How to validate SSL cert on ASA5510, before changing DNS?

Similar Messages

• How to setup SSL cert for SharePoint apps in a three tier farm with nlb

  I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration

  Please check the below thread..
  https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
  Don't forget to mark it as an Answer if it resolves your issue and Vote Me as helpful if it useful.
  Mahesh

• HT1657 How can I download all purchased content before changing my info account?

  How can I download all purchased content before changing my info account?

  You can always setup your GMail account on your Mac as a POP3 account, and then flag GMail to mark all messages new.  The next mail check would cause your mail app to download all the messages on teh GMail server to your mail client.  Once they are in your mail client, you manage them locally in there, and it won't matter if the GMail host account goes away or not, because POP3 works with the local data once it is downloaded form the server.
  Be advised that doing this can cause you to redownload thousands (or hundreds of thousands) of emails depending upon your email volume and how long you have been using GMail.  If I do this, my GMail wants to re-send close to 6GB of data to me again because I have been using GMail for about as long as it has existed, and I average 100-200 emails a day on that account.

• CSS: How to chain SSL certificates outside of CSS before install?

  Could some one advise on how to chain the certs files outside and before installing to CSS, please.
  How to check if the cert files I received are in PEM format?
  What program (widows) I use to chain the certificates.
  What is the order in which the chaining is done.
  Currently all I have is two cert files
  xxtrustL1c.crt.txt
  xxxx.xxxxxx.net.pfx.txt
  and
  http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a00801de89b.shtml
  Step by step guidence please.
  Sri

  In order to use the chained certificates on the CSS, the server certificate and intermediate must be concatenated together. This allows the CSS to return the entire certificate chain to the client upon the initial SSL handshake. When the chained certificate file is created for the CSS, make sure the certificates are in the proper order. The server certificate must be first, then the intermediate certificate is used to sign the server certificate must be next. The power entry modules (PEM) format is not very strict, and the empty lines between keys or certificates do not matter.
  The entire contents of the mychainedrsacert.pem file are shown here with the server cert on the top, followed by the intermediate CA cert. If you need to add the root cert, it would go to the bottom.
  -----BEGIN CERTIFICATE -----
  BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG
  Binary data of your server certificate
  BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
  MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
  LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
  HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy
  aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx
  BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg
  MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g
  TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB
  jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
  veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O
  OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB
  4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw
  KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV
  HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI
  ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk
  oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB
  BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv
  1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw
  E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
  -----END CERTIFICATE-----
  Then you can re-import your new concatenated certificate file.
  Hope this helps,
  Sean

• How to get OS X to accept an SSL Cert the way other UNIX clients do?

  I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
  I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
  On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
  On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
  How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
  I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
  Any suggestions would be appreciated.
  Thanks in advance--
  =N=

  when you connect with a web browser to an https site that has a mistmatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
  what unix apps are you using to connect to this server?

• Changing SSL Cert, how do you update the trust profile for devices.

  I am in the process of changing out the ssl cert for the trust profile (going from a self-signed to a signed cert).  How do you update the trust profile on the devices already paired with the server.

  Yes, the linked smart object can be either raster or vector, but they will be placed as raster images, just as the embedded SO are.  SO can be embedded or linked to an outside file.  Edits to the original will not update in the original until you select "Update modified content from the menu" when you reopen the file that has the place SO in it.  otherwise it will update when you save the linked file.  Yes, there still is an advantage to having an embedded SO.  You may not want to maintain the links - send a file off and forget to include the linked files.  You may want to alter the SO, but not the original file.
  Ah, thanks. But does this mean that raster and vector smart objects can EITHER be located within the Photoshop file (as they have been since their advent) OR linked to an external file?
  And if so,
  1. Can this linked file be either raster or vector?
  2. Do edits to it automatically update the Photoshop file?
  3. Is ther any longer any advantage to having the smart object data stored within the Photoshop file when it can be linked?

• How do you generate a new SSL cert in CSA

  None of my hosts can poll because the SSL Cert has expired. I am running CSA 4.0-1 540 and need to generate a new cert. Anyone know how?

