How to Generate a Proper Self Signed Certificate for RV180W

Right now the Self-signed Certificate on my RV180W generates errors as it was issued to the MAC address instead of the current IP address. Could someone please provide me insrtucions on Generating a Self-Signed certificate (or 1 from my Windows Server 2012 Certification Authority) that will eliminate the constant barreage of certificate errors I get when trying to access the management interface of my device? the internal domain is mythos.local, netbios name of MYTHOS, and the device name in question is surtur.
Thanks in advance,
Robert Hessenauer

Anybody? It is unlike everyo9ne to ignore a post without comment for 9 days.
Not complaining (woll maybe just a bit)
Robert Hessenauer

Similar Messages

Self Signed Certificate for Web Proxy 4.0.2

Does anyone have instructions on how to create and install self signed Certificate for Web Proxy Server 4.0.2? My OS is RHEL 4.
Shed.

Unfortunately you will not be able to do that from the GUI.
You will have to use certutil frin proxy-install/bin/proxy/admin/bin/certutil
Make sure that your LD_LIBRARY_PATH includes proxy-install/bin/proxy/lib
(start -shell will give you a shell with all necessary paths set.)
create a file called password-file which contains your password to your cert database
your cert database resides in the alias directory of proxy installation.
certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234
-f password-file -d certdir

RV120W- How to create new unique self-signed certificate?

Hello,
how to create new unique self-signed certificate on RV120W? I can create request for singning by external CA, but I cannot create new unique self-signed certificate itself. Any idea? Did I miss something? Many thanks!
Abudef

So basically RV120W does not support self-signed certificate? It only allows to generate private key and certificate signin request. There is no chance to replace default generic ssl/vpn certifice within router itself? Could you please give me an advice, how to sign that request by some "CA"? I mean no commercial CA, I need something free running under Windows os. Many thanks!

Generating Self Signed Certificate for iPlanet Directory Server for testing

Hi Experts,
I am unable to find how to generate self signed certificate for iPlanet Directory Server for testing purpose. Actually what i mean is i want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for Secured LDAP Authentication. For this purpose How to create a Dummy Certificate to enable iPlanet Directory Server SSL. I searched in google but no help. Please provide me the solution how to test it.
Thanks in Advance,
Kalyan

Here's one I did earlier.
Refers to Solaris 10
SSL Security
add a new certificate that lasts for ten years (120 months).
stop the instance:
dsadm stop <instance>
Remove DS from smf control:
dsadm disable-service <instance>
Change Certificate Database Password:
dsadm set-flags <instance> cert-pwd-prompt=on
     Choose the new certificate database password:
     Confirm the new certificate database password:
Certificate database password successfully updated.
Restart the instance from the dscc:
DSCC -> start <instance>
Now add a new Certificate which lasts for ten years (120 months; -v 120):
`cd <instance_path>`
`certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" �n testcert �v 120 -t T,, -x`
     Enter Password or Pin for "NSS Certificate DB":
Stop the Instance.
On the DSCC Security -> Certificates tab:
     select option to "Do not Prompt for Password"
Restart the instance.
On the Security -> General tab, select the new certificate to use for ssl encryption
Restart the instance
Stop the instance
Put DS back into smf control:
dsadm enable-service <instance>
Check the smf:
svcs -a | grep ds
# svcs -a|grep ds
disabled Aug_16 svc:/application/sun/ds:default
online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1

How to replace self-signed certificate for enterprise manager console

Does anyone know how to change self-signed certificate for https access to Enterprise Manager console, which is issued during installation of Oracle 11g?

Well, this might not be much help, but for 10g, on AIX, docID 1171558.1 describes how to create a new certificate.
Not sure how relevant it will be for 11g, sorry :(

Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
on this computer" and un-checked "Use simple certificate selection".
My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
drop down.
Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
TIA,
-Rick

Hi Rick,
Thank you for your patience.
According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

SCCM 2012 has been successfully installed on the server:
SRVSCCM.
The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
The cluster service is running on the account: sqlclusteruser
The account has the appropriate SPN are registered:
setspn -L domain\sqlclusteruser
Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
MSSQLSvc/CLS-SQL4
MSSQLSvc/CLS-SQL4.domain.local
MSSQLSvc/CLS-SQL4:11434
MSSQLSvc/CLS-SQL4.domain.local:11434
After some time on the cluster hosts every day started appearing new folders with files inside:
srvboot.exe
srvboot.ini
srvboot.log
srvboot.log contains the following information:
SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
Copyright (C) 2011 Microsoft Corp.
Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
Failed to retrieve SQL Server service account.
Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
Disconnecting from Site Server.
SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
Without successfull bootstrap the siteserver backup is not able to run successfully.
Try grant everyone the read permisson on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
This worked for me.
After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

How to successfully import ASA self-signed certificate?

