Renewal of signed certificate on OS X server 10.4.11

I have been running the web service on OS X Server (now 10.4.11 on PMG4) for a year. At that time, we migrated our web site from Webster 4.5 on OS 9 to OS X Server and we needed to create a new CSR for Verisign, which we have been using for years.
I worked in Server Admin and it was not so difficult, as I remember, and now we need to renew the certificate for another year.
Apple Japan pointed me to the following article, and the CSR file "certrequest.pem" seemed to be created successfully. But when I pasted the request on Verisign's site, it said "CSR file has some problem so re-create the file" -- the web site shows the information picked up from the CSR, such as common name and name of organization, and there I found that City is blank.
While the command
`certtool r certrequest.pem k=CertRequest.keychain c`
is executing, it never asks me to input the City.
I guess every CA asks for Country, State and City on the CSR...
Has anyone experienced the same issue?
http://docs.info.apple.com/article.html?artnum=304808-en

Hi jacossd,
Try installing mailbfr from www.topicdesk.com
For information on how to use the utility, type "sudo mailbfr -h" into Terminal.
Hope that helps.
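
The check the question above calls for, as an added example that is not part of the original thread: a standard-library Python reader that lists which expected subject fields a PEM CSR lacks before it is pasted into a CA's form. The `EXPECTED` list, the function names and the sample request (built with an empty placeholder key and signature, so it shows structure only) are assumptions for illustration.

```python
import base64

# Subject attributes a CA typically expects, keyed by DER-encoded OID (assumed list).
EXPECTED = {bytes.fromhex(h): label for h, label in [
    ("550406", "C (country)"), ("550408", "ST (state)"), ("550407", "L (city)"),
    ("55040a", "O (organization)"), ("550403", "CN (common name)")]}

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    pos, items = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def csr_subject(pem_text):
    """Return {oid_bytes: text} for the subject of a PEM-encoded PKCS#10 CSR."""
    body = [l for l in pem_text.strip().splitlines() if not l.startswith("-----")]
    der = base64.b64decode("".join(body))
    _, request, _ = read_tlv(der, 0)   # CertificationRequest
    _, info = children(request)[0]     # CertificationRequestInfo
    _, name = children(info)[1]        # element 0 is version, element 1 is subject
    subject = {}
    for _, rdn in children(name):      # each RDN is a SET ...
        for _, pair in children(rdn):  # ... of AttributeTypeAndValue SEQUENCEs
            (_, oid), (_, val) = children(pair)[:2]
            subject[oid] = val.decode("utf-8", "replace")
    return subject

def missing_fields(pem_text):
    """List the expected subject attributes that are absent or empty."""
    subject = csr_subject(pem_text)
    return [label for oid, label in EXPECTED.items() if not subject.get(oid, "").strip()]

def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def sample_csr(attrs):
    """Constructed sample built with tlv(): real subject encoding, empty key and signature."""
    rdns = [tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid)) + tlv(0x0C, text.encode())))
            for oid, text in attrs]
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"".join(rdns)) + tlv(0x30, b"") + tlv(0xA0, b""))
    b64 = base64.b64encode(tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}\n-----END CERTIFICATE REQUEST-----\n"

# Constructed sample mirroring the thread: every expected field except the city.
NO_CITY_CSR = sample_csr([("550406", "JP"), ("550408", "Tokyo"),
                          ("55040a", "Example Org"), ("550403", "www.example.test")])
```

For a real request, pass the text of the CSR file, for example `missing_fields(open("certrequest.pem").read())`; an empty list means all expected fields are present.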

Similar Messages

  • Generating Self Signed Certificate for iPlanet Directory Server for testing

    Hi Experts,
    I am unable to find how to generate a self-signed certificate for iPlanet Directory Server for testing purposes. What I mean is that I want to connect to the iPlanet LDAP Server with LDAPS:// rather than LDAP:// for secured LDAP authentication. For this purpose, how do I create a dummy certificate to enable SSL on iPlanet Directory Server? I searched on Google but found no help. Please provide me with a solution for how to test it.
    Thanks in Advance,
    Kalyan

    Here's one I did earlier.
    Refers to Solaris 10
    SSL Security
    add a new certificate that lasts for ten years (120 months).
    stop the instance:
    dsadm stop <instance>
    Remove DS from smf control:
    dsadm disable-service <instance>
    Change Certificate Database Password:
    dsadm set-flags <instance> cert-pwd-prompt=on
         Choose the new certificate database password:
         Confirm the new certificate database password:
    Certificate database password successfully updated.
    Restart the instance from the dscc:
    DSCC -> start <instance>
    Now add a new Certificate which lasts for ten years (120 months; -v 120):
    `cd <instance_path>`
    `certutil -S -d . -P slapd- -s "CN=<FQDN_server_name>" -n testcert -v 120 -t T,, -x`
         Enter Password or Pin for "NSS Certificate DB":
    Stop the Instance.
    On the DSCC Security -> Certificates tab:
         select option to "Do not Prompt for Password"
    Restart the instance.
    On the Security -> General tab, select the new certificate to use for ssl encryption
    Restart the instance
    Stop the instance
    Put DS back into smf control:
    dsadm enable-service <instance>
    Check the smf:
    svcs -a | grep ds
    # svcs -a|grep ds
    disabled Aug_16 svc:/application/sun/ds:default
    online Aug_16 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dscc6-dcc-ads
    online 17:04:28 svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1

  • Renew code signing certificate mountain lion server

    Hello to all
    Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re enroll all devices?
    We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...
    So it's really critical not to re enroll all devices .
    Is there any way to do this?
    Thank you for your help.

    When I put this in I am just getting the following response
    Usage: certadmin
        --get-private-key-passphrase [path]    
          Retrieve the passphrase for the private key at [path] from the keychain
        --default-certificate-path
          Retrieve the full path for the default certificate
        --default-certificate-authority-chain-path
          Retrieve the full path for the default certificate authority chain
        --default-private-key-path
          Retrieve the full path for the default private key
        --default-concatenation-path
          Retrieve the full path for the default certificate + private key concatenation
        --create-default-self-signed-identity
          Creates a default self signed identity (certificate + private key) using the hostname
        --recreate-self-signed-certificate subject serial_number
          Recreate an existing self signed certificate
        --recreate-CA-signed-certificate subject issuer serial_number
          Recreate an existing certificate signed by an OpenDirectory CA
    where you have "192173c1c is this meant to be the serial number?

  • Cannot renew code signing certificate - maybe bug with german Umlaut?

    Hello!
    For a month I have been getting a message that I should renew my code signing certificate, and today I thought it was time to stop this message.
    Because I could not find anything about renewing the certificate in Mountain Lion, I used the KB article that describes the process for Lion.
    http://support.apple.com/kb/HT5358
    after that I get this in at my terminal:
    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate 'myserver.domain.de Signierungszertifikate für Code' 'IntermediateCA_MYSERVER.DOMAIN.DE_1' 7D3E2458
    when I press return I get this:
    /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: myserver.domain.de Signierungszertifikate für Code
    I checked it again and again - I cannot find any typo or anything like that - so maybe Mountain Lion wants to renew the certificate in a different way, or certadmin cannot cope with German "Umlaute" - "für" - in English "for" - but I did not give it this name; it was given by the system when I set up the server one year ago.
    Every hint is welcome, bye
    Christoph

    I am stupid - I read the KB article again and there it says
    "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
    I retyped the command with lower case hex numbers and everything was fine
    Bye,
    Christoph

  • Code-signing Certificate Provider for Mavericks Server?

    Our Digicert Code Signing Certificate [which worked fine in Mountain Lion Server but doesn't work in Mavericks Server no matter what I try] is about to expire, and I'm wondering if anyone could recommend a vendor whose code-signing certificates definitely work with Mavericks Server?

    I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
    Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
    In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
    If you have already imported it via Keychain Access just delete it from your Keychain and try again.
    With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

  • Renewing Self Signed Certificate on IPN Nodes 1.2

    Dear Team
    I have just upgraded the ISE infrastructure to 1.2. The IPN nodes have also been upgraded, and a default self-signed certificate is generated, which has a validity of 90 days.
    On my ISE main units, I have self-signed certificates with 2048 Modulus and SHA1-256 hash, validity = 12 years.
    1:  I want to generate a self-signed certificate on the IPN with the same specifications.
    How can it be achieved? Is it through "pep certificate server add"?
    IPN2/admin# pep certificate server add
    Server Certificate change will result in application restart. Proceed? (y/n): y
    Bind the certificate to private key made by last certificate signing request? (y/n):
    But I am not generating any CSR as such, because we do not have any CA in our deployment.
    Thanks
    Ahad Samir

    Above requirement is necessary because we don't have an Enterprise CA in our Deployment. We have to rely on self Signed certificates.
    Further Self Signed certificates should be valid for a long period so that no communication issue happens, 

  • Renewing Self Signed Certificate for WAAS Central Manager

    Hi,
    We would like some help from you with the following: we have a WAAS Central Manager whose self-signed certificate has expired, as shown below:
            Validity
                Not Before: Jul  7 00:47:06 2009 GMT
                Not After : Jul  6 00:47:06 2014 GMT
    We have used its certificate to install some other remote WAAS Express routers. 
    We would like to know the following:
    1. is it possible to renew this certificate? or 
    2. do we need to reinstall another certificate on CM and replicate this new one on these waas express remote devices?
    If affirmative for at least one of them, could you please share any document that describes how to do it?
    I have attached some output commands from our CM.
    Thanks,
    Marcelo

    attaching file now!!!

  • Getting self-signed certificates from an internal server...

    Hi!
    Thanks to the beautiful [Andreas Sterbenz's|http://blogs.sun.com/andreas/entry/no_more_unable_to_find] article I was able to download the two self generated certificates from the mail server and store them in a single file. So I expected things to work like a charm but soon I had to change my mind due to the (usual) error:
    javax.mail.MessagingException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
    nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:571)
    at javax.mail.Service.connect(Service.java:288)
    at javax.mail.Service.connect(Service.java:169)
    at com.agiletec.plugins.webmail.aps.system.services.webmail.WebMailManager.initInboxConnection(Unknown Source)
    at com.agiletec.plugins.webmail.aps.tags.WebmailIntroTag.doStartTag(Unknown Source)
    [etc etc]
    So here's the first question: Is it correct to store the certificates in the system properties with the following code?
    System.setProperty("javax.net.ssl.trustStore", certificateInUse); // <--- path of the file where I've stored the certificates
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); // password used
    System.setProperty("javax.net.ssl.trustStoreType","JKS");
    I haven't gone in the depth of the SSL theory but it seems to me that my webapp stores the certificates and keeps on connecting in the standard (non SSL) way....
    Thanks in advance for the time spent reading!
    Matteo

    Have you tried setting the "Always trust" property? Double click the certificate in Keychain Access and allow it to have always trust for email.
    Also, make sure that bundles are enabled for mail.
    (Forget the command, google for "defaults write com.apple.mail enableBundles")
    That did it for me.
    Br,
    T

  • Renew code signing certificate

    I just wonder if there is any article about code signing with renewed certificate.  My Thawte certificate will expire soon. Let's say I renew it now and get the new certificate. My air app can update itself automatically when newer version is found. My question is, will my air app (older version signed with the old certificate) update successfully to the newer version (signed w/ renewed certificate)?

    You should use Migration feature to connect both versions of app.
    You can read Oliver's blog here:
    http://blogs.adobe.com/simplicity/install-update/

  • Signed certificates not importing Yosemite Server

    I'm trying to update an SSL cert through Rapid SSL and I'm running into some difficulties.
    First when passing the CSR to RapidSSL it asks what the Webserver is.  I've been choosing Apache + OpenSSL.  Is that correct?
    Second, when I get the intermediate and primary certs back from RapidSSL and drag them into the server app as it says to do I get back the following error:
    I've tried various variations of trying to get the cert into OS X Server but I'm just not having any luck.
    Has anyone run into this problem before?
    Stats:
    Mac OS 10.10.3
    Server 4.1

    So feeling like an idiot, but I tried it one more time.  And I don't know why but it worked this time.  I did nothing different that I can think of. Frustrating experience. 

  • Lion server erased self signed certificate

    Help!!! I accidentally deleted the self signed certificate that had the right keys for my third party SSL.  Now I cannot replace the self signed certificate with the new SSL.  Now what????


  • SQL Server 2008 self-signed certificate is 1024bit or 2048bit?

    When there is no user-defined certificate available, SQL Server will generate a self-signed certificate when the service starts. We have a tool that scans and finds that in SQL 2005 the self-signed certificate is 1024bit. Does someone know whether the default self-signed certificate is still 1024bit or is 2048bit in SQL 2008? Thanks a lot!!!

    I will begin my answer by making an emphasis that the best way to protect your data in-transit is using a 2048 bit certificate signed by a trusted certificate authority (CA) instead of relying on the self-signed certificate created by SQL Server.
    Please remember that the self-signed certificate created by SQL Server usage for data in-transit protection was designed as a mitigation against passive traffic sniffers that could potentially obtain SQL Server credentials being transmitted in cleartext, but nothing more. Think of it as a mitigation against a casual adversary.
    The self-signed certificate usage was not intended to replace real data in-transit protection using a certificate signed by a trusted CA and encrypting the whole communication channel. Remember, if it is self-signed, it is trivial to spoof.
    After making this clarification, the self-signed certificate generated by SQL Server uses a 1024 bit key, but that size may be subject to change in future versions of the product. Once again, I would like to strongly discourage relying on the self-signed certificate created by SQL Server for data in transit transmission.
    BTW. Azure SQL Database uses a 2048 certificate issued by a valid certificate authority.
    I hope this information helps,
    -Raul Garcia
     SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Web Server 7 Admin Server and Self-Signed certificate

    Is it possible to create and install a self-signed certificate for the administration server in Sun Web Server 7. The default installation comes with a self-signed certificate but we would like to install our own certificate and not the certificate issued by "admin-ca-cert"
    Message was edited by:
    aar

    As far as I know it's not a problem. You can install your own certificate. Make sure that the certificate nickname is changed accordingly in "server-cert-nickname" in the server.xml section as shown below:
    <http-listener>
    <name>admin-ssl-port</name>
    <port>2224</port>
    <server-name>alamanac.india.sun.com</server-name>
    <default-virtual-server-name>admin-server</default-virtual-server-name>
    <ssl>
    <server-cert-nickname>Admin-Server-Cert</server-cert-nickname>
    </ssl>
    </http-listener>

  • Does a 2012 DC generate exchange certificates on Exchange 2007 server?

    The reason I ask is because we have a 2008 server environment with a few 2012 servers in the mix, one being a DC. It is time to renew our self-signed certificates on our exchange server and when I attempt to do this via the Get-ExchangeCertificate command, I get a warning stating the following:
    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence.
    On further investigation I noticed we have a certificate that I do not remember from years past nor do I ever remember getting that warning message before. We have not used third party CA's. Notice the items in bold, the certificate is an enterprise cert, not self signed and linked to our 2012 DC. There appear to be no services assigned to it but we still get that warning.
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {EXCHANGESERVERNAME.DOMAIN.NAME}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=DOMAIN-DC3-CA, DC=DOMAIN, DC=NAME
    NotAfter : 12/31/2014 4:36:02 PM
    NotBefore : 12/31/2013 4:36:02 PM
    PublicKeySize : 2048
    RootCAType : Enterprise
    SerialNumber : 2D00XXXXXXXXXXXXXXXXXXXXXXX
    Services : None
    Status : Valid
    Subject : CN=EXCHANGESERVERNAME.DOMAIN.NAME
    Thumbprint : 4886XXXXXXXXXXXXXXXXXXXXXXXXXX
    So my question is two-fold: why is this certificate here (was it generated by our 2012 DC) and will it affect anything when it expires? If so, how do I renew it?

    OK, so it is normal. We did add the 2012 DC to our existing server environment later on. It is not our primary DC.
    So, since there are no services assigned, when it expires in a few days, there will be no effect? If there will be an issue, how do I go about renewing it exactly?
    I am not aware of us requesting an Enterprise CA, however our previous manager could have. I am not familiar with the process.
    Basically, I ignored the "This certificate will not be used for external TLS connections warning" and created and enabled new self-signed certs for our mail server. The warnings in the event log that the old certs are about to expire have stopped. So that should be that then right?
    So as of now, we show 3 certificates, one being the enterprise one I mentioned which will expire in a few days. (Is this normal or should we just have one self signed cert that has all services?) I have a feeling this configuration isn't optimal.
    Thumbprint                              Services  Subject
    2038XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  ...WS     CN=WMSvc-MAILSERVERNAME
    B52BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  IP..S     CN=MAILSERVERNAME
    4886XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  .....     CN=MAILSERVERNAME.DOMAIN.NAME

  • Self Signed Certificate for Web Proxy 4.0.2

    Does anyone have instructions on how to create and install self signed Certificate for Web Proxy Server 4.0.2? My OS is RHEL 4.
    Shed.

    Unfortunately you will not be able to do that from the GUI.
    You will have to use certutil from proxy-install/bin/proxy/admin/bin/certutil
    Make sure that your LD_LIBRARY_PATH includes proxy-install/bin/proxy/lib
    (start -shell will give you a shell with all necessary paths set.)
    create a file called password-file which contains your password to your cert database
    your cert database resides in the alias directory of proxy installation.
    certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234
    -f password-file -d certdir
