Installing new SSL certificate on CUCM 7.1 (Verisign or Geotrust)

Similar Messages

• New SSL certificate with 2048 bit shows error: (Fehlercode: sec_error_unknown_issuer)

  installed a new SSL certificate with 2048 bit encryption (as is now required by issuer of certificate). Everything is OK with IE, FF shows error: (Fehlercode: sec_error_unknown_issuer)
  == URL of affected sites ==
  https://www.dongil.at/

  I have also tried all the solutions mentioned - but no luck.
  I wrote to Geotrust support and the pointed out that I needed the intermediate certificate and provided me with this url:
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
  Please note, this intermediate certificate was *not* the same is linked to above - seems like there are 2 different intermediate certificates, depending on what type of certificate you got from Geotrust.
  Just to recap - if you got yourself a "QuickSSL, QuickSSL Premium or SSL Trial"-certificate (like me) then use this intermediate:
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
  If you got a "True BusinessID or Enterprise SSL"-certificate, you should use this:
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1423
  - Lasse

• Installing an SSL certificate for a CSS 11503

  I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
  I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

  Allen,
  The portion of the configuration guide related to SSL certificates and keys can be found here:
  http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
  To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
  ~Zach

• Problem Installing Entrust SSL Certificate

  Hello:
  We are using BEA Weblogic 6.1 SP1. This year when we renew SSL certificate, we changed vendor from Verisign to Entrust. I just got the certificate from Entrust. Here's what happended:
  1. In the Entrust certificate email, it says "Entrust would like to inform you that as of January 1, 2004, the current GTE Corporation chain certificate that is distributed with all Entrust SSL certificates, will no longer be distributed with certificates that have an expiry date greater than January 1, 2006". However, I can't get Weblogic started on SSL without a valid ServerCertificateChainFileName. So I got the ServerChainFile from http://www.entrust.net/tech/weblogic6/removechain.cfm and saved the certificate into entrust-cert.pem file.
  2. It works on the server with BEA development license. However, when I move it to test web server with "SSL/Export" license, it gives this error "<License allows low strength (export) SSL.>" and Weblogic won't even start on both HTTP and SSL port.
  3. After trying all sorts of things and nothing helped, I'm wondering whether it's OK to use the same CSR request I generated using Weblogic certificate servlet last year, since no information has been changed since then?
  Does anybody have similar experience and can you shed some light on how to solve this issue. Should I contact Entrust to get a low strength SSL?
  Thanks in advance!
  Jenny

  It looks like you have the correct certificate but perhaps didn't import it the correct way. Did you create the Certificate Request on the same machine as you imported it? Otherwise you don't have the private key. If not them import the certificate on the
  same where you created the CR and then export the certificatye and make sure you select to export the private key as well and then import it on the RDS. If you followed the import steps correctly I suggest you contact GoDaddy to make sure the delivered
  a valid certificate.
  Kind regards,
  Freek Berson
  http://microsoftplatform.blogspot.com/

• How do I install a new SSL certificate?

  I am running Weblogic 6.1 on Windows 2000. I recieved a renewal notice from Verisign
  and purchased new certificates. I would like to put them in place but am a bit
  lost. I am new to Weblogic and am used to installing certificates in IIS. There
  seems to be no "install" feature under Weblogic.
  Do I just change the name of the path to point to the new certificate?
  Will I need to stop and restart the Weblogic services? Does this have the potential
  to take down the website?
  Any help would be greatly appreciated.
  Thanks in advance.
  ~Sheri

  This is something you'd have to do on Go Daddy, its not something that would be done in Muse.
  Go Daddy's page on their SSL service is: SSL Certificates | Secure Your Data & Transactions - GoDaddy

• Installing a new SSL Certificate to Exchange

  Hi,
  We have a Windows Server 2008 R2 machine running Exchange 2010 (sorry, there wasn't an option for a 2010 forum). As a company which handles payments, we need to be PCI DSS registered and the scan has picked up a failing point being we don't have
  an SSL Certificate installed. I have purchased one via GoDaddy and followed the instructions on their site to install it, however the PCI DSS scan is still failing because of the following reason:-
  "The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority."
  The certificate at the top of the chain is the 'built-in' default certificate. How do I promote the installed GoDaddy certificate to the top of the chain?
  Thanks

  Hi,
  Please refer to this similar thread.
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/e80a77f8-4f88-439e-85dd-76463c7a69d3/certification-authority?forum=winserversecurity
  And try to Save your root CA(s) public certificate in PEM format into a text file to PCI DSS scanner.
  Hope this will be helpful for you.

