How to accept certificate authority in HP PPM

Similar Messages

• How to create certificate authority and configure it for IIS

  Hi
  I Install ADCS role in Server 2012 and configure it. but when i go to IIS and want to create domain certification , the select button is grey .i think i couldn't configure certificate authority correctly. how can fix this problem.
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
    Facebook:

  Thanks my problem was solved.
  But there is a problem after install IIS and ADCS , i restarted both server but didn't work ,but now(6 hours after restart) it work fine.
  another Question is after i select appropriate certificate authority ,when i click on finish it gives me the following error 
  "the certificate request was submitted to the online authority but was not issued the request was denied"
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
  Facebook:

• How move Oracle Certificate Authority on other server

  Hello!!!
  I am planning move Oracle Certificate Authority
  to another host with certificates and so on.
  Can you help me, I cannot find any documentation.

  Hi,
  You can start with some value say 40% of your physical memory allocate to SGA (SGA_TARGET) and see your database performance. Then monitor the use of SGA and then can decide on the add or reduce it. There is no direct rule for sizing it purely depends on your application behavior and amount of data and many other factors.
  This will be continuous process, you need to start with some reasonable value.
  Cheers,
  Dilipkumar Patel.

• How can I permanently accept a certificate without trusting its certificate authority?

  Hello,
  When I try to connect to a secure website for which the certificate is signed by an untrusted certificate authority, Firefox warns me, as expected.
  The problem is that I would like to add a permanent exception for this certificate, but the corresponding checkbox is disabled. Note that I do not want to add the certificate authority in my database but only the certificate of the website.
  Is there a way to allow an excpetion of this kind?

  Thanks for the suggestion, I should've mentioned I'd already tried that without success. I tried clearing everything in the Clear Recent History section actually but the certificate is still remembered.
  I've also just now tried deleting the certificates completely but not even that works - a little concerning. (:

• How do I set up my own certificate authority

  I tried google on the above question, and the most recent thing I found was 7 years old. replacing the phrase used generates a lot of hits with a very poor signal to noise ratio.
  I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).
  I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.
  At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other opensource software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?
  If you know of an URL where this is well explained and illustrated, great. Give that to me.
  Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).
  Any assistance would be appreciated.
  Thanks,
  Ted
  ========failed attempt=====================
  # Generation of Certificate Authority(CA)
  openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
  # Create server request and key
  openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf
  # Remove the passphrase from the key
  openssl rsa -in server-key.pem -out server-key.pem
  # Sign server cert
  openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf
  # Create client request and key
  openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf
  # Remove a passphrase from the key
  openssl rsa -in client-key.pem -out client-key.pem
  # Sign client cert
  openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf

