How to generate self-signed CA certificate, client certifacate in pkcs12

Similar Messages

• OBIEE 11g SSL how to generate self-signed/demo certificate

  Hi,
  We are enabling SSL for OBIEE 11.1.1.5 environment and want to generate self-signed or demo certificate.
  We are following note 1326781.1 and are at Step 1 - point 4 that says:
  4. Submit the Certification request to your Signing Authority (CA).
  Certification Authority(CA) is an valid signing authority of your choice (for example: OpenSSL, Verisign,
  Microsoft, etc)
  Upon submission of the certificate request, CA returns the certificate for the testmachine server (Server Certificate). Copy the CA certificate and Server Certificate to <MW_HOME>/SSL folder.
  How to gerenate self-signed or demo certificate?
  Thanks in advance.

  As long as you have the keytool on that server (installed with WLS) , you can create the generate the certificate and import that into a keystore.
  Follow : Getting Started with WebLogic Server: How to Create and Configure Self Signed Certificates for WebLogic Server Environments [ID 1341192.1] , describes the two options.
  http://www.techpaste.com/2012/06/steps-configure-ssl-oracle-weblogic-server-custom-identity-java-trust-keystore/
  I am not sure how to generate self signed certs on IBM AIX machine.
  HTH,
  SVS

• Generating Self Signed Certificate for iPlanet Directory Server for testing

  Hi Experts,
  I am unable to find how to generate self signed certificate for iPlanet Directory Server for testing purpose. Actually what i mean is i want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for Secured LDAP Authentication. For this purpose How to create a Dummy Certificate to enable iPlanet Directory Server SSL. I searched in google but no help. Please provide me the solution how to test it.
  Thanks in Advance,
  Kalyan

  Here's one I did earlier.
  Refers to Solaris 10
  SSL Security
  add a new certificate that lasts for ten years (120 months).
  stop the instance:
  dsadm stop <instance>
  Remove DS from smf control:
  dsadm disable-service <instance>
  Change Certificate Database Password:
  dsadm set-flags <instance> cert-pwd-prompt=on
       Choose the new certificate database password:
       Confirm the new certificate database password:
  Certificate database password successfully updated.
  Restart the instance from the dscc:
  DSCC -> start <instance>
  Now add a new Certificate which lasts for ten years (120 months; -v 120):
  `cd <instance_path>`
  `certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" �n testcert �v 120 -t T,, -x`
       Enter Password or Pin for "NSS Certificate DB":
  Stop the Instance.
  On the DSCC Security -> Certificates tab:
       select option to "Do not Prompt for Password"
  Restart the instance.
  On the Security -> General tab, select the new certificate to use for ssl encryption
  Restart the instance
  Stop the instance
  Put DS back into smf control:
  dsadm enable-service <instance>
  Check the smf:
  svcs -a | grep ds
  # svcs -a|grep ds
  disabled Aug_16 svc:/application/sun/ds:default
  online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
  online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1

• HT5012 How can you add a self signed CA Certificate to iOS 8?

  How Can I add a self signed CA Certificate to an iPad with iOS 8.1?

  I don’t think that I can help you but I am very interested in your question. Perhaps you have seen information about a related problem…
  https://discussions.apple.com/thread/6590335
  One way to install the self-signed CA certificate is to export it to a .CER file, email it to the iOS 8 device, open the attachment and process it. My guess is that the certificate will be installed (check the resulting profile) but due to an iOS 8 bug it will be ineffective.
  Or, you could send a signed email from the email account for the CA. Open the email on the iOS 8 device and process it.
  I assume your goal is for certificates issued by the CA to be automatically trusted on the iOS 8 device. Good luck with that.
  The method I used was to send a .CER file. The CA certificate showed up as a profile. However, I do not get automatic trusting of certificates issued by the CA.

• How to use self-signed Certificate or No-Check-Certificate in Browser ?

