Root CA certificate marked as non-exportable

Similar Messages

• Creating non-exportable certificates

  I am looking for a way to prevent Certificate being exported out by users.
  Certificate once imported into the keychain user shouldn't be allowed to export it out.

  In 10.5.8 and 10.6, you can import private keys and mark them as non-exportable with the security tool. From security(1):
  -x Specify that private keys are non-extractable after
  being imported.
  This won't stop the user from copying the whole keychain off, however.

• Export & Import Self-Signed Root CA Certificate?

  I have created a self-signed Root CA certificate with which I sign all of my other certificates on a leopard Server. This Root CA is installed and trusted on all of our client machines.
  I recently tested exporting and archiving the Root CA in every format available from Keychain Access and then tried to import these files into another Snow Leopard server and was unable to assign the imported Certificates as a "Default Certificate Authority".
  Does anyone know how I can set this Root CA that I created on another server as the default CA on this new machine for signing all future certificates that I create?
  Fore some reason when I go into Keychain Access and select: Keychain Access -> Certificate Assistant -> Set the Default Certificate Authority… I end up with no certificates to choose from and the "Add a Certificate Authority…" button will not allow me to select any of the exported certificate formats that I archived.
  Any thoughts?

  Anyone have any information at all? This seems like a very basic need for maintaining certificates beyond the usable life of the equipment on which they were created.
  I have found precious little information about this specific to Apple OS.

• HOW TO INSTALL ROOT (Authority) CERTIFICATES ON S4...

  Recently i bought a 6500 Classic and stupidly deleted my Authority Certificates.
  After trwaling the net for info on how to re-install certificates i couldnt find an answer apart from NO YOU CANT DO THIS.
  Well to that i say NUTS!!! because you can and i will show you how by simply following these steps.
  1. Create a New Folder on your desktop and call it whatever you like.
  2. Open notepad on your computer.
  3. Copy the text below into the Notpad file. (I got this from some website as they were using it for smething else but it does work so thanks to them or thanks to you if this is yours)
   <?xml version="1.0"?>
  <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title>Install root CA</title>
  </head>
  <body>
  <p>
  <a href="der1.cer">Download a CA Cert1</a>
  <a href="der2.cer">Download a CA Cert2</a>
  <a href="der3.cer">Download a CA Cert3</a>
  <a href="der4.cer">Download a CA Cert4</a>
  <a href="der5.cer">Download a CA Cert5</a>
  <a href="der6.cer">Download a CA Cert6</a>
  <a href="der7.cer">Download a CA Cert7</a>
  <a href="der8.cer">Download a CA Cert8</a>
  <a href="der9.cer">Download a CA Cert9</a>
  <a href="der10.cer">Download a CA Cert10</a>
  <a href="der11.cer">Download a CA Cert11</a>
  </p>
  </body>
  </html>
  4. Save the Notpad file as type ALL FILES but when naming it just call it cert.html and save it to the folder you created on your desktop earlier.
  5. Now downlaod the Root Certificates you need to the same folder on your Desktop.
  6. When saving the first Certificate to the folder call it der1 ((make sure not to take out the file extension eg .cer)) then the second der2, third der3 and so on and so on till you get to der11. (Dont worry this will not rename the certificate when it installs on your phone.)
   Example of what the files in your Desktop folder should be called der1.cer, der2.cer etc etc.
  7. Now transfer the whole folder from your Desktop to your Mobile phone. (I did this by using Nokia PC Suite.)
   8. When the folder with the certificates and hmtl we made have been transfered to you phone navigate using your phone to that folder.
  9. Go into the folder and open the cert.html file. (Your browser will now open a page with 11 download links available)10. Now all you have to do is click on each link and accept each certificate remembering to save and they will install on your phone. (On my 6500 Classic i can check this by Navigating through my phone to Menu>Settings>Security>Authority Certificates)
   Notes:- Some errors you may receive when trying to download the certificates through your phone browser may be Already Exists, Expired Certificate and the most annoying is Corrupted Certificate.
  Already Exists - Shouldt allow you to save (DO NOT SAVE IF IT ALLOWS YOU)
  Expired Certificate - (DO NOT SAVE)
  Corrupted Certificate - Install the certificate on your computer first, then go to Tools>Internet Options>Content>Certificates.
  (save the certificate to other people tab) Browse for the certificate you installed then export it in DER format to the Desktop Folder you created then start process over again to get it onto your phone.
  Remember to delete any certificates as you go that you have already installed so you dont get mixed up.
  Any issues reply and i will do what i can to help and if anyone has Hutchinson 3G Root Certificates please let me know.
  Thanks.
  Message Edited by andyhardie on 15-Jul-2009 04:05 PM

  I have nokia 6300 s40v3 and when I tried to open cert.html it showed format unknown.
  What should I do. Can you tell me the format of bookmark so that can rename it to cer.(format)
  sir please give some guidense its very urgent
  reply at *******
  MODERATOR'S NOTE:
  Personal details removed by a moderator. We kindly ask you not to share your personal e-mail address or any other personal information publicly on this forum. This is for your personal safety and privacy.
  Message edited by Aikin19

• New deploy child domain certificate server didn't publish root trust certificate to the client

  Child domain certificate didn't install into child domain workstation.
  https://support.microsoft.com/en-us/kb/281271?wa=wsignin1.0
  Certification Authority configuration to publish certificates in Active Directory of trusted domain
  Any advise?
  Thanks.

