OpenSSL - Alternative chains certificate forgery

Hello, are any F-Secure business products affected by the "Alternative chains certificate forgery" problem? If yes, how can I treat installed applications? http://openssl.org/news/secadv_20150709.txt

Hello Jachym,
Good day to you!
My name is Calvin, and I’m the primary contact for security vulnerabilities concerning F-Secure’s products and services.
With regards to your question about the latest OpenSSL fix and our F-Secure business products, allow me to respond to you:
F-Secure corporate server products (Policy Manager, PSB Server Security, PSB Email and Server Security, Server Security, Email and Server Security) are not affected by this vulnerability.
F-Secure Virtual Appliances products (IGK VA and SRS VA) are not affected by this vulnerability.
F-Secure Internet Gatekeeper is not affected by this vulnerability.
F-Secure Linux Security is not affected by this vulnerability. 
F-Secure Messaging Security Gateway and Protection Service for Email products are affected and a patch is currently in the works. This will be released as soon as it is made available.
If you have additional questions or concerns, please do not hesitate to reply and I will gladly assist you further.
Best regards,
Calvin Gan
F-Secure Security Vulnerability Expert

Similar Messages

  • Chain certificate : PKCS#7 format

    I have received a set of certificates from the CA. I have added all the certs except the chain into the ACE chaingroup configuration. HTTPS is working fine without issues. Do I need to install the chain certificate as well? The chain is given in PKCS#7 format, whereas the ACE does not accept PKCS#7. Please suggest.

    Well I haven't had any luck getting an iPhone to present an SSL certificate to an IIS7 ASP.Net webserver.
    The same .p12 certificate works on IE7, PocketIE (WM6), Firefox and Safari (PC version). The website is set to Require an SSL certificate. From the Windows Mobile or PC browsers, you get a prompt for the client certificate. I have tried Nick's website and the iPhone will prompt to choose between his and my certificates, however with IIS7 you just get a 403.7 client SSL certificate required error.
    I have turned on SSL tracing in HTTP.Sys and get the following (edited for length) :
    <Opcode>SslInititateSslRcvClientCert</Opcode>
    - <Keywords>
    <Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
    </Keywords>
    <Task>HTTP SSL Trace Task</Task>
    <Message>Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.</Message>
    <Channel>HTTP Service Channel</Channel>
    <Provider>Microsoft-Windows-HttpService</Provider>
    ... then after various SSL negotiations and receive raw data traces I see...
    <Opcode>SslRcvClientCertFailed</Opcode>
    - <Keywords>
    <Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
    </Keywords>
    <Task>HTTP SSL Trace Task</Task>
    <Message>Attempt by server application to receive client certificate failed with status: 0xC0000225.</Message>
    <Channel>HTTP Service Channel</Channel>
    <Provider>Microsoft-Windows-HttpService</Provider>
    Which basically seems to mean a "not found" error.
    Anyone had any luck with iPhone to IIS 7 (which we have to use as it is an ASP.Net website)?

  • How to get a server chain certificate

    Hi all,
    I'm installing SSL on Bea Logic server 6.0, but I don't know how to get a server
    chain certificate.
    Does anybody know how to get this certificate?
    Also, I read in the e-docs site that we can use utility der2pem and vice versa
    to convert between them, but I don't know where to get the tools. (It's not in the
    utils.jar)
    Thanks for any answer.
    Uy

  • Used a Subject Alternative Names certificate with an ESA IronPort C170

    Hi all,
    Does someone know if it is possible to use a "Subject Alternative Names" certificate (SAN / UCC SSL) for an Email Security Appliance C170?
    Is it possible to do this, with an IronPort ?
    Thank you very much, for your reply.
    Regards,
    David

    Hello RYAN,
    Thank you for your reply. It is very good news for us.
    Have a nice day!
    David

  • Multiple Customers having Problems with .pem files -chain certificate

    I have 2 different customers who recently started using weblogic. My Applications are ASP hosted web services and require digital certificates. For added security, our CSO uses a chain certificate. The private cert is signed by an intermediary verisign cert which is signed by the Root CA.

