(Invalid OCSP signing certificate in OCSP response(Error code: sec_error_ocsp_invalid_signing_cert)

Similar Messages

• Can't sign in to my psn error code ce-33987-0

  ive been trying to sign into psn for the past hour and keep getting this error code tried its suggested actions and checked my isp but there telling me its all ok there end and its the psn network can any one help me on this

  I've been having the same problem for over a week, but I think I found the solution to it.Firstly, my internet setup is an old netgear modem-router combo hooked up to a new TP-Link (n) router. The netgear is set to modem only mode. My ps4 is connected wirelessly downstairs.For about 3 months, my ps4 was working normally with no problems, but about a week ago this error code started popping up inconsistently. Sometimes everything was fine, most times it wasn't.I isolated the problem to the PS4-Router communication, as my ps3 (and everything else at home) worked perfectly with no changes to the setup. Possible Solution- Today, I factory reset both devices (Netgear and TP-Link routers) and set them up to the point where they worked normally (with my phone, laptop, etc).Then, I enabled UPnP on BOTH devices, and also Forwarded all the necessary ports for my PS4 on the TP-Link router.I changed the wireless channel on the TP-Link to [1] from [6].I also changed the wireless channel width on it from [auto] to [20mhz]. This automatically reduced my max Tx rate to [130mbps] from [300mbps]. (I suggest doing this manually if it doesn't change automatically).I rebooted the TP-Link router, and started up my ps4 after a few seconds. The system loaded perfectly, PSN signed in instantly, and I played an hour on BF4 with no problems. I also restarted my PS4 again to see whether the settings would 'Stick'. They did, it still ran perfectly. I won't play again for a few hours, but I will report here if it does/doesn't work. Good luck trying my solution, Hope it works for you.Happy Gaming

• Invalid control character 0 at position 7, Error Code : UFGUIEZK

  When I first login obiee dashboard, it would error about "invalid control character 0 at position 7".
  But if I click a select button, it would show the result what I want it.
  help me please.

  Hi Joe,
  (Especially using the IE8 brower)
  When I enter any dashboard pages, (not the login page...) it would error about "invalid control character 0 at position 7".
  I press the "Backspace" button. (I keep a same brower and same session.)
  Then I enter same dashboard. It doesn't mention about the error message. -_-; It works....
  What's the points is...
  OBIEE is working~
  I can use any answers... can make any dashboards.
  Everything is gonna all right...
  Except... If I wanna the any dashboard, I would enter the page twice.
  Thanks for your concern~!
  Edited by: user1121165 on 2009. 12. 15 오후 4:29
  Edited by: user1121165 on 2009. 12. 15 오후 4:33

• How to resolve error 403 response error code

  Hi to All
  Openstream to a webpage like google.com works fine, but openstream wid a search string like following gives error 403.
  http://www.google.co.in/search?hl=en&q=forums&btnG=Search&meta=
  Can anyone help with working around this??
  Thanks

  thats problem with the openstream
  corrected code is here
  URL urlObject = new URL("http://www.whitepages.com/10001/search/ReversePhone?phone=5056629477");
  //URL urlObject = new URL("http://www.google.com/search?q=$looknum&hl=en&pb=r&sa=X&oi=rwp&ct=title");
  URLConnection con = urlObject.openConnection();
  con.setRequestProperty( "User-Agent", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818)" );
  System.out.println( "length: "+con.getContentLength() );
  System.out.println( "content: "+con.getContent() );
  System.out.println( "type"+con.getContentType() );
  File file = new File("outfilename.txt");
  InputStream st = con.getInputStream();
  int c;
  while( (c=st.read()) != -1 ) {
  System.out.print( (char)c );
  //System.out.println("urlObject.getContent :"+urlObject.getContent());
  //System.out.println("urlObject.getFile :"+urlObject.getFile());
  catch (java.net.MalformedURLException exception){
  exception.printStackTrace();
  That can be usefull for some other one as me

• SendSynchronousRequest with self signed certificate

  Hi
  Due to the application design I cannot use the – initWithRequest:delegate: method of NSURLConnection class for my https requests to a server. Hence I have to make synchronous calls using sendSynchronousRequest:returningResponse:error.
  When I was using initWithRequest , it was taking a class delegate of NSURLConnectionDelegate class hence I handled the self signed certificate problem by the following code:-
  - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
      return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
  - (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
      [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
      [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
  Now the problem is that sendSynchronousRequest does not take any delegates to be called on. So now how do I handle non trusted certificate problem using synchronous request.
  I searched but so far can't find any solution.

