RV120W- How to create new unique self-signed certificate?

Similar Messages

• How to replace an expiring self-signed certificate?

  Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
  First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
  It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
  The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
  It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
  I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
  I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
  Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
  http://screencast.com/t/zlVyR2Hsc
  Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
  Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
  http://screencast.com/t/54c2BUJuXO2
  Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
  Be aware that creating certificates starts to populate your server Keychain.
  http://screencast.com/t/JjLb4YkAM
  It appears that when you start to delete certificates, it leaves behind private keys.
  http://screencast.com/t/XD9zO3n16z
  If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
  OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
  In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
  Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
  Bypass "Introduction".
  In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
  The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
  You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
  In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
  The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
  (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
  Pant, pant...
  The next window asks for an email address and location information - this appears to be optional.
  Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
  Key Usage Extension window
  Here's where it gets interesting...
  I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
  Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
  Extended Key Usage Extension...
  Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
  Sorry, folks, I just HAVE to show you the help for this window...
  +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
  KILL ME NOW!!!
  OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
  Basic Constraints Extension...
  Well, there is no mention of that on the original certificate, so leave it unchecked.
  Subject Alternate Name Extension...
  Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
  DONE!!!! Let's see what the heck we got!
  http://screencast.com/t/QgU86suCiQH
  Well, I don't know about you but that looks pretty close for Jazz?
  I got some extra crap in there but the stuff from the original cert is all there.
  Think we're OK??
  Out with the old certificate (delete).
  Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
  http://screencast.com/t/bydMfhXcBFDH
  Oh yeah...one more thing in KeyChain Access...
  See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
  http://screencast.com/t/GdZfxBkHrea
  Select "Always Trust".
  I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
  I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
  Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
  If you want to see my rant on Apple's worthless documentation, it's here.
  http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

  to add to countryschool and john orban's experiences:
  using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
  in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
  when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
  supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
  you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
  now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
  after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
  lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
  maybe that's hopeful to somebody. but i stopped there since things seem to be working.
  last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
  now, we'll see how everything works once people start really using it...

• Steps to create your own self signed certificate with java plugin working

  You need two tools that comes with your jdk which are keytool and jarsigner.
  Steps explain below in detail. Don't use netscape signtool, it will NEVER work!
  * keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
  cn = Certificate name
  o = organistation
  ou = organistation unit
  c = country (first two letters)
  If don't put the -dname, you can fill it line by line.
  The -keypass has to be verify at the end, and you have to wait for it to create the rsa signing keys.
  On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if log in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for .keystore
  file. When you update it, check for the timestamp change and you know if you at the right spot.
  You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
  The .keystore contains a list of alias so you don't have to do this process again and again.
  Another tip if you want your certificate encryption validity to be more than the default one month is simply
  add the -validity <valDays>, after the -genkey option, to make your certificate usage for encryption to last much longer.
  Note: You MUST use the -keyalg rsa because for starters the rsa encyption alogorthim is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorthim when signing applets, else you will get all sorts of weird errors :)
  Do not use signtool because thats a browser dependant solution!! Java plugin is supposed to work via running it owns jre instead of the browser JVM. So if you going to use netscape signtool, it starts to become a mess! ie certificate will install, but applet won't start and give you funny security exception errors :)
  * keytool -export -alias tstkey -file MyTestCert.crt
  It will read the alias information in the .keystore information picking up the rsa private/public keys info and
  create your self sign certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
  If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
  If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
  * Put your classes in your jar file, my example is tst.jar.
  * jarsigner tst.jar tstkey
  Sign your testing jar file with your alias key that supports the RSA encryption alogorthim.
  * jarsigner -verify -verbose -certs tst.jar
  Check that its been verified.
  The last step is the most tricky one. Its to do with having your own CA (Certified Authority) so you don't
  have to fork out money straight away to buy a Verisign or Twarte certificate. The CA listing as you see in
  netscape browsers under security/signers, is NOT where the plugin looks at. The plugin looks at a file called
  CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your
  JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time in uses your
  JavaSoft folder and its the cacerts file that has to be updated you add your own CA, because thats where
  the plugin look at, NOT THE BROWSER. Everything about plugin is never to do with the browser!! :)
  * keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
  Off course point to your own cacerts file destination.
  Password to change it, is "changeit"
  Before you do this step make a copy of it in its own directory in case you do something silly.
  This example will add a CA with alias of my key called "tstkey" and store to my example destination.
  * keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
  List to see if another CA is added with your alias key.
  Your html, using Netscape embed and Internet explorer object tags to point to the java plugin,
  your own self sign applet certificate should work
  Cheers
  Abraham Khalil

