N95 gives message non-trusted on signed certificat...

Similar Messages

• How to Install a trusted self signed certificate in iPhone?

  Hi,
  I'm trying to install a self signed CA certificate in an iPhone 4S (IOS 5.1) but always the certificate is showed as "Not Trusted".
  I have an iPhone 4 (same IOS 5.1) and when I install the same certificate it appear as Trusted. I have the same behavior in some iPads.
  I think this is the reason because my VPN is not working. When a try to use a Cisco VPN with certificate always receive the "Could not validate the server certificate." error in the devices how can't trust in my CA.
  Anyone have a clue about how to resolve this?

  You need to use a profile updater like iPhone configuration utility.
  1. Create a configuration profilecredential.
  2. In the profile go in credential and add/import the root certificate from the authority you want to have.
  3. Install the profile on the device.
  I should work.
  HTH,
  ../Bruno

• Unable to sign in to Adobe CC desktop app.  Gives message"You've been signed out"  please sign in t

  Already reset password and even uninstalled and re-installed the app.  No change.  Just stuck in this loop.

  Hi RobCo,
  Please follow the step.
  Close the Creative Cloud application.
  Navigate to the OOBE folder.
  Windows: [System drive]:\Users\[user name]\AppData\Local\Adobe\OOBE
  Mac OS: /Users/[user name]/Library/Application Support/Adobe/OOBE folder
  Delete the opm.db file.
  Launch Creative Cloud.
  Please let us know if this was helpful.
  Regards

• Invalid Certificate Microsoft Outlook cannot sign or encrypt this message because you have no certificates which can be used to send from your e-mail address.

  Hi,
  I have a problem when trying to sign emails with an X.509 certificate in Outlook 2010. I constantly get the error message. The certificate is Verified for the email address I'm sending from.
  "Invalid Certificate
  Microsoft Outlook cannot sign or encrypt this message because you have no certificates which can be
  used to send from your e-mail address."I have no problem with signing documents in Word 2010 with the same certificate, only when trying to send email.Every check I can perform confirms that there's nothing wrong with the certificate. Yet, Outlook still says it is invalid.I have even tried installing a second X.509 for the same email address just to check. Outlook doesn't seem to like either certificate.I know this has been posted before, but I'm completely stuck here.Thanks,~Dan

  Hi,
  You may have checked the option "Encrypt contents and attachments for outgoing messages" in Outlook, please uncheck this to test if the problem persists.
  File -> Options -> Trust Center -> Trust Center Settings -> E-mail Security -> Clear the checkbox "Encrypt contents and attachments for outgoing messages" -> OK.
  Regards,
  Melon Chen
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs. Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Signer Certificate is Different in the message

