Importing self-signed certificate

Similar Messages

• Need to import self-signed certificate?

  I'm in the process of migrating an applet to 1.3.1_03. The latest problem I've run into is the change in security between 1.2.2 and some version of 1.3, in that, apparently, I have to import a self-signed certificate into cacerts for our intranet applet to work.
  Is this still true for 1.3.1_03? If so, is there an easy way to do this from the client perspective (e.g. some batch file that can be run to handle this)? I've seen quite a few other posts surrounding this topic, but it's difficult to keep track of what's current.
  Does 1.4 remove this issue (just curious... we're not planning to go to 1.4)?
  Thanks,
  Van Williams

  What I've done is to import the certificate into a keystore on the web server. I also have the policy file (also on the web server) pointing to this keystore. This works fine, as long as either one of the following is true:
  1) the java.security file on the client has a policy.url entry thta points to the policy file on the web server
  2) The runtime parameters for the plug-in specify the policy file on the web server (e.g. -Djava.security.manager -Djava.security.policy={location of policy file on web server})
  I'm trying to figure out a way to not have an automated procedure change the java.security file on the client (though I'll use this approach if needed). I also don't want to change the runtime parms on the plug-in (will affect other applets). If there is a way to specify this in the HTML for my applet, that would be perfect. Any ideas (will be posting this as a separate thread).
  Thanks,
  Van Williams

• E90 importing self-signed certificate nightmares

  Hi!
  I want to import selfsigned certificate on customer's E90.
  I've I copied correctly exported certificate to phone, but the E90 file manager always says "File format not supported".
  I've tried with .cer, converted to .der with the following page: http://www.redelijkheid.com/symcaimport/
  I've been through all suggestions and step guides found on internet. Customer support does not have a clue what I'm talking about.
  I'm looking for anybody who has succesfuly imported any kind of certificate in to this model certificate store or anybody who can simply answer this question: what type of certicates does this model support.
  Thanx for you answers,
  Toni

  I'm using self-signed certificate from SBS. Right now it's not the question, if something is misconfigured within my certificate (I'm aware of SBS certificate problems), the problem is that E90 WILL NOT recognize .cer or .der files as certificates.
  There must be someone, who can answer this really simple question, which certificate formates are supported on E90.
  You will find this type of question posted many times on different forums, with diiferent suggestion, but they simply don't work.
  Again my error is "file format not supported"

• Safari on Windows could not accept self-signed certificate

  Hi, i am using Safari 5.0.4 on Windows 7 and I am trying to access an https site with a self-signed certificate (internal developing site).
  after i install the certificate to the Windows certificate store (i try both Personal store and Trusted Root Certification), when i try to browse the site, Safari asks me to choose a certificate, after i choose it, after a long hang time, Safari displays "Safari can't open the page".
  My questions are:
  1. Any one has configured safari on windows to accept self-signed certificate successfully?
  2. i see some other posts saying "Safari on Windows has bug to use the self-signed certificate", any official document or link saying this if this is true?

  Microsoft Windows web browser support questions?   Try one or more of these resources:
  http://technet.microsoft.com/en-us/library/cc747495(WS.10).aspx
  http://www.leonmeijer.nl/archive/2008/08/01/123.aspx
  http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-ie8-to-acc ept-a-self-signed-certificate
  That was from tossing the /internet explorer import self-signed certificate/ query at Google, and some poking around.  StackOverflow and Microsoft Technet and the Microsoft KBs have more details on Microsoft platforms and products and permutations, too.
  The usual best fix with this stuff is to create your own certificate authority (CA) root certificate and to configure that within your chosen platforms and browsers, but I do not know (off-hand) how to do that on Microsoft Windows boxes.  Google or some KB probably has details of loading your own root cert.  This approach means loading one cert, and the rest of what you create that's signed from that cert will now automatically be trusted.  Basically you become your own CA provider, load your root cert into each of your clients, and then issue your own certs chained from your own root cert, and Bob's Your Uncle.