  I follow Signed Applet in Plugin, and it's working on
  my computer. Thanks
  But When I open my applet from another computer on
  network, why it does not work ..?
  How to make this applet working at another computer
  without change the policy file ..?
  thanks in advance,
  AnomYou must install the certificate on that computers plugin. Can this be done from the web? can anyone suggest a batch file or otherwise that could do this for end users?
  I want a way for end users to accept my cert as Root or at least trust my cert so I dont have to buy one. I am not worried about my users refusing to accept my cert. just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.

• How to successfully import ASA self-signed certificate?

  On ASA 9.1 i am trying to export an Identity certificate, self-signed certificate into p12 file so i can import it into laptop and used it for secure connection to ASA over ASDM. I can add certificate OK using ASDM, certificate show up OK in Certificate management/dentity certificate. Exported certificate into .p12 file with passphrase OK.
  In Win XP and Windows 7 every time i try to import certificate i got message that password is incorrect. Yes, i did type correct password.
  Even thru cli i got the same error when trying to import the file.
  ASA(config)# crypto ca export ASDM_TRUSTPOINT pkcs12 password
  Exported pkcs12 follows:
  -----BEGIN PKCS12-----
  MIIHPwIBAzCCBvkGCSqGSIb3DQEHAaCCBuoEggbmMIIG4jCCBt4GCSqGSIb3DQEH
  BqCCBs8wggbLAgEAMIIGxAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQItd0L
  7e5QezkgxXzmCJKpv3GqQV5/tfk66ySnBMCGrMzsQKBa32wzHYcSerSEePNXzudJ
  Frdyc3ETMXECvO83gujQZLyJ9DfPaDy4gZHwEs9fwGqpJel/NTwUo16dtzO2Vbko
  1kc8kd
  -----END PKCS12-----
  Any tips or tricks how to get this simple task completted? Is maybe file format not right?

