallback(X509Certificate[] paramArrayOfX509Certificate, int paramInt) {
                    // accept only the expected certificate (compared by value, not by reference)
                    return expectedCertificate.equals(paramArrayOfX509Certificate[0]);
                }
            });
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(weblogic.wsee.jaxrpc.WLStub.SSL_ADAPTER, adapter);
    However in WebLogic 11g it appears that even if the TrustManager is called (which we checked by using a debugger), WebLogic refuses the certificate:
    <validationCallback: validateErr = 16>
    <  cert[0] = Serial number: 9232073310112809071929676484517784211
        Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
        Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
        Not Valid Before:Tue Nov 01 14:33:31 CET 2011
        Not Valid After:Sun Nov 02 14:33:31 CET 2031
        Signature Algorithm:MD5withRSA
        >
    <weblogic user specified trustmanager validation status 16>
    <Certificate chain received from mestoudi2 - 10.142.0.23 was not trusted causing SSL handshake failure.>
    <Validation error = 16>
    <Certificate chain is untrusted>
    <SSLTrustValidator returns: 16>
    <Trust status (16):  CERT_CHAIN_UNTRUSTED>
    <NEW ALERT with Severity: FATAL, Type: 42
        java.lang.Exception: New alert stack
          at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
          at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
          at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
    …
    I think the first difference occurs on the line "weblogic user specified trustmanager validation status 16" where in WebLogic 10g the value was 0 instead of 16.
    If we check "Use JSSE SSL" in the WebLogic administration console (which switches the implementation to com.sun.net.ssl instead of com.certicom.tls), the TrustManager is not called at all.
    We also tried to configure the TrustManager by implementing a javax.net.ssl.X509TrustManager that we set on a weblogic.wsee.connection.transport.https.HttpsTransportInfo passed to the stub using
        ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(TRANSPORT_INFO, transportInfo);
    But it is not called either – however it works for setting up a proxy for example. We are generating the stubs using the clientgen Ant task (weblogic.wsee.tools.anttasks.ClientGenTask).
    We are a little bit stuck, any idea of what we should do? Is the WebLogic 11g behavior a regression or is there something else we should configure to get back the old behavior?

    Hello,
    WebLogic has two keystores: identity (if you are doing 2-way SSL) and trust. You should import your "external" certificate into the "trust" keystore.
    Look at your server config to know your config: Home > Summary of Servers > AdminServer --> configuration --> keystore
    I suggest that you change the default configuration (not using the demo one),
    then when you know where your keystore is, use the command line to add your certificate to the trusted store (this is an example):
    /opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
    Once your certificate is added to your trust store it should work.
    I hope it will help.

  • New SSL certificate with 2048 bit shows error: (Fehlercode: sec_error_unknown_issuer)

    Installed a new SSL certificate with 2048 bit encryption (as is now required by issuer of certificate). Everything is OK with IE, FF shows error: (Fehlercode: sec_error_unknown_issuer)
    == URL of affected sites ==
    https://www.dongil.at/

    I have also tried all the solutions mentioned - but no luck.
    I wrote to Geotrust support and they pointed out that I needed the intermediate certificate and provided me with this url:
    https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
    Please note, this intermediate certificate was *not* the same as is linked to above - seems like there are 2 different intermediate certificates, depending on what type of certificate you got from Geotrust.
    Just to recap - if you got yourself a "QuickSSL, QuickSSL Premium or SSL Trial"-certificate (like me) then use this intermediate:
    https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
    If you got a "True BusinessID or Enterprise SSL"-certificate, you should use this:
    https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1423
    - Lasse
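
The chain in the first post (grandparent.someCA.com, parent.someCA.com, cucm01.acme.local) and the missing-intermediate errors in the Exchange and GeoTrust threads can be reproduced offline. The script below is an added example, not code from any of the posts: it builds a throwaway three-tier chain with the first post's names, derives the upload order (root first), and shows openssl verify succeeding with the intermediate and failing without it. File names, the ssl.cnf section names and the helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example. All keys and certificates are throwaway test material
# constructed locally; only the subject names come from the first post.
cd "$(mktemp -d)" || exit 1
cat > ssl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ext_ca]
basicConstraints = critical,CA:TRUE
[ext_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:cucm01.acme.local
EOF
# csr NAME CN: new key and CSR (hypothetical helper)
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config ssl.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXT: issue NAME.pem from NAME.csr, signed by ISSUER
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile ssl.cnf -extensions "$3" -days 30 -out "$1.pem" 2>/dev/null
}
build_chain() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ssl.cnf \
    -extensions ext_ca -subj "/CN=grandparent.someCA.com" -days 30 \
    -keyout root.key -out root.pem 2>/dev/null || return 1
  csr parent "parent.someCA.com" && sign parent root ext_ca || return 1
  csr leaf "cucm01.acme.local" && sign leaf parent ext_leaf
}
# Root as trust anchor, intermediate supplied alongside the server certificate.
verify_full() { openssl verify -CAfile root.pem -untrusted parent.pem leaf.pem; }
# Same check when the verifier has the root but was never given the intermediate.
verify_no_intermediate() { openssl verify -CAfile root.pem leaf.pem 2>&1; }
# Upload order (root first): follow issuer -> subject name hashes from the leaf.
# Name matching only orders the files; openssl verify checks the signatures.
upload_order() {
  local cur=leaf.pem order="" issuer next f
  while :; do
    order="$cur $order"
    issuer=$(openssl x509 -noout -issuer_hash -in "$cur")
    # self-signed certificate: this is the root, stop walking
    if [ "$issuer" = "$(openssl x509 -noout -subject_hash -in "$cur")" ]; then break; fi
    next=""
    for f in *.pem; do
      if [ "$(openssl x509 -noout -subject_hash -in "$f")" = "$issuer" ]; then next=$f; fi
    done
    if [ -z "$next" ]; then echo "no issuer found for $cur" >&2; return 1; fi
    cur=$next
  done
  echo $order
}
build_chain || exit 1
echo "upload order: $(upload_order)"
verify_full
verify_no_intermediate || echo "(expected: no path to the root without the intermediate)"
```

Running the same two verify commands against the real root, intermediate and signed server certificate before uploading shows whether the set returned by the CA is complete.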