  It looks like I found something here:
  http://www.cisco.com/en/US/docs/security/csa/csa45/install_guide/Chap3.html#wpmkr985044
  From within CiscoWorks click: VPN Security Management Solution -> Administration -> Import Root Certificate.

• How to validate required fields before executing menu item ("Save As") using cutom Javascript?

  Hi,
  Sorry, I am new to PDF Development. I tried creating PDF using Acrobat XI Pro. During creation, I have encountered issues in running custom JavaScript. The requirement is to validate all the required fields before saving the PDF. I tried using the following scripts to validate the said required fields. But, it's not working.
  Option 1: If the field is null, a message box will appear.
  if(this.getfield("textbox") = null){
  app.alert("required");
  else {app.execMenuItem("SaveAs");}
  Option 2: If the field is required, a message box will appear.
  var f = this.getField("textbox");
  f.required = true;
  if(f = true)
  app.alert('required');
  else
  app.execMenuItem("SaveAs");
  The scripts mentioned above are not working. I wanted to validate the required fields before saving the PDF.
  In addition, I tried validating each field using the following script:
  f = getField(event.target.name)
  if (f.value.length == 0)
      f.setFocus()
      //Optional Message - Comment out the next line to remove
      app.alert("This field is required. Please enter a value.")
  When I open the PDF, the script is working. However, when the message box pops out, the "OK" button is not working as expected. The message box is not closing. I tried opening the form in a site in different Java versions (like 7-11 and 7-67). It's working in version 7-67. I tried upgrading the Java version from 7-11 to 7-67. Still, it doesn't work.
  I would appreciate your feedback on this matter.

  If you set the fields as required, then when the user hits the print button you could run this script:
  var txt = form1.execValidate();
  if (txt == true){
  print command
  This code assumes that the root node of your form is form1. Also ensure you put a message into the Empty Message parameter for each field that you want to mark s required.

• SSL cert on ASA 5512 from Thwate or Digitcert

  I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon 
  Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA -  install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
  Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2   etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
  here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
  Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed 

  First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
  When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
  If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
  Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

• Multiple SSL Certs in one SSL Proxy/VIP

  Guys
  I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP.  Ive created alot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
  However Im not sure how are take two different SSL certs, and bind them to the same SSL Proxy, inorder for me to add them to the same VIP.  The customer wants to use only port 443.  I had thought about using a secondary port something like 8443, and adding another class under the multi-match policy.
  Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
  Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL. And thus because I have another L4 policy I can assign a new SSL Proxy?
  Thanks

  Cathy
  Thanks for the reply, thats what i was thinking. we use wild card certificates for several of the other domains, how we need to provide  certificates for www.website.com and ww2.website.com due to cost.
  Is it possible to replace the L4 policy map, with a straight L7 so that we are load balancing directly on URL as apposed to verifying L4 matches first?  Or would this not be advisable / possible.  I always thought it was the L4 policy that made the VIP proxy?
  Can SAN certs not be used in this example?
  Thanks

• Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

  Coldfusion 11
  Windows Server 2012 R2
  Both the Coldfusion admin and additonal site work fine on HTTP.
  As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
  Coldfusion 11 - Web Sockets via SSL
  The Coldfusion-error.log shows
  Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
  Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
  Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
  If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
  Any assistance welcome - I can't allow this site to made publicly available with using SSL.
  SM

  @Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release.  And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
  If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
  First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
  Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
  You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
  Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
  Finally, when you say that if you “comment out the SSL sections  it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
  To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
  /charlie

• SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

  I utilized the idea from
  http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
  installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
  feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
  I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
  this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
  I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert.  The Reports URL, for example, is <a href="https:///Reports">https://<SQLClusterNetworkName>/Reports, and the
  cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
  What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

  I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

• How to validate a session object in jsp?