  Hi
  Please show the error ASA is reporting during import.
  It's working correctly with 9.1(0)2, example:
  ASA9(config)# crypto ca trustpoint TP
  ASA9(config-ca-trustpoint)# enrollment self
  ASA9(config)# crypto ca enroll TP
  WARNING: Trustpoint TP has already enrolled and has
  a device cert issued to it.
  If you successfully re-enroll this trustpoint,
  the existing certificate will be replaced.
  Do you want to continue with re-enrollment? [yes/no]: yes
  % The fully-qualified domain name in the certificate will be: ASA9
  % Include the device serial number in the subject name? [yes/no]: yes
  Generate Self-Signed Certificate? [yes/no]: yes
  ASA9(config)#
  ASA9(config)# crypto ca export TP pkcs12 123456
  Exported pkcs12 follows:
  -----BEGIN PKCS12-----
  MIIGHwIBAzCCBdkGCSqGSIb3DQEHAaCCBcoEggXGMIIFwjCCBb4GCSqGSIb3DQEH
  BqCCBa8wggWrAgEAMIIFpAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIp8j1
  +5Rh9TQCAQGAggV4DUlYOI+VlGxuCXiGnDTYx+cR5XjPca7KW7L50D5lLQQHLr+U
  fV+QVEaELnQ1MKsMm87zl9AuycuI9EeOJnPTF9Ddxy32ODzaZ4/3BaXnHl2ETyzM
  IohydDJCfscT0r2TPNlE8XSknDfftK+3g3Aa0Gi+Nsq1+NXxTdYcfdXpZHvD9tk0
  QZInQy1UG+NhCERyOe6SIbynuCBfksk9g+rRjeNW4bTNRDpCJ1DnrtpN6BCq8VGN
  QMQagUZ1ONNLaFtQegd17RxWzXUZiWQgqf0jUZnr/BJQI9bPrISkA+JnysNU3MvS
  WVKKfyGQcsYD4ExH+wi6xkohKi7hj80s9cFOyq+xpXjikZw9gKMcpoY2lLs4ivIl
  4x9bB3EQ3xYW5nxbORwDx5xEyYLMUNkVRvC14ts+RB2QcEAXwq2JaaNuO6aBvjhj
  8mpHjXR+wkxV8Mm+UYEed2f1SuzjtZ966OPYW0YkmXGTH+wt/rxbCROAqnmh6HGz
  pU4H5/yhHgBIJOd6vZaKf5XlnX17wSniM+JRw4FsArVpuNOZFeCkDsHHFP6TPYII
  h2aS2jBEH2KW0KuzEP0rHOJ8WVjZgVucSu0pb+vVGw3MzsBl14CnL5kZcPe+81wJ
  XnFibhkucyo9arO/kcc7OtMcAuoktGfBVb1jrX6Se/SY8GFrzYbikNuT4DI4/dw+
  OinRXOX7S/Bhaefx4JSFYoL/7agD7f+kwzv7qAEyIQtjxoGgYuqY2lZVsbZL05dJ
  0D3xDkSDOc9H/5M5nZqP/xwnqVMoREPvt/a+ZdGezfzApUYUH/VAU4NzST44QcvM
  mdeeizpj0VwA7WdZOrMaJll927NGb1RikmtE+6ITgdiksuJVOeNWcXuq00sDAxvZ
  fv7tOQxgWX0+LNKaFd1Ef7PF9KqsJLQnbC28GC9GBNExcc9Pm+Kqfq6qj7HEosHt
  kPSfLFs0kkQQzq+G4xH6pzKQkG7Yt3xjLblI9IdWsCvuHLl8fgN0LHpVXPi9iftW
  PqGG8f9dCymAqHKFEnZzOiCcNlKKG+ddAN7Qb4mGVBYsaeROvVWBL2aAzIDpL7Uv
  8rFHsJVKk/yCruuNSDjmbbaTlYxb2iglo2MkgGsCO5X7fOPTCO3C+UikFyOi6/7c
  fSyn+LE6Za76kdRn4V2FHGG767nBxFBR/bB+uzngR+w/GzIgHQahpJ2xJlKumS2M
  yiy3kGYDhIN+WV6Lz91YwZpSobk1qrcn/7fzl2FFaY6+3+AgAXiOeVL7DyPHqm3N
  gX1EGBzwqeN9h7BeaTJvebhrvtLDU97UnPeyyFZTiSQWZhhRjqsr5mI69NvDybkq
  Db1Rx/Awnqg72RtnwOPxGNlTlRMUK7PjQNW6Kc2F7iy0byyNab9BEO6DNIN8RtXS
  WyioVOdFrFXIYPYnuvoPp46remUaaI4B4428cS7YfWHP5pq0j0PUj0gZnJM7aM0c
  VTHkVp2eZVSBFd9/Tv1q7+2tM5PhRE8ZCKcIIqJq2UJm4+HcIXGCgpIlfW3jL4t7
  qmkfu0ClnHgmoSJBycPxTPaU38FQk2ZmYcnV2RAZxtwL51q5WhAvXi0amATF2h6h
  FtcAP+Iq4Xx8s+wkcaK4I/puK0+wmMyslESWhq3RfB73BKyT9/J4FONliyAQP+4M
  JKkvkMAPx7Do6fqItHhbRR4FxQXg+al21UTLZ9aaY7PGjuqMZ40JY175qPG7CJFn
  bEOfHQGZjLbmqJfJByG6U5mQBoLr4XzTYPrtvErV/TrTGPK4RVATXgnQ/re7TD/G
  p0klPQcDHBkbnAuMVt88Q4QlqZKAov8ofLZr8IvlKsfmPFTFpfqCQCIMa1uGo6P9
  v8zGHGyvZwsOXwB1vMKAfpINCR0wPTAhMAkGBSsOAwIaBQAEFJb8DGrkwS6ApBkL
  0TXZXRY3WGx3BBSBXw+QkTTFm7BL+FS1KoeOupwmowICBAA=
  -----END PKCS12-----
  ASA9(config)#
  ASA9(config)#
  ASA9(config)# no crypto ca trustpoint TP
  WARNING: Removing an enrolled trustpoint will destroy all
  certificates received from the related Certificate Authority.
  Are you sure you want to do this? [yes/no]: yes
  ASA9(config)# crypto key zeroize rsa