  The following works for me:
  NB: Some of the output has been removed in the interests of privacy (this will not affect the outcome)
  1. Create CA key and certificate
  1.1 Create a new file called "serial" containing the value "01".
  1.2 Create an empty file "index.txt"
  1.3 Create a subdirectory "newcerts"
  1.4 Execute.... create a key for your CA
  [ben@localhost ca]$ openssl genrsa -out ca.key 2048
  Generating RSA private key, 2048 bit long modulus
  .....................................+++
  ..........................................................+++
  e is 65537 (0x10001)
  1.5 Execute... create a certificate for your own CA
  [ben@localhost ca]$ openssl req -config ./openssl.cnf -new -x509 -key ca.key -out cacert.pem -days 365
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  Country Name (2 letter code) [GB]:
  County or State (full name) []:
  City or town (eg, Hitchin) []:
  Organization Name (eg, company) []:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:
  Email Address []:
  2. Create PK key and .csr
  2.1 Execute...
  [ben@localhost ca]$ keytool -genkey -alias PK
  Enter keystore password: password
  What is your first and last name?
  [Unknown]:
  What is the name of your organizational unit?
  [Unknown]:
  What is the name of your organization?
  [Unknown]:
  What is the name of your City or Locality?
  [Unknown]:
  What is the name of your State or Province?
  [Unknown]:
  What is the two-letter country code for this unit?
  [Unknown]:
  Is CN=, OU=, O=, L=, ST=, C=GB correct?
  [no]: yes
  Enter key password for <PK>
  (RETURN if same as keystore password):
  2.2 Create .csr
  [ben@localhost ca]$ keytool -certreq -alias PK -file PK.csr
  Enter keystore password: password
  3. Sign PK with CA cert
  [ben@localhost ca]$ openssl ca -config ./openssl.cnf -in PK.csr -out PK.pem -keyfile ca.key -days 365
  Using configuration from ./openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
  Serial Number: 0 (0x0)
  Validity
  Not Before: Jan 5 19:48:33 2006 GMT
  Not After : Jan 5 19:48:33 2007 GMT
  Subject:
  countryName = GB
  stateOrProvinceName =
  organizationName =
  organizationalUnitName =
  commonName =
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
  D6:2D:7E:71:77:9E:1A:BB:54:69:98:63:6A:6A:E2:BA:12:C4:D7:DD
  X509v3 Authority Key Identifier:
  keyid:92:7C:33:7C:EC:1D:76:C5:B8:F0:30:6D:10:12:40:E5:E7:EA:24:31
  DirName:/C=GB/ST=/L=/O=/OU=/CN=/emailAddress=
  serial:F0:D1:38:36:65:6D:71:D5
  Certificate is to be certified until Jan 5 19:48:33 2007 GMT (365 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  4. Convert PK certificate into DER format
  [ben@localhost ca]$ openssl x509 -in PK.pem -out PK.der -outform DER
  5. Import CA certificate into keystores
  [ben@localhost ca]$ keytool -import -alias ca -file cacert.pem
  Enter keystore password: password
  Owner: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
  Issuer: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
  Serial number: f0d13836656d71d5
  Valid from: Thu Jan 05 19:41:09 GMT 2006 until: Fri Jan 05 19:41:09 GMT 2007
  Certificate fingerprints:
  MD5: AF:3D:8E:25:12:24:04:1F:40:70:BC:A0:9E:0E:44:84
  SHA1: B8:E8:0B:A5:86:33:21:0C:B5:3C:6E:F2:DE:7B:31:0F:59:AE:21:E4
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  6. Import signed PK into keystore
  [ben@localhost ca]$ keytool -import -alias pk -file PK.der
  Enter keystore password: password
  Certificate reply was installed in keystore
  REF:
  http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm
  http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca
  http://www.openssl.org/docs/apps/ca.html#
  openssl.cnf:#
  # OpenSSL example configuration file.
  # This is mostly being used for generation of certificate requests.
  # This definition stops the following lines choking if HOME isn't
  # defined.
  HOME               = .
  RANDFILE          = $ENV::HOME/.rnd
  # Extra OBJECT IDENTIFIER info:
  #oid_file          = $ENV::HOME/.oid
  oid_section          = new_oids
  # To use this configuration file with the "-extfile" option of the
  # "openssl x509" utility, name here the section containing the
  # X.509v3 extensions to use:
  # extensions          =
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  [ new_oids ]
  # We can add new OIDs in here for use by 'ca' and 'req'.
  # Add a simple OID like this:
  # testoid1=1.2.3.4
  # Or use config file substitution like this:
  # testoid2=${testoid1}.5.6
  [ ca ]
  default_ca     = CA_default          # The default ca section
  [ CA_default ]
  dir          = .               # Where everything is kept
  certs          = $dir/certs          # Where the issued certs are kept
  crl_dir          = $dir/crl          # Where the issued crl are kept
  database     = $dir/index.txt     # database index file.
  #unique_subject     = no               # Set to 'no' to allow creation of
                           # several ctificates with same subject.
  new_certs_dir     = $dir/newcerts          # default place for new certs.
  certificate     = $dir/cacert.pem      # The CA certificate
  serial          = $dir/serial           # The current serial number
  #crlnumber     = $dir/crlnumber     # the current crl number must be
                           # commented out to leave a V1 CRL
  crl          = $dir/crl.pem           # The current CRL
  private_key     = $dir/private/cakey.pem# The private key
  RANDFILE     = $dir/private/.rand     # private random number file
  x509_extensions     = usr_cert          # The extentions to add to the cert
  # Comment out the following two lines for the "traditional"
  # (and highly broken) format.
  name_opt      = ca_default          # Subject Name options
  cert_opt      = ca_default          # Certificate field options
  # Extension copying option: use with caution.
  # copy_extensions = copy
  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  # so this is commented out by default to leave a V1 CRL.
