Make client to trust server's certificate?

hi,
I am new to SSL, and I ran into this problem:
I have a simple https server (written in java) which gives out a certificate to its https client (written
in C++, Win Inet API). Server certificate is generated using java keytool command:
"keytool -genkey -keystore certs -keyalg rsa -alias jamie -storepass serverkspw -keypass serverpw"
Each time the client gets a certificate, a "security alert" window pops up saying "The certificate issuer
for this site is untrusted or unknown. Do you wish to proceed?" with "YES", "NO", ... choices.
Is there a way to get rid of this pop up window? So the client can "trust" the https server??
Any ideas/comments welcome.
Thanks.
jk

Yes - you need to get your certificate signed by one of the Certificate Authorities (CAs) whose root certs are in your client's "trusted certificate" storage. The general approach is to ask a CA (like, say, Verisign or Thawte) to sign your server cert. You do this by generating your cert, then generating a CSR (Certificate Signing Request) and sending the CSR to the CA. The CA sends your cert back with their root cert at the top of the cert chain. The client will then trust your cert, because it trusts the CA.
The other way to achieve this is to arrange for your client to store your cert in their "trusted store". Specific steps depend on the client. I don't recall where the Inet API looks for its trusted-cert storage.
Grant

Similar Messages

  • Wireless clients not trusting well-known Certificate Authorities by default??

    I'm using PEAP-MSCHAPv2 for wireless authentication.  The radius server is a Windows 2008 server running NPS.  The clients consist of a bunch of laptops (mostly running Windows).  Not all of these laptops are members of Active Directory.  So, pushing any type of policy out to all clients isn't feasible (ie. using a private PKI and using AD to push the server cert and wireless config to all domain members).  So we decided to use a public PKI and obtained a certificate for our radius server through a well known CA.  So far, so good.
    When clients go to connect, they still get a nasty warning saying:
    --START--
    The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to security risk by a possible rogue server.
    Details
    Radius Server:           $radius
    Root CA:                    $ca
    The server "$radius" presented a valid certificate issued by "$ca", but "$ca" is not configured as a valid trust anchor for this profile. Further, the server "$radius" is not configured as a valid NPS server to connect to for this profile.
    --STOP--
    (I replaced the actual radius server name with $radius and the CA with $ca).
    Doing a little digging, it appears this is just the expected behavior of the Windows wireless client???  What's the point of getting a signed cert by a well-known CA if the client is still going to get a nasty warning like this?
    Web browsers certainly don't behave like this.  The only difference between a web browser and the wireless client is with a browser, you're always going after a URL (ie, you can match what the browser wants to connect to versus what the CN on the server's cert comes back with) whereas on the wireless client, you generally won't know the radius server you're going to authenticate against.  But, in either scenario, the server's cert is signed by a well known CA.
    I found a nice post that mentions this, but no solution:
    http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/26886f09-e424-48da-9ecc-cf7efd9dccc0
    Well, I suppose a solution is to manually configure the client to trust certs issued by the CA and/or configure my radius server in the connection profile.  But that requires configuring each client.  And there's no way we can use AD to push a policy/cert to all clients.
    So my questions are:
    -is this really the expected behavior?
    -so browsers generally trust the default CAs whose certs are stored on the OS by default but the wireless adapters don't?

    This is a limitation of the Windows wireless client.
    http://support.microsoft.com/kb/2518158
    Somewhere there was an article that described that the Microsoft wireless client does not trust public root CAs by default.  Using a 3rd party utility like Intel PROSet trusts all the 3rd party root CAs by default, so you don't get this message.
    Please respond to Microsoft and voice your problem; maybe they will fix their wireless client to trust public root CAs.
    Justin.

  • Sending a certificate form the client to the server... how to ?

    How can I send a certificate from the client to the server through Java code?

    Short answer: You specify a keyStore.
    Either via command line using the -Djavax.net.ssl.keyStore=keystorefile property,
    or in Java code:
    import java.io.FileInputStream;
    import java.net.URL;
    import java.security.KeyStore;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    char[] passphrase = "password".toCharArray();
    SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");
    // KeyStore holding the SSL client certificate and its private key
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(new FileInputStream("client-cert.p12"), passphrase);
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
    keyManagerFactory.init(keyStore, passphrase);
    // KeyStore holding the trusted server certs or CAs
    KeyStore trustedKeyStore = KeyStore.getInstance("JKS");
    trustedKeyStore.load(new FileInputStream("verisign-test-cert"), passphrase);
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
    trustManagerFactory.init(trustedKeyStore);
    ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
    SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
    // open the HTTPS connection to the other party (placeholder URL)
    URL myURL = new URL("https://example.com/");
    HttpsURLConnection myConn = (HttpsURLConnection) myURL.openConnection();

  • How to make Client instantly recieve msg from Server

    Hello! I'm trying to make a multiplayer game via Bluetooth (RFCOMM protocol) in J2ME. I already managed to detect devices both as a client and as a server. I also managed to send real-time message from client(s) to server in the following way:
    // Pauses thread until Transmission occurs
    StreamConnection conn = notifier.acceptAndOpen();
    read_msg(conn); // this is the function which reads the data received from the client
    But when I try the above as a client I got some exception, but never mind actually.
    Here is the actual problem:
    I want to be able to send a message from server to client whenever I press a key so that the client instantly receives that message.
    Now the only thing that comes to my mind is to periodically check (i.e. every 50 ms) StreamConnection and watch for some changes like this.
    while (true) {
        InputStream input = conn.openInputStream(); // conn is of type StreamConnection
        // now I check whether the message received is a new one, or whether I have actually received a message at all
        // here I pause the thread for e.g. 60 ms
    }
    But that would be extremely CPU heavy and foolish, wouldn't it?
    So is there a smart way to register when client gets a message from server?
    Please give me some example for client side.
    Edited by: leden on Sep 27, 2007 3:07 PM

    One more question.
    I have a server and many clients. Let's say I had already received the first message from every client with this piece of code:
    for (int current_client = 0; current_client < MAX_CLIENTS; ++current_client) {
        // notifier is of type StreamConnectionNotifier
        StreamConnection conn = notifier.acceptAndOpen(); // wait for transmission to occur
        String response = read_msg(conn); // read_msg actually reads the message
    }
    Now, at some other moment I want to send a message to one of the clients .
    How could I do that?
    Do I have to add this command in the for loop above, perhaps?:
    conn_client[current_client] = conn;
    then simply reply by doing:
    OutputStream output = conn_list[who_I_want_to_send_msg_to].openOutputStream();
    and then the code like in my first post
    OR this whole procedure is totally wrong?
    Please explain to me what openOutputStream() actually does.
    Edited by: leden on Sep 30, 2007 8:51 AM

  • Trust the server's certificate

    hello
    I have a certificate already generated by the server and I do not know its alias. How can I:
    - to export the server certificate from the certs keystore.
    with keytool:
    keytool -export -keystore "java.home"/lib/security/cacerts -alias jamie -file server.cer
    but I had the error: alias does not exist.
    somebody will be able to give me an indication thank you .

    You can always use the "keytool -list" to print all the aliases in a keystore.
    BTW, are you sure your certificate is inside "java.home"/lib/security/cacerts? That's the root CA collection that comes with the JRE.

  • HTTPS Without client authentication shows error of Certificate

    Hi Experts,
    I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.
    I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI.  Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.
    However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.
    Any comments on why would it be happening ?    In fact whatever option in HTTP Security level I select, error remains same. In NWA is there any other configuration to be done to make this work ?
    Is below understanding right ?
    -- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
    Thanks..
    regards,
    Omkar.

    Hello Omkar,
    What you are trying to do is consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for the late response, I just came across this post when I was searching for something else).
    1) How did you generate the certificate and the private key? Key generation plays a big part in it. The key should have been signed by a CA. Even if it's not signed by a CA, a trick which would work is, at the time of key generation, to provide the Organization Name as SAP Trust Community and Country as DE.
    2) At the time of Key Generation definitely it shall ask for a password. You remember that.
    3) Export the private key in PKCS12 format and the certificate in Base64 format and have them on your local system (they shall be used later in SOAP UI and NWA).
    Here follows the major part
    4) Open NWA and go to Configuration Management->Authentication
    5) Go to the Properties tab and click Modify
    6)  Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
    7) Now go to the Components Tab.
    8) Search for the client_cert Policy Configuration name and edit it. Make sure the following Login Modules are maintained in the same order
    ==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
           Flag : Sufficient
    ==> Name: BasicPasswordLoginModule
           Flag: Optional
    9) Now select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add a new entry (case sensitive). Save it.
    ==>Name: Rule1.getUserFrom
           value : wholeCert
    10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter
    and edit it.
    11) Under the Authentication stack select the template client_cert against the used template label. and save it
    12)If you are using AXIS Adapter, do the steps 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
    13) Now in NWA navigate to Operation management->Identity Management
    14) Search for the user PIISUSER (or any user id which you think has a good amount of authorizations to access the service)
    15)Click Modify and go to the TAB Certificates and upload the certificate (not the private key) which you downloaded in step 3.
    16) With this setup what you have done is you have created proper certificate, enabled certificate based logon for SOAP and AXIS adapter and associated the certificate with a user id.
    17) Usually in dual stack PI, we will have the same certificate added to the server PSE in the STRUSTSSO2 tcode. But since it's a single stack, just make sure in Certificates and Keys you add this certificate to the Trusted CAs and also to the Server Keystore.
    18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key
    19) In SOAP UI under the operation name, in the Request, instead of providing user credentials, choose the private key name against the SSL Keystore entry.
    20) Before you execute the scenario make sure you have chosen the HTTPS url and the https port is proper. Usually it's 443, but some customers configure their own port.
    Scenario should work now. Else if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.
    Good Luck!!
    Best Regards,
    Sundar

  • Getting XP Clients to trust ACS Self sign Cert

    Hi,
    I'm implementing ACS 4.0 to provide PEAP Security on a customers WLAN. I'd like to use the Self signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customers Servers to install CA unless I really have to (deniability!!).
    My question is, how do I get the XP Clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?
    Due to the range of client adapters on the network and the only common factor being that they all run XP SP2, I plan to use the 'wireless zero configuration' option on those clients.
    I presume I have to tick the relevant CA box on the client trust list, but how do I get the cert to appear in that trust list?
    Regards all,
    Dan

    Thanks for your reply,
    I need to validate the server certificate to strengthen against 'man in the middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.
    There must be a way of adding that CA to the Clients Certificate Trust List?
    This network will be the subject of a Pen test when it's finished and I need to make it as secure as possible.
    I know EAP-TLS is stronger, but certificates on all the clients are too cumbersome to manage (customer's point of view).
    At least using this method (if implemented properly), The customer only has to maintain the Server cert every year.
    Regards,
    Dan

  • Office web apps server (2013) certificate issue

    If the name of the farm is different from the name of the individual office web apps server machine is there any way to deploy office web apps server with a single domain SSL certificate? 
    My office web apps server is working, but reporting itself unhealthy, apparently due to the fact that the SSL cert is for the name of the farm and that is different from the name of the machine. 
    Errors are 2004, 1004, 2156, 1156, "could not establish trust relationship for the SSL/TLS secure channel"
    Going to the farm's discovery URL in the browser works fine, but going to the machine name (plus /hosting/discovery) gives an SSL error because the name of the farm is not the same as the name of the machine. 
    Is there any way to make it use the farm's URL instead of the machine's URL in its own internal watchdog operations? Or any way to make it use a self signed certificate on the machine's URL for its own health checks and still use the legitimate purchased SSL cert for user access? Or any other way you can think of to use a $5.99/yr single domain certificate instead of a $89.99/yr multiple domain certificate?
    Bill Coulter

    I am experiencing this same issue.  The OWA server has sp1 installed.  In the OWA event logs I am getting health fails for 2 events and as best I can tell it seems to be related to this issue.
    We are also using a single GoDaddy certificate with a non-machine-name FQDN.  Both internal and external URLs of the OWA farm are set to this same name.
    The problem only seems to occur with the 'Proofing Watchdog' (See events below).
    Has anyone got any update on whether this is supposed to be fixed ?
    <?xml version="1.0" encoding="utf-16"?>
    <HealthReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <HealthMessage>ProofingWatchdog reported status for Proofing in category 'PositiveWeb'. Reported status: Spelling attempt exception for "good": System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---&gt; System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
    <?xml version="1.0" encoding="utf-16"?>
    <HealthReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <HealthMessage>ProofingWatchdog reported status for Proofing in category 'NegativeWeb'. Reported status: Spelling attempt exception for "baad": System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---&gt; System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception 

  • Missing the "Microsoft Exchange Server Auth Certificate"

    Hi Everyone,
    I have a single Exchange box.
    Was integrating my Lync and Exchange and noticed some issues after configuring my Lync pre-reqs: http://technet.microsoft.com/en-us/library/jj721919.aspx
    Following the line of communication and event logs, I quickly saw that the error was not on my Lync Server, but on my Exchange.  The "Microsoft Exchange Server Auth Certificate" that is created during Ex2013 install was missing.
    It was not there to give out tokens for the Server to Server authentication required to integrate Lync, Exchange, and Sharepoint.
    Running Get-AuthConfig: http://technet.microsoft.com/en-us/library/jj215766(v=exchg.150).aspx pointed to a thumbprint that did not exist anymore.
    I confirmed this by checking the local cert store (local computer>personal>certificates), looking in the ECP (servers>certificates), and also running Get-ExchangeCertificate
    In my Exchange Server event log, I found the following errors: 
    Log Name: Application
    Source: MSExchange Certificate Deployment
    Date: 6/8/2014 4:00:50 AM
    Event ID: 2005
    Task Category: General
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: server.domain.com
    Description:
    Federation or Auth certificate not found: ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation
    Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.
    Event Xml:
    2005
    3
    1
    0x80000000000000
    2391484
    Application
    server.domain.com
    ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3
    AND
    Log Name: Application
    Source: MSExchange OAuth
    Date: 6/8/2014 1:25:41 PM
    Event ID: 2004
    Task Category: Configuration
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: server.domain.com
    Description:
    Unable to find the certificate with thumbprint ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3 in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.
    Event Xml:
    2004
    3
    2
    0x80000000000000
    2397430
    Application
    server.domain.com
    ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3
    Googling has only produced one article that is about another issue that I would have found further down the line if I wasn't testing within the pre-reqs.  The solution is the same, but the article is somewhat poorly written and does not respond to all the comments enough to leave one feeling it's 100% correct.
    http://blogs.technet.com/b/jenstr/archive/2012/11/22/getting-internal-server-error-500-when-creating...
    The broad strokes are clear:
    The fix is to create a new "Microsoft Exchange Server Auth Certificate" by using the following sequence of cmdlets In EMS on the MBX server:
    1. New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services smtp
    Do not accept to replace the SMTP certificate when prompted
    2. Note the thumbprint of the new certificate. Let us assume it is 7A39541F8DF58D4821967DD8F899B27410F7C081
    3. $a=get-date
    4. Set-AuthConfig -NewCertificateThumbprint 7A39541F8DF58D4821967DD8F899B27410F7C081 -NewCertificateEffectiveDate $a
    Accept to continue despite the fact that the certificate effective date is not 48 hours into the future
    5. Set-AuthConfig -PublishCertificate
    6. Make sure to remove any potential reference to the previous certificate (which might not exist anymore) by doing Set-AuthConfig -ClearPreviousCertificate.
    Remember to do iisreset on both CAS and MBX servers. Then finally, you can try to re-issue the New-CsPartnerApplication cmdlet.
    65 Million Dollar question:
    Is the syntax in part 1 correct?  Two people say to add the domain.  Jens responds, but it's vague.  What would the correct command look like?  I do not know where to add -DomainName within the command or which name I should add.  The FQDN of the CAS?
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp
    Thank you everyone

    Hi,
    Yes, we need to specify a valid FQDN for either the Subject or the DomainName parameter. Please run the following command:
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp
    Then follow the other steps in your posting to re-create the Microsoft Exchange Server Auth Certificate.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Validating a server's certificate

    I am writing an app that does an https post of a request and gets a result returned. The company that I am interacting with has a certificate from verisign. I know nothing about certificates! I need to validate their certificate in code as I do this transaction. I need to validate that their cert is current, check the authority and the url. Anyone have an example of this type of action? Do I do this right before the post or does this happen during the post? Sorry I am such a newbie!
    Thanks!
    Bill

    Hello!!!
    I have a similar problem. I need to validate a client certificate against my server. I'm researching this field and I've learned some things. You need to have one keystore; this is the place where the certificates are stored. In this keystore you need to have the CA root certificates (Certificate Authority or similar), so to speak, the trusted certificates (Verisign, Thawte, etc.). Your application trusts these entities by default. You can add more entities when you want; you only need the CA root certificates to import them. Afterwards, you need to validate a client certificate against this keystore, so the client cert must carry a signature from a CA that is inside it. Then we validate the cert by asking the keystore whether the client cert exists inside it: first look for the same CA root that the client cert has, and if this CA root exists then we look for the final client cert, and if this certificate exists then the process is OK.
    This is the process, more or less. I'm sorry if I can't explain it better; you can read more about this in the Java tutorial, the JSSE tutorial, or the JCE tutorial.
    If you have installed J2SE on your machine, you will see the keystore in C:\Documents and Settings\<your_user>\.keystore
    and c:\j2sdk1.4.1_02\jre\lib\security\cacerts
    This is my code. It works, but I need to finish it:
    package autenticacion;

    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.security.KeyStore;
    import java.security.Security;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.Collection;
    import java.util.Enumeration;
    import java.util.Iterator;
    import java.util.Vector;

    public class TestCert {
        KeyStore keyStore;
        String keyStorePath;
        char[] keyStorePassword;

        public TestCert() {
            this.keyStore = null;
            this.keyStorePath = "";
            this.keyStorePassword = null;
        }

        public TestCert(KeyStore keyStore, String keyStorePath, char[] keyStorePassword) {
            this.keyStore = keyStore;
            this.keyStorePath = keyStorePath;
            this.keyStorePassword = keyStorePassword;
        }

        public static void main(String[] args) {
            FileInputStream keyStoreIStream = null;
            try {
                String keyStorePath = "D:/JAVA/j2sdk1.4.1_02/jre/lib/security/cacerts"; // "c:/Documents and Settings/instalador/.keystore";
                char[] keyStorePassword = "changeit".toCharArray(); // "password".toCharArray();
                String pathFileName = "c:/mykeyFile.cert";
                // dynamically set SunJSSE as a security provider
                Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
                // Open the keystore file.
                try {
                    // Open the stream to read in the keystore.
                    keyStoreIStream = new FileInputStream(keyStorePath);
                } catch (FileNotFoundException e) {
                    // If the path does not exist then a null stream means
                    // the keystore is initialized empty. If an untrusted
                    // certificate chain is trusted by the user, then it will be
                    // saved in the file pointed to by keyStorePath.
                    keyStoreIStream = null;
                }
                // Create a KeyStore Object
                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                // Init the Keystore with the contents of the keystore file.
                // If the input stream is null the keystore is initialized empty.
                keyStore.load(keyStoreIStream, keyStorePassword);
                // Close keystore input stream
                if (keyStoreIStream != null) {
                    keyStoreIStream.close();
                    keyStoreIStream = null;
                }
                // Array holding all the certificates the peer sends us.
                // X509Certificate[] chain = (X509Certificate[]) request.getAttribute("java.security.cert.X509Certificate");
                // isChainTrusted
                TestCert test = new TestCert(keyStore, keyStorePath, keyStorePassword);
                X509Certificate[] cert = test.getCertFromFile(pathFileName);
                test.getAcceptedIssuers();
                System.out.println(test.isChainTrusted(cert));
            } catch (Exception e) {
                e.printStackTrace();
                System.out.println("main Error: " + e.toString());
            } finally {
                try {
                    if (keyStoreIStream != null) {
                        keyStoreIStream.close();
                    }
                } catch (Exception e) {
                    e.printStackTrace();
                    System.out.println("main Error: " + e.toString());
                }
            }
        }

        // getAcceptedIssuers retrieves all of the certificates in the keyStore
        // and returns them in an X509Certificate array.
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] X509Certs = null;
            try {
                // See how many certificates are in the keystore.
                int numberOfEntry = keyStore.size();
                // If there are any certificates in the keystore.
                if (numberOfEntry > 0) {
                    // Create an array of X509Certificates
                    X509Certs = new X509Certificate[numberOfEntry];
                    // Get all of the certificate aliases out of the keystore.
                    Enumeration aliases = keyStore.aliases();
                    // Retrieve all of the certificates out of the keystore
                    // via the alias name.
                    int i = 0;
                    while (aliases.hasMoreElements()) {
                        String alias = (String) aliases.nextElement();
                        System.out.println(alias);
                        X509Certs[i] = (X509Certificate) keyStore.getCertificate(alias);
                        System.out.println(X509Certs[i]);
                        i++;
                    }
                }
            } catch (Exception e) {
                System.out.println("getAcceptedIssuers Exception: " + e.toString());
                X509Certs = null;
            }
            return X509Certs;
        }

        // isChainTrusted searches the keyStore for any certificate in the
        // certificate chain. Note that this only checks whether some certificate
        // of the chain is present in the keystore; it does not verify the
        // signatures, the validity dates or the host name.
        private boolean isChainTrusted(X509Certificate[] chain) {
            boolean trusted = false;
            try {
                // Start with the root and see if it is in the Keystore.
                // The root is at the end of the chain.
                for (int i = chain.length - 1; i >= 0; i--) {
                    if (keyStore.getCertificateAlias(chain[i]) != null) {
                        trusted = true;
                        break;
                    }
                }
            } catch (Exception e) {
                System.out.println("isChainTrusted Exception: " + e.toString());
                trusted = false;
            }
            return trusted;
        }

        /**
         * Reads the certificate(s) from a file and turns them into X509Certificate objects.
         */
        private X509Certificate[] getCertFromFile(String filename) {
            X509Certificate chain[] = null;
            FileInputStream fis = null;
            try {
                // The following example parses a PKCS#7-formatted certificate reply stored in a file and extracts all the certificates from it:
                Vector v = new Vector();
                fis = new FileInputStream(filename);
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                Collection c = cf.generateCertificates(fis);
                Iterator i = c.iterator();
                while (i.hasNext()) {
                    X509Certificate cert = (X509Certificate) i.next();
                    System.out.println(cert);
                    v.add(cert);
                }
                chain = new X509Certificate[v.size()];
                chain = (X509Certificate[]) v.toArray(chain);
            } catch (Exception ex) {
                ex.printStackTrace();
            } finally {
                try {
                    if (fis != null) {
                        fis.close();
                    }
                } catch (Exception ex) {
                    ex.printStackTrace();
                }
            }
            return chain;
        }
    }
    If you do finish your code I'd like you tell me something.
    Bye.
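    The checks both threads ask for, as an added example that is not code from either poster: trusting a self-signed server certificate exported from the server's keystore with keytool (the opening question), and validating a server's chain for currency, issuing authority and URL before an HTTPS POST (this thread). Unlike the posted isChainTrusted, which only looks a certificate up by alias, it hands the chain to the JDK's PKIX validator; the trust store path, file names, class name and URL are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example with hypothetical names. The trust store is assumed to have been
// built from the server's exported certificate, e.g. for the opening question:
//   keytool -export -keystore certs -alias jamie -file server.cer
//   keytool -import -keystore client-truststore.jks -alias jamie -file server.cer
public class ServerCertCheck {

    /** Load the client's trust store (JKS or PKCS12). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Read a PEM or DER file holding the server's chain, leaf certificate first. */
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Validate the chain as the JSSE trust manager does: every signature is verified,
     * every certificate must be within its validity period, and the chain must end at
     * a certificate from the trust store. Returns null when accepted, else the reason.
     */
    static String validateChain(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        if (chain.isEmpty()) {
            return "empty chain";
        }
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (trustStore.getCertificateAlias(last) != null) {
            if (path.size() == 1) {
                // Pinned self-signed server certificate: check dates and self-signature directly.
                try {
                    last.checkValidity();
                    last.verify(last.getPublicKey());
                    return null;
                } catch (Exception e) {
                    return "pinned certificate rejected: " + e.getMessage();
                }
            }
            path.remove(path.size() - 1); // the trust anchor is not part of the validated path
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // no CRL/OCSP lookups in this offline example
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getReason() + ": " + e.getMessage();
        }
    }

    /**
     * For the HTTPS POST itself: a context that trusts only this store. Chain, validity
     * and host name (default HostnameVerifier) are checked during the TLS handshake,
     * i.e. before any request body is sent.
     */
    static HttpsURLConnection openVerified(URL url, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = loadTrustStore("client-truststore.jks", "changeit".toCharArray());
        String problem = validateChain(readChain("server-chain.pem"), trust);
        System.out.println(problem == null ? "chain accepted" : "chain rejected: " + problem);
        HttpsURLConnection conn = openVerified(new URL("https://server.example/"), trust);
        System.out.println("status " + conn.getResponseCode()); // handshake and all checks run here
    }
}
```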

  • WRVS4400n, QuickVPN, Server's certificate doesn't exist on local computer

    Hi,
      I bought a new WRVS400n recently because it had Gigabit speed, wireless n and a built in VPN server.  The device works perfectly except for the QuickVPN client.  I'm a system engineer so I thought I could set it up quite easily just like any other device I configured in the past.  Painful, but it isn't like this.
      I set up the VPN on the WRVS4400n and generated a certificate.  I saved both the client and admin certificate to my pc, I gave them a name to easily make out the difference between both of them.  When placing the certificate in the installed QuickVPN folder, it doesn't seem to get recognised by the QuickVPN software.  When I try to connect, it says 'Server's certificate doesn't exist on your local computer'.  I guess the naming convention must meet some kind of format, is that correct?  If so, this should have been described in the documentation.
      Besides that I checked if the required ports used by the VPN server are open on the public port of the device, that is the case.  So it seems I'm quite close to getting it working.
      The version of QuickVPN I used is 1.4.2.1.  The WRVS4400n has the latest firmware loaded.
    Kind regards,
    Pieter.

    >I set up the VPN on the WRVS4400n and generated a certificate.  I saved both the client and admin certificate to my pc
    The "certificate for client" should be saved as a .pem file and copied into the install directory of QuickVPN client.
    The "certificate for admin" is used as a backup, which can be used to re-provision the router in case admin needs to reset the router to factory default for any reason. 

  • How can the client know if the SSL certificate specified in the service-config.xml file is invalid/u

    Hi,
    How can the client know if the SSL certificate specified in the service-config.xml file is invalid/untrusted/expired? For example using iOS client, the trusted certificate will not work and the client has no way to know that the certificate is untrusted. Can the lcds server return any specific exceptions for SSL errors?
    Thanks,
    Swathi.

    We use a standard Java keystore and certificate validation can be handled as per standard best practices. At present we do not provide a hook point to validate the server certificate. However, you can register a bootstrap service which validates the certificate on system startup: http://help.adobe.com/en_US/dataservicesjee/4.6/Developing/WSc3ff6d0ea77859461172e0811f00f6fe7f-7ffeUpdate.html This would require you to pass another copy of the keystore configuration to your Bootstrap service and then you can inspect the certificate in the keystore and validate it.

  • Can I trust an expired certificate?

    Hi,
    is there any setting that will let me trust an expired certificate? I'm communicating with a server that has an unsigned expired certificate. The funny thing is that this behavior seems to have changed on different jvm-versions, on one of my client-machines I'm running a jvm version 1.5.0_06-b05, which is accepting the expired certificate. On a different client I'm running jvm version 1.5.0_07-b03, and this version is NOT accepting the expired certificate, I'm using the exact same trust store file!?
    Of course the solution is to install a valid certificate on the server but that is out of my control...
    Regards
    Magnus

    >is there any setting that will let me trust an expired certificate?
    That's a contradiction in terms. The person who signed it, or self-signed it, gave it an expiry date beyond which you shouldn't trust it. So you shouldn't trust it.
    >Of course the solution is to install a valid certificate on the server but that is out of my control...
    It probably isn't out of your control at all. If it's a third party, complain to their customer service or IT department. If it's internal to your organization, ditto, and in both cases raise it as a major security risk for the project - get it elevated to project manager level or beyond. Be the squeaky wheel that gets the grease.
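    The two replies above both come down to the same check: open the keystore at startup, look at every certificate in it, and refuse to run if one is expired or does not chain to a trusted root (the bootstrap-service suggestion in the LCDS thread, and the "you shouldn't trust it" answer in this one). The program below is an added example, not code from either thread or from LCDS. It assumes the keystore path and store password are given on the command line, that the file is in the JVM's default keystore type, and that the JVM's own default trust store is the set of trust anchors; the class and method names are chosen here.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the forum threads). Assumes: keystore path and password on the
// command line; the JVM default trust store supplies the trust anchors.
public class KeystoreAudit {

    // The certificates the JVM's default X509TrustManager accepts as issuers.
    static Set<X509Certificate> defaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null keystore = JVM default trust store
        Set<X509Certificate> anchors = new HashSet<X509Certificate>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) anchors.add(c);
            }
        }
        return anchors;
    }

    // One line per problem found; an empty list means every entry passed.
    static List<String> audit(KeyStore ks, Set<X509Certificate> anchorCerts) throws Exception {
        List<String> findings = new ArrayList<String>();
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate c : anchorCerts) anchors.add(new TrustAnchor(c, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // offline check: no CRL/OCSP fetch
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);   // non-null only for key entries
            boolean keyEntry = chain != null;
            if (!keyEntry) {
                Certificate single = ks.getCertificate(alias);      // trusted-certificate entry
                if (single == null) continue;                       // secret-key entry: nothing to check
                chain = new Certificate[] { single };
            }
            List<X509Certificate> certs = new ArrayList<X509Certificate>();
            for (Certificate c : chain) certs.add((X509Certificate) c);

            // 1. Validity dates, checked explicitly for every certificate. PKIX path validation
            //    never checks the dates of a trust anchor, so an expired certificate that sits
            //    in the trust store as a trusted entry is only caught here.
            for (X509Certificate c : certs) {
                try {
                    c.checkValidity();
                } catch (CertificateExpiredException ex) {
                    findings.add(alias + ": expired " + c.getNotAfter() + " " + c.getSubjectX500Principal());
                } catch (CertificateNotYetValidException ex) {
                    findings.add(alias + ": not valid before " + c.getNotBefore() + " " + c.getSubjectX500Principal());
                }
            }

            // 2. For key entries, build a path from the leaf to a trust anchor. A self-signed
            //    keytool certificate fails here unless it was imported into the trust store,
            //    which is what the client's "issuer is untrusted or unknown" prompt reports.
            if (keyEntry) {
                while (certs.size() > 1 && anchorCerts.contains(certs.get(certs.size() - 1))) {
                    certs.remove(certs.size() - 1);   // a trailing anchor is not part of the path
                }
                try {
                    validator.validate(cf.generateCertPath(certs), params);
                } catch (CertPathValidatorException ex) {
                    findings.add(alias + ": no trusted path: " + ex.getMessage());
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreAudit <keystore> <storepass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        List<String> findings = audit(ks, defaultAnchors());
        for (String f : findings) System.out.println(f);
        System.exit(findings.isEmpty() ? 0 : 1);   // non-zero so a startup script can refuse to continue
    }
}
```

    Point it at the server's keystore to see whether the chain keytool stored actually reaches a root the client trusts, or at a client trust store to find entries that have expired. Revocation checking is switched off so the audit runs offline; turn it back on (or configure OCSP stapling) for the real handshake path.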

  • Async tcp client and server. How can I determine that the client or the server is no longer available?

    Hello. I would like to write async tcp client and server. I wrote this code but a have a problem, when I call the disconnect method on client or stop method on server. I can't identify that the client or the server is no longer connected.
    I thought I will get an exception if the client or the server is not available but this is not happening.
    private async void Process()
    {
        try
        {
            while (true)
            {
                var data = await this.Receive();
                this.NewMessage.SafeInvoke(Encoding.ASCII.GetString(data));
            }
        }
        catch (Exception exception) { }
    }
    How can I determine that the client or the server is no longer available?
    Server
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Net;
    using System.Net.Sockets;
    using System.Text;
    using System.Threading;
    using System.Threading.Tasks;

    public class Server
    {
        // Dictionary is not thread-safe; Process runs per client and mutates it concurrently
        private readonly Dictionary<IPEndPoint, TcpClient> clients = new Dictionary<IPEndPoint, TcpClient>();
        private readonly List<CancellationTokenSource> cancellationTokens = new List<CancellationTokenSource>();
        private const int MaxMessageBytes = 1 << 20;   // added cap: the length prefix comes from the peer
        private TcpListener tcpListener;
        private bool isStarted;
        public event Action<string> NewMessage;

        public async Task Start(int port)
        {
            this.tcpListener = TcpListener.Create(port);
            this.tcpListener.Start();
            this.isStarted = true;
            while (this.isStarted)
            {
                var tcpClient = await this.tcpListener.AcceptTcpClientAsync();
                var cts = new CancellationTokenSource();
                this.cancellationTokens.Add(cts);
                // StartNew with an async lambda returns Task<Task>; awaiting the outer task returns as soon as Process has started
                await Task.Factory.StartNew(() => this.Process(cts.Token, tcpClient), cts.Token, TaskCreationOptions.LongRunning, TaskScheduler.Default);
            }
        }

        public void Stop()
        {
            this.isStarted = false;
            this.tcpListener.Stop();   // otherwise the pending AcceptTcpClientAsync keeps Start() alive
            foreach (var cancellationTokenSource in this.cancellationTokens) { cancellationTokenSource.Cancel(); }
            foreach (var tcpClient in this.clients.Values)
            {
                tcpClient.GetStream().Close();
                tcpClient.Close();
            }
            this.clients.Clear();
        }

        public async Task SendMessage(string message, IPEndPoint endPoint)
        {
            try
            {
                var tcpClient = this.clients[endPoint];
                await this.Send(tcpClient.GetStream(), Encoding.ASCII.GetBytes(message));
            }
            catch (Exception exception) { }   // swallowed: the caller never learns the peer is gone
        }

        private async Task Process(CancellationToken cancellationToken, TcpClient tcpClient)
        {
            try
            {
                var stream = tcpClient.GetStream();
                this.clients.Add((IPEndPoint)tcpClient.Client.RemoteEndPoint, tcpClient);
                while (!cancellationToken.IsCancellationRequested)
                {
                    var data = await this.Receive(stream);
                    this.NewMessage.SafeInvoke(Encoding.ASCII.GetString(data));   // SafeInvoke: extension method not shown in the post
                }
            }
            catch (Exception exception) { }   // swallowed: a closed peer is never reported
        }

        private async Task Send(NetworkStream stream, byte[] buf)
        {
            await stream.WriteAsync(BitConverter.GetBytes(buf.Length), 0, 4);
            await stream.WriteAsync(buf, 0, buf.Length);
        }

        private async Task<byte[]> Receive(NetworkStream stream)
        {
            var lengthBytes = new byte[4];
            await ReadExactly(stream, lengthBytes);
            var length = BitConverter.ToInt32(lengthBytes, 0);
            if (length < 0 || length > MaxMessageBytes) throw new InvalidDataException("bad frame length " + length);
            var buf = new byte[length];
            await ReadExactly(stream, buf);
            return buf;
        }

        // ReadAsync can return fewer bytes than requested, and returns 0 once the remote side has closed
        // the connection; the original single ReadAsync treated both cases as a complete message.
        private static async Task ReadExactly(NetworkStream stream, byte[] buf)
        {
            for (var offset = 0; offset < buf.Length; )
            {
                var n = await stream.ReadAsync(buf, offset, buf.Length - offset);
                if (n == 0) throw new EndOfStreamException("remote side closed the connection");
                offset += n;
            }
        }
    }
    Client
    // same usings as the server
    public class Client
    {
        private const int MaxMessageBytes = 1 << 20;   // added cap, as in Server
        private TcpClient tcpClient;
        private NetworkStream stream;
        public event Action<string> NewMessage;

        public async void Connect(string host, int port)
        {
            try
            {
                this.tcpClient = new TcpClient();
                await this.tcpClient.ConnectAsync(host, port);
                this.stream = this.tcpClient.GetStream();
                this.Process();
            }
            catch (Exception exception) { }
        }

        public void Disconnect()
        {
            try
            {
                this.stream.Close();
                this.tcpClient.Close();
            }
            catch (Exception exception) { }
        }

        public async void SendMessage(string message)
        {
            try { await this.Send(Encoding.ASCII.GetBytes(message)); }
            catch (Exception exception) { }   // swallowed
        }

        private async void Process()
        {
            try
            {
                while (true)
                {
                    var data = await this.Receive();
                    this.NewMessage.SafeInvoke(Encoding.ASCII.GetString(data));
                }
            }
            catch (Exception exception) { }   // swallowed: a closed server is never reported
        }

        private async Task Send(byte[] buf)
        {
            await this.stream.WriteAsync(BitConverter.GetBytes(buf.Length), 0, 4);
            await this.stream.WriteAsync(buf, 0, buf.Length);
        }

        private async Task<byte[]> Receive()
        {
            var lengthBytes = new byte[4];
            await ReadExactly(this.stream, lengthBytes);
            var length = BitConverter.ToInt32(lengthBytes, 0);
            if (length < 0 || length > MaxMessageBytes) throw new InvalidDataException("bad frame length " + length);
            var buf = new byte[length];
            await ReadExactly(this.stream, buf);
            return buf;
        }

        // same helper as in Server: a 0-byte read means the peer closed the connection
        private static async Task ReadExactly(NetworkStream stream, byte[] buf)
        {
            for (var offset = 0; offset < buf.Length; )
            {
                var n = await stream.ReadAsync(buf, offset, buf.Length - offset);
                if (n == 0) throw new EndOfStreamException("remote side closed the connection");
                offset += n;
            }
        }
    }

    Hi,
    Have you debug these two applications? Does it go into the catch exception block when you close the client or the server?
    According to my test, it will throw an exception when the client or the server is closed, just log the exception message in the catch block and then you'll get it:
    private async void Process()
    {
        try
        {
            while (true)
            {
                var data = await this.Receive();
                this.NewMessage.Invoke(Encoding.ASCII.GetString(data));
            }
        }
        catch (Exception exception) { Console.WriteLine(exception.Message); }
    }
    Logged message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
    By the way, I don't know what the SafeInvoke method is, it may be an extension method, right? I used Invoke instead to test it.