• New SSL certificate is not being displayed correctly in FF, error: ssl_error_rx_unexpected_server_key_exch

  I have installed a new SSL cert with associated chained root onto my SSL module.
  The certificate and its chain have been verified by verisign as being ok.
  The certificate handshake and exchange works fine on several other browser and OS combinations except FF. Unfortunately out customer base is heavily focussed on FF.
  Working (old certificate)
  https://eproc-europe.electrocomponents.com/emea/form-interface
  Not working (new certificate)
  https://eproc-americas.electrocomponents.com/amer/form-interface
  Any assistance would be greatly appreciated
  Regards
  Chris

  You can try to disable libPKIX support in Firefox, but it is not recommended to leave it disabled on the long run for security and vulnerability reasons.
  *<b>about:config</b> page: security.use_mozillapkix_verification = false
  Note that support for the security.use_mozillapkix_verification pref to disable PKIX has been removed in Firefox 33.

• Exchange 2007 - Outlook Anywhere problems after installing new SSL cert

  *** Original thread posted on wrong forum ***
  Hi all,
  Exchange 2007 environment (2x CAS, ISA2006). Not much familiar with Exchange.
  Problem: 20-odd machines off the domain use Outlook Anywhere (XP with Outlook 2010). AUthentication pop-up and not able to connect.
  Company has recently changed its name and we have to renewed the SSL cert. Previous SSL cert. was issued to: webmail.oldcompname.co.uk (several SANs on that cert., including internal server names).
  Applied for a new UCC SSL cert issued to: newcompanyname.com (also includes webmail.newcompanyname.com ; autodiscover.newcompanyname.com + old SANs).
  The setting on those machines point the proxy to the following:
  Https://webmail.oldcompname.co.uk (which is fine since it is in the cert and can be accessed)
  Only connect to proxy servers that have this principal name in their cert.: 
  msstd:webmail.oldcompname.co.uk (I believe this is the problem since the new UCC SSL cert. was issued to newcompanyname.com).
  Browsing technet + internet it seems that I need to look into OutlookProvider EXPR.
  When I run Get-OutlookProvider everything is blank (I believe I should be concerned to EXPR only for Outlook Anywhere).
  I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com
  My only concern is whether this might break something else in the Exchange environment, especially as we have 100+ users on smartphones connecting via SSL on webmail.oldcompname.co.uk
  Is it save to run this command? Do I need to re-start IIS? Do I need to look into any settings on ISA2006?
  Comments/help are much appreciated.
  Regards 

  Hi,
  According to the description, I found that we re-new a SSL certificate.
  "I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com"
  Just do it. Then remove the old certificate on ISA server and install a new one.
  Found a similar thread for your reference:
  Renewal of SSL certificate in exchange 2007 with ISA 2006
  http://social.technet.microsoft.com/Forums/exchange/en-US/25770038-8491-470a-92fa-8ae50674b7a6/renewal-of-ssl-certificate-in-exchange-2007-with-isa-2006
  Hope it is helpful
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• ACS Not installing renewed SSL Certificate for PEAP/EAP-TLS?

  We recently renewed our SSL certificate through RapidSSL. While attempting to install the new certificate into ACS, I was given the prompt to showing the updated dates, confirmed and installed the new certificate, deleting the old. I restarted ACS, as required, but when trying to enable PEAP or EAP-TLS, I am getting the error "Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
  The worst part, is that I when I tried to reinstall the old certificate, I am now getting the same problem.
  Any suggestions?