  Hi All,
  I am getting the following exception when i receive documents from my TP. I verified that i have the user and trusted certificate in the wallet and that the wallet location is configured in the tip.props. I also could see in the logs that the certificate are being read by B2B. I used these same certificates in the B2B config and verified the serial numbers of the certificates uploaded in b2b and the wallet.
  Has anyone else come across the same problem?
  0.10 at 10:33:44:723: RMI TCP Connection(3)-192.168.1.54: B2B - (DEBUG) adding BEGIN/END CERTIFICATE comment
  2008.10.10 at 10:33:44:723: RMI TCP Connection(3)-192.168.1.54: B2B - (DEBUG) adding BEGIN/END CERTIFICATE comment
  2008.10.10 at 10:33:44:766: RMI TCP Connection(3)-192.168.1.54: B2B - (WARNING) java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
       at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:176)
       at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:101)
       at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
       at oracle.tip.adapter.b2b.tpa.MessageValidator.compareX509Cert(MessageValidator.java:519)
       at oracle.tip.adapter.b2b.tpa.MessageValidator.validateSignatureInfo(MessageValidator.java:478)
       at oracle.tip.adapter.b2b.tpa.MessageValidator.validateMessage(MessageValidator.java:147)
       at oracle.tip.adapter.b2b.tpa.TPAProcessor.processTPA(TPAProcessor.java:635)
       at oracle.tip.adapter.b2b.tpa.TPAProcessor.processIncomingTPA(TPAProcessor.java:229)
       at oracle.tip.adapter.b2b.engine.Engine.processIncomingMessage(Engine.java:1715)
       at oracle.tip.adapter.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:191)
       at oracle.tip.transport.basic.HTTPReceiver.sendRequest(HTTPReceiver.java:431)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
       at sun.rmi.transport.Transport$1.run(Transport.java:148)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
       at java.lang.Thread.run(Thread.java:534)
  Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
       at sun.security.util.DerInputStream.getLength(DerInputStream.java:530)
       at sun.security.util.DerValue.init(DerValue.java:346)
       at sun.security.util.DerValue.<init>(DerValue.java:276)
       at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:173)
       ... 21 more
  2008.10.10 at 10:33:44:766: RMI TCP Connection(3)-192.168.1.54: B2B - (WARNING) Not validating the certificate! Please make sure to validate the certificate manually
  2008.10.10 at 10:33:44:767: RMI TCP Connection(3)-192.168.1.54: B2B - (ERROR) Error -: AIP-50530: Signer certificate in the message is different from certificate in agreement
       at oracle.tip.adapter.b2b.tpa.MessageValidator.validateSignatureInfo(MessageValidator.java:483)
       at oracle.tip.adapter.b2b.tpa.MessageValidator.validateMessage(MessageValidator.java:147)
       at oracle.tip.adapter.b2b.tpa.TPAProcessor.processTPA(TPAProcessor.java:635)
       at oracle.tip.adapter.b2b.tpa.TPAProcessor.processIncomingTPA(TPAProcessor.java:229)
       at oracle.tip.adapter.b2b.engine.Engine.processIncomingMessage(Engine.java:1715)
       at oracle.tip.adapter.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:191)
       at oracle.tip.transport.basic.HTTPReceiver.sendRequest(HTTPReceiver.java:431)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
       at sun.rmi.transport.Transport$1.run(Transport.java:148)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
       at java.lang.Thread.run(Thread.java:534)
  2008.10.10 at 10:33:44:767: RMI TCP Connection(3)-192.168.1.54: B2B - (ERROR) Error -: AIP-50530: Signer certificate in the message is different from certificate in agreement
       at oracle.tip.adapter.b2b.tpa.MessageValidator.validateSignatureInfo(MessageValidator.java:483)
       at oracle.tip.adapter.b2b.tpa.MessageValidator.validateMessage(MessageValidator.java:147)
       at oracle.tip.adapter.b2b.tpa.TPAProcessor.processTPA(TPAProcessor.java:635)
       at oracle.tip.adapter.b2b.tpa.TPAProcessor.processIncomingTPA(TPAProcessor.java:229)
       at oracle.tip.adapter.b2b.engine.Engine.processIncomingMessage(Engine.java:1715)
       at oracle.tip.adapter.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:191)
       at oracle.tip.transport.basic.HTTPReceiver.sendRequest(HTTPReceiver.java:431)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
       at sun.rmi.transport.Transport$1.run(Transport.java:148)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
       at java.lang.Thread.run(Thread.java:534)

  Thanks Ramesh,
  I replicated the entire setup in Dev Box and took a risk. Asked the TP to send Prod data to Dev and it worked. It looks like something to do with the setup in production which is faulty.
  Right now i am able to get all the documents from the TP into Dev box.
  Thanks a lot for all your help!!

• Problem with placing self-signed certificate in trust store on WLS 10.3

  I have had some problems setting up two-way SSL on WLS 10.3.2.
  1. I have not been able to use the java properties listed on
  http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
  to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
  -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
  -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
  -DUseSunHttpHandler=true
  -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
  2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
  CA cert not marked with critical BasicConstraint indicating it is a CA
  Certificate chain is invalid
  which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
  by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
  Has anyone else noticed this?
  3. The error I get is
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server
  <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during hands
  hake, stack trace follows
  java.lang.NullPointerException
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tunin
  g)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  java.lang.Exception: New alert stack
  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
  alert with type 40?
  4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
  ** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
  -dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
  -storepass mypass -keypass mypass
  ** exported a DER format head certificate of mykey into mykey.cer.der
  ** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
  Any comments appreciated and thanks for this forum.

  Faisal,
  Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive.The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is
  quite impressive, thank you so much for this!

• New self signed certificate, how to mark as trusted for all users on clients

  We have a new 10.8 server that we are currently using for iChat/Messages service.  We have created a self signed certificate to encrypt the traffic to the Messages service since we have the service accessible for internet and phone users.  We use network accounts and users need to log in on several different machines when in the office.
  Can anyone suggest how to tell a client machine to trust the certificate for all users?
  Currently, each user is asked to trust the certificate on each client they log into.
  I have imported the server certificate into the client's system keychain in Kechain Access and asked it to trust the certificate for all items manually.  This does not appear to allow all users to trust the certificate since subsequent users who have not yet trusted the certificate on the test client are still asked to confirm trust.  When opening the iChat.app the users are still propmpted to verify the certificate which now indicates that it is trusted for all users.