  WARNING: All RSA keys will be removed.
  WARNING: All device digital certificates issued using these keys will also be removed.
  Do you really want to remove these keys? [yes/no]: yes
  ASA9(config)# crypto ca trustpoint TP2
  ASA9(config)# crypto ca import TP2 pkcs12 123456
  Enter the base 64 encoded pkcs12.
  End with the word "quit" on a line by itself:
  MIIGHwIBAzCCBdkGCSqGSIb3DQEHAaCCBcoEggXGMIIFwjCCBb4GCSqGSIb3DQEH
  BqCCBa8wggWrAgEAMIIFpAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIp8j1
  +5Rh9TQCAQGAggV4DUlYOI+VlGxuCXiGnDTYx+cR5XjPca7KW7L50D5lLQQHLr+U
  fV+QVEaELnQ1MKsMm87zl9AuycuI9EeOJnPTF9Ddxy32ODzaZ4/3BaXnHl2ETyzM
  IohydDJCfscT0r2TPNlE8XSknDfftK+3g3Aa0Gi+Nsq1+NXxTdYcfdXpZHvD9tk0
  QZInQy1UG+NhCERyOe6SIbynuCBfksk9g+rRjeNW4bTNRDpCJ1DnrtpN6BCq8VGN
  QMQagUZ1ONNLaFtQegd17RxWzXUZiWQgqf0jUZnr/BJQI9bPrISkA+JnysNU3MvS
  WVKKfyGQcsYD4ExH+wi6xkohKi7hj80s9cFOyq+xpXjikZw9gKMcpoY2lLs4ivIl
  4x9bB3EQ3xYW5nxbORwDx5xEyYLMUNkVRvC14ts+RB2QcEAXwq2JaaNuO6aBvjhj
  8mpHjXR+wkxV8Mm+UYEed2f1SuzjtZ966OPYW0YkmXGTH+wt/rxbCROAqnmh6HGz
  pU4H5/yhHgBIJOd6vZaKf5XlnX17wSniM+JRw4FsArVpuNOZFeCkDsHHFP6TPYII
  h2aS2jBEH2KW0KuzEP0rHOJ8WVjZgVucSu0pb+vVGw3MzsBl14CnL5kZcPe+81wJ
  XnFibhkucyo9arO/kcc7OtMcAuoktGfBVb1jrX6Se/SY8GFrzYbikNuT4DI4/dw+
  OinRXOX7S/Bhaefx4JSFYoL/7agD7f+kwzv7qAEyIQtjxoGgYuqY2lZVsbZL05dJ
  0D3xDkSDOc9H/5M5nZqP/xwnqVMoREPvt/a+ZdGezfzApUYUH/VAU4NzST44QcvM
  mdeeizpj0VwA7WdZOrMaJll927NGb1RikmtE+6ITgdiksuJVOeNWcXuq00sDAxvZ
  fv7tOQxgWX0+LNKaFd1Ef7PF9KqsJLQnbC28GC9GBNExcc9Pm+Kqfq6qj7HEosHt
  kPSfLFs0kkQQzq+G4xH6pzKQkG7Yt3xjLblI9IdWsCvuHLl8fgN0LHpVXPi9iftW
  PqGG8f9dCymAqHKFEnZzOiCcNlKKG+ddAN7Qb4mGVBYsaeROvVWBL2aAzIDpL7Uv
  8rFHsJVKk/yCruuNSDjmbbaTlYxb2iglo2MkgGsCO5X7fOPTCO3C+UikFyOi6/7c
  fSyn+LE6Za76kdRn4V2FHGG767nBxFBR/bB+uzngR+w/GzIgHQahpJ2xJlKumS2M
  yiy3kGYDhIN+WV6Lz91YwZpSobk1qrcn/7fzl2FFaY6+3+AgAXiOeVL7DyPHqm3N
  gX1EGBzwqeN9h7BeaTJvebhrvtLDU97UnPeyyFZTiSQWZhhRjqsr5mI69NvDybkq
  Db1Rx/Awnqg72RtnwOPxGNlTlRMUK7PjQNW6Kc2F7iy0byyNab9BEO6DNIN8RtXS
  WyioVOdFrFXIYPYnuvoPp46remUaaI4B4428cS7YfWHP5pq0j0PUj0gZnJM7aM0c
  VTHkVp2eZVSBFd9/Tv1q7+2tM5PhRE8ZCKcIIqJq2UJm4+HcIXGCgpIlfW3jL4t7
  qmkfu0ClnHgmoSJBycPxTPaU38FQk2ZmYcnV2RAZxtwL51q5WhAvXi0amATF2h6h
  FtcAP+Iq4Xx8s+wkcaK4I/puK0+wmMyslESWhq3RfB73BKyT9/J4FONliyAQP+4M
  JKkvkMAPx7Do6fqItHhbRR4FxQXg+al21UTLZ9aaY7PGjuqMZ40JY175qPG7CJFn
  bEOfHQGZjLbmqJfJByG6U5mQBoLr4XzTYPrtvErV/TrTGPK4RVATXgnQ/re7TD/G
  p0klPQcDHBkbnAuMVt88Q4QlqZKAov8ofLZr8IvlKsfmPFTFpfqCQCIMa1uGo6P9
  v8zGHGyvZwsOXwB1vMKAfpINCR0wPTAhMAkGBSsOAwIaBQAEFJb8DGrkwS6ApBkL
  0TXZXRY3WGx3BBSBXw+QkTTFm7BL+FS1KoeOupwmowICBAA=
  quit
  INFO: Import PKCS12 operation completed successfully
  ASA9(config)#
  ASA9(config)# sh crypto ca certificates
  Certificate
    Status: Available
    Certificate Serial Number: 6e85f150
    Certificate Usage: General Purpose
    Public Key Type: RSA (1024 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name:
      hostname=ASA9+serialNumber=123456789AB
    Subject Name:
      hostname=ASA9+serialNumber=123456789AB
    Validity Date:
      start date: 15:52:01 UTC Jan 12 2013
      end   date: 15:52:01 UTC Jan 10 2023
    Associated Trustpoints: TP2
  You might want to enable debugs: "debug crypto ca 255".
  Be carefull when typing password - watch out for trailing space !
  Michal

