Is verisign cert "multi purpose"?

Similar Messages

• Non-Verisign certs in WS7

  Hello,
  I have a mix of server certificates from Verisign and Network Solutions CAs. Both types are stored in my Crypto accelerator (hardware token), from where I've been using them for WS6 and AS7 instances.
  In WS7, the Certificates tab in the admin interface shows certs of both types and the token that they are contained within. When I attempt to configure a listener with SSL enabled, the Certificate field has two types, "RSA Certificates" and "ECC Certificates". The latter says "No ECC Certificates Available", and the pick-list for the RSA Certificates only lists the Verisign certificates.
  For a server that I migrated from an older version (WS6.1), the server.xml lists the correct server-cert-nickname value for a NetSol cert, and indeed, the cert is properly loaded and the listener starts up fine using that certificate.
  Why is it that my NetSol certs don't show up in the admin interface? I can hack the server.xml file in vi to use the correct certs, but I'm thinking there should be a way that I can access these other certs with the admin interface.
  Thanks,
  Bill

  Output of wadm list-certs --verbose -all:
  nickname        issuer-name     expiry-date
  [email protected]:Server-Cert      Network Solutions Certificate Authority May 19, 2007 6:59:59 PMThere is no -h option to certutil -L:
  certutil -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]However, if I export it from the hardware token using pk12util then import it into the internal token, I can view the details:
  # pk12util -o xxx -d . -n [email protected]:Server-Cert  
  Enter Password or Pin for "NSS Certificate DB":
  Enter Password or Pin for "[email protected]":
  Enter password for PKCS12 file:
  Re-enter password:
  pk12util: PKCS12 EXPORT SUCCESSFUL
  # pk12util -i xxx -d $PWD
  Enter Password or Pin for "NSS Certificate DB":
  Enter password for PKCS12 file:
  pk12util: PKCS12 IMPORT SUCCESSFUL
  # certutil -L -d .   
  Network Solutions Certificate Authority - GTE Corporation    c,, 
  Server-Cert                                                  u,u,u
  # certutil -L -d . -n Server-Cert
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              28:f5:87:82:b0:65:ff:58:08:63:b5:0e:69:07:ea:6d
          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
          Issuer: "CN=Network Solutions Certificate Authority,O=Network Solutio
              ns L.L.C.,C=US"
          Validity:
              Not Before: Fri May 19 00:00:00 2006
              Not After : Sat May 19 23:59:59 2007
          Subject: "CN=*.qisc.com,OU=Secure Link SSL Wildcard,O="Quixote Intern
              et Services & Consulting, Inc.",L=Chippewa Falls,ST=Wisconsin,C=U
              S"
          Subject Public Key Info:
              Public Key Algorithm: PKCS #1 RSA Encryption
              RSA Public Key:
                  Modulus:
                      c4:87:81:66:77:99:c5:8e:f1:59:ff:59:c6:38:63:5a:
                      46:31:8e:13:38:5e:2e:71:d7:22:38:5b:df:c4:47:e9:
                      d3:c3:ff:52:3a:5b:21:c1:b5:01:0a:ec:81:3d:80:b4:
                      39:74:6a:7d:39:63:e1:06:a4:f1:45:cf:43:8d:6a:79:
                      49:4e:d9:22:d2:8f:08:6e:23:87:e3:14:7f:aa:c7:8f:
                      df:d7:d0:e1:e0:7e:1c:d7:64:d0:43:94:19:06:7d:48:
                      82:6f:e3:e1:05:69:cc:42:67:9f:db:e5:c7:6e:11:7a:
                      10:94:6c:95:f0:1e:5c:36:93:37:09:ea:b4:0d:4e:6f
                  Exponent: 65537 (0x10001)
  (stuff deleted for brevity - let me know if you need to see all of this output)Hmmm...this is interesting...after importing the cert from the hardware token into the internal certificate database, it now shows up as "Server-Cert" in the RSA Certificates list of the SSL->Edit HTTP Listener admin page. So it only shows certs from the hardware token when they are Verisign certs, even though the NetSol certs work just fine when they are stored in the internal database. This is NOT a work-around, however, as this defeats the purpose of having the crypto accelerator.
  BTW, I also sent a note to NetSol's support people, and they had this thought:
  As we use an intermediate, that could be the reason why they are not listed.
  Without the intermediate it will not find a chain to the trusted root.
  We would recommend contacting the software provider for details on
  importing the intermediate into the application server.I have already tried importing their certificates into the internal token, but that had no effect on this problem. Do I need to import their intermediate certs into the hardware token, rather than the internal one? If so, how do I do that? Or do I need to install these intermediate certs in the admin server's internal database, rather than my server instance's database?
  On the assumption that these intermediate certs were needed in the admin server's internal database, I used certutil to load them to see if that would help:
  # certutil -A -n 'AddTrust External Root' -t 'CT,C,C' \
  -d . -a -i /tmp/certs/AddTrustExternalCARoot.crt
  # certutil -A -n 'UTN-USERFirst-Hardware - AddTrust AB' -t 'c,,' \
  -d . -a -i /tmp/certs/UTNAddTrustServer_CA.crt
  # certutil -A -n 'Network Solutions Certificate Authority - GTE Corporation' -t 'c,,' \
  -d . -a -i /tmp/certs/NetworkSolutions_CA.crt
  # certutil -L -d .                                                                                     
  Admin-Server-Cert                                            u,u,u
  Admin-Client-Cert                                            u,u,u
  AddTrust External Root                                       CT,C,C
  UTN-USERFirst-Hardware - AddTrust AB                         c,, 
  Network Solutions Certificate Authority - GTE Corporation    c,, 
  Admin-CA-Cert                                                CTu,u,uHowever, after stopping and restarting the admin server, I still do not see my token-resident certs in the admin interface.
  Let me know what you'd like to see next.
  Thanks,
  Bill

