Self Signed Certificate Problems

Similar Messages

• Self-Signed Certificate Problem

  Hi all,
  I believe this is the correct forum for this question, and I apologize if this has been asked and answered already (I looked but didn't find anything).
  I have a servlet application on a webserver. I built a test client in Java to connect to it, and all worked perfectly. Then I learned that the people I'm building this for require this to be on an SSL port. So I moved the application and now am getting the following exception:
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  Now I've noticed that the webserver (used exclusively for testing) has a self-signed certificate, which might be causing the problem. However I'm not in a position to change that. Typically we test websites on this server, so the browser can handle the self-signed certificate, however in this case we don't have that luxury. Given that, is there a way to get around this?
  I'll include the code from my test client in the hopes that someone has some helpful tips.
  Thanks in advance,
  - Jack
  import java.io.*;
  import javax.net.ssl.HttpsURLConnection;
  import java.net.URL;
  public class fileloadTester
  public fileloadTester()
  public static void main(String[] args) throws Exception
  (new fileloadTester()).run();
  public void run()
  HttpsURLConnection conn;
  try
  URL serverURL =
  new URL("https://mytestserver.com:8443/xxx/contact");
  conn = (HttpsURLConnection) serverURL.openConnection();
  conn.setDoOutput(true);
  conn.setUseCaches(false);
  conn.setRequestMethod("POST");
  conn.setRequestProperty("Content-type", "text/xml");
  File file = new File ("test.xml");
  if (!file.exists() || !file.canRead())
  return;
  FileInputStream fis = new FileInputStream(file);
  String xmlRequestString = readInputStream(fis);
  fis.close();
  System.out.println(xmlRequestString);
  conn.setRequestProperty("Content-Length",
  Integer.toString(xmlRequestString.length()));
  OutputStream os = conn.getOutputStream();
  os.write(xmlRequestString.getBytes());
  os.close();
  catch (Exception e)
  e.printStackTrace();
  }

  Get them to export the server certificate and import it into your test client's trusstore. Don't let this truststore leak into production.

• SendSynchronousRequest with self signed certificate

  Hi
  Due to the application design I cannot use the – initWithRequest:delegate: method of NSURLConnection class for my https requests to a server. Hence I have to make synchronous calls using sendSynchronousRequest:returningResponse:error.
  When I was using initWithRequest , it was taking a class delegate of NSURLConnectionDelegate class hence I handled the self signed certificate problem by the following code:-
  - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
      return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
  - (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
      [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
      [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
  Now the problem is that sendSynchronousRequest does not take any delegates to be called on. So now how do I handle non trusted certificate problem using synchronous request.
  I searched but so far can't find any solution.

  Hi 2UCowpoke,
  According to your description and the error messages ,it seems that the self-signed certificate is not trusted or supported by Windows 7 machine .
  How did you get the certificate ?
  It is recommended to ask for help from the certificate issuer support .
  Here is a link for reference :
  Windows does not have enough information to verify this certificate.
  http://www.kozeniauskas.com/itblog/2011/06/27/windows-does-not-have-enough-information-to-verify-this-certificate/
  NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
  Best regards
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Problem with placing self-signed certificate in trust store on WLS 10.3

  I have had some problems setting up two-way SSL on WLS 10.3.2.
  1. I have not been able to use the java properties listed on
  http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
  to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
  -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
  -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
  -DUseSunHttpHandler=true
  -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
  2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
  CA cert not marked with critical BasicConstraint indicating it is a CA
  Certificate chain is invalid
  which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
  by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
  Has anyone else noticed this?
  3. The error I get is
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server
  <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during hands
  hake, stack trace follows
  java.lang.NullPointerException
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tunin
  g)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  java.lang.Exception: New alert stack
  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
  alert with type 40?
  4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
  ** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
  -dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
  -storepass mypass -keypass mypass
  ** exported a DER format head certificate of mykey into mykey.cer.der
  ** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
  Any comments appreciated and thanks for this forum.