    Embarrassingly, I just found out one Customer completely side-stepped the BEA implementation for .pem files and implemented a non BEA class to work around based on difficulty they had trying to get the .pem file for the intermediary verisign cert to work. I am stuck in that I don't want to advise the second client to do the same thing, but I can't find great support on what to do and some of the BLOGS are conflicting. From what I understand, this first client struggled on this for 2 weeks and gave up.

    What I am trying to ascertain is whether the private .pem file is supposed to have both the RSA PRIVATE KEY as well as the CERTIFICATE of the intermediate cert inside that one .pem file or not. I can see there needs to be a .pem for the intermediary and a .pem for the private but not sure if any of the data should repeat.

    Also, good samples of how these should look would help. The .pem files my client showed me looked incorrect.

    Please note both these clients are top Investment Banks and I think it's in both Bea's interest and my interest to see this work on Weblogic without coding around the default Weblogic security implementation.

    Hi Patrick,
    If you fixed the issue changing your PowerShell code, would you mind posting the working code here for reference for other people that might experience this problem?
    Thanks in advance.
    Nico Martens - MCTS, MCITP
    SharePoint Infrastructure Consultant / Trainer

  • How to use Chained Certificates from CA (Thawte) ?

    Hi,
    I have an application which does the communication over a secured channel to another site (say www.XYZ.com) over the internet. For this, xyz.com has given a certificate which is used for secured communication. As long as the certificate was a self-signed certificate I did not have any problem. I used to import the certificate into the trusted store and use it with the help of JSSE.
    Now the problem is that xyz.com has given a new certificate, which is chained and issued by Thawte. As I understand it, the JDK does not come with Thawte as a trusted CA, so we need to add the same in the keystore. The problem I am facing is how chain certificates work under Java, i.e. how the chain of certificates is created in the keystore file. When I import the CA's self-signed certificate as documented in the keytool documentation, this completes without problem. In the documentation there is a mention regarding importing the "Certificate Reply from the CA", but there is no mention about how to import a certificate given by a 3rd party, i.e. xyz.com in our case. Are the "Certificate Reply from the CA" and the certificate from the 3rd party the same, or is there some specific way in which we have to do the import to the keystore?
    Thanks in advance
    Sachin

    Thank you for taking time to reply, but this is solved now. You are right, I need to import all the certificates. So what I did was export all the certificates which were in the chain from IE. Then, starting from the Root's self-signed certificate, I imported all of them one by one into the keystore and then provided this keystore during communication, and it works.
    Thanks once again
    Sachin

  • Azure Management Cmdlet Add-AzureCertificate not working for chained certificate

    Hi,
    While running the Azure cmdlet Add-AzureCertificate against a public certificate that I have, it is
    not able to upload all the chained certificates to the cloud service certificate store. All it does is just
    upload one certificate.
    However, when I manually load them via Azure management portal, I see 3 of them uploaded.
    Is there a bug in the cmdlet?
    Thanks!

    Hi,
    Apparently it looks like a limitation with the cmdlet.
    You can refer to the following link for a workaround using the REST API:
    http://blogs.msdn.com/b/arunrakwal/archive/2012/04/16/windows-azure-adding-multiple-certificate-to-hosted-service-using-powershell-and-c.aspx
    Regards,
    Nithin Rathnakar

  • OAM with OVD SSL , can I use openSSL to create certificate

    OAM with OVD SSL: can I use OpenSSL to create the certificate? In the doc, it uses Microsoft cert server. I want to use OpenSSL, but without success. Has anyone succeeded in doing this?

