Server certificate rejected by ChainVerifier

Similar Messages

• SAP PI 7.3 Peer certificate rejected by ChainVerifier

  Hi
      We upgraded the PI systems(Dev and Quality) from 7.0 to v7.3 Before the upgrade https scenario was working fine. Important thing is we were not using any certificates to transfer files to our vendor.  All the SOAP receiver adapter with HTTPS url is working fine in production. The production is still with PI 7.0
      After basis upgrade the PI system to v7.3  when I send a messaage to the below url with SOAP receiver adapter i see the below error. This is not a webservice interface.
  https://staging.napa-ibiz.com/..........
  The error is:
  SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.
  The strange part is, after the upgrade it is working fine with one vendor. The SOAP receiver adapter configuration is no different from other scenerios.
  We even restarted  the JAVA engine still no luck.
  I didn't get answer for my below questions:
  1. When I'm not using any certificates to send files to my vendor, why/how I see the above certificates related error.
  2. If it is really a certificate related error, how i'm able to successfully send to one vendor with the similar SOAP receivier configuration.
  3. Why only after the upgrade i see this error?
  Can you please throw some lights on this?
  Thanks,

  >When I'm not using any certificates to send files to my vendor, why/how I see the above certificates related error.
  The URL shows that you are using https transport communication. So you might be sharing the certificate or anonymous ssl with different vendors.  PLease go to STRUST and see whether  you have certificates in the keystore for the different vendors. As you production environment behaves different from pre production in terms of security.
  >If it is really a certificate related error, how i'm able to successfully send to one vendor with the similar SOAP receivier configuration
  You might share certificate correctly for one vendor and keystore might not have for the other vendors.  This is nothing related to soap receiver channel configuration. Certificates can be maintained either java stack level or abap stack.
  >Why only after the upgrade i see this error?
  PI 7.1 and above are 64 bit OS products. There are plenty of changes in the installation and security standards.  Talk to BASIS,

• Error PI 7.31 RFC-SOAP Certificate Rejected

  Hi Experts,
  I'm facing an error last days.
  The scenario is, an interface was working fine in DEV, but in QAS stopped.
  DEV and QAS has the same configuration, same endpoint, user, etc....
  In QAS the error in PI 7.31 was:
  com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  So, I saw the certificate and it was expired. The server updated the certified.
  And now DEV and QAS stopped working, and both return the message above in PI.
  The certificate is a auto-signed, and according to the documentation there was no certificate installation in development.
  The communication is an RFC to SOAP synchronous.
  Using Proxy, and authentication.
  The communication channel was not changed, and they don't have certificate authentication.
  I requested de basis team to install the certificate in NWA, but the view does not appeard in the configuration in PI.
  So... any idea what's my problem?
  Thanks.

  Hi,
  Thanks all for the answers.
  I already requested the installation of certificate, but they don't appear in configuration of channel communication on PI:
  the certificate installed:
  Any Ideia?

• Error:iaik.security.ssl.SSLCertificateException: Peer certificate rejected

  Hi,
  I am getting error com.sap.engine.interfaces.messaging.api.exception.MessagingException:
  iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  When i test for digital signing and encryption using soap receiver CC
  we passed all the values for soap CC
  Created key store view and in that view I have generated private certificate and generated CSR using SAP CA(test ssl for 8 weeks) for the private key and also imported public key for encryption given by reciver
  When i test i get the error message
  I check certificates validity dates
  I restarted java engine and ICM
  I added the public key in trusted CA in NWA
  I re created the view and added the certifcates
  still the same error
  how and where to check to check IAIK in NWA and how to deploy it in java engine using NWA, we are using PI7.11 (no VA)
  any suggestions?

  Hi,
  The main causes for this kind of problem are:
  1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
  Security Configuration at Message Level
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
  0a1550b0/frameset.htm
  2. The server certificate chain contains expired certificate. Check for it and if it's the case renew it or extend the validation.
  3. The certificate chain was not in correct order. Basically the server certificate chain should be in order
  Own->Intermedite->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
  Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.
  4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
  (This certificate is the one which is sent to Server for Client authentication)
  As a resource, you may need to create a new SSL Server key.
  The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
  In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
  Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
  In any other case the SSL communication will not work.
  Regards,
  Caio Cagnani

• ** SOAP - Receiver CC - Sync - Error - certificate rejected by ChainVerifie

  Hi Friends,
  In our interface BPM - SOAP call (Sync), in the receiver SOAP CC, we are getting the below error. 
  SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  In the SOAP CC, we use HTTP protocol.  In the target URL, it starts with https://...... and soapAction is mentioned.
  Previously, this channel was working fine. No issues.
  For testing, I copied and pasted the target URL in Internet Explorere, it did not ask any certificate, I am able to execute the wsdl. i.e call the soapAction - sent the request and got the response.
  Friends, could you tell me why the above error is coming now ?
  Kind regards,
  Jegathees P.