  # crlnumber must also be commented out to leave a V1 CRL.
  # crl_extensions     = crl_ext
  default_days     = 365               # how long to certify for
  default_crl_days= 30               # how long before next CRL
  default_md     = md5               # which md to use.
  preserve     = no               # keep passed DN ordering
  # A few difference way of specifying how similar the request should look
  # For type CA, the listed attributes must be the same, and the optional
  # and supplied fields are just that :-)
  policy          = policy_match
  # For the CA policy
  [ policy_match ]
  countryName          = match
  stateOrProvinceName     = match
  organizationName     = match
  organizationalUnitName     = optional
  commonName          = supplied
  emailAddress          = optional
  # For the 'anything' policy
  # At this point in time, you must list all acceptable 'object'
  # types.
  [ policy_anything ]
  countryName          = optional
  stateOrProvinceName     = optional
  localityName          = optional
  organizationName     = optional
  organizationalUnitName     = optional
  commonName          = supplied
  emailAddress          = optional
  [ req ]
  default_bits          = 1024
  default_keyfile      = privkey.pem
  distinguished_name     = req_distinguished_name
  attributes          = req_attributes
  x509_extensions     = v3_ca     # The extentions to add to the self signed cert
  # Passwords for private keys if not present they will be prompted for
  # input_password = secret
  # output_password = secret
  # This sets a mask for permitted string types. There are several options.
  # default: PrintableString, T61String, BMPString.
  # pkix      : PrintableString, BMPString.
  # utf8only: only UTF8Strings.
  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  # MASK:XXXX a literal mask value.
  # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  # so use this option with caution!
  # we use PrintableString+UTF8String mask so if pure ASCII texts are used
  # the resulting certificates are compatible with Netscape
  string_mask = MASK:0x2002
  # req_extensions = v3_req # The extensions to add to a certificate request
  [ req_distinguished_name ]
  countryName               = Country Name (2 letter code)
  countryName_default          = GB
  countryName_min               = 2
  countryName_max               = 2
  stateOrProvinceName          = County or State (full name)
  stateOrProvinceName_default     =
  localityName               = City or town (eg, Hitchin)
  localityName_default          =
  0.organizationName          = Organization Name (eg, company)
  0.organizationName_default     =
  # we can do this but it is not needed normally :-)
  #1.organizationName          = Second Organization Name (eg, company)
  #1.organizationName_default     = World Wide Web Pty Ltd
  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default     =
  commonName               = Common Name (eg, your name or your server\'s hostname)
  commonName_max               = 64
  emailAddress               = Email Address
  emailAddress_max          = 64
  # SET-ex3               = SET extension number 3
  [ req_attributes ]
  challengePassword          = A challenge password
  challengePassword_min          = 4
  challengePassword_max          = 20
  unstructuredName          = An optional company name
  [ usr_cert ]
  # These extensions are added when 'ca' signs a request.
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  basicConstraints=CA:FALSE
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
  # This is OK for an SSL server.
  # nsCertType               = server
  # For an object signing certificate this would be used.
  # nsCertType = objsign
  # For normal client use this is typical
  # nsCertType = client, email
  # and for everything including object signing:
  # nsCertType = client, email, objsign
  # This is typical in keyUsage for a client certificate.
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  # This will be displayed in Netscape's comment listbox.
  nsComment               = "OpenSSL Generated Certificate"
  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer:always
  # This stuff is for subjectAltName and issuerAltname.
  # Import the email address.
  # subjectAltName=email:copy
  # An alternative to produce certificates that aren't
  # deprecated according to PKIX.
  # subjectAltName=email:move
  # Copy subject details
  # issuerAltName=issuer:copy
  #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
  #nsBaseUrl
  #nsRevocationUrl
  #nsRenewalUrl
  #nsCaPolicyUrl
  #nsSslServerName
  [ v3_req ]
  # Extensions to add to a certificate request
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  [ v3_ca ]
  # Extensions for a typical CA
  # PKIX recommendation.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  # This is what PKIX recommends but some broken software chokes on critical
  # extensions.
  #basicConstraints = critical,CA:true
  # So we do this instead.
  basicConstraints = CA:true
  # Key usage: this is typical for a CA certificate. However since it will
  # prevent it being used as an test self-signed certificate it is best
  # left out by default.
  # keyUsage = cRLSign, keyCertSign
  # Some might want this also
  # nsCertType = sslCA, emailCA
  # Include email address in subject alt name: another PKIX recommendation
  # subjectAltName=email:copy
  # Copy issuer details
  # issuerAltName=issuer:copy
  # DER hex encoding of an extension: beware experts only!
  # obj=DER:02:03
  # Where 'obj' is a standard or added object
  # You can even override a supported extension:
  # basicConstraints= critical, DER:30:03:01:01:FF
  [ crl_ext ]
  # CRL extensions.
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  # issuerAltName=issuer:copy
  authorityKeyIdentifier=keyid:always,issuer:always