  Resolved.
  - Drag certificate from verification dialog.
  - Import into System Keychain
  - Select certificate in System Keychain and select "i" button at bottom of window.
  - Set all items to always trust.

• Self Signed Certificates vs. GnuPG key and Web of Trust

  I'm not totally sure where to ask this question, though this is the best place I can think of.
  Wanting to be able to digitally sign my emails, and I can use a self signed certificate, or get one from CAcert.org (which, as far as I can tell, is also a self signature)...
  Whereas with GnuPG, the keys are certified based on the web of trust.
  Is there any kind of web of trust for the certificates?
  Russell

  Your private key is stored in the keystore (.pfx or .p12)
  file that adt created for you when you created your self-sign
  certificate. The file itself is protected by the password you
  entered. Don't ever give this file to anyone, and under no
  circumstances should you give the password to anyone.
  The public key is also stored in the same file. You can
  export the public key, embedded in a certificate, from the keystore
  file, although you likely won't have any need to do that.
  If the resulting .air file is ever modified then the
  application won't install. There's no need for users to check the
  hash or anything like that to validate the file; it's all done
  automatically as part of the installation process.
  Hope that helps,
  Oliver Goldman | Adobe AIR Engineering

• SCCM 2007 - task sequence - prestaged media - self-signed certificates - error message 'Certificate has expired for this media'

  Hi there
  Quick scenario.
  We have created a task sequence prestaged media .wim file (SCCM 2007, client OS is Windows XP).
  Recently some of these swap-out machinses, on delivery and start up, have started showing this message:
  'Certificate has expired for this media'.
  This is because the self-signed certificate created during the prestaged media creation process has expired.
  My question is: is it possible to mount the image using dism or imagex and then inject an updated sertificate?
  Best regards
  John

  the disk that has the prestaged media applied must be the boot partition.
  create a task sequence to stage the prestaged media. In this task run a format and partition step which configures both the system disk and the os disk, though make the os disk the active boot partition. Then apply the prestage wim.
  On your deploy task, somewhere after the OS has applied create a group that runs only if the media is OEM (from memory  _SMSTSMedia =
  OEMMedia)
  in this group run the command bcdboot C:\Windows /s F: /f ALL where f: is the drive letter assigned to the system disk, then run another step that removes the drive letter and reboots. The deploy task will now continue and you will be booting to the system
  partition.
  So I wanted to get back to working on this issue.  I noticed that when I said it Worked that it was actually still booting from C drive instead of the reserved partition.  For the past few days I have been trying to get the prestaged to work like
  a network deploy but fail every time.  I cannot get the prestaged to boot from any other partition other then the partition where windows was imaged too.
  So where I am at today.  When I do as suggest above the D drive (The reserved Boot volume) return on reboot. it will not stay hidden.  also the OS is till booting from C and does not change to the D drive or no drive letter drive with the above
  commands.  I think there is some other command missing that tells it to boot from a new location that is not bcdboot.
  Has anyone seen any guides for how to use prestaged and bitlocker enabled task sequence?  I think that would help me figure out my current issues as with bitlocker you must have this other partition.

• I frequently get the messages "windows couldn't sign you out" (I am signed out) ,"not connected to in the internet" with prompts to sign in again (I don't) and "you're currently working offline", with a prompt to connect to my own locked wireless. None of

  I frequently get the messages "windows couldn't sign you out" (I am signed out) ,"not connected to in the internet" with prompts to sign in again (I don't) and "you're currently working offline", with a prompt to connect to my own locked wireless. None of these statements are true and I ignore the prompts (although my husband did re-sign on to our router once). I find that if I unplug the phone line and then plug it in again, it works. Strange. Is someone trying to get my password?
  == This happened ==
  A few times a week
  == when we had internet installed by comcast

  Try Settings > General > Reset > Reset Network Settings.
  Read this:
  http://support.apple.com/kb/TS4008

• ASA self-signed certificate for Anyconnect 3.1, which attributes?