  Hi,
  https service is running?
  Check: SMICM -> Services
  Also check  with the named SAP note inside.
  Cheers,
  André
  Edited by: André Schillack on Apr 28, 2010 5:37 PM

• ELM send SOAP distributor - SSLCertificateException: certificate rejected

  Hi,
  I try to configure the Swiss income tax scenario ELM via our PI 7.11. The sending step produces the failure: SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVeri-fier
  Usually I have to install the certificates from the https page, but I have already installed the them (from the https side of the distributor: https://distributor.swissdec.ch/services/elm-pucs-puns/SalaryDeclaration/20051002 ). I still get this error.
  Is anybody else using transferring the ELM via PI and facing the same problem?
  Thanks a lot,
  Thomas

  Hello,
  The main reasons for why you are receiving this error can be checked below:
  1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:
  Security Configuration at Message Level
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bb487e28674be10000000a421937/frameset.htm
  2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
  3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct
  order. Basically the server certificate chain should be in order Own->Intermedite->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
  Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.
  4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period. (This certificate is the one which is sent to Server for Client authentication)
  As a resource, you may need to create a new SSL Server key.
  The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
  In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
  Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
  In any other case the SSL communication will not work.
  Hope that is useful for your case too!
  Regards,
  Caio Cagnani

• FTPS error: Peer Certificate Rejected by Chain Verifier

  Hi,
  This scenario is a File to File - Outbound Async Interface. Receiver is configured FTPS with mostly the default parameters.
  However FTPS again haunted us with "Peer Certificate Rejected by Chain Verifier  " error.  We have configured one communication channel with FTPS and tested in DEV, QA clients and moved to production. The weird behavior is it works only certain time. Overall it works 50% of time ok and 50% of time failed with the above error.
  We kept opened all ports on the firewall for outgoing messages.
  We cannot understand the dual behavior. Appreciate any help to resolve this issue.
  Dharmasiri Amith

  Hi Amith,
  The main reasons for this error follows:
  1. The correct server certificate could not be present in the TrustedCA
  keystore view of NWA. Please ensure you have done all the steps
  described in these two URLs:
  Security Configuration at Message Level
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
  0a1550b0/frameset.htm
  2. The server certificate chain contains expired certificate. Check for
  it (that was the cause for other customers as well) and if it's the case
  renew it or extend the validation.
  3. Some other customers have reported similar problem and mainly the
  problem was that the certificate chain was not in correct
  order. Basically the server certificate chain should be in order
  Own->Intermedite->Root. To explain in detail, if your server certificate
  is A which is issued by an intermediate CA B and then B's certificate is
  issued by the C which is the root CA (having a self signed certificate).
  Then your certificate chain contains 3 elements A->B->C. So you need to
  have the right order of certificate in the chain. If the order is B
  first followed by A followed by C, then the IAIK library used by PI
  cannot verify the server as trusted. Please generate the certificate in
  the right order and then import this certificate in the TrustedCA
  keystore view and try again. Please take this third steps as the
  principal one.
  As a resource, you may need to create a new SSL Server key.
  The requirement from SAP SSL client side is that the requested site has
  to have certificate with CN equal to the requested site.  I mean if I
  request URL X then the CN must be CN=X.
  In other words, the CN of the certificate has to be equal to the URL in
  the ftp request. This can be the IP address or the full name of the
  host.
  Request the url with the IP of the SSL Server and the certificate to be
  with CN = IP of the server.
  In any other case the SSL communication will not work.
  Regards,
  Caio Cagnani

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

• Client Certificate Rejected, repeatedly +with great vigor

  Hi all --
  Perhaps you can give me a hand. I recently got a new Macbook Pro -- my first new CPU since the ole' clamshell back in 2001. Very happy with it as a whole but also finding that I am a bit behind the times in terms of my understanding of the software. Here is the problem: Yesterday I tried to access a page using Safari (2.0.3) from my history. I do not believe that it was a secure page as it was part of the dartmouth.edu website but it may have been. Anyway, a dialouge box popped up asking for my to use FileVaultMaster keychain. I did not know that I had such a thing but I typed in my master password. The page still did not open, but Safari displayed a text box saying that there was an error -- this particular error, in fact:
  <begin quote>
  The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message
  <end of quote>
  Now, when I try to access the basic Dartmouth homepage of http://www.dartmouth.edu, Safari converts it automatically to https://www.dartmouth.edu and asks for the keychain and then displays the error. I tried emptying the cache and resetting Safari (and even restarting the computer, although I understand that that is no longer necessairy with OS X) but to no avail. Can anyone clue me as to what is happening, and why?
  Thanks much in advance,
  -Sparco03
  MacBook Pro   Mac OS X (10.4.5)  