  Folks,
  Hello. I am running Oracle Database 11gR1 with Operaing System Oracle Linux 5. But Enterprise Manager Console cannot display in Browser. I do it in this way:
  [user@localhost bin]$ ./emctl start dbconsole
  The command returns the output:
  https://localhost.localdomain:1158/em/console/aboutApplication
  Starting Oracle Enterprise Manager 11g Database Control ... ...
  I open the link https://localhost.localdomain:1158/em/console/aboutApplication in browser, this message comes up:
  The connection to localhost.localdomain: 1158 cannot be established.
  [user@localhost bin]$ ./emctl status dbconsole
  The command returns this message: not running.
  [user@localhost bin]$ wget https://localhost.localdomain:1158/em
  The command returns the output:
  10:48:08 https://localhost.localdomain:1158/em
  Resolving localhost.localdomain... 127.0.0.1
  Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
  ERROR: cannot verify localhost.localdomain's certificate, issued by `/DC=com/C=US/ST=CA/L=EnterpriseManager on localhost.localdomain/O=EnterpriseManager on localhost.localdomain/OU=EnterpriseManager on localhost.localdomain/CN=localhost.localdomain/[email protected]':
  Self-signed certificate encountered.
  To connect to localhost.localdomain insecurely, use `--no-check-certificate'.
  Unable to establish SSL connection.
  A long time ago when I installed Database Server Oracle 11gR1 into my computer, https://localhost.localdomain:1158/em in Browser comes up this message:
  Website certified by an Unknown Authority. Examine Certificate...
  I select Accept this certificate permanently. Then https://localhost.localdomain:1158/em/console/logon/logon in Browser displays successfully.
  But after shut down Operating System Oracle Linux 5 and reopen the OS, https://localhost.localdomain:1158/em/console/logon/logon in Browser returns a blank screen with nothing, and no more message comes up to accept Certificate.
  My browser Mozilla Firefox, dbconsole, and Database Server 11gR1 are in the same physical machine.I have checked Mozilla Firefox in the following way:
  Edit Menu > Preferences > Advanced > Security > View Certificates > Certificate Manager > Web Sites and Authorities
  In web sites tab, there is only one Certificate Name: Enterprise Manager on localhost.localdomain
  In Authorities tab, there are a few names as indicated in the above output of wget.
  My question is: How to use self-signed certificate and no-check-certificate in Mozilla Firefox for EM console to display ?
  Thanks.

  Neither problem nor solution do involve Oracle DB
  root cause of problem & fix is 100% external, detached, & isolated from Oracle DB.
  This thread is OFF TOPIC for this forum.

• How to Import Self-signed SSL server certificates in Adobe AIR applications

  Hi,
  I am using secure AMF endpoints for remote object communication from AIR client.
  since i am using a self signed SSL certificate on the server, i am getting a certificate warning message on the AIR client, when ever a remote call is done.
  Is there any mechanism to import the server certificate in AIR application..?
  Please provide suggestions.
  Thanks

  I have the same issue along with repeated prompts to accept cert when I am just trying to access the page internally on my network.. Any help here RIM????????

• How to replace self-signed certificate for enterprise manager console

  Does anyone know how to change self-signed certificate for https access to Enterprise Manager console, which is issued during installation of Oracle 11g?

  Well, this might not be much help, but for 10g, on AIX, docID 1171558.1 describes how to create a new certificate.
  Not sure how relevant it will be for 11g, sorry :(

• How to monitor self signed certificates using scom 2007 R2

  How to monitor self signed certificates using scom 2007 R2.  i need to monitor specifically self signed certificates expiration. if  possible in two state monitor...please suggest me the best way..
  B John

  Hi,
  Based on my understanding, that you want to create a monitor to monitor certificate expiration, with two state, when the certificate is about expiration for 21 days,, send warning, when the certificate is about expiration for 10 days, then send
  alert. I think we need to create scripts to do so, hope the below links can be helpful:
  Monitoring Certificates In SCOM
  http://blogs.technet.com/b/omx/archive/2013/01/30/monitoring-certificates-in-scom.aspx
  Monitoring Expiring Certificates using SCOM
  http://blogs.technet.com/b/sgopi/archive/2012/05/18/monitoring-expiring-certificates-using-scom.aspx
  Regards,
  Yan Li
  Regards, Yan Li

• EDirectory install - failed to retrieve self-signed root certificate:142

  Hi,
  My istallation has 2 NICs, public & internal.
  My tree name is IS.
  I have succesfully installed and used RedCarpet. I additionally enabled
  the Firewall and DHCP server to allow internet access to my users.
  On running Yast install for eDirectory I am given the default IP address
  of the server, this is the Public IP address - I decided that eDirectory
  was for internal use so changed IP address to internal one.
  At 50% of installation an error pops up :-
  Error
  The installation failed to retrieve the self-signed root certificate:142
  I aborted the installation.
  I retried the install using the public Ip address, it complains ports are
  already in use, I chose ignore and go ahead. Same error occurs :142.
  Your assistance and guidance would be appreciated.

