FF33 doesn't like our internal SSL certificates.
Updating Firefox to version 33 breaks SSL connectivity with certificates signed by our company's internal CAs. As of the latest update, we get the following error message with no method of override:
An error occurred during a connection to www.google.com. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
I assume the problem stems from the new mozilla::pkix certificate validation. The sec_error_bad_der seems to indicate there's a parsing issue with the certificate itself.
These certificates work fine in FF <32, Chrome, and MS IE. But I recognize there may be something subtly wrong with these certs that should be corrected. However, Firefox doesn't actually give any useful information to help troubleshoot this. What options are available to discover what exactly FF is finding so broken about these?
Sorry to put this work on you, but I don't understand many of the comments in these bugs about issues with the signing certificate. You probably are in a better position to understand them:
https://www.google.com/search?q=sec_error_bad_der+site:bugzilla.mozilla.org&tbs=qdr:y
Similar Messages
-
Exchange 2013 autodiscover finds external & internal SSL certificate causing autodiscover to fail
Hi:
I'm currently working on a Windows 2012 server with Exchange 2013. Let's say our internal domain is "cars.com" and this is ALSO the case for our external domain. We have purchased an SSL wildcard positive certificate *.cars.com so that we could configure Outlook Anywhere. We have created the needed DNS records at GoDaddy and on our internal server; OWA, ECP, it all works if you go to https://bird.cars.com/owa because we have a DNS record for bird in GoDaddy and our local server, so all of that is working like a pro! Here comes the tricky part: our website is registered in GoDaddy but hosted by someone else, a company called Poetic Systems. When we test the connection with the Remote Connectivity Analyzer website we get a very peculiar error that says "SSL certificate not valid". It provides the name of the certificate it found and it is not ours. We found that the hosting company is listening on port 443, therefore it is pulling their self-signed certificate also. Does anyone have a fix for this? I have done this same setup before for other companies and this is the first time a situation like this happens. I REALLY NEED HELP !!!!!
Hi,
According to your description, there is a certificate error when you test Outlook Anywhere connection by ExRCA.
If I misunderstand your meaning, please feel free to let me know.
And to understand more about the issue, I’d like to confirm the following information:
What's the detailed error page?
Check the Outlook Anywhere configuration: get-outlookanywhere |fl
Check the certificate : get-exchangecertificate |fl
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Changing SSL certificate for ICM
Hello,
I'd like to change the SSL certificate for the ICM service. I've changed it in STRUST, but when I run a web browser, the server sends the old one. It is very odd that ICM still works after deleting all "SSL Server" certificates in STRUST. I tried to restart the whole SAP system, but it did not help.
Is there any possibility to change the working certificate? What should I do to make such a change?
> I often use transaction SMICM -> Administration -> ICM -> Exit soft to restart only the ICM without interrupting the whole SAP system.
> You should increase the ICM trace level, restart it and look at the trace file to try to find out what's wrong.
OK, ICM runs properly now. I have no idea why, as I did not change anything. Maybe "soft restart" invoked a few times helped.
> Of course. In my company we use our own internal CA for intranet use and Verisign for internet use.
> (for internet use the certificate in on the reverse proxy in the DMZ).
Here I've got another problem.
I've started with something simple. STRUST -> SSL server -> Create Certificate Request. My CA has signed this request. Now, when I'm trying to install the signed certificate, I get an error "Cannot import certificate response".
As my CA is not signed by any well-known CA (e.g. VeriSign), I've added my CA's certificate to the SAP database (as root CA and server CA), but it did not help.
In SSL server, I've got "(self signed)" below the "own certif." field and I cannot change it.
If it's not a big problem, could you write down what I should do to install an external SSL certificate signed by a not well-known CA?
Many thanks for your help,
regards,
Konrad -
Installing SSL certificate Windows Server 2012R2 RDSH servers
Hello,
I'm currently in the final phase of installing a functional Remote Desktop (Windows Server 2012R2) environment. The only problem I have, which I have tried to complete for several days now without any luck, is the installation of our wildcard SSL certificate on the Remote Desktop Session Host servers (farm).
We have 1 gateway server which is also the connection broker. On this server I have installed (using the Deployment Properties of the Session Collection) the certificate on all available levels. But still, when I try to connect to our Remote Desktop Servers I get the automatically created certificate from the Remote Desktop Session Host servers. The certificate works for all the other functions (gateway etc.)
The servers are joined to the domain, and the wildcard certificate = *.zon-ict.nl.
Below the screenshot of the deployment settings.
Can someone point me in the right direction for installing the certificate on the RDSH servers?
Hi,
Thank you for posting in Windows Server Forum.
Basic requirements for Remote Desktop certificates:
1. The certificate is installed into computer’s “Personal” certificate store.
2. The certificate has a corresponding private key.
3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.
Please follow beneath article for details.
Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
Hope it helps!
Thanks.
Dharmesh Solanki -
When accessing Intranet sites that have SSL certificates issued by our internal PKI, FF for Windows gives an error message - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.
Hi Guigs2,
From the other post you link to, I can confirm that both the Root and Subordinate CA have been commissioned with the:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
registry key set. As can be seen above, the signature algorithm on an issued certificate is RSASSA-PSS. This has been the Microsoft-suggested deployment IF you do not wish to support either XP or Windows 2003 machines and lower. In fact, I believe the option has been around since Windows 2008; however, there were of course a lot more XP machines back then.
The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added to Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not want to necessarily open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix? -
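The two sec_error_bad_der reports on this page (the Firefox 33 question at the top and the internal-PKI post just above) both come down to what the certificate's signatureAlgorithm field actually says, which Firefox's error text does not reveal. The following added example (not code from the threads or from Mozilla) walks the outer DER structure of an X.509 certificate far enough to read the signatureAlgorithm OID and the tbsCertificate.signature OID, and flags RSASSA-PSS, the algorithm the AlternateSignatureAlgorithm=1 registry setting turns on. The skeleton certificates it builds for the offline demonstration are constructed stubs, not real certificates; the `load_certificate` helper is for pointing it at a real PEM or DER file.

```python
import base64

# Signature-algorithm OIDs discussed on this page. The post above reports that
# mozilla::pkix (Firefox 33+) rejects RSASSA-PSS-signed certificates with
# sec_error_bad_der while Chrome and IE accept them.
RSASSA_PSS = "1.2.840.113549.1.1.10"
KNOWN = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    RSASSA_PSS: "RSASSA-PSS",
}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                    # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _algid_oid(algid):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, body, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(body)

def signature_algorithms(der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, pos = _read_tlv(cert, 0)          # tbsCertificate
    _, outer_algid, _ = _read_tlv(cert, pos)    # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)               # [0] EXPLICIT version is optional
    if tag != 0xA0:
        p = 0
    _, _, p = _read_tlv(tbs, p)                 # serialNumber
    _, inner_algid, _ = _read_tlv(tbs, p)       # signature (must equal the outer one)
    return _algid_oid(outer_algid), _algid_oid(inner_algid)

def diagnose(der):
    outer, inner = signature_algorithms(der)
    if outer != inner:
        return "mismatch"       # RFC 5280 4.1.1.2 requires the two fields to be equal
    if outer == RSASSA_PSS:
        return "rsassa-pss"     # the AlternateSignatureAlgorithm=1 case from the thread
    return KNOWN.get(outer, "unknown:" + outer)

def load_certificate(path):
    """Accept a PEM or DER certificate file on disk."""
    raw = open(path, "rb").read()
    if raw.startswith(b"-----BEGIN"):
        b64 = b"".join(l for l in raw.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(b64)
    return raw

# --- constructed skeleton certificates for the offline demo (not real certs) ---
def _tlv(tag, body):                      # short-form length only; skeletons are tiny
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def skeleton_cert(outer_oid, inner_oid=None):
    """Minimal Certificate SEQUENCE carrying only version, serial and signature fields."""
    algid = lambda o: _tlv(0x30, _tlv(0x06, _encode_oid(o)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + algid(inner_oid or outer_oid))
    return _tlv(0x30, tbs + algid(outer_oid) + _tlv(0x03, b"\x00" * 9))
```

Run `diagnose(load_certificate("server.crt"))` against a certificate that Firefox rejects; a result of `rsassa-pss` points at the CA's AlternateSignatureAlgorithm setting rather than at a malformed certificate.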
MPX 2.1.1.2 SSL Certificates doesn't show in the web administration
Hey guys,
I've uploaded SSL certificates to my MeetingPlace Express installation and I got the error shown in the attached file. "Display Certificate" via the web interface doesn't show anything, but under CLI with the SSLUtil command I can see that the certificates are actually generated in the system.
Currently the certificates are actually working when I access MeetingPlace via web, but I don't have any administration control over them via the web administration. Rebooting the server doesn't help. Anyone experienced a similar issue?
Regards,
Vladimir
Correct, it did work in 1.5 on .sql files, when connected, so I have updated the ER to bug. We also need to expand this to support PL/SQL files.
Sue -
How to ignore SSL certificate warning only for a specific internal subnet?
I understand my issue may be a little unique, but I am sure some people have come across it. I am working with some test gears that have either self-signed certificates or flat out invalid/expired SSL certificates. Since this is a lab/test environment I don't want to have to go through the trouble of generating my own certificates and load them on each test device, since they come and go quite a bit.
Is there a way to tell Firefox to ignore SSL warning, but only for a given subnet? For example, if the SSL certificate is presented by anyone in 10.11.12.0/24, accept it without question, but if it's coming from anywhere else, check its validity.
I doubt this will ever be a main feature for Firefox, but perhaps someone has come across an add-on that does this?
I suggest you ignore self-signed certificates. You should get some low-priced SSL certificates to prevent your website from warnings.
I preferred to buy SSL certificates from a reseller, as its pricing is low.
Some good resellers are:
servertastic.com (http://servertastic.com)
SSLRenewals.com (https://www.sslrenewals.com)
and you can google it for more reseller lists. -
Iplanet 6.0 creating a development SSL certificate for internal use
With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
Is there a tool to create my own SSL certificate for development work with iPlanet 6.0? -
Wildcard SSL Certificates with MFE?
Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
Before doing anything I figured I'd try a website that used a wildcard certificate.
When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
Thanks.
This is an interesting question. I look forward to testing this myself.
What kind of cert & website did you use in your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com ? AFAIK a wildcard doesn't match addresses consisting of the domain part only, so the latter one might not work.
Help spreading the knowledge — If you find my answer useful, please mark your question as Solved by selecting Accept this solution from the Options menu. Thank you! -
Wildcard * SSL Certificates for TTA??
Is there any way I can use a wildcard SSL certificate like:
*.mycompany.com
in my TTA server?
I was able to run all the cert commands successfully using the
*.mycompany.com cert:
Generated the CSR (tarantella security certrequest)
Installed the Cert File (tarantella security certuse)
Installed the Chained CA cert (tarantella security customca)
Review/validate certinfo (tarantella security certinfo)
The TTA-installed Apache webserver was fine with the wildcard certificate
since I was able to goto:
https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
But after I went to:
https://subdomain.mycompany.com/tarantella/
I got the following errors in my Java Console:
Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop
server...
Secure Global Desktop 4.10.903: Using secure connection to
Secure Global Desktop server subdomain.mycompany.com:443
Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted
for this Secure Global Desktop server (subdomain.mycompany.com) due to name
mismatch.
Secure Global Desktop 4.10.903: Client dropping connection.
Secure Global Desktop 4.10.903: Unable to connect: Certificate
(*.mycompany.com) not accepted for this Secure Global Desktop server
(subdomain.mycompany.com) due to name mismatch.
Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
Is there a way that I can get the applet to do a regex-ish match on the name
for wildcard certs?
Cyrus
Hi Cyrus
I was loosely referring to PKI rules e.g.
http://www.ietf.org/proceedings/98mar/98mar-edited-110.htm
http://www.iihe.ac.be/internal-report/1997/stc-97-19.html
Wildcarding isn't supported. I understand what you are trying to do now
but it won't work because the software is looking for a certificate
matching a single server.
The certrequest command is just a wrapper script for openssl so it won't
stop you doing anything the openssl command believes may be valid. You don't
actually need to use this command it's just there for convenience, you
could do everything just using openssl.
The current documentation doesn't explicitly state that you can't use
wildcards in certificates but it does say you need a certificate for a
SGD server. My understanding of the wildcard issue is that it is up to
a particular application to decide what is appropriate.
http://www.tarantella.com/support/documentation/sgd/ee/4.1/help/en-us/tsp/gettingstarted/whatare_certs.html
Regards
Barrie
On 2005-08-15, Cyrus Mehta <[email protected]> wrote:
May I inquire as to where these rules are listed regarding SSL Certs, I
didn't see anything to the effect in the documentation. Also why weren't
the rules enforced at certificate generation time. Even the validation
command (tarantella security certinfo) had no problems.
The CSR generation/signing went through flawlessly and created a wildcard
cert that Apache could use. It's one thing if the whole cert process
couldn't handle a wildcard, but it seems like everything would have worked
if only the applet accepted a wildcard regex match.
Regards,
Cyrus
barrie wrote:
Hi Cyrus
No, sorry. The rules say you can't do that. You are required to have a
certificate for a node not a network.
Regards
Barrie
On 2005-08-05, CM <[email protected]> wrote:
Is there any way I can use a wildcard SSL certificate like:
*.mycompany.com
in my TTA server?
I was able to run all the cert commands successfully using the
*.mycompany.com cert:
Generated the CSR (tarantella security certrequest)
Installed the Cert File (tarantella security certuse)
Installed the Chained CA cert (tarantella security customca)
Review/validate certinfo (tarantella security certinfo)
The TTA-installed Apache webserver was fine with the wildcard certificate
since I was able to goto:
https://subdomain.mycompany.com (FYI, the subdomain is NOT "www")
But after I went to:
https://subdomain.mycompany.com/tarantella/
I got the following errors in my Java Console:
Secure Global Desktop 4.10.903: Connecting to Secure Global Desktop
server...
Secure Global Desktop 4.10.903: Using secure connection to
Secure Global Desktop server subdomain.mycompany.com:443
Secure Global Desktop 4.10.903: Certificate (*.mycompany.com) not accepted
for this Secure Global Desktop server (subdomain.mycompany.com) due to
name
mismatch.
Secure Global Desktop 4.10.903: Client dropping connection.
Secure Global Desktop 4.10.903: Unable to connect: Certificate
(*.mycompany.com) not accepted for this Secure Global Desktop server
(subdomain.mycompany.com) due to name mismatch.
Secure Global Desktop 4.10.903: Missing negotiation feature cgi script
Is there a way that I can get the applet to do a regex-ish match on the name
for wildcard certs?
Cyrus -
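Two threads above turn on how a client matches a wildcard certificate name: the Nokia reply notes that *.example.com does not cover the bare domain, and the SGD thread shows a client that demanded an exact match and so rejected *.mycompany.com for subdomain.mycompany.com. The following added example (not code from either thread or from the products discussed) implements the browser-style matching rules of RFC 6125 section 6.4.3 so both outcomes can be checked, and adds an `exact` mode mirroring the literal comparison the SGD applet performed; the sample names are constructed for illustration.

```python
def hostname_matches(pattern, hostname, exact=False):
    """Return True when a certificate name `pattern` covers `hostname`.

    exact=True compares the names literally, as the SGD 4.10 applet did.
    Otherwise the browser-style rules (RFC 6125 section 6.4.3) apply:
      * comparison is case-insensitive and ignores one trailing dot
      * '*' is honoured only when it is the entire left-most label
      * the wildcard stands for exactly one label, never zero or several
      * a wildcard directly under a public suffix such as *.com is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if exact or "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False      # partial (f*o.example.com) or non-leading wildcards
    if len(p_labels) < 3:
        return False      # *.com style patterns
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def certificate_covers(names, hostname, exact=False):
    """A certificate covers the host if any of its dNSName/CN entries matches."""
    return any(hostname_matches(n, hostname, exact) for n in names)
```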
ISE: Guest SSL Certificate Not Trusted Error
Team,
We are building an ISE demo for an event. I configured the Guest Access and it is working fine. The problem is that when the guests (event attendees) try to access the internet they will be redirected to the ISE for Guest Authentication. The guest will get the below error message, which doesn't look good because the ISE has a self-signed certificate and it doesn't have a publicly trusted certificate.
I tried to generate a trial SSL certificate from Thawte and Symantec but both replied that they couldn't verify the information I provided. I believe this is because my domain is not publicly registered (I created this domain internally for the event).
Please advise what the solution is for this issue. I don't want my guests/attendees to see the error message. It doesn't look good for demonstrating ISE.
Please advise.
Thanks in advance
The only solution that can completely resolve your issue is to get a certificate from any trusted CA, like Verisign, Thawte, etc. The cost for that is typically $100 per year. Another solution is to use a certificate from StartSSL. They have an easy procedure for issuing certificates and it's free, but in some browsers that window may still appear sometimes.
-
We are planning our Direct Access environment now and plan to also use SSTP VPN on the same box.
I understand that the best practice is to use a certificate published by a public CA for the outward facing IP-HTTPS listener and we plan to do this however during testing we would like to use a certificate created from our internal CA. If our testing phase
is successful and we plan to go ahead we would then buy a public CA certificate and replace the internally created one.
I would just like to know how much of an issue/hassle it would be to do this. I believe that during the DA setup wizard it automatically inserts the certificates you provide. Is it a problem to change it afterward? Do you have to uninstall DA and run through the wizard again? Thanks.
Or you can use a public 30-day trial SSL certificate that is supported on all clients.
The hassle of changing it, will be the same as when you are renewing a public SSL certificate in the future. And yes, you have to re-run the wizard again, after you have imported the new SSL certificate on the DA server. -
Renew SSL Certificate for for two Exchange 2010 Server and the new rules.
I find DigiCert's website always helpful with cert questions. They've got a pretty helpful page here: https://www.digicert.com/internal-names.htm It looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htm I bet Microsoft have something on their website too that helps with this sort of question. I'd say you register a completely new domain and use that for public-facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com, and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.
Hi there,
My Exchange 2010 server certificate is about to expire and I am going to renew it, but according to the new rules for SSL certificate issuing we cannot include our local server names and local FQDNs such as myserver.contoso.local. My issue is that I have 2 Exchange servers: one is the internet-facing server (where the certificate is initiated and installed) and one is a non-internet-facing Exchange server.
If I am going to renew my certificate with public-only names, I have to create a split domain that reflects my external links to the internal users. What shall I do for the non-internet-facing server? Do I need to create another record in my split DNS server and add it to my certificate request?
This topic first appeared in the Spiceworks Community -
We run webaccess and currently self-sign. This of course
results in a warning for our users (employees). I am
looking at getting an ssl certificate but don't know which
type is needed. Seems like most certificate authorities
have a quickie ssl which requires very little verification
and a standard ssl which requires more information. I don't
need an EV certificate.
So, can I get by with the cheapest certificate to avoid the
warning message??
Chris
It really depends on what Windows and/or the browser recognizes as a trusted CA. We use Trustwave certs for our WA SSL. Windows and IE trust them, though Firefox doesn't seem to. However, at least Firefox can always trust it, unlike Win/IE.
We used Verisign initially, and they were around $2k for a 3-year cert. Trustwave was about $200 for the same. So we switched and haven't looked back. We also have several other webapps that use Trustwave certs.
HTH,
Aaron -
Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2
HI All,
I am hearing the news that SHA-1 certificates will soon be phased out on Chrome and Microsoft platforms. I am OK with replacing public certificates with SHA-2 certificates.
But I see that our internal certificates are also issued with the SHA-1 algorithm. And these SSL certificates are used in the LAN to access internal sites. So do I need to get internal certificates reissued with SHA-2 (256)? If so, what do I need to change on the CA server to use the SHA-2 algorithm?
Thanks in advance.
Mahi
On 9/20/2014 1:28 AM, "Paul Adare [MVP]" wrote:
On Sat, 20 Sep 2014 06:24:23 +0000, mahi_tweak wrote:
Could you please let me know w.r.t to phase out of SHA1, is it required to take action for Internal (private) CA servers as well?
Currently no. All of the current SHA1 deprecation notices from Microsoft
apply only to public root CAs that are part of the Microsoft Trusted Root
program.
You should start planning to migrate your internal CAs however. At some
point in time I think you'll find that all SHA1 certificates will be
deprecated.
Paul - does IE have the logic built in to know when a cert has been issued by an internal CA so that it does not flag it as unsafe? The way I see it, this is all pointless if you have legacy SHA1 in your environment and the browser can't distinguish one from the other.
This depends somewhat on what version of IE you are using. I urge anyone who is stuck with an older version to modernize ASAP.
I also recommend CA servers also be the latest version. Like Paul said, SHA-1 has been deprecated and the new SHA-2 is the new flavor of the week.
Being cynical, seems that too many problems come from suspicious efforts to make the system secure in the first place.
Please don't pay attention to anything Vegan Fanatic has to say on this topic as he is clearly out of his depth here and has no idea what he's talking about.
IE does not itself do certificate validation; that is passed off to the certificate chaining engine that is built into the Windows OS. When the date arrives that SHA1 SSL and code signing certificates issued by roots in the Microsoft Trusted Root program are no longer accepted, determining whether the certificate being validated chains to an internal or an external root will be done by the certificate chaining engine and not directly by IE.
The last sentence above makes no sense at all, and SHA2 is not "the new flavour of the week".