• How to filter certificate templates in Certificate Authority snap-in with the correct values

  How to filter certificate templates in Certificate Authority snap-in with the correct values
  I have a 2012 R2 server running Microsoft Certificate Authority snap-in.
  I want to do a filter on a specific Certificate Template which i know exists in the 'Issued Certificates' folder.
  All the documentation i can find seems to suggest i copy the certificate name and use this in the View Filter.
  1). I add the 'Certificate Template' option into the Field drop-down.
  2). I leave the Operation as the '=' symbol
  3). I paste in just the name of the template in question. for example: 'my computers'
  The search results always come back blank 'There are no items to show in this view.' even when i know there are many instances of this template. I've tried on a win 2008 server and same issue.
  Is there a correct value to enter for the Certificate Template name?
  Can this be done easier using certutil commands?
  When i run the certutil tool i can confirm i have several issued templates. Certutil -catemplates -v > c:\mytemplate_log.csv
  Anybody know what i'm doing wrong?
  I seem to be getting nowhere with this one.

  > But its important you are using the template name, not the display name
  this is incorrect. OIDs are mapped to *display name*, not common name (it is true for all templates except Machine template). That is, in order to translate template name to a corresponding OID, you need to use certificate template's display name. And, IIRC,
  template name in the filter can be used only for V1 templates. For V2 and higher, OID must be used.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• How to import a Root Certificate Authority for signing

  How can I import a Root Certificate Authority in order to use it with Certificate Assistant as a CA to sign other certs?
  I have the CA cert imported in keychain along with it's associated private key (from a .p12), it's got the gold icon and is recognized as a Root certificate authority, yet Certificate Assistant will not list it as an available Root CA in the "Set Default CA" action dialog, the "Add..." dialog seems only interested in a ".certAuthorityConfig" plist file.
  Do I have to generate a certAuthorityConfig for the CA? I can't seem to find a way to do that. No clues from certtool & security CLI utils even.
  Any info/leads on how to get this to work would be much appreciated.
  Regards,
  -david

  Hi Alex,
  From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
  Thanks,
  Olivier

• How to find/replace existing certificates before decommissioning certificate authority?

  We plan to decommission a multi-use server that also contains our internal certificate authority and replace it with new dedicated CA servers in a more secure design (offline root CA etc.).
  Before we decommission our existing CA servers, how do we find a list of all the issued certificates that are still valid?
  We would need replace all those old certificates with new certificates from our new CA so the applications that use them don't break when the old certificates are removed/revoked and before we remove the GPO setting that makes our current CA a trusted root
  CA for our domain computers. 

  on CA server you can filter issued certificates by "Certificate Expiration Date" column. In the Certification Authority MMC snap-in, select Issued Certificates folder, then click View -> Filter. Add a filter that would filter certificates
  where "Certificate Expiration Date" is greater than current date.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• How to load the certificate authority into the keystore for the weblogic8.1

  how to load the certificate authority into the keystore for the weblogic8.1
  ==================================================
  Getting the message below when trying to improt the certificate to the weblogic 8.1 web server. Received this certificate from our internal IT certificate authority. Trying to import the certificate to our test sytem.
  ===================================================
  keytool error: java.lang.Exception: Failed to establish chain from reply
  Import failed. Verify that the Certificate Authority that signed 'certi.pem'
  has been loaded into your keystore 'keystore\pskey'
  To view keystore contents issue 'PSkeymanager -list -keystore keystore\pskey [-v
  To preview a certificate file issue 'PSkeymanager -previewfilecert -file certi.pem'

  You need to populate that field using cmod code. Find out from which table that field is and go to transaction cmod then enter project name and select component radio button then display.
  Now select the FM EXIT_SAPLRSAP_001  if your datasource is transactional dataource
  EXIT_SAPLRSAP_002 for master data attibute
  EXIT_SAPLRSAP_003 for Hierarchies
  EXIT_SAPLRSAP_004 for text
  then populate code .
  After your code then delete data from ods then reinit to populate the enhanced field.
  Hope it helps..

• Certificate Authority - How to issue Certificates without extensions?

  We are operating a Windows 2012 Server PKI with an Enterprise Subordinate Certificate Authority that is issuing Certificates through an AD Certificate Template, however  there are certain certificate extensions that need
  to be excluded.
  We are following the procedure defined in ;
  http: //blogs.technet.com/b/pki/archive/2007/01/03/how-to-exclude-the-certificate-template-name-from-certificates-to-be-issued.aspx
  certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
  certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
  net stop certsvc
  net start certsvc
  This does not have any effect as issued certificates continue to have the extensions in them after the change.

