Messaging Server: Problem Adding SSL Certificate

We have a problem importing a CA certificate into Messaging Server 7 on Solaris 10 x86.

Platform
uname -a
SunOS mail1 5.10 Generic_138889-03 i86pc i386 i86pc

Messaging Server Version
imsimta version
Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec  9 2008)
libimta.so 7.0-3.01 64bit (built 09:24:13, Dec  9 2008)

We have created a certificate database and generated a certificate request, as follows:
msgcert generate-certDB
msgcert request-cert --name mail.domain.xxx  --org "University of XXX" --org-unit ITS --city XXX  --state "XXX" --country GB -F ascii -o /tmp/ssl.csr

However, when we come to import the CA-supplied certificate we get the following error.
msgcert add-cert Server-Cert /tmp/mail1.crt
Enter the certificate database password:
Unable to find private key for this certificate.
Failed to add the certificate.

I'm confused. What does the msgcert request-cert command use as a private key when generating the certificate request? Should I have used openssl to generate the certificate request with a known private key?
Thanks
Alan

I solved the problem by converting certificate to pkcs#12 format and importing it.
openssl pkcs12 -export -in cert.pem -inkey private.key -out cert.pkcs12 -name Server-Cert
/opt/sun/comms/messaging64/bin/msgcert add-cert Server-Cert cert.pkcs12
Alan
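
The PKCS#12 route in the reply only helps when cert.pem and private.key really belong together, which is the condition the "Unable to find private key for this certificate" error is about. The script below is an added example, not part of the original posts: it compares public-key digests of the certificate (or CSR) and the key, and only then runs the same openssl pkcs12 -export command. The file names, the mail.example.test subject and the P12_PASS variable are assumptions, and the keys and certificate are constructed test material.

```shell
#!/bin/sh
# Added example: confirm a certificate (or CSR) and a private key share the
# same public key before bundling them into PKCS#12 for import.
umask 077   # key material created below must not be readable by other users

# spki_digest KIND FILE -> SHA-256 (hex) of the public key found in FILE.
# KIND is cert, csr or key. Assumes PEM input and an unencrypted key file
# (-passin pass: makes an encrypted key fail instead of prompting).
spki_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches KIND FILE KEYFILE -> 0 if FILE carries KEYFILE's public key,
# 1 if it does not, 2 if either file could not be parsed.
key_matches() {
    a=$(spki_digest "$1" "$2") || return 2
    b=$(spki_digest key "$3") || return 2
    [ "$a" = "$b" ]
}

# make_pkcs12 CERT KEY OUT -> writes OUT only when CERT and KEY match.
# The export password is read from the environment variable P12_PASS
# (an assumption of this example) so it never appears in the process list.
make_pkcs12() {
    key_matches cert "$1" "$2" || {
        echo "refusing: $2 is not the private key for $1" >&2
        return 1
    }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name Server-Cert -passout env:P12_PASS
}

# Constructed test material: key A with a self-signed cert and a CSR,
# plus an unrelated key B standing in for "the wrong private.key".
make_constructed_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl req -new -key "$1/a.key" -subj "/CN=mail.example.test" \
        -out "$1/a.csr" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" 2>/dev/null
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
make_constructed_material "$WORK"
P12_PASS=constructed-only; export P12_PASS

# Matching pair: the bundle is written.
make_pkcs12 "$WORK/a.crt" "$WORK/a.key" "$WORK/cert.pkcs12" &&
    echo "matching pair: bundle written"

# Wrong key: refused before any PKCS#12 file is produced.
make_pkcs12 "$WORK/a.crt" "$WORK/b.key" "$WORK/bad.pkcs12" ||
    echo "mismatched pair: refused"
```

Running `key_matches csr` against the original request and the key file shows in the same way whether a CA-issued certificate can be paired with a key held outside the certificate database.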

Similar Messages

  • Getting error "Problem with SSL Certificate" but I'm connecting to my private server without SSL

    I wanted to create a PDF from a subtree at a website. The first problem was that Acrobat Pro (11.0.7) wouldn't spider it (probably because there was a robot.txt file there) so I had to use SiteSucker to pull the pages down to my Mac.
    Then I discovered that Acrobat Pro can't handle file:/// URLs so that was no good either
    So then I copied all the pages to a folder on my Linux server where I use a non-standard port (86) for http connection as a minor security precaution.
    When I tried to access that from Acrobat Pro, it bitched about a problem with SSL Certificate but gave me no option to do anything about it. More relevantly, all the files were accessible using http protocol, not https so there shouldn't have been any need to deal with SSL certificates at all
    I had to temporarily enable port 80 on my apache server at which point it's now pulling all the files in and hopefully converting them.
    A) We're at version 11 ---- these kinds of issues should have been fixed years ago
    B) While you're at it, fix the stupid UI issue where the download dialog disappears completely if Acrobat Pro doesn't have the focus. On a long download, I'd like to be able to see progress while working on other stuff. Acrobat Pro is not the center of the universe!

    Interesting point 2, I am working on a Mac plugin at the moment. It does not hide its dialogs when switching to a different app. I consider this a bug and will fix it so the dialog disappears. I hadn't considered the question of progress but there is a very strong reason to do this on the Mac.
    My tests seem to show that
    (a) to get a dialog to sit above PDF documents all the time, it must be on a higher "level".
    (b) if a dialog is at a higher level, this is a global setting.
    So, if the dialog is not hidden when switching all, it will typically sit on top of the other app's document windows. This would not be popular, as the end user, unless they have mountains of screen space and choose to use it that way, must either close or move the dialog when switching app, then bring the dialog back.  So, because Acrobat Pro is not the centre of the universe, it will hide dialogs (or rather, the Mac will, as it's a standard option when creating a window).

  • 31.3.0 hangs when connecting to my IMAPS server (problem with intermediate certificates or SSL in general?).

    After update to 31.3.0 Thunderbird hangs when connecting to IMAPS server aie.de (intermediate certificates in chain). No error message is given, Thunderbird just hangs without updating the subject lines of the inbox.

    It is a configuration problem of the courier imap ssl daemon, resolution is shown here: http://xf.wiki.mithi.com/index.php/Error_observed_in_/var/log/messages_log,_imapd:_couriertls:_accept:_error:1408F10B:SSL_routines:SSL3_GET_RECORD:wrong_version_number#Resolution

  • Problem with ssl certificate

    Hello everyone!
    I have a scenario wherein I am trying to connect SRM to a marketsite through XI.
    SRM (Purchase Order) --->  XI (marketplace adapter) ---> Marketsite
    The URL of the marketsite is of the type HTTPS so I am using certificate logon as the method for authentication.
    Please tell me whether this is the right thing to do:
    1. Create a self-signed certificate in the "Key Storage" of the visual administrator.
    2. Export the certificate and have it installed in the marketsite.
    3. Configure the marketplace com. channel in the integration directory to use the private key I used to generate the certificate I sent to the marketsite.
    Having done that, I get a "server rejected by chain verifier" error in the message monitoring tool.
    Here are some other questions:
    1. Should I create a new View for the certificate and private key, or should I create the certificate in the existing "service_ssl" and rename the new certificate "ssl-credentials-cert" and the private key "ssl_credentials"
    2. Will a self-signed certificate work or do I need to get it signed by a CA before importing the response.
    3. If a self-signed certificate will work, do I need to add another certificate in the "TrustedCAs" view?
    4. If I should import a certificate response from a CA, where can I get the certificate of the CA?
    I know these are a lot of questions, but I'd really appreciate all the help I can get from you guys. Please avoid posting links to other threads as I have pretty much read all of them..
    Warm regards,
    Glenn

    Hi Glenn,
    Let me explain the scenario without client certificate Logon (User and password) first .
    When you want to communicate with marketsite in secure manner, get the certificate of the CA (Certifying Authority) who has signed market site Cert. and add it to Trusted CAs view in Visual Admin of XI. Sometimes it may be a CA certificate chain.
    If that certificate is self-signed, add the market site certificate itself in to Trusted CAS of Vis.Admin of XI.
    Certificate Logon:
    This is for your (XI server's) Identity to Marketsite.
    In Visual Admin KeyStorage create a view or in any of existing views create a Private Key and Public key (Certificate) pair representing XI Server (CN should be hostname of XI server). Get the public Key signed by CA and import the Certificate in Visual Admin.
    Now in Configuration select view and the Private Key just created for XI's Identity.
    PS: There may be some steps in Marketsite too in case of Certificate logon like Adding XI certificate to something like Trusted CAS of Marketsite. You can get better picture from guys administrating the Marketsite.
    Try these options and post the results in forum.
    Good Luck.
    Regards,
    Sudharshan N A

  • Problems installing SSL certificates for more than one alias on iMS 5.2

    I have a problem getting encryption on IMAP/HTTP/SMTP when they are on the same server. I am only getting one SSL certificate installed by the Netscape console wizard, and therefore only one alias.
    Let's say I have 3 aliases to the same server just for the scalability, imap.vxu.se, smtp.vxu.se and mail.vxu.se for http (https). Then I can only have one certificate installed at the same time, for example https://mail.vxu.se. And for the others, like (S)IMAP, I am getting a dialogue that says the hostname isn't the same as the one registered in the certificate. How do I solve this? Is there some possibility to install more than ONE certificate, so I can have one certificate for each alias?
    Environment: Full 420R, Solaris 8, iMS5.2
    Thanks in advance

    Although I completely agree with the comments that suggest this is not a great configuration idea, the error you are seeing ("...bean not found...") likely has nothing to do with the configuration - at least not as mentioned. My first guess is that if you are running the same exact form (FMX) as you ran for your first test then there should be no error. The only way such an error would appear is if the proper jar files are not being pulled to the client JRE or if the fmx was not properly generated. Be sure you are including config=webutil in the URL or that you have added the Webutil configuration info to your own named configuration section of formsweb.cfg
    Regardless, if this is a Windows machine, the probability of having problems with multiple installations of the same version is high. Consider that the system PATH, CLASSPATH, ORACLE_HOME and various other system variables needed by the server side of the installation will overlap for each installation. This will cause problems. On the client side, attempting to download jars of the same name from the same server, but which are not actually the same files will confuse the JRE. If the JRE detects that a file which it has already cached is coming from the same server (host) then it will not attempt to pull it again. This will be a problem if the jars are not exactly the same in both installation. Making the problem worse is that you may not be able to easily determine from which installation the jars (or any files) were obtained.
    So, as a general rule, regardless of whether multiple installations can co-exist, I would not recommend it. This is especially true on a Windows platform.

  • Exchange Server Affected by SSL Certificate Organization Name Change

    We recently underwent a name change of our company. We added a few new domain names for the new company to our Exchange Server 2007 and updated our address policy to include them and everything seemed to work okay for a while. We subsequently reissued the SSL Certificate for our Exchange Server under the new organization name (per the CA's recommendation). Shortly thereafter we experienced all sorts of issues necessitating a rebuild of our Exchange Server. Is there any dependency between the organization name in an SSL certificate and the organization name that Exchange Server stores its info under in Active Directory (which still had the old name) that would cause Exchange to go haywire?

    Hi,
    Please confirm you were creating a new domain in your AD or creating an accepted domain in Exchange server.
    If you directly create an accepted domain in Exchange, the new domain would be considered authoritative when the Exchange organization hosts mailboxes for recipients in this SMTP domain. We don’t need to create a new Exchange certificate for this new accepted domain because the SRV records can be used to connect to Autodiscover service. And the Exchange services URLs are not changed and they can still be authenticated by the original certificate (mail.domain.com, autodiscover.domain.com).
    Certainly, we can reissue a new Exchange certificate, please make sure the new Exchange certificate has included all needed namespaces for your Exchange server such as:
    Mail.domain.com, autodiscover.domain.com, autodiscover.newdomain.com
    We can also run Get-ExchangeCertificate | fl to check it.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Problem uploading SSL certificat on a WLC 5508

    Hello,
    I'm trying to upload a SSL-certificate (RSA:2048) on a WLC 5508 via the "Management->HTTP-HTTPS" - Tab and get the following problem :
    *TransferTask: Jul 18 16:36:14.487: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1
    *TransferTask: Jul 18 16:36:14.487: %SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4028 Cannot PEM decode private key
    I've generated it using the following commands:
    # openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.ca-bundle -out CA.pfx
    # openssl pkcs12 -in CA.pfx -nodes -out CA.pem
    But it doesn't work...
    Does anyone have an idea?
    Best regards,
    Eric

    Hello Eric,
    I'm facing the same problem, when trying to upload a chained SSL certificate (2048bits) to the wlc version 7.0.116.0
    Did you use an unchained certificate and what size is your cert?
    According to a Cisco document, for controllers version 5.1.151.0 and later, only unchained certificates are supported for the management certificate.
    I'm just wondering, if this limitation still applies to the newer versions.
    Regards,
    Oliver

  • SQL Server cannot Find SSL Certificate

    We need help solving an issue we are having with SQL Server 2008 recognizing certificates (for supporting SSL communications) we generate through the MakeCert.exe utility. We have followed all instructions available in the MSDN SQL Server 2008 online books, including using the mmc console utility to verify that the certificates are valid, but the certificates we make fail to be seen by the SQL Server 2008 Configuration Management application.

    Hi,
    I’m not sure what instructions you read from MSDN. Do you follow the steps described in http://msdn.microsoft.com/en-us/library/ms191192.aspx?  If not, please try it. Additionally, I suggest you refer to the following content from MSDN:
    For SQL Server to load a SSL certificate, the certificate must meet the following conditions:
    1. The certificate must be in either the local computer certificate store or the current user certificate store.
    2. The current system time must be after the Valid from property of the certificate and before the Valid to property of the certificate.
    3. The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1).
    4. The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
    5. The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer. If SQL Server is running on a failover cluster, the common name must match the host name or FQDN of the virtual server and the certificates must be provisioned on all nodes in the failover cluster.
    If there are any more questions, please let me know.
    Thanks.
    ***Xiao Min Tan***Microsoft Online Community***

  • Problem installing SSL certificate for CPS

    I work at a medium-sized University, and we have used
    Contribute 3 with CPS1.11 for well over a year. Recently, however,
    the Contribute clients began having difficulty logging in to CPS.
    At first this was intermittent, but is now constant. Adobe support
    suggested replacing the CPS self-signed SSL certificate with a
    genuine one, because apparently the self-signed certificate is
    causing communication delays and timeouts.
    I have the certificate, and am trying to use keytool (see
    http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html)
    to install it, but it is asking me for a keystore password, which I
    don't know. Apparently the standard defaults are "changeit" or
    "passphrase", but neither of these work.
    As a test, I created a fresh install of CPS and attempted to
    list the keys in the keystore, but again was asked for a keystore
    password and the defaults did not work. Adobe support suggested I
    ask here. Anybody have any experience installing a certificate for
    CPS?

    Are you sure that the certificate needs to be installed to all users? Can you provide more details about the certificate and its purposes?
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new:
    SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • Adding SSL-Certificate Exception in Firefox 4

    I recently installed Firefox 4 beta 11 and now cannot access certain webpages provided by my university which are using an SSL-encryption.
    The error message I receive (in a popup box) is:
    '''evasys.urz.uni-halle.de uses an invalid security certificate.
    The certificate is not trusted because no issuer chain was provided.
    (Error code: sec_error_unknown_issuer)'''
    It has been a known problem that somehow Firefox does not handle the issuer chain of the certificate correctly (that's what the IT department says) and the solution up to now was to add an exception for this website in Firefox 3.x.x
    This would be fine by me for Firefox 4, too, but I cannot find a way to add this exception. As soon as I dismiss the error message box by clicking "OK" nothing happens, no "This connection is untrusted"-page (http://support.mozilla.com/en-US/kb/This%20connection%20is%20untrusted#w_certificates-and-identification) is opened or anything equivalent.
    Thank you in advance for any help.

    Hello.
    Yes, there is a problem with adding an exception button, but I found a temporary solution until Mozilla solves the problem.
    First, copy a link from website you want to enter.
    Then, go to: Options > Advanced > Encryption tab > View Certificates > Servers tab > Add Exception..
    Now paste the link at "Location:" then click "Get Certificate" and Confirm Security Exception.
    That's all.

  • Lion Server Problems Enrolling iPads - Certificate Error

    I'm trying to set up a very basic internally managed iPad trolley, we have 16 iPads and a Lion Mac Mini Server.
    Today was our first install day and I'm stuck with a couple of errors that I get on the iPads when I try to enroll them.
    I've already gone through various threads and followed a few peoples advice on re-creating Open Directory + certs to no avail.
    At the moment there are 2 certs that I can use - The first being the one that Profile Manager made when creating Open Directory and the second being a self signed cert that I created manually afterward. I get a different error depending on which cert I use.
    The auto created OD one comes back with "Invalid Profile"
    The self signed cert comes back with "The server certificate for "https://nhmacserver01.domainname.co.uk/devicemanagement/api/device/ota_service" is invalid.
    As I don't have my SSL cert signed by 3rd party I have been installing the "Trust Profile" before Enrolling.
    I have thoroughly checked DNS and all is okay on that front, is there anything else I could have overlooked here?
    On the server the auto created OD cert comes up as trusted whereas the self signed one does not so I suspect that the auto created one is the way forward.
    I am back on site again tomorrow so can post up any additional details that might give you guys a better idea of where I've got to.
    Thanks a lot in advance,
    Martin

    Tried with a different CA certificate, and this solved the problem. It seems like the original CA certificate was the wrong one, and there was only one, expired client certificate which was attached to the CA. Since IE doesn't show you the selection box when there is only one certificate, I didn't see which client certificate was being used.
    So in summary - problem solved...
    Michael

  • Problem generating SSL certificate

    I'm trying to generate a CSR from oracle wallet 10g R2 for a wildcard SSL account with network solutions. Wallet gives an error when I use *.mydomain.com for the common name, yet netsol requires this format to register the certificate. Any ideas on how to workaround this issue.

    Hi,
    I'm having the same problem... Did you have any luck solving this issue?
    Derek

  • Configuring SSL certificates on ALBPM Studio

    Hi,
    I am invoking a web service which is deployed on a web logic server which is a secure server and needs SSL certificates to communicate. I have the certificates but don’t know how to configure it to my ALBPM Studio.
    Can I configure those to studio or do I need to deploy my code on the Enterprise edition installed on application server having these SSL certificates? But in that case I would land up investing so much time in deploying the code on server after even a small change. Since I don’t have those certificates configured to my studio it is not allowing me to catalog the service in my project and throwing Introspection error. The details of the error are mentioned below:
    +[Error] Web Service WSDL parse exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target..+
    +[Error] Instrospection exception: Web Service WSDL parse exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target...+
    Can anyone throw any pointers on this type of error
    Thanks,
    Akshay

    In order to communicate with SSL secured webservices (those with WSDL end point starting as https://) you need to have certificates from these servers.
    For BPM Standalone these are the steps
    1. Download the .cer file from server. (One way is you can use IE browser to get that file and export it from browser to a local directory)
    2. Put this file in %JAVA_HOME%\jre\lib\security. You can put it anywhere you want.
    3. Run the following command at a command prompt:
    C:\Program Files\Java\jre1.6.0_02\bin>keytool -import -trustcacerts -alias <CERT ALIAS NAME> -keystore ..\lib\security\cacerts -file ..\lib\security\gd_<cert file name>.cer
    4. You will be prompted for a password. If you have not changed the password, it will be "changeit".
    5. You will then get the following message if all is successful - "Certificate was added to keystore".
    6. Restart Tomcat (inbuilt server in BPM Studio).
    This should solve your problem.
    Please note that if you have not configured your keyStore then first do so. You will find this document handy to do so.
    http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
    Arvind
    Visit my blog at http://soa-bam-bi.blogspot.com/ for more tips on BPM & SOA

  • BingMaps not showing with SSL certificate

    I have recently added SSL certificate to the server for the website I am developing.
    I changed my applications to use  https from http.
    <script type="text/javascript" src="https://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=7.0">
    After changing it from http to https, it is showing a blank page in place of map. The error it says is 
    This page is trying to load scripts from unauthenticated sources
    I had to click on the right top corner shield and allow the browser to run unsafe scripts to get the bingmaps to show up.
    Any ideas on how I can resolve it? I am using ASP.NET, C#, Javascript and jQuery.
    Thanks in advance.
    Nate

    I had to add &s=1 to run the BingMaps in secure mode
    so, we should use following link to run the bing maps with SSL.
    https://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=7.0&s=1
    Thanks
    Nate

  • Flash Media Encoder - server problem

    Hi guys,
    I tried to use FMS and FME to broadcast my webcam video, but
    I got the error message:
    Server Problem
    Failure to connect to primary server. Please verify that your
    Server URL is vaild and your internet connection is working and
    retry.
    I have already done these steps:
    1. install FMS and change the path to
    <AppDir>C:\apps</AppDir>
    2. install FME and set the FMS URL to rtmp://localhost/apps,
    Stream: stream
    But while I click Connect button, it took almost 5 mins and
    then showed up the message above.
    Did I miss something?
    Could anyone help me out? thanks!!!!
    wii

    You got your FMS application folders mixed up. You haven't
    created a FMS "application", you've only told FMS to look in
    C:\apps for a folder called apps.
    Try to create a subfolder under C:\apps called "apps". I.e.,
    create this: c:\apps\apps and then your rtmp string should
    work.
