PEAP: Enforce that client must verify server certificate
Hi,
I have PEAP set up with a server certificate. The ACS server is used for RADIUS authentication and Cisco wireless access points (1240 series) are used in WPA2/AES. In my setup, clients are working fine with or without server certificate verification. How could I enforce that the client must verify the server certificate, and otherwise the wireless client is not authenticated?
Regards
You could do that with an Active Directory policy or something like that. There isn't anything on the AP or RADIUS server that can be done.
Similar Messages
-
In my error log files for iPlanet Web server 4.1SP9 (running on Solaris) I am seeing the following errors sporadically dispersed seemingly at random throughout the day.
Error receiving connection (SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT)
Error receiving connection (SSL_ERROR_BAD_CERT_ALERT - SSL client cannot verify your certificate.)
Error receiving connection (Not connected)
Hi,
Are you trying to install a certificate in iWS?
When did you get these error messages?
For more information about error codes, please look at the links below.
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
http://knowledgebase.iplanet.com/ikb/kb/articles/4811.html
Regards,
Dakshin.
Developer Technical Support
Sun Microsystems
http://www.sun.com/developers/support. -
Mail - Constantly asking me to verify server certificate
Hey guys, I'm new here. Hope everybody's well and hopefully somebody can help me!
I've recently bought a domain name and have created a couple of email addresses. I set them up through Mail and they were fine for the last couple of days, until now.
I keep getting asked to verify my mail server certificate. I've already clicked "always trust" a fair few times; it prompts me to enter my administrator password and then seems to work. Only recently it's been asking me for this password twice, as in, I'll enter it, and then it will ask for it again INSTANTLY, as though I'd entered it wrong or something.
Here's a screenshot of my problem:
http://img179.imageshack.us/img179/9245/picture6xv1.png
It's becoming very frustrating, and every time I quit Mail and relaunch it asks me to verify the certificate again.
Is this a Leopard problem? Or something to do with my hosts?
Any help is really appreciated.
Thanks
Felix
I had this problem. I solved it by making two separate self-signed certificates on my server. (It used to have only one.) Then I assigned one certificate to SSL for SMTP and one to SSL for IMAP/POP.
Mail.app now remembers to trust these certificates, simply by clicking "Always Trust" (whatever it was) as one expects one should. Once when first receiving email, and then one more time for sending email (for the SMTP).
My Mail.app is configured to send and receive through the same server but receive from mail.myserver.com and send to smtp.myserver.com.
It doesn't seem to matter what I called the certificates. I just named them "MyCompany Mail" and "MyCompany SMTP", and assigned them to POP/IMAP and SMTP.
It actually made sense that Mail.app would forget my trust setting for the certificate for mail.mycompany.com when I later trusted the same certificate for smtp.mycompany.com.
Maybe this helps some of you! -
Yesterday my Firefox seemed to spasm and I believe I had a virus (every time I hit the "home" button, which is google.com for me, it would send me to this weird site that I knew wasn't safe). I uninstalled and re-installed Firefox and ran virus scanners but nothing was found. After restarting Firefox, every website that I try to go to is giving me an unsafe error and that I must give each site a security exception, even for safe sites like Facebook, Twitter, etc. Once I did get on Facebook, everything is in HTML format and I can't use it at all. I tried restarting/uninstalling/resetting Firefox again but to no avail. I checked my Firewalls and nothing came up. Here is the data from the troubleshooting information.
<pre><nowiki>Application Basics
Name: Firefox
Version: 34.0
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Multiprocess Windows: 0/1
Crash Reports for the Last 3 Days
All Crash Reports (including 3 pending crashes in the given time range)
Extensions
Name: avast! Online Security
Version: 9.0.2021.112
Enabled: false
ID: [email protected]
Graphics
Adapter Description: Intel(R) HD Graphics 4600
Adapter Description (GPU #2): NVIDIA GeForce GT 755M
Adapter Drivers: igdumdim64 igd10iumd64 igd10iumd64 igdumdim32 igd10iumd32 igd10iumd32
Adapter Drivers (GPU #2): nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
Adapter RAM: Unknown
Adapter RAM (GPU #2): 2048
Device ID: 0x0416
Device ID (GPU #2): 0x0fcd
Direct2D Enabled: true
DirectWrite Enabled: true (6.3.9600.17111)
Driver Date: 8-19-2013
Driver Date (GPU #2): 10-4-2013
Driver Version: 10.18.10.3277
Driver Version (GPU #2): 9.18.13.2745
GPU #2 Active: false
GPU Accelerated Windows: 1/1 Direct3D 11 (OMTC)
Subsys ID: 380117aa
Subsys ID (GPU #2): 380117aa
Vendor ID: 0x8086
Vendor ID (GPU #2): 0x10de
WebGL Renderer: Google Inc. -- ANGLE (Intel(R) HD Graphics 4600 Direct3D9Ex vs_3_0 ps_3_0)
windowLayerManagerRemote: true
AzureCanvasBackend: direct2d
AzureContentBackend: direct2d
AzureFallbackCanvasBackend: cairo
AzureSkiaAccelerated: 0
Important Modified Preferences
browser.cache.disk.capacity: 358400
browser.cache.disk.smart_size.first_run: false
browser.cache.frecency_experiment: 3
browser.places.smartBookmarksVersion: 7
browser.sessionstore.upgradeBackup.latestBuildID: 20141120192249
browser.startup.homepage_override.buildID: 20141120192249
browser.startup.homepage_override.mstone: 34.0
dom.mozApps.used: true
extensions.lastAppVersion: 34.0
gfx.direct3d.last_used_feature_level_idx: 0
media.gmp-manager.lastCheck: 1417643038
network.cookie.prefsMigrated: true
places.history.expiration.transient_current_max_pages: 104858
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
privacy.sanitize.migrateFx3Prefs: true
Important Locked Preferences
JavaScript
Incremental GC: true
Accessibility
Activated: false
Prevent Accessibility: 0
Library Versions
NSPR
Expected minimum version: 4.10.7
Version in use: 4.10.7
NSS
Expected minimum version: 3.17.2 Basic ECC
Version in use: 3.17.2 Basic ECC
NSSSMIME
Expected minimum version: 3.17.2 Basic ECC
Version in use: 3.17.2 Basic ECC
NSSSSL
Expected minimum version: 3.17.2 Basic ECC
Version in use: 3.17.2 Basic ECC
NSSUTIL
Expected minimum version: 3.17.2
Version in use: 3.17.2
Experimental Features
</nowiki></pre>
Hopefully you can figure something out as I love Firefox but it's very frustrating that I can't use it and that this is happening. I also use Avast! Anti-security but I'm fairly certain that is having no effect on this problem. As I said I've also run malware and virus scanners but nothing came up harmful.
Hello,
Try disabling Avast's web shield and try going to a few safe sites where you experienced the "untrusted connection". You can also follow this article for other common troubleshooting steps: [["This Connection is Untrusted" error message appears - What to do]].
You can try these free programs to scan for malware, which work with your existing antivirus software:
* [http://www.malwarebytes.org/products/malwarebytes_free/ MalwareBytes' Anti-Malware]
* [http://general-changelog-team.fr/en/downloads/viewdownload/20-outils-de-xplode/2-adwcleaner AdwCleaner] (for more info, see this [http://www.bleepingcomputer.com/download/adwcleaner/ alternate AdwCleaner download page])
* [http://www.microsoft.com/security/scanner/default.aspx Microsoft Safety Scanner]
* [http://support.kaspersky.com/viruses/disinfection/5350 Anti-Rootkit Utility - TDSSKiller]
* [http://www.surfright.nl/en/hitmanpro/ Hitman Pro]
* [http://www.eset.com/us/online-scanner/ ESET Online Scanner]
If your home page has been changed, and you don't have any suspicious extensions:
* Tools (or [[Image: New Fx Menu]]) > Add-ons > Extensions
You can use the [https://addons.mozilla.org/en-US/firefox/addon/searchreset/ Search Reset Tool] to reset your home page, new tab page, and search bar back to default. The extension then uninstalls itself once these preferences are reset.
Let us know if that helps. -
Made a calendar. When I try to purchase, it puts together the calendar but then says that I need to verify my account information. But if I try to do anything, it just goes back and assembles the calendar again and then says that I need to verify my account information.
Go to the Apple store (store.apple.com) and re-enter (not just verify) all of your information.
Before ordering your book preview it using this method - http://support.apple.com/kb/HT1040 - and save the resulting PDF for reference - the delivered book will match it.
and if the preview is fine, order.
LN -
Certificate Exception - applet client to java server with SSL
Hi,
I'm having some trouble getting SSL working and hope someone can shed some light. I've been plowing through these forums for a couple of days - seems lots of folks have had this problem but I can't find a clear solution.
I've written a server in java. The client is an applet. This is an internet app so I have no control over configuring clients. I'm trying to prove SSL communication from the applet to my server. This is commercial software so the customer would put their own keys on the machine and resign the applet before deploying.
I've created a keystore with keytool. Then I self-signed it. Then I signed my applet jarfile. I've even tried exporting the certificate and importing using the java plug-in control panel (obviously not something I can do in the real world but just wanted to see if that was it). I start up my server and navigate to a web page to start the applet. For development purposes, I'm doing this all on one machine. I'm running jdk 1.4.1_02. We're requiring the Sun plug-in as our client java VM.
Once the client starts to connect, I get this error in the plug-in console:
java.security.cert.CertificateException: Couldn't find trusted certificate
On my server, I get:
Wed May 14 16:27:46 EDT 2003 [EXCEPTION]: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
at java.io.InputStreamReader.read(InputStreamReader.java:167)
at java.io.BufferedReader.fill(BufferedReader.java:136)
at java.io.BufferedReader.readLine(BufferedReader.java:299)
at java.io.BufferedReader.readLine(BufferedReader.java:362)
at com.pactolus.webBroker.psWebLegClientThread.run(psWebLegClientThread.java:130)
at java.lang.Thread.run(Thread.java:536)
The client code is pretty simple:
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// The default factory trusts only the CAs in the plug-in's cacerts file,
// so a certificate it cannot chain to one of those fails the handshake.
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
tcpSocket = (SSLSocket) factory.createSocket(addr, iPortNbr);
tcpSocket.setUseClientMode(true);
tcpSocket.startHandshake();
followed by a thread kick-off which will listen on the socket for incoming messages.
The server code is:
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

SSLContext sslCtxt = SSLContext.getInstance("SSL");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
KeyStore ks = KeyStore.getInstance("JKS");
char[] password = keyPassword.toCharArray();
ks.load(new FileInputStream(keyFile), password);   // keystore holding the server key and certificate
kmf.init(ks, password);
sslCtxt.init(kmf.getKeyManagers(), null, null);    // null trust managers: JRE defaults
SSLServerSocketFactory factory = sslCtxt.getServerSocketFactory();
secureTCPSocket = (SSLServerSocket) factory.createServerSocket(port);
secureTCPSocket.setNeedClientAuth(false);          // no client certificates required
followed by a thread kick-off which will listen for connections and spin off other threads to manage each client socket.
I'm pretty much at my wits' end. As I said, seems lots of folks have had this problem but I haven't yet seen a firm answer.
If anyone can shed some light on this so I can get my proof of concept going, I would really appreciate it - and buy you a couple of beers!
Thanks,
Scott Johnson
Problem resolved! It was the certificate. I can get it working in a test scenario by using the test certs file provided with the jdk on the client and server sides.
So, does this mean that I MUST use a certificate from one of the known authorities as delivered with the JDK? My applet will be used by internet clients. I'm requiring the sun plug-in. Is it true there is no way to get a certificate I've created to be presented to the client so it can choose to add it to its trusted authorities? I am required to use, say, a Verisign certificate?
I can get my sample working but only if I place a jssecacerts (a copy of the samplecacerts) where both the client and server can get at it. In the real world, I can't do that on the client.
Presumably the client will only have the cacerts that was delivered with the Sun plug-in. I'm restricted, then, to using a server key file signed with a certificate from one of the providers found in the cacerts file? Or, can I present to the client a certificate which it can choose to accept as trusted and place in its cacerts file? Any info would be appreciated - I've already committed those duke bucks!
Scott -
I cannot get past a box that says "cannot verify server identity"
Try just holding down the power button and restarting. I've no idea what you're talking about but if it's a file copy, move, etc., it shouldn't take 3-4 days.
Power down. Power up.
Clinton -
Is a truststore needed if the server certificate is signed by a CA?
I have a server SSL certificate that has been signed by a trusted certificate authority (CA). I'm using a java desktop application to consume web services at that server over ssl/https using Axis 2 (no client certificate authentication). Everything is working fine, but I see code examples using a truststore or keystore (by the way, what is the difference?) and I'm starting to wonder if I need to use this kind of mechanism. Some articles I have read imply that I don't need to use a keystore because the server's certificate is signed by a CA. I've read lately about some man-in-the-middle attacks that involve intercepting https traffic and impersonating the server. Will my solution be vulnerable to this kind of attack if I don't use a keystore? If I simply provide Axis with an https endpoint url of the web services, will my solution be secure? Any help would be appreciated. Thanks.
SSL provides you with privacy, integrity, and authentication. That is, the messages are encrypted, tamper-evident, and come from an authenticated identity. Whether that's the identity you want to talk to is another question. So the application has to perform the authorization step, i.e. check the identity against what is expected. You do this by getting the peer certificates out of the SSLSession, usually in a HandshakeCompletedListener, and check that the identity of the server is what you expect. SSL can't do this for you as only the application knows who it expects to talk to. Another way around this is to ship a custom truststore that only contains the server certificate for the correct server, so it won't trust anybody else.
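As an added example (not code from the answer above or from Scott Johnson's applet thread earlier on this page), the Java client below does both things the answer describes: it trusts only a truststore the application ships (assumed here to hold the server's own certificate or the customer's private CA, which is also what Scott needed instead of editing the plug-in's cacerts), and it performs the authorization step itself by comparing the authenticated peer certificate's SHA-256 fingerprint with the one it expects. The truststore file name and password, the host and port, and the fingerprint placeholder are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: a TLS client that (1) trusts only the anchors in its own
 * truststore and (2) checks, after the handshake, that the authenticated peer
 * is the server it intended to reach. File name, password, host, port and the
 * fingerprint placeholder are assumptions, not values from the thread.
 */
public class PinnedTlsClient {

    /** SSLContext whose trust anchors come only from the given JKS truststore, not from cacerts. */
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Lower-case hex SHA-256 over the DER encoding, the same value keytool -printcert shows. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * The authorization step from the answer: TLS proved the peer holds a key our
     * truststore vouches for; this proves it is the specific server we wanted.
     */
    static void checkExpectedPeer(SSLSession session, String expectedFingerprint) throws Exception {
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
        String seen = sha256Fingerprint(leaf);
        if (!seen.equalsIgnoreCase(expectedFingerprint.replace(":", ""))) {
            throw new SSLPeerUnverifiedException("unexpected server certificate "
                + leaf.getSubjectX500Principal() + " sha256=" + seen);
        }
    }

    public static void main(String[] args) throws Exception {
        String host = "service.example.com";        // assumption
        int port = 8443;                            // assumption
        String expected = "PLACEHOLDER_SHA256_FINGERPRINT_OF_SERVER_CERT"; // replace before use

        SSLContext ctx = contextFromTruststore("client-truststore.jks", "changeit".toCharArray());
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Let JSSE match the certificate's subjectAltName/CN against the host name we dialled.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();                          // fails here if the chain is untrusted
            checkExpectedPeer(socket.getSession(), expected); // fails here if it is the wrong server
            System.out.println("connected to " + host + " using " + socket.getSession().getProtocol());
        }
    }
}
```

The truststore is built once from the exported server (or private CA) certificate with `keytool -importcert -alias server -file server.cer -keystore client-truststore.jks`; an applet can load it from a resource inside its signed jar instead of a file path. The same `checkExpectedPeer` call can be made from a `HandshakeCompletedListener`, as the answer suggests, but calling it directly after `startHandshake()` keeps the failure on the caller's thread. Because the context never consults the JRE's cacerts, this also covers the man-in-the-middle concern in the question: a certificate from any other CA, however well-known, is rejected.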
-
HT5012 Why can't I log onto the iBook store? message reads cannot verify server identity
I no longer can log into the iBook store when I previously could - also I continue to get notices that read "cannot verify server"
Hello Jkmcdonald530,
This may be due to an inability to properly communicate with the iTunes Store. The following article provides troubleshooting steps that can help re-establish communication between the store and your iPad.
Can't connect to the iTunes Store
http://support.apple.com/kb/TS1368
Cheers,
Allen -
How do I remove "cannot verify server" message?
I have a message that says "cannot verify server" with options to cancel, details, or continue. I hit any of these and nothing happens. I cannot power down the ipad.
Right-click on the Identity Plate, and change the selected Identity Plate from "Lightroom Mobile" to "Lightroom".
-
We upgraded Lync Server 2010 to Lync 2013.
Users are able to login on desktop clients but unable to connect on mobile client. We get following error message:
Can't verify the certificate from the server.
Please contact your support team.
Please check the Root CA is installed on your mobile device.
Can you sign in externally?
Please check you have updated the DNS records for Lync mobile autodiscover service.
Lisa Zheng
TechNet Community Support -
Can a server trust *client* code without a certificate
Here's a sticky security question
I want my server to trust that a client has performed the operation it says it has on some data held by the client (the client performs the operation to reduce server load). The server can supply code to perform the operation to the client, via a serialized object or RMI.
However, I don't want every client to have to register with the server (eg if each client had its own certificate this would be necessary)
Presumably something must happen as the client performs the operation to show that the correct (server generated) code was used.
If the object which knows how to perform the operation is sent using RMI with a public sign method and the server lends its own private key for the signing, in a private field of this object, can a malicious client discern the private key of the server simply by deserializing the object? Encryption of the serialized object doesn't seem to help as a normal client needs to decrypt, so the malicious one can too.
What about if a private/public key pair is generated at the server and given to the client for signing? again the malicious client could sign using the key then perform a completely different operation.
What should actually be signed at the client end - the object sent which performs the operation ? the server needs to know that this signature proves that the code it sent was used.
would be interested in any ideas (this is for a university project)
thanks to all
John
Thanks for this.
a policy would be fine for a server only to allow certain clients to connect - but what I want to ensure is that once connected, a client really does use the code generated by the server - in effect I want to have untrusted clients (eg anyone) to be able to connect, but I need to trust that they perform a certain operation.
I think that with RMI I can ensure that a certain method is called if the client has a true (verified...how?) java virtual machine installed, and not a malicious one... but I am coming to the conclusion that to ensure that the right code is used, I will have to give each client its own public/private key and let the server hold a register of trusted clients (which reduces the elegance of the system)
Jon -
Lync 2010 Certificate Issue - "There was a problem verifying your certificate from the server"
Greetings.
My Issue:
Lync 2010 client does not connect to server; error displayed: "Cannot sign into Lync. There was a problem verifying the certificate from the server."
Description:
The client is running on my Windows 7 box, and my CA server is a Windows Server 2003 box. I have installed the hotfix on the Server 2003 box to update the Web Enrollment portion of CA to allow for newer clients (Vista and 7) to receive certificates from this server.
Lync server is running on Server 2008 R2 STD, installation was a success.
The Windows 7 box is a part of the domain.
I have manually exported the Root CA from my Enterprise CA server from Trusted Root Certification Authorities -> Certificates and imported into the same location on my Windows 7 box.
If I look at the certification path on the Root CA, on my Windows 7 box, it says "The certificate is OK." The same goes for the servers involved.
Still nothing.
I have read the other forum posts on here about people having success once they manually import the Root CA from the Enterprise CA server, but this is not my case here.
All certificates are successfully assigned on the Lync server box; however, I did have to manually import the Root CA into Lync server's Trusted Root Certification Authorities -> Certificates before I could successfully assign them. Had to do this on another deployment I completed, so I didn't think anything of it.
To recap: it seems that even with my Root CA imported into my Windows 7 box I can still not connect to my Lync server with the client, and I get the error message "There was a problem verifying the certificate from the server."
Solved
Solution: Export the certificate from the Lync Server: Start > Administrative Tools > IIS > Server Certificate > Export > abc.pfx, save it, then copy and place the certificate where the MS Lync 2010 client is installed or getting the certificate error. Follow these steps on the client machine to install the certificate:
Run > mmc > add or remove snap in > certificates > computer account > local computer > finish > ok > expand Certificate > Trusted Root Certification Authorities > Certificate > All task > Import > copy abc.pfx certificate, and delete unnecessary certificates from there.
Restart the client machine, open the Microsoft Lync 2010 client and open option menu > Personal > Advanced > choose Auto Configuration > save ok -
Need for NPS server certificate with PEAP-MS-CHAPv2
Hi,
I have a question about a small setup I'm currently testing. In a Wireless access with 802.1X authentication based on PEAP/MS-CHAPv2, and a NPS server (MS server 2012R2), I've noted reading technet documentation that the NPS server or other RADIUS server do have a certificate (issued by a 3rd party CA or by an AD CS environment).
However, it remains for me a point I would like to clarify (sorry I surely have a bad understanding of documentation). If my client is configured for not "validate server certificate", do I still need to have a certificate on the NPS server ?
Well, I know it is not secured, but this will permit me to test without configuring an AD CS, and without buying a certificate.
Many thanks in advance for your answer.
Regards,
Fabrice
You also need a server certificate in this case as the protection in Protected EAP is due to the encryption of the TLS session.
Not validating the server certificate just means that no additional check of the name is done, so the client would be able to connect to any RADIUS server - given that its certificate chain is valid. But the certificate chain as such is checked as in every SSL handshake.
You don't need a certificate issued by a commercial CA though - you could use an inhouse PKI. For tests you could use a self-signed certificate as well.
Edit: If you want to test self-signed certificates the easiest way is probably to install the web server role and use its built-in option to create a self-signed certificate.
Elke -
DSEE Server certificate required on client side?
I have DSEE 6.3 working in my environment but I am not sure it's configured as it should be....
I am using tls:simple and everything works, the certificate store is setup with
the CA and LDAP server certificates on both the LDAP servers and clients.
Questions:
- I was expecting the LDAP client to only require the CA certificate however that didn't work!?
- Shouldn't the server present the server certificate and the client would accept it by validating against the CA certificate? Why would it need to have the server certificate as well?
- If I deploy the LDAP server certificates to the clients will they all need to be replaced/updated when the server certificate expires?
Additional info:
My DSEE server is configured to NOT accept certificate based client authentication.
All my certificates are valid when I check them with certutil -V
Edited by: smorris@ on Jan 5, 2009 8:58 PM
Hi,
I ended up getting a certificate signed by my internal CA and it worked just as expected.
I can only assume my CA certificate wasn't actually a CA...
Checking the output of the commands you suggested clearly shows this - I must have been blind when I ran this last time (or looking at a different cert).
I guess my question should now be - why was the certificate I created not a valid CA?
Create CA:
CA.sh -newca
Create certdb:
/usr/sfw/bin/certutil -A -n test-ca -t TC,, -d . -i testca.pem
Certutil output on this CA:
/usr/sfw/bin/certutil -d . -L
test-ca CT,,
/usr/sfw/bin/certutil -V -e -l -u V -d . -n test-ca
test-ca : Issuer certificate is invalid.
/usr/sfw/bin/certutil -d . -L -n test-ca
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "<snip>"
Validity:
Not Before: Mon Dec 08 01:57:47 2008
Not After : Tue Dec 06 01:57:47 2016
Subject: "<snip>"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
<snip>
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Comment
Comment: "OpenSSL Generated Certificate"
Name: Certificate Subject Key ID
Data:
<snip>
Name: Certificate Authority Key Identifier
Key ID:
<snip>
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
<snip>
Fingerprint (MD5):
<snip>
Fingerprint (SHA1):
<snip>
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
Trusted Client CA
Email Flags:
Object Signing Flags:
Edited by: smorris@ fixed format
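As an added example (not from smorris's thread or the DSEE product), the Java program below loads a certificate file and reports the three properties a root trust anchor needs: it is self-signed, it carries BasicConstraints with CA:TRUE, and its KeyUsage (if present) permits keyCertSign. The file name `testca.pem` is the one used in the thread; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example: check whether a certificate can serve as a CA / trust anchor.
 * The checks mirror what certutil -V reports, but in plain JSSE/JCA calls.
 */
public class CaCheck {

    /** Reads one PEM or DER encoded X.509 certificate from a file. */
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** True when BasicConstraints is present with cA=TRUE. */
    static boolean isCa(X509Certificate cert) {
        // getBasicConstraints() returns -1 when the extension is absent or cA is FALSE,
        // which is the case certutil prints as "Is not a CA". For a CA it returns the
        // path length constraint, or Integer.MAX_VALUE when there is none.
        return cert.getBasicConstraints() != -1;
    }

    /** True when KeyUsage is absent (no restriction) or includes keyCertSign (bit 5). */
    static boolean mayCertSign(X509Certificate cert) {
        boolean[] keyUsage = cert.getKeyUsage();
        return keyUsage == null || (keyUsage.length > 5 && keyUsage[5]);
    }

    /** True when issuer equals subject and the signature verifies under the cert's own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "testca.pem";
        X509Certificate cert = load(path);
        cert.checkValidity();   // throws if the certificate is expired or not yet valid

        System.out.println("subject:      " + cert.getSubjectX500Principal());
        System.out.println("self-signed:  " + isSelfSigned(cert));
        System.out.println("CA:TRUE:      " + isCa(cert) + " (basic constraints value "
            + cert.getBasicConstraints() + ")");
        System.out.println("keyCertSign:  " + mayCertSign(cert));

        boolean usable = isSelfSigned(cert) && isCa(cert) && mayCertSign(cert);
        System.out.println("usable as a root trust anchor: " + usable);
    }
}
```

Run against the certificate from the thread, `isCa` would return false, matching certutil's "Data: Is not a CA" line. In a stock OpenSSL configuration the `v3_ca` extension section sets `basicConstraints = CA:TRUE`, while the `usr_cert` section used for end-entity certificates sets `basicConstraints = CA:FALSE` and adds the `nsComment = "OpenSSL Generated Certificate"` comment that also appears in the dump, so the certutil output indicates the certificate was issued with end-entity extensions. Every NSS client will then refuse to build a chain through it, whatever trust flags it is given, which is why the clients only worked once the server certificate itself was in their database.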