RMI / SSL and self signed certificate

hi,
is it possible to use RMI over SSL with a self signed certificate? how? could i automatically install a self signed certificate on client side?
or must i apply for a certificate from e.g. verisign?
thx mike

Define a dummy Trust Manager to skip server certificate verification in the RMISSLClientSocketFactory. For example,
import javax.net.ssl.*;
import java.security.cert.*;

// Trust manager that accepts any certificate chain: no verification is performed at all
class DummyTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // accept everything
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // accept everything
    }
    // isClientTrusted/isServerTrusted come from the older com.sun.net.ssl API;
    // javax.net.ssl never calls them, they are kept only for that legacy interface
    public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
    }
    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
When you initialize your SSLContext in the RMISSLClientSocketFactory, use ctx.init(null, new TrustManager[]{new DummyTrustManager()}, null);
import java.io.*;
import java.net.*;
import java.rmi.server.*;
import javax.net.ssl.*;

public class RMISSLClientSocketFactory implements RMIClientSocketFactory, Serializable {
    private static SSLSocketFactory _defaultSSLSocketFactory;

    static {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[]{new DummyTrustManager()}, null);
            _defaultSSLSocketFactory = ctx.getSocketFactory();
        } catch (Exception ex) {
            // fall through to the JVM default factory below
        }
        if (_defaultSSLSocketFactory == null) {
            _defaultSSLSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        }
    }

    public Socket createSocket(String host, int port) throws IOException {
        return _defaultSSLSocketFactory.createSocket(host, port);
    }
}
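As an added example (not part of the original answer), the alternative the question actually asks about: instead of a trust manager that accepts everything, ship the server's self-signed certificate with the client and trust only that one certificate, so any other certificate presented on the wire is rejected. The class name, the file name server.crt and the alias rmi-server are assumptions; the calls are standard JSSE.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.net.Socket;
import java.rmi.server.RMIClientSocketFactory;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * RMI client socket factory that trusts exactly one certificate: the server's
 * self-signed certificate, shipped with the client as a file. Every other
 * certificate, self-signed or CA-issued, fails the handshake.
 */
public class PinnedRMISSLClientSocketFactory implements RMIClientSocketFactory, Serializable {
    private static final long serialVersionUID = 1L;

    // Assumed file name: the server certificate exported with "keytool -exportcert"
    // (DER and PEM both parse below). Distribute it with the client installation.
    private static final String SERVER_CERT_FILE = "server.crt";

    private static SSLSocketFactory factory;

    /** Built lazily on the client, i.e. after the factory arrives with the stub. */
    private static synchronized SSLSocketFactory factory() throws IOException {
        if (factory == null) {
            try (InputStream in = new FileInputStream(SERVER_CERT_FILE)) {
                factory = factoryTrustingOnly(in);
            } catch (GeneralSecurityException e) {
                throw new IOException("cannot build pinned SSL context", e);
            }
        }
        return factory;
    }

    /** SSLSocketFactory whose single trust anchor is the certificate read from certIn. */
    static SSLSocketFactory factoryTrustingOnly(InputStream certIn)
            throws IOException, GeneralSecurityException {
        Certificate serverCert = CertificateFactory.getInstance("X.509").generateCertificate(certIn);

        // In-memory truststore with one entry; the JVM's cacerts file is NOT consulted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("rmi-server", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public Socket createSocket(String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) factory().createSocket(host, port);
        // Additionally require the certificate's CN/SAN to match the host the stub
        // points at (Java 7+), so a key pair shared across several hosts cannot be
        // used by one of them to stand in for another.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    // RMI reuses connections only between factories that compare equal.
    @Override public boolean equals(Object o) { return o != null && o.getClass() == getClass(); }
    @Override public int hashCode() { return getClass().hashCode(); }
}
```

Pass an instance of this class as the client socket factory when exporting the remote object, exactly where the answer's RMISSLClientSocketFactory would go.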

Similar Messages

  • IPhone LDAP contacts and Self signed SSL certificates

    Hi,
    I am using OpenLDAP with a self signed SSL certificate, and I am unable to get SSL to work with LDAP contacts on the iPhone (4.x). I have tried to add a CA cert with a server certificate for the LDAP server and downloaded it to the iPhone by web; it adds the CA, but even with it, it does not want to connect to the LDAP server with SSL enabled.
    Should LDAP contacts work by adding a new CA? If yes, what is the exact procedure to do it? (maybe I used a wrong CA export format, or wrong SSL certificate encryption format ...)
    Can someone tell me how to do it?
    This is really annoying, since we have multiple iPhones in the company.
    Thanks for the help.

    Hello, found your post.  I realize it's been 6 months since you posted, but I have a solution for you since I have struggled with the same problem since 2009.
    I discovered that when the iPhone is using LDAPS, it tries to bind with LDAPv2.  After it binds, it speaks LDAPv3 like it is supposed to.  Apparently this is a somewhat common practice since OpenLDAP includes an option for it.
    You'll want to set the following option in OpenLDAP:
    dn: cn=config
    olcAllows: bind_v2
    Voilà! LDAPS works! (assuming you've correctly done all the certificate stuff).  Took some deep reading through the debug logs to figure out this problem.  Figured I'd share my answer with others.

  • Differences between SSL and Code-Signing Certificates

    Hello,
    I unsuccessfully tried to use an SSL certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned that SSL certificates and code-signing certificates are different things (after searching the web for hours). Can somebody point out some source of information about this topic? What are these differences? Can I convert my SSL certificate into a code-signing certificate?
    Things got even more confusing for me, since my first attempt with a wrongly converted SSL certificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
    Ulf

    yep, looks like it.
    keytool can be used with v3 x509 stores:
    Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation ( for Solaris ) ( for Windows ).
    jarsigner needs a keystore so I would assume public and private key pair.
    you could list the keys from your store:
    C:\temp>keytool -list -keystore serverkeys.key
    Enter keystore password: storepass
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries
    client, Jul 5, 2005, trustedCertEntry,
    Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
    server, Jul 5, 2005, keyEntry,
    Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
    The server is the private key, this can be used with jarsigner (alias option).
    C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass -signedjar sTest.jar test.jar client
    jarsigner: Certificate chain not found for: client. client must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
    C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass -signedjar sTest.jar test.jar server

  • Web Server 7 Admin Server and Self-Signed certificate

    Is it possible to create and install a self-signed certificate for the administration server in Sun Web Server 7. The default installation comes with a self-signed certificate but we would like to install our own certificate and not the certificate issued by "admin-ca-cert"

    As far as I know it's not a problem. You can install your own certificate. Make sure that the certificate nick name is changed accordingly in "server-cert-nickname" in the server.xml section as shown below:
    <http-listener>
    <name>admin-ssl-port</name>
    <port>2224</port>
    <server-name>alamanac.india.sun.com</server-name>
    <default-virtual-server-name>admin-server</default-virtual-server-name>
    <ssl>
    <server-cert-nickname>Admin-Server-Cert</server-cert-nickname>
    </ssl>
    </http-listener>

  • Statement on Firefox 33 and self-signed certificates

    Dear Mozilla,
    Your decision to drop support for self-signed certificates is causing problems all around in LANs, VPNs, and domain networks both home and corporate which employ SSL but use self-signed certs. Despite it being understood that it is generally ill-advised to access sites with such problems, further deciding that this minority of exceptions should be abandoned altogether in a world web full of so many shades of grey and complex setups is not a responsible decision.
    Please implement methods for us to be able to coexist with these updates, as suddenly dropping support for the plethora of routers, domains, websites and other sources using such a setup, many of which cannot be quickly updated or even at all, is a big problem.
    The Internet Engineering Task Force has not issued any such directives, nor have broader plans to drop support for self-signed certificates been announced. In the absence of a transitioning climate away from this setup or any plans to do so, Mozilla has unilaterally decided to remove support.
    Please remember that you have a large userbase and thus a responsibility to keep available means of access that are in common use by the world. Self-signed certificates still very much play a role in the ecosystem, and they will continue to exist for as long as there is a need for encryption on intranets.
    Thank you!

    It seems the problem is not the self-signed certificate itself, but RSA keys that are too short (from the current point of view).
    Please see
    https://support.mozilla.org/en-US/questions/1045971
    moreover, SSLv3 is now insecure, and is soon going to be disabled by default.
    https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

  • Backend Encryption with SSL module & Self Signed Cert

    I am trying to configure backend encryption using the SSL module to communicate with a server using a self signed certificate. I configured Authenticate verify none. I have not copied any cert info from the server. Do I need to? The SSL module is complaining about an invalid cert. My config is basic.
    service test-service-cf8-be client
    virtual ipaddr 10.6.1.20 protocol tcp port 80
    server ipaddr 10.6.1.22 protocol tcp port 443
    log-auth-failures
    authenticate verify none
    inservice
    Thanks,
    Dave

    Yes it was up and a debug showed an invalid cert message when the service was hit. The answer turned out to be that you still need to import the root CA from the server so that the SSL mod has something to verify the cert against.
    Thanks..

  • Xcode continuous integration, Subversion and self-signed certificate won't work altogether.

    Hi!
    I've installed on MacMini Maverick OS with OSX Server.
    Then I've configured the Xcode continuous integration with Subversion (using self-signed certificate), also created bots and etc.
    But It won't work.
    Attached is the log:
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:717 7c087310 +0ms] revision: (null)
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:718 7c087310 +0ms] log: (null)
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:719 7c087310 +0ms] checkoutError: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0}
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSCheckoutOperation.m:732 7c087310 +0ms] Error in SVN checkout Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} <stderr>= (null)
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSOperation.m:33 7c087310 +0ms] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0}
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSOperation.m:28 7c087310 +0ms] Cancelling operation: XCSCheckoutOperation
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSBuildBundle.m:790 7c087310 +0ms] Got an error from the checkout operation: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mobile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0}
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildBundle.m:850 7c087310 +0ms] Starting upload files operation
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildBundle.m:1018 7c087310 +0ms] Updating bot run status to running, substatus to uploading
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Info>: [CSRemoteServiceClient.m:151 7c087310 +0ms] Connecting to https://localhost:4443/svc to execute [https]Request{AuthService.enterMagicalAuthRealm()}
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildHelper.m:97 7c087310 +38ms] Updating bot run with GUID cccf1c74-6c5a-4fff-a57f-5e5bead09457
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildHelper.m:102 7c087310 +0ms] Updating bot run (cccf1c74-6c5a-4fff-a57f-5e5bead09457): { guid = "cccf1c74-6c5a-4fff-a57f-5e5bead09457"; status = running; subStatus = uploading; }
    Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Info>: [CSRemoteServiceClient.m:151 7c087310 +0ms] Connecting to https://localhost:4443/svc to execute [https]Request{XCBotService.updateBotRun:({ guid = "cccf1c74-6c5a-4fff-a57f-5e5bead09457"; status = running; subStatus = uploading; })}
    Hope you'll be able to assist me find what I'm doing wrong.
    Thanks in advance.

    Did anyone find a way around this? I have the exact same error and tried the exact same solution.
    The Xcode 5 release notes described a problem that sounds similar.
    Communicating with a remote SVN repository over HTTPS can fail with an error similar to “Error validating server certificate for server name.” Edit the file /Library/Server/Xcode/Config/xcsbuildd.plist and change the TrustSelfSignedSSLCertificates key from false to true. Then, from a Terminal window, run: sudo killall xcsbuildd. 14639890
    https://developer.apple.com/library/ios/releasenotes/DeveloperTools/RN-Xcode/Chapters/xc5_release_notes.html
    I haven't found a similar fix for Xcode 6 though.

  • RMI, SSL, and compression

    Hi,
    I am trying to find an example of how to create a custom socket factory for RMI that does SSL and compression. Doing either separately is easy, but it seems that using SSL precludes the use of a custom socket as one would want for compression. Any suggestions or pointers would be appreciated.
    Regards,
    Neal

    Thank you for the help. Sadly, I am still unable to wrap my brain around this one. I am hoping a concrete example will help out:
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.Serializable;
    import java.net.ServerSocket;
    import java.rmi.server.RMIServerSocketFactory;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    public class SecureServerSocketFactory implements RMIServerSocketFactory, Serializable {
        /** Creates new SecureServerSocketFactory */
        public SecureServerSocketFactory() {
        }

        /**
         * Create a server socket on the specified port (port 0 indicates
         * an anonymous port).
         * @param  port the port number
         * @return the server socket on the specified port
         * @exception IOException if an I/O error occurs during server socket
         * creation
         */
        public ServerSocket createServerSocket(int port) throws IOException {
            SSLContext ctx;
            try {
                // set up key manager to do server authentication
                KeyManagerFactory kmf;
                TrustManagerFactory tmf;
                KeyStore ks;
                char[] passphrase = "xxxxxxxxxxxxxx".toCharArray();
                ctx = SSLContext.getInstance("TLS");
                kmf = KeyManagerFactory.getInstance("SunX509");
                tmf = TrustManagerFactory.getInstance("SunX509");
                ks = KeyStore.getInstance("JKS");
                // SimpleLocator is the poster's own configuration helper; it returns the keystore path
                ks.load(new FileInputStream(SimpleLocator.getInstanceValue("ServerKeystore")), passphrase);
                kmf.init(ks, passphrase);
                tmf.init(ks);
                ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            } catch (Exception e) {
                e.printStackTrace();
                throw new IOException("could not initialise SSL context: " + e);
            }
            // this is w/o compression: a plain SSL server socket from the context
            ServerSocket socket = ctx.getServerSocketFactory().createServerSocket(port);
            // need to put ejp's idea to practice here...
            // create a LZMACompressedSocket
            // put it into server mode?
            // wrap in SSL?
            return socket;
        }
    }
    Any help you can provide would be appreciated.
    On a related note, I do agree that compressing at this level likely will not help, but I want to try all solutions.
    Thanks again for your help.

  • Two way ssl with self signed certificate?

    How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
    Specifically, I don't want to use any CA authority.
    Is it possible to simply have the client's certificate in the server's truststore or not?
    I pull out the certificate via
    javax.servlet.request.X509Certificate
    but when I use a self signed certificate it's never there.
    If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.

  • Server 2012 R2 - Remote Apps (RDWeb) and Self Signed Certificates!

    Hi all! I have been playing around with VM's on Microsoft Azure just to try and have some Windows Services facing externally that I can play around with and test.
    I have spun up a Windows Server 2012 R2 Server and installed Remote Desktop Services on it. I am looking to publish some remote apps and ideally I am looking to get it to work externally.
    The server has been given an IP address, which is fine; I have gone to my domain and actually set up cloud.mydomain.co.uk, and DNS for this is pointing to the IP address of the server. This is all working and functioning!
    Basically if I go onto my server and connect to the RDWeb section and login, I can see my remote apps, I can download the launcher and open them, all works great! :)
    If however, I go to https://cloud.mydomain.co.uk/RDWeb it asks me to login, I can then see my remote apps but when I click on them I get a certificate stating that the computer cannot verify the identity of the RD Gateway.
    What am I missing? What do I need to do to get this to work?
    If there is some sort of tutorial on how to set this up, fully, from start to finish then that would be great. Otherwise any advice on this would be much appreciated!!
    Thanks! :)

    #2 sounds like we would need 2 Essentials servers and we will not have that.
    We currently have Server 2008 R2 and have 2012 Standard licenses that are not yet used.
    We have much more than 75 users total, but 75 is more than the number of users that will probably take advantage of using RD Gateway any time soon.  It will probably take time to catch on.
    If RD Gateway usage was to get super popular and more than 75 users were depending on access to it, then we could financially justify paying to buy all the CALs needed to run RD Gateway without Essentials.  Right now, they are skeptical that it will
    be worth spending much money on this and don't want to invest a lot  of money up front.
    My understanding is that if we have 75 or fewer users using RD Gateway then we need to buy no CALs, just apply a Server Standard Edition License to the server, but if we had 76, we would need to turn off Essentials and buy 76 new CALs.
    Or would we need to add 50 CALs to the 25 that automatically come with Essentials?
    Also does "turning off" Essentials mean we would have to reinstall and redeploy the RDG or is it just a matter of enabling the RD license server and adding purchased CALs?
    No, when you buy essentials you get the right to create 25 users that access the server, when you create the 26th user you will need to have 26 CAL and RDS CAL. 

  • Ssl certificate-self-signed certificate

    HI Experts,
    In my company a PCI audit is happening and they found the two issues below. What necessary changes should I make for this?

    You can install and use a certificate from an external certificate authority (CA) on your ASA (assuming that's where the problem is since you posted in the firewall forum). It can be from either an internal CA your company runs or from a commercial CA.
    This document is getting pretty old but the basic procedure remains valid.

  • How do I override self-signed certificate old ssl blocking.

    My hard drive failed and was replaced by my desktop support team. As a result, I had to re-install FireFox, my preferred browser to provide console connections to my production servers. These connections are old, firmware platforms that are not updatable behind multiple firewall layers. They use old versions of ssl and self signed certificates. Your new browser simply blocks access. Without the ability to override permanently this 'feature', I am unable to access the consoles of servers doing billions of dollars in business. I have a work-around in place with other browsers.

    So, you are saying that EVERY time I need to access this type of server on my own internal network that is not visible anywhere, I have to go thru this rigamarole of this add on thing, because YOU have decided I can no longer access my own servers in my own network? If there is no permanent fix, I will find another browser that will do the job, and this will be uninstalled across the enterprise, because it becomes very unusable in crisis situations and even during a normal workday, because of the unnecessarily complicated process that has to be done each time. Unbelievable gall. I am speechless. Sure glad I discovered it when it was not urgent. I am sure glad you all are smarter than I am. Sheesh.

  • Renew Exchange 2007 self signed SSL cert : Warning

    Hi,
    We are getting an issue with the new SSL certificate being created. 
    WARNING: This certificate will not be used for external TLS connections with an
    FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
    '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
    connectors match that FQDN: Send to Internet. 
    Here's the output below:
    [PS] C:\Windows\System32>get-exchangecertificate | list
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                         .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                         X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 1:46:15 PM
    NotBefore          : 7/23/2012 1:46:15 PM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 52F90CEC000000000005
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
                         [mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 11:44:05 AM
    NotBefore          : 7/23/2012 11:44:05 AM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 5289341C000000000003
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    [PS] C:\Windows\System32>get-exchangecertificate 1B6705DB9755A75E94F5B05081AEDED3A0065D4A | New-ExchangeCertificate
    WARNING: This certificate will not be used for external TLS connections
    with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate
    with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
    precedence. The following connectors match that FQDN: Default PPLOEX2K7.
    WARNING: This certificate will not be used for external TLS connections
    with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate
    with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
    precedence. The following connectors match that FQDN: Send to Internet.
    Confirm
    Overwrite existing default SMTP certificate,
    '99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB' (expires 7/23/2014 11:44:05
    AM), with certificate 'F835E526BC8D3805E7AA230A17C5971872D3759C'
    (expires 7/22/2015 10:17:51 AM)?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):y
    Thumbprint                                Services  
    Subject
    F835E526BC8D3805E7AA230A17C5971872D3759C  .....      C=ph, S=NCR, L=Pasig, O...
    [PS] C:\Windows\System32>get-exchangecertificate | list
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                         .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                         X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
                         om
    NotAfter           : 7/22/2015 10:17:51 AM
    NotBefore          : 7/22/2014 10:17:51 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 6B5A6E27C63C36A54FDD3E07FF982497
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
                         om
    Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                         .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                         X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 1:46:15 PM
    NotBefore          : 7/23/2012 1:46:15 PM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 52F90CEC000000000005
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
                         [mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 11:44:05 AM
    NotBefore          : 7/23/2012 11:44:05 AM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 5289341C000000000003
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    Services: [PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint F835E5
    26BC8D3805E7AA230A17C5971872D3759C -Service IIS, SMTP, IMAP, POP
    WARNING: This certificate will not be used for external TLS connections with an
    FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with
    thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The
    following connectors match that FQDN: Default PPLOEX2K7.
    WARNING: This certificate will not be used for external TLS connections with an
    FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
    '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
    connectors match that FQDN: Send to Internet.
    [PS] C:\Windows\System32>

    Hi Jammizi,
    I collected some information from the command results, as below:
    1. When running the Get-ExchangeCertificate | FL command, it returned 2 certificates.
    •Certificate01
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    IsSelfSigned       : False
    Services           : IMAP, POP, IIS
    •Certificate02
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    IsSelfSigned       : False
    Services           : IMAP, POP, SMTP
    2. When running Get-ExchangeCertificate 1B….4A (Certificate01) | New-ExchangeCertificate, you got a warning:
       Overwrite Certificate02 (99…BB) with Certificate03 (F8…9C).
    3. When running the Get-ExchangeCertificate | FL command, it returned 3 certificates.
    •Certificate03
    Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C
    IsSelfSigned       : True
    Services           : IMAP, POP, SMTP
    •Certificate01
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    IsSelfSigned       : False
    Services           : IMAP, POP, IIS
    •Certificate02
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    IsSelfSigned       : False
    Services           : IMAP, POP, SMTP
    4. When running the Enable Certificate03 command, you got a warning.
    According to the information above, please notice that neither Certificate01 nor Certificate02 is a self-signed certificate, and the New-ExchangeCertificate command on an Exchange 2007 server creates a new Exchange self-signed certificate. I suggest double-checking
    whether your org has self-signed certificates. If your org only needs 3rd-party certificates without a self-signed certificate, I suggest applying for a new certificate from a CA.
    Thanks
    Mavis
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Mavis Huang
    TechNet Community Support

  • SSL and 9IAS

    I have a server that is a J2EE and Webcache installation.
    I want to take the default virtual host on port 4443 and do two things:
    1) change the port to 443
    2) have the host stop using the Wallet file and use a standard SSL certificate key and file from directories that I specify
    What I have done:
    -generated the key and self-signed cert using openssl.
    -edited the httpd.conf file and located the virtual host in the SSL section and:
    1) Commented out all the SSLWallet stuff
    2) Added the SSLCertificateFile and SSLCertificateKeyFile paths and filenames
    - Stopped the HTTP server from OEM website
    - Started the HTTP server from OEM website
    When I try to go to https://myhost:443/ I get "Page not found"
    When I put the httpd.conf file back to the Wallet stuff and comment out my lines, it works again!
    Any ideas?
    Jason

    Please explain further. I am having major problems with webcache with SSL.
    Whenever I point to this default directory "D:\portal\webcache\wallets\default" SSL Portal works, yet when I point to my directory with my real certificates it fails.
    Each directory has a file called ewallet.p12 in it. I tried to rename one and put both within one directory. I have the cwallet.sso file in the directory but I still can't seem to get it working.
    Is the system default location where webcache is looking for the certificates, or is it the location that wallet manager is using?

  • How to use Self Signed certificate with SSLServerSocket?

    Hello to all.
    I'm trying to build a simple client/server system which uses SSLSocket to exchange data. (JavaSE 6)
    The server must have its own certificate, clients don't need one.
    I started with this
    http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
    To generate a key for the server and a self-signed certificate.
    To sum it up:
         Create a new keystore and self-signed certificate with corresponding public/private keys.
    keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
         Export and examine the self-signed certificate.
    keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
         Import the certificate into a new truststore.
    keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
    Then in my server code I do
    System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
    Socket s = sslServerSocket.accept();
    I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
    Can it be a problem with the certificate? When using -validity <days> in keytool the certificate gets self-signed, so it should work if I'm not wrong.
    I have also tried this solution
    serverKeyStore = KeyStore.getInstance( "JKS" );
    serverKeyStore.load( new FileInputStream("/scratch/stores/server.jks" ),
         "123456".toCharArray() );
    tmf = TrustManagerFactory.getInstance( "SunX509" );
    tmf.init( serverKeyStore );
    sslContext = SSLContext.getInstance( "TLS" );
    sslContext.init( null, tmf.getTrustManagers(),secureRandom );
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port );
    and still it doesn't work.
    So what am I missing?

    You were right. I corrected the mistakes in the server code, now it's
         private SSLServerSocket setupSSLServerSocket(){
              try {
                   SSLContext sslContext = SSLContext.getInstance( "TLS" );
                   KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
                   KeyStore ks = KeyStore.getInstance("JKS");
                   ks.load(new FileInputStream(_KEYSTORE), _KEYSTORE_PASSWORD.toCharArray());
                   km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
                   /* To be used with a truststore if client authentication is needed
                    * TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
                    * tm.init(ks); */
                   sslContext.init(km.getKeyManagers(), null, null);
                   SSLServerSocketFactory f = sslContext.getServerSocketFactory();
                   SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(_PORT);
                   return ss;
              } catch (UnrecoverableKeyException e) {
                   e.printStackTrace();
              } catch (KeyManagementException e) {
                   e.printStackTrace();
              } catch (NoSuchAlgorithmException e) {
                   e.printStackTrace();
              } catch (KeyStoreException e) {
                   e.printStackTrace();
              } catch (CertificateException e) {
                   e.printStackTrace();
              } catch (FileNotFoundException e) {
                   e.printStackTrace();
              } catch (IOException e) {
                   e.printStackTrace();
              }
              return null;
         }
    and on the client code
    private SSLSocket setupSSLClientSocket(){
         try {
              SSLContext sslContext = SSLContext.getInstance( "TLS" );
              /* SERVER
              KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
              km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
              */
              KeyStore clientks = KeyStore.getInstance("JKS");
              clientks.load(new FileInputStream(_TRUSTSTORE), _TRUSTSTORE_PASS.toCharArray());
              TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
              tm.init(clientks);
              sslContext.init(null, tm.getTrustManagers(), null);
              SSLSocketFactory f = sslContext.getSocketFactory();
              SSLSocket sslSocket = (SSLSocket) f.createSocket("localhost", _PORT);
              return sslSocket;
         } catch (KeyManagementException e) {
              e.printStackTrace();
         } catch (NoSuchAlgorithmException e) {
              e.printStackTrace();
         } catch (KeyStoreException e) {
              e.printStackTrace();
         } catch (CertificateException e) {
              e.printStackTrace();
         } catch (FileNotFoundException e) {
              e.printStackTrace();
         } catch (IOException e) {
              e.printStackTrace();
         }
         return null;
    }
    and added a System.out.println(sslSocket); after every incoming message (server side) and SSL is now fully working!
    So my mistakes were:
    • Incorrect setup done by code
    • Incorrect and insufficient println() of socket status
    Now that everything works, I've deleted all this manual setup and just use the system properties. (They MUST be set before getting the Factory)
    SERVER SIDE:
    System.setProperty("javax.net.ssl.keyStore", _KEYSTORE);
    System.setProperty("javax.net.ssl.keyStorePassword", _KEYSTORE_PASSWORD);
    SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    SSLServerSocket sslServerSocket = (SSLServerSocket) f.createServerSocket(_PORT);
    CLIENT SIDE:
    System.setProperty("javax.net.ssl.trustStore", "/scratch/stores/client.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "client");
    SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) f.createSocket(_HOST, _PORT);
    And everything is working as expected. Thank you!
    I hope my code will help someone else in the future.
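    The two contexts this thread arrives at, server side from the keystore and client side from the truststore, as an added example that is not part of the original posts. It reuses the store paths, passwords and the alias "mytest" from the poster's keytool commands and snippets, and adds two checks the thread does not have: it refuses to start the server if the alias has no private key entry (the condition behind the "No available certificate or key" exception from the first post), and it prints the SHA-256 fingerprint of every certificate in both stores so you can confirm that client.jks trusts exactly the certificate server.jks holds. It needs Java 8 or later for the lambda and try-with-resources.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not code from the thread. Store paths, passwords and the alias
// "mytest" are the values the poster used in the keytool commands and snippets above.
public class SelfSignedSslContexts {

    static final String SERVER_KEYSTORE = "/scratch/stores/server.jks";
    static final char[] SERVER_KEYSTORE_PASSWORD = "123456".toCharArray();
    static final String CLIENT_TRUSTSTORE = "/scratch/stores/client.jks";
    static final char[] CLIENT_TRUSTSTORE_PASSWORD = "client".toCharArray();
    static final String ALIAS = "mytest";

    static KeyStore loadJks(String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Server side: a KeyManager over the private key. The first attempt in the thread gave the
    // server only a TrustManager, which is what yields "No available certificate or key ...".
    static SSLContext serverContext() throws GeneralSecurityException, IOException {
        KeyStore ks = loadJks(SERVER_KEYSTORE, SERVER_KEYSTORE_PASSWORD);
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException(SERVER_KEYSTORE + ": alias '" + ALIAS + "' has no private key");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, SERVER_KEYSTORE_PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // no client authentication, as in the thread
        return ctx;
    }

    // Client side: trust only the certificates in client.jks, i.e. the exported self-signed
    // server certificate, instead of the JRE's default CA set.
    static SSLContext clientContext() throws GeneralSecurityException, IOException {
        KeyStore ts = loadJks(CLIENT_TRUSTSTORE, CLIENT_TRUSTSTORE_PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // SHA-256 fingerprint of each certificate in a store. The value printed for server.jks
    // must match the one printed for client.jks, otherwise the client trusts something else.
    static void printFingerprints(String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = loadJks(path, password);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
                hex.append(String.format("%02X", b));
            }
            System.out.printf("%s alias=%s privateKey=%b subject=%s sha256=%s%n",
                    path, alias, ks.isKeyEntry(alias), cert.getSubjectX500Principal().getName(), hex);
        }
    }

    // One TLS round trip on an ephemeral port: the server writes a line, the client reads it.
    static String roundTrip() throws Exception {
        SSLServerSocket server = (SSLServerSocket) serverContext().getServerSocketFactory().createServerSocket(0);
        Thread acceptor = new Thread(() -> {
            try (Socket s = server.accept()) {
                s.getOutputStream().write("hello over TLS\n".getBytes(StandardCharsets.US_ASCII));
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        acceptor.start();
        try (Socket c = clientContext().getSocketFactory().createSocket("localhost", server.getLocalPort());
             BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream(), StandardCharsets.US_ASCII))) {
            return in.readLine();
        } finally {
            server.close(); // closing first unblocks accept() if the client never connected
            acceptor.join();
        }
    }

    public static void main(String[] args) throws Exception {
        printFingerprints(SERVER_KEYSTORE, SERVER_KEYSTORE_PASSWORD);
        printFingerprints(CLIENT_TRUSTSTORE, CLIENT_TRUSTSTORE_PASSWORD);
        System.out.println("client received: " + roundTrip());
    }
}
```

    Run it after the three keytool commands above have produced server.jks and client.jks; the two fingerprint lines should show the same sha256 value, with privateKey=true only on the server side. Note that a plain SSLSocket does not check the server's hostname against the certificate, so when the server is not on localhost, enable endpoint identification on the client socket (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")) and generate the certificate with a matching CN or subject alternative name.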