  I emailed [email protected] about this problem and here is the response. The solution of getting a valid Dartmouth certificate doesn't apply to non Dartmouth users, so I'm not sure what to do in that case.
  "You need to check your Keychain. The reason you are getting that error is because Safari is sending a Client Certificate back to the web server (which asked for it), but the web server can't verify that it's a good certificate. This usually happens when you have an expired certificate, or you have a non-Dartmouth certificate that Safari is likely sending because it can't find a Dartmouth one."
  "Whichever of these is the case, the solution is to get a valid Dartmouth certificate, which you can generate by going to https://collegeca.dartmouth.edu/ and following the directions on the web page. If you have an expired Dartmouth cert, you will need to delete that before you import your new, valid certificate."
  "The reason all of this is happening is specific to Intel Macs. The mechanism that Dartmouth has used, better than 7+ years, to authenticate browser users to web site (Kerberos) uses the SideCar helper application. This application doesn't run on Intel Macs, and it most likely never will. Fortunately, Dartmouth installed client certificates as an additional/alternate solution for web site authentication a few years ago. Since client certs work great on Intel Macs, we had to force Intel Macs to always use HTTPS when connecting to any site on www.dartmouth.edu. That way we can always be able to ask for your client cert, so that we don't break your ability to access protected sites that live on the www.dartmouth.edu server."

• SSL VPN Failed to validate server certificate (cannot access https)

  Hi all,
  I have the next problem.
  I've configured in an UC520 a SSL VPN.
  I can access properly and I can see the labels, but I only can access urls which are http, not https:
  I can access the default ip of the uc520 (192.168.1.10) but
  When I try to get access to a secure url I get the msg: Failed to validate server certificate
  I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
  Does the certificate of both hardware has to be the same?
  How can I add a https?
  Here is the config of the router:
  webvpn gateway SDM_WEBVPN_GATEWAY_1
  ip address 192.168.1.254 port 443 
  ssl trustpoint TP-self-signed-2977472073
  inservice
  webvpn context SDM_WEBVPN_CONTEXT_1
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  url-list "Intranet"
     heading "Corporate Intranet"
     url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
     url-text "Impresora" url-value "http://192.168.10.100"
     url-text "DMM" url-value "https://pc.sumkio.local:8443"
     url-text "DMM 1" url-value "http://192.168.10.10:8080"
     url-text "UC520" url-value "http://192.168.10.1"
  policy group SDM_WEBVPN_POLICY_1
     url-list "Intranet"
     mask-urls
     svc dns-server primary 192.168.10.250
     svc dns-server secondary 8.8.8.8
  default-group-policy SDM_WEBVPN_POLICY_1
  aaa authentication list sdm_vpn_xauth_ml_1
  gateway SDM_WEBVPN_GATEWAY_1
  max-users 10
  inservice
  Any help would be apreciatted.
  Thank you

  Hi, thanks for your advise.
  I'm trying to copy the certificate via cut and paste, but I'm getting a
  % Error in saving certificate: status = FAIL
  I dont know if I'm doing this right.
  I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
  I get a file which if I open with notepad is like
  -----BEGIN CERTIFICATE-----
  MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
  KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
  mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
  nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
  -----END CERTIFICATE-----
  If I try to authenticate the trustpoint, I get that error.
  how can I export the certificate from the DMM?
  I think that this file is not the right file.
  and then, do I have to make some changes in
  webvpn gateway SDM_WEBVPN_GATEWAY_1?
  Should I choose the new trustpoint?
  I understand that the old trustpoint is for the outside connection, no for the LAN connection.
  Dont worry about me, answer when you can but I really need to fix this.
  Thank you so much

• AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!

  Hi guys,
  Is there a way to disable the warning generated from using self signed certs?
  I would like to make the process as seamless as possible.
  AnyConnect 3.1
  ASA 8.4(2)
  Thanks.