On ASA 9.1 i am trying to export an Identity certificate, self-signed certificate into p12 file so i can import it into laptop and used it for secure connection to ASA over ASDM. I can add certificate OK using ASDM, certificate show up OK in Certificate management/dentity certificate. Exported certificate into .p12 file with passphrase OK.
In Win XP and Windows 7 every time i try to import certificate i got message that password is incorrect. Yes, i did type correct password.
Even thru cli i got the same error when trying to import the file.
ASA(config)# crypto ca export ASDM_TRUSTPOINT pkcs12 password
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIHPwIBAzCCBvkGCSqGSIb3DQEHAaCCBuoEggbmMIIG4jCCBt4GCSqGSIb3DQEH
BqCCBs8wggbLAgEAMIIGxAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQItd0L
7e5QezkgxXzmCJKpv3GqQV5/tfk66ySnBMCGrMzsQKBa32wzHYcSerSEePNXzudJ
Frdyc3ETMXECvO83gujQZLyJ9DfPaDy4gZHwEs9fwGqpJel/NTwUo16dtzO2Vbko
1kc8kd
-----END PKCS12-----
Any tips or tricks how to get this simple task completted? Is maybe file format not right?

Hi
Please show the error ASA is reporting during import.
It's working correctly with 9.1(0)2, example:
ASA9(config)# crypto ca trustpoint TP
ASA9(config-ca-trustpoint)# enrollment self
ASA9(config)# crypto ca enroll TP
WARNING: Trustpoint TP has already enrolled and has
a device cert issued to it.
If you successfully re-enroll this trustpoint,
the existing certificate will be replaced.
Do you want to continue with re-enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: ASA9
% Include the device serial number in the subject name? [yes/no]: yes
Generate Self-Signed Certificate? [yes/no]: yes
ASA9(config)#
ASA9(config)# crypto ca export TP pkcs12 123456
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIGHwIBAzCCBdkGCSqGSIb3DQEHAaCCBcoEggXGMIIFwjCCBb4GCSqGSIb3DQEH
BqCCBa8wggWrAgEAMIIFpAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIp8j1
+5Rh9TQCAQGAggV4DUlYOI+VlGxuCXiGnDTYx+cR5XjPca7KW7L50D5lLQQHLr+U
fV+QVEaELnQ1MKsMm87zl9AuycuI9EeOJnPTF9Ddxy32ODzaZ4/3BaXnHl2ETyzM
IohydDJCfscT0r2TPNlE8XSknDfftK+3g3Aa0Gi+Nsq1+NXxTdYcfdXpZHvD9tk0
QZInQy1UG+NhCERyOe6SIbynuCBfksk9g+rRjeNW4bTNRDpCJ1DnrtpN6BCq8VGN
QMQagUZ1ONNLaFtQegd17RxWzXUZiWQgqf0jUZnr/BJQI9bPrISkA+JnysNU3MvS
WVKKfyGQcsYD4ExH+wi6xkohKi7hj80s9cFOyq+xpXjikZw9gKMcpoY2lLs4ivIl
4x9bB3EQ3xYW5nxbORwDx5xEyYLMUNkVRvC14ts+RB2QcEAXwq2JaaNuO6aBvjhj