• How to Generate a Proper Self Signed Certificate for RV180W

  Right now the Self-signed Certificate on my RV180W generates errors as it was issued to the MAC address instead of the current IP address. Could someone please provide me insrtucions on Generating a Self-Signed certificate (or 1 from my Windows Server 2012 Certification Authority) that will eliminate the constant barreage of certificate errors I get when trying to access the management interface of my device?  the internal domain is mythos.local, netbios name of MYTHOS, and the device name in question is surtur.
  Thanks in advance,
  Robert Hessenauer

  Anybody?  It is unlike everyo9ne to ignore a post without comment for 9 days.
  Not complaining (woll maybe just a bit)
  Robert Hessenauer

• How to Install a trusted self signed certificate in iPhone?

  Hi,
  I'm trying to install a self signed CA certificate in an iPhone 4S (IOS 5.1) but always the certificate is showed as "Not Trusted".
  I have an iPhone 4 (same IOS 5.1) and when I install the same certificate it appear as Trusted. I have the same behavior in some iPads.
  I think this is the reason because my VPN is not working. When a try to use a Cisco VPN with certificate always receive the "Could not validate the server certificate." error in the devices how can't trust in my CA.
  Anyone have a clue about how to resolve this?

  You need to use a profile updater like iPhone configuration utility.
  1. Create a configuration profilecredential.
  2. In the profile go in credential and add/import the root certificate from the authority you want to have.
  3. Install the profile on the device.
  I should work.
  HTH,
  ../Bruno

• How can I replace the self-signed certificate on a SL150?