  Hi,
  We had problem with the above error message with our certificate when we moved to AnyConnect 3.1
  We were instructed to request a new one
  Also here is the link to Cisco site we were provided that explains the changes in 3.1
  IPSec and SSL connections require server  certificates to contain Key Usage attributes of Digital Signature and  Key Encipherment, as well as an Enhanced Key Usage attribute of Server  Authentication or IKE Intermediate. Note that IPSec server certificates  not containing a Key Usage are considered invalid for all Key Usages,  and similarly an IPSec server certificate not containing an Enhanced Key  Usage is considered invalid for all Enhanced Key Usages.
  Link to document
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
  Sadly I dont dable with certificates myself so I'm not really familiar with this.
  - Jouni

• How to add a certificate to IIS global "Server Certificates" list using PowerShell?

  Hi, been surfing the web for an example on how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell but to no luck. I already have code in place on how to tie / associate a specific website with a specific cert but not how
  to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell.... I dont expect the final code to become published but if someone had an idea on howto integrate / get an entry point on where to interact between the "Server Certificate"
  list in IIS and POSH I would be super happy! :|
  I am runnign IIS on a Windows 2008R2 x64 Standard Edition if that helps..... of course, I would saddle for an CLI if there is no other way, but POSH is of course the way to go! :)
  Thanks for the help in advance guys, take care!
  br4tt3

  Hi and thanks for the suggestions!
  Although it comes close, the suggested code example points on howto import / incorporate .pfx files - I am getting fed by .cer files which I need to add into the IIS console using POSH.
  I tried explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS! However, launching the following command from a POSH console with Import-Module Webadministration already
  loaded into that shell;
  $certMgr = New-Object -ComObject IIS.CertObj returns the following error message:
  New-Object : Cannot load COM type IIS.CertObj
  From an IIS perspective I have the following components installed;
  [X] Web Server (IIS)                                    Web-Server
      [X] Web Server                                      Web-WebServer
          [ ] Common HTTP Features                        Web-Common-Http
              [ ] Static Content                          Web-Static-Content
              [ ] Default Document                        Web-Default-Doc
              [ ] Directory Browsing                      Web-Dir-Browsing
              [ ] HTTP Errors                             Web-Http-Errors
              [ ] HTTP Redirection                        Web-Http-Redirect
              [ ] WebDAV Publishing                       Web-DAV-Publishing
          [X] Application Development                     Web-App-Dev
              [ ] ASP.NET                                
  Web-Asp-Net
              [X] .NET Extensibility                      Web-Net-Ext
              [ ] ASP                                    
  Web-ASP
              [ ] CGI                                    
  Web-CGI
              [ ] ISAPI Extensions                        Web-ISAPI-Ext
              [ ] ISAPI Filters                           Web-ISAPI-Filter
              [ ] Server Side Includes                    Web-Includes
          [ ] Health and Diagnostics                      Web-Health
              [ ] HTTP Logging                            Web-Http-Logging
              [ ] Logging Tools                           Web-Log-Libraries
              [ ] Request Monitor                         Web-Request-Monitor
              [ ] Tracing                                
  Web-Http-Tracing
              [ ] Custom Logging                          Web-Custom-Logging
              [ ] ODBC Logging                            Web-ODBC-Logging
          [X] Security                                   
  Web-Security
              [ ] Basic Authentication                    Web-Basic-Auth
              [ ] Windows Authentication                  Web-Windows-Auth
              [ ] Digest Authentication                   Web-Digest-Auth
              [ ] Client Certificate Mapping Authentic... Web-Client-Auth
              [ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
              [ ] URL Authorization                       Web-Url-Auth
              [X] Request Filtering                       Web-Filtering
              [ ] IP and Domain Restrictions              Web-IP-Security
          [ ] Performance                                 Web-Performance
              [ ] Static Content Compression              Web-Stat-Compression
              [ ] Dynamic Content Compression             Web-Dyn-Compression
      [X] Management Tools                                Web-Mgmt-Tools
          [X] IIS Management Console                      Web-Mgmt-Console
          [X] IIS Management Scripts and Tools            Web-Scripting-Tools
          [ ] Management Service                          Web-Mgmt-Service
          [ ] IIS 6 Management Compatibility              Web-Mgmt-Compat
              [ ] IIS 6 Metabase Compatibility            Web-Metabase
              [ ] IIS 6 WMI Compatibility                 Web-WMI
              [ ] IIS 6 Scripting Tools                   Web-Lgcy-Scripting
              [ ] IIS 6 Management Console                Web-Lgcy-Mgmt-Console
      [X] FTP Server                                      Web-Ftp-Server
          [X] FTP Service                                 Web-Ftp-Service
          [X] FTP Extensibility                           Web-Ftp-Ext
      [ ] IIS Hostable Web Core                           Web-WHC
  More or less the one thing that I am trying to get up and running is an automated FTPS solution - I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH interacts in the MMC representation. The error I am getting
  might be that I am lacking some IIS components to be in place to be able to automate some parts of the IIS - as suggested by the IIS.CertObj object listed in the example..... I will get back if I can track down which component needs to be added to be
  able to reference the IIS.CertObj object.
  Br4tt3 signing out...
  br4tt3