8mpHjXR+wkxV8Mm+UYEed2f1SuzjtZ966OPYW0YkmXGTH+wt/rxbCROAqnmh6HGz
pU4H5/yhHgBIJOd6vZaKf5XlnX17wSniM+JRw4FsArVpuNOZFeCkDsHHFP6TPYII
h2aS2jBEH2KW0KuzEP0rHOJ8WVjZgVucSu0pb+vVGw3MzsBl14CnL5kZcPe+81wJ
XnFibhkucyo9arO/kcc7OtMcAuoktGfBVb1jrX6Se/SY8GFrzYbikNuT4DI4/dw+
OinRXOX7S/Bhaefx4JSFYoL/7agD7f+kwzv7qAEyIQtjxoGgYuqY2lZVsbZL05dJ
0D3xDkSDOc9H/5M5nZqP/xwnqVMoREPvt/a+ZdGezfzApUYUH/VAU4NzST44QcvM
mdeeizpj0VwA7WdZOrMaJll927NGb1RikmtE+6ITgdiksuJVOeNWcXuq00sDAxvZ
fv7tOQxgWX0+LNKaFd1Ef7PF9KqsJLQnbC28GC9GBNExcc9Pm+Kqfq6qj7HEosHt
kPSfLFs0kkQQzq+G4xH6pzKQkG7Yt3xjLblI9IdWsCvuHLl8fgN0LHpVXPi9iftW
PqGG8f9dCymAqHKFEnZzOiCcNlKKG+ddAN7Qb4mGVBYsaeROvVWBL2aAzIDpL7Uv
8rFHsJVKk/yCruuNSDjmbbaTlYxb2iglo2MkgGsCO5X7fOPTCO3C+UikFyOi6/7c
fSyn+LE6Za76kdRn4V2FHGG767nBxFBR/bB+uzngR+w/GzIgHQahpJ2xJlKumS2M
yiy3kGYDhIN+WV6Lz91YwZpSobk1qrcn/7fzl2FFaY6+3+AgAXiOeVL7DyPHqm3N
gX1EGBzwqeN9h7BeaTJvebhrvtLDU97UnPeyyFZTiSQWZhhRjqsr5mI69NvDybkq
Db1Rx/Awnqg72RtnwOPxGNlTlRMUK7PjQNW6Kc2F7iy0byyNab9BEO6DNIN8RtXS
WyioVOdFrFXIYPYnuvoPp46remUaaI4B4428cS7YfWHP5pq0j0PUj0gZnJM7aM0c
VTHkVp2eZVSBFd9/Tv1q7+2tM5PhRE8ZCKcIIqJq2UJm4+HcIXGCgpIlfW3jL4t7
qmkfu0ClnHgmoSJBycPxTPaU38FQk2ZmYcnV2RAZxtwL51q5WhAvXi0amATF2h6h
FtcAP+Iq4Xx8s+wkcaK4I/puK0+wmMyslESWhq3RfB73BKyT9/J4FONliyAQP+4M
JKkvkMAPx7Do6fqItHhbRR4FxQXg+al21UTLZ9aaY7PGjuqMZ40JY175qPG7CJFn
bEOfHQGZjLbmqJfJByG6U5mQBoLr4XzTYPrtvErV/TrTGPK4RVATXgnQ/re7TD/G
p0klPQcDHBkbnAuMVt88Q4QlqZKAov8ofLZr8IvlKsfmPFTFpfqCQCIMa1uGo6P9
v8zGHGyvZwsOXwB1vMKAfpINCR0wPTAhMAkGBSsOAwIaBQAEFJb8DGrkwS6ApBkL
0TXZXRY3WGx3BBSBXw+QkTTFm7BL+FS1KoeOupwmowICBAA=
-----END PKCS12-----
ASA9(config)#
ASA9(config)#
ASA9(config)# no crypto ca trustpoint TP
WARNING: Removing an enrolled trustpoint will destroy all
certificates received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
ASA9(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device digital certificates issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
ASA9(config)# crypto ca trustpoint TP2
ASA9(config)# crypto ca import TP2 pkcs12 123456
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
MIIGHwIBAzCCBdkGCSqGSIb3DQEHAaCCBcoEggXGMIIFwjCCBb4GCSqGSIb3DQEH
BqCCBa8wggWrAgEAMIIFpAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIp8j1
+5Rh9TQCAQGAggV4DUlYOI+VlGxuCXiGnDTYx+cR5XjPca7KW7L50D5lLQQHLr+U
fV+QVEaELnQ1MKsMm87zl9AuycuI9EeOJnPTF9Ddxy32ODzaZ4/3BaXnHl2ETyzM
IohydDJCfscT0r2TPNlE8XSknDfftK+3g3Aa0Gi+Nsq1+NXxTdYcfdXpZHvD9tk0