  Hi All,
  i am facing a problem.The problem is how to validate the session object object in jsp.I have written a java script by using a defined function as setInterval and has given 5 mintues if the user is idle and will show a pop up menu before time out the session but in case of page active still this pop up menu is coming. The java script as follows.
  function SetTimer(){
       //How long before timeout (should be a few minutes before your server's timeout
       //set timer to call function to confirm update
       if(timeoutMinutes)
       timerObj = setInterval("ConfirmUpdate()",60000);
  function clearTimerFn(){
            timerCount = 0;
            clearInterval(timerObj);
            //timerObj = setInterval("ConfirmUpdate()",60000);
  function ConfirmUpdate(){
       //Ask them to extend
       if(confirm("Your session is about to expire. Press 'OK' to renew your session.")){
            //load server side page if ok
            var url = "ajaxSessionchecker.do?sessionvalidate=sessionvalid";
            LoadXMLDoc(url);
  And in jsp i am calling this js function as
  <%session=request.getSession(false);
            if(session.getLastAccessedTime()==60000){ %>
            <script type="text/JavaScript">
       clearTimerFn();
  </script>
  <%}else{
  session.setMaxInactiveInterval(-1000);} %>
  could you pls help me out?

  The reason for doing this is when ever i come to this user.jsp from account.jsp with a different account number this user.jsp is not refreshed and i still
  see the same old user.jsp for the previous account that i naviated before. Also please let me know if there is any other approach to acheive this taskDoes refreshing the page by pushing F5 solve the problem?
  If so, then the browser is caching the page, despite your attempts to stop it.

• How to validate multiple lines which is exist in the form builder at the same session

  Hi All,
  we are working on oracle Forms personalization to trigger the message at the point of saving multiple lines rather than requiring each line to be save individually. Currently the oracle form is allowing to user to enter two distinct lines that have same resource and basis type in BOM.
  Currently the Oracle form is allowing to enter the duplicate combination and not giving any error message even we enter the same combination of data.
  As per the customer requirement, they don’t want to validate the data while creating the records but when they try to save the form, in that case it should validate all the records at a time then need to display the appropriate message.
  Customer don’t want to customize the Oracle standard form. Here we have only option to use form personalization or through custom.pll.
  Any idea on how to validate multiple lines which is exist in the form builder at the same session as before inserting the record itself need to perform the validations for all the records.
  Thanks for your help in this regard.
  Regards,
  Thirupathi

  you can write a post script which will do the necessary tasks.
  I mean, once you are done with inserting records into these tables, exeute another procedure which will insert these "extra" records, based on some logic.
  you may not be able use DB trigger as it may generate mutating error or if you don't write it carefully, it will go into recursive loops as you are refering to same tables.
  HTH

• How to use SSL certificates in OSX Server

  I have setup OSX server with a host name that is pointed properly to my OSX server. My question is about using certificates that were purchased through my domain registrar.
  I bought a cert and after the validation process, I was given a link to download 4 certificate files.
  AddTrustExternalCARoot.crt
  DV_NetworkSolutionsDVServerCA2.crt
  DV_USERTrustRSACertificationAuthority.crt
  [domain name].crt
  So after downloading these and opening them one by one, I installed them in the keychain as a system cert.
  The part I cant figure out is how to use the domain cert instead of the one that the server creates upon completion of setup (the self signed one).
  On the certificate selection in the sidebar, I can choose Import a certificate identity, but when I drag my domain cert into the box, it shows up as a non-identity cert and the Import button is still grayed out. I dragged all four certs there and all of them show as non-identity certs.
  If I go down the path of the Get a Trusted Certificate, it takes me through the CSR request which I dont think I need since i have my certificates already.
  Am I missing a step? Or do I need to export from the keychain, then import into the server application? Seems like the new certificates should show up in the server application. Any help would be greatly appreciated.

  I got the answer and wanted to post for anyone that happened to have this question.
  During the SSL cert setup, it asks where your domain is hosted and since it was hosted by Network Solutions, I chose that option which doesnt do the CSR request. I had to choose Other/VPS.
  Once I did that, I was able to generate a CSR in the server application and get my certificate issued again by pasting the request code on my registrars website. Once I received those certs, I dragged my domain cert into the Pending one listed in the certificate list.
  Also I chose Apache/ModSSL as the type of server. Hope that helps and new people like myself in setting up the server application.