  Hi,
  >>New deploy child domain certificate server didn't publish root trust certificate to the client
  Is this an enterprise root CA or standalone CA?
  If it is an enterprise root CA, it will automatically use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. If it is an standalone CA, we can configure GPO
  to distribute the certificate.
  Regarding how to use policy to distribute certificates, the following article can be referred to for more information.
  Use Policy to Distribute Certificates
  https://technet.microsoft.com/en-us/library/cc772491.aspx
  We can run command gpupdate/force to immediately update group policy and then we can refresh the certificates in certmgr.msc to see if the certificate will come up.
  Besides, for certificate questions, we can also ask for suggestions in the following forum.
  Security
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Error -2147415740 from Keychain when importing a root CA certificate

  I've been given an iMac at work to use as my primary workstation, and work in an environment that uses certificate based authentication. I was provided the root CA certificate as a .pem file to import into my system, and every time I try, Keychain Access throws an error of "-2147415740".
  Running "openssl x509 -inform pem -in cacert.pem -text" shows the certificate as valid, and specifically:
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (8192 bit)
  Modulus (8192 bit):
  I've seen a few other reports of this, and it seems to be tied to the certificate being signed with an 8192 bit key. Asking the company to change to a lower key to sign the certificate is not a possibility, as it would require redistribution across a high number of machines to work around what appears to be an OS X specific bug. Does anyone know a workaround?
  Out of curiosity, I took the certificate and imported it successfully into an iBook running OS X 10.4.0. The certificate continues to work all the way up to 10.4.8, but breaks once Security Update 2006-007 or 10.4.9 is applied. The certificate is also imported just fine on an iPad running iOS 4.2.1.
  For now, I have to avoid using any Apple provided tools, and many 3rd party OS X programs, negating the benefit of using OS X and an iMac.

  sigh
  Result 1, this thread
  Result 2, another person encountering the same problem and posted here on the discussion forums, unanswered, beyond me responding to see if it is the exact same situation I'm now running into.
  Result 3, a posting to the OpenCA users list, also confirming the problem, with no specific solution to the error. Only a workaround of resigning the CA with a 4096bit or lower key, a workaround that as I mentioned already, cannot be done here without forcing every other user in the company to do work for what appears to only be an OS X specific problem/bug.
  Please only respond again if you have an actual useful suggestion for this exact problem. These boards are to help facilitate discussion about problems leading to a solution. Neither of your generic responses has helped, and I'd appreciate it if you could avoid wasting more of my time following up on a new post notification.

• Adding crop marks in jpeg export

  Hi All,
  Is is possible to add crop marks in jpeg export similar to what we have in pdf export.
  I see SnapshotUtils class but could not see any method to set crop marks.
  What I need to do to set crop marks?
  Regards,
  Alam

  Well, since there is no Crop Marks option when doing a JPEG Export (Snapshot) by hand, I would be very surprised if there were a plug-in API for it.
  So I think you'll have to add your own Crop Marks before you do the JPEG Export. It isn't really that hard ... just a little tedious. You can get the general idea from the CropMarks.jsx script that comes with InDesign.

• Order Management - 'Export' and 'Non-export' orders.

  Hi,
  Could anyone help me how to distinguish between an 'export' type sales order and a 'non-export' type sales order?
  I need the details of the columns that we should be looking into to identify the above types of sales orders.
  Thanks and Regards,
  Mantha

  The reason the stock is released to warehouse is because requested quantity is set to zero so the seeded process fails on reservation so the cycle exits in limbo.
  The solution is to rather leave the requested quantity and set the stock Available to Request (ATR) to zero.
  Tracing through the packages yields...
  WSH_PICK_LIST.RELEASE_BATCH
  |--> INV_PICK_RELEASE_PUB.PICK_RELEASE
  |--> INV_PICK_RELEASE_PVT.PROCESS_LINE
  |--> ..PROCESS_RESERVATIONS
  ... which is where the ATR is set via INV_QUANTITY_TREE_PUB and can thus be "hacked".
  A functional solution is to perhaps have two logical warehouses. One for any packing unit and one for cartonised packing units. But then again not all business' can see there way clear with vanilla functionality ;)
  G

• Root CA Certificate expired in WTK

  Hi, does anybody knows how to renew root CA certificate for WTK? The one that is inlcuded with WTK is expired.
  Thanks

  Hi there,
  Did you ever find a solution to this problem? Im having a similar problem with a midlet connecting to a https webpage. I get a root ca's certificate expired in wtk 2.
  Any suggestions would be great....thanks

• How to import Root CA certificate (Firefox 22)on windows using certutil? what are the dlls required?