• FYI. Verisign Cert & ACS

  for those who have troubles getting verisign cert working on the ACS box, i just spoke to a verisign tech support after facing issues with certs. He mentioned that when generating a CSR on ACS, it generates extra info that are not compatible with verisign. Verisign is working on the issue, it is expected to be rectified soon (in a day or two). The tech support refused to give me further info about what version of ACS causing the issue or so... I'm using ACS3.3 at the moment.

  I've installed a Verisign cert on the ACS with minimal difficulty, but it does take a couple of extra steps.
  When generating the cert request on the ACS, you have to enter the complete identification path in the Common Name field of the form. i.e., instead of just cn=Ciscoacs, you have to enter c=US,s=Florida,l=KeyWest,o=TheShirtShack,ou=Accounting,cn=Ciscoacs all on the same line.
  Also, if the certificate file format that Verisign sends back is not recognized by the ACS, you can import it into your web browser and then re-export it in the correct format (DER .509 if I recall correctly) and then upload the reformatted cert to the ACS.
  It works fine after all that =)

• Printing to multi purpose tray from on Canon ImageRunner C5045

  I am having a problem printing to the multi purpose tray on my work printer.
  I've been able to print sucessfully to the multipurpose tray when I print from mail, or any other non-adobe application.
  However, it does not work in Illustrator cc/indesign/etc.
  I have gone through all the steps to select the correct paper feed options (file > print > setup > paper feed > all pages from > multipurpose tray.)
  I then tell my printer which paper I am using.
  It still does not recognize.
  Any thoughts appreciated.

  To print to Mailbox, you need to ensure you are using the Canon PS Driver for OS X, preferably v1.70 or later. There is also a Canon UFR2 driver for OS X, but it is not available to all models of imageRUNNER.
  With the correct driver installed, when you select to print from an application, change the Copies and Pages menu to Special Features. Here there is an option called Job Processing and in this menu you have the options of Print, Store, Secured Print and Promote Print. To print to mailbox, select the Store option. Then when you press Print the window letting you select the Mailbox number and enter the file name will appear.
  If you don't have the Special Features tab but have installed the PS driver v1.70 or later, then something has gone wrong with the installation and the driver will need to be installed again. Please reply if you need help with this.