  • ACE Chain Certificates in mobile devices

    Hi,
    I'm having an issue with intermediate certificates from GoDaddy when connecting from some browsers of mobile devices:
    Browser in Android 2.3.3;
    Safari in iOS 4.2.1;
    Chrome 18 in Android 4.0.
    In a PC there's no problem, only from the above mobile devices. The intermediate certificate isn't downloaded from the ACE 4710 resulting in a "SSL Certificate Not Trusted" error.
    Since GoDaddy has no instructions to resolve the issue from a Cisco ACE, I'm hoping someone in the community has dealt with this issue before.
    Best regards,
    Ricardo Canto

    Hi Jorge,
    I'm sorry for not being able to answer your questions earlier. I became a father a few weeks ago and needed to take an absence.
    The issue was solved after the certificates were renewed last week and imported to the ACEs; no change has been made to the intermediate certificates.
    I'm going to answer your questions so that this issue can be documented for future reference:
    You have indicated you also have the intermediate applied under a chaingroup in your current configuration, correct?
    Indeed, the intermediate is applied to the chaingroup.
    Do you have any ssl parameter to force the ACE only to use some specific certificates or you are using all(default)?
    There is a different ssl-proxy for each service. Each one has its own chaingroup, certs and keys.
    You said you are testing with mobile devices, do you have the same behavior no matter what type of mobile device(no matter that brand)?
    Only some browsers are affected by this issue:
    Browser in Android 2.3.3;
    Safari in iOS 4.2.1;
    Chrome 18 in Android 4.0.
    I've tried with other browsers but had no error:
    Google Chrome 22 in Windows 7;
    Windows Internet Explorer 9 in Windows 7;
    Opera Mini 7.5 in Android 2.3.3;
    What are you getting from your mobile devices? Page cannot be displayed or what exactly?
    In the browsers affected appears an error indicating "SSL Certificate Not Trusted"
    The error is in Portuguese, but is saying "This certificate is not from a trusted authority". As I say above the certificate is from GoDaddy, and has not been revoked.
    Have you tried from different mobile devices from different locations?
    See answer 3.
    Have you tried to do the same tests over clear text, meaning on http? Does it work on http only?
    Non issue, since the problem refers only to SSL
    The issue was solved but I wasn't able to determine if the issue was with the certificates or with the ACE.
    Thank you,
    Ricardo Canto

  • Migration: Ex 2007 to Ex 2013 and co-exist scenario: Subject Alternative Name certificate

    We are planning the migration of Exchange 2007 to Exchange 2013. In our Existing SAN certificate for Exchange services (OWA,ActiveSync), we have a URL that we included that we no longer have a service for or anything associated with it. For
    example: mail.contoso.com.
    Can we use this URL in the new Exchange 2013 certificate (3rd Party) we request/obtain as opposed to putting an entry for legacy.contoso.com? Or will we get errors?
    Thanks for your answers!

    Hello,
    No problem. For example, currently, you have two records in SAN, the last one is not in use.
    {a.domain.com, b.domain.com}
    You can:
    a.domain.com -> Exchange 2007
    b.domain.com -> Exchange 2013
    BTW, you must have autodiscover.domain.com point it to Exchange 2013.
    Thanks,
    Simon Wu
    TechNet Community Support

  • CSCut26025 - Doc. ISE 1.3 certificate chain is not being send till services restarted

    hi,
    I got issues with a chained certificate for the guest portal too. Could you please let me know which service/services need to be restarted? Or should I restart the whole ISE after importing the required certificates?
    regards
    thilo

    Hi,
    You would have to restart the services, there is a note in the Cisco ISE document. Please refer it below:
    If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1183856
    Regards,
    Tushar Bangia

  • SSL CA Certificate Chain not available.

    Hey Everyone,
    I've got a Cisco 851 running IOS12.3. I'm trying to install an SSL certificate, but after following all the instructions and installing a CA certificate I'm not getting the full chain of authority in a browser, just the device's certificate itself. I've repeated the installation process using individual CA certificates all up and down the chain but still get the same results. I've even tried installing all the chain certificates, but the buffer times out before they are all pasted in.
    What am I doing wrong?
    Russ

    I assume you are using a 3rd party CA with 2048-bit certificate and intermediate certificates. In these cases, it's sometimes counter-intuitive in getting the right order for the chaining to be correctly parsed.
    I've had good results using the checking tools at digicert and verisign sites. See:
    http://www.digicert.com/help/
    https://ssl-tools.verisign.com/#certChecker

  • CSS: How to chain SSL certificates outside of CSS before install?