  Hi,
  I would prefer to have our internal CA sign the SSL-certificate for our SL150.
  Is this possible? Where can I find the configuration to generate a request and upload the certificate?
  Thanks,
  /M

  http://h10032.www1.hp.com/ctg/Manual/c01918142.pdf
    Videos from the HP Media Service Library
   http://h20574.www2.hp.com/default.htm?lang=en&cc=U​S&hpappid=psml
   It's probably easier to order a new board as it's separate from the main mother board.

• Self Signed Certificate for Web Proxy 4.0.2

  Does anyone have instructions on how to create and install self signed Certificate for Web Proxy Server 4.0.2? My OS is RHEL 4.
  Shed.

  Unfortunately you will not be able to do that from the GUI.
  You will have to use certutil frin proxy-install/bin/proxy/admin/bin/certutil
  Make sure that your LD_LIBRARY_PATH includes proxy-install/bin/proxy/lib
  (start -shell will give you a shell with all necessary paths set.)
  create a file called password-file which contains your password to your cert database
  your cert database resides in the alias directory of proxy installation.
  certutil -S -s "CN=My Issuer" -n myissuer -x -t "C,C,C" -1 -2 -5 -m 1234
  -f password-file -d certdir

• How to renew your self-signed certificate p12 with Flash Builder

  I have been using a self-signed certificate (generated using Adobe Flash Builder 4.7) for my Android app. The app is live on Google Play market but the certificate is going to expire soon, and I know if I create new certificate and update my app, existing Android users will not be able to auto-update the app (as the App's Signature has been changed). I would like to know how can we re-new the self-signed Certificate .p12 with Flash Builder?
  Thank you very much.

  After doing my research about the self-signed certificate created by Adobe Flash Builder , I realized that was my mistake to think that the certificate would expire soon. I doubled check the expiration date of my self-signed certificate and the date was set to 35 years after I generated it using flash builder 4.7 (which is very safe).
  For anyone who wants to check the self-signed .p12 expiration date you follow the instruction from this link:
  http://bsdsupport.org/how-do-i-determine-the-expiration-date-of-a-p12-certificate/
  Hope it helps

• How do I install this self-signed SSL certificate?

  I haven't been able to connect to the jabber server I've been using (phcn.de) for quite some time now, so I filed a bug report with mcabber. The friendly people there told me to install phcn.de's self-signed certificate, but I can't figure out for the life of me how to do that.
  I know I can download something resembling a certificate using
  $ gnutls-cli --print-cert -p 5223 phcn.de
  Which does give me something to work with:
  Resolving 'phcn.de'...
  Connecting to '88.198.14.54:5223'...
  - Ephemeral Diffie-Hellman parameters
  - Using prime: 768 bits
  - Secret key: 767 bits
  - Peer's public key: 767 bits
  - PKCS#3 format:
  -----BEGIN DH PARAMETERS-----
  MIHFAmEA6eZCWZ01XzfJf/01ZxILjiXJzUPpJ7OpZw++xdiQFBki0sOzrSSACTeZ
  hp0ehGqrSfqwrSbSzmoiIZ1HC859d31KIfvpwnC1f2BwAvPO+Dk2lM9F7jaIwRqM
  VqsSej2vAmAwRwrVoAX7FM4tnc2H44vH0bHF+suuy+lfGQqnox0jxNu8vgYXRURA
  GlssAgll2MK9IXHTZoRFdx90ughNICnYPBwVhUfzqfGicVviPVGuTT5aH2pwZPMW
  kzo0bT9SklI=
  -----END DH PARAMETERS-----
  - Certificate type: X.509
  - Got a certificate list of 1 certificates.
  - Certificate[0] info:
  - subject `CN=phcn.de', issuer `CN=phcn.de', RSA key 1024 bits, signed using RSA-SHA, activated `2009-05-04 08:26:21 UTC', expires `2014-04-08 08:26:21 UTC', SHA-1 fingerprint `d01bf1980777823ee7db14f8eac1c353dedb8fb7'
  -----BEGIN CERTIFICATE-----
  MIIBxzCCATCgAwIBAgIINN98WCZuMLswDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UE
  AwwHcGhjbi5kZTAeFw0wOTA1MDQwODI2MjFaFw0xNDA0MDgwODI2MjFaMBIxEDAO
  BgNVBAMMB3BoY24uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALqS+tnB
  tNruBGdcjw0o+BWSdfkKH4T3VpS7bkrsS0q7RD5iUIao7jH2lJqTk1TrLbQe28+R
  H0X9Ya+w22iYFea2l3wkrTnBfgdSZbRhpSxgVvC2QEBMoSrEQoRpo5lzXadRlob/
  RQ+rhu/cWCNeiRJzfkmNirPVEciGKQHrwKxxAgMBAAGjJjAkMCIGA1UdEQQbMBmg
  FwYIKwYBBQUHCAWgCwwJKi5waGNuLmRlMA0GCSqGSIb3DQEBBQUAA4GBALFBalfI
  oESZY+UyVwOilQIF8mmYhGSFtreEcUsIQvG1+cgD16glKehx+OcWvJNwf8P6cFvH
  7yiq/fhMVsjnxrfW5Hwagth04/IsuOtIQQZ1B2hnzNezlnntyvaXBMecTIkU7hgl
  zYK97m28p07SrLX5r2A2ODfmYGbp4RD0XkAC
  -----END CERTIFICATE-----
  - The hostname in the certificate matches 'phcn.de'.
  - Peer's certificate issuer is unknown
  - Peer's certificate is NOT trusted
  - Version: TLS1.0
  - Key Exchange: DHE-RSA
  - Cipher: AES-128-CBC
  - MAC: SHA1
  - Compression: NULL
  - Handshake was completed
  - Simple Client Mode:
  Unfortunately, the above command spits out more than a certificate. Do I need the additional information? If so, what do I need it for? Where do I need to put the certificate file?

