Server creates certificates

I run MLS server on a miniserver.
Recently I discovered strange console messages (see below) and saw that the server had created some 20 certificates.
How is this possible?
Also, when I open the Server Admin app, the server shows 90% server load.
Also I got some strange "dns attack" messages, although my server only answers requests for clients from within our domain and the router ports are not open to the internet.
Any hints?
Yours
Pierre
12/19/13 5:10:06.066 PM xscertd[4547]: Returning response with code 200 to 10.0.117.10:51757
12/19/13 5:10:06.461 PM xscertd[4547]: Received connection from 10.0.117.10:51762
12/19/13 5:10:06.464 PM xscertd[4547]: Received request from 10.0.117.10:51762
12/19/13 5:10:06.464 PM xscertd[4547]: Processing request from 10.0.117.10:51762 of /rfc2585/IntermediateCA_AC...
12/19/13 5:10:06.477 PM xscertd[4547]: Returning response with code 200 to 10.0.117.10:51762
Some strange DNS messages:
19-Dec-2013 16:54:50.491 client 127.0.0.1#54868: view com.apple.ServerAdmin.DNS.public: query (cache) 'radarsubmissions.apple.com/AAAA/IN' denied
19-Dec-2013 16:54:50.491 client 127.0.0.1#57746: view com.apple.ServerAdmin.DNS.public: query (cache) '1-courier.push.apple.com/AAAA/IN' denied
19-Dec-2013 16:54:50.491 client 127.0.0.1#59341: view com.apple.ServerAdmin.DNS.public: query (cache) '1-courier.sandbox.push.apple.com/AAAA/IN' denied
19-Dec-2013 16:54:52.908 client 127.0.0.1#58597: view com.apple.ServerAdmin.DNS.public: query (cache) '1-courier.push.apple.com/A/IN' denied
19-Dec-2013 16:54:52.908 client 127.0.0.1#54868: view com.apple.ServerAdmin.DNS.public: query (cache) 'radarsubmissions.apple.com/AAAA/IN' denied
19-Dec-2013 16:54:52.908 client 127.0.0.1#59341: view com.apple.ServerAdmin.DNS.public: query (cache) '1-courier.sandbox.push.apple.com/AAAA/IN' denied

Hoffman,
Yes... I had exactly this: shedding records to resist a DoS attack.
I have right now switched off "enable push notifications" on our server. I do not know what it was for.
However, my server has just recreated two new certificates :-), which I deleted... again.
I have not looked into our server for more than a month. And it worked flawlessly.
We run filesharing, OD, DNS, RADIUS, filemaker server, websites "3" on it.
No Mail, no wiki, no webdav.
Whenever I look into it it turns sour. Such a fickle product. happy that I do not use it "yet" for our mail, which is on google apps.
Thanks Hoffman

Similar Messages

  • Missing the "Microsoft Exchange Server Auth Certificate"

    Hi Everyone,
    I have a single Exchange box.    
    Was integrating my Lync and Exchange and noticed some issues after configuring my Lync pre-reqs: http://technet.microsoft.com/en-us/library/jj721919.aspx
    Following the line of communication and event logs, I quickly saw that the error was not on my Lync Server, but on my Exchange.  The "Microsoft Exchange Server Auth Certificate" that is created during Ex2013 install was missing.
     It was not there to give out tokens for the Server to Server authentication required to integrate Lync, Exchange, and Sharepoint.
    Running Get-AuthConfig: http://technet.microsoft.com/en-us/library/jj215766(v=exchg.150).aspx
    pointed to a thumbprint that did not exist anymore.  
    I confirmed this by checking the local cert store (local computer>personal>certificates), looking in the ECP (servers>certificates), and also running Get-ExchangeCertificate
    In my Exchange Server event log, I found the following errors: 
    Log Name: Application
    Source: MSExchange Certificate Deployment
    Date: 6/8/2014 4:00:50 AM
    Event ID: 2005
    Task Category: General
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: server.domain.com
    Description:
    Federation or Auth certificate not found: ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation
    Trust to a valid certificate using Set-FederationTrust or Set-AuthConfig. The certificate may take time to propagate to the local or neighboring sites.
    Event Xml:
    2005
    3
    1
    0x80000000000000
    2391484
    Application
    server.domain.com
    ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3
    AND
    Log Name: Application
    Source: MSExchange OAuth
    Date: 6/8/2014 1:25:41 PM
    Event ID: 2004
    Task Category: Configuration
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: server.domain.com
    Description:
    Unable to find the certificate with thumbprint ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3 in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.
    Event Xml:
    2004
    3
    2
    0x80000000000000
    2397430
    Application
    server.domain.com
    ED2C3E86EBE821AAC2C0DEA85CAB5787E2CAC5F3
    Googling has only produced one article that is about another issue that I would have found further down the line if I wasn't testing within the pre-reqs.  The solution is the same, but the article is somewhat poorly written and does not respond to all
    the comments enough to leave one feeling it's 100% correct.  
    http://blogs.technet.com/b/jenstr/archive/2012/11/22/getting-internal-server-error-500-when-creating...
    The broad strokes are clear:
    The fix is to create a new "Microsoft Exchange Server Auth Certificate" by using the following sequence of cmdlets In EMS on the MBX server:
    1. New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services smtp
    Do not accept to replace the SMTP certificate when prompted
    2. Note the thumbprint of the new certificate. Let us assume it is 7A39541F8DF58D4821967DD8F899B27410F7C081
    3. $a=get-date
    4. Set-AuthConfig -NewCertificateThumbprint 7A39541F8DF58D4821967DD8F899B27410F7C081 –NewCertificateEffectiveDate $a
    Accept to continue despite the fact that the certificate effective date is not 48 hours into the future
    5. Set-AuthConfig –PublishCertificate
    6. Make sure to remove any potential reference to the previous certificate (which might not exist anymore) by doing Set-AuthConfig -ClearPreviousCertificate.
    Remember to do iisreset on both CAS and MBX servers. Then finally, you can try to re-issue the New-CsPartnerApplication cmdlet.
    65 Million Dollar question:
    Is the syntax in part 1 correct?  Two people say to add the domain?  Jens responds, but it's vague.  What would the correct command look like?  I do not know where to add the -DomainName within the command and which name I should add?  The FQDN of the CAS?
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp
    Thank you everyone

    Hi,
    Yes, we need to specify a valid FQDN for either the Subject or the DomainName parameter. Please run the following command:
    New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn= Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName server.domain.com -Services smtp
    Then following the other steps in your posting to re-create the Microsoft Exchange Server Auth Certificate.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

    We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290, where it keeps giving us an "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
    There is no additional information in the VPN client logs where we have set 3-High for all logs.
    In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
    To create and enrol a certificate we do the following:
    1. Click on the Enroll button to show the Certificate Enrolment dialog
    2. Select  Online
    3. Select <New> for Certificate Authority
    4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
    5. Click Next to display the dialog where we can enter certificate details
    6. Enter details in all fields except IP Address and Domain
    7. Click Enroll, which shows a dialog with the Error 42 ... message in it.
    If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
    The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
    We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
    Thank you
    Emil

    FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
    Cisco2691#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Cisco2691(config)#crypto pki server CERTSERVER
    Cisco2691(cs-server)#grant ?
      auto     Automatically grant incoming SCEP enrollment requests
      none     Automatically reject any incoming SCEP enrollment request
      ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
    Cisco2691(cs-server)#grant auto
    % The CS config is locked. You need to shut the server off before changing its configuration.
    Cisco2691(cs-server)#shut
    Cisco2691(cs-server)#grant auto
    Cisco2691(cs-server)#
    Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
    Cisco2691(cs-server)#no shut
    % Certificate Server enabled.

  • SCCM 2007 Site Server Signing Certificate - Any Way to Extend Life of Template

    Good morning,
    It looks like my Site Server Signing certificate can't be renewed past the five year validity that the template was given.  So, come Feb. 14th, I can't renew my existing Site Server Signing certificate.  Is there any way to extend the life of the
    certificate template so I can just "renew" the existing certificate on my server as opposed to creating and distributing a new one?  Thanks for any help anyone can provide.

  • OAM with OVD SSL , can I use openSSL to create certificate

    OAM with OVD SSL: can I use OpenSSL to create the certificate? In the doc it uses Microsoft Cert Server, but I want to use OpenSSL, without success so far. Has anyone succeeded in doing this?

  • Creating certificate in ms-word for training and event management  sap hr

    Hi everybody, I used OLE programming to create certificates for attendees, but I need to save them in a particular directory. All the files are opening; could anybody tell me how to save them in a particular directory instead of opening every file?

    upgraded SAP Frontend from 4.6c to 4.6d.

  • Error in authentication with ldap server with certificate

    Hi,
    I have a problem in authentication with an LDAP server with a certificate.
    Here I am using the Java API to authenticate.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
    I issued the new certificate, which has up to 5 years of validity.
    Will Java authenticate for up to one year only?
    Can any body help on this issue...
    Regards
    Ranga

    Sorry, I am getting the same error:
    javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    Here, when I am using the old certificate and changing the system date, I can get the authentication.
    Can you tell where we can concentrate and solve the issue..
    Where is the issue?
    1. need to check with the LDAP server only
    2. problem in the Java code only.
    thanks in advance

  • Problem in Creating Certificate in java

    Dear all
    I have a problem in creating a certificate using the Java language.
    I created the keystore as shown in my code:
    but I still have a problem with the code, as you can see in the pics...
    Please help me to create my digital certificate because I have to verify it later... and I still have no idea how I am going to verify the certificate.....
    Thanks in advance..
    Mariah
    Message was edited by:
    screen83

    i am sorry the picture can't be displayed
    anyway, this is the code:
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    public class KeyStoreDemo {
        public static void main(String[] args) throws Exception {
            // JKS cannot hold SecretKey entries; the store must be PKCS12 (or JCEKS),
            // e.g. created with keytool -storetype PKCS12
            KeyStore ks = KeyStore.getInstance("PKCS12");
            char[] password = getPassword();                              // line 2 in the post
            try (FileInputStream fis = new FileInputStream("keyStoreName")) {
                ks.load(fis, password);
            }
            // get my private key: getEntry() takes a ProtectionParameter, not a char[]
            KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(password);
            KeyStore.PrivateKeyEntry pkEntry =
                (KeyStore.PrivateKeyEntry) ks.getEntry("privateKeyAlias", prot);  // line 9 in the post
            PrivateKey myPrivateKey = pkEntry.getPrivateKey();

            // save my secret key: the key must exist before it is wrapped in an entry
            SecretKey mySecretKey = KeyGenerator.getInstance("AES").generateKey();
            KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(mySecretKey);
            ks.setEntry("secretKeyAlias", skEntry, prot);                 // line 16 in the post

            // store away the keystore
            try (FileOutputStream fos = new FileOutputStream("newKeyStoreName")) {
                ks.store(fos, password);
            }
        }

        // the post calls getPassword() but never defines it; read the password from the console
        static char[] getPassword() {
            java.io.Console console = System.console();
            if (console == null) throw new IllegalStateException("no console to read the password from");
            return console.readPassword("Keystore password: ");
        }
    }
    and I have an error at line 2 when I am calling the method getPassword();
    and at line 9 when calling the method getEntry()
    and at line 16 when calling the method setEntry
    Thanks
    Mariah
    Message was edited by:
    screen83

  • Could not create certificate request

    jdev version: 10.1.2.3.0
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod
    PL/SQL Release 10.2.0.4.0 - Production
    TNS for Linux: Version 10.2.0.4.0 - Production
    How can I create a certificate signing request like that:
    CN=EURTRANSBEL
    OU=ICT 4.2 ORACLE
    O=SPF AFFAIRES ETRANGERES
    L=BRUXELLES
    ST=BRABANT FLAMAND
    C=BE
    SN=020100303
    E=[email protected]
    In Oracle Wallet Manager (new signing request, advanced, and there I put the DN),
    when I create a certificate signing request like that it says "could not create certificate request...."
    When I try to put a DN like that:
    CN=EURTRANSBEL, OU=ICT 4.2 ORACLE, O=SPF AFFAIRES ETRANGERES, L=BRUXELLES, ST=BRABANT FLAMAND, C=BE
    it works fine, but when I only add the SN like that:
    CN=EURTRANSBEL, OU=ICT 4.2 ORACLE, O=SPF AFFAIRES ETRANGERES, L=BRUXELLES, ST=BRABANT FLAMAND, C=BE, SN=020100303
    it crashes.
    How can I do it?
    Thanks in advance
    Edited by: Malebodja on Mar 3, 2010 6:28 AM

    Are you making the DN manually? Or are you filling in the form?
    Why don't you try to run it on a Windows machine? Install the Database client and it includes a Wallet Manager. I have never seen a problem like you mentioned; I've done this on Linux, Unix and Windows and haven't had any problem unless there is a misconfiguration or bad installation.
    Greetings

  • Creating Certificates

    I am creating certificates for my program and they need to be able to use a mail merge to insert the names onto the certificates.  I am trying to create the certificates in Word but it never works right for me.  Is it possible to an InDesign file or PDF with mail merge to add the certificate names?

    Absolutely. Look up Data Merge in the help files.

  • How do we create certificate with .pem extension using keytool

    Hi all,
    please tell me the procedure to create certificates using keytool with a .pem extension.

    I don't think keytool can do this; try OpenSSL:
    openssl pkcs12 -in test.p12 -out test.pem
    David

  • Creating Certificate using Acrobat dll in C# program

    Hello,
    I need to create a certificate, basically a .pfx file, in C#. I used the makecert tool to create the certificate first and then exported it into a .pfx file through the command line. My attempt was successful. Then I used the .pfx file to encrypt a PDF using iTextSharp. The PDF is encrypted successfully, but when I try to open the PDF, Acrobat/Reader shows the message "You do not have access rights to this encrypted document". I installed the .pfx file but the problem still remains.
    Can anyone please guide me on what I am doing wrong? I used the following commands from the command prompt to create a certificate and then export the certificate to a pfx file:
    Create certificate - makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser -a sha1 -sky signature -sv MyCA.pvk MyCA.cer
    Export to pfx - pvk2pfx -pvk MyCA.pvk -spc MyCA.cer -pfx MySPC.pfx -po <password>
    Is it possible to create a pfx file using acrobat dll in C#??
    Please help me, it's urgent.
    Thanks in advance!

    No, there are no APIs for working with certificates from C#.

  • The verification of the server's certificate chain failed

    Hi All,
    Not sure this is the right forum for this but never mind.
    I am trying to get abap2GApps working and am having problems with the client certificates.
    I am getting the below error in ICM :-
    [Thr 06] Mon Jul 30 09:34:47 2012
    [Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 06]    session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
    [Thr 06] SecudeSSL_SessionStart: SSL_connect() failed
      secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
    [Thr 06] >>            Begin of Secude-SSL Errorstack            >>
    [Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
    ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
    [Thr 06] <<            End of Secude-SSL Errorstack
    [Thr 06]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 06]   SSL NI-sock: local=172.30.7.170:59036  peer=172.30.8.100:80
    [Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT
    [Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]
    Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.
    For accounts.google.com they use (this set works) :-
    1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
    3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    For docs.google.com they use a different set of SSL certs. :-
    1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Google Internet Authority, O=Google Inc, C=US
    3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Can anyone explain what I am doing wrong or how to correct this?
    Thanks
    Craig

    Further UPDATE
    After removing every certificate related to docs.google.com I still get the same error!
    I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.
    I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!
    Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!
    "Situation: The ICM is in the client role and the following entry is displayed in the trace:
    ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.
    Solution:The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."
    What could possibly be causing this?
    Please help!
    Craig

  • Microsoft Exchange Server Auth Certificate Error

    I have a new install of Exchange Server 2013. I accidentally assigned the IIS service to the Microsoft Exchange Auth Certificate. Now I'm facing a problem connecting to the Exchange server from Outlook.
    The error shows:
    "There is a problem with the proxy server's security certificate.  The name on the security certificate is invalid or does not match the name of the target site
    name.  Outlook is unable to connect to the proxy server. (Error Code 10)."
    The certificate shows the error:
    "This CA root certificate is not trusted because it is not in the Trusted Root Certificate Authorities store"
    Please help me...
    Thanks

    Hi Winnie,
    If I use the root CA from AD CA, can that solve this issue?
    Please see the result:
    [PS] C:\Windows\system32>Get-ExchangeCertificate | FL
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {DBH-EX01, DBH-EX01.deltabrac.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Microsoft Exchange Server Auth Certificate
    NotAfter           : 12/19/2018 12:37:13 PM
    NotBefore          : 12/19/2013 12:37:13 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 30F29F3C289D448A4244C95D267B9976
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint         : 514DDBBDAB0878766B9D305A0D500CBEA334E109
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Microsoft Exchange Server Auth Certificate
    NotAfter           : 12/18/2018 3:51:00 PM
    NotBefore          : 12/18/2013 3:51:00 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 2AAA1A565B385794473CE3AC8D3A85F4
    Services           : IIS, SMTP
    Status             : Valid
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint         : 5E6026E8C9CC18BFE3684E58CD2876AC97A2514D
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {DBH-EX01, DBH-EX01.deltabrac.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=DBH-EX01
    NotAfter           : 12/11/2018 7:25:05 PM
    NotBefore          : 12/11/2013 7:25:05 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 1C611FA9102B64B3462A0100FEF74A12
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=DBH-EX01
    Thumbprint         : 2FD1A8D2141DCA036F3DD5BE1191FD1FB6966EE9
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-DBH-EX01}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-DBH-EX01
    NotAfter           : 12/9/2023 5:03:46 PM
    NotBefore          : 12/11/2013 5:03:46 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 4013857FC4683FA940C6DCC87A83A05F
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-DBH-EX01
    Thumbprint         : BAE5A99C48FDFDBDBDE1E158833F862BB977DC01

  • TLS get server's certificate

    Hello,
    I'm connecting with java mail to a smtp server which offers STARTTLS. I would like to know if there is a way to get the server's certificate to my application using the java mail API. Basically, I just want to show the server certificate in the same way the openssl command does it :
    openssl s_client -connect 192.168.0.1:25 -starttls smtp -showcerts
    EDIT: ok I think I have to do this on a lower level with an SSL Socket:
        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket("127.0.0.1", 8888);
        socket.startHandshake();
        SSLSession session = socket.getSession();
        java.security.cert.Certificate[] servercerts = session.getPeerCertificates();
    The problem is that when I do not have the remote certificate in my keystore, the "startHandshake" will fail. What I want to do is to offer the user the possibility to accept/refuse the certificate. How can I do this ?
    EDIT2: I did the following workaround by implementing a dummy X509TrustManager : http://forums.sun.com/thread.jspa?threadID=183410
    But now I don't know how to 1st connect in clear, then issue STARTTLS and then use a SSL socket to get the certificate.
    Thanks,
    Tex
    Edited by: Tex-Twil on Jul 13, 2010 2:31 AM
    Edited by: Tex-Twil on Jul 13, 2010 2:56 AM

    I think I found a solution. Basically I connect manually to the smtp using a normal socket, issue "EHLO" and "STARTTLS" commands. Then I wrap the clear socket into a SSL Socket and start the handshake. Then I can get the certificates:
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.PrintWriter;
    import java.net.Socket;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    public class StartTlsCertFetcher {

        public static void main(String[] args) throws Exception {
            Socket clearSocket = new Socket("192.168.0.1", 25);
            // SMTP lines must end in CRLF; println() would use the platform line separator
            PrintWriter out = new PrintWriter(clearSocket.getOutputStream(), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(clearSocket.getInputStream()));
            readServerResponse(in);                      // 220 greeting
            out.print("ehlo test\r\n"); out.flush();
            readServerResponse(in);                      // 250-... capabilities, should list STARTTLS
            out.print("starttls\r\n"); out.flush();
            readServerResponse(in);                      // 220 ready to start TLS
            // SSL: wrap the already-open socket; autoClose=true closes it together with the SSL socket
            TrustManager[] tm = { new RelaxedX509TrustManager() };
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tm, new java.security.SecureRandom());
            SSLSocketFactory factory = sslContext.getSocketFactory();
            SSLSocket sslSocket = (SSLSocket) factory.createSocket(clearSocket, "192.168.0.1", 25, true);
            sslSocket.startHandshake();
            Certificate[] servercerts = sslSocket.getSession().getPeerCertificates();
            for (Certificate c : servercerts) {
                System.out.println(((X509Certificate) c).getSubjectX500Principal());
            }
            sslSocket.close();
        }

        // Reads one SMTP reply: continuation lines look like "250-..." and the last line like "250 ...".
        private static String readServerResponse(BufferedReader in) throws IOException {
            StringBuilder buf = new StringBuilder(100);
            String line;
            do {
                line = in.readLine();
                if (line == null) {
                    if (buf.length() == 0) buf.append("[EOF]");
                    break;
                }
                buf.append(line).append("\n");
            } while (!isLastLine(line));
            System.out.print(buf);
            return buf.toString();
        }

        private static boolean isLastLine(String line) {
            return line.length() < 4 || line.charAt(3) != '-';
        }
    }

    // Accepts every chain without checking it, so the handshake succeeds and the certificate
    // can be read and shown to the user; it performs no validation and must not be used for the real mail session.
    class RelaxedX509TrustManager implements X509TrustManager {
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    }
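    The RelaxedX509TrustManager above makes the handshake succeed by trusting everything. For an accept/refuse dialog the safer pattern is to capture the chain without trusting it, show the user each certificate's validity window and the leaf's SHA-256 fingerprint, and then pin that fingerprint for the real session. The following is an added example, not code from this thread or the earlier LDAP "timestamp check failed" thread, though it serves both: with port 25 it does the same EHLO/STARTTLS exchange as the post, with port 636 it speaks TLS from the first byte as an LDAPS bind does, and the per-certificate validity report names the certificate a PKIX timestamp error is complaining about. Assumptions: the post's test host 192.168.0.1 is reachable, and the class and method names (ChainInspector, CapturingTrustManager, PinningTrustManager, fetchChain) are my own.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example, not code from the thread: fetch a server's chain WITHOUT trusting it,
// report each certificate's validity window, and pin the leaf's SHA-256 for the real session.
public class ChainInspector {

    // Records the chain the server presents and then rejects it, so the handshake never
    // completes on a session whose peer has not been verified.
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured;
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("no client auth"); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            captured = c.clone();
            throw new CertificateException("chain captured for inspection, not trusted");
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Accepts only a chain whose leaf has the fingerprint the user approved (trust on first use).
    static final class PinningTrustManager implements X509TrustManager {
        private final String pinnedSha256;
        PinningTrustManager(String pinnedSha256) { this.pinnedSha256 = pinnedSha256; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("no client auth"); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            if (c == null || c.length == 0) throw new CertificateException("empty chain");
            String seen = sha256Fingerprint(c[0]);
            if (!seen.equals(pinnedSha256)) throw new CertificateException("leaf " + seen + " != pinned " + pinnedSha256);
            c[0].checkValidity();   // a pinned certificate that has expired is still refused
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static String sha256Fingerprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) sb.append(String.format("%02X", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    // One entry per certificate, marking the one outside its validity window at 'when':
    // that is the certificate a PKIX "timestamp check failed" error is complaining about.
    static String validityReport(X509Certificate[] chain, java.util.Date when) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            String state = "valid";
            try { chain[i].checkValidity(when); } catch (CertificateException e) { state = "INVALID (" + e + ")"; }
            sb.append(String.format("[%d] %s  %s%n     notBefore=%s  notAfter=%s%n", i, state,
                    chain[i].getSubjectX500Principal().getName(), chain[i].getNotBefore(), chain[i].getNotAfter()));
        }
        return sb.toString();
    }

    // Reads one SMTP reply: continuation lines carry '-' after the code, the last line a space.
    static String readReply(BufferedReader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        String line;
        do {
            line = in.readLine();
            if (line == null) throw new IOException("connection closed by server");
            sb.append(line).append('\n');
        } while (line.length() >= 4 && line.charAt(3) == '-');
        return sb.toString();
    }

    // starttls=true: plain SMTP, EHLO, STARTTLS, then TLS (port 25); false: TLS from the first byte (ldaps 636).
    static X509Certificate[] fetchChain(String host, int port, boolean starttls) throws Exception {
        CapturingTrustManager capture = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        Socket plain = new Socket(host, port);
        if (starttls) {
            BufferedReader in = new BufferedReader(new InputStreamReader(plain.getInputStream(), StandardCharsets.US_ASCII));
            OutputStream out = plain.getOutputStream();
            readReply(in);                                                               // 220 greeting
            out.write("EHLO inspector\r\n".getBytes(StandardCharsets.US_ASCII)); out.flush();
            readReply(in);                                                               // 250 capabilities
            out.write("STARTTLS\r\n".getBytes(StandardCharsets.US_ASCII)); out.flush();
            if (!readReply(in).startsWith("220")) throw new IOException("server refused STARTTLS");
        }
        try (SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true)) {
            tls.startHandshake();
        } catch (SSLHandshakeException expected) { /* CapturingTrustManager always throws; the chain is captured */ }
        if (capture.captured == null) throw new IOException("no certificate chain received");
        return capture.captured;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "192.168.0.1";   // the post's test host; assumed reachable
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 25;
        X509Certificate[] chain = fetchChain(host, port, port != 636);
        System.out.print(validityReport(chain, new java.util.Date()));
        String leaf = sha256Fingerprint(chain[0]);
        System.out.println("leaf SHA-256: " + leaf + "  (show to the user; reconnect with the pinned context only after approval)");
        SSLContext pinned = SSLContext.getInstance("TLS");          // context for the real session once approved
        pinned.init(null, new TrustManager[] { new PinningTrustManager(leaf) }, null);
    }
}
```

    Run it as `java ChainInspector 192.168.0.1 25` for SMTP or `java ChainInspector servername 636` for LDAPS. The capturing manager deliberately fails the handshake, so no mail or LDAP data can ever flow over the unverified session; the pinning manager compares the DER encoding's SHA-256, which changes when the server's certificate is renewed, so the user must re-approve at that point rather than having the check silently pass.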
