Installing self signed certificate

Similar Messages

• Step by Step Instructions for Installing Self Signed Certificate using Certificate Modification Tool

  I am looking for some step by step instructions for installing the self signed certificate from my Microsoft SBS 2003 server on a Treo 755p and 750p.  In particular I need some help with the form of the actual certificate and how to use the Certificate Modification tool. 
  Some questions I have are as follows:
  1. When I install the certificate on a Windows Mobile device I used an exported version of the certificate.  This export is done using the DER x.509 format.  Is that the same form I’ll need for the Palm?  Do I need some other form? Can/should I just use sbscert.cer file that is generated when SBS is configured?
  2. Does the self signed cert need to be installed on the computer being used to update the Palm or do we just need to be able to access the appropriate .CER file?
  3. There are three things included in the PalmCertificatesTool.zip file:
                                  Trusted CAs (folder)
                                  Cert2pdb.exe
                                  PalmCertificates.exe
     How do I use these tools?
  4. It looks like the PalmCertificates.exe file opens an interface that will allow me to browse to the desired .CER file.  Then I suppose I use the < Generate PDB > to create something that needs to then be uploaded to the Palm device?  Not having any real experience with a Palm device how do I upload and install this file? 
  5. Once uploaded do I do something on the device to install it?
  If there is some white paper that provides step by step instructions on doing this that would be great.
  Thanks,
  Walt Bell
  Post relates to: Treo 755p (Verizon)
  Post relates to: Treo 755p (Verizon)

  Thanks for that.
  I have one question after reading the article 43375:
  The article has you "Turn of AutoSync" and then "Reset the device".  It then indicates the device should be left idle. 
  The next step relates to running the PalmCertificates.exe, navigate to the certificate file and add it and then run the < Generate PDB > button.  Should the device be connected to the computer during this process? If so, at what point after the reset do you connect it to the computer?
  Thanks!
  Post relates to: Treo 755p (Verizon)

• How to install self-signed certificate with iOS 4?

  I've been trying to install a self-signed certificate in iOS 4 with no avail. I have a webserver at home in which I connect to via SSL using a self-signed cert. It used to work in 3.1.3; it would kick out a dialog, but you were able to continue to the page. Now with iOS 4, that is no longer the case, I am unable to view the site.
  I have tried several things. I have tried emailing the cert. to myself and installing it. I get it installed but says it's untrusted and am not able to view the site. I have tried converting my .pem that is on my server to .p12 and that didn't work. I tried going to the site in Safari on my Mac and adding the cert. to the keychain and then syncing; that didn't work. I tried taking that cert. in the keychain, making sure it was trusted, exporting it to .cer and adding that to a configuration profile I created in the iPhone Configuration Utility.. that did not work despite the fact that it showed it as trusted. Am I doing something wrong or missing something here?

  I've been trying to install a self-signed certificate in iOS 4 with no avail. I have a webserver at home in which I connect to via SSL using a self-signed cert. It used to work in 3.1.3; it would kick out a dialog, but you were able to continue to the page. Now with iOS 4, that is no longer the case, I am unable to view the site.
  I have tried several things. I have tried emailing the cert. to myself and installing it. I get it installed but says it's untrusted and am not able to view the site. I have tried converting my .pem that is on my server to .p12 and that didn't work. I tried going to the site in Safari on my Mac and adding the cert. to the keychain and then syncing; that didn't work. I tried taking that cert. in the keychain, making sure it was trusted, exporting it to .cer and adding that to a configuration profile I created in the iPhone Configuration Utility.. that did not work despite the fact that it showed it as trusted. Am I doing something wrong or missing something here?

• Self Signed Certificate for Web Proxy 4.0.2

  Does anyone have instructions on how to create and install self signed Certificate for Web Proxy Server 4.0.2? My OS is RHEL 4.
  Shed.

  Unfortunately you will not be able to do that from the GUI.
  You will have to use certutil frin proxy-install/bin/proxy/admin/bin/certutil
  Make sure that your LD_LIBRARY_PATH includes proxy-install/bin/proxy/lib
  (start -shell will give you a shell with all necessary paths set.)
  create a file called password-file which contains your password to your cert database
  your cert database resides in the alias directory of proxy installation.
  certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234
  -f password-file -d certdir

• Is it possible to install a self-signed certificate to a phone?