  Hi,
  I recently found out a way how to install test or self-signed certificates and use it with S1SE.
  See:
  http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
  Follow the instructions there
  1. Create CA
  2. Create root ca certificate
  Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
  Paste the contents of the file: cacert.pem into the message-text box.
  Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
  The next step is to send a certificate-request from S1SE to your e-mail-address.
  The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
  Now just sign the Request:
  CA.pl -sign
  The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
  Then you have to reboot the server/instance again and it should work with your certificate.
  Regards,
  Dominic

• How do i install a self signed server certificate

  After using the admin tool to generate a request CSR, how do I sign this myself for testing purposes so I can install it and therefore run using https?
  I have keytool and certutil both available on the system.
  My most recent solution was to cut and paste the request to www.thawte.com/cgi/server/test.exe and it would return a certificate that was good for 21 days. This however is not the solution I am looking for.
  Thanks

  Hi,
  I recently found out a way how to install test or self-signed certificates and use it with S1SE.
  See:
  http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
  Follow the instructions there
  1. Create CA
  2. Create root ca certificate
  Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
  Paste the contents of the file: cacert.pem into the message-text box.
  Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
  The next step is to send a certificate-request from S1SE to your e-mail-address.
  The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
  Now just sign the Request:
  CA.pl -sign
  The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
  Then you have to reboot the server/instance again and it should work with your certificate.
  Regards,
  Dominic

• Problems with Creating a self-signed Certificate

  hi,
  I read the keytool Documentation and wanted to create my own self-signed certificate.
  ok, I followed the steps :
  1) keytool -keyclone -alias origkey -dest my_key
  2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
  3) keytool -certreq -alias my_key (output in mycert.cer)
  4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
  .. Password Input...
  Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
  But it exists, see :
  [usr]$ keytool -list
  Keystore-Typ: jks
  Keystore-Provider: SUN
  new_key, 06.05.2003, keyEntry,
  So it exists, but why do I get the error ?
  So far,
  Stefan Gross