• ACS SE w/ Verisign Cert

  I am using the CAS as an authenication server against AD for my wireless network. I have a WISM as my WLC and some of my users are getting a certifate error when I enable WPA. The error is coming from the ACS. I get an invalid cert error or cert not verified from the Iphone. The certificate is valid and I installed a intemediate CA. No matter what I try i can't get the error to go away.
  Could some please assist?
  Thanks
  mike

  I am using PEAP with MSCHAP. From the IPhone I am getting the cert is not verified, When I use the IntelPro supplicant on a Laptop, it refuses to log on even though I select use "any trusted CA". I called Cisco TAC and they say I have to install the cert on all my computer, I don't believe that is correct. I am using a Verisign cert and so should already be on my computers.
  Internet explorer is not having an issue with the cert, the dell wireless WLAN client does not have a problem either.
  Mike

• Selecting Paper for the Multi-purpose Tray - Canon imageCLASS MF6160dw

  I set the default paper for the Multi-purpose Tray of my Canon imageCLASS MF6160dw to be legal paper.
  When I want to print envelopes or labels, can I change to that respective paper from my computer OR must I do it from the panel on the printer?
  It sure seems like I have to constantly get up & change something on the panel on the printer that I should be able to do from my computer.
  If I can do it from my computer, please list the steps on how I would do that.

  Hi, Steven1!
  To ensure the most accurate information is provided, we will need to know the version of Windows or Mac in use.
  If this is a time-sensitive matter, our US-based technical support team is standing by, ready to help 24/7 via Email at http://bit.ly/EmailCanon or by phone at 1-800-OK-CANON (1-800-652-2666) weekdays between 10 AM and 10 PM ET (7 AM to 7 PM PT).
  Thanks and have a great day!

• [solved] Renewing a verisign cert

  Sorry, this isnt Arch related, but I'm having a tough time googling the correct answer.  I've got a customer using red hat linux and wanting to renew their verisign ssl cert for a webpage.  I'm following the instructions listed at https://knowledge.verisign.com/support/ … t&id=AR142
  My question is, do I need to generate a new key pair if i'm renewing the certificate?
  Thanks,
  MP
  Last edited by murffatksig (2009-09-15 20:17:40)

  you don't have to.
  generally they either:
  a) just re-sign the original cert request they have on hand, (new certificate lifetime)
  b) ask for a new csr to sign
  c) ask you to generate a new key, and then a new csr to sign
  I think which operation they prefer depends on the vendor.
  https://knowledge.verisign.com/support/ … 3035718053
  For the sake of security though, it certainly wouldn't hurt to generate a new private key and csr, and then have that csr signed. (option c above)
  another relevant link: http://serverfault.com/questions/42993/ … ith-apache
  apparently verisign does allow option a (see last comment on serverfault page)

• Verisign CERT Root Changw

  Verisign as of Oct. 10th has change the root ca they sign CERTS with. Our 802.1x supplicants are configured to trust only the older Class 3 Public Primary root that is part of widows. Is there any way to configure the ACS box to support the older root as reconfiguring all the supplicants is a non-trivial task. I wondered if there was a way to create a self-signed CERT to act as the root? Has anyone had this problem? Thanks

  Bruce,
  ACS can genrate self sign certificate but this will only work when client do not validate server certificate. If validation is required in your setup then self sign cert wont help.
  If installing cert on each client is feasable then configured not to validate server cert then your current set up will work fine.
  Regards,
  ~JG
  Do rate helpful posts

• VeriSign cert and IE5 on WLCS

  Hi.
  We installed the purchased certificate (from VeriSign) on our server
  WebLogicCommerceServer( weblogic.security.certificate.server &
  weblogic.security.key.server ).
  When the client accesses this host with IE5.5 browser, everything is OK.
  When the client uses IE5, however, he gets an error "the security
  certificate was issued by a company you have not choosen to trust".
  If we're adding weblogic.security.certificate.authority to point to a
  VeriSign root certificate (which we took from their site), then sometimes
  the client gets a "can't display page", and sometimes the same error as
  above.
  Any hints?