  I made a self-signed certificate with KeyTool and I use the corresponding private key sign a MIDLet with jarsign tool.
  Now I don't know how to install the certificate to my phone. I also want to is it possible to do this?
  thanks.

  Hi,
  Check out this
  http://www.spindriftpages.net/pebble/dave/2006/06/18/1150641917692.html
  thanks,
  anup

• Why, when I successfully connect to Server 2012 Essentials R2 via Anywhere Access does the Remote Desktop Connection use the self signed certificate for RDP instead of the SSL certificate I installed when I set up access anywhere?

  Scenario:
  Windows Server 2012 R2 Essentials
  I purchased an SSL Cert from GoDaddy and I managed (after some challenges) to set up Anywhere access to use that new SSL Cert. I to rebooted the server and I am able to login to Anywhere Access vis https (using the SSL certificate) from PC, Mac and iOS.
  So far so good.
  The problem I am having is that when I click to launch a remote desktop connection to the server RDP connection wants to use the self signed SSL certificate of the server rather than the SSL Certificate I installed into Anywhere Access. As a result, I get
  a security warning like this: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
  The name in the certificate appears as ACME-SERVER.ACMEDOMAIN.local  instead of the SSL Certificate I installed, which is
  remote.acmedomain.com
  If I lick to accept, RDP does work fine, it;s just using a self signed certificate. I want it to use the trusted certificate that I purchased and installed.
  My guess is that there must be an additional step to tell Anywhere Access that when it generates the RDP session that it should use the cert? OR, is this just how it works?

  Because....
  the server does not have a 'trusted' certificate assigned to it.
  Only the RDP Gateway has the trusted certificate for the external name.
  If you want to remove that error, you have to do one of the following:
  Make sure your domain uses a public top level domaim, and get a public trusted certificate for your server.
  So, something like,
  server.domain.publicdomain.com
  Or,
  Install that certificate on your remote computer so it is trusted.
  Robert Pearman SBS MVP
  itauthority.co.uk |
  Title(Required)
  Facebook |
  Twitter |
  Linked in |
  Google+

• How-to install a self-signed certificate on Sony Ericcson W350

  I am a developer and I am writing a j2me application for a Sony Ericcson W350 phone which needs to be able to use the phones SMS capabilities.  I have a signed .jar and .jad file with a self-signed certificate.  However, the phone is still treating my application as an untrusted third party app.  I think this is occuring because my self-signed certificate isn't in the java certificate store on the phone. Is there a way to load my self-signed certificate into the java certificate store?  I have tried copying it over to the phone via bluetooth and usb and installing it through the filesystem, however there isn't an option to install the certificate when browsing to it from the phone's filesystem.  Any help would be much appricated.

  Deactivating existing Java certificates prevented me from installing the .jad file.  I accessed the phone's file system using both Sony PC Companion with USB and using the OS file browser over bluetooth.

• ACS 5.3 / Self Signed / Certificate base auth

  Hello,
  Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.
  We have exported it to have a Trusted Certificate for client machine.
  This certificat has been installed on a laptop.
  The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)
  I have this error in the log:
  12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain
  I think the Access Policies (identity & authorization) are misconfigured:
  > I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
  > Identity: System:EAPauthentication match EAP-TLS
  id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
  > authorization: System:WasMachineAuthenticated=True
  Thanks for your help,
  regards,

  Hello,
  I found the answer here:
  https://supportforums.cisco.com/message/1298039#1298039
  ACS self-signed certificate is not compatible with EAP-TLS
  Thanks,

• How to register iOS device when using self signed certificate with apple Server?

  Hi,
  I have installed the server.app by Apple and used a slef signed certificate for my server. Now I want to register my different devices (iMac, iPhone etc.). I could register the iMac without problesm (I just had to add my self signed certificate to the trusted certificates)
  Sadly, with the iPhone it is not that easy. I can install the "trust profile", but still after that I can not register my device. It seems like it does not accept my self signed certificate for device registration. When adding a registration profile, I get the error "www._mydomain_.tld/devicemanagement/api/device/auto_join_ota_service" is not valid.
  Nethertheless, I can install a profile with setting, e.g. my imap settings, via the profile management without problems.
  Does anyone have an idea how to get around the problem with the self signed certificate?
  Best regards

  Try deleting the Server.app and download it again from the App Store, restart.
  My Server is also using self signed certificates and is working with iOS device (Trust Profile needed first).

• Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

  SCCM 2012 has been successfully installed on the server:
  SRVSCCM.
  The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
  Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
  The cluster service is running on the account: sqlclusteruser
  The account has the appropriate SPN are registered:
  setspn -L domain\sqlclusteruser
  Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
  MSSQLSvc/CLS-SQL4
  MSSQLSvc/CLS-SQL4.domain.local
  MSSQLSvc/CLS-SQL4:11434
  MSSQLSvc/CLS-SQL4.domain.local:11434
  After some time on the cluster hosts every day started appearing new folders with files inside:
  srvboot.exe
  srvboot.ini
  srvboot.log
  srvboot.log contains the following information:
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
  Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
  Copyright (C) 2011 Microsoft Corp.
  Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
  Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
  Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
  Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
  Failed to retrieve SQL Server service account.
  Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
  Disconnecting from Site Server.
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

  The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
  Without successfull bootstrap the siteserver backup is not able to run successfully.
  Try grant everyone the read permisson on
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
  This worked for me.
  After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
  After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
  sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

• How to replace an expiring self-signed certificate?

  Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
  First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
  It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
  The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
  It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
  I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
  I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
  Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
  http://screencast.com/t/zlVyR2Hsc
  Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
  Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
  http://screencast.com/t/54c2BUJuXO2
  Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
  Be aware that creating certificates starts to populate your server Keychain.
  http://screencast.com/t/JjLb4YkAM
  It appears that when you start to delete certificates, it leaves behind private keys.
  http://screencast.com/t/XD9zO3n16z
  If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
  OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
  In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
  Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
  Bypass "Introduction".
  In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
  The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
  You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
  In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
  The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
  (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
  Pant, pant...
  The next window asks for an email address and location information - this appears to be optional.
  Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
  Key Usage Extension window
  Here's where it gets interesting...
  I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
  Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
  Extended Key Usage Extension...
  Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
  Sorry, folks, I just HAVE to show you the help for this window...
  +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
  KILL ME NOW!!!
  OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
  Basic Constraints Extension...
  Well, there is no mention of that on the original certificate, so leave it unchecked.
  Subject Alternate Name Extension...
  Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
  DONE!!!! Let's see what the heck we got!
  http://screencast.com/t/QgU86suCiQH
  Well, I don't know about you but that looks pretty close for Jazz?
  I got some extra crap in there but the stuff from the original cert is all there.
  Think we're OK??
  Out with the old certificate (delete).
  Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
  http://screencast.com/t/bydMfhXcBFDH
  Oh yeah...one more thing in KeyChain Access...
  See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
  http://screencast.com/t/GdZfxBkHrea
  Select "Always Trust".
  I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
  I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
  Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
  If you want to see my rant on Apple's worthless documentation, it's here.
  http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

  to add to countryschool and john orban's experiences:
  using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
  in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
  when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
  supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
  you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
  now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
  after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
  lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
  maybe that's hopeful to somebody. but i stopped there since things seem to be working.
  last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
  now, we'll see how everything works once people start really using it...