  stefan hi,
  i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
  and then using the keystore you can create as many certificates as possible based on the key pair.
  try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
  hope this time it'll work, let me know.
  cem.
  note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
  To set up a digital certificate,
  Generate a key pair.
  The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
  To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
  keytool -genkey -keyalg RSA -alias tomcat-server
  -keystore <keystore_filename>
  The keytool utility prompts you for the following information:
  Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
  First and last name--Enter the appropriate value, for example, JWSDP.
  Organizational unit--Enter the appropriate value, for example, Java Web Services.
  Organization--Enter the appropriate value, for example, Sun Microsystems.
  City or locality--Enter the appropriate value, for example, Santa Clara.
  State or province--Enter the unabbreviated name, for example, CA.
  Two-letter country code--For the USA, the two-letter country code is US.
  Review the information you've entered so far, enter Yes if it is correct.
  Key password for the Web server--Do not enter a password. Press Return.
  The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
  Creating a Self-Signed Certificate
  This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
  Export the server certificate to a certificate file:
  keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
  Enter the password (changeit).
  Keytool returns the following message:
  Certificate stored in file <server.cer>
  Import the new server certificate into the Certificate Authority file cacerts.jks:
  keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
  -file server.cer
  Enter the password (changeit).
  Keytool returns a message similar to the following:
  Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Serial number: 3e39e3e0
  Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
  Certificate fingerprints:
  MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
  SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  ----------------------------------

• How pass client credentials to ws client and accept self signed certificate

  How do you connect to a web service over ssl and accept self-signed certificates. I generated the client using JAX-WS but i ran into two problems. First of all, how do you pass the client credentials? And second, how can you accept a self-signed certificate?

  Thanks for your comments Jason.
  I'm not quite sure why the certificate has client auth. It does seem to be a misconfiguration, but I do see both 7.3.1 & 7.3.2 on the cert. That seems like a possible fix, but in a backwards way.  I can get those certificates reissued, but I'm confused
  as to why config manager itself is not installing per the site settings.
  My default install is via a vbs script you wrote (1.6.5).  The other methods I've tried in this particular instance are by browsing to the server and running ccmsetup.exe from explorer out of my sms_<site> directory, and by using command line
  specifying the /mp:mp.mysite.com
  I looked for command line switches to use, but there's no /NoUsePKI switch or /UseSelfSigned...
  any suggestions for a better installation method?

• How to renew a self signed certificate

  Hello,
  Can someone tell me how I can renew a self signed certificate ? I can't find the relevant option with the certadmin command.
  thx,
  Tom.

  Hi,
  thanks I had scanned through that document, but it doesn't tell you how to renew a self signed certificate. I went through all the options of the certadmin tool, and renewing a certificate is not one of them. So I guess it must be done manually via some pki binary somewhere on my system, but which one and how ?

• Cannot upload self signed certificate on EZ Media

  The problem I have is on my Lenovo Iomega EZ Media & Backup Center 3TB, version 4.1.108.32627
  Using openssl I created the following self signed certificates in both .pem and .der format:
  -CA.cert.pem( this is the CA that I used to sign the server certificate that I intend to upload to the Iomega EZ; I installed this in my browser, works ok )
  -server.cert.pem ( this is the certificate that I want to install on server )
  -server.key.pem ( this is the key that I used to make the certificate signing request that I used to generate server.cert.pem ).
  From the security menu ( https://<personal_cloud_url>/manage/security.html ) I try to install server.cert.pem ( and also in .der format ).
  The problem is that I receive this error:
  "Failed to validate the uploaded certificate"
  Same error is seen when I try to upload CA.cert.pem/.crt.
  I red the help file for this particular security page, but I could not find anything about the required format of the certificate.
  Does anyone have any idea how to install a self signed certificate?
  Thank you.
  Solved!
  Go to Solution.

  Hello zupermann
  Iomega/LenovoEMC Lifeline devices only support x.509 certificates with one private key and pem extension.  
  This should be the format used to create an open ssl cert for use with a lifeline device 
  " # openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout newCertificate.pem -out newCertificate.pem "
  Hope that helps!
  LenovoEMC Contact Information is region specific. Please select the correct link then access the Contact Us at the top right:
  US and Canada: https://lenovo-na-en.custhelp.com/
  Latin America and Mexico: https://lenovo-la-es.custhelp.com/
  EU: https://lenovo-eu-en.custhelp.com/
  India/Asia Pacific: https://lenovo-ap-en.custhelp.com/
  http://support.lenovoemc.com/