  To fully answer my own question,
  I got a verisign authenticode certificate, and was not able to export it in pk12 format that is necessary for netscape to be able to import it.
  I've got a verisign netscape cert on order that I am pretty sure will work for netscape and the java plugins/webstart, as has been mentioned.
  Re: my company's decision. With the disclaimer fully in effect that I'm not in a position of power and am just a programmer wanting a certificate and thus might not have all of the facts or even the correct facts on the issues at hand... From what I understood, thawte got quite a bit more restrictive on where the private key could be stored. From what I understand, the private keys would have to be stored in a central location for the entire organization which wasn't reasonable for our size of 5 - 10,000 as it would have caused undue hardship on the gatekeepers as well as people actually wanting something signed. Verisign apparently didn't have the same strictness.

• Multi-purpose buttons not working in DPS.

  The multi-button effect I made works great in the SWF Preview but doen't work at all in the Content Viewer. Is it because DPS can not support it? Should I stick with Object States? I'm just frustrated because I thought I figured out a great way to show and hide captions using buttons alone.
  Thanks for the input!

  And thanks Neil, I figured that. I have no one at my company that knows DPS and I work with for a company with 3000k employees and 10% designers. So I relying on every bit of training I can get my hands on, Adobe TV, the pdf guide of DPS and Lynda.com. There is no buget to have an expert come in to teach me either. I found the forums a few days ago and was very pleased. But now after today, I am not so sure. And I'm not being to sensitive either, I thought this place is about camaraderie, guess not. It's about earning MVP status and pluses.

• Automatically accept VeriSign certs?

  Hi all. I'm pretty new to SSL so any help with this question would be appreciated.
  I have a web service app running on a WebLogic 10.3 server (let's call it ServerA). This web service app also contains a web service client to make calls to another web service app running on another server somewhere (let's call it ServerB).
  ServerB is beyond my control, but happens to be behind the same firewall as ServerA. For my app on ServerA, I've been asked to "auto-accept the connection (trust VeriSign)" when making a web service call to ServerB. I believe this is to avoid certificates expiring, but I may be wrong.
  Can anyone tell me how (either in the WebLogic console or in my Java code) to automatically trust VeriSign certificates?
  Forgive my ignorance on this subject. It's my first time working with SSL.

  You probably want to also try the security forum:
  WebLogic Server - Security
  Specify whether you are using just 1-way SSL (where this should work without intervention I believe using the CA list with the JVM). If you're using 2-way SSL, then I think you'll need to do some key importing.
  You should really consult someone who understands security requirements in your environment on what they want, as this is something you really want to get right and not misconfigure.

• Installing Verisign Cert failure

  I have a certificate from verisign and it asks me for the private key file? Verisign didn't give me a private key file, where would I find this file?
  Thanks
  mike

  Hello Michael,
  VeriSign does provide you with the certificate which is the signed public key. For security reasons, the private key is not something that you would provide to VeriSign as this needs to remain on your server or device. It should not be shared with another party. Depending on what was used to generate the key pair, the private key may simply be a file located in a certain path or it could possibly be hidden.
  Please feel free to contact us for further assistance.
  Phone: 1-877-438-8776 Option 1, 2
  Email: [email protected]
  Regards,
  Frank
  VeriSign Technical Support
  VeriSign, Inc.