• Steps to create your own self signed certificate with java plugin working

  You need two tools that comes with your jdk which are keytool and jarsigner.
  Steps explain below in detail. Don't use netscape signtool, it will NEVER work!
  * keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
  cn = Certificate name
  o = organistation
  ou = organistation unit
  c = country (first two letters)
  If don't put the -dname, you can fill it line by line.
  The -keypass has to be verify at the end, and you have to wait for it to create the rsa signing keys.
  On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if log in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for .keystore
  file. When you update it, check for the timestamp change and you know if you at the right spot.
  You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
  The .keystore contains a list of alias so you don't have to do this process again and again.
  Another tip if you want your certificate encryption validity to be more than the default one month is simply
  add the -validity <valDays>, after the -genkey option, to make your certificate usage for encryption to last much longer.
  Note: You MUST use the -keyalg rsa because for starters the rsa encyption alogorthim is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorthim when signing applets, else you will get all sorts of weird errors :)
  Do not use signtool because thats a browser dependant solution!! Java plugin is supposed to work via running it owns jre instead of the browser JVM. So if you going to use netscape signtool, it starts to become a mess! ie certificate will install, but applet won't start and give you funny security exception errors :)
  * keytool -export -alias tstkey -file MyTestCert.crt
  It will read the alias information in the .keystore information picking up the rsa private/public keys info and
  create your self sign certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
  If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
  If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
  * Put your classes in your jar file, my example is tst.jar.
  * jarsigner tst.jar tstkey
  Sign your testing jar file with your alias key that supports the RSA encryption alogorthim.
  * jarsigner -verify -verbose -certs tst.jar
  Check that its been verified.
  The last step is the most tricky one. Its to do with having your own CA (Certified Authority) so you don't
  have to fork out money straight away to buy a Verisign or Twarte certificate. The CA listing as you see in
  netscape browsers under security/signers, is NOT where the plugin looks at. The plugin looks at a file called
  CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your
  JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time in uses your
  JavaSoft folder and its the cacerts file that has to be updated you add your own CA, because thats where
  the plugin look at, NOT THE BROWSER. Everything about plugin is never to do with the browser!! :)
  * keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
  Off course point to your own cacerts file destination.
  Password to change it, is "changeit"
  Before you do this step make a copy of it in its own directory in case you do something silly.
  This example will add a CA with alias of my key called "tstkey" and store to my example destination.
  * keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
  List to see if another CA is added with your alias key.
  Your html, using Netscape embed and Internet explorer object tags to point to the java plugin,
  your own self sign applet certificate should work
  Cheers
  Abraham Khalil

  I follow Signed Applet in Plugin, and it's working on
  my computer. Thanks
  But When I open my applet from another computer on
  network, why it does not work ..?
  How to make this applet working at another computer
  without change the policy file ..?
  thanks in advance,
  AnomYou must install the certificate on that computers plugin. Can this be done from the web? can anyone suggest a batch file or otherwise that could do this for end users?
  I want a way for end users to accept my cert as Root or at least trust my cert so I dont have to buy one. I am not worried about my users refusing to accept my cert. just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.

• How to use self-signed Certificate or No-Check-Certificate in Browser ?

  Folks,
  Hello. I am running Oracle Database 11gR1 with Operaing System Oracle Linux 5. But Enterprise Manager Console cannot display in Browser. I do it in this way:
  [user@localhost bin]$ ./emctl start dbconsole
  The command returns the output:
  https://localhost.localdomain:1158/em/console/aboutApplication
  Starting Oracle Enterprise Manager 11g Database Control ... ...
  I open the link https://localhost.localdomain:1158/em/console/aboutApplication in browser, this message comes up:
  The connection to localhost.localdomain: 1158 cannot be established.
  [user@localhost bin]$ ./emctl status dbconsole
  The command returns this message: not running.
  [user@localhost bin]$ wget https://localhost.localdomain:1158/em
  The command returns the output:
  10:48:08 https://localhost.localdomain:1158/em
  Resolving localhost.localdomain... 127.0.0.1
  Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
  ERROR: cannot verify localhost.localdomain's certificate, issued by `/DC=com/C=US/ST=CA/L=EnterpriseManager on localhost.localdomain/O=EnterpriseManager on localhost.localdomain/OU=EnterpriseManager on localhost.localdomain/CN=localhost.localdomain/[email protected]':
  Self-signed certificate encountered.
  To connect to localhost.localdomain insecurely, use `--no-check-certificate'.
  Unable to establish SSL connection.
  A long time ago when I installed Database Server Oracle 11gR1 into my computer, https://localhost.localdomain:1158/em in Browser comes up this message:
  Website certified by an Unknown Authority. Examine Certificate...
  I select Accept this certificate permanently. Then https://localhost.localdomain:1158/em/console/logon/logon in Browser displays successfully.
  But after shut down Operating System Oracle Linux 5 and reopen the OS, https://localhost.localdomain:1158/em/console/logon/logon in Browser returns a blank screen with nothing, and no more message comes up to accept Certificate.
  My browser Mozilla Firefox, dbconsole, and Database Server 11gR1 are in the same physical machine.I have checked Mozilla Firefox in the following way:
  Edit Menu > Preferences > Advanced > Security > View Certificates > Certificate Manager > Web Sites and Authorities
  In web sites tab, there is only one Certificate Name: Enterprise Manager on localhost.localdomain
  In Authorities tab, there are a few names as indicated in the above output of wget.
  My question is: How to use self-signed certificate and no-check-certificate in Mozilla Firefox for EM console to display ?
  Thanks.