  Can you confirm that this command contains EDITF_DISABLEEXTENSIONLIST flag enabled:
  certutil -getreg policy\editflags
  if not, then you should enable it:
  certutil -setreg policy\editflags +EDITF_DISABLEEXTENSIONLIST
  and restart CA service.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• How do I recover accidentally deleted Certificate Authority?

  Hi,
  Running Firefox 5 on Ubuntu 10.10 and while troubleshooting some other issues, I believe I have deleted a Certificate Authority accidentally. Because of this I cannot securely access Facebook or any https Google sites. I can, however, access Bank of America and other https sites no problem.
  Also, I can access these sites in Chrome without issue (but I prefer Firefox).
  I'm looking for a way to recreate or repopulate the CAs. I tried uninstalling/reinstalling Firefox but that didn't seem to work. I'm at the point where I feel like I'll have to reinstall the OS, but I don't want to get to that point if at all possible.
  Any ideas much appreciated.
  Regards,
  Joe

  Thanks for your helpful information! I think you just solved a similar problem I've been having for quite awhile.

• How do I permanently remove a built-in certificate authority?

  Firefox added CNNIC as certificate authority which, IMHO, is untrustworthy (it's from the People's Republic of China.) I would like to be able to permanently remove the built-in CNNIC along with some other authorities which I do not trust but deleting it through the options menu doesn't do it.
  This also applies to Thunderbird.

  I agree with you and now that man-in-the-middle attacks have been confirmed using fraudulent certificates, I think it is time to have a better system for checking for good and valid certificates. I also do not think that it is necessary or even good to have certificates from all over the world on your network especially from countries that are your competitors. A system must be established for certificates and administrators should be able to remove certificates that they are not comfortable with on their networks with ease and not have them attempt to come back. Finally, I wonder why we need so many certificates because for those of you who remember back in Windows 98 Second Edition there were only a small amount of certificates, less surface area to hack because there were not as many provided services. Nowadays, computers have become too complex and it is necessary to start giving power back to the administrators to easily remove unneeded services and unneeded certificates and unneeded junk that is slowing down their systems and resulting in vulnerabilities such as allowing for SQL injections in systems that are thought to be safe.
  http://www.computerworld.com/s/article/9215723/Hacker_breaks_into_Barracuda_Networks_database?taxonomyId=17
  http://www.computerworld.com/s/article/9215809/Hackers_gain_root_access_to_WordPress_servers?taxonomyId=17

• Untrusted server cert chain & does not recognize the certificate authority

  I have java code that makes an ssl connection to an HTTPS server.
  The code workes fine when I connect to a server that has a
  certificate that was issued by a recognizable authority.
  But when I try to connect to our test HTTPS server which has a
  certificate that was created by ourselves for debug, I get this
  java exception: "untrusted server cert chain".
  When I connect to our test HTTPS server with a browser, I get
  this message from the browser in a popup window:
  "www.xyz.com is a web site that uses a security certifcate to
  identify itself. However netscape 6 does not recognize the
  certificate authority that issued this certificate."
  At this point I am able to accept the certificate in the popup
  window and continue.
  Question: In my java code how can I accept a certificate
  that was signed by an unrecognizable authority just like the
  browser can. Or during debug, how can I set an override
  to accept ALL certs no matter what.
  Thanks.....Paul

  You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
  keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
  The keystore password is 'changeit' by default, keytool comes with the JDK.
  The reasoning behind this is to prevent the misuse of test certificates, the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
  Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
  Ronny.

• Certificate authority is not installed

  Hi
  SBS 2011 std.
  In Fix My Network wizard I am getting 'certificate authority is not installed' and the wizard is unable to fix the problem. I have checked and Active Directory Certificate Services is installed under Roles.
  How can I fix this please?
  Thanks
  Regards