  I was using certutil from my application to import root CA certificate, but it it started complaining about missing dlls after Firefox 18. What are the dlls required.
  It will be appreciable if some one can give the code of Firefox (What they use), to import root CA certificates.
  Thanks

  I found the following with a google search. Hope it helps.
  *https://support.mozilla.org/questions/955513 How to add a private SSL root certificate authority
  *https://support.mozilla.org//questions/952035 Where can I download certutil.exe and the NSS Utils for Windows
  *https://www.felixrr.pro/archives/165/mozilla-nss-utils-with-nspr-compiled-for-download
  *http://wiki.cacert.org/FAQ/BrowserClients#Mozilla_Firefox

• Intermediate CA certificate and the Root CA certificate

  HI
  What are Intermediate CA certificate and the Root CA certificate ??
  What is the difference between these two types of certificates ??
  What are all the other alternative names that are used with these names ??
  thanks
  kumar

  Hi,
  An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate.
  The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.
  Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.
  Refer
  https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0
  The advantages of using intermediate certificates u2013 Sometimes referred to as u2018chainingu2019
  http://www.whichssl.com/intermediate_certificates2.html
  Root certificate
  The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers.
  a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).
  http://support.microsoft.com/kb/887413
  Thanks
  swarup

• Provide steps to send Root CA certificate to the Lync client, getting error" There was a problem verifying certificate from the server"

  Hi,
    I Build an Lync 2013 set up with FEpool, Director pool and Exchange server is integrated. I have windows 8 client machine, with Lync client installed. When I try to login to the lync client, I am getting error like"There was a problem verifying
  certificate from the server".
  When I installed ROOT CA cert  manually on client machine I am able to login to the lync client. similarly if I add my client machine in my domain, I am able to login to the Lync client.
  Now is there any other way to send the certificate automatically to the client machine (Which are NOT part of the DOMAIN) from the server, instead of manual installation process.
  Please help me troubleshoot this problem

  Agree with S Guna, there is no easy way to push a certificate automatically to a client that you don't control other than building an installer package and asking them to run it.  In this situation, if there are a lot of non-domain joined machines
  a third party certificate is the way you need to go.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Quastion marks in non-latin charecters when searching with google

  Hello,
  After installing firefox I encountered a problem.
  I am on the hebrew version of the browser, updated to the latest (33.1) version.
  When searching in the search bar with google using non-latin chars (hebrew) I am taken to google search page but instead of the search term I am getting quastion marks symbols (???????) I then need to again write the search term (which is now ok)
  This doesn't happen in DuckDuckGo or Yahoo search.
  A solution would be appreciated (and also important for other users)
  Thank you

  I can't seem to duplicate this.  Are you typing in the same place I am?　I see I only have 6.0.1...

• Servlet Displaying Quotation Marks as Non-Printable Characters

  I have a servlet which is reading an HTML file and displaying it's contents. My problem is that, in the output, quotation marks in the source html (" and ') are being reproduced as non-printable characters (). Furthermore, the same servlet prints the quotation marks fine under the Linux OS and Apache Web Server, but does not under the Windows (2000) OS and IIS Web Server (running j2sdk-1_3_0_02-win). Any suggestions would be appreciated. Code in question is below. "str" is the line from the file. :
       FileReader freader = new FileReader (filePath);
       BufferedReader breader = new BufferedReader(freader);
       String str = null;
       while ((str = breader.readLine()) != null) {
       document = document + str + "\n";
       freader.close();

  Technically, you don't need to add the "\n" in there anyway. Newlines mean nothing to an HTML file if all you're doing is displaying that file. The lack of a carriage return, when the HTML is parsed, is completely irrelevant.
  Also, when handling large String concatenations, it's always going to be more efficient to use StringBuffer.
  StringBuffer sbDocument = new StringBuffer();
  while((str = breader.readLine()) != null)
     sb.append(str);
  String document = sbDocument.toString()

• 7920 associates to root bridge but not to non-root bridge

  I have 7920s using open authentication with WEP128 cipher. I have two 1300 root AP's (with client support) and three non-root AP's (also client support) in the same lab area. The root AP's and non-Root AP's associate and link to each other no problem. However, the 7920's will only associate with the Root APs. If I power down the root APs, the 7920s show "no AP found". I've verified SSID and WEP128 keys. I've also noted that the root AP does have a channel specified under dot11radio0 but the non-roots do not. Do the 7920's just scan for any channel until it finds an association or do I need to specify a channel in the non-root bridges?
  Thanks,
  Mike.

  With static WEP, the authentication is happening at the AP level. Will want to ensure non-root is associated to a root though otherwise the interface may be in "reset" state.
  The 7920 will look at these 2 as individual APs regardless of channel. Non-roots should have the same channel as the root, otherwise will not be able to communicate.