  Matt,
  How did you perform the CSR.... did you use ACS or OpenSSL? Also, did you verify that the certificate is in the trusted personal folder on the server?
  Scott

• Error installing standard SSL certificate

  - Using Sun Java System Web Server 7.0 U4. Fresh install on clean server. Created an instance for SSL. However, when installing the standard SSL certificate on the instance configuration, I get the following error:
  ADMIN4078: Unable to retrieve output from command: /Sun/WebServer7/lib/CertificateMgrUtil.exe
  I'm new to Sun 7 (we've been using 6.1) and I'm not familar with this CertificateMgrUtil.exe. Can anyone shed some light on what this is and what steps I would need to take for this utility?
  Thanks

  Please do the following:
  - Try running administration server with the log-level 'finest'.
  - Then do the same action that gave raise to the error that you are facing.
  - After that look in to .../admin-server/logs/errors to see the error.
  - Copy paste that error here.
  BTW, have you enabled Dr.Watson? Check in Event viewer to see if the process crashed. Dr.Watson output would be useful too.

• Installing single SSL certificate on primary/secondary ACS boxes

  I am trying to install the same SSL certificate I have installed on my primary ACS on my secondary ACS. I have replication configured and working between the two. The primary is the ACS appliance. The secondary is windows v3.3. The problem is the secondary ACS does not know about the private key file created during the CSR so I get an error when I try to install the certificate. So, what do I have to do to get around this? Obviously the certificate information is not copied over during replication. Is there a way to import it over manually?
  Can I install the same certificate or do I need to do a separate CSR and install a separate certificate?

  Yes you can use same cert for both the acs. On appliance download the cert and pvk file on your FTP root.
  Move both files to acs windows and upload the certs and pvk file. Retype the private key (you need to remember it )
  On windows acs--->install new cert---->use Read certificate from file--->put the location of cert like D:\Jar.cer
  Give the location of Private key file---->D:\prv.pvk-----> Type the pvt key --->submit.
  Regards,
  ~JG
  Do rate helpful posts

• Installing a SSL certificate for WebVPN

  We purchased a SSL certficate from network solutions to interface with our webvpn connections. This is what they sent us:
  AddTrustExternalCARoot.crt
  NetworkSolutions_CA.crt
  UTNAddTrustServer_CA.crt
  WEBVPN.MYSITE.COM.crt (name changed to protect privacy)
  I've had absolutely no luck getting the identity certificate installed, and I have no idea what the other certs are really used for.
  Try #1:
  I figured that using the ASDM was easier to deal with certs so I navigated to the identity certificates section. I tried to import an identity certificate from a file by browsing to the identity certificate and click add certificate. But it stops me and says "Passphrase cannot be empty." I talked to network solutions and they don't have a passphrase for me. So then I just make up anything and click Add Certificate but I get stopped with this error: ERROR: Import PKCS12 operation failed.
  Try #2:
  At the identity certificates page in ASDM I clicked Add and then tried to add a new identity certificate by filling out all the parameters. This prompts me to save a CSR file to my computer. Ok done. But the certificate is not 'installed'.
       Try #2.1
       To get the certificate installed I tried clicking 'install' and browsing to WEBVPN.MYSITE.COM.crt. Upon hitting OK I get stopped with the following error: Cannot import certificate - Certificate does not contain device's General Purpose public key for trust point ASDM_TrustPoint1. ERROR: Failed to parse or verify imported certificate.
       Try #2.2
       I thought the CSR file is something important so I sent the CSR file to network solutions and they sent back a 'validation.xps' file. I tried to use this to 'install' into the identity certificate I just added. Unfortunately I get the following error when doing so: ERROR: Failed to parse or verify imported certificate.
  I called network solutions and tried to explain to them and they of course had no idea what I'm talking about.
  Is anyone familiar with this process that can point me in the right direction to install the cert?Thanks

  I know this is a really old question and our solution was pretty silly, but this is still one of the top results for "Passphrase cannot be empty."
  In our case, the cert we had purchased was not in PKCS12 format, but the regular PEM format.  You need to convert it using openssl:
  openssl pkcs12 -export -in prod_cert.pem -out prod_cert.pkcs12 -name "New Cert"
  It will ask you for a password, which you supply, then use that cert and password with the Cisco Cert import.
  They're one of the few appliances I have seen that don't accept unencrypted PEM files.
  Hope this is of use to someone else.

• How to install a SSL certificate on Azure?