  Faisal,
  Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive.The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is
  quite impressive, thank you so much for this!

• Problems generating a self-signed certificate using SDK

  Adobe AIR 1.1 SDK was extracted to "D:\AIR\SDK\" in XP Pro
  SP2 system. Also Java 2 runtime version 1.4 installed.
  When I'm trying to generate a self-signed certificate I typed
  the following in command line:
  D:\AIR\SDK\bin\adt.bat -certificate -cn SelfSign 2048-RSA
  newcert.p12 pass123
  After a short delay an "unable to create output file" message
  appears in command console and an empty (0 byte length) newcert.p12
  created.
  What may be the problem?
  Also I would like to know if there was another way to create
  self-signed certificates or is it possible to build air packages
  without signing the source code?
  Thanks in advance and sorry for bad English!

  I haven't seen this error occur before. It could indicate a
  full drive or similar condition that might prevent writing to the
  file.
  Can you try using Java 1.5? Although 1.4 is officially
  supported, I think 1.5 receives much more testing.
  You can create self-signed certificates using other tools. If
  you do that, make sure the certificate is marked as usable for
  code-signing; otherwise, adt won't accept it.
  You cannot create air packages without signing them.

• Problem connecting to HTTPS host with self signed certificate

  I have set up a tomcat server with SSL running in a vmware on my machine using a self signed certificate. I can connect to this no problem with a browser from my main machine with the url https://myserver:8443.
  However, I am not able to connect with a Java client. I always get the below exception. I read that I need to add it as a trusted certificate in the keystore. I went to the site with firefox and saved the certificate as a .cer file, and imported it into the default keystore at c:\users\louis\.keystore. I still have the same problem. I think the problem is the client is not using the keystore, and I don't know how to make it do so. I tried adding the following argument to the run command:
  -Djavax.net.ssl.trustStore=c:\users\louis\.keystore -Djavax.net.ssl.trustStorePassword=changeit
  but it doesn't help.
  Here is the exception I'm getting:
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
       at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
       at Test.main(Test.java:39)
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
       at sun.security.validator.Validator.validate(Validator.java:218)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
       ... 12 more
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
       ... 18 more

  I have worked around this problem by configuring the Java client to trust all certificates and disabling hostname verification. That way I don't need a trust store. I'll just have to remove that code in production. Not ideal since I'd rather have certificate/hostname verification working for testing, but it works at least.
  I have looked at the Java security documentation and as far as i can tell a keystore and trust store is still basically the same type of file and created the same way with the keytool. The difference is when you import a cert you use the -trustcacerts option. The client 'keystore' is only being used to store the trusted cert, so it essentially is a trust store. This is documented in the keytool doc for the command -importcert.
  http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html
  I actually think my problem is more to do with the hostname, since my server doesn't have a real domain hostname like www.myserver.com. I am just using the machine name for the host, although web browsers do not have a problem with this. When I set my java client to trust all certs, I was getting the following error:
  java.io.IOException: HTTPS hostname wrong
  Disabling hostname verification fixed this, so I'm wondering if my cert has the wrong hostname. I originally created the self signed cert using the keytool with the command -genkey, which creates a key pair and also a self signed cert. I looked at the keytool docs, and I don't see any way of specifying the hostname or even seeing what the host name of a cert is. What does it put as the hostname by default? The IP address or machine name, or am I understanding this wrong?

