How to import a Root Certificate Authority for signing

How can I import a Root Certificate Authority in order to use it with Certificate Assistant as a CA to sign other certs?
I have the CA cert imported in the keychain along with its associated private key (from a .p12); it has the gold icon and is recognized as a Root certificate authority, yet Certificate Assistant will not list it as an available Root CA in the "Set Default CA" action dialog, and the "Add..." dialog seems only interested in a ".certAuthorityConfig" plist file.
Do I have to generate a certAuthorityConfig for the CA? I can't seem to find a way to do that. No clues from certtool & security CLI utils even.
Any info/leads on how to get this to work would be much appreciated.
Regards,
-david

Similar Messages

  • In-House Certificate Authority for Self Signed Jars in JRE1.8

    Hi,
    I am trying to get some assistance on a Java issue that Oracle Support are struggling with. I am using Oracle E-Business Suite and there is a note 1591073.1 advising on what to do to allow E-Business Suite to interoperate with the new security model of JRE 1.8
    The note effectively advises on 3 options –
    Option 1 - Purchase a Code Signing Certificate from a well known Certificate Authority ( already registered in their Root Certificates Key Store cacert ) and import it into the Key Store adkeystore.dat
    Option 2 - Purchase a Root Certificate from an unknown Certificate Authority, import it into the Key Store cacerts, then purchase a Code Signing Certificate from this Authority as per option 1
    Option 3 - Designate yourself as an In-House Certificate Authority by creating your own Root Certificate, importing into the Key Store cacerts and then creating yourself a Code Signing Certificate as this In-House Authority and importing into the Key Store adkeystore.dat
    Q1. I am trying to achieve option 3. However, the Oracle note does not actually tell you how to create a Root Digital Certificate and Oracle support are struggling to answer – does anyone know how to do this?
    Q2. How then do you create a Code Signing Certificate? Oracle seem to have a command ‘adjkey’ but I am not sure if this is what should be used and, if so, how this maps my Root Certificate in the Key Store cacerts (given that there are also lots of other Root Certificates in cacerts belonging to all the well known Certificate Authorities) to the Code Signing Certificate Key Store adkeystore.dat?
    Any advice greatly appreciated,
    Jim

    Hi,
    For this issue, ensure you explicitly set the store for the certificate.
    Meanwhile, I would like to share the following article with you, I suggest you perform the steps to test it.
    Windows 8 Mail and Exchange using a self-signed certificate
    http://david.gardiner.net.au/2012/08/windows-8-mail-and-exchange-using-self.html.
    It also applies to windows 8.1.
    Additionally, I suggest you use another network to test it.
    If the issue persists, try to switch off SSL to see if it works.
    Regards,

  • Certificate Authority for Exchange 2013

    Dear,
    I will install Exchange 2013; do I need to install the Certificate Authority role as well?
    If it is necessary to install this CA, is it simply combined with the ADDS server or the Exchange Server, or does it go on a separate server?
    Thanks

    Hi,
    As all the above say, Exchange 2013 can use the self-signed Exchange certificate which is installed automatically after Exchange 2013 installation. But please note that this self-signed certificate would not be trusted for Exchange use.
    If your Exchange 2013 is not internet-facing, we can use the self-signed certificate in your internal domain environment. If you want to publish your Exchange 2013 to the internet and send/receive external mails, we need to have a valid and trusted certificate for Exchange use.
    To get a trusted certificate, we can deploy an Enterprise root CA which self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Or we can directly buy a third-party certificate.
    About where to install the CA, my personal suggestion is to install ADCS (Active Directory Certificate Services) on a standalone server. You can also install it with your DC. About how to install a Root Certification Authority, please refer to:
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • How to identify which root certificate is used?

    How to identify which root certificate (on the terminal) is used when a terminal is connecting to an https website?
    SecurityInfo.getServerCertificate() only returns the certificate sent from the https server.
    But how could I know which local root certificate is used to verify the certificate sent from the https server?
    Is there a method or class in MIDP 2.1?
    Thanks

    UP - this question is urgent. Hope anyone can answer me!

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
    I want to issue a new certificate every 72 hours for the users, and I want to send the one time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand, I should put my SMTP server IP address, then I have to create the local users again under (Remote VPN --Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time password to them via their emails.
    I sent the email manually; how can I automate sending the OTP to our VPN users via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
    Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
    Example: let's say my username is LLH.
    Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
    Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
    Only I know the preshared key and only I can log in with my Connection Profile.
    Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
    Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
    Anybody can use LLH-Connection-Profile and log in with another user name, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access a server which only allows my IP to access.
    I hope above description can paint the scenario clearer.
    Thanks in advance for all the help and comment given.

  • How to create a signature in Yosemite for signing documents?

    How do I create signatures in Yosemite for signing documents?
    It used to be in Preview but can't find it now in Yosemite.
    Thanks.

    It can be accessed through Preview in Yosemite also. You can go to Tools -> Annotate -> Signature -> Manage Signature, to create new signature or edit the existing one.
    Thanks,
    Sanjeev

  • How to install a root certificate of private CA for SSL initiation in ACE 4710 ?

    Hello ACE Gurus,
    We have to deploy end-to-end SSL for one of our applications, but of course we won't be buying Entrust or other big name certificates for each web server: we want to use self-issued certs signed by our private CA. The topology looks like this:
    Internet Client   ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers
    Maybe my search skills are soft, but I haven't found how to import a private CA certificate in the ACE, so that when the ACE initiates an SSL session with the webserver (as a client), it will recognize the Web Server's SSL Cert as valid, because it already has the CA in its root store.
    The only thing I've found is how to configure the ACE to ignore the SSL authentication/validation errors, like this:
    host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
    host1/Admin(config-parammap-ssl)# authentication-failure ignore
    Thanks for the help!
    Alex.

    Hi Alex,
    From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
    Thanks,
    Olivier
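    As an added example, not part of Olivier's reply or Cisco's documentation: the "ignore" workaround from the question beside a configuration that instead trusts the private CA through an authentication group, so the ACE verifies the back-end server certificate chains to that CA. The command syntax follows the ACE 4.x SSL guide linked above as I recall it; the FTP host, user, file names and object names are placeholders, so check the guide before applying.

```cisco
! --- Weak setting (the workaround from the question): the ACE accepts any
!     server certificate from the web servers, so a spoofed back end is not detected
parameter-map type ssl SSL_PARAMMAP_SSL
  authentication-failure ignore

! --- Corrected: import the private root CA and require the web server
!     certificate to chain to it (placeholder host, user and file names)
crypto import ftp 192.0.2.10 admin private-root-ca.pem PRIVATE_ROOT_CA.PEM

! Authentication group holding the trusted CA certificate(s)
crypto authgroup PRIVATE_CA_GROUP
  cert PRIVATE_ROOT_CA.PEM

! Restore the default behaviour: a failed validation terminates the handshake
parameter-map type ssl SSL_PARAMMAP_SSL
  no authentication-failure ignore

! SSL initiation (ACE acting as client) validates the server against the authgroup
ssl-proxy service SSL_TO_WEBSERVERS
  ssl advanced-options SSL_PARAMMAP_SSL
  authgroup PRIVATE_CA_GROUP

! Attach the client-side SSL proxy to the server farm selection
policy-map type loadbalance first-match L7_WEB_POLICY
  class class-default
    serverfarm WEBSERVERS
    ssl-proxy client SSL_TO_WEBSERVERS
```

    With the authgroup in place the back-end handshake fails when a web server presents a certificate that does not chain to PRIVATE_ROOT_CA.PEM, which is exactly the check the "ignore" setting was suppressing.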

  • How to import Verisign Intermediate certificate (char 2) with Oracle Wallet 10.1.0.5

    Hi,
    Recently I renewed a Verisign Certificate using Oracle Wallet 10.1.0.5 but could not apply one of the intermediate certificates (char2 encryption?). The error message is: "Some trusted certificates could not be installed:". Does anyone have a solution to this problem? A technician at Verisign told me that I need to contact Oracle for a patch. Is there such a patch for Oracle Wallet version 10.1.05?
    Please help and thanks!
    Jim.

    Hi Jim,
    Which certificate did you get renewed? The root certificate or a user certificate? And is it using the same CSR, or did you request it via a new CSR (certificate signing request)?
    Looks like the certificate chain is breaking when you are trying to import the intermediate certificate. The certs have to be imported in order (root, intermediate and then user).
    The doc below can help you to some extent:
    How to Replace an Expired or Expiring Certificate in Wallet Manager in Oracle AS 10g and FMW 11g (Doc ID 303299.1)
    Thanks,
    Sharmela

  • Windows Root Certificate authority questions.

    hello,
    I have 2 questions with regards to Offline ROOT CA in a 2 TIER Hierarchy :
    (1) Is it necessary to "map the Namespace of Active Directory to an Offline CA's Registry Configuration"? I didn't do this step in my lab env and find this in some, but not all, of the online posts as well. What happens if we don't run this command on the offline CA?
    For instance:  certutil.exe -setreg ca\DSConfigDN CN=Configuration,DC=lab,DC=com
    (2) What happens if I do not publish the ROOT CA certificate via the "certutil -dspublish -f xxx.cer ROOTCA" command but instead just push the root certificate using the Default Domain Group Policy Object to the "Trusted Root Auth" store on all the domain machines? What are the pros/cons of using the certutil method vs the GPO method?
    Thanks
    Neeraj

    > Is it necessary to "map the Namespace of Active Directory to an Offline CA's Registry Configuration"?
    It is necessary only if you configure LDAP URLs for CRL Distribution Points and Authority Information Access extensions on the Root CA (not recommended).
    > What are the pros/cons of using the certutil method vs the GPO method?
    Different scopes. When publishing in Active Directory, it is downloaded to all *forest* members, while GPO covers only a limited scope (domain, site or OU).
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

  • How to Import DVD content to FCP for editing

    My clients always bring us DVDs (both PAL and NTSC formats) for us to insert certain segments into the FCP project.
    Questions:
    1. We can import the PAL VOB file into an FCP PAL project, but the images seem to be broken up in thick horizontal lines. It seems to be related to the interlace, but we cannot fix it in FCP, no matter whether using deinterlace, switch field or de-flicker.
    2. No audio can be imported in this way.
    We cannot digitally import those DVD files into FCP and we can only bring the DVD into FCP using component signals and analog audio through a DVD player.
    Any suggestion on how to import the DVD digitally into FCP, both audio and video?
    Thanks in advance.
    Mike
    (rem: those DVDs are mostly created by other post facilities; they are not encrypted movie DVDs, so this problem is not related to encryption or region codes.)

    Did you search the forum for DVD ripping? This is a very common problem and discussed all the time
    You have to rip the DVDs to a format that FCP understands like, for instance, DV video
    You can use software like DVxDVD a decent commercial product or MPEG Streamclip which is free but requires Apple MPEG Playback Component to make it work

  • How to import Support Package 13(SAPKW70013) for SAP NetWeaver 2004s BI

    Hi,
    How to import Support Package 13 for SAP NetWeaver 2004s BI (BI Patch 13 or SAPKW70013)
    Note no for that is : 1019055.
    Thanks in Advance,
    Dushyant.

    Hi,
    RTC for BI 7.0 SAP_BW SP 13 is scheduled in CW 21, that is coming week, after that you should be able to download it from service market place.
    @others: Don't get confused about the SPS release vs the SP release. BI has an intermediate release which is the SP release; SPS is the SP-Stack release (which is the NetWeaver release).
    SP 12 corresponds to SPS 12 which is scheduled for CW 21.
    Hope this helps.
    Best Regards,
    Rajani

  • How to import a CA certificate

    I did implement some software using the Java SSL extension. It works when installing each certificate as trusted.
    Now I want to use the existing internal CA infrastructure. I did a certification request, got the answer and tried to import it into my keystore.
    I got the error
    keytool error: Failed to establish chain from reply
    Seems logical to me, as the signing CA is not known by default. I think I have to import the CA certificate into Java's "cacerts". But when trying this, I got the following error:
    keytool error: Signature not available
    What's that??? Of course there is no signature available, it is the CA certificate. I compared the fingerprint of the certificate manually and it is OK. How do I import it into cacerts?
    Cheers...Urs

    OK, I solved that one.
    The problem was that the JDK1.2 keytool seems not to be able to deal with RSA signatures; however, the JDK1.3 one works OK.
    I'll do the key management with JDK1.3.
    Cheers...Urs

  • How to verify CA root certificate?

    When the client downloads CA root certificate from the CA server , how to verify that the root certificate is actually from the CA server from which we want to connect?

    > but I have interpreted this question to be specifically about Root CAs ... as these are the only ones that require explicit trust or trust in a browser / OS vendor.
    No, I think the question was about web server trust. Since the transport is not secured (there is no SSL) you can't verify whether you are downloading from the right server. Say someone created a rogue web server and gained control over the traffic (maybe DNS is tampered, or a MITM situation). As long as this rogue web server responds with a certificate which can be successfully validated by the certificate chaining engine, this web server may be considered valid.
    And vice versa: a legitimate web server is misconfigured, and the wrong certificate was placed there. The downloaded certificate won't pass the check and you may wrongfully consider this legitimate server untrusted. This is why you can't tell for certain whether you connected to the right server. You can only make assumptions based on the downloaded content after its verification, but with no certainty.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Is there a list of valid system root certificate authorities for a vanilla OSX (Lion, Mountain Lion) installation?

    I'm looking for a current list of valid CAs to compare to those in the system keychain. Thanks!

    You can dump all of the root certificates with:
    security find-certificate -a -Z /System/Library/Keychains/SystemRootCertificates.keychain
    Here's a script I wrote a while ago as part of an attempt to mitigate CAs that I didn't want to trust... I work in a government environment, so it seems silly to trust CAs from China and Russia, as well as an assortment of other oddball countries.  Maybe it will help you find what you're looking for:
    #!/bin/sh
    # Dumps every certificate in the system root store and generates
    # /tmp/rootcerts.sh: one "security delete-certificate" line per root CA,
    # left active for foreign-issued roots and commented out for Apple and DoD
    # roots, so the generated script can be reviewed before it is ever run.
    ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
    rm -f /tmp/rootcerts /tmp/rootcerts.sh /tmp/ccs
    echo ""
    echo "Script generated at /tmp/rootcerts.sh"
    echo ""
    # Produce one line per certificate in the form  <SHA-1>@"<label>"  sorted by label:
    # drop the attribute lines we do not need, then join each hash line with its label line.
    security find-certificate -a -Z "$ROOTS" | sed 's/^\ \ \ \ //' | grep -v '^keychain\|^class\|^attributes\|^"cenc\|^"ctyp\|^"hpky\|^"issu\|^"alis\|^"skid \|^"snbr\|^"subj' | sed 'N;s/\n/@/' | sed 's/"labl"<blob>=//' | sed 's/^SHA-1\ hash\:\ //' | sort -t'@' -k2 > /tmp/rootcerts
    while IFS= read -r line
    do
      SHA=$(printf '%s\n' "$line" | cut -d'@' -f1)
      NAME=$(printf '%s\n' "$line" | cut -d'@' -f2)
      # Label with the surrounding quotes removed, for lookups by common name
      NAME2=$(printf '%s\n' "$NAME" | sed -e 's/^\"//' -e 's/\"$//')
      if security find-certificate -c "$NAME2" "$ROOTS" >/dev/null 2>&1
      then
        APPL=0
        if security find-certificate -c "$NAME2" "$ROOTS" | grep -q '[Aa]pple'
        then
          APPL=1
        fi
        DOD=0
        if security find-certificate -c "$NAME2" "$ROOTS" | grep -q 'DoD'
        then
          DOD=1
        fi
        # Two-letter issuer country from the C= attribute of the Issuer line, upper-cased
        CTRY=$(security find-certificate -c "$NAME2" -p "$ROOTS" | openssl x509 -text | grep '^\ *Issuer:' | tr -s ' ' | cut -d' ' -f3 | sed -e 's/^C=//' -e 's/,$//' | sed 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/')
        case $CTRY in
          [A-Z][A-Z] ) if [ "$APPL" -eq 1 ]
                       then
                         # Apple roots: keep, emit the delete line commented out
                         echo "# $NAME - APPLE" >> /tmp/rootcerts.sh
                         echo "#security delete-certificate -Z $SHA $ROOTS" >> /tmp/rootcerts.sh
                         echo "" >> /tmp/rootcerts.sh
                       elif [ "$DOD" -eq 1 ]
                       then
                         # DoD roots: keep, emit the delete line commented out
                         echo "# $NAME - DoD" >> /tmp/rootcerts.sh
                         echo "#security delete-certificate -Z $SHA $ROOTS" >> /tmp/rootcerts.sh
                         echo "" >> /tmp/rootcerts.sh
                       else
                         # Everything else: active delete line, tagged with its country code
                         echo "# $NAME - $CTRY" >> /tmp/rootcerts.sh
                         echo "security delete-certificate -Z $SHA $ROOTS" >> /tmp/rootcerts.sh
                         echo "" >> /tmp/rootcerts.sh
                       fi ;;
          * ) # Issuer did not start with C=<code>; treat as untrusted and flag it
              echo "# $NAME did not return a valid country code" >> /tmp/rootcerts.sh
              echo "security delete-certificate -Z $SHA $ROOTS" >> /tmp/rootcerts.sh
              echo "" >> /tmp/rootcerts.sh ;;
        esac
      else
        echo "$NAME could not be read" >> /tmp/rootcerts.sh
        echo "" >> /tmp/rootcerts.sh
      fi
    done < /tmp/rootcerts
    # Summary: certificates in the store vs. lines written to the generated script
    ALL1=$(security find-certificate -a "$ROOTS" | grep labl | wc -l | sed 's/^\ *//')
    echo "There are $ALL1 certificates in SystemRootCertificates"
    echo ""
    ALL=$(grep '^security' /tmp/rootcerts.sh | wc -l | sed 's/^\ *//')
    echo "There were $ALL certificates read and dumped into rootcerts.sh"
    echo ""
    NOCODE=$(grep '^#.*did not return a valid country code' /tmp/rootcerts.sh | wc -l | sed 's/^\ *//')
    echo "There were $NOCODE certificates that did not return a country code"
    echo ""
    # Per-code tally from the "# <label> - <code>" comment lines (APPLE and DoD are counted too)
    grep '^#.*\ \-\ ' /tmp/rootcerts.sh | sed 's/^#\ .*\ \-\ //g' | sort | uniq > /tmp/ccs
    while IFS= read -r i
    do
      NUM=$(grep -- "- $i\$" /tmp/rootcerts.sh | wc -l | sed 's/^\ *//')
      echo "There were $NUM entries in country code $i"
    done < /tmp/ccs
    rm -f /tmp/ccs /tmp/rootcerts

  • How can I import CA root certificate into Nokia 62...

    I need to receive e-mail via IMAP over SSL connection with self-signed server certificate. When I'm trying to download exported certificate in X.509 binary format (*.cer or *.der) I can see all certificate details but I can not save it - phone reports "Security module error".
    There is an inactive "Security module settings" menu item in Settings->Security. When I try to choose it phone says "Insert security module".
    My phone is Nokia 6233 with 5.43 f/w.
    What can I do?

    I'm having the same problem on my Nokia 6131
    Nahuel
    Nokia 5165 / 1100 / 6560 / 6131 / 5130 / E71 / C6-00 / C7 / E7-00 (My 9th Nokia)