  > Hi Johan,
  >
  > Thanks for sticking with me... I appreciate your time and help (believe
  > me, It's a great help..)
  >
  > I have cracked it...
  >
  > On a reboot, I chose to press F2 to get rid of the Suse Chameleon screen
  > and watched the boot process progress. I then noticed that it was unable
  > to contact my specified NTP source.
  >
  > I went into Yast Ntp client and changed my NTP source to other published
  > secondary NTP servers and all failed. I then put in the ip address of one
  > of the time servers and Bingo! ntp connected...I think I've seen this
  > before with Netware...where name resolution of the ntp server name does
  > not occur....most ntpserver administrators state they prefer you contact
  > the server by name rather than address...hmmm.....
  >
  > I then retried Yast eDirectory install and it was a breeze, as was the
  > iManager install....
  >
  > GroupWise here I come...
  >
  > Rgds.
  >
  > Stan Chelchowski
  >
  Hi, this is roy.
  had the same issue. using a supermicro with a builtin dual nic.
  disabled it and installed an old pci nic to test and it finally loaded the
  edirectory without an error.
  on another note, i am installing the NLSBS 9.0 and had to manually load
  the disk drivers since i have an adaptec 2010s raid adapter. i had
  installed suse 9.3 on the same machine earlier with absolutely no issues,
  but NLSBS is a pain. if you run red carpet and update all, then the driver
  issue returns.
  how do you get and install the service pack 2?
  thanks,
  roy

• Nokia X - import self signed server certificate

  Do someone know how to import a self signed server certificate? No CA root certificate, only a server!
  I connect from all my devices to a Baikal server for calenders and addresses. For this machine I generate a self signed server certificate. I am working with all devices without problems after I import the certificate to this (iPhone, iPad, iMac, Win7, Srv2k8, Linux,...). Only the Nokia X don't want to accept it.
  I store the cert in DER format and name ending to .cer to the memory card, choose the import, the cert is found and I have to name it, but then it will not import it??? And the CAdroid is not working?!
  Do someone know how to do this right? Thanks.

  Hi, anoymo. You may install the self-signed certificate by downloading it using the phone's browser. The file format should be DER encoded binary (X.509). Or you can create an HTML file using the notepad. Just copy this code (<HTML><BODY><a href="FileName.cer">Install certificate</a></BODY></HTML>) excluding the parenthesis to the notepad and save it as .html. Create a zip file for the certificate and the HTML file, copy it to the phone then open the .html file it should prompt you to install the certificate.  Directly importing it to the phone is not possible.

• Mail.app: Self-Signed SSL Certificates

  How can I make mail trust self signed mail certificates FOREVER? As it is now, I have to tell Mail.app to always trust the cert for each email account, every time I launch mail. Then it remembers to trust it until I quit mail, then I have to re-tell it all over again. This is bearable on my desktop but on my laptop, where I need SSL the most, I'm constantly logging in and out and rebooting, and it drives me crazy.
  FYI it's my own server, running Mac OS X Server. And I'm not buying a certificate, it's the encryption I'm after

  First, the certificate must match the name Incoming Mail Server that your clients are using. For example 'mail.acme.com'. So, when creating the self-signed certificate, the common name that you enter would be 'mail.acme.com'. If you don't do this, you will always be prompted about the certificate when you relaunch Apple mail.
  Just for clarification, here is how you should trust the self-signed certificate on the Macs that are using Apple Mail:
  1. When you get the prompt about the certificate, click the show certificate button.
  2. Drag the icon of the Certificate on the left in the Show Certificate dialog box to the desktop. This will create a document on your desktop named 'mail.acme.com.cer'.
  3. Double click the certificate on the desktop which will open an Add Certificate dialog box.
  4. Depending on the version of Mac OS X that you are running, what you do next will vary a little.
  Leopard
  1. Click the drop down next to keychain and select System
  2. Open Keychain Access (Applications/Utilities) if it is not already open
  3. Click System on left hand side under Keychains
  4. Locate the 'mail.acme.com' certificate on the right and double-click it to open it. (NOTE: I had to quit Keychain Access and reopen it before the certificate showed up under System for me for some odd reason)
  5. Click the gray triangle next to Trust to expand the Trust section of the Certificate.
  6. Select Always Trust from the drop down next to 'When using this certificate'
  7. Close the certificate window and then quit out of Keychain Access
  8. Click the continue button back in Apple Mail if the Certificate dialog is still present.
  9. Quit out of Apple Mail and the relaunch it again. This time you should not see the certificate dialog alert.
  Tiger
  1. Click the drop down next to keychain and select X509Anchors
  2. Open Keychain Access (Applications/Utilities) if it is not already open
  3. Click System on left hand side under Keychains
  4. Locate the 'mail.acme.com' certificate on the right and double-click it to open it.
  5. Click the gray triangle next to Trust to expand the Trust section of the Certificate.
  6. Select Always Trust Settings from the drop down next to 'When using this certificate'
  7. Close the certificate window and then quit out of Keychain Access
  8. Click the continue button back in Apple Mail if the Certificate dialog is still present.
  9. Quit out of Apple Mail and the relaunch it again. This time you should not see the certificate dialog alert.
  This worked for me. I hope this works for you too.