• How to import the self-signed certificate in runtime

  HI.
  I work to connect between JSSE client and OpenSSL server with self-signed certificate.
  But I met the SSLSocketException during handshaking.
  Many Solutions registered in this page.
  But their are all using keytool.
  My application connect many site support the self-signed certificate.
  So, I want to import the certificate in run time.
  How Can I do??
  Please, answer me..
  Thanks,

  did you figure this out??? I need to know how to accept a self-signed certificate, otherwise it's this exception...
  D:\javatools\apis\jsse1.0.2\samples\urls>java -cp jcert.jar;jnet.jar;jsse.jar;. URLReader
  Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
  at java.io.OutputStream.write(OutputStream.java:61)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-12019
  8])
  at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120
  198])
  at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V
  1.2-120198])
  at java.net.URL.openStream(URL.java:798)
  at URLReader.main(URLReader.java:46)

• Nokia X - import self signed server certificate

  Do someone know how to import a self signed server certificate? No CA root certificate, only a server!
  I connect from all my devices to a Baikal server for calenders and addresses. For this machine I generate a self signed server certificate. I am working with all devices without problems after I import the certificate to this (iPhone, iPad, iMac, Win7, Srv2k8, Linux,...). Only the Nokia X don't want to accept it.
  I store the cert in DER format and name ending to .cer to the memory card, choose the import, the cert is found and I have to name it, but then it will not import it??? And the CAdroid is not working?!
  Do someone know how to do this right? Thanks.

  Hi, anoymo. You may install the self-signed certificate by downloading it using the phone's browser. The file format should be DER encoded binary (X.509). Or you can create an HTML file using the notepad. Just copy this code (<HTML><BODY><a href="FileName.cer">Install certificate</a></BODY></HTML>) excluding the parenthesis to the notepad and save it as .html. Create a zip file for the certificate and the HTML file, copy it to the phone then open the .html file it should prompt you to install the certificate.  Directly importing it to the phone is not possible.

• How to successfully import ASA self-signed certificate?

  On ASA 9.1 i am trying to export an Identity certificate, self-signed certificate into p12 file so i can import it into laptop and used it for secure connection to ASA over ASDM. I can add certificate OK using ASDM, certificate show up OK in Certificate management/dentity certificate. Exported certificate into .p12 file with passphrase OK.
  In Win XP and Windows 7 every time i try to import certificate i got message that password is incorrect. Yes, i did type correct password.
  Even thru cli i got the same error when trying to import the file.
  ASA(config)# crypto ca export ASDM_TRUSTPOINT pkcs12 password
  Exported pkcs12 follows:
  -----BEGIN PKCS12-----
  MIIHPwIBAzCCBvkGCSqGSIb3DQEHAaCCBuoEggbmMIIG4jCCBt4GCSqGSIb3DQEH
  BqCCBs8wggbLAgEAMIIGxAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQItd0L
  7e5QezkgxXzmCJKpv3GqQV5/tfk66ySnBMCGrMzsQKBa32wzHYcSerSEePNXzudJ
  Frdyc3ETMXECvO83gujQZLyJ9DfPaDy4gZHwEs9fwGqpJel/NTwUo16dtzO2Vbko
  1kc8kd
  -----END PKCS12-----
  Any tips or tricks how to get this simple task completted? Is maybe file format not right?

