Need to import self-signed certificate?
I'm in the process of migrating an applet to 1.3.1_03. The latest problem I've run into is the change in security between 1.2.2 and some version of 1.3, in that, apparently, I have to import a self-signed certificate into cacerts for our intranet applet to work.
Is this still true for 1.3.1_03? If so, is there an easy way to do this from the client perspective (e.g. some batch file that can be run to handle this)? I've seen quite a few other posts surrounding this topic, but it's difficult to keep track of what's current.
Does 1.4 remove this issue (just curious... we're not planning to go to 1.4)?
Thanks,
Van Williams
What I've done is to import the certificate into a keystore on the web server. I also have the policy file (also on the web server) pointing to this keystore. This works fine, as long as either one of the following is true:
1) the java.security file on the client has a policy.url entry that points to the policy file on the web server
2) The runtime parameters for the plug-in specify the policy file on the web server (e.g. -Djava.security.manager -Djava.security.policy={location of policy file on web server})
I'm trying to figure out a way to not have an automated procedure change the java.security file on the client (though I'll use this approach if needed). I also don't want to change the runtime parms on the plug-in (will affect other applets). If there is a way to specify this in the HTML for my applet, that would be perfect. Any ideas (will be posting this as a separate thread).
Thanks,
Van Williams
Similar Messages
-
Importing self-signed certificate
Hi there!
I have some problems in importing SSL certificates on my macbook.
There are 2 certificates that need to be imported: the root CA certificate, which is naturally self-signed, and my private user certificate, which is signed by the above-mentioned CA.
The first file is in .crt format and consists of the CA public key and signature. The second file is in .p12 format and consists of the encrypted public and private keys.
The problem is:
I can't import either the CA or my personal certificate.
The CA cert should be imported at the "CA" tab in Keychain, but the import button ("+") is inaccessible here:
http://img.200133883.info/big//%D0%A1%D0%B2%D1%8F%D0%B7%D0%BA%D0%B0_%D0%BA%D0%BB%D1%8E%D1%87%D0%B5%D0%B9-20120313-143521.png
When I tried to double-click CA.crt I got the import error # -67762, which says that the attribute "key length" was invalid. The same thing happens with my personal certificate.
Could somebody explain to me how I should import those two SSL certificates? -
E90 importing self-signed certificate nightmares
Hi!
I want to import a self-signed certificate on a customer's E90.
I've copied the correctly exported certificate to the phone, but the E90 file manager always says "File format not supported".
I've tried with .cer, converted to .der with the following page: http://www.redelijkheid.com/symcaimport/
I've been through all suggestions and step guides found on internet. Customer support does not have a clue what I'm talking about.
I'm looking for anybody who has successfully imported any kind of certificate into this model's certificate store, or anybody who can simply answer this question: what type of certificates does this model support?
Thanx for your answers,
Toni
I'm using a self-signed certificate from SBS. Right now the question is not whether something is misconfigured within my certificate (I'm aware of SBS certificate problems); the problem is that the E90 WILL NOT recognize .cer or .der files as certificates.
There must be someone who can answer this really simple question: which certificate formats are supported on the E90?
You will find this type of question posted many times on different forums, with different suggestions, but they simply don't work.
Again my error is "file format not supported" -
Safari on Windows could not accept self-signed certificate
Hi, I am using Safari 5.0.4 on Windows 7 and I am trying to access an https site with a self-signed certificate (internal development site).
After I install the certificate into the Windows certificate store (I tried both the Personal store and Trusted Root Certification), when I try to browse the site, Safari asks me to choose a certificate; after I choose it, and after a long hang, Safari displays "Safari can't open the page".
My questions are:
1. Has anyone configured Safari on Windows to accept a self-signed certificate successfully?
2. I see some other posts saying "Safari on Windows has a bug using self-signed certificates"; is there any official document or link saying this, if it is true?
Microsoft Windows web browser support questions? Try one or more of these resources:
http://technet.microsoft.com/en-us/library/cc747495(WS.10).aspx
http://www.leonmeijer.nl/archive/2008/08/01/123.aspx
http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-ie8-to-accept-a-self-signed-certificate
That was from tossing the /internet explorer import self-signed certificate/ query at Google, and some poking around. StackOverflow and Microsoft Technet and the Microsoft KBs have more details on Microsoft platforms and products and permutations, too.
The usual best fix with this stuff is to create your own certificate authority (CA) root certificate and to configure that within your chosen platforms and browsers, but I do not know (off-hand) how to do that on Microsoft Windows boxes. Google or some KB probably has details of loading your own root cert. This approach means loading one cert, and the rest of what you create that's signed from that cert will now automatically be trusted. Basically you become your own CA provider, load your root cert into each of your clients, and then issue your own certs chained from your own root cert, and Bob's Your Uncle. -
How to import the self-signed certificate in runtime
Hi.
I am working on connecting a JSSE client to an OpenSSL server with a self-signed certificate.
But I get an SSLSocketException during handshaking.
Many solutions are posted on this page.
But they are all using keytool.
My application connects to many sites that use self-signed certificates.
So, I want to import the certificate at run time.
How can I do this?
Please, answer me.
Thanks,
Did you figure this out??? I need to know how to accept a self-signed certificate, otherwise it's this exception...
D:\javatools\apis\jsse1.0.2\samples\urls>java -cp jcert.jar;jnet.jar;jsse.jar;. URLReader
Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:61)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at java.net.URL.openStream(URL.java:798)
at URLReader.main(URLReader.java:46) -
Nokia X - import self signed server certificate
Does someone know how to import a self-signed server certificate? No CA root certificate, only a server!
I connect from all my devices to a Baikal server for calendars and addresses. For this machine I generated a self-signed server certificate. All my devices work without problems after I import the certificate to them (iPhone, iPad, iMac, Win7, Srv2k8, Linux, ...). Only the Nokia X doesn't want to accept it.
I store the cert in DER format, with the name ending in .cer, on the memory card, choose import, the cert is found and I have to name it, but then it will not import it??? And CAdroid is not working?!
Does someone know how to do this right? Thanks.
Hi, anoymo. You may install the self-signed certificate by downloading it using the phone's browser. The file format should be DER encoded binary (X.509). Or you can create an HTML file using Notepad. Just copy this code (<HTML><BODY><a href="FileName.cer">Install certificate</a></BODY></HTML>) excluding the parentheses into Notepad and save it as .html. Create a zip file for the certificate and the HTML file, copy it to the phone, then open the .html file; it should prompt you to install the certificate. Directly importing it to the phone is not possible.
-
How to successfully import ASA self-signed certificate?
On ASA 9.1 I am trying to export an Identity certificate (self-signed certificate) into a p12 file so I can import it into a laptop and use it for a secure connection to the ASA over ASDM. I can add the certificate OK using ASDM, and the certificate shows up OK in Certificate management/Identity certificates. Exported the certificate into a .p12 file with passphrase OK.
In Win XP and Windows 7, every time I try to import the certificate I get a message that the password is incorrect. Yes, I did type the correct password.
Even through the CLI I get the same error when trying to import the file.
ASA(config)# crypto ca export ASDM_TRUSTPOINT pkcs12 password
Exported pkcs12 follows:
-----BEGIN PKCS12-----
-----END PKCS12-----
Any tips or tricks on how to get this simple task completed? Is maybe the file format not right?
Hi
Please show the error ASA is reporting during import.
It's working correctly with 9.1(0)2, example:
ASA9(config)# crypto ca trustpoint TP
ASA9(config-ca-trustpoint)# enrollment self
ASA9(config)# crypto ca enroll TP
WARNING: Trustpoint TP has already enrolled and has
a device cert issued to it.
If you successfully re-enroll this trustpoint,
the existing certificate will be replaced.
Do you want to continue with re-enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: ASA9
% Include the device serial number in the subject name? [yes/no]: yes
Generate Self-Signed Certificate? [yes/no]: yes
ASA9(config)#
ASA9(config)# crypto ca export TP pkcs12 123456
Exported pkcs12 follows:
-----BEGIN PKCS12-----
-----END PKCS12-----
ASA9(config)#
ASA9(config)#
ASA9(config)# no crypto ca trustpoint TP
WARNING: Removing an enrolled trustpoint will destroy all
certificates received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
ASA9(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device digital certificates issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
ASA9(config)# crypto ca trustpoint TP2
ASA9(config)# crypto ca import TP2 pkcs12 123456
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
quit
INFO: Import PKCS12 operation completed successfully
ASA9(config)#
ASA9(config)# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 6e85f150
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=ASA9+serialNumber=123456789AB
Subject Name:
hostname=ASA9+serialNumber=123456789AB
Validity Date:
start date: 15:52:01 UTC Jan 12 2013
end date: 15:52:01 UTC Jan 10 2023
Associated Trustpoints: TP2
You might want to enable debugs: "debug crypto ca 255".
Be careful when typing the password - watch out for trailing spaces!
Michal -
Steps to create your own self signed certificate with java plugin working
You need two tools that come with your JDK, which are keytool and jarsigner.
The steps are explained below in detail. Don't use Netscape signtool, it will NEVER work!
* keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
cn = Certificate name
o = organisation
ou = organisation unit
c = country (first two letters)
If you don't put the -dname, you can fill it in line by line.
The -keypass has to be verified at the end, and you have to wait for it to create the RSA signing keys.
On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if logged in as administrator) in the default file called ".keystore". Windows 98 etc., don't know, search for the .keystore file. When you update it, check for the timestamp change and you know if you are at the right spot.
You can store your alias information via the -storepass option in the current directory you work in, if you don't want to update the default .keystore file.
The .keystore contains a list of aliases so you don't have to do this process again and again.
Another tip: if you want your certificate encryption validity to be more than the default one month, simply add -validity <valDays> after the -genkey option, to make your certificate usage for encryption last much longer.
Note: You MUST use -keyalg rsa because, for starters, the RSA encryption algorithm is supported on ALL browsers instead of the default DSA and the other one, SHA. Java plugins must work with the RSA algorithm when signing applets, else you will get all sorts of weird errors :)
Do not use signtool because that's a browser-dependent solution!! The Java plugin is supposed to work by running its own JRE instead of the browser JVM. So if you are going to use Netscape signtool, it starts to become a mess! i.e. the certificate will install, but the applet won't start and will give you funny security exception errors :)
* keytool -export -alias tstkey -file MyTestCert.crt
It will read the alias information in the .keystore, picking up the RSA private/public key info, and create your self-signed certificate. You can double-click this certificate to install it? But I don't think this step is needed, but maybe for IE? Someone else can check that part.
If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
* Put your classes in your jar file, my example is tst.jar.
* jarsigner tst.jar tstkey
Sign your testing jar file with your alias key that supports the RSA encryption algorithm.
* jarsigner -verify -verbose -certs tst.jar
Check that it's been verified.
The last step is the most tricky one. It's to do with having your own CA (Certificate Authority) so you don't have to fork out money straight away to buy a Verisign or Thawte certificate. The CA listing as you see in Netscape browsers under security/signers is NOT where the plugin looks. The plugin looks at a file called CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time it uses your JavaSoft folder, and it's that cacerts file that has to be updated when you add your own CA, because that's where the plugin looks, NOT THE BROWSER. Everything about the plugin is never to do with the browser!! :)
* keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
Of course, point to your own cacerts file destination.
The password to change it is "changeit".
Before you do this step make a copy of it in its own directory in case you do something silly.
This example will add a CA with alias of my key called "tstkey" and store to my example destination.
* keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
List to see if another CA is added with your alias key.
With your HTML using the Netscape embed and Internet Explorer object tags to point to the Java plugin, your own self-signed applet certificate should work.
Cheers
Abraham Khalil
I followed Signed Applet in Plugin, and it's working on my computer. Thanks
But when I open my applet from another computer on the network, why does it not work?
How do I make this applet work on another computer without changing the policy file?
thanks in advance,
Anom
You must install the certificate in that computer's plugin. Can this be done from the web? Can anyone suggest a batch file or otherwise that could do this for end users?
I want a way for end users to accept my cert as Root, or at least trust my cert, so I don't have to buy one. I am not worried about my users refusing to accept my cert, just how do I make it easy for them? In IE you can just click the cert from a link, but that installs it for IE, and not the plugin where it needs to be. -
ASA self-signed certificate for Anyconnect 3.1, which attributes?
Hi everybody,
I can't find detailed information on which attributes are exactly needed for the AnyConnect 3.1 client to correctly identify the VPN server (ASA 8.4(4)1).
I have added two servers in the client connection profile:
IP address, primary protocol IPsec
IP address/non-default port number, primary protocol SSL
Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
Connecting via SSL issues an additional warning "Certificate does not match the server name".
The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by AnyConnect 3.1. Where can I find a detailed description of which attributes are required for AnyConnect SSL sessions? I'm convinced the identity (DN cn) is OK.
Shamelessly bumping this question,
Anyone out there (maybe from Cisco) who can tell us which attributes are required on a self-signed certificate?
I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server. -
Error when using sapgenpse import_own_cert to import a signed certificate
We have installed a WebDispatcher and want to use SSL and executed the following steps:
1. Generate Self-Signed Certificate and CSR by:
sapgenpse get_pse -p SAPSSLS.pse -r SAPSSL.req "CN=emsd3c.cs-apps.carestreamhealth.com, OU=IT, O=Carestream Health, C=US"
2. Use the service.sap.com/trust SSL Test Server Certificate service to sign the CSR, which looks like
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The certificate signed by SAP looks like the following, and I have created a file called d3c_test.cer to contain it:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
3. Execute the following command to import SAP's response (d3c_test.cer)
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Receive the following error:
sapgenpse import_own_cert -c d3c-test.cer -p SAPSSLS.pse
Please enter PIN: ****
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
Any help will be appreciated.
Thanks
Rivers
Hi Sri Garimella,
As you have mentioned above, to download the root certificate also and give the command as
sapgenpse -import_own_cert -c d3c-test.cer -p SAPSSLS.pse -r <RootCA_cert_file>.
Could you please help me with where I can get the RootCA_cert_file?
In the service marketplace I am unable to find the RootCA_cert_file.
Could you please elaborate on the issue?
Regards
Hari -
Can you use a self signed certificate on an external Edge Server interface?
Hi,
I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self-signed certificate from our internal CA (no problem there). For the external interface, I have a self-signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and DigiCert tools to prove that the external self-signed cert is valid (root and intermediate have been checked for validity).
At first, when logging in from the Lync 2013 client on the external user's machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event Viewer (in the application or system logs). However, I receive the following error from the Lync client: "We're having trouble connecting to the server... blah, blah".
Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self-signed certificates on the external interface of an Edge server? They seem to.
I can't tell if the certificate is my problem or something else. Any ideas on how to troubleshoot this?
Thx
Drago,
Thanks for all your help. I got it working.
My problem with the Lync client error, "We're having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My SIP default domain needed to match my user login domain.)
Let me update everyone about self-signed certificates:
YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
I have a self-signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and DigiCert tools to prove that the external self-signed cert is valid (root and intermediate have been checked for validity).
Here are my notes:
Create/enable your own external Certificate Authority (CA) running on a server with internet access.
On the Lync Edge Server, run the "Lync Server 2013 - Deployment Wizard".
Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state.)
You should have already completed Step 1 and Step 2.
Run or Run Again "Step 3: Request, Install or Assign Certificates".
Install the "Edge internal" certificate.
Click the "Request" button to run the "Certificate Request" wizard.
You can use the "Send the request immediately to an online certificate authority" option to connect to your internal CA and create the certificate.
Once the certificate has been created, use "Import Certificate" to import it.
Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request...
In the Lync Deployment Wizard - Certificate Wizard, "Assign" the newly imported "edge internal" certificate.
Install the "Edge External" certificate (public Internet).
Click the "Request" button to run the "Certificate Request" wizard.
Press "next"
Select "Prepare the request now, but send it later (offline certificate request)".
Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
Fill in the organization info.
Fill in the Geographical Information.
The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
Select your "Configured SIP domains"
"Configure Additional Subject Alternative Names" if you want. Otherwise, next.
Verify the "certificate Request Summary". Click next.
Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name, let's say "EXTERNAL-EDGE").
For the "External Edge certificate (public Internet), click "Assign".
The "Certificate Assignment" wizard will run.
Click next.
From the list, select your cert "EXTERNAL-EDGE".
Finish the wizard to "complete".
You are finished on the server.
Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
Browse
Select "Trusted Root Certification Authorities"
Finish the wizard. -
SSL (Self Signed Certificate) in Business Connector
After going through hundreds of messages, I am still not clear about the steps involved in including SSL certificate with HTTP protocol.
1. Instead of subscribing to a Trusted Certificate Authority, can we create a Self Signed Certificate? If yes, how?
2. Can anyone please explain the steps involved in including SSL certificate (configuring/importing the certificate)? We are successfully calling HTTP and sending the XML document to a HTTPS URL with authorized user name and password. I need to include SSL certificate to complete the requirement. I have looked at all the PDF documents that are available with BC installation and looked at many forums and still haven't found the answers.
Thanks in advance.
Hi Ramesh.
When untrusted root certificates may be acceptable
Some CAs may be trusted, but in only a very limited way. For example, a company with employees in diverse locations can make internal documents available to all its employees by setting up a Web site on an intranet that is only accessible from inside the corporate LAN (i.e. people on the Internet cannot see it). If there are documents on this site that should have limited access within the company (such as strategic plans or personnel documents), then these can be protected with SSL.
Since both the servers as well as the browsers are on corporate-controlled equipment, it is well within the company's interests to act as its own CA. This means that the company can generate its own root certificate with which it can sign as many SSL certificates as required for the servers deployed in its intranet. Once this is done, this certificate should be installed into the certificate stores of all the browsers used in the company. Since the computers these browsers run on are controlled by the company, this is easy to do: the corporate IT department can have a policy that the company's root certificate is installed in the browser's certificate store whenever a new computer is set up. This prevents security warnings from being displayed whenever an employee accesses an SSL-secured site on the company intranet.
The advantage to the company is that it can deploy secured sites anywhere on its intranet without purchasing certificates from an external CA. Note that if the company also runs an e-commerce site, then it should purchase its SSL certificate from a trusted CA and not use an internal one for sites accessible to the public, who will not have the certificate installed by the corporate IT department, and thus would receive a security warning.
In such an environment, an unscrupulous employee (most likely a member of the IT team) who has access to the private key could launch very successful MITM attacks against employees who visit SSL-protected e-commerce and e-banking sites at work. This will be discussed later in this document. However, the company can easily protect itself by warning employees not to visit such sites on company time or equipment, since they are not "business related activities."
Please see this doc related to trusted and untrusted certificate.
http://www.sericontech.com/Downloads/Untrusted_Root_Certificates_Considered_Harmful.pdf -
Keytool self-signed certificate.
Using Keyman on HP-UX. Wanted to create a self-signed certificate.
When I tried to create, it asked to create keys. I created them. Then I could select self-signed and create it. This is listed under private certificates. Now what to do? For somebody to trust this certificate, do I have to take it to another database on another box?
Say, I created a private certificate pc1 at Box1. For Box2 to trust Box1, I guess I need to take this certificate and put it on Box2. (exporting from box1 and importing to box2). Is this what I am supposed to do? Or am I understanding something different? If I am correct, it(keyman) is not giving me option to export the certificate.
Please help.
Using ikeyman, not keytool
-
New self signed certificate, how to mark as trusted for all users on clients
We have a new 10.8 server that we are currently using for iChat/Messages service. We have created a self signed certificate to encrypt the traffic to the Messages service since we have the service accessible for internet and phone users. We use network accounts and users need to log in on several different machines when in the office.
Can anyone suggest how to tell a client machine to trust the certificate for all users?
Currently, each user is asked to trust the certificate on each client they log into.
I have imported the server certificate into the client's system keychain in Keychain Access and asked it to trust the certificate for all items manually. This does not appear to allow all users to trust the certificate, since subsequent users who have not yet trusted the certificate on the test client are still asked to confirm trust. When opening iChat.app the users are still prompted to verify the certificate, which now indicates that it is trusted for all users.
Resolved.
- Drag certificate from verification dialog.
- Import into System Keychain
- Select certificate in System Keychain and select "i" button at bottom of window.
- Set all items to always trust. -
How to use Self Signed certificate with SSLServerSocket?
Hello to all.
I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
The server must have it's own certificate, clients don't need one.
I started with this
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
To generate key for the server and a self signed certificate.
To sum it up:
Create a new keystore and self-signed certificate with corresponding public/private keys.
keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
Export and examine the self-signed certificate.
keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
Import the certificate into a new truststore.
keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
Then in my server code I do
System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
Socket s = sslServerSocket.accept();
I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
Can it be a problem with the certificate? When using -validity <days> in keytool the certificate gets self-signed, so it should work if I'm not wrong.
I have also tried this solution
serverKeyStore = KeyStore.getInstance( "JKS" );
serverKeyStore.load( new FileInputStream("/scratch/stores/server.jks" ),
"123456".toCharArray() );
tmf = TrustManagerFactory.getInstance( "SunX509" );
tmf.init( serverKeyStore );
sslContext = SSLContext.getInstance( "TLS" );
sslContext.init( null, tmf.getTrustManagers(),secureRandom );
SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port );
and still it doesn't work.
So what am I missing?
You were right. I corrected the mistakes in the server code, now it's
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

private SSLServerSocket setupSSLServerSocket(){
    try {
        SSLContext sslContext = SSLContext.getInstance( "TLS" );
        // The server side needs a KeyManager: it supplies the private key and certificate
        // that the enabled cipher suites require.
        KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(_KEYSTORE), _KEYSTORE_PASSWORD.toCharArray());
        km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
        /* Use with a truststore if client authentication is needed:
         * TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
         * tm.init(ks); */
        sslContext.init(km.getKeyManagers(), null, null);
        SSLServerSocketFactory f = sslContext.getServerSocketFactory();
        SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(_PORT);
        return ss;
    } catch (UnrecoverableKeyException e) {
        e.printStackTrace();
    } catch (KeyManagementException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (KeyStoreException e) {
        e.printStackTrace();
    } catch (CertificateException e) {
        e.printStackTrace();
    } catch (FileNotFoundException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }
    return null; // only reached if setup failed
}
and on the client code
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

private SSLSocket setupSSLClientSocket(){
    try {
        SSLContext sslContext = SSLContext.getInstance( "TLS" );
        /* SERVER side only (the client has no certificate of its own):
         * KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
         * km.init(ks, _KEYSTORE_PASSWORD.toCharArray()); */
        // The client side needs a TrustManager built from the truststore that
        // holds the server's self-signed certificate.
        KeyStore clientks = KeyStore.getInstance("JKS");
        clientks.load(new FileInputStream(_TRUSTSTORE), _TRUSTSTORE_PASS.toCharArray());
        TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
        tm.init(clientks);
        sslContext.init(null, tm.getTrustManagers(), null);
        SSLSocketFactory f = sslContext.getSocketFactory();
        SSLSocket sslSocket = (SSLSocket) f.createSocket("localhost", _PORT);
        return sslSocket;
    } catch (KeyManagementException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (KeyStoreException e) {
        e.printStackTrace();
    } catch (CertificateException e) {
        e.printStackTrace();
    } catch (FileNotFoundException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }
    return null; // only reached if setup failed
}
and added a System.out.println(sslSocket); after every incoming message (server side) and SSL is now fully working!
So my mistakes were:
[] Incorrect setup done by code
[] Incorrect and insufficient println() of socket status
Now that everything works, I've deleted all this manual setup and just use the system properties. (They MUST be set before getting the Factory)
SERVER SIDE:
System.setProperty("javax.net.ssl.keyStore", _KEYSTORE);
System.setProperty("javax.net.ssl.keyStorePassword", _KEYSTORE_PASSWORD);
SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
SSLServerSocket sslServerSocket = (SSLServerSocket) f.createServerSocket(_PORT);
CLIENT SIDE:
System.setProperty("javax.net.ssl.trustStore", "/scratch/stores/client.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "client");
SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslSocket = (SSLSocket) f.createSocket(_HOST, _PORT);
And everything is working as expected. Thank you!
I hope my code will help someone else in the future.
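The thread above arrives at the right split, KeyManager on the server and TrustManager on the client, by trial and error. The program below is an added, end-to-end example (not code from the original post) that runs both halves in one JVM on the loopback interface and shows the two outcomes a practitioner actually cares about: a client whose truststore holds the server's self-signed certificate completes the handshake, while a client using the JRE default context (i.e. cacerts) rejects it, which is exactly why the certificate has to be imported somewhere before it is trusted. It assumes the two keystores created by the keytool commands in the thread exist at /scratch/stores/server.jks (password 123456) and /scratch/stores/client.jks (password client), that the server certificate was issued with CN=localhost or a SAN of localhost (when generating, `-dname CN=localhost -ext SAN=dns:localhost` does this), and Java 8 or later.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedTlsDemo {
    // Assumed paths/passwords: the keystores produced by the keytool steps in the thread.
    static final String SERVER_KS = "/scratch/stores/server.jks";
    static final char[] SERVER_PW = "123456".toCharArray();
    static final String CLIENT_TS = "/scratch/stores/client.jks";
    static final char[] CLIENT_PW = "client".toCharArray();

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Server: only a KeyManager (its identity). Passing null KeyManagers here is what
    // produces "No available certificate or key corresponds to the SSL cipher suites".
    static SSLContext serverContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(SERVER_KS, SERVER_PW), SERVER_PW);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, new SecureRandom());
        return ctx;
    }

    // Client: only a TrustManager, built from a truststore that contains nothing but
    // the server's self-signed certificate, so no public CA can vouch for an impostor.
    static SSLContext pinnedClientContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(CLIENT_TS, CLIENT_PW));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    static String connect(SSLContext ctx, int port) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", port)) {
            // A bare SSLSocket does NOT check that the certificate name matches the host;
            // enable it explicitly or a valid cert for any other name would be accepted.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            return new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8)).readLine();
        } catch (SSLHandshakeException e) {
            return "handshake rejected: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket server = (SSLServerSocket) serverContext().getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread t = new Thread(() -> {
            while (true) {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    s.getOutputStream().write("hello over TLS\n".getBytes(StandardCharsets.UTF_8));
                } catch (IOException e) {
                    if (server.isClosed()) return; // a rejected handshake also lands here; keep serving
                }
            }
        });
        t.setDaemon(true);
        t.start();
        int port = server.getLocalPort();

        // 1) truststore pinned to the self-signed cert: handshake succeeds
        System.out.println("pinned truststore : " + connect(pinnedClientContext(), port));
        // 2) JRE default context (cacerts): self-signed cert is unknown, handshake fails
        System.out.println("default (cacerts) : " + connect(SSLContext.getDefault(), port));
        server.close();
    }
}
```

Two caveats worth keeping in mind when adapting this. First, the explicit SSLContext is preferable to the javax.net.ssl.* system properties used at the end of the thread: the properties are JVM-global, so they silently redefine the default context for every other library in the process, and they leave the keystore password readable by any code that can call System.getProperties(). Second, the thread's `-validity 7` means the certificate expires after a week, at which point case 1 starts failing with a certificate-expired error; pick a validity that matches how you intend to rotate the key.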