  Hi 2UCowpoke,
  According to your description and the error messages ,it seems that the self-signed certificate is not trusted or supported by Windows 7 machine .
  How did you get the certificate ?
  It is recommended to ask for help from the certificate issuer support .
  Here is a link for reference :
  Windows does not have enough information to verify this certificate.
  http://www.kozeniauskas.com/itblog/2011/06/27/windows-does-not-have-enough-information-to-verify-this-certificate/
  NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
  Best regards
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• I try to go to Google and get Error code: sec_error_unknown_issuer

  I try to bring up Google and get this message:
  This Connection is Untrusted
  You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure.
  Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
  What Should I Do?
  If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
  www.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)
  I'm on a brand new computer. All I've loaded is Kaspersky Internet Security. This problem is *very* frustrating and annoying.
  Yes, I tried deleting the cert8 file and restarting Firefox. Same problem.
  Help!!!

  And again, even when I exit the Kaspersky anti-virus software, I still get the error message. That does make it seem like the problem must be with the new release of Firefox (maybe in conjunction with Windows 8.1?), not with the anti-virus software.
  Like Lydia, I really don't want to get into the business of just adding dozens of exceptions. That would seem to defeat the point of whatever security protection Firefox is trying to provide.

• Firefox 8 not displaying addons, error code:sec_error_unknown_issuer

  I receive the following error message when opening the addons tool bar...
  support.mozilla.com uses an invalid security certificate.
  The certificate is not trusted because the issuer certificate is unknown.
  (Error code: sec_error_unknown_issuer)

  Did you check the details of that certificate like the issuer and when it is valid by retrieving the certificate?
  * Click the link at the bottom of the error page: "I Understand the Risks"
  Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
  * Click the "View..." button and inspect the certificate and check who is the issuer.
  You can see more Details like intermediate certificates that are used in the Details pane.

• Flex - Getting the HTTP error code raised from SAP

  Hi all,
  is there a way to catch the error code returned by a BSP page?
  For example, I have a Flex HTTPService that points to a BSP page somedata.xml, which is populated after retrieving data in onInitialization handler.
  In this handler, if something goes wrong, I set up the response error code like this:
  try.
  "Data Handler Class
  catch zcx_some_exc into lx_some_exc.
    error_string = lx_some_exc->get_text( ).
    response->set_status( code = 500 reason = error_string ).
  endtry.
  In my faultHandler function in Flex, I need to display error_string in an Alert box:
  private function HTTPFaultEventHandler(event:FaultEvent):void{
    Alert.show(event.fault.faultString);
  But in this way, it always display "HTTP Request error".
  Anyone can help me?
  Thanks a lot,
  R.

  This is a known issue with flex HTTPService.
  what you could do is
  set the status to 200 for BSP response
  and pass the error message in xml format.
  on the flex side, in your result handler, check the xml to see whether its error xml or your normal result xml.
  if its error xml, you can provide an alert and then stop processing.
  Ref: http://onrails.org/articles/2008/02/20/dealing-with-http-errors-in-a-flex-with-rails-application
  Regards
  Raja

• OCSP response signature is invalid--ALC-DSS-111-005

  Hi All,
  I am using "verify pdf signature" process for signature verification for pdf having signed signature field.
  I am getting an error in status message of pdfSignatureVerificationResult as "ALC-DSS-111-005--OCSP response signature is invalid".
  Kindly provide any information to resolve this issue.
  Regards
  Abhishek