• ACS - Verisign Cert - PEAP Auth - XP Clients

  Hi
  I am hoping to implement PEAP using a server certificate on ACS generated from a real CA like Verisign/Thawte etc to prevent having to distribute an internal root CA certificate to all clients.
  I have discovered that Verisign provide a WLAN Auth certificate product , but this appears to be specificlly for IAS.
  Does anybody know whether I can just generate a certificate reest from the ACS box and use any certificate , or is there a particular type I need?
  Any help would be much appreciated!
  Thanks
  Leon

  CTA can be configured to perform machine authentication using certificates provided that the 802.1x Wired Client has been installed.Refer http://cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870ac.html for more information.

• Zebra QL420 Printer using PEAP (Verisign Certs)

  Hi,
  Has anybody been able to successfully get a Zebra printer QL420 Plus connected to Cisco LWAPP/CAPWAP APs ?
  We are using WPA2 - PEAP with Verisign Signed Server Certificate.

  Yes I have the QL420 + printers working with 5508 WLC and 3502E CAPWAP APs and PEAP
  Fotis - You will most likely find the reason for the slow ping resonce is down to the setting for "Power Mode". You likely have it set to "best". This setting controls how long the device "sleeps" before it awakens and downloads queued traffic from and AP. Setting it to "off" will put the device in to CAM (Constantly Awake Mode). This means that the device never switches its radio card off and never allows traffic to be queued on an AP. However this will mean that the drain on the devices battery will be much greater, I believe there is a slidding scale of settings for this device that go in order of highest battery drain as follows:
  Best
  1
  2
  3
  4
  off
  Off will give you the best performance with maximum battery drain. play with the settings and see which gives best performance/batery drain balance.
  Regards
  Simon