  Hi,
  Looks like a corrupt package, please follow
  Uninstall the CA server role
  1. On the server that is running SBS 2011 Essentials, click  Start , point to Administrative Tools , and then click Server Manager .
  2. Right-click Roles , and then select Remove Roles .
  3. On the Before You Begin page, click Next .
  4. Click to clear the Active Directory Certificate Services check box, and then click Next .
  5. On the Confirm Removal Selections page, click Remove .
  6. Click Close , and then restart the server.
  7. After the server restarts, click Close when you are prompted by a message that reads
  Removal Succeeded.
  Reinstall the CA server role
  1. On the server, click Start , point to Administrative Tools , and then click Server Manager .
  2. In the Roles Summary section, click Add Roles .
  3. On the Before You Begin page, click Next .
  4. On the Server Roles page, select Active Directory Certificate Services , and then click Next .
  5. On the Introduction to Active Directory Certificate Services page, click Next .
  6. On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment , and then click Next .
  7. On the Specify Setup Type page, select Standalone , and then click Next .
  8. On the Specify CA Type page, select Root CA , and then click Next .
  9. On the Set Up Private Key page, select Use existing private key , select Select a certificate and use its associated private key option, and then click Next .
  10. On the Select Existing Certificate page, select the <Server_Name> -CA certificate, and then click Next .
  Note In this certificate name item, < Server_Name> is the name of the destination server.
  11. On the Configure Certificate Database page, accept the default locations, and then click Next .
  12. Confirm your selections, and then click Install .
  13. When the wizard is finished, click Close , and then restart the server.
  14. At an elevated command prompt, run the following commands:
  • CertUtil -setreg CA\ValidityPeriod Years
  • CertUtil -setreg CA\ValidityPeriodUnits 30
  Verify the installation
  1. Click Start , point to Administrative Tools , and then click Certification Authority .
  2. Right-click the server name, and then click Properties .
  3. Click the Extensions tab.
  4. In the list that is displayed, click <a href="http:///CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl">http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl .
  5. Make sure that the following options are selected:
  • Include in CRLs. Clients use this to find the Delta CRL location .
  • Include in the CDP extension of issued certificates .
  6. Click OK to save your changes.
  7. When you are asked to restart Active Directory Certificate Services, click Yes .
  8. Close the Certification Authority screen.
  Add the server and the clients to the Dashboard
  1. Locate the following folder: C:\Program Files\Windows Server\Bin\ .
  2. Right-click the Wsspowershell.exe file, and then click Run As Administrator .
  Note A new window that runs PowerShell opens.
  3. In the PowerShell windows, type Add-WssLocalMachinecert .
  4. Rerun the connector installation on all client computers. For more information about how to install the client connector, see How do I connect compu
  Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• SUN Java System Web Server 7.0U1 How to install certificate chain

  I am trying to install a certificate chain using the SUN Java Web Server 7.0U1 HTTPS User interface. What I have tried so far:
  1. Created a single file using vi editor containing the four certificates in the chain by cutting an pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pem
  2. Go to Certificates Tab/Server Certificates
  3. Choose Install
  4. Cut and paste contents of cert_chain.pem in the certificate data box.
  5. Assign to httplistener
  6. Nickname for this chain is 'server_cert'
  7. Select httplistener and assign server_cert (for some reason, this is not automatically done after doing step 5).
  8. No errors are received.
  When I display server_cert (by clicking on it), only the first certificate of the chain is displayed and only that cert is provided to the client during the SSL handshake.
  I tried to do the same, except using the Certificate Authority Tab, since this gave the option of designating the certificate as a CA or chain during installation. When I select ed "chain," I get the same results when I review the certificate (only the first cert in the file is displayed). This tells me that entering the chain in PEM format is not acceptable. I tried this method since it worked fine with the F5 BIG-IP SSL appliance.
  My question is what format/tool do I need to use to create a certificate chain that the Web Server will accept?

  turrie wrote:
  1. Created a single file using vi editor containing the four certificates in the chain by cutting an pasting each certificate (Begin Certificate ... End Certificate) where the top certificate is the server cert (associated with the private key), then the CA that signed the server cert, then the next CA, then the root CA. Call this file cert_chain.pemIn my opinion (I may be wrong) cut and pasting multiple begin end
  --- BEGIN CERTIFICATE ---
  ... some data....
  --- END CERTIFICATE ---
  --- BEGIN CERTIFICATE ---
  ... some data....
  --- END CERTIFICATE ---is NOT the way to create a certificate chain.
  I have installed a certificated chain (it had 1 BEGIN CERTIFICATE and one END CERTIFICATE only and still had 2 certificates) and I used the same steps as you mentioned and it installed both the certificates.
  some links :
  [https://developer.mozilla.org/en/NSS_Certificate_Download_Specification|https://developer.mozilla.org/en/NSS_Certificate_Download_Specification]
  [https://wiki.mozilla.org/CA:Certificate_Download_Specification|https://wiki.mozilla.org/CA:Certificate_Download_Specification]