  The OCSP protocol has an option for accepting only signed requests, where the signer of the OCSP request has to be trusted by the OCSP Responder.
  LiveCycle Digital Signatures ES2 and or Acrobat can be configured to sign OCSP requests.
  In LiveCycle, it is part of the Digital Signatures service configuration, see attached screen shots.  Acrobat\Reader supports it through a registry entry...  I have attached the relevant page from the Digital Signatures and Document Security administration guide.
  Regards
  Steve

• Problem setting up OCSP in LAB "Bad signing certificate on Array Controller" Signing Certifcate: not found

  Hello
  Can someone please help me with the following question.
  In my LAB I have setup the following (MSDB subscription)
  Windows 2003 R2 Active Directory (Forest and Domain at "Windows Server 2003" level)
  2012 R2 offline Root CA (published the ROOT CA certificate to member server "LocalMachine/Trusted Root Certification Authorities" store via GPO as could not recall the certutil command to publish to directory services)
  2012 R2 online enterprise issuing CA (works fine)
  Setup OCSP on a separate server following a number of article
  Templates To Issue > OCSP Response Singing
  Gave the OCPS Server "Read", "Enrol"  (some confusion in various articles about also assigning Auto Enrol permission but I did not)
  Gave Network Service account same permissions as above
  Configured AIA extension on issuing CA for http://OCSPServer1/ocsp
  opened the OCSP MMC and configured Revocation Configuration called MyConfig, choose the issuing CA cert by browsing AD The wizard picked up the CA and the Template no problem and the wizard automatically selected the check box to Auto Enrol
  etc..
  However I get the following message at the end of the wizard "Bad singing certificate on array controller" and under array controller section certificate status says "Signing Certificate: Not Found"
  Check MMC > Certificates > Services > OCSPSvc\_MyConfig_  no certificate present
  At issuing CA > Certificate Authority > Issued Certificates   no OCSP signing certificate issued.
  Do I need to public the ROOT CA Cert to AD too rather than pushing to LocalMachine\Trusted Root Certification Authorities via GPO?
  I have also tried giving the OCSP Server and Network Service 'Auto Enrol" rights on the template but no difference.
  What I would like to also know please is, what triggers the "enrolment" for the OCSP cert, is this when you complete the OCSP Revocation Configuration wizard? and does the OCSPSvc then re-enrol for another cert in two weeks, even without auto enrol
  configuration on the template?
  Thanks very much in advance
  AAnotherUser__
  AAnotherUser__

  OK A little more information (should have thought about checking the Windows event logs first)
  One the OCSP Server, when completing the "Revocation Configuration" Wizard I get two Error events in the Windows Application Log as follows
  Event ID 34
  The Online Responder Service encountered an error while submitting the enrollment request for configuration Config9 to certification authority SubCA01.LAB.local\LAB-SUBCA01-CA. The request ID is -1.(The permissions on this certification authority do not allow
  the current user to enroll for certificates. 0x80094011 (-2146877423 CERTSRV_E_ENROLL_DENIED))
  Followed by Event ID 23
  The Online Responder Service could not locate a signing certificate for configuration Config9.(Cannot find the original signer. 0x8009100e (-2146889714 CRYPT_E_SIGNER_NOT_FOUND))
  So much clearer as to where the issue lies, will do some further digging
  Thanks
  AAnotherUser__
  AAnotherUser__

• The name ("common name") of a valid code-signing certificate in a keychain within your keychain path.   A missing or invalid certificate will cause a build error.  [CODE_SIGN_IDENTITY]

  The name ("common name") of a valid code-signing certificate in a keychain within your keychain path.   A missing or invalid certificate will cause a build error.  [CODE_SIGN_IDENTITY]

  If you could ask a coherent question, maybe...
  Perhaps you should be posting in the developers forums...