  Hi
  Please show the error ASA is reporting during import.
  It's working correctly with 9.1(0)2, example:
  ASA9(config)# crypto ca trustpoint TP
  ASA9(config-ca-trustpoint)# enrollment self
  ASA9(config)# crypto ca enroll TP
  WARNING: Trustpoint TP has already enrolled and has
  a device cert issued to it.
  If you successfully re-enroll this trustpoint,
  the existing certificate will be replaced.
  Do you want to continue with re-enrollment? [yes/no]: yes
  % The fully-qualified domain name in the certificate will be: ASA9
  % Include the device serial number in the subject name? [yes/no]: yes
  Generate Self-Signed Certificate? [yes/no]: yes
  ASA9(config)#
  ASA9(config)# crypto ca export TP pkcs12 123456
  Exported pkcs12 follows:
  -----BEGIN PKCS12-----
  MIIGHwIBAzCCBdkGCSqGSIb3DQEHAaCCBcoEggXGMIIFwjCCBb4GCSqGSIb3DQEH
  BqCCBa8wggWrAgEAMIIFpAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIp8j1
  +5Rh9TQCAQGAggV4DUlYOI+VlGxuCXiGnDTYx+cR5XjPca7KW7L50D5lLQQHLr+U
  fV+QVEaELnQ1MKsMm87zl9AuycuI9EeOJnPTF9Ddxy32ODzaZ4/3BaXnHl2ETyzM
  IohydDJCfscT0r2TPNlE8XSknDfftK+3g3Aa0Gi+Nsq1+NXxTdYcfdXpZHvD9tk0
  QZInQy1UG+NhCERyOe6SIbynuCBfksk9g+rRjeNW4bTNRDpCJ1DnrtpN6BCq8VGN
  QMQagUZ1ONNLaFtQegd17RxWzXUZiWQgqf0jUZnr/BJQI9bPrISkA+JnysNU3MvS
  WVKKfyGQcsYD4ExH+wi6xkohKi7hj80s9cFOyq+xpXjikZw9gKMcpoY2lLs4ivIl
  4x9bB3EQ3xYW5nxbORwDx5xEyYLMUNkVRvC14ts+RB2QcEAXwq2JaaNuO6aBvjhj
  8mpHjXR+wkxV8Mm+UYEed2f1SuzjtZ966OPYW0YkmXGTH+wt/rxbCROAqnmh6HGz
  pU4H5/yhHgBIJOd6vZaKf5XlnX17wSniM+JRw4FsArVpuNOZFeCkDsHHFP6TPYII
  h2aS2jBEH2KW0KuzEP0rHOJ8WVjZgVucSu0pb+vVGw3MzsBl14CnL5kZcPe+81wJ
  XnFibhkucyo9arO/kcc7OtMcAuoktGfBVb1jrX6Se/SY8GFrzYbikNuT4DI4/dw+
  OinRXOX7S/Bhaefx4JSFYoL/7agD7f+kwzv7qAEyIQtjxoGgYuqY2lZVsbZL05dJ
  0D3xDkSDOc9H/5M5nZqP/xwnqVMoREPvt/a+ZdGezfzApUYUH/VAU4NzST44QcvM
  mdeeizpj0VwA7WdZOrMaJll927NGb1RikmtE+6ITgdiksuJVOeNWcXuq00sDAxvZ
  fv7tOQxgWX0+LNKaFd1Ef7PF9KqsJLQnbC28GC9GBNExcc9Pm+Kqfq6qj7HEosHt
  kPSfLFs0kkQQzq+G4xH6pzKQkG7Yt3xjLblI9IdWsCvuHLl8fgN0LHpVXPi9iftW
  PqGG8f9dCymAqHKFEnZzOiCcNlKKG+ddAN7Qb4mGVBYsaeROvVWBL2aAzIDpL7Uv
  8rFHsJVKk/yCruuNSDjmbbaTlYxb2iglo2MkgGsCO5X7fOPTCO3C+UikFyOi6/7c
  fSyn+LE6Za76kdRn4V2FHGG767nBxFBR/bB+uzngR+w/GzIgHQahpJ2xJlKumS2M