• [Solved] Constructed a multi-purpose prompt but still have 1 issue

  I didn't think re-opening my old thread was a good idea so I'm starting  new one to address 1 issue I have left to conquer.
  With some help from JWR I have built my prompt and it works for users and root logged into a local machine.  Logging into a remote machine does change my user's prompt by appending :ssh: to it.  However, as the root user logged into a remote machine, which should have the  :ssh: appended to it, doesn't work.  By that I mean that root logged in to a remote system doesn't get the correct prompt.  I want the prompt to look like this for root:
  :root: ~ :ssh:
  Instead I get this prompt which lacks the word "root" in it:
  : ~ ::ssh:
  This is my prompt script so far and I'd really appreciate some help to nail down this glitch. 
  The script for root and user are identical apart from having a different prompt uncommented.
  ### Other prompt styles to use later
  This is root's current script:
  ### A PS1 for each computer is on the respective lines in this order:
  ### ### White Yunzi / Silver Yunzi / Pink Yunzi / Rainbow EeePC
  if [[ -n $SSH_CLIENT ]]; then
  # PS1='\[\e[0;37m\]: \[\e[1;32m\]\W\[\e[0;37m\] :\[\e[0;37m\]:\[\e[1;33m\]ssh\[\e[m\]\[\e[0;37m\]: ' # WY SSH
  PS1='\[\e[0;37m\]: \[\e[1;33m\]\W\[\e[0;37m\] :\[\e[0;37m\]:\[\e[1;33m\]ssh\[\e[m\]\[\e[0;37m\]: ' # SY SSH
  # PS1='\[\e[0;37m\]: \[\e[1;35m\]\W\[\e[0;37m\] :\[\e[0;37\m]:\[\e[1;33m\]ssh\[\e[m\]\[\e[0;37m\]: ' # PY SSH
  # PS1='\[\e[0;37m\]: \[\e[1;33m\]\W\[\e[0;37m\] :\[\e[0;37m\]:\[\e[1;33m\]ssh\[\e[m\]\[\e[0;37m\]: ' # EeePC SSH
  elif [[ ${EUID} == 0 ]]; then ## :root: ~ :
  # PS1='\[\e[0;37m\]:\[\e[1;32m\]\u\[\e[0;37m\]:\[\e[0;37m\]: \[\e[1;92m\]\W \[\e[0;37m\]:\[\e[m\] \[\e[0;37m\] ' # WY root
  PS1='\[\e[0;37m\]:\[\e[1;34m\]\u\[\e[0;37m\]:\[\e[0;37m\]: \[\e[1;34m\]\W \[\e[0;37m\]:\[\e[m\] \[\e[0;37m\] ' # SY root
  # PS1='\[\e[0;37m\]:\[\e[1;35m\]\u\[\e[0;37m\]:\[\e[0;37m\]: \[\e[1;35m\]\W \[\e[0;37m\]:\[\e[m\] \[\e[0;37m\] ' # PY root
  # PS1='\[\e[0;37m\]:\[\e[1;33m\]\u\[\e[0;37m\]:\[\e[0;37m\]: \[\e[1;33m\]\W \[\e[0;37m\]:\[\e[m\] \[\e[0;37m\] ' # EeePC root
  else ## : ~ :
  # PS1='\[\e[0;37m\]: \[\e[1;32m\]\W\[\e[0;37m\] :\[\e[m\]\[\e[0;37m\] ' # WY user
  PS1='\[\e[0;37m\]: \[\e[1;34m\]\W\[\e[0;37m\] :\[\e[m\]\[\e[0;37m\] ' # SY user
  # PS1='\[\e[0;37m\]: \[\e[1;35m\]\W\[\e[0;37m\] :\[\e[m\]\[\e[0;37\m] ' # PY user
  # PS1='\[\e[0;37m\]: \[\e[1;33m\]\W\[\e[0;37m\] :\[\e[m\]\[\e[0;37m\] ' # EeePC user
  fi
  ## :root: ~ :ssh:
  #PS1='\[\e[0;37m\]:\[\e[1;34m\]\u\[\e[0;37m\]:\[\e[1;34m\] \W \[\e[0;37m\]:\[\e[m\]\[\e[0;37m\]\[\e[1;33m\]ssh\[\e[0;37m\]: ' # SY root
  ## :root:: ~ :ssh:
  #PS1='\[\e[0;37m\]:\[\e[1;34m\]\u\[\e[0;37m\]:\[\e[0;37m\]: \[\e[1;34m\]\W \[\e[0;37m\]:\[\e[m\]\[\e[0;37m\]\[\e[1;33m\]ssh\[\e[0;37m\]: ' # SY root
  ## :root:: ~ ::ssh:
  # PS1='\[\e[0;37m\]:\[\e[1;34m\]\u\[\e[0;37m\]:\[\e[0;37m\]: \[\e[1;34m\]\W\[\e[0;37m\] :\[\e[m\]:\[\e[m\]\[\e[0;37m\]\[\e[1;33m\]ssh\[\e[0;37m\]: ' # SY root
  Last edited by MoonSwan (2014-11-19 09:23:02)

  jasonwryan wrote:So it works for root locally, just not when you SSH in as root or change to root in an SSH session?
  Yes, you're quite correct.
  jasonwryan wrote:Also, it might help if you remove the commented lines, it is pretty hard to work out what is going on in there...
  I agree and I found a bunch of \'s that I missed.  Sorry about that!
  Here's the config stripped of extraneous junk:
  if [[ -n $SSH_CLIENT ]]; then
  PS1='\[\e[0;37m\]: \[\e[1;32m\]\W\[\e[0;37m\] :\[\e[0;37m\]:\[\e[1;33m\]ssh\[\e[m\]\[\e[0;37m\]: ' # WY SSH
  elif [[ ${EUID} == 0 ]]; then ## :root: ~ :
  PS1='\[\e[0;37m\]:\[\e[1;32m\]\u\[\e[0;37m\]:\[\e[0;37m\]: \[\e[1;92m\]\W \[\e[0;37m\]:\[\e[m\] \[\e[0;37m\] ' # WY root
  else
  PS1='\[\e[0;37m\]: \[\e[1;32m\]\W\[\e[0;37m\] :\[\e[m\]\[\e[0;37m\] ' # WY user
  fi
  Edit:  stripped out two comments I'd missed earlier.
  Last edited by MoonSwan (2014-11-19 08:27:27)