QZInQy1UG+NhCERyOe6SIbynuCBfksk9g+rRjeNW4bTNRDpCJ1DnrtpN6BCq8VGN
QMQagUZ1ONNLaFtQegd17RxWzXUZiWQgqf0jUZnr/BJQI9bPrISkA+JnysNU3MvS
WVKKfyGQcsYD4ExH+wi6xkohKi7hj80s9cFOyq+xpXjikZw9gKMcpoY2lLs4ivIl
4x9bB3EQ3xYW5nxbORwDx5xEyYLMUNkVRvC14ts+RB2QcEAXwq2JaaNuO6aBvjhj
8mpHjXR+wkxV8Mm+UYEed2f1SuzjtZ966OPYW0YkmXGTH+wt/rxbCROAqnmh6HGz
pU4H5/yhHgBIJOd6vZaKf5XlnX17wSniM+JRw4FsArVpuNOZFeCkDsHHFP6TPYII
h2aS2jBEH2KW0KuzEP0rHOJ8WVjZgVucSu0pb+vVGw3MzsBl14CnL5kZcPe+81wJ
XnFibhkucyo9arO/kcc7OtMcAuoktGfBVb1jrX6Se/SY8GFrzYbikNuT4DI4/dw+
OinRXOX7S/Bhaefx4JSFYoL/7agD7f+kwzv7qAEyIQtjxoGgYuqY2lZVsbZL05dJ
0D3xDkSDOc9H/5M5nZqP/xwnqVMoREPvt/a+ZdGezfzApUYUH/VAU4NzST44QcvM
mdeeizpj0VwA7WdZOrMaJll927NGb1RikmtE+6ITgdiksuJVOeNWcXuq00sDAxvZ
fv7tOQxgWX0+LNKaFd1Ef7PF9KqsJLQnbC28GC9GBNExcc9Pm+Kqfq6qj7HEosHt
kPSfLFs0kkQQzq+G4xH6pzKQkG7Yt3xjLblI9IdWsCvuHLl8fgN0LHpVXPi9iftW
PqGG8f9dCymAqHKFEnZzOiCcNlKKG+ddAN7Qb4mGVBYsaeROvVWBL2aAzIDpL7Uv
8rFHsJVKk/yCruuNSDjmbbaTlYxb2iglo2MkgGsCO5X7fOPTCO3C+UikFyOi6/7c
fSyn+LE6Za76kdRn4V2FHGG767nBxFBR/bB+uzngR+w/GzIgHQahpJ2xJlKumS2M
yiy3kGYDhIN+WV6Lz91YwZpSobk1qrcn/7fzl2FFaY6+3+AgAXiOeVL7DyPHqm3N
gX1EGBzwqeN9h7BeaTJvebhrvtLDU97UnPeyyFZTiSQWZhhRjqsr5mI69NvDybkq
Db1Rx/Awnqg72RtnwOPxGNlTlRMUK7PjQNW6Kc2F7iy0byyNab9BEO6DNIN8RtXS
WyioVOdFrFXIYPYnuvoPp46remUaaI4B4428cS7YfWHP5pq0j0PUj0gZnJM7aM0c
VTHkVp2eZVSBFd9/Tv1q7+2tM5PhRE8ZCKcIIqJq2UJm4+HcIXGCgpIlfW3jL4t7
qmkfu0ClnHgmoSJBycPxTPaU38FQk2ZmYcnV2RAZxtwL51q5WhAvXi0amATF2h6h
FtcAP+Iq4Xx8s+wkcaK4I/puK0+wmMyslESWhq3RfB73BKyT9/J4FONliyAQP+4M
JKkvkMAPx7Do6fqItHhbRR4FxQXg+al21UTLZ9aaY7PGjuqMZ40JY175qPG7CJFn
bEOfHQGZjLbmqJfJByG6U5mQBoLr4XzTYPrtvErV/TrTGPK4RVATXgnQ/re7TD/G
p0klPQcDHBkbnAuMVt88Q4QlqZKAov8ofLZr8IvlKsfmPFTFpfqCQCIMa1uGo6P9
v8zGHGyvZwsOXwB1vMKAfpINCR0wPTAhMAkGBSsOAwIaBQAEFJb8DGrkwS6ApBkL
0TXZXRY3WGx3BBSBXw+QkTTFm7BL+FS1KoeOupwmowICBAA=
quit
INFO: Import PKCS12 operation completed successfully
ASA9(config)#
ASA9(config)# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 6e85f150
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
    hostname=ASA9+serialNumber=123456789AB
Subject Name:
    hostname=ASA9+serialNumber=123456789AB
Validity Date:
    start date: 15:52:01 UTC Jan 12 2013
    end   date: 15:52:01 UTC Jan 10 2023
Associated Trustpoints: TP2
You might want to enable debugs: "debug crypto ca 255".
Be carefull when typing password - watch out for trailing space !
Michal