  yiy3kGYDhIN+WV6Lz91YwZpSobk1qrcn/7fzl2FFaY6+3+AgAXiOeVL7DyPHqm3N
  gX1EGBzwqeN9h7BeaTJvebhrvtLDU97UnPeyyFZTiSQWZhhRjqsr5mI69NvDybkq
  Db1Rx/Awnqg72RtnwOPxGNlTlRMUK7PjQNW6Kc2F7iy0byyNab9BEO6DNIN8RtXS
  WyioVOdFrFXIYPYnuvoPp46remUaaI4B4428cS7YfWHP5pq0j0PUj0gZnJM7aM0c
  VTHkVp2eZVSBFd9/Tv1q7+2tM5PhRE8ZCKcIIqJq2UJm4+HcIXGCgpIlfW3jL4t7
  qmkfu0ClnHgmoSJBycPxTPaU38FQk2ZmYcnV2RAZxtwL51q5WhAvXi0amATF2h6h
  FtcAP+Iq4Xx8s+wkcaK4I/puK0+wmMyslESWhq3RfB73BKyT9/J4FONliyAQP+4M
  JKkvkMAPx7Do6fqItHhbRR4FxQXg+al21UTLZ9aaY7PGjuqMZ40JY175qPG7CJFn
  bEOfHQGZjLbmqJfJByG6U5mQBoLr4XzTYPrtvErV/TrTGPK4RVATXgnQ/re7TD/G
  p0klPQcDHBkbnAuMVt88Q4QlqZKAov8ofLZr8IvlKsfmPFTFpfqCQCIMa1uGo6P9
  v8zGHGyvZwsOXwB1vMKAfpINCR0wPTAhMAkGBSsOAwIaBQAEFJb8DGrkwS6ApBkL
  0TXZXRY3WGx3BBSBXw+QkTTFm7BL+FS1KoeOupwmowICBAA=
  -----END PKCS12-----
  ASA9(config)#
  ASA9(config)#
  ASA9(config)# no crypto ca trustpoint TP
  WARNING: Removing an enrolled trustpoint will destroy all
  certificates received from the related Certificate Authority.
  Are you sure you want to do this? [yes/no]: yes
  ASA9(config)# crypto key zeroize rsa
  WARNING: All RSA keys will be removed.
  WARNING: All device digital certificates issued using these keys will also be removed.
  Do you really want to remove these keys? [yes/no]: yes
  ASA9(config)# crypto ca trustpoint TP2
  ASA9(config)# crypto ca import TP2 pkcs12 123456
  Enter the base 64 encoded pkcs12.
  End with the word "quit" on a line by itself:
  MIIGHwIBAzCCBdkGCSqGSIb3DQEHAaCCBcoEggXGMIIFwjCCBb4GCSqGSIb3DQEH
  BqCCBa8wggWrAgEAMIIFpAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIp8j1
  +5Rh9TQCAQGAggV4DUlYOI+VlGxuCXiGnDTYx+cR5XjPca7KW7L50D5lLQQHLr+U
  fV+QVEaELnQ1MKsMm87zl9AuycuI9EeOJnPTF9Ddxy32ODzaZ4/3BaXnHl2ETyzM
  IohydDJCfscT0r2TPNlE8XSknDfftK+3g3Aa0Gi+Nsq1+NXxTdYcfdXpZHvD9tk0
  QZInQy1UG+NhCERyOe6SIbynuCBfksk9g+rRjeNW4bTNRDpCJ1DnrtpN6BCq8VGN
  QMQagUZ1ONNLaFtQegd17RxWzXUZiWQgqf0jUZnr/BJQI9bPrISkA+JnysNU3MvS
  WVKKfyGQcsYD4ExH+wi6xkohKi7hj80s9cFOyq+xpXjikZw9gKMcpoY2lLs4ivIl
  4x9bB3EQ3xYW5nxbORwDx5xEyYLMUNkVRvC14ts+RB2QcEAXwq2JaaNuO6aBvjhj
  8mpHjXR+wkxV8Mm+UYEed2f1SuzjtZ966OPYW0YkmXGTH+wt/rxbCROAqnmh6HGz
  pU4H5/yhHgBIJOd6vZaKf5XlnX17wSniM+JRw4FsArVpuNOZFeCkDsHHFP6TPYII
