How do I allow self-signed cert for SecureAMF on iOS?

Similar Messages

• Local, self-signed cert for SSL IMAP on Tiger?

  I have a co-located Xserve running Server 10.4.11 (Up time: 380 days!) with IMAP, where I have admin access to install SSL certificates, but I don't quite have the justification to purchase one from a CA.
  I also have several Mac computers where I read my email via IMAP with SSL encryption, and I was wondering if there is any way that I could install a self-signed certificate on my local computers that matches my Xserve and would be sufficient to make Mail.app stop complaining about my server.
  I've been searching the web for tutorials on SSL, thinking that there must be some kind of provision within SSL where I could just set up all machines to be aware of a self-signed certificate in a protected file somewhere on each computer, and I assume that it should be possible to make SSL happy to talk between my own computers. But it seems that most SSL tutorials focus on https, not IMAP or other non-web networking connections. Also, I have a sinking feeling that if I did find information, then it might not be appropriate for the exact directory structure of Tiger. If anyone can help or provide pointers, it would be most appreciated.
  P.S. I could potentially used a "free" signed certificate, but it is attached to a virtual domain that I am hosting on my Xserve, and I assume that it wouldn't match the domain of my email unless I juggle things around. Also, that free cert would eventually expire, and then I'll be back to the current situation of needing to use a self-signed cert.

  Never mind. I figured it out.
  First of all, my Xserve certificate did not have the full FQDN, just a convenient subset. I created another self-signed cert with the true FQDN. I saw some hints around the web saying that Mail.app will always complain if the DN does not match.
  Second, it turns out that Keychain Access is where the local certs live, and in Tiger I needed to drag the cert to my Desktop, open it, and store it in the x509 section.
  All is good. Now to see how my iPhone likes the new certs...

• Using keytool to generate self signed cert. for Microsft Certificate Mrg.

  Hi All,
  I want to be able to generate a self signed certificate that I can Import into
  Microsoft's Certificate Manager, to enable an HTTPS Listener for
  Microsoft's WinRM and WinRS.
  The certificate would only be for internal use, not used externally.
  Here's the problem. I can create a certificate using this (path obscured):
  "C:\Program Files\.....\jre\bin\keytool" -genkey -al
  ias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c57803
  53" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files
  \......\jre\lib\keystore\.keystore" -storepass changeit
  "C:\Program Files\......\jre\bin\keytool" -export -alias dMob
  X -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -stor
  etype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.
  keystore" -storepass changeit -v
  Microsoft's Certificate Manager will accept it, the .cer, using "Import", into
  Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
  The WS-Management service cannot find the certificate that was requested.
  If I use another tool, like selfssl, I can generate a self signed certificate using:
  selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
  This will populate a certificate in Trusted Root Certification Authorities,
  and when I run the command to create the HTTPS Listener, it succeeds with
  no problem.
  So my question is, am I doing something wrong with keytool, or are there
  extra steps that I need to take, or is it even capable of generating a "self signed
  certificate" that will work in the above case?
  There are some concepts involved, certificate wise, that I'm not sure about.
  Do I need to create a CSR and use a tool like openssl, as a CA, and
  use the resulting certificate?
  I just want to be able to programmatically create the needed certificate using keytool, or
  using an API.
  Thanks,

  Download the latest JDK on http://download.java.net/jdk7/binaries/.
  Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning". If there are multiple ones, separate with comma).

• How to replace self-signed certificate for enterprise manager console

  Does anyone know how to change self-signed certificate for https access to Enterprise Manager console, which is issued during installation of Oracle 11g?

  Well, this might not be much help, but for 10g, on AIX, docID 1171558.1 describes how to create a new certificate.
  Not sure how relevant it will be for 11g, sorry :(

• Self-Signed Cert being advertised on load-balance ip for ASA VPN cluster

  We recently saw an issue potentially related to CSCul61231 when a self-signed certificate was applied to the internal interface of the lan (inside) connection.  For some reason, the public (outside) cluster ip address started handing out the self signed cert instead of the configured certificate.  Lan interfaces certificates for either of the ASA's in the cluster were not effected - only the VIP.  Even after removing the code, the issue still occurred until the cluster was broken.  After re-connecting cluster issue did not come back.  We are not using the 5500-X devices but instead 5550's.  We do have 9.1.(x) running - I think 9.1.2, but not confident.
  We were looking to add a self-signed static cert as best practice dictates - but if this is the issue we can't and will have to replace our UC cert with one that contains the inside interfaces dns as well.  Can anyone confirm this to be the case?  Below is the exact line that caused the issue.
  ssl trust-point TrustPoint_X INSIDE vpnlb-ip ssl trust-point TrustPoint_X INSIDE
  Thanks in advance!