• Problems with Creating a self-signed Certificate

  hi,
  I read the keytool Documentation and wanted to create my own self-signed certificate.
  ok, I followed the steps :
  1) keytool -keyclone -alias origkey -dest my_key
  2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
  3) keytool -certreq -alias my_key (output in mycert.cer)
  4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
  .. Password Input...
  Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
  But it exists, see :
  [usr]$ keytool -list
  Keystore-Typ: jks
  Keystore-Provider: SUN
  new_key, 06.05.2003, keyEntry,
  So it exists, but why do I get the error ?
  So far,
  Stefan Gross

  stefan hi,
  i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
  and then using the keystore you can create as many certificates as possible based on the key pair.
  try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
  hope this time it'll work, let me know.
  cem.
  note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
  To set up a digital certificate,
  Generate a key pair.
  The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
  To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
  keytool -genkey -keyalg RSA -alias tomcat-server
  -keystore <keystore_filename>
  The keytool utility prompts you for the following information:
  Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
  First and last name--Enter the appropriate value, for example, JWSDP.
  Organizational unit--Enter the appropriate value, for example, Java Web Services.
  Organization--Enter the appropriate value, for example, Sun Microsystems.
  City or locality--Enter the appropriate value, for example, Santa Clara.
  State or province--Enter the unabbreviated name, for example, CA.
  Two-letter country code--For the USA, the two-letter country code is US.
  Review the information you've entered so far, enter Yes if it is correct.
  Key password for the Web server--Do not enter a password. Press Return.
  The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
  Creating a Self-Signed Certificate
  This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
  Export the server certificate to a certificate file:
  keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
  Enter the password (changeit).
  Keytool returns the following message:
  Certificate stored in file <server.cer>
  Import the new server certificate into the Certificate Authority file cacerts.jks:
  keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
  -file server.cer
  Enter the password (changeit).
  Keytool returns a message similar to the following:
  Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Serial number: 3e39e3e0
  Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
  Certificate fingerprints:
  MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
  SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  ----------------------------------

• Problems with Self Signed Certificate

  I have installed a self-signed client certificate on my Windows 7 workstation. (64 bit Professional)
  The project is to use VPN/IKEv2 to connect my windows 7 workstation to a Linux 7 server. (using machine certificates)
  To that end I generated a self-signed certificate and exported the client certificate to my windows 7 workstation.
  I used the certmgr to install the certificate in the CA Trusted Store.
  However when I try to connect the workstation to the server via a vpn session I get the 13806 error.
  Upon reviewing the installed certificate I noted these two messages:
  Windows does not have enough information to verify this certificate
  The issuer of this certificate could not be found.
  So my question is how do I "tell' my windows 7 system to go ahead and accept the certificate and/or somehow tell the
  the system the issuer of the certificate should be trusted.
  Thanks
  Guy

  Hi 2UCowpoke,
  According to your description and the error messages ,it seems that the self-signed certificate is not trusted or supported by Windows 7 machine .
  How did you get the certificate ?
  It is recommended to ask for help from the certificate issuer support .
  Here is a link for reference :
  Windows does not have enough information to verify this certificate.
  http://www.kozeniauskas.com/itblog/2011/06/27/windows-does-not-have-enough-information-to-verify-this-certificate/
  NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
  Best regards
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• How to register iOS device when using self signed certificate with apple Server?

  Hi,
  I have installed the server.app by Apple and used a slef signed certificate for my server. Now I want to register my different devices (iMac, iPhone etc.). I could register the iMac without problesm (I just had to add my self signed certificate to the trusted certificates)
  Sadly, with the iPhone it is not that easy. I can install the "trust profile", but still after that I can not register my device. It seems like it does not accept my self signed certificate for device registration. When adding a registration profile, I get the error "www._mydomain_.tld/devicemanagement/api/device/auto_join_ota_service" is not valid.
  Nethertheless, I can install a profile with setting, e.g. my imap settings, via the profile management without problems.
  Does anyone have an idea how to get around the problem with the self signed certificate?
  Best regards

  Try deleting the Server.app and download it again from the App Store, restart.
  My Server is also using self signed certificates and is working with iOS device (Trust Profile needed first).

• How to replace an expiring self-signed certificate?

  Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
  First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
  It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
  The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
  It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
  I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
  I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
  Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
  http://screencast.com/t/zlVyR2Hsc
  Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
  Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
  http://screencast.com/t/54c2BUJuXO2
  Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
  Be aware that creating certificates starts to populate your server Keychain.
  http://screencast.com/t/JjLb4YkAM
  It appears that when you start to delete certificates, it leaves behind private keys.
  http://screencast.com/t/XD9zO3n16z
  If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
  OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
  In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
  Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
  Bypass "Introduction".
  In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
  The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
  You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
  In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
  The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
  (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
  Pant, pant...
  The next window asks for an email address and location information - this appears to be optional.
  Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
  Key Usage Extension window
  Here's where it gets interesting...
  I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
  Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
  Extended Key Usage Extension...
  Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
  Sorry, folks, I just HAVE to show you the help for this window...
  +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
  KILL ME NOW!!!
  OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
  Basic Constraints Extension...
  Well, there is no mention of that on the original certificate, so leave it unchecked.
  Subject Alternate Name Extension...
  Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
  DONE!!!! Let's see what the heck we got!
  http://screencast.com/t/QgU86suCiQH
  Well, I don't know about you but that looks pretty close for Jazz?
  I got some extra crap in there but the stuff from the original cert is all there.
  Think we're OK??
  Out with the old certificate (delete).
  Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
  http://screencast.com/t/bydMfhXcBFDH
  Oh yeah...one more thing in KeyChain Access...
  See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
  http://screencast.com/t/GdZfxBkHrea
  Select "Always Trust".
  I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
  I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
  Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
  If you want to see my rant on Apple's worthless documentation, it's here.
  http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

  to add to countryschool and john orban's experiences:
  using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
  in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
  when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
  supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
  you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
  now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
  after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
  lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
  maybe that's hopeful to somebody. but i stopped there since things seem to be working.
  last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
  now, we'll see how everything works once people start really using it...

• Importing self-signed certificate

  Hi there!
  I have some problems in importing SSL certificates on my macbook.
  There are 2 certificates that needs to be imported: the root CA certificate, which is self-signed naturally and private user certificate, which is signed by above-mentioned CA.
  The first file in .crt format, which is consists of CA public key and sign. The second file in .p12 format, which is consists of encrypted public and private keys.
  The problem is:
  I can't import nor CA neither my personal certificate.
  The CA cert should be imported at "CA" tab in keychain, but the import button ("+") is inaccesible here:
  http://img.200133883.info/big//%D0%A1%D0%B2%D1%8F%D0%B7%D0%BA%D0%B0_%D0%BA%D0%BB %D1%8E%D1%87%D0%B5%D0%B9-20120313-143521.png
  When I tried to double-click CA.crt I got the import error # -67762 which saying that attribute "key length" was invalid. The same thing with my personal certificate.
  Could somebody explain me, how should I import those two SSL certificated?

  I'm using self-signed certificate from SBS. Right now it's not the question, if something is misconfigured within my certificate (I'm aware of SBS certificate problems), the problem is that E90 WILL NOT recognize .cer or .der files as certificates.
  There must be someone, who can answer this really simple question, which certificate formates are supported on E90.
  You will find this type of question posted many times on different forums, with diiferent suggestion, but they simply don't work.
  Again my error is "file format not supported"

• How to use self-signed Certificate or No-Check-Certificate in Browser ?