  h2aS2jBEH2KW0KuzEP0rHOJ8WVjZgVucSu0pb+vVGw3MzsBl14CnL5kZcPe+81wJ
  XnFibhkucyo9arO/kcc7OtMcAuoktGfBVb1jrX6Se/SY8GFrzYbikNuT4DI4/dw+
  OinRXOX7S/Bhaefx4JSFYoL/7agD7f+kwzv7qAEyIQtjxoGgYuqY2lZVsbZL05dJ
  0D3xDkSDOc9H/5M5nZqP/xwnqVMoREPvt/a+ZdGezfzApUYUH/VAU4NzST44QcvM
  mdeeizpj0VwA7WdZOrMaJll927NGb1RikmtE+6ITgdiksuJVOeNWcXuq00sDAxvZ
  fv7tOQxgWX0+LNKaFd1Ef7PF9KqsJLQnbC28GC9GBNExcc9Pm+Kqfq6qj7HEosHt
  kPSfLFs0kkQQzq+G4xH6pzKQkG7Yt3xjLblI9IdWsCvuHLl8fgN0LHpVXPi9iftW
  PqGG8f9dCymAqHKFEnZzOiCcNlKKG+ddAN7Qb4mGVBYsaeROvVWBL2aAzIDpL7Uv
  8rFHsJVKk/yCruuNSDjmbbaTlYxb2iglo2MkgGsCO5X7fOPTCO3C+UikFyOi6/7c
  fSyn+LE6Za76kdRn4V2FHGG767nBxFBR/bB+uzngR+w/GzIgHQahpJ2xJlKumS2M
  yiy3kGYDhIN+WV6Lz91YwZpSobk1qrcn/7fzl2FFaY6+3+AgAXiOeVL7DyPHqm3N
  gX1EGBzwqeN9h7BeaTJvebhrvtLDU97UnPeyyFZTiSQWZhhRjqsr5mI69NvDybkq
  Db1Rx/Awnqg72RtnwOPxGNlTlRMUK7PjQNW6Kc2F7iy0byyNab9BEO6DNIN8RtXS
  WyioVOdFrFXIYPYnuvoPp46remUaaI4B4428cS7YfWHP5pq0j0PUj0gZnJM7aM0c
  VTHkVp2eZVSBFd9/Tv1q7+2tM5PhRE8ZCKcIIqJq2UJm4+HcIXGCgpIlfW3jL4t7
  qmkfu0ClnHgmoSJBycPxTPaU38FQk2ZmYcnV2RAZxtwL51q5WhAvXi0amATF2h6h
  FtcAP+Iq4Xx8s+wkcaK4I/puK0+wmMyslESWhq3RfB73BKyT9/J4FONliyAQP+4M
  JKkvkMAPx7Do6fqItHhbRR4FxQXg+al21UTLZ9aaY7PGjuqMZ40JY175qPG7CJFn
  bEOfHQGZjLbmqJfJByG6U5mQBoLr4XzTYPrtvErV/TrTGPK4RVATXgnQ/re7TD/G
  p0klPQcDHBkbnAuMVt88Q4QlqZKAov8ofLZr8IvlKsfmPFTFpfqCQCIMa1uGo6P9
  v8zGHGyvZwsOXwB1vMKAfpINCR0wPTAhMAkGBSsOAwIaBQAEFJb8DGrkwS6ApBkL
  0TXZXRY3WGx3BBSBXw+QkTTFm7BL+FS1KoeOupwmowICBAA=
  quit
  INFO: Import PKCS12 operation completed successfully
  ASA9(config)#
  ASA9(config)# sh crypto ca certificates
  Certificate
    Status: Available
    Certificate Serial Number: 6e85f150
    Certificate Usage: General Purpose
    Public Key Type: RSA (1024 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name:
      hostname=ASA9+serialNumber=123456789AB
    Subject Name:
      hostname=ASA9+serialNumber=123456789AB
    Validity Date:
      start date: 15:52:01 UTC Jan 12 2013
      end   date: 15:52:01 UTC Jan 10 2023
    Associated Trustpoints: TP2
  You might want to enable debugs: "debug crypto ca 255".
  Be carefull when typing password - watch out for trailing space !
  Michal

• Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

  SCCM 2012 has been successfully installed on the server:
  SRVSCCM.
  The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
  Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
  The cluster service is running on the account: sqlclusteruser
  The account has the appropriate SPN are registered:
  setspn -L domain\sqlclusteruser
  Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
  MSSQLSvc/CLS-SQL4
  MSSQLSvc/CLS-SQL4.domain.local
  MSSQLSvc/CLS-SQL4:11434
  MSSQLSvc/CLS-SQL4.domain.local:11434
  After some time on the cluster hosts every day started appearing new folders with files inside:
  srvboot.exe
  srvboot.ini
  srvboot.log
  srvboot.log contains the following information:
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
  Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
  Copyright (C) 2011 Microsoft Corp.
  Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
  Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
  Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
  Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
  Failed to retrieve SQL Server service account.
  Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
  Disconnecting from Site Server.
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

  The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
  Without successfull bootstrap the siteserver backup is not able to run successfully.
  Try grant everyone the read permisson on
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
  This worked for me.
  After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
  After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
  sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

• Steps to create your own self signed certificate with java plugin working

  You need two tools that comes with your jdk which are keytool and jarsigner.
  Steps explain below in detail. Don't use netscape signtool, it will NEVER work!
  * keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
  cn = Certificate name
  o = organistation
  ou = organistation unit
  c = country (first two letters)
  If don't put the -dname, you can fill it line by line.
  The -keypass has to be verify at the end, and you have to wait for it to create the rsa signing keys.
  On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if log in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for .keystore
  file. When you update it, check for the timestamp change and you know if you at the right spot.
  You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
  The .keystore contains a list of alias so you don't have to do this process again and again.
  Another tip if you want your certificate encryption validity to be more than the default one month is simply
  add the -validity <valDays>, after the -genkey option, to make your certificate usage for encryption to last much longer.
  Note: You MUST use the -keyalg rsa because for starters the rsa encyption alogorthim is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorthim when signing applets, else you will get all sorts of weird errors :)
  Do not use signtool because thats a browser dependant solution!! Java plugin is supposed to work via running it owns jre instead of the browser JVM. So if you going to use netscape signtool, it starts to become a mess! ie certificate will install, but applet won't start and give you funny security exception errors :)
  * keytool -export -alias tstkey -file MyTestCert.crt
  It will read the alias information in the .keystore information picking up the rsa private/public keys info and
  create your self sign certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
  If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
  If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
  * Put your classes in your jar file, my example is tst.jar.
  * jarsigner tst.jar tstkey
  Sign your testing jar file with your alias key that supports the RSA encryption alogorthim.
  * jarsigner -verify -verbose -certs tst.jar
  Check that its been verified.
  The last step is the most tricky one. Its to do with having your own CA (Certified Authority) so you don't
  have to fork out money straight away to buy a Verisign or Twarte certificate. The CA listing as you see in
  netscape browsers under security/signers, is NOT where the plugin looks at. The plugin looks at a file called
  CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your
  JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time in uses your
  JavaSoft folder and its the cacerts file that has to be updated you add your own CA, because thats where
  the plugin look at, NOT THE BROWSER. Everything about plugin is never to do with the browser!! :)
  * keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
  Off course point to your own cacerts file destination.
  Password to change it, is "changeit"
  Before you do this step make a copy of it in its own directory in case you do something silly.
  This example will add a CA with alias of my key called "tstkey" and store to my example destination.
  * keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
  List to see if another CA is added with your alias key.
  Your html, using Netscape embed and Internet explorer object tags to point to the java plugin,
  your own self sign applet certificate should work
  Cheers
  Abraham Khalil

  I follow Signed Applet in Plugin, and it's working on
  my computer. Thanks
  But When I open my applet from another computer on
  network, why it does not work ..?
  How to make this applet working at another computer
  without change the policy file ..?
  thanks in advance,
  AnomYou must install the certificate on that computers plugin. Can this be done from the web? can anyone suggest a batch file or otherwise that could do this for end users?
  I want a way for end users to accept my cert as Root or at least trust my cert so I dont have to buy one. I am not worried about my users refusing to accept my cert. just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.

• ASA self-signed certificate for Anyconnect 3.1, which attributes?

  Hi everybody,
  I can't find the detailed information which attributes are exactly needed for the Anyconnect 3.1 client to correctly identify the VPN server -ASA 8.4(4)1
  I have added two servers in the client connection profile:
  IP address, primary protocol IPsec
  IP address/non-default port number, primary protocol SSL
  Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
  Connecting via SSL issues an additional warning "Certificate does not match the server name".
  The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
  I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by the Anconnect 3.1, where can I find a detailed description, which attributes are required for Anyconnect SSL sessions? I'm convinced the identity (DN cn) is OK.

  Shamelessly bumping this question,
  Anyone out there (maybe from Cisco) who can tell us, which atttributes are required on a self signed certificate?
  I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server.

