Reinstall Thawte Certificates

I am having problems with SSL certificates that cannot be validated because Thawte certificates were not valid. During attempts to fix this I have deleted some Thawte certs with the expectation of being able to re-install.
How do I reinstall all of the Thawte Certificates to the latest version?
I have already carried out a reinstall of the App, and a Refresh.
Mac Firefox v37.0.2 on Intel iMac
Thanks

Thank you jscher2000
It was affecting several web sites that I visit on a regular basis. I used an SSL checker and the sites were correctly configured.
I then discovered that Thawte Server CA was crossed out in the Keychain Access app, so I deleted and reinstalled with the data-file I downloaded from Thawte’s site as part of the root package.
Then restarted and things appear to be working okay now.
Can someone please confirm the standard Thawte certs settings? I notice it has changed from what I had before and now I only see three for Thawte listed under Authorities: Primary Root CA; CA G2; CA G3, with the following serial numbers:
34:4E:D5:57:20:D5:ED:EC:49:F4:2F:CE:37:DB:2B:6D
35:FC:26:5C:D9:84:4F:C9:3D:26:3D:57:9B:AE:D7:56
60:01:97:B7:46:A7:EA:B4:B4:9A:D6:4B:2F:F7:90:FB
Is this okay? Do I need to install anything else to fix this for sure?

Similar Messages

  • Can't get Mail to recognize Thawte certificate for signing and encrypting

    I got a certificate from Thawte and double clicked on the p12 file. This installed the certificate in the login section of the Keychain. I read in several places that it must be in the X509Anchors chain in order to work. However, whenever I try to import it or copy it there I can't get past the authentication screen. I give it the password to decrypt the p12 file and that works, but then it asks for a password for the X509Anchors keychain. I'm giving it my login password, but that doesn't work. What am I doing wrong?

    You shouldn't have to do anything with the X509Anchors keychain. The X509Anchors keychain contains certificate authority (CA) certificates, i.e., certificates associated with CAs that sign certificates. In it you'll find various CA certificates for Thawte among others.
    After you've successfully imported your thawte cert into your login chain, restart mail (I don't think you need to restart keychain access, but it wouldn't hurt).
    Now when you compose a message, you should see encrypt and sign buttons to the right and below the subject line. This of course assumes the email address configured in mail is the same as the one in the thawte certificate.

  • Expired Thawte Certificate killed our app

    Today we got several calls from customers saying that they cannot install our application. Adobe Air would install just fine but when Air went to install the app.air file an error popped up saying “Sorry, an error has occurred. The application could not be installed because the AIR file is damaged. Try obtaining a new AIR file from the application author.” I tested the install on several computers here and they all gave the same error. All this happened the day after the Code Signing Certificate expired, so I rolled the clock back on the computer to May 18, 2010 and the application installed just fine. So we figure it must be a problem with the certificate expiring so we call the company that issued the certificate to us, Thawte. They explained to us that the program should keep installing just fine if a timestamp was applied at the time of the signing. Thawte said that you cannot timestamp with Adobe AIR and so when the certificate expired so did the ability to install the application, that’s why turning back the clock worked. Thawte said that there is a slight chance that the new certificate we purchased from them will fix all the disks we have already sent out but I doubt it. So is there a way to fix this so all the applications we already sent out will work or will we have to redistribute with the new certificate in place? Thanks.

    Hi Oliver,
    1. When we published it from Flex Builder 3 via export release build, I selected the timestamp option on the Digital Signature page
    2. I believe I was looking in the wrong place (Console Messages). I went to all messages, and have attached a screenshot of that output.
    3. Using version 1.5.2 of the SDK to publish
    4. You can download the application here.
    Thanks for your assistance,
    Rob

  • After reinstall, SSL certificates not accepted.

    Hello there!
    I've reinstalled my Macbook Air (Mid 2012, OS X Mountain Lion 10.8.2) due to a problem when I lost my password.
    When I launched an app like Safari, Mail or Chrome, I've experienced the same problem. Pages using the SSL encryption were unsupported, not working. It shows the problem with the certificate which is not acceptable, old.
    Please, help me out there.
    In the meantime, I will be using Firefox, which works just fine (strange!).
    Thank you all very much!
    A.

    This is looking like it's headed for a common problem people have been having with the GoDaddy certs - mind shooting me a PM with the url that you're using to sync with?  Got a bad feeling the cert compatibility problems are real - especially if Win Mobile devices are unaffected.
    Here's a similar problem:  http://forums.palm.com/palm/board/message?board.id=activesync&thread.id=2600
    And another with some explanation: http://forums.palm.com/palm/board/message?board.id=activesync&thread.id=4693&view=by_date_ascending&...
    Message Edited by Imaginos on 02-13-2009 05:11 PM

  • Thawte certificate signing error for jar file

    We are running im version 7.2-28 (patch 118786-28). When connecting to im via the web (which we are serving from webserver version 7) users are prompted by certificate error for the im java application -- not to be confused with the web server certificate.
    This seems like one of those things I miss in the release notes, find later and feel stupid, but I've not found it yet.
    The certificate details are:
    L=Palo Alto,
    ST=California,
    C=US,
    OU=Secure Application Development,
    O=Sun Microsystems Inc.,
    CN=Sun Microsystems Inc.
    MD5:0D:62:CF:DA:1F:0F:00:E3:02:2F:B6:3A:A8:36:4B:DC
    With validity:
    [From: Wed Jan 05 15:02:33 GMT 2005,
    To: Mon Jan 15 18:21:35 GMT 2007]
    It is signed by Thawte, but the CA certificates look fine.
    Any advice on what I'm missing would be appreciated.
    Thanks,
    Ethan

    Hi,
    You are facing this issue coz the certificate used to sign im-client jars is expired. This is a known issue and will be fixed in the upcoming release.
    Regards,
    Swetha

  • Renewed Thawte Certificate not shown in Address Book

    My old Thawte personal mail certificates expired, and I requested new ones. The ones requested via Safari failed to load in 'My certificates' section of keychain. This is a known bug. I revoked the certificates and re-requested using Firefox.
    From Firefox I 'Fetched' and backed up 'my certificates' to a xxx.p12 file in Documents. Then from Keychain I 'Imported' the xxx.p12 file into the login keychain.
    Mail now works and generates signed e-mails, but when I click on the signed icon against each of my e-mail addresses in the Address Book it shows the old expired certificates.
    I am loath to delete the expired certificates as it will prevent me from reading my archived mail.
    It is only cosmetic, but can anyone suggest a solution?
    PB 15 1.5 Ghz   Mac OS X (10.4.8)  

    Within the Keychain app I created an Expired.keychain and dragged the expired 'My Certificates' to it. Answered a few enter password prompts and dragged the certificates back to the login.keychain. It complained of some duplicates, which remained in the Expired.keychain. I then deleted the Expired.keychain.
    Problem solved

  • Mail 2.1 and Thawte certificates

    I 'joined' Thawte, created a certificate for the address '[email protected]'.
    The fetch process from Thawte using FireFox put the certificate in KeyChain Access's 'Certificates' so I followed this procedure to make a 'backup' in KeyChain Access's my certificates. And there it is - green checkmark, valid and just where it should be; it has the name of the email address with which I registered and requested at Thawte.
    But when I open a New message in Mail from that same account, '[email protected]', documents like this one tell me to expect signature icons at the right hand side under the subject box.
    Nothing. Restarted. Relaunched. Mail isn't recognising what seems to be a valid certificate in 'My Certificates' in KeyChain Access.
    Anyone any ideas? TIA!
    G5 DP 2 GHz   Mac OS X (10.4.8)   No Haxies; permissions frequently repaired etc

    abandoned

  • Mail and Thawte certificates

    I've been trying to use a thawte email certificate with Mail and Mail does not recognize it.
    Actually, I think part of the problem is that keychain access puts the certificate in "Certificates" and won't let me put it in "My Certificates" - can anyone explain why this is happening?
    I've gotten this to work with public/private key pairs in the past, and there are posts all over this discussion board from people with the same problem - has anyone figured this out?

    Hi Michael-
    I was having the exact same prob. Turns out that Safari or the Keychain Util. didn't actually install everything it was supposed to. I found some good directions on O'Reilly's MacDevCenter site which fixed everything: http://www.macdevcenter.com/pub/a/mac/2003/01/20/mail.html.
    I had originally gotten a Thawte Personal Freemail certificate using Firefox. So, following their directions, I went to Firefox prefs./security and backed up the Thawte cert. to a file on my desktop. Next, they said to open the Apple keychain util. and CREATE A NEW KEYCHAIN. Not a new certificate, but a new keychain. Call it whatever. Then, double-click on the backed-up certificate file and install to your new keychain. Voila. You should see three certificates and one private key (when I initially downloaded the certificate using Safari it only installed two certificates, and in the "login" keychain--which I'll now zap).
    Good luck!
    - TRT

  • Unable to reinstall SSL Certificate

    Hi, I am getting the following message when I am trying to set up another virtual server with the same SSL certificate that I have installed on the currently running virtual server.
    No private key
    The server could not find the private key associated with the certificate
    How do I add private key without requesting for a new SSL certificate?
    kishore

    You shouldn't see this error message when creating a new virtual server. Are you sure you aren't creating a new server instance? Server instances are different from virtual servers.
    If you are creating a new server instance, consider creating a new virtual server instead; virtual servers consume fewer system resources than server instances. Further, it's simpler to share certificates between virtual servers than it is to share certificates between server instances. The server instance and virtual server concepts are explained in the Administrator's Guide.
    If you've decided you do need a new server instance, you can manually copy an existing server instance's trust database over to the new server instance. The existing trust database consists of 2 files named <server_id>-<hostname>-cert?.db and <server_id>-<hostname>-key?.db, where <server_id> is the server ID of the instance and <hostname> is the hostname of the machine. These files are stored in the alias subdirectory. To copy the trust database to a new instance, simply create a copy of these two files, changing <server_id> to the server ID of the new instance.

  • Importing your new verisign/thawte certificate

    When you get your certificate from one of these companies, when using the keytool -import option, must you choose the 'trustcacerts' option? When I have been importing the certificate I get the error it's not trusted......

    Question about the certificate you are importing... Did you generate a key, export a request, submit it to Verisign and are now importing the response? Or are you trying to import another type of Certificate from Verisign like an HTTPS SSL Cert for a web site?
    When you import a certificate (not a signing response) from verisign in general it should look like:
    Owner: C=.....
    Issuer: CN=Verisign....
    Serial number: 3294872342984...
    Valid from: Tue Sep 25 20:00:00 EDT 2001 until: Thu Sep 26 19:59:59 EDT 2002
    Certificate fingerprints:
    MD5: D4:3D....
    SHA1: D3:4E:F1....
    Trust this certificate? [no]:
    When you import an un-verified cert it should look like:
    Owner: CN=x, OU=x, O=x, L=x, ST=x, C=x
    Issuer: CN=x, OU=x, O=x, L=x, ST=x, C=x
    Serial number: 3bd99f85
    Valid from: Fri Oct 26 13:38:13 EDT 2001 until: Thu Jan 24 12:38:13 EST 2002
    Certificate fingerprints:
    MD5: A8:D4:94:A3:23:2C:D5:CA:9D:AA:F0:66:50:43:EB:33
    SHA1: D2:E0:DA:4D:DA:8F:EC:1B:CA:B3:5C:C0:B0:F4:F2:DC:44:3A:0F:A1
    Trust this certificate? [no]:
    When you import a response it will look like this:
    Top-level certificate in reply:
    Owner: CN=VeriSign Class 3 CA - Commercial Content/Software Publisher, OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
    Issuer: OU=Class 3 Public Primary Certification uthority, O="VeriSign, Inc.", C=US
    Serial number: 3492xxxx
    Valid from: Wed Dec 30 19:00:00 EST 1998 until: Wed Dec 31 18:59:59 EST 2008
    Certificate fingerprints:
    MD5: D7:B0:C6:xxxxx
    SHA1: FE:A4:A8:8A:xxxxxxx
    ... is not trusted. Install reply anyway? [no]:
    Does this help?

  • Thawte Web Server Certificate obtained... now what?

    Hi All,
    We just renewed our Thawte Certificate. The instructions on their site are to copy the information into a text file then follow the server's instructions for using the certificate.
    I have found in the Server Admin for that site a location for the Certificate File and one for the CA file. Which one do I have, and is it as easy to just replace those files?
    TIA - Vijay

    First of all, it doesn't need to be called cert.crt -- you can call it whatever you want. Whatever you name it though is how you'll have to refer to it in your site config.
    To get it into that directory, open a Terminal window. I'm pretending that the certificate is on your desktop and named "cert.crt". I'm also assuming you're logged in as an administrative user.
    Macintosh:~ vijay$: cd Desktop
    Macintosh:~/Desktop vijay$: sudo cp cert.crt /etc/httpd/ssl.crt/
    (enter your password when prompted)
    That's all you need to do to get a copy of your certificate put there.
    However, you'll still have to edit your site's configuration to turn on SSL and store the location of all the related files. I would try doing all this through Server Admin -- it makes the process pretty straightforward. However, if it's not enough, you can dig up some tutorials on getting SSL going on your site. Apple has this one, it's from a while ago, and you'd want to skip some of the info (since it walks you through creating your own, self-signed certificates, but you have one from Thawte).
    Xserve Dual 2.3 GHz / PowerMac Dual 2 GHz   Mac OS X (10.4.3)  

  • Checklist for Exchange Certificate issues

    Checklist for Exchange Certificate issues
    1. Why certificate is important for Exchange and What are Certificates used for
    Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
    Certificates are used for several things on Exchange Server. Most customers also use certificates on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
    IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
    POP/IMAP
    SMTP
    2. Common symptoms for certificate issue
    Here we can see three different types of the certificate warning, mainly from the Outlook side.
    a. Certificate mismatch issue
    b. Certificate trust issue
    c. Certificate expiration issue
    3. Checklists
    In this section, checklists will be provided according to the three different scenarios:
    Certificate Mismatch Issue
    [Analysis]:
    This issue mainly occurs because the URL of the web services Outlook tries to connect to does not match the host name in the certificate.
    [Checklist]:
    Firstly, make sure how many host names are in your certificate. Run “Get-ExchangeCertificate | select CertificateDomains”.
    Secondly, check the web services URLs which Outlook is trying to connect to. Run “Test Email AutoConfiguration”.
    In this scenario, you need to check the host name for the following services:
    Autodiscover
    EWS
    OAB
    ECP
    UM
    If any of the URLs above does not match the one in the certificate, refer to the following article to change it via EMS:
    http://support.microsoft.com/kb/940726
    1. Do not forget to restart the IIS service after applying the changes above.
    2. Make sure a valid certificate is enabled on the IIS service.
    Certificate Trust Issue
    [Analysis]:
    Self-signed and PKI-based (Enterprise) certificates are not automatically trusted by the client computer or mobile device; you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, third-party or commercial certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates greatly simplifies deployment.
    [Checklist]:
    If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder.
    If it is a 3rd-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
    Certificate Expiration Issue
    [Checklist]:
    When a certificate is about to expire, we just need to renew it by referring to the following article:
    Renew an Exchange Certificate
    http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
    To avoid any conflicts, it’s recommended to remove the expired certificate from the certificate store.
    [How to set a reminder to alert the administrator when a certificate is about to expire]:
    It’s easy to fix the certificate expiration issue. But it is more important to set a reminder before the certificate expiration. Otherwise there can be a large user impact.
    Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
    If it’s not quite visible, we can refer to the following solution:
    http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
    OWA certificate revoked issue
    [Analysis]:
    IE includes support for server certificate revocation which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
    [Solution or workaround]:
    1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
    2. If not, check whether the certificate has a private key.
    3. Remove the old certificate and import the new one.
    Workaround:
    IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation" checkbox.
    4. More References
    Digital Certificates and SSL
    http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
    More on Exchange 2007 and certificates - with real world scenario
    http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx
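
The mismatch and expiration checks from the checklist above, as an added Python example that is not part of the original post (it does not cover the trust check). The certificate dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names, service URLs, dates and the 30-day warning window are constructed assumptions.

```python
"""Offline sketch of the checklist's mismatch and expiration checks."""
import ssl
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "autodiscover.example.com"),
        ("DNS", "*.apps.example.com"),
    ),
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}

# Constructed URLs, one per service the checklist says to compare.
SAMPLE_URLS = {
    "Autodiscover": "https://autodiscover.example.com/Autodiscover/Autodiscover.xml",
    "EWS": "https://mail.example.com/EWS/Exchange.asmx",
    "OAB": "https://mail.example.com/OAB",
    "ECP": "https://owa.apps.example.com/ecp",
    "UM": "https://exch01.corp.local/EWS/UM2007Legacy.asmx",
}


def cert_dns_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing for exactly one label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def mismatched_services(cert, service_urls):
    """Return {service: host} for each URL whose host the cert does not cover."""
    names = cert_dns_names(cert)
    bad = {}
    for service, url in service_urls.items():
        host = urlsplit(url).hostname or ""
        if not any(name_matches(n, host) for n in names):
            bad[service] = host
    return bad


def expiry_status(cert, now, warn_days=30):
    """Classify notAfter against `now` (aware UTC): expired / expiring / ok."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining = not_after - now
    if remaining < timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def check(cert, service_urls, now):
    """Combine both checks into one report dict."""
    return {
        "mismatch": mismatched_services(cert, service_urls),
        "expiry": expiry_status(cert, now),
    }


if __name__ == "__main__":
    # Constructed 'current time' so the output is reproducible.
    fixed_now = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)
    print(check(SAMPLE_CERT, SAMPLE_URLS, fixed_now))
```
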

    (Reported previous post with link to SIS package to moderator)
    This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
    Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
    But there is no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
    At this point, try 2.7.0 which is out now:
    http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
    Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
    I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this by using Wifi (if possible).
    Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

  • Trying to set up encrypted mails but I'm confused about certificates and keys

    Hello all,
    My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:
    He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.
    I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?
    As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.
    Thanks in advance.
    Stuart.

    Stuart8, good find, that article.
    I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.
    Once you have your key, it's a bit of a pfaff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.
    Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.
    Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.
    I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.
    Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )
    In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(

  • Mail not recognizing new certificate, recognizing old expired certificate.

    Recently the Thawte certificate for the SSL mail server at work expired and Mail could no longer connect to our mail server. No one else in the office uses a Mac and no one else seemed to be affected. IT claimed all their certs were up to date. I contacted the fine folks at Thawte and they hooked me up with the new cert. I've added that to my X509Anchors keychain, along with the root cert from Thawte to be sure, and Mail is not recognizing it. In fact, the old expired cert is in my login keychain, so I delete it, but every time Mail attempts to connect to the mail server, the old expired cert reappears in my login keychain and it gives me the same "expired cert" error message. Temporary workaround has been to change my system date/time so it is within the valid dates of the old expired cert, but that renders my calendar useless, and other problems. What is going on? Any ideas? How can I get Mail to use the new valid cert?

    Anna,
    I am having the same issue. I am on a new laptop without my cert, so I downloaded it again from thawte but it only installs the public key, not the private key.

  • .mac encryption not compatible with popular AIM certificates

    I recently switched on encryption in iChat AV 3. I was happy to test it out with my family, who use .mac screen names in iChat. I was bummed, however, to go to work and use my AIM account to IM back to my home computer.
    My AIM account at work uses a Thawte certificate. No worky. I also tried an aimencrypt certificate. Also no worky. Is there a way to encrypt an AIM account and have encrypted IM sessions with encrypted .mac accounts?
    If the answer is no, .mac encryption is mostly worthless. Not a great user experience to get excited about it and switch it on unknowingly. In fact, it's a poor one.
    Thoughts?
    Scott

    Thanks, Ralph.
    The problem with limiting encrypted communication to only paid .mac subscribers is that it significantly devalues the application. As encryption becomes more prevalent, fewer users will use iChat. In my opinion, that's not a good thing.
    Similarly, the Groups section of .mac suffers virtually the same requirement. Unless the .mac subscriber base were to increase significantly from where it is now, both applications are not useful.
    Cheers!
    Scott
    Gigabit Ethernet Power Mac G4 Mac OS X (10.4.1) Airport Extreme, TiVo Desktop, 4 HDDs, 1 GB RAM, DVD-A04, Zip 100, RAID 0, Dual displays