    Could someone advise on how to chain the cert files outside of and before installing to the CSS, please?
    How do I check if the cert files I received are in PEM format?
    What program (Windows) do I use to chain the certificates?
    What is the order in which the chaining is done?
    Currently all I have is two cert files
    xxtrustL1c.crt.txt
    xxxx.xxxxxx.net.pfx.txt
    and
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a00801de89b.shtml
    Step by step guidance please.
    Sri

    In order to use the chained certificates on the CSS, the server certificate and intermediate must be concatenated together. This allows the CSS to return the entire certificate chain to the client upon the initial SSL handshake. When the chained certificate file is created for the CSS, make sure the certificates are in the proper order. The server certificate must be first, then the intermediate certificate that is used to sign the server certificate must be next. The power entry modules (PEM) format is not very strict, and the empty lines between keys or certificates do not matter.
    The entire contents of the mychainedrsacert.pem file are shown here with the server cert on the top, followed by the intermediate CA cert. If you need to add the root cert, it would go to the bottom.
    -----BEGIN CERTIFICATE-----
    BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG
    Binary data of your server certificate
    BxMKQm94Ym9yb3VnaDEcMBoGA1UEChMTQ2lzY28gU3lzdGVtcywgSW5jLjESMBAG
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
    LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
    HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy
    aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx
    BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg
    MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g
    TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB
    jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
    veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O
    OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB
    4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw
    KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV
    HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI
    ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk
    oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB
    BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv
    1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw
    E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
    -----END CERTIFICATE-----
    Then you can re-import your new concatenated certificate file.
    Hope this helps,
    Sean

  • SSL certificates chain

    When I try to connect to a site with chain certificates, I get javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
    Correct me if I'm wrong, this looks like Java problem.
    I'm now trying to investigate:
    a) there's a workaround for this?
    b) If I really really really had to make this work, do you know if there's another passage, trick, product or whatsoever?
    Any suggestion, advice?
    Thanks to everyone in advance.
    Simone

    By the way, I was thinking... maybe I might be doing something wrong with the approach.
    I mean, I tried to download https://paypal.com with an HttpURLConnection and it worked like a charm. But that was simple https stuff.
    Now this new site has a certificate chain ...
    Edited by: Simone.Pezzano on Jan 29, 2010 3:06 AM

  • Can't install a wildcard SSL certificate

    Running ML Server. I have a GoDaddy issued wildcard SSL certificate to *.mydomain.com. The certificate is currently installed on a different (non-Mac OS) server. I am able to cut and paste the main certificate, private key and other chain certificates from that server's interface and paste into a text file using TextWrangler. On the OS X server I deleted all of the old certificates in KeyChain (this server had an old wildcard version of the certificate before), deleted the old wildcard cert in Server.app and deleted the corresponding files in /etc/certificates
    I then created a new self-signed certificate for *.mydomain.com in Server.app, then selected it, went to Manage Certificates and tried to update the self-signed certificate with the signed certificate using the Server.app interface. The interface enables you to drag and drop certificate and chain files to add.
    However, this is where it gets strange...
    The first time I drag the certificate file to the interface, I get the green + symbol, let go and nothing happens. If I do it again, the interface lights up green again, but this time it adds it to the Non-identity certificate list. I am able to replicate this every time!
    Why does the interface show me the first time that I can drag the file, but does nothing, and then the second time adds it as a non-identity certificate? Same behavior happens if I start with the chain certificate as well.
    I can confirm that the four certificate files show up in /etc/certificates, but they appear to be generated by the self-signed certificate creation.
    Any insights appreciated! TAA

    In fact I had the same issue last week and I could only solve it by exporting the key with the certificate in a PKCS12 file. Fortunately this is supported by the Windows certificate manager where the certificate was originally installed.
    You could take your key and certificate files and merge them into a PKCS12 file using openssl (go to terminal, it is installed on an OSX box) and fire the following command (and change the filenames ;-)):
    openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
    The openssl tool requests a passphrase for the created file that you will need to provide again when the key is imported into the keychain.
    Good luck with it