• Add revocation info (ocsp response) in the signatures

  I'm doing an application to sign pdfs in java.
  I already have successfully sign pdfs, but I want to add also the revocation info embedded into the file. I have no problems with CRLs, but I can't add the other revocation method like a ocsp response.
  To get a fully signed pdf I have downloaded adobe pro 9 trial version, and I'm trying to sign a pdf with revocation info. For that I selected the "add revocation info when signing" in security preferences. So I sign a pdf with revocation info activated and another one without it. Comparing both files there is a file size difference of 300 KB, so I suppose something has added. But when I validate the pdf with the adobe reader I can't get a valid signature in offline mode. Really I'm not sure if the acrobat reader don't understands correctly the revocation info embedded in the pdf or if the signature itself is not correct.
  If I use my program to sign the pdf and I add the crls the acrobat reader validate correctly the signature in offline mode.
  Anyone have manage to sign a pdf with adobe pro 9 including revocation info? or anyone know where I cat get a sample pdf with an ocsp response embedded? or anyone knows something to help me?
  thanks.

  Hola Alfredo,
  "So if I trust directly in the ocsp responder it would be a valid ocsp response, right?"
  Wrong. Although nothing happens in Acrobat without trust being established, it's not enough to just assign a certificate in the chain "trust anchor" status. All of the other rules must be followed as well. As an example, although we have been discussing OCSP responses, similar rules apply to indirect CRLs. If a CA is using an indirect CRL the correct extensions in both the CRL itself and the certificate under test would need to be present. It wouldn't be enough to just trust the signer of the CRL.
  "Is there any possibility in adobe to trust in the responder, the same way as I can do with the timestamp?"
  It's a little more complicated than that, but Acrobat does allow for a user to establish local trust in accordance with RFC 2560, Section 4.2.2.2. You are asking about adding "a local configuration of OCSP signing authority for the certificate in question". It can be done using the registry keys defined in the Acrobat Security Administration Guide (location noted in the first reply above), Section 5.4.1.1. You need to define the iURLToConsult and the sURL (which tells Acrobat to accept any OCSP response that comes from this URL). That's the effect you are looking for. However, these are global settings and will overwrite any other certificates, so you might want to set up a Custom Cert Preference as described in Section 3.4.6.
  "Adobe have any type of utility or log to show more details about the signature verification?"
  Yes, check out section 5.4.4.4 of the Acrobat Security Administration Guide.
  "In that last case with the nextUpdate problem it were not giving me any type of error about the ocsp, but anyway It didn't consider valid the response as you say."
  With apologies, I wasn't clear enough on this issue. It's not that Acrobat doesn't consider the response valid, but rather it's doesn't consider the response usable for other than "real time" usage. An OCSP response downloaded in real time that doesn't contain the nextUpdate extension is valid (assuming all other checks are okay). It's only when you are trying to use a cached OCSP response without the nextUpdate extension that Acrobat won't accept it. The lack of the nextUpdate extension is a tool that the CAs have at their disposal to force requesting applications (in this case Acrobat) to always ask for the latest information and not rely on older data.
  "And the last question, where can I get a sample pdf with an embedded valid ocsp response? do you have any sample one?"
  The Acrobat Security Administration Guide has an embedded OCSP response covering the end-entity in the signing chain.
  Steve

• OCSP response processing

  I am one of thousands of Acrobat users in a US Federal Agency.  I am introducing digital signatures using smart card credentials (FIPS-201 PIV card) on a Windows 7 machine using Acrobat to add the signature field to an existing Form.
  We need to embed the signature verification information in the Form.  The CRL embeds and adds 3MB to the 240KB document size.  The second signature adds another 3MB.  This is unsustainable and we need to use OCSP for certificate revocation checking and embed the OCSP Response into the form.  We are trying to determine why Acrobat is not using the OCSP response.  The CRL cache is cleared and the signature applied.  The OCSP Response is apparently ignored or fails some part of Acrobat processing.  I did find a previous note ( http://forums.adobe.com/message/2752534 ) that indicates that
  "...If OCSP response signing certificate contains CRL distribution point (in my case CDP (CRL) and AIA (OCSP)), online OCSP check executes, but after getting all chain certificate OCSP responses, validating signature against CRL (it’s looks from Local cache). It means you never get OCSP validation data in Adobe Acrobat or Reader signature revocation tab..."
  From the PKI Shared Service Provider I rec'd the following:
  "...when we generated the OCSP signing cert that it populated the CDP and OCSP info in the AIA which it was not supposed to. So it looks like the combination of the Adobe problem mentioned in the article and the issue with the OCSP signing cert may be causing it to ignore the OCSP info and to continue on to process the CRL."
  Can you confirm that Acrobat will fail to use the OCSP Response in our case?
  Can you offer a work-around for the issue?
  Thanks and regards, Dave