  Hi everybody,
  I can't find the detailed information which attributes are exactly needed for the Anyconnect 3.1 client to correctly identify the VPN server -ASA 8.4(4)1
  I have added two servers in the client connection profile:
  IP address, primary protocol IPsec
  IP address/non-default port number, primary protocol SSL
  Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
  Connecting via SSL issues an additional warning "Certificate does not match the server name".
  The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
  I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by the Anconnect 3.1, where can I find a detailed description, which attributes are required for Anyconnect SSL sessions? I'm convinced the identity (DN cn) is OK.

  Shamelessly bumping this question,
  Anyone out there (maybe from Cisco) who can tell us, which atttributes are required on a self signed certificate?
  I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server.

• Java security error after 8u31 (Timestamped Jarsigned Applet within valid period of Code Signing certificate)

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

• SendSynchronousRequest with self signed certificate

  Hi
  Due to the application design I cannot use the – initWithRequest:delegate: method of NSURLConnection class for my https requests to a server. Hence I have to make synchronous calls using sendSynchronousRequest:returningResponse:error.
  When I was using initWithRequest , it was taking a class delegate of NSURLConnectionDelegate class hence I handled the self signed certificate problem by the following code:-
  - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
      return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
  - (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
      [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
      [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
  Now the problem is that sendSynchronousRequest does not take any delegates to be called on. So now how do I handle non trusted certificate problem using synchronous request.
  I searched but so far can't find any solution.

  Hi 2UCowpoke,
  According to your description and the error messages ,it seems that the self-signed certificate is not trusted or supported by Windows 7 machine .
  How did you get the certificate ?
  It is recommended to ask for help from the certificate issuer support .
  Here is a link for reference :
  Windows does not have enough information to verify this certificate.
  http://www.kozeniauskas.com/itblog/2011/06/27/windows-does-not-have-enough-information-to-verify-this-certificate/
  NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
  Best regards
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• ACS 5.3 / Self Signed / Certificate base auth

  Hello,
  Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.
  We have exported it to have a Trusted Certificate for client machine.
  This certificat has been installed on a laptop.
  The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)
  I have this error in the log:
  12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain
  I think the Access Policies (identity & authorization) are misconfigured:
  > I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
  > Identity: System:EAPauthentication match EAP-TLS
  id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
  > authorization: System:WasMachineAuthenticated=True
  Thanks for your help,
  regards,

  Hello,
  I found the answer here:
  https://supportforums.cisco.com/message/1298039#1298039
  ACS self-signed certificate is not compatible with EAP-TLS
  Thanks,

• How to replace an expiring self-signed certificate?

  Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
  First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
  It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
  The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
  It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
  I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
  I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
  Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
  http://screencast.com/t/zlVyR2Hsc
  Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
  Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
  http://screencast.com/t/54c2BUJuXO2
  Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
  Be aware that creating certificates starts to populate your server Keychain.
  http://screencast.com/t/JjLb4YkAM
  It appears that when you start to delete certificates, it leaves behind private keys.
  http://screencast.com/t/XD9zO3n16z
  If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
  OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
  In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
  Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
  Bypass "Introduction".
  In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
  The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
  You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
  In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
  The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
  (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
  Pant, pant...
  The next window asks for an email address and location information - this appears to be optional.
  Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
  Key Usage Extension window
  Here's where it gets interesting...
  I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
  Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
  Extended Key Usage Extension...
  Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
  Sorry, folks, I just HAVE to show you the help for this window...
  +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
  KILL ME NOW!!!
  OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
  Basic Constraints Extension...
  Well, there is no mention of that on the original certificate, so leave it unchecked.
  Subject Alternate Name Extension...
  Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
  DONE!!!! Let's see what the heck we got!
  http://screencast.com/t/QgU86suCiQH
  Well, I don't know about you but that looks pretty close for Jazz?
  I got some extra crap in there but the stuff from the original cert is all there.
  Think we're OK??
  Out with the old certificate (delete).
  Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
  http://screencast.com/t/bydMfhXcBFDH
  Oh yeah...one more thing in KeyChain Access...
  See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
  http://screencast.com/t/GdZfxBkHrea
  Select "Always Trust".
  I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
  I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
  Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
  If you want to see my rant on Apple's worthless documentation, it's here.
  http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

  to add to countryschool and john orban's experiences:
  using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
  in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
  when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
  supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
  you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
  now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
  after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
  lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
  maybe that's hopeful to somebody. but i stopped there since things seem to be working.
  last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
  now, we'll see how everything works once people start really using it...