  Folks,
  Hello. I am running Oracle Database 11gR1 with Operaing System Oracle Linux 5. But Enterprise Manager Console cannot display in Browser. I do it in this way:
  [user@localhost bin]$ ./emctl start dbconsole
  The command returns the output:
  https://localhost.localdomain:1158/em/console/aboutApplication
  Starting Oracle Enterprise Manager 11g Database Control ... ...
  I open the link https://localhost.localdomain:1158/em/console/aboutApplication in browser, this message comes up:
  The connection to localhost.localdomain: 1158 cannot be established.
  [user@localhost bin]$ ./emctl status dbconsole
  The command returns this message: not running.
  [user@localhost bin]$ wget https://localhost.localdomain:1158/em
  The command returns the output:
  10:48:08 https://localhost.localdomain:1158/em
  Resolving localhost.localdomain... 127.0.0.1
  Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
  ERROR: cannot verify localhost.localdomain's certificate, issued by `/DC=com/C=US/ST=CA/L=EnterpriseManager on localhost.localdomain/O=EnterpriseManager on localhost.localdomain/OU=EnterpriseManager on localhost.localdomain/CN=localhost.localdomain/[email protected]':
  Self-signed certificate encountered.
  To connect to localhost.localdomain insecurely, use `--no-check-certificate'.
  Unable to establish SSL connection.
  A long time ago when I installed Database Server Oracle 11gR1 into my computer, https://localhost.localdomain:1158/em in Browser comes up this message:
  Website certified by an Unknown Authority. Examine Certificate...
  I select Accept this certificate permanently. Then https://localhost.localdomain:1158/em/console/logon/logon in Browser displays successfully.
  But after shut down Operating System Oracle Linux 5 and reopen the OS, https://localhost.localdomain:1158/em/console/logon/logon in Browser returns a blank screen with nothing, and no more message comes up to accept Certificate.
  My browser Mozilla Firefox, dbconsole, and Database Server 11gR1 are in the same physical machine.I have checked Mozilla Firefox in the following way:
  Edit Menu > Preferences > Advanced > Security > View Certificates > Certificate Manager > Web Sites and Authorities
  In web sites tab, there is only one Certificate Name: Enterprise Manager on localhost.localdomain
  In Authorities tab, there are a few names as indicated in the above output of wget.
  My question is: How to use self-signed certificate and no-check-certificate in Mozilla Firefox for EM console to display ?
  Thanks.

  Neither problem nor solution do involve Oracle DB
  root cause of problem & fix is 100% external, detached, & isolated from Oracle DB.
  This thread is OFF TOPIC for this forum.

• Can you use a self signed certificate on an external Edge Server interface?

  Hi,
  I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
  interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
  cert is valid (root and intermediate have been checked for validity).
  At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
  Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
  Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
  I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
  Thx

  Drago,
  Thanks for all your help. I got it working.
  My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
  Let me update everyone about self-signed certificates:
  YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
  I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
  intermediate have been checked for validity).
  Here are my notes:
  Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
  On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
  Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
  You should have already completed: Step1 and Step 2.
  Run or Run Again "Step 3: Request, Install or Assign Certificates".
  Install the "Edge internal" certificate.
  Click "Request" button to run the "Certificate Request" wizard.
  You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
  Once the certificate has been created, use "Import Certificate" to import it.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
  In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
  Install the "Edge External" certificate (public Internet).
  Click the "Request" button to run the "Certificate Request" wizard.
  Press "next"
  Select "Prepare the request now, but send it later (offline certificate request).
  Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
  Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
  Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
  Fill in the organization info.
  Fill in the Geographical Information.
  The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
  Select your "Configured SIP domains"
  "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
  Verify the "certificate Request Summary". Click next.
  Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
   Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
  In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
  For the "External Edge certificate (public Internet), click "Assign".
  The "Certificate Assignment" wizard will run.
  Click next.
  From the list, select your cert "EXTERNAL-EDGE".
  Finish the wizard to "complete".
  You are finished on the server.
  Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
  When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
  Browse
  Select "Trusted Root Certification Authorities"
  Finish the wizard.

