SBS2008 Self signed certificate renewal: Root CA not trusted by clients

Following the prompt from the Critical Event emails, namely:
Title: Leaf certificate expiring
Source: Networking - Certificate
Description: The certificate that is helping to secure your Web site traffic will expire in less than two weeks. Before then, run the Fix My Network Wizard from the Connectivity subtab on the Network page of the Windows SBS Console.
Now all the domain clients are popping up certificate errors when launching Outlook and get certificate warnings on internal access to RWW or OWA. Internal client access to the latter generates a warning about the Root CA certificate not being trusted (the remote.domainname is OK). The Root CA has been created today as part of the FMNW (log shows this step). Running the certificate install package on the client solves this OK, but I thought that was unnecessary on domain joined machines?
I can push out the certificate via GPO to sort this, but would appreciate any feedback on whether this is "expected behaviour" from the FMNW.
Thanks

Hi,
I’m glad to hear that you have resolved the issue and thanks for sharing your solution in the forum. This will help others who face the same scenario resolve the issue quickly. If there is anything else I can do for you, please do not hesitate to let me know. I will be very happy to help.
Best Regards,
Andy Qi
TechNet Subscriber Support

Similar Messages

  • New self signed certificate, how to mark as trusted for all users on clients

    We have a new 10.8 server that we are currently using for iChat/Messages service.  We have created a self signed certificate to encrypt the traffic to the Messages service since we have the service accessible for internet and phone users.  We use network accounts and users need to log in on several different machines when in the office.
    Can anyone suggest how to tell a client machine to trust the certificate for all users?
    Currently, each user is asked to trust the certificate on each client they log into.
    I have imported the server certificate into the client's system keychain in Keychain Access and asked it to trust the certificate for all items manually.  This does not appear to allow all users to trust the certificate since subsequent users who have not yet trusted the certificate on the test client are still asked to confirm trust.  When opening the iChat.app the users are still prompted to verify the certificate which now indicates that it is trusted for all users.

    Resolved.
    - Drag certificate from verification dialog.
    - Import into System Keychain
    - Select certificate in System Keychain and select "i" button at bottom of window.
    - Set all items to always trust.

  • Self Signed Certificates on Exchange 2003 not work...

    Hi all. Small business scenario - several new E71s (on Orange) trying to synch up with Exchange. The selfssl creates a certificate that works fine with OWA, WM5+ etc but will not be recognised by E71 when imported. When you look at the file it just says 'unrecognised'. It is doing our heads in. Orange support are useless. I have seen several posts for this on various sites - but never a solution.
    In short, is there any tip/trick/utility that will allow our X.509 cer to be recognised and installed on an E71? We love the E71 device. It is the only smartphone we've had that lasts past lunchtime but we can't get this bit to work. Although I bet a public key would work, there is a specific reason we want to use our selfssl - it's not that we're being cheapskate.
    Any help would be greatly appreciated - and I'm sure a bunch of other exchange E71 users will be grateful too.

    Hi All,
    I have the same problem:
    Exchange 2003 - OWA
    certificate exported successfully (DER X,509) - extension .CER
    Transferred to E75
    --> File is not recognized as a certificate
    Thanks for some help
    Best regards
    Peter

  • J2me Code Signing:Self Signed Certificate VS Unknown Certificate VS No Cert

    Hello all,
    I have developed a J2ME application which I want to digitally sign with a certificate
    that I am going to buy from Verisign. The application is simply doing http/https connections.
    My questions are:
    (1) Which tool should I use? WTK 2.5.2 signing tools or something else like openssl?
    (2) In which security domain should I include my certificate? identified_third_party or something else?
    Additionally, let's say that the phone in which I am going to install my application for some reason does NOT
    CONTAIN the appropriate ROOT certificate from Verisign (in which belongs the certificate that I will buy).
    The (crucial) questions are:
    (A) What will happen if I try to install my signed MIDlet on a handset not containing the Verisign root certificate?
    Will it be installed, or will no installation take place at all?
    (B) What will happen if I sign my MIDlet with a "self signed" certificate and install it on my handset?
    Finally, what must be my decision for handsets that do not include the appropriate Verisign ROOT certificate?
    (a) Sign my application with the certificate that I will buy from Verisign?
    (b) Sign my application with a "self signed" certificate?
    (c) Do not sign the application at all?
    (d) Buy a second certificate from another CA authority, i.e. Thawte
    Please HELP!
    Thanks
    NiKolaos

    (1) Which tool should i use? WTK 2.5.2 signing tools or something else like openssl?
    (2) In which Security domain should i include My certificate? identified_third_party or something else?
    Did you check the WTK User Guide? In my version of WTK (2.5.1), the guide contains quite a large chapter *"Security and MIDlet Signing"* explaining how to use various WTK utilities.
    As far as I can tell, this chapter in particular describes how to emulate real world usage with WTK, for example how to create a key pair and sign a MIDlet (for testing purposes only) and how to emulate real world certificates management (again, for testing purposes).
    This chapter also describes toolkit procedure for signing MIDlet suites with real keys and how to import certificates.
    Chapter also contains sections explaining security policies and protection domains.

  • Self signed certificate set up

    I'm looking for a little assistance properly setting up a self signed certificate.
    We are running, mail, webmail and https using the "default" certificate which is created in the OS installation. Each time we try to use mail with SSL or https we get the usual message that the browser cannot trust the site since the certificate is self signed. The pop up message is annoying to have to deal with each time we go to our webmail via https or mail with SSL.
    Following advice found in Safari forums, I copied the certificate, accessible in the pop up message, to the client machine, opened keychain access app, imported the certificate and told the keychain to "always allow." I still get the pop up message no matter what I do. The imported certificate says it is not trusted in the root servers. I also got a message about a name mismatch??
    Can someone help with setting up a self signed certificate which can actually be trusted if I tell my client I want it to be.
    Thank you.

    Resolved this on my own with continued testing. For anyone else who looks this up...
    It appears that the name of the self signed certificate must be for the server the client is logging into.
    SERVER
    Certificate name for www.domain.com/webmail needs to be named www.domain.com
    Certificate for attaching to a mail server pop.domain.com or smtp.domain.com as appropriate needs to be named pop.domain.com or smtp.domain.com as appropriate.
    CLIENT
    As mentioned above, the certificate does need to be imported into the keychain for each client machine. After it is imported make sure to select the certificate and select trust settings as needed. In my case we set it to always trust and we no longer get the questioning pop up.
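The name-matching rule from the resolution above, as an added example (not part of the original posts). It uses a simplified form of the usual client rules: DNS subjectAltName entries take precedence over the subject CN, and a wildcard is accepted only as the whole leftmost label. The function names and sample certificates are constructed; the host names are the post's placeholders.

```python
# Constructed samples in the dictionary shape returned by
# ssl.SSLSocket.getpeercert(); host names are the post's placeholders.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.domain.com"),),),
}
CERT_MULTI_SAN = {
    "subject": ((("commonName", "www.domain.com"),),),
    "subjectAltName": (
        ("DNS", "www.domain.com"),
        ("DNS", "pop.domain.com"),
        ("DNS", "smtp.domain.com"),
    ),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.domain.com"),),
}


def presented_names(cert):
    """Names a client compares against: SAN DNS entries, else subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans  # when DNS SANs are present the CN is not consulted
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive, label-by-label comparison (simplified rule set)."""
    want = pattern.lower().rstrip(".").split(".")
    have = host.lower().rstrip(".").split(".")
    if len(want) != len(have):
        return False  # a wildcard never spans more than one label
    if want[0] == "*" and len(want) >= 3:
        return "*" not in "".join(want[1:]) and want[1:] == have[1:]
    return "*" not in pattern and want == have


def covered(cert, hosts):
    """Map each endpoint name to whether the certificate is valid for it."""
    names = presented_names(cert)
    return {host: any(name_matches(n, host) for n in names) for host in hosts}


if __name__ == "__main__":
    endpoints = ["www.domain.com", "pop.domain.com", "smtp.domain.com"]
    for label, cert in (("www only", CERT_WWW_ONLY),
                        ("multi-SAN", CERT_MULTI_SAN),
                        ("wildcard", CERT_WILDCARD)):
        print(label, covered(cert, endpoints))
```

A certificate named only for www.domain.com still produces a mismatch warning on pop.domain.com and smtp.domain.com even after it is trusted in the keychain; one certificate listing every service name as a SAN covers all three.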

  • Safari on Windows could not accept self-signed certificate

    Hi, I am using Safari 5.0.4 on Windows 7 and I am trying to access an https site with a self-signed certificate (internal developing site).
    After I install the certificate to the Windows certificate store (I tried both Personal store and Trusted Root Certification), when I try to browse the site, Safari asks me to choose a certificate; after I choose it, after a long hang time, Safari displays "Safari can't open the page".
    My questions are:
    1. Has anyone configured Safari on Windows to accept a self-signed certificate successfully?
    2. I see some other posts saying "Safari on Windows has bug to use the self-signed certificate"; is there any official document or link saying this, if this is true?

    Microsoft Windows web browser support questions?   Try one or more of these resources:
    http://technet.microsoft.com/en-us/library/cc747495(WS.10).aspx
    http://www.leonmeijer.nl/archive/2008/08/01/123.aspx
    http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-ie8-to-accept-a-self-signed-certificate
    That was from tossing the /internet explorer import self-signed certificate/ query at Google, and some poking around.  StackOverflow and Microsoft Technet and the Microsoft KBs have more details on Microsoft platforms and products and permutations, too.
    The usual best fix with this stuff is to create your own certificate authority (CA) root certificate and to configure that within your chosen platforms and browsers, but I do not know (off-hand) how to do that on Microsoft Windows boxes.  Google or some KB probably has details of loading your own root cert.  This approach means loading one cert, and the rest of what you create that's signed from that cert will now automatically be trusted.  Basically you become your own CA provider, load your root cert into each of your clients, and then issue your own certs chained from your own root cert, and Bob's Your Uncle.

  • How to renew a self signed certificate

    Hello,
    Can someone tell me how I can renew a self signed certificate ? I can't find the relevant option with the certadmin command.
    thx,
    Tom.

    Hi,
    thanks I had scanned through that document, but it doesn't tell you how to renew a self signed certificate. I went through all the options of the certadmin tool, and renewing a certificate is not one of them. So I guess it must be done manually via some pki binary somewhere on my system, but which one and how ?

  • Renewing Self Signed Certificate for WAAS Central Manager

    Hi,
    We would like some help from you about the following: We have an WAAS Central Manager which its self-signed certificate validity has expired as showed below:
            Validity
                Not Before: Jul  7 00:47:06 2009 GMT
                Not After : Jul  6 00:47:06 2014 GMT
    We have used its certificate to install some other remote WAAS Express routers. 
    We would like to know the following:
    1. is it possible to renew this certificate? or 
    2. do we need to reinstall another certificate on CM and replicate this new one on these waas express remote devices?
    If affirmative for at least one of them, please, could you share any document that describe how to do it?
    I have attached some output commands from our CM.
    Thanks,
    Marcelo

    attaching file now!!!
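A way to turn a Validity block like the one quoted above into an expiry check, as an added example (not from the original posts). The sample text is constructed from the dates in the post, the function names are hypothetical, and the 14-day warning window is an assumption mirroring the "less than two weeks" wording of the SBS alert at the top of the page.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity block from the post, in the layout
# used by certificate text dumps.
SAMPLE_DUMP = """\
        Validity
            Not Before: Jul  7 00:47:06 2009 GMT
            Not After : Jul  6 00:47:06 2014 GMT
"""

_FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for which, stamp in _FIELD.findall(text):
        # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form
        # and raises ValueError on anything else.
        seconds = ssl.cert_time_to_seconds(stamp)
        found[which] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if "Before" not in found or "After" not in found:
        raise ValueError("validity block is incomplete")
    return found["Before"], found["After"]


def classify(text, now, warn=timedelta(days=14)):
    """Return (state, delta): not-yet-valid, expired, expiring or ok."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid", not_before - now
    if now >= not_after:
        return "expired", now - not_after
    remaining = not_after - now
    return ("expiring" if remaining <= warn else "ok"), remaining


if __name__ == "__main__":
    for day in ("2014-06-01", "2014-06-25", "2014-07-10"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        state, delta = classify(SAMPLE_DUMP, now)
        print(day, state, delta.days, "days")
```

Run on a schedule against every self-signed certificate that other devices have been told to trust, this gives time to plan the re-distribution before the expiry date rather than after it.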

  • Mail App Not Working with Self-Signed Certificates

    First and foremost, I apologise for starting another thread that is 90% similar to others but I wanted to avoid falling into an existing context.  Like many others, I am having issues with the Mail App in Mavericks but I have an email account other than G-Mail.
    That being said, here is the issue I am having.  Until recently I never had an issue sending and receiving email from various accounts.  My Internet provider, an Exchange account, even a G-Mail account.
    Yesterday, my Web hosting provider issued a new (self-signed) certificate as the old one had expired (which was also a self-signed certificate).  While I am able to still receive messages, I am no longer able to send any.
    I have tried numerous possible solutions to no avail.  I have removed and readded my email account, I have refreshed my SMTP settings, I have removed all semblance of the account from my Key Chain, added the Certificate manually with full trust, and I have even flushed the caches from my ~/Library/ folder.  The last one perked up the Mail App but did not restore my ability to send messages from my Web provider's SMTP server.
    I suspect this is a bug in the Mail App but I'm hoping I can find a few last solutions before I file a bug report.
    In the meantime, I am using another outgoing server from my Internet provider.  It will do but for consistency I'd much rather use the outgoing server that came with the email account in question.
    I am all but convinced it is the Mail App as Thunderbird is able to use the SMTP server just fine and I am still able to send messages using the exact same settings on my iPhone and iPad.
    In case it helps, I am using a Early 2011 MacBook Pro with the latest Mavericks update (which ironically was meant to solve some issues other users had with the Mail App).
    On a related note, I wish I had stayed on Snow Leopard.  I did not have a single issue with that OS.  Now I feel like I am working on Windows Vista again and I am waiting for the Apple version of Windows 7 to set things right.

    MrsCDS wrote:
    I am using an iPhone 6 plus on iOS 8.1 and suddenly my Yahoo email account will not populate to my Mail app. I have deleted and re-added the account and also re-booted the phone with no luck. I get the spinning wheel up by my Wi-Fi signal that suggests it's attempting to do something, but the bottom of the Inbox only says "Updated Yesterday." Has anyone else experienced this or can someone, especially an Apple employee, tell me how to fix this?
    There is no Apple in this user to user technical forum, if you want an Apple employee you would need to take your phone to the Apple store.
    What happens when you switch to using cellular data?  Does your email update?
    FYI - Yahoo email account is notoriously bad, you can try their app.

  • In Firefox 4.0 with a Server with a self signed certificate using IPv6 I can not add a "Security Exception" for this certificate.

    In Firefox 4.0 I have a server ... it contains a self signed certificate. Using IPv6 I can not add a "Security Exception" for this certificate.
    1. I log onto the server (using IPv6). I get the "Untrusted connection page" saying "This connection is Untrusted"
    2. I click on "Add Exception.." under the "I understand the Risks" section.
    3. The "Add Security Exception" dialog comes up. soon after the dialog comes up I get an additional "Alert" dialog saying
    An exception occured during connection to xxxxxxxxx.
    Peer's certificate issuer has been marked as not trusted by the User.
    (Error code sec_error_untrusted_issuer).
    Please note that this works in Firefox 3.6.16 (in IPv4 and IPv6). It also works in Firefox 4.0 in IPv4 only IPv6 has an issue. What's wrong?

    Exactly the same problem, except I'm using FF v6 for Windows, not FF v4 as for the lead post. This is for a self-cert which IS trusted, although the error message says it isn't.

  • ACS v5.2 - New Self Signed Certificate Not Showing In Browser

    Hi
    I have just renewed the self signed certificate on a v5.2 ACS and expiry date of 2013 is showing in the ACS GUI. However, when I start an ACS Admin session and view the certificate information in the browser it is showing the old expiry date of 2010. I have tried this in IE and Firefox and the certificate information is the same.
    Is there a way I can get the browser to pick the new certificate ?
    The screenshots show the difference (any advice would be appreciated)

    from the screen shots it does seem to be configured OK
    So a couple of suggestions
    - restart browsers / clear browser cache
    - if that fails consider a restart of ACS. Since this is certificate presented on web sessions maybe a restart of the web server is required

  • Safari 7 on OSX 10.9 not enjoying SSL self signed certificates

    Hello people from the web,
    I am experiencing a weird issue with self signed certificates. Since I upgraded to OSX 10.9 (Maverick) I am not able to connect to an HTTPS site protected by a self signed SSL certificate. The only remaining browser on my computer able to do the trick is Firefox (24). Chrome (30) and Safari (7) cannot.
    Have you experienced the same issue? Have you found a solution?
    On my quest for a solution I found this article:
    http://curl.haxx.se/mail/archive-2013-10/0036.html
    However it seems to me this is more the webkit common engine causing the issue. Is it possible that Webkit has become more picky with SSL Certificates? In which case how to generate a custom one that would suit Safari 7 and Chrome 30+?
    Thank you for any help you could provide
    Oscar

    Safari - Unsupported third-party add-ons may cause Safari to unexpectedly quit or have performance issues
    Safari/other browsers – Website not loading
    Safari Problems

  • Renewing Self Signed Certificate on IPN Nodes 1.2

    Dear Team
    I have just upgraded the ISE infrastructure to 1.2, IPN nodes have also been upgraded, a default self signed certificate is generated, which is for a validity of 90 days.
    On my ISE main units, I have self signed certificates with 2048 Modulus and SHA1-256 hash, validity = 12 years.
    1:  I want to generate self signed certificate on IPN with the same specifications.
    How can it be achieved, is it through "pep certificate server add"?
    IPN2/admin# pep certificate server add
    Server Certificate change will result in application restart. Proceed? (y/n): y
    Bind the certificate to private key made by last certificate signing request? (y/n):
    but as such i am not generating any CSR, because we do not have any CA in our deployment.
    Thanks
    Ahad Samir

    Above requirement is necessary because we don't have an Enterprise CA in our Deployment. We have to rely on self Signed certificates.
    Further Self Signed certificates should be valid for a long period so that no communication issue happens, 

  • How to renew your self-signed certificate p12 with Flash Builder

    I have been using a self-signed certificate (generated using Adobe Flash Builder 4.7) for my Android app. The app is live on Google Play market but the certificate is going to expire soon, and I know if I create new certificate and update my app, existing Android users will not be able to auto-update the app (as the App's Signature has been changed). I would like to know how can we re-new the self-signed Certificate .p12 with Flash Builder?
    Thank you very much.

    After doing my research about the self-signed certificate created by Adobe Flash Builder, I realized that it was my mistake to think that the certificate would expire soon. I double-checked the expiration date of my self-signed certificate and the date was set to 35 years after I generated it using flash builder 4.7 (which is very safe).
    For anyone who wants to check the self-signed .p12 expiration date, you can follow the instructions from this link:
    http://bsdsupport.org/how-do-i-determine-the-expiration-date-of-a-p12-certificate/
    Hope it helps

  • Safari could not establish secure connection to my localhost with self signed certificate

    was using maven+grizzly+jersey to start my own server. I created self signed certificate so that my server can support https. In case you are curious, following is how I generated my certificate
    I was testing this on my iMac (Running Mavericks). Now, I added the server.cert to the system keychain so that all users can trust this certificate. Also, I changed the trust level to "Always Trust".
    I got this to work in Chrome and Firefox. They asked me to add an exception for this certificate, I did and then everything goes fine. However, I have never made Safari (7.0) happy. I always get the error saying that Safari cannot establish secure connection to my localhost.
    Does anyone have any idea why it happened? Or is there a better way to debug this problem so that I will be able to tell at which step things go wrong.
    Thank you in advance. I really appreciated it.

    Any help much appreciated!
