Issues with certificates with multiple CNs

Hi,
I manage my own internal Windows Certificate Authority which I use to sign certificate requests for internal web servers. I have an odd issue.
If I create a CSR from a server that has multiple CNs (e.g. 10.1.1.25, *.mydomain.local, www.mydomain.local) FF 9 and FF 10 both complain about the certificate "The connection is not trusted". It would appear FF is only using one of the CNs to validate the site in question. i.e. if I visit the site via 10.1.1.25 I get the warning. If I use www.mydomain.local I do not receive the warning.
Further, I do not have this issue with IE9. Is there something broken with FF and sites that use multiple CNs in their SSL cert? Or perhaps am I doing something wrong when generating the CSR (not that I see how, as it's a standard template I use, and it works flawlessly with IE9 browsers)?
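
The behaviour described in the post above, reproduced as an added example (not part of the original thread): a name matcher run over two constructed certificates in the dict shape Python's ssl getpeercert() returns. The three policies and the SAN-bearing certificate are assumptions made for illustration; last_cn models the single-CN matching the poster observed, and san_only follows the RFC 2818 rule that an IP address is matched only against iPAddress subjectAltName entries.

```python
import ipaddress

# Constructed certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
# MULTI_CN mirrors the request in the post: three CNs in the subject, no SAN.
MULTI_CN = {
    "subject": (
        (("commonName", "10.1.1.25"),),
        (("commonName", "*.mydomain.local"),),
        (("commonName", "www.mydomain.local"),),
    ),
}
# SAN_CERT (assumed alternative): the same names as typed subjectAltName entries.
SAN_CERT = {
    "subject": ((("commonName", "www.mydomain.local"),),),
    "subjectAltName": (
        ("DNS", "www.mydomain.local"),
        ("DNS", "*.mydomain.local"),
        ("IP Address", "10.1.1.25"),
    ),
}
CERTS = {"multi_cn": MULTI_CN, "san": SAN_CERT}
HOSTS = ("www.mydomain.local", "mail.mydomain.local", "10.1.1.25")


def common_names(cert):
    """Return every commonName in the subject, in certificate order."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_match(pattern, host):
    """Case-insensitive label match; '*' is honoured only as the whole
    left-most label and only when at least two labels follow it."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def _cn_matches(cn, host):
    # A CN is untyped text: an IP host can only be compared to it literally.
    return cn == host if is_ip(host) else dns_match(cn, host)


def match_last_cn(cert, host):
    """Assumed legacy policy: only the last (most specific) CN is consulted."""
    cns = common_names(cert)
    return bool(cns) and _cn_matches(cns[-1], host)


def match_any_cn(cert, host):
    """Assumed lenient policy: any CN in the subject may match."""
    return any(_cn_matches(cn, host) for cn in common_names(cert))


def match_san(cert, host):
    """SAN-only policy: DNS hosts against DNS entries, IP hosts against
    IP Address entries (RFC 2818); the subject CN is ignored."""
    sans = cert.get("subjectAltName", ())
    if is_ip(host):
        want = ipaddress.ip_address(host)
        return any(t == "IP Address" and ipaddress.ip_address(v) == want
                   for t, v in sans)
    return any(t == "DNS" and dns_match(v, host) for t, v in sans)


POLICIES = {"last_cn": match_last_cn, "any_cn": match_any_cn, "san_only": match_san}


def evaluate():
    """Run every policy over every certificate and host."""
    return {
        (cname, pname, host): policy(cert, host)
        for cname, cert in CERTS.items()
        for pname, policy in POLICIES.items()
        for host in HOSTS
    }


if __name__ == "__main__":
    for (cname, pname, host), ok in evaluate().items():
        print(f"{cname:9} {pname:9} {host:22} {'match' if ok else 'MISMATCH'}")
```

Only the certificate with typed subjectAltName entries matches all three names under every policy that reads SANs; the multi-CN certificate gives a different answer per client policy, which is the inconsistency between browsers that the post reports.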

Similar Messages

  • Secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) PLEASE HELP ME!!

    I have gone to this website almost everyday for years and I have not changed anything in my internet settings, but now I'm getting this message: secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) The only thing I KNOW I did differently, was I installed a CAC reader to my computer, since then, this has been happening. Is there a setting I can change?? E-mail is: [email protected] Thanks! Megan

    There were recently several users getting this error code who use AVAST 2015. If you recently got that program, please see:
    * [https://support.mozilla.org/questions/1029578 Can NOT access https://www.google.com for google voice, mail etc.]
    * [https://support.mozilla.org/questions/1028985 Avast Forum connection failed - works in Chrome etc.]
    * [https://support.mozilla.org/questions/1028190 Since last FF update I can't sign out of Yahoo and when I close FF it tells me it has crashed.]

  • Issues with certificates with both Firefox and chromium

    I tried everything ... I reinstalled both of them.
    I canceled the profile and made new ones.
    I checked on all my other computers whether they have issues with certificates: no problem at all.
    Checked the date, is ok.
    Finally I checked what is installed on the system related to the problem ..
    # pacman -Q|egrep '(openssl|curl|ca-cert)'
    ca-certificates 20140325-1
    ca-certificates-java 20140324-3
    curl 7.37.1-1
    lib32-curl 7.37.1-1
    lib32-openssl 1.0.1.i-1
    openssl 1.0.1.i-1
    python2-pyopenssl 0.14-3
    or if there is an issue with a library ..
    # ldd `which curl`
    linux-vdso.so.1 (0x00007fffd2a48000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f8a1c4d9000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f8a1c2c3000)
    libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f8a1c0a5000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f8a1bcf7000)
    libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f8a1bace000)
    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f8a1b860000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f8a1b44e000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f8a1b203000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f8a1af22000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f8a1acf0000)
    libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f8a1aaec000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8a1c747000)
    libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f8a1a8e8000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f8a1a6db000)
    libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007f8a1a4d7000)
    libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f8a1a2c0000)
    I tried using a virtual machine on the same machine with Ubuntu installed: no problem.
    Any idea?
    Last edited by saronno (2014-08-15 12:37:44)

    # curl -v https://areaclienti187.telecomitalia.it
    * Rebuilt URL to: https://areaclienti187.telecomitalia.it/
    * Hostname was NOT found in DNS cache
    * Trying 62.77.57.164...
    * Connected to areaclienti187.telecomitalia.it (62.77.57.164) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using TLSv1.0 / AES128-SHA
    * Server certificate:
    * subject: C=IT; ST=Italy; L=Pomezia; O=Telecomitalia; OU=ADM.AP.PM.WO; CN=areaclienti187.telecomitalia.it; emailAddress=[email protected]
    * start date: 2013-10-08 10:06:37 GMT
    * expire date: 2014-10-08 10:06:37 GMT
    * common name: areaclienti187.telecomitalia.it (matched)
    * issuer: C=IT; O=I.T. Telecom; OU=Servizi di certificazione; CN=I.T. Telecom Global CA
    * SSL certificate verify ok.
    With curl no problem at all.
    Last edited by saronno (2014-08-15 19:10:09)

  • Sign with certificate with 'non-repudiation' key usage only

    Hello,
    We are facing a problem validating digital signatures created by our partners with Adobe Reader. When validating the signature, we get the general 'The signer's identity is invalid' error. The Signature properties -> Certificate tab reports a warning "The selected certificate has errors: Not valid for usage".
    The key usage extension in the certificate that our partners use for signing contains only the 'non-repudiation' element. Still, the intended usage shown on the certificate summary tab is "Sign document".
    The main question is whether the problem is related to the specific value of the key usage extension, or has a different root.
    Thanks in advance,
    Ken

    Hello Steve,
    Thank you very much for the document. In the meantime, we've got permission from our partners to share with you one of the documents we've exchanged with them before. I have uploaded it to Google Docs (https://docs.google.com/open?id=0B1wk9toh5e7AbWNlVGZoY2thY1U), as the forum doesn't allow me to attach documents to a message. In case you're not familiar with Google Docs, simply go to the File->Download menu after opening the link in the browser, and you will be able to retrieve and save the original document locally.
    Do I still need to ask them to sign the document you attached above as well?
    We really appreciate your efforts in this regard,
    Ken Ivanov

  • Clients connect to wifi with certificate that expires every month - correct way to handle expired certificates?

    Hi all
    I'm sorry if this is the wrong forum to ask this question. Also my knowledge in this area is somewhat limited, which is why I need your help :-)
    We use wireless networks primarily in my company for all our clients and use a certificate to authenticate to the network. This certificate expires after 1 month and we automatically renew them 1 week before expiry. Relatively often we have users that are not connected to the network for a few weeks or more and then the certificate expires before being renewed. Then we have to connect them to the wired network to get the certificate updated, so they can connect to the wireless network again.
    What is the correct approach to solve this issue? We feel extending the life of the certificate would be too big a security compromise. Is there some way you could automatically allow an expired certificate briefly with the sole purpose of renewing the certificate?
    Or how would you normally resolve this issue?
    Thanks for any help/knowledge you can provide :-)

    > Setting the validity period that high, means that the certificate could be cracked before expiry.
    Then you should be scared of CAs whose validity is 10 or more years. And they use the same cryptography as end-entity certificates (key length and signature algorithms). It is paranoia. Just make sure that client certificates use at least 2048-bit keys and use the SHA1 (or better) signature algorithm. In this case there is little chance that the certificate will be successfully cracked in 2 years.
    If there is evidence (or indications) of client private key compromise -- immediately revoke the certificate and publish a new CRL ASAP. You cannot protect clients from key compromise by using short-lived certificates, because key compromise is usually achieved by gaining control over the private key (malware on the client computer). Therefore, there is nothing wrong with issuing client certificates with 1 or 2 year validity.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com

  • SSL Cert. Request with multiple CNs?

    Greetings to all of the Gurus out there!
    Is it possible to generate a Certificate Request within iMS (version 5.2) that will handle multiple CNs? In other words, we could request a certificate that would work for mail.foo.com, pop.foo.com, imap.foo.com, etc., etc. Or, failing that, is it possible to somehow create and register multiple certs to accomplish this?
    I know how to do this by using OpenSSL, but if I do that, then iPlanet doesn't know about the private OpenSSL key that I used to generate the certificate.
    Any help is appreciated.

    Hi,
    > If the installation is stand-alone I don't know of a way to specify more than one certificate for each service. So if I recall properly, based on iMS 5.2 experience, I can insert 1 cert in the msg-serv and this is used by all services: smtp, imap, http.
    Correct - for a stand-alone installation.
    > What I am not sure of, and this is where someone who has taken this further, is if I am obligated to use the hostname that the msg-serv is running on as my cert's cn?
    No, you aren't obligated to use the hostname. You can use any name you want - you specify the name to be presented to clients during the certificate request stage.
    > In my case the msg-serv instance is running on the host: kady-amd.education.ucsb.edu and i would prefer to have 1 cert that was listed as from mail.education.ucsb.edu
    Yep, sounds like a plan to me. This way your users only have to remember one address. Also if you decide to expand later (e.g. add in an MMP proxy and multiple backend hosts) you can just copy the certificate database files to the MMP, repoint the mail.education.ucsb.edu IP address and away you go.
    > I am wondering if this will require at the OS level, a virtual hostname set up or can I do this with msg-serv ?
    All you need is the DNS record for mail.education.ucsb.edu to point at the IP address of the standalone system.
    Regards,
    Shane.

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message “Authentication failed”.
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event log ID 300:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly; you must add the CA and the ADFS as well, which is twice, as you can see in my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • Windows Server 2008 R2 with multiple Roles OS Rebuild, Need help with Certificates.

    Hi,
    I have rebuilt a server for my client and I require help with certificates.
    I am unsure exactly what to do to get this server working as it was.
    For example, the Windows Server 2008 R2 has Microsoft Exchange, DNS, DHCP, ADDS, File Services, Network Policy and Access Services and Web Services roles installed on a single box.
    Since the server OS rebuild I am getting 2 issues that pop up, usually when Outlook is opened on a client workstation.
    I have not done anything certificate-wise to the server since the OS install, and the messages I get are best described here.
    I saw a few certificate files on a backup drive. I don't know if we can use these files for anything, but we have the following files on drive E (Backup):
    e:\server.xxxx.com.au\gd_iis_intermediates.p7b
    e:\server.xxxx.com.au\server.xxxx.com.au.crt
    e:\ssl\2013-2018.cer
    1st Message is about a proxy certificate. I don't get this often, but I saw it today and my client clicked OK too quickly.
    I have seen it and didn't see it again after trying to close Outlook and reopen it.
    I looked up Google Images and tried to find it...
    It's like this: (There is a problem with the proxy server's security certificate.
    The security certificate is not from a trusted certifying authority.)
    2nd Message is about Security Alert, Autodiscover.xxxx.com.au: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
    -X- The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority
    -TICK- The security certificate date is valid
    -X- The name on the security certificate is invalid or does not match the name of the site
    Do you want to proceed
    [Yes][No][View Certificate ...]
    3rd Message is very close to the 2nd Message. It is about Security Alert, xxxx-server.xxxx.local: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
    -X- The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority
    -TICK- The security certificate date is valid
    -TICK- The name on the security certificate is invalid or does not match the name of the site
    Do you want to proceed
    [Yes][No][View Certificate ...]
    Could you help guide me through this, as I'm very new to setting up certificates? I had a friend tell me about something in DNS, but he has been super busy and I want to learn what to do.
    Thank-You.

    Hiya,
    Quite a lot of people have the same confusion as you do, so I've written a simple explanation on the subject of certificates:
    http://jesperarnecke.wordpress.com/2014/03/22/certificates-simple-explanation/
    Let me know if that helps you and if you need further assistance.

  • SHA256 certificate with Signature Algorithm as RSASSA-PSS not supported in FireFox but it is the only option available

    I have just built a new PKI infrastructure for issuing SHA2 certificates. When I duplicate a template and set it up to use KSP instead of CSP to enable SHA2 signing, the only provider I have available is the Microsoft Software Key Storage Provider, which translates into RSASSA-PSS. I am also allowing the private key to be exported because the cert and key need to be placed on multiple servers, such as in a cluster.
    I am finding that Firefox does not support certificates which use RSASSA-PSS and have tracked it to a few Bugzilla reports. IE and Chrome appear not to have any problem with this.
    I want to change the provider to something that Firefox supports while still being able to issue SHA2 certs. I am finding that if I unmark "Allow Key to be Exported" on the template when I build it, other options for providers appear.
    I need to be able to support the big 3 browsers: IE, Firefox, and Chrome, while still allowing the key to be exported. I used AlternateSignatureAlgorithms=1 for the capolicy.inf file on both the offline root and intermediate CAs. I read a post somewhere that changing the root to AlternateSignatureAlgorithms=0 and renewing the intermediate CA certificate could solve the problem, but I do not understand how I can obtain a SHA2 certificate for the intermediate if that is not enabled.
    I could use some assistance with this if someone knows how to make this work. Many thanks.
    Brian B.

    Brian,
    There is no correlation at all between the AlternateSignatureAlgorithms=1 or 0 line and the use of SHA256. In my book, it is recommended when you get into the weirder combinations (Elliptical curve versions, etc.).
    If you do as you plan (using AlternateSignatureAlgorithms=0), then the CA certificates will show Sha256RSA as the signature algorithm and be universally accepted.
    As you stated...
    1) Change the capolicy.inf on the root CA and renew the root CA certificate.
    2) Change the CAPolicy.inf on the issuing CA and renew the issuing CA certificate.
    Now start issuing the KSP certificates; they will be usable on Firefox.
    Brian 

  • Error in authentication with ldap server with certificate

    Hi,
    I have a problem authenticating with an LDAP server using a certificate.
    Here I am using the Java API to authenticate.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
    I issued the new certificate, which is valid for up to 5 years.
    Will Java authenticate up to one year only?
    Can anybody help with this issue?
    Regards
    Ranga

    Sorry, I am getting the same error:
    javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    Here, when I use the old certificate and change the system date, I can get the authentication.
    Can you tell me where we can concentrate to solve the issue?
    Where is the issue:
    1. Need to check with the LDAP server only
    2. Problem in the Java code only.
    thanks in advance

  • Problems in using a certificate with  different versions of JVM

    Hi friends,
    I am facing a typical problem:
    I have to use a certificate which uses the sha1DSA signing algorithm to contact a web service (I am coding a client). I was using J2SDK_1.4.1_02 before. I added the certificate to the keystore and it was working fine. But when I upgraded my JRE to 1.4.2_13 the same code doesn't work. I got the following exception:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA12275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:570)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(DashoA12275)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.post(HttpSOAPConnection.java:263)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(HttpSOAPConnection.java:151)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:121)
         at TestRequest.getCustomerInfo(TestRequest.java:60)
         at TestRequest.main(TestRequest.java:122)
    After some investigation I found that this JRE accepts only certificates with the sha1RSA signature algorithm. Please help me if anybody knows why this occurs, or whether this is an issue to be addressed on the server side.

    Hi Michal,
    Keeping in mind the recommendations of the Production Checklist...
    All other things being equal, homogenous deployments are usually less prone to surprises.
    But JDK 1.6 is noticeably faster than JDK 1.4, and features much better JMX support as well, so it's probably the better option.
    Jon Purdy
    Oracle

  • Office 2010 created PDF only bringing up Work with Certificates option with Signing

    When creating PDF documents with Microsoft Word 2010, the only Sign option showing is Work With Certificates and is greyed, I Need To Sign and Get Others to Sign is missing.  My previous PC with Windows 7/Office 2010 and Reader Xi was able to sign documents.  I'm also able on my old XP machine to create a dummy pdf in Word 2010 and sign it in Reader, and on my Windows8/Office 2013/Reader Xi PC.  Any idea as to where this might have been broken?
    With the PDF file created in 2013, I Ctrl+D'd to get the security settings as it's commonly suggested that electronic signatures is failing because of a setting there, however I'm still able to sign it with Signing: Not Allowed and get the full signing menu instead of the Work With Certificates.

    Hi,
    If you meet any problems when using our products, you can post the question here. Please post one question in a single thread, and the question should be posted in the proper forum.
    The current forum is for Office 2010 - Planning, Deployment, and Compatibility.
    Just as Don mentioned, you may have multiple questions and some of them are not well placed, post them to the correct forum to get the specific support.
    Regards,
    Melon Chen
    TechNet Community Support

  • Is there a way to make a self-signed client certificate with keytool...

    Is there a way to make a self-signed client certificate with keytool
    that will install successfully into the personal store in IE?

    Hi,
    It is possible to make a self-signed client certificate with keytool, and I am successfully using one in my dummy application.
    The first thing you need to do is create a keystore and generate the key pair. You could use a command such as the following:
    keytool -genkey -dname "cn=Mark Jones, ou=JavaSoft, o=Sun, c=US"
    -alias business -keypass kpi135 -keystore C:\working\mykeystore
    -storepass ab987c -validity 180
    (Please note: This must be typed as a single line. Multiple lines are used in the examples just for legibility purposes.)
    This command creates the keystore named "mykeystore" in the "working" directory on the C drive (assuming it doesn't already exist), and assigns it the password "ab987c". It generates a public/private key pair for the entity whose "distinguished name" has a common name of "Mark Jones", organizational unit of "JavaSoft", organization of "Sun" and two-letter country code of "US". It uses the default "DSA" key generation algorithm to create the keys, both 1024 bits long.
    It creates a self-signed certificate (using the default "SHA1withDSA" signature algorithm) that includes the public key and the distinguished name information. This certificate will be valid for 180 days, and is associated with the private key in a keystore entry referred to by the alias "business". The private key is assigned the password "kpi135".
    Also, please go through http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
    This would help you better.
    Bye,
    Arun

  • Error at AS2 adapter level...There is no certificate with such alias

    Hi All,
    I am sending the 856 message through the AS2 adapter to a partner and I got the below error at the adapter level.
    Unable to forward message to JCA adapter. Reason: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: java.security.PrivilegedActionException: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: There is no certificate with such alias, SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: java.security.PrivilegedActionException: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Th
    Exception caught by adapter framework: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: java.security.PrivilegedActionException: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: There is no certificate with such alias, SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: java.security.PrivilegedActionException: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Th
    The certificate has already been uploaded and the AS2ID is defined as one of the identifiers of the party.
    Does anyone have any idea what might be wrong? Did I miss anything?
    Waiting for your answers.
    Regards
    Lex

    I am having the same issue.
    I receive the com.seeburger.ksm.cryptoapi.exception.CryptoApiException: java.security.PrivilegedActionException
    message plus the "unable to find alias name TRUSTED\".
    It appears that after the outbound message is transformed to XML in XI, then sent to Seeburger's BIC for EDI format translation, then sent to AS2 for encryption/transmission, the AS2 adapter cannot find the key store that holds the certificates I am using.
    Am I missing some configuration that points to the keystore I need?
    Thanks for any and all responses.
    Andy

  • Wildcard SSL Certificates with MFE?

    Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
    We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
    Before doing anything I figured I'd try a website that used a wildcard certificate.
    When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
    My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
    If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
    Thanks.

    This is an interesting question. I look forward to testing this myself.
    What kind of cert & website did you use in your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com ? AFAIK a wildcard doesn't match addresses consisting of the domain part only, so the latter one might not work.
    Help spreading the knowledge — If you find my answer useful, please mark your question as Solved by selecting Accept this solution from the Options menu. Thank you!
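
The wildcard question raised in the reply above (a `*.example.com` certificate requested as `https://something.example.com` versus `https://example.com`), as an added example that is not part of the original thread. It applies the conservative RFC 6125 matching rules and also covers IP literals, which goes beyond the reply; the function names `match_dns_name` and `cert_covers` and the sample names are constructed for illustration, and individual clients may apply stricter or looser rules.

```python
import ipaddress

def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    # Accept only a single "*" that is the whole left-most label, and
    # (assumed policy) require at least two fixed labels after it.
    if p_labels[0] != "*" or pattern.count("*") != 1 or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers(requested: str, dns_names, ip_addresses) -> bool:
    """Check a requested host against a certificate's DNS and IP entries."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        return any(match_dns_name(p, requested) for p in dns_names)
    # IP literals are compared with IP entries only, never with wildcards.
    return any(ip == ipaddress.ip_address(a) for a in ip_addresses)

# Constructed sample certificate contents (not taken from the thread).
DNS_NAMES = ["*.example.com"]
IP_ADDRESSES = ["192.0.2.10"]

if __name__ == "__main__":
    for host in ["something.example.com", "example.com",
                 "a.b.example.com", "192.0.2.10", "192.0.2.11"]:
        print(f"{host:24} {cert_covers(host, DNS_NAMES, IP_ADDRESSES)}")
```

A certificate meant to serve both the bare domain and its subdomains therefore needs both `example.com` and `*.example.com` listed as names.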