  This issue was put into Adobe support.  They have identified it as a bug in crl/ocsp
  processing and have escalated it into engineering.  There is no estimate of when the
  bug will be fixed.

• NextUpdate, embedding OCSP response

  Hi,
  I am trying to understand revocation info and relevant processes in the PDF signature...
  "If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time".
  I have a situation where my OCSP response doesn't have nextUpdate set. This means that Reader should always
  check whether certificate is revoked or not, right ?
  Here is what I do right now:
  1) include signing certificate and PKCS#12 cert chain(my digital id for OCSP) in PDF signature appearance
  2) sign PDF byterange on SmartCard and set external digest on PKCS7
  3) include OCSP response in PKCS7
  QUESTION 1:
  But for some reason I don't see that OCSP is embedded in PDF any way. Although I see it exists in Byterange content.
  Any explanation ?
  I have 2 signing certificates which I can use in step #1. Their intended usage:
  1) Sign transaction, Encrypt keys, Encrypt document, Client Authentication, Email Protection
  2) Sign document
  Here is the revocation info that is shown on Revocation Info Tab:
  1) ... The selected certificate is considered valid because it does not appear in a Certificate Revocation List (CRL).
  2) ... No revocation checks are done for such certificates, they are inherently considered trustworthy.
  QUESTION 2:
  Can't I use certificate #2 for embedding OCSP in PDF ?

  I am currently reading "Long-Term Digital Signatures" that states: "Revocation responses from an OCSP server are usually time stamped by the server that creates them". What does time stamped mean in the thisUpdate/nextUpdate context?
  p.s. The topic I raised is based on custom solution that signs PDF using iTextSharp. I am embedding OCSP response myself, how does Reader behaves when there is no nextUpdate entry ?
  Regards,
  M.

• Enable Multiple Stapled OCSP Responses in IIS

  I would like to configure IIS to send multiple stapled OCSP responses when sending its certificate chain to a web client at the start of an SSL/TLS connection.  Currently, IIS only sends the OCSP response (signed indication from the issuing CA
  that the certificate is still valid and not revoked) for the server certificate, but doesn't send it for the intermediate certificates. 
  For instance, if my IIS web server certificate is issued by the Entrust CA, it may be signed by the Entrust intermediate certificate "Entrust L1C", which is then signed by the Entrust root CA certificate "Entrust 2048".  In that
  circumstance, IIS is only sending the client the OCSP status for the server certificate, but not the OCSP validation status for the "Entrust L1C" certificate.  So, the web client doesn't have to currently do an OCSP query to the Entrust
  CA for the server certificate (since the web server sends that OCSP response to the web client), but does have to do an OCSP query to the Entrust CA for "Entrust L1C" to verify the intermediate certificate also isn't revoked.  If the web client
  is behind a tight firewall that doesn't allow browsing to random Internet IPs for OCSP, the web client is unable to know if the certificate is still valid.  The response from the IIS forum http://forums.iis.net/post/2097704.aspx was that
  I should post the question here.
  How can I configure IIS to send OCSP responses (OCSP stapling) to web clients for the intermediate certificates in its certificate's chain as well?  Multiple Certificate Status Request Extension is an Internet standard documented in RFC 6961 at
  http://tools.ietf.org/html/rfc6961.  Is there a way to configure IIS to do this?

  It is working as designed. Currently OCSP Stapling only includes the revocation status for the leaf/server certificate. The assumption is that the offline CA certificates use CRLs, the CRLs are cached and should not need to be included in the stapled responses.
  Brian