  Just wanted to follow up and confirm we have 9.1(5)12 running on the devices.  A note in the bug report suggest a possible ip6 address is associated in some way.  I want to also point out the devices have only ipv4 address assigned.
  Anyone that can confirm this functionality would be greatly appreciated.
  Thanks!

• How to import a self signed certificate into Firefox from the windows store properly.

  I am currently trying to get a wcf service that runs on the same machine as the browser that is making the request. Since the connection is between a browser and an application running on the same machine security was orginally not a concern and it seemed fine to leave the request on http. The first issue arrised when Firefox did not allow mixed content calls (The website making the requests uses https). I have the service converted fine to run with Chrome and IE in https, but not for Firefox due to its use of a seperate store.
  For the windows store I created one CA cert which then issues the self signed cert which is then binded to a port I have the WCF service listening on (In my case this is: https://localhost:8502).
  This all needs to be done progammatically so I can't manually Add an Exception (which does work).
  If there was a way to use certutil (I am not very addept at using this tool at all) to add this exception it would be very helpful.
  The other method I have tried is exporting the selof signed cert and then importing it. Using IIS I can only export the file as .pfx which I can't seem to import into the Servers tab in the certificates interface (I assume this is the right location for it since the exception adds it here). I extracted the certificate from the port through code and imported it to the store, but it does not seem have the extra column defining the port like the exception cert does (It does not work wither).
  How do I do this correctly? Or is it even possible to have a self signed cert bypass all this? I only have it using self signed certs since the service is just running on localhost.

  HI,
  Adding an exception does work manually, but you would like to do this programmatically. This has more on the nSS functions [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Certificate_Download_Specification]
  I have not tried this you can add it to the file cert8.db if you can insert it into each profile you can access? (For example copy the file after you have manually added it?) that would overwrite any uniqueness however- not good for preserving data.
  The best advice would come from the security mailing list or the esr mailing list, that helps enterprise environments.

• Old clients won't switch from Self-Signed Certs to PKI.

  Greetings.
  I am wondering if anyone can give me advise on problem I am having with some of my sccm clients.
  When I originally deployed SCCM i used self signed certs on clients.
  We needed to add MAC and Linux support and MAC clients won't work without PKI, so I following this http://technet.microsoft.com/en-us/library/gg682023.aspx to configure Certificate Authority.
  It all seemed work well, I can now join MAC client with auto-enroll and all machines are requesting client certificates and I had couple of machine with new push on windows site installed with PKI.
  So right now I have about 250 windows clients, only 22 of them use PKI and the rest keeps using self-signed certs.
  I foolishly switched main site settings, MP settings and DP point settings to use https only.
  As a result I lost all self-signed clients and have full log for mpcontrol saying that it's rejecting clients cause they certificate cannot be validated.
  I logged in to couple of those machines and MMC i can see that it did enroll machine with valid Client Cert but Configuration Manager client itself still saying that it's using self signed one.
  Am I missing a step that I need to do to make sure that all those clients switch to PKI?

  It is. but how can i redeploy them?
  I was under impression auto push won't reinstall them. If i do deployment - that seem to reuse existing configuration and still use self signed on old machines.
  How can i verify that it does push clients to machine that already have it correctly and start using new config and not reuse old one.
  I even tried removing clients from couple of machines and see if it gets pushed again on them with proper config and those machines don't seem to get client but used to get it fine before. I keep getting new machines being added to domain and they get client
  pushed to them, but anything that had client with self signed doesn't seem to be happy.

• Activate https webmail using openssl self-signed cert

  Dear expert,
  Anyone can give me guidance on how to create and activate https webmail, pops using openssl self-signed cert
  thanks

  Thanks jay for your rocket respond
  I make it work after following your guide and follow this link:
  http://swforum.sun.com/jive/thread.jspa?forumID=16&threadID=52981
  Basically the csr created in mail startconsole, I self signed using openssl.
  One more question, can I use the same cert to enable ssl in ldap encryption tab in ldap console.
  thanks

• Self Signed Certificate for Web Proxy 4.0.2

  Does anyone have instructions on how to create and install self signed Certificate for Web Proxy Server 4.0.2? My OS is RHEL 4.
  Shed.