How to replace an expiring self-signed certificate?

Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
http://screencast.com/t/zlVyR2Hsc
Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
http://screencast.com/t/54c2BUJuXO2
Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
Be aware that creating certificates starts to populate your server Keychain.
http://screencast.com/t/JjLb4YkAM
It appears that when you start to delete certificates, it leaves behind private keys.
http://screencast.com/t/XD9zO3n16z
If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
Bypass "Introduction".
In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
(OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
Pant, pant...
The next window asks for an email address and location information - this appears to be optional.
Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
Key Usage Extension window
Here's where it gets interesting...
I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
Extended Key Usage Extension...
Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
Sorry, folks, I just HAVE to show you the help for this window...
+*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible. EKU is defined with object identifiers called OIDs. If the EKU extension is omitted, all operations are potentially valid.*+
KILL ME NOW!!!
OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
Basic Constraints Extension...
Well, there is no mention of that on the original certificate, so leave it unchecked.
Subject Alternate Name Extension...
Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
DONE!!!! Let's see what the heck we got!
http://screencast.com/t/QgU86suCiQH
Well, I don't know about you but that looks pretty close for Jazz?
I got some extra crap in there but the stuff from the original cert is all there.
Think we're OK??
Out with the old certificate (delete).
Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
http://screencast.com/t/bydMfhXcBFDH
Oh yeah...one more thing in KeyChain Access...
See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
http://screencast.com/t/GdZfxBkHrea
Select "Always Trust".
I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
If you want to see my rant on Apple's worthless documentation, it's here.
http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

to add to countryschool and john orban's experiences:
using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
maybe that's hopeful to somebody. but i stopped there since things seem to be working.
last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
now, we'll see how everything works once people start really using it...

Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access does the Remote Desktop Connection use the self signed certificate for RDP instead of the SSL certificate I installed when I set up access anywhere?

Scenario:
Windows Server 2012 R2 Essentials
I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere access to use that new SSL Cert. I to rebooted the server and I am able to login to Anywhere Access vis https (using the SSL certificate) from PC, Mac and iOS.
So far so good.
The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get
a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local instead of the SSL Certificate I installed, which is
remote.acmedomain.com
If I lick to accept, RDP does work fine, it;s just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

Because....
the server does not have a 'trusted' certificate assigned to it.
Only the RDP Gateway has the trusted certificate for the external name.
If you want to remove that error, you have to do one of the following:
Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
So, something like,
server.domain.publicdomain.com
Or,
Install that certificate on your remote computer so it is trusted.
Robert Pearman SBS MVP
itauthority.co.uk |
Title(Required)
Facebook |
Twitter |
Linked in |
Google+

ASA self-signed certificate for Anyconnect 3.1, which attributes?

Hi everybody,
I can't find the detailed information which attributes are exactly needed for the Anyconnect 3.1 client to correctly identify the VPN server -ASA 8.4(4)1
I have added two servers in the client connection profile:
IP address, primary protocol IPsec
IP address/non-default port number, primary protocol SSL
Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
Connecting via SSL issues an additional warning "Certificate does not match the server name".
The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by the Anconnect 3.1, where can I find a detailed description, which attributes are required for Anyconnect SSL sessions? I'm convinced the identity (DN cn) is OK.

Shamelessly bumping this question,
Anyone out there (maybe from Cisco) who can tell us, which atttributes are required on a self signed certificate?
I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server.