• Extend self-signed SSL certificate beyond one year

  Hi all,
  How can I extend SSL Certificate created by Windows 2008 R2's Certificate Service beyond 1 year?
  Thanks.

  Hi,
  For self-signed certificate, you can use IIS Manager to create new one. For more detailed steps, please refer to the below steps.
  Create a Self-Signed Server Certificate in IIS 7
  http://technet.microsoft.com/library/cc753127(WS.10)
  If it’s a certificate issued by a CA, we just need to renew the certificate with the CA to extend the valid date.
  Best Regards,
  Aiden
  Aiden Cao
  TechNet Community Support

• Abandoning Self-Signed SSL Certificates?

  Hello,
  I'm working on remediation of some security flaws and have encountered a finding that calls out each of my domain-added workstations as having self signed SSL certificates.  I'm not an expert on the subject, but I do know the following things:
  1)  An earlier finding lead to me disabling all forms of SSL on my servers and workstations
  2)  Workstations use certificates to identify themselves to other domain assets.
  Now my servers all have their own certs signed by an outside authority.  However, it would be a huge amount of work to go through the process for each and every workstation.  So my questions are these:
  1)  Can I create a NON-SSL self signed cert for these machines to use?
  2)  How do I remove these current SSL certs without having to hover over each workstation?
  Basically, what's the least effort to remove self-signed SSL certs and replace them with something more secure?
  Thanks,
  M.

  What do you mean when you say that you've disabled all forms of SSL on your servers and workstations? SSL serves to provide secure communications for all of your domain operations, so disabling SSL, in general, would likely break your entire domain. If you're
  using certificates on your workstations, then you're using certificate-based security (IPSec) in some manner.
  Do you have AD CS or some other certificate signing authority/PKI in your environment? If not, you would have to pay a public provider (i.e. VeriSign) to provide certificates, and I can assure you that gets very expensive.
  If you have Microsoft servers in your environment, you can install and use Certificate Services to provide an internal signing mechanism which can be managed through group policy. You can replace all of the workstation certificates with ones signed by your
  internal certificate authority (CA,) and those will pass muster with any auditor provided the appropriate safeguards are put into place elsewhere in your environment.
  Least effort for you would be to implement an internal CA, which admittedly isn't a low-effort endeavor, and have the CA assign individual certificates to all of your machines, users, and any other assets you need to protect. If your auditors are requiring
  the removal of the self-signed certificates, you might find a way to script the removal of the certificates. In my experience, however, most auditors just want IPSec to be done with certificates that terminate somewhere other than the local workstation (i.e.
  an internal CA).

• IPhone LDAP contacts and Self signed SSL certificates

  Hi,
  I am using OpenLDAP with self signed SSL certificate, and i am unable to get SSL work with LDAP contacts on the IPhone (4.x). I have tried to add a CA cert with a server certificate for the LDAP server and downloaded it to the IPhone by web, it adds the CA, but even with it, it does not want to connect to the LDAP server with SSL enabled.
  Does LDAP contacts should work by adding new CA ? if yes, what is the exact procedure to do it ? (maybe I used a wrong CA export format, or wrong SSL certificate encryption format ...)
  can someone tell me how to do it ?
  This is really anoying, since we have multiple iphones on the company.
  Thanks for the help.

  Hello, found your post.  I realize it's been 6 months since you posted, but I have a solution for you since I have struggled with the same problem since 2009.
  I discovered that when the iPhone is using LDAPS, it tries to bind with LDAPv2.  After it binds, it speaks LDAPv3 like it is supposed to.  Apparently this is a somewhat common practice since OpenLDAP includes an option for it.
  You'll want to set the following option in OpenLDAP:
  dn: cn=config
  olcAllows: bind_v2
  Walla! LDAPS works! (assuming you've correctly done all the certificate stuff).  Took some deep reading through the debug logs to figure out this problem.  Figured I'd share my answer with others.

• Self Signed in Certificates without CA server

  Hi Team,
  I am working to configure expressway for Cisco Jabber but i stuck now in certificate step, can i do self signed in certificate without CA server ? if yes what are the procedures to do that.
  Thanks

  It is better if you use a CA server.
  Please follow the deployment guide http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1.pdf