• Error when using sapgenpse import_own_cert to import a signed certificate

  We have installed a WebDispatcher and want to use SSL and executed the following steps:
  1. Generate Self-Signed Certificate and CSR by:
  sapgenpse get_pse -p SAPSSLS.pse -r SAPSSL.req "CN=emsd3c.cs-apps.carestreamhealth.com, OU=IT, O=Carestream Health, C=US"
  2. User service.sap.com/trust SSL Test Server Certifcated service to signed the CSR which looks like
  BEGIN CERTIFICATE-----
  MIIBpDCCAQ0CAQAwZDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEUNhcmVzdHJlYW0g
  SGVhbHRoMQswCQYDVQQLEwJJVDEsMCoGA1UEAxMjZW1zZDNjLmNzLWFwcHMuY2Fy
  ZXN0cmVhbWhlYWx0aC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAP+w
  TmRWeRlt1tg5GnjMloRhezO6lRJ1mhgNcWGQTECtAXDVypnznTFhimj3OG1zgW
  gItJ1u4GjvQuYR2w2T92UrV3mnORrlHfpYOBCngRwQWfSaG7Ih5g3NeQ4bAq60Ap
  0BwVg9hTpjZfTXfqYQHyzYPk6Pv9c+l0m3Va/DMfAgMBAAGgADANBgkqhkiG9w0B
  AQUFAAOBgQBw6ipAyPUor96WGIOu93v7jjxE0uLuCMkfjaHnuqpYaOWM7z6XQn
  2jWMwEKG4vsvU1X5azUuqA1yidH5+GXTD0VCbXUqLWZEP6S2FMJXixv/e3QELYrT
  qBee2JDYPAdoMkKX/cwshFwXXo41R/gjEwn6aBDg9jkA70xFZEOjTQ==
  BEGIN CERTIFICATE-----
  The certificated signed by SAP looks like and I have created a file called d3c_test.cer to contain it:
  BEGIN CERTIFICATE-----
  MIIC5zCCAlCgAwIBAgIDANTZMA0GCSqGSIb3DQEBBQUAMFAxCzAJBgNVBAYTAkRF
  MRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MQ8wDQYDVQQLEwZTZXJ2ZXIx
  EjAQBgNVBAMTCVNlcnZlciBDQTAeFw0wOTA3MjkxNzM4NDVaFw0wOTA5MjcxNzM4
  NDVaMIGAMQswCQYDVQQGEwJERTEcMBoGA1UEChMTU0FQIFRydXN0IENvbW11bml0
  eTEYMBYGA1UECxMPQ2FyZXN0cmVhbUhlYXRoMQswCQYDVQQLEwJJVDEsMCoGA1UE
  AxMjZW1zZDNjLmNzLWFwcHMuY2FyZXN0cmVhbWhlYWx0aC5jb20wgZ8wDQYJKoZI
  hvcNAQEBBQADgY0AMIGJAoGBAPjouDXa5nj8UQN77E53KCn1Xv2mI4uQMwz2cv
  2YLL0086PfLzv+GZgMNsykmFzCAw2Nq2PthvhRhIUSZmCWgF36vN3GnwYPhc3flw
  bvYGkeyFvJ3i3I0xiZTwVdvNDnd/GmLH6VCqCEbIwPXEJJamWop6SumaHl7h5KgV
  aaqPAgMBAAGjgZ0wgZowDAYDVR0TAQH/BAIwADAlBgNVHRIEHjAchhpodHRwOi8v
  c2VydmljZS5zYXAuY29tL1RDUzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8B
  Af8EBAMCBPAwHQYDVR0OBBYEFHBRAASwukLlThOY+NbGKycJGjjIMB8GA1UdIwQY
  MBaAFIHbg/NK+zUYCLkBvbcdW51zNVtJMA0GCSqGSIb3DQEBBQUAA4GBAIxe9gRz
  7UdawNwiIyKo2jvg6P0VnvPRMiyfMJdtbaTarinJmgP2yghMGKx84twvEds9GV42
  xUXbX/AHdgI3ef8N/WXvs15Hi4GnMdb/d7zhz3DAcjajbr7xmFycFFqRSwJ68Kb0
  JF2cZLtwh9G0dJZMbT5ihJ61mCVMXvIbH27s
  END CERTIFICATE-----
  3. Execute the following commend to import SAP's response (d3c_test.cer)
  sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
  Receive the following error:
  sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
  Please enter PIN: ****
  import_own_cert: Installation of certificate failed
  ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
  ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
  Any help will be appreciated.
  Thanks
  Rivers

  Hi Sri Garimella,
  As you have mentioned above to donwload root certificate also & giv the command as
  sapgenpse -import_own_cert -c d3c-test.cer -p SAPSSLS.pse -r <RootCA_cert_file>.
  Could you please help me from where can i get the RootCA_cert_file ?
  In service market place I am unable to find RootCA_cert_file.
  Could you please elloborate the issue ?
  Regards
  Hari

• Problem with placing self-signed certificate in trust store on WLS 10.3

  I have had some problems setting up two-way SSL on WLS 10.3.2.
  1. I have not been able to use the java properties listed on
  http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
  to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
  -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
  -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
  -DUseSunHttpHandler=true
  -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
  2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
  CA cert not marked with critical BasicConstraint indicating it is a CA
  Certificate chain is invalid
  which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
  by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
  Has anyone else noticed this?
  3. The error I get is
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server
  <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during hands
  hake, stack trace follows
  java.lang.NullPointerException
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tunin
  g)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  java.lang.Exception: New alert stack
  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
  alert with type 40?
  4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
  ** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
  -dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
  -storepass mypass -keypass mypass
  ** exported a DER format head certificate of mykey into mykey.cer.der
  ** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
  Any comments appreciated and thanks for this forum.

  Faisal,
  Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive.The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is
  quite impressive, thank you so much for this!

• Can you use a self signed certificate on an external Edge Server interface?