• How can I make Firefox trust a Server Certificate by Default?

  I'm trying to distribute Firefox via Empirum. All settings are made using the CCK-Wizard Addon.
  When I import our Certificates in CCK-Wizard, I can make trust-settings for CA's, but not for Server Certificates, and so the SC isn't trusted by default.
  Is there any way to make the trust Settings for SC's in the install package, maybe through an option in about:config (didn't find any, but maybe somebody knows more than google :P )?
  I tried to do it like PRF_1 suggested here https://support.mozilla.org/de/questions/687296#answer-112220 but in the last step I got an Error 1: C compiler cannot create executables.
  Regards,
  Bowser

  Hello,
  '''Try Firefox Safe Mode''' to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
  ''(If you're not using it, switch to the Default theme.)''
  * On Windows you can open Firefox 4.0+ in Safe Mode by holding the '''Shift''' key when you open the Firefox desktop or Start menu shortcut.
  * On Mac you can open Firefox 4.0+ in Safe Mode by holding the '''option''' key while starting Firefox.
  * On Linux you can open Firefox 4.0+ in Safe Mode by quitting Firefox and then going to your Terminal and running: firefox -safe-mode (you may need to specify the Firefox installation path e.g. /usr/lib/firefox)
  * Or open the Help menu and click on the '''Restart with Add-ons Disabled...''' menu item while Firefox is running.
  [[Image:FirefoxSafeMode|width=520]]
  ''Once you get the pop-up, just select "'Start in Safe Mode"''
  [[Image:Safe Mode Fx 15 - Win]]
  '''''If the issue is not present in Firefox Safe Mode''''', your problem is probably caused by an extension, and you need to figure out which one. Please follow the [[Troubleshooting extensions and themes]] article for that.
  ''To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.''
  ''When you figure out what's causing your issues, please let us know. It might help other users who have the same problem.''
  Thank you.

• Error: Untrusted Server Certificate

  When i click on Query Interfaces (IPS Manager: Configuration > Settings > Interfaces) i get the following error:
  An error occurred trying to get the interface information. An error occurred while trying to determine the sensor version. Detail = Error occurred while communicating with 172.17.xx.xx: java.security.cert.CertificateException: Untrusted Server Certificate Chain
  Any suggestion?
  Thank you,

      That is a pretty strange message. Have you had a chance to reach out to Windows Live?
  TamaraH_VZW
  Follow us on Twitter @VZWSupport

• Untrusted Server Certificate Chain error

  I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error :
  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
  My code is :
  KeyStore ks = null;
  String strURL = "https://myserver.com/myurl/lookup.asmx";
  SSLSocketFactory sslSocketFactory = null;
  System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Load certificate dynamically
  SSLContext sslContext = SSLContext.getInstance("SSLv3");
  TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
  CertificateFactory cert = CertificateFactory.getInstance("X.509");
  FileInputStream lo_fileinputstream = null;
  lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
  X509Certificate servercacert = (X509Certificate)cert.generateCertificate(lo_fileinputstream);
  lo_fileinputstream.close();
  String s1 = servercacert.getSerialNumber().toString();
  if(ks == null)
  ks = KeyStore.getInstance("JKS");
  ks.load(null, null);
  ks.setCertificateEntry(s1, servercacert);
  trustMgtFactory.init(ks);
  sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
  sslSocketFactory = sslContext.getSocketFactory();
  HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
  // Call webservice
  URL cascadeURL = new URL(strURL);
  HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
  String inputline=null;
  if (conn instanceof HttpsURLConnection) {
  conn.connect();
  BufferedReader in = new BufferedReader(
  new InputStreamReader(
  conn.getInputStream()));
  while ((inputline = in.readLine()) != null) {
  System.out.println(inputline);
  in.close();
  Please help - I am on a very tight deadline (as usual).

  Found the problem. I simply needed to add another certificate.