• Web Server 7 Admin Server and Self-Signed certificate

  Is it possible to create and install a self-signed certificate for the administration server in Sun Web Server 7. The default installation comes with a self-signed certificate but we would like to install our own certificate and not the certificate issued by "admin-ca-cert"
  Message was edited by:
  aar

  As far as I know its not a problem. You can install your own certificate. Make sure that the certificate nick name is changed accordingly in "server-cert-nickname" in server.xml section as shown below :
  <http-listener>
  <name>admin-ssl-port</name>
  <port>2224</port>
  <server-name>alamanac.india.sun.com</server-name>
  <default-virtual-server-name>admin-server</default-virtual-server-name>
  <ssl>
  <server-cert-nickname>Admin-Server-Cert</server-cert-nickname>
  </ssl>
  </http-listener>

• Xcode continuous integration, Subversion and self-signed certificate won't work altogether.

  Hi!
  I've installed on MacMini Maverick OS with OSX Server.
  Then I've configured the Xcode continuous integration with Subversion (using self-signed certificate), also created bots and etc.
  But It won't work.
  Attached is the log:
  Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:717 7c087310 +0ms] revision: (null) Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:718 7c087310 +0ms] log: (null) Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSCheckoutOperation.m:719 7c087310 +0ms] checkoutError: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSCheckoutOperation.m:732 7c087310 +0ms] Error in SVN checkout Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} <stderr>= (null) Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSOperation.m:33 7c087310 +0ms] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSOperation.m:28 7c087310 +0ms] Cancelling operation: XCSCheckoutOperation Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Error>: [XCSBuildBundle.m:790 7c087310 +0ms] Got an error from the checkout operation: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk." UserInfo=0x7fb388c4b4e0 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fb388c18ff0 [0x7fff7baddf00]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fb389904370 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk.", NSErrorPeerCertificateChainKey=( "<SecCertificate 0x7fb388c6f490 [0x7fff7baddf00]>" ), NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “svn.myheritage.co.il” which could put your confidential information at risk., NSErrorFailingURLKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorFailingURLStringKey=https://svn.myheritage.co.il:8443/svn/mobile/MyHeritageMobileiPhone/branches/Mob ile_with_albums_and_inapp, NSErrorClientCertificateStateKey=0} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildBundle.m:850 7c087310 +0ms] Starting upload files operation Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildBundle.m:1018 7c087310 +0ms] Updating bot run status to running, substatus to uploading Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Info>: [CSRemoteServiceClient.m:151 7c087310 +0ms] Connecting to https://localhost:4443/svc to execute [https]Request{AuthService.enterMagicalAuthRealm()} Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildHelper.m:97 7c087310 +38ms] Updating bot run with GUID cccf1c74-6c5a-4fff-a57f-5e5bead09457 Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Debug>: [XCSBuildHelper.m:102 7c087310 +0ms] Updating bot run (cccf1c74-6c5a-4fff-a57f-5e5bead09457): { guid = "cccf1c74-6c5a-4fff-a57f-5e5bead09457"; status = running; subStatus = uploading; } Aug 24 14:03:27 osxserver.iloffice.myhrtg.net xcsbuildd[82719] <Info>: [CSRemoteServiceClient.m:151 7c087310 +0ms] Connecting to https://localhost:4443/svc to execute [https]Request{XCBotService.updateBotRun:({ guid = "cccf1c74-6c5a-4fff-a57f-5e5bead09457"; status = running; subStatus = uploading; })}
  Hope you'll be able to assist me find what I'm doing wrong.
  Thanks in advance.

  Did anyone find a way around this? I have the exact same error and tried the exact same solution.
  The Xcode 5 release notes described a problem that sounds similar.
  Communicating with a remote SVN repository over HTTPS can fail with an error similar to “Error validating server certificate for server name.” Edit the file /Library/Server/Xcode/Config/xcsbuildd.plist and change the TrustSelfSignedSSLCertificates key from false to true. Then, from a Terminal window, run: sudo killall xcsbuildd. 14639890
  https://developer.apple.com/library/ios/releasenotes/DeveloperTools/RN-Xcode/Cha pters/xc5_release_notes.html
  I haven't found a similar fix for Xcode 6 though.