  Hi,
  I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
  interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
  cert is valid (root and intermediate have been checked for validity).
  At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
  Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
  Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
  I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
  Thx

  Drago,
  Thanks for all your help. I got it working.
  My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
  Let me update everyone about self-signed certificates:
  YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
  I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
  intermediate have been checked for validity).
  Here are my notes:
  Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
  On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
  Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
  You should have already completed: Step1 and Step 2.
  Run or Run Again "Step 3: Request, Install or Assign Certificates".
  Install the "Edge internal" certificate.
  Click "Request" button to run the "Certificate Request" wizard.
  You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
  Once the certificate has been created, use "Import Certificate" to import it.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
  In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
  Install the "Edge External" certificate (public Internet).
  Click the "Request" button to run the "Certificate Request" wizard.
  Press "next"
  Select "Prepare the request now, but send it later (offline certificate request).
  Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
  Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
  Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
  Fill in the organization info.
  Fill in the Geographical Information.
  The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
  Select your "Configured SIP domains"
  "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
  Verify the "certificate Request Summary". Click next.
  Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
   Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
  In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
  For the "External Edge certificate (public Internet), click "Assign".
  The "Certificate Assignment" wizard will run.
  Click next.
  From the list, select your cert "EXTERNAL-EDGE".
  Finish the wizard to "complete".
  You are finished on the server.
  Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
  When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
  Browse
  Select "Trusted Root Certification Authorities"
  Finish the wizard.

• SSL (Self Signed Certificate) in Business Connector

  After going through hundreds of messages, I am still not clear  about the steps involved in including SSL certificate with HTTP protocol.
  1. Instead of subscribing to Trusted Certificate Authority, can we ceate a Self Signed Certificate? If yes, how?
  2. Can anyone please explain the steps involved in including SSL certificate (configuring/importing the certificate)? We are successfully calling HTTP and sending the XML document to a HTTPS URL with authorized user name and password. I need to include SSL certificate to complete the requirement. I have looked at all the PDF documents that are available with BC installation and looked at many forums and still haven't found the answers.
  Thanks in advance.

  Hi Ramesh.
  When untrusted root certificates may be acceptable
  Some CAs may be trusted, but in only a very limited way. For example, a company with employees in diverse
  locations can make internal documents available to all its employees by setting up a Web site on an intranet that
  is only accessible from inside the corporate LAN (i.e. people on the Internet cannot see it). If there are
  documents on this site that should have limited access within the company (such as strategic plans or personnel
  documents), then these can be protected with SSL.
  Since both the servers as well as the browsers are on corporate-controlled equipment, it is well within the
  companyu2019s interests to act as its own CA. This means that the company can generate its own root certificate
  with which it can sign as many SSL certificates as required for the servers deployed in its intranet. Once this is
  done, this certificate should be installed into the certificate stores of all the browsers used in the company. Since
  the computers these browsers run on are controlled by the company, this is easy to do: the corporate IT
  department can have a policy that the companyu2019s root certificate is installed in the browseru2019s certificate store
  whenever a new computer is set up. This prevents security warnings from being displayed whenever an
  employee accesses an SSL-secured site on the company intranet.
  The advantage to the company is that it can deploy secured sites anywhere on its intranet without purchasing
  certificates from an external CA. Note that if the company also runs an e-commerce site, then it should purchase
  its SSL certificate from a trusted CA and not use an internal one for sites accessible to the public, who will not
  have the certificate installed by the corporate IT department, and thus would receive a security warning.
  In such an environment, an unscrupulous employee (most likely a member of the IT team) who has access to
  the private key could launch very successful MITM attacks against employees who visit SSL-protected ecommerce
  and e-banking sites at work. This will be discussed later in this document. However, the company
  can easily protect itself by warning employees not to visit such sites on company time or equipment, since they
  are not u201Cbusiness related activities.u201D
  Please see this doc related to trusted and untrusted certificate.
  http://www.sericontech.com/Downloads/Untrusted_Root_Certificates_Considered_Harmful.pdf

• Keytool self-signed certificate.

  Using Keyman on hp-unix. Wanted to create self-signed certificate.
  When I tried to create, it asked to create keys. I created them. Then I could select self-signed and create it. This is listed under private certificates. Now what to do? For somebody to trust this certificate, do I have to take it to another database on another box?
  Say, I created a private certificate pc1 at Box1. For Box2 to trust Box1, I guess I need to take this certificate and put it on Box2. (exporting from box1 and importing to box2). Is this what I am supposed to do? Or am I understanding something different? If I am correct, it(keyman) is not giving me option to export the certificate.
  Please help.

  Using ikeyman, Not keytool