Using self-signed certificates for HTTPS

I want to enable HTTPS protocol with WebLogic Server 5.1
I want to use a self signed certificate generated with the JDK keytool.
I've successfuly generated it and exported a dummy.cer file.
I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
and I've got this exception
java.lang.NullPointerException:
at weblogic.security.RSAKey.toString(RSAKey.java:203)
at java.lang.String.valueOf(String.java, Compiled Code)
at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
at weblogic.security.X509.toString(X509.java:261)
at java.lang.String.valueOf(String.java, Compiled Code)
at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled
Code)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
at java.lang.Thread.run(Thread.java:479)
mar. dÚc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration
Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
What's the right way to do this ?
[dummy.cer]

H Jerome,
The certificate may have been generated incorrectly but I would suggest logging
a support case.
Kind Regards,
Richard Wallace
Senior Developer Relations Engineer
BEA Support.
"Jerome Cahuzac" <[email protected]> wrote:
>
>
>
I want to enable HTTPS protocol with WebLogic Server 5.1
I want to use a self signed certificate generated with the JDK keytool.
I've successfuly generated it and exported a dummy.cer file.
I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
and I've got this exception
java.lang.NullPointerException:
at weblogic.security.RSAKey.toString(RSAKey.java:203)
at java.lang.String.valueOf(String.java, Compiled Code)
at java.lang.StringBuffer.append(StringBuffer.java, Compiled
Code)
at weblogic.security.X509.toString(X509.java:261)
at java.lang.String.valueOf(String.java, Compiled Code)
at java.lang.StringBuffer.append(StringBuffer.java, Compiled
Code)
at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java,
Compiled
Code)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.Server.main(Server.java:55)
at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
at java.lang.Thread.run(Thread.java:479)
mar. dÚc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration
Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
What's the right way to do this ?

Renewing Self Signed Certificate for WAAS Central Manager

Hi,
We would like some help from you about the following: We have an WAAS Central Manager which its self-signed certificate validity has expired as showed below:
Validity
Not Before: Jul 7 00:47:06 2009 GMT
Not After : Jul 6 00:47:06 2014 GMT
We have used its certificate to install some other remote WAAS Express routers.
We would like to know the following:
1. is it possible to renew this certificate? or
2. do we need to reinstall another certificate on CM and replicate this new one on these waas express remote devices?
If affirmative for at least one of them, please, could you share any document that describe how to do it?
I have attached some output commands from our CM.
Thanks,
Marcelo

attaching file now!!!

Self Signed Certificate for Exchange 2013

What's the draw back for using self sign certificate in production enviroment

Hi,
Based on my research, here are the disadvantages of self-signed certificate:
1. The certificates aren’t trusted by other applications/operating systems. This may lead to authentications errors etc.
Note: To overcome this limitation, some IT staff add the self-signed certificates to the Trusted Roots Certificate Authorities. However, using this workaround may to additional time that needed for management and troubleshooting.
2. Self-signed certificates life time is usually 1 years. Before the year is ended, the certificate may need to renew/replace.
3. Self-signed certificates may use low hash and cipher technologies. Due this, the security level that implemented by self-signed certificates may not satisfy the current Security Policy etc. .
4. No support for advanced PKI (Public Key Infrastructure) functions (e.g. Online checking of the revocation list etc.).
5. Most of the advanced feathers of the server side applications required to impended a PKI (Public Key Infrastructure). By this, self-signed certificates advantages cant be used.
For more information, you can refer to the following article:
http://blogs.microsoft.co.il/yuval14/2011/09/23/the-advantages-and-disadvantages-of-using-self-signed-certificates/
Thanks,
Angela Shi
TechNet Community Support

Self signed certificate for web service security !!

i've created self-signed certificate using keytool for web serivce security. But i'm unable to implement from the client side. When i'm giving "dn=localhost" it's working fine. But when i'm giving other than that it's throwing me error as :
java.io.IOException: HTTPS hostname wrong: should be <192.168.2.36>
I don't know what's the problem. Could any tell me where i'm wrong. In the CN i've given my ip address. Please help me out.
Do i need to do something else?

thanks for your kind help.
But i follwed the same which are given. Do i need to set something in netbeans? i'm usign netbeans 5.5,tomcat 5.5 and jdk5. Still i'm getting the same error as "https hostname is wrong: it should be <192.168.2.278>", which my ip address. I've created my self signed certificate and given the path to it by mentioning in System.setProperty("javax.net.ssl.trustStore","d:/keystore/auth.keystore"); and for password to. Do i need to do something else?
Please help me out in this reagard. I'm startup of this technology.
in advance thanks.

How to Generate a Proper Self Signed Certificate for RV180W

Similar Messages

Maybe you are looking for