  Hi,
  I am trying to install an SSL cert on my Azure instance. I followed this tutorial: http://www.windowsazure.com/en-us/documentation/articles/cloud-services-configure-ssl-certificate/
  However, when I deploy the package on to the staging instance it does not start up. And we can't retrieve detailed bug, and can't connect remotely to that instance.
  I am not sure what else can be done? Please help?

  hi,
  Did you upload cert into staging environment? How did you set the Https endpoint on your service definition file ?Did you try to change http to https to access cloud service? I suggest you could try to use https to visit your cloudservice firstly. If it
  doesn't work, please check your endpoints setting in your project.
  >>And we can't retrieve detailed bug, and can't connect remotely to that instance.
  Did you enable the Remote desktop? You could enable the remote desktop on your deployment (http://msdn.microsoft.com/en-us/library/windowsazure/gg443832.aspx ). Any latest info,
  please let me know.
  Hope this helps.
  Will
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Problem Installing a SSL Certificate on a RD Server

  I'm trying to install a 3rd party SSL Certificate (GoDaddy) on my RD Session Host server (2008 R2).  I generated the request through IIS, received the cert from GoDaddy and imported it into [Certificates(Local Computer)\Personal\Certificates]. 
  I then went to RD Session Host Configuration,  and RDP-Tcp, and chose to select certificate.... however, I'm not given a choice...instead I receive a dialogue box saying "There are no certificates installed on this Remote Desktop Session Host server". 
  Any ideas why I cannot choose the cert?  Do I request the cert improperly ?  I'm stuck here...  thanks in advance for any tips!
  Scott

  It looks like you have the correct certificate but perhaps didn't import it the correct way. Did you create the Certificate Request on the same machine as you imported it? Otherwise you don't have the private key. If not them import the certificate on the
  same where you created the CR and then export the certificatye and make sure you select to export the private key as well and then import it on the RDS. If you followed the import steps correctly I suggest you contact GoDaddy to make sure the delivered
  a valid certificate.
  Kind regards,
  Freek Berson
  http://microsoftplatform.blogspot.com/

• New SSL certificate for M670 process?

  Can someone help me with the current process for installing a new certificate on an M670 running 8.1.0-476?  Do I still use OPENSSL to generate the private key, and then get the certificate signed and import the certificate via CLI, pem format?
  Can I install a SAN certificate?  I have one DNS name spam.domain.com for the two (internal and external) SPAM quarantine interfaces and another name mspam.domain.com for the management interface.
  Appreciate the input, I only do this every three years and the process has changed the last two times and I find nothing in the documentation. 
  Jason

  Jason -
  You can use a SAN certificate - as long as the machine names are specified and signed off in the cert by your signer.
  Had previous saved notes for similar questions in the past --- see if this helps:
  For full create and install:
  http://tools.cisco.com/squish/39054
  Starting with AsyncOS version 7.1 it is possible to generate a self-signing request on the ESA appliance. This can be used as a workaround to create certificates for SMAs.
  On an ESA, create a self-signed certificate that will be used for the SMA. This can be done under GUI: Network > Certificates
  Detailed description how to generate a certificate can be found within the knowledge base article 1634.
  It is important, when creating a certificate, for common name to use the hostname of the SMA (M-Series) and not of the ESA (C-Series), so that the certificate can be properly used. Submit and commit changes.
  Use GUI: Network > Certificates > Export Certificates to export certificate.
  Give it a file name (e.g. mycert) and password that will be used when converting the certificate. Exported certificate will be in .pfx format. The M-Series only supports .pem format for importing, so this certificate needs to be converted.
  To convert certificate from .pfx format to .pem format, please use the following OpenSSL syntax:
  openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
  Windows version of OpenSSL can be downloaded from:http://www.slproweb.com/products/Win32OpenSSL.html  Make sure Visual C++ 2008 Redistributable is installed first before the OpenSSL Win32.
  Versions for Mac, Linux, and other operation systems can be downloaded from http://www.openssl.org/source/
  After converting the certificate to the correct format, one should now have available both - the certificate and the corresponding key in .pem format. It is recommended to sign it by a trusted Certification Authority (CA). Cisco doesn't recommend a specific CA, this is up to the choice of the customer.
  To have this signed, simply select "Download certificate signing request" in the GUI of the ESA (Network > Certificates >select the corresponding certificate created for the SMA) and submit it to the trusted CA of choice.
  The signed certificate or the self-signed certificate, and the key in .pem format, can be imported now in the SMA. To learn how to do it, please use the corresponding Installing Certificates on an IronPort Email Security Appliance.
  Let me know!
  -Robert