  Unfortunately you will not be able to do that from the GUI.
  You will have to use certutil frin proxy-install/bin/proxy/admin/bin/certutil
  Make sure that your LD_LIBRARY_PATH includes proxy-install/bin/proxy/lib
  (start -shell will give you a shell with all necessary paths set.)
  create a file called password-file which contains your password to your cert database
  your cert database resides in the alias directory of proxy installation.
  certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234
  -f password-file -d certdir

• OWA using self signed cert

  I have a customer that just bought a blackberry, and I have other customers that use them via OWA for email. Those customers have a Cert from verisign, and use ssl for the owa site.  This latest customer uses SSL, however, it is a self-signed cert.  This isn't a problem for WM5 devices, since I can install the cert on them... but how will this effect this blackberry I want to put in place.
  My understanding is that blackberry contacts my OWA, and then pushes the email it gets to the device.
  not using SSL is not an option.
  Will blackberry still connect to the OWA site even though the cert will show as untrusted for them? 

  Regardless of whether the Cert is trusted or not. When entering the server information ensure you are using the full https:// owa address and it should work fine.

• How to use a self-signed certificate

  Hello,
  I am having some troubles understanding how to use a self-signed certificate. I have created one using Keychain Access -> Create Certificate but it never asked me for the private key and it never told me where the certificate is stored. How am I supposed to use it?
  Typically I would like to do two things:
  1) use the certificate to for example sign an email or other document so that the recipient can verify that it was really me. I understand the concept that they have to have my public key and use it to somehow decrypt something that I have encrypted with my private key. But where is my private key? As mentioned, the certificate creation process never at any point asked me to provide a private key.  An example using this process to sign an email would be really appreciated.
  2) I want to be able to decrypt a message that someone sends to me after encrypting it with my public key. Again, I need my private key, where is it? I was never asked to choose one!
  Please note that i am familiar with the whole process using openSSL ssh via command line, I just need to understand how to achieve the same thing using the certificate creation procedure provided via Keychain Access.
  In short, now thta I have created my certificate, how do I use it? Examples for dummies would be really appreciated
  Thanks  in advance
  /Andrea

  Can you import the CA cert under “Your Certificates.”, delete the CA cert, switched to “Authorities”, re-imported the CA cert, and restarted Firefox.

• Applet signed w/ self-signed cert - different behaviors w different servers

  Folks,
  I'd really appreciate your help with the following.
  I'd like to deploy an applet as a signed jar. Probably at least in the beginning, and maybe indefinitely, I'd like to sign it with a self-signed cert. When I've tested this under Linux, loading the applet in a browser running on my desktop, from an apache2 webserver also running on the desktop, I get the expected behavior - I get a security dialog reporting that the applet was signed by an unrecognized CA, but allowing me to accept the applet's signature. However, when I try loading the applet from my server (i.e, browser still running on my desktop, but now loading the applet from the real webserver, which is also apache2), I don't get a security dialog, and the applet fails silently.
  Is there some way of configuring the webserver so that the security dialog is presented for a self-signed applet? What explains this difference?
  Thanks much,
  Matthew Fleming
  DermVision, LLC

  Double post answer has been given and ignored:
  http://forum.java.sun.com/thread.jspa?threadID=569012&messageID=2812525#2812525

• Applet signed w/ self-signed cert - different behavior w/ different servers

  Folks,
  I'd really appreciate your help with the following.
  I'd like to deploy an applet as a signed jar. Probably at least in the beginning, and maybe indefinitely, I'd like to sign it with a self-signed cert. When I've tested this under Linux, loading the applet in a browser running on my desktop, from an apache2 webserver also running on the desktop, I get the expected behavior - I get a security dialog reporting that the applet was signed by an unrecognized CA, but allowing me to accept the applet's signature. However, when I try loading the applet from my server (i.e, browser still running on my desktop, but now loading the applet from the real webserver, which is also apache2), I don't get a security dialog, and the applet fails silently.
  Is there some way of configuring the webserver so that the security dialog is presented for a self-signed applet? What explains this difference?
  Thanks much,
  Matthew Fleming
  DermVision, LLC

  policy files or Runtime Parameters could change the default behavior.
  The java.policy could have a line like this:
  permission java.lang.RuntimePermission "usePolicy";
  A full trace might show you what's going wrong.
  To turn the full trace on (windows) you can start the java console, to be found here:
  C:\Program Files\Java\j2re1.4...\bin\jpicpl32.exe
  In the advanced tab you can fill in something for runtime parameters fill in this:
  -Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect
  if you cannot start the java console check here:
  C:\Documents and Settings\userName\Application Data\Sun\Java\Deployment\deployment.properties
  I think for linux this is somewhere in youruserdir/java (hidden directory)
  add or change the following line:
  javaplugin.jre.params=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect
  for 1.5:
  deployment.javapi.jre.1.5.0.args=Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect
  The trace is here:
  C:\Documents and Settings\your user\Application Data\Sun\Java\Deployment\log\plugin...log
  I think for linux this is somewhere in youruserdir/java (hidden directory)