  Neither problem nor solution do involve Oracle DB
  root cause of problem & fix is 100% external, detached, & isolated from Oracle DB.
  This thread is OFF TOPIC for this forum.

• Can you use a self signed certificate on an external Edge Server interface?

  Hi,
  I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
  interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
  cert is valid (root and intermediate have been checked for validity).
  At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
  Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
  Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
  I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
  Thx

  Drago,
  Thanks for all your help. I got it working.
  My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
  Let me update everyone about self-signed certificates:
  YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
  I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
  intermediate have been checked for validity).
  Here are my notes:
  Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
  On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
  Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
  You should have already completed: Step1 and Step 2.
  Run or Run Again "Step 3: Request, Install or Assign Certificates".
  Install the "Edge internal" certificate.
  Click "Request" button to run the "Certificate Request" wizard.
  You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
  Once the certificate has been created, use "Import Certificate" to import it.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
  In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
  Install the "Edge External" certificate (public Internet).
  Click the "Request" button to run the "Certificate Request" wizard.
  Press "next"
  Select "Prepare the request now, but send it later (offline certificate request).
  Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
  Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
  Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
  Fill in the organization info.
  Fill in the Geographical Information.
  The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
  Select your "Configured SIP domains"
  "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
  Verify the "certificate Request Summary". Click next.
  Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
   Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
  In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
  For the "External Edge certificate (public Internet), click "Assign".
  The "Certificate Assignment" wizard will run.
  Click next.
  From the list, select your cert "EXTERNAL-EDGE".
  Finish the wizard to "complete".
  You are finished on the server.
  Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
  When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
  Browse
  Select "Trusted Root Certification Authorities"
  Finish the wizard.

• SSL (Self Signed Certificate) in Business Connector

  After going through hundreds of messages, I am still not clear  about the steps involved in including SSL certificate with HTTP protocol.
  1. Instead of subscribing to Trusted Certificate Authority, can we ceate a Self Signed Certificate? If yes, how?
  2. Can anyone please explain the steps involved in including SSL certificate (configuring/importing the certificate)? We are successfully calling HTTP and sending the XML document to a HTTPS URL with authorized user name and password. I need to include SSL certificate to complete the requirement. I have looked at all the PDF documents that are available with BC installation and looked at many forums and still haven't found the answers.
  Thanks in advance.

  Hi Ramesh.
  When untrusted root certificates may be acceptable
  Some CAs may be trusted, but in only a very limited way. For example, a company with employees in diverse
  locations can make internal documents available to all its employees by setting up a Web site on an intranet that
  is only accessible from inside the corporate LAN (i.e. people on the Internet cannot see it). If there are
  documents on this site that should have limited access within the company (such as strategic plans or personnel
  documents), then these can be protected with SSL.
  Since both the servers as well as the browsers are on corporate-controlled equipment, it is well within the
  companyu2019s interests to act as its own CA. This means that the company can generate its own root certificate
  with which it can sign as many SSL certificates as required for the servers deployed in its intranet. Once this is
  done, this certificate should be installed into the certificate stores of all the browsers used in the company. Since
  the computers these browsers run on are controlled by the company, this is easy to do: the corporate IT
  department can have a policy that the companyu2019s root certificate is installed in the browseru2019s certificate store
  whenever a new computer is set up. This prevents security warnings from being displayed whenever an
  employee accesses an SSL-secured site on the company intranet.
  The advantage to the company is that it can deploy secured sites anywhere on its intranet without purchasing
  certificates from an external CA. Note that if the company also runs an e-commerce site, then it should purchase
  its SSL certificate from a trusted CA and not use an internal one for sites accessible to the public, who will not
  have the certificate installed by the corporate IT department, and thus would receive a security warning.
  In such an environment, an unscrupulous employee (most likely a member of the IT team) who has access to
  the private key could launch very successful MITM attacks against employees who visit SSL-protected ecommerce
  and e-banking sites at work. This will be discussed later in this document. However, the company
  can easily protect itself by warning employees not to visit such sites on company time or equipment, since they
  are not u201Cbusiness related activities.u201D
  Please see this doc related to trusted and untrusted certificate.
  http://www.sericontech.com/Downloads/Untrusted_Root_Certificates_Considered_Harmful.pdf