• Activate SSL with OpenSSL Self-Signed Cert

  Dear Expert,
  Anyone can give me guidance on how to activate and create ssl cert in Java IM using openssl self-signed cert.
  thanks

  Here how I make it work. Some of the tips is from jay in this forum
  Instant Messaging with SSL
  Let say I have Messaging, Directory, IM server in 1 box.
  Let's create a cert
  # cd /etc/opt/SUNWiim/default/config/
  a) Sun [TM] ONE Messaging Server 6.1 and Sun [TM] ONE Directory Server 5.2 were installed from JES2 on the same box
  b) The server_root directory for Directory Server is the default: /var/opt/mps/serverroot
  c) The server_root directory for Messaging Server is also the default: /opt/SUNWmsgsr
  1. Login to the console and do a Certificate Request
  a) cd /var/opt/mps/serverroot
  b) ./startconsole &
  c) Login to the main console as "cn=Directory Manager"
  d) Select and open the "Messaging Server" console
  e) Highlight the tab called "Tasks" at the top
  f) Select "Manage Certificates"
  g) Console will ask for a password for the security database. Please enter a password twice and make sure that you remember it. This will create the following two files under "/var/opt/mps/serverroot/alias" directory:
  -rw------- 1 mailsrv other 65536 Aug 12 13:57 msg-config-cert8.db
  -rw------- 1 mailsrv other 32768 Aug 12 13:57 msg-config-key3.db
  NOTE: Please make sure that:
  - either the owner of the files is the messaging server user ( mailsrv in this case ),
  -or the permission is appropriate for the mail server user to at least read it.
  h) Once you reach the "Manage Certificate" window, please make a "Certificate Request" by filing up the appropriate questions
  i) Once you are done, you get a CSR , which looks something like this:
  -----BEGIN NEW CERTIFICATE REQUEST-----
  MIIBszCCARwCAQAwczELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWE x
  DzANBgNVBAcTBm5ld2FyazEMMAoGA1UEChMDc21pMQ0wCwYDVQQLEwRhdGFjMSEw
  HwYDVQQ DExhwb3BleWUuYXRhYy5lYmF5LnN1bi5jb20wgZ8wDQYJKoZIhvcNAQEB
  BQADgY0AMIGJAoGBALF eXVTFDj/1eONPzV/dAZ0dBKdstl+u+L/DTdw1sCXXOdNG
  MzYeTUu9g/g0dXL/bniF31M0OkoW+6O 5mshySv/KXS9QcoPngSKS6wuL8kNlYKQR
  Dw97WCS1uaqubAK/kir4hDmL7X9Rf29EFHDSFOWjeOJ /M7aqFWCfR5sTeSIFAgMB
  AAGgADANBgkqhkiG9w0BAQQFAAOBgQCeYwptiL/j7Bcs0DtGYiOlMMs utezF1COC
  4+wHt/p+LtQkvQWBoXisqN6YlGfZPXOCdUyA+RwU7BxjX9IQLP+9HLHfQyLzvCKb
  boKKpjIc8Ci+tmibM5QkgTxu4L7yeCR/PiplgVPttHNT2Qr9cxHLLBvIO6N1GOE8
  VBoq0pC5SA= =
  -----END NEW CERTIFICATE REQUEST-----
  Please maintain and preserve this CSR , since you will be sending it to the Certificate Authority ( CA ) so they can issue you a Certificate
  # openssl genrsa -des3 -out ca.key 4096
  # openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
  # openssl x509 -req -days 3650 -in file.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server-cert.crt
  # cp -p /var/opt/mps/serverroot/alias/msg-config-key3.db key3.db
  # cp -p /var/opt/mps/serverroot/alias/msg-config-cert8.db cert8.db
  # cp -p /var/opt/mps/serverroot/alias/secmod.db .
  # cat sslpassword.conf
  Internal (Software) Token:password
  # cat /etc/opt/SUNWiim/default/config/iim.conf
  iim.comm.modules = "iim_server,iim_mux,iim_wd"
  iim.smtpserver = "www.esuria.com.bn"
  iim.instancedir = "/opt/SUNWiim"
  iim.instancevardir = "/var/opt/SUNWiim/default"
  iim.user = "root"
  iim.group = "root"
  iim.config.version = "1.1"
  iim_ldap.host = "www.esuria.com.bn:389"
  iim_ldap.searchbase = "o=esuria.com.bn,dc=esuria,dc=com,dc=bn"
  iim_ldap.loginfilter = "(&(objectclass=inetorgperson)(uid={0}))"
  iim_ldap.usergroupbyidsearchfilter = "(|(&(objectclass=groupofuniquenames)(dn={0
  }))(&(objectclass=inetorgperson)(uid={0})))"
  iim_ldap.usergroupbynamesearchfilter = "(|(&(objectclass=groupofuniquenames)(cn=
  {0}))(&(objectclass=inetorgperson)(cn={0})))"
  iim_ldap.allowwildcardinuid = "False"
  iim_ldap.userclass = "inetOrgPerson"
  iim_ldap.groupclass = "groupOfUniqueNames"
  iim_ldap.groupbrowsefilter = "(objectclass=groupofuniquenames)"
  iim_ldap.searchlimit = "40"
  iim_ldap.userdisplay = "cn"
  iim_ldap.groupdisplay = "cn"
  iim_ldap.useruidattr = "uid"
  iim_ldap.groupmemberattr = "uniquemember"
  iim_ldap.usermailattr = "mail"
  iim_ldap.resynctime = "720"
  iim_ldap.usergroupbinddn = "cn=Directory Manager"
  iim_ldap.usergroupbindcred = "password"
  iim_ldap.useidentityadmin = "false"
  iim.log.iim_server.severity = "INFO"
  iim.log.iim_mux.severity = "ERROR"
  iim.log.iim_wd.severity = "ERROR"
  iim_server.domainname = "esuria.com.bn"
  iim_server.useport = "True"
  iim_server.port = "5269"
  iim_server.usesslport = "False"
  iim_server.sslport = "5223"
  iim_server.enable = "True"
  iim_server.clienttimeout = "15"
  iim_server.usesso = "0"
  iim.policy.modules = "iim_ldap"
  iim.userprops.store = "file"
  iim_mux.listenport = "www.esuria.com.bn:5222"
  iim_mux.serverport = "www.esuria.com.bn:45222"
  iim_mux.enable = "true"
  iim_mux.numinstances = "2"
  iim_mux.maxthreads = "10"
  iim_mux.maxsessions = "1000"
  iim_mux.usessl = "on"
  iim_mux.secconfigdir = "/etc/opt/SUNWiim/default/config"
  iim_mux.keydbprefix =
  iim_mux.certdbprefix =
  iim_mux.secmodfile = "secmod.db"
  iim_mux.certnickname = "server-cert"
  iim_mux.keystorepasswordfile = "sslpassword.conf"
  iim_wd.enable = "true"
  iim_wd.period = "300"
  iim_wd.maxRetries = "10"
  -open http://www.esuria.com.bn/im/en/im.jnlp
  -click More Detail and enable Use SSL

• Generating Self Signed Certificate for iPlanet Directory Server for testing

  Hi Experts,
  I am unable to find how to generate self signed certificate for iPlanet Directory Server for testing purpose. Actually what i mean is i want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for Secured LDAP Authentication. For this purpose How to create a Dummy Certificate to enable iPlanet Directory Server SSL. I searched in google but no help. Please provide me the solution how to test it.
  Thanks in Advance,
  Kalyan

  Here's one I did earlier.
  Refers to Solaris 10
  SSL Security
  add a new certificate that lasts for ten years (120 months).
  stop the instance:
  dsadm stop <instance>
  Remove DS from smf control:
  dsadm disable-service <instance>
  Change Certificate Database Password:
  dsadm set-flags <instance> cert-pwd-prompt=on
       Choose the new certificate database password:
       Confirm the new certificate database password:
  Certificate database password successfully updated.
  Restart the instance from the dscc:
  DSCC -> start <instance>
  Now add a new Certificate which lasts for ten years (120 months; -v 120):
  `cd <instance_path>`
  `certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" �n testcert �v 120 -t T,, -x`
       Enter Password or Pin for "NSS Certificate DB":
  Stop the Instance.
  On the DSCC Security -> Certificates tab:
       select option to "Do not Prompt for Password"
  Restart the instance.
  On the Security -> General tab, select the new certificate to use for ssl encryption
  Restart the instance
  Stop the instance
  Put DS back into smf control:
  dsadm enable-service <instance>
  Check the smf:
  svcs -a | grep ds
  # svcs -a|grep ds
  disabled Aug_16 svc:/application/